
SPF fails if DNS refuses Type99 queries

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by REW Steven, Feb 22, 2011.

  1. REW Steven

    PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

    Parallels Plesk Panel version 9.5.4
    Operating system Linux 2.6.9-89.0.29.ELsmp
    Red Hat Enterprise Linux ES release 4 (Nahant Update 8) 32bit
    psa-spf2-1.2.9-10071607

    # spfquery -version
    spfquery version information:
    SPF test system version: 3.0
    Compiled with SPF library version: 1.2.9
    Running with SPF library version: 1.2.9

    PROBLEM DESCRIPTION AND STEPS TO REPRODUCE

    The spfquery tool will fail if the domain's DNS server refuses to respond to Type99 or SPF DNS queries.

    # spfquery -ip=204.187.151.130 -sender=fake@nanaimodailynews.com -helo=smtpmail.canwest.com

    ACTUAL RESULT

    StartError
    Context: Failed to query MAIL-FROM
    ErrorCode: (26) DNS lookup failure
    Error: Temporary DNS failure for 'nanaimodailynews.com'.
    EndError
    (invalid)

    EXPECTED RESULT

    none
    smtpmail.canwest.com: No applicable sender policy available
    smtpmail.canwest.com: No applicable sender policy available
    Received-SPF: none (smtpmail.canwest.com: No applicable sender policy available) receiver=web1.rewhosting.com; identity=helo; helo=smtpmail.canwest.com; client-ip=204.187.151.130

    ANY ADDITIONAL INFORMATION

    Running a tcpdump during the execution of spfquery shows the following:

    12:18:32.783588 IP 192.168.1.114.54175 > 72.3.128.241.domain: 16809+ Type99? nanaimodailynews.com. (38)
    12:18:37.784055 IP 192.168.1.114.38262 > 72.3.128.240.domain: 16809+ Type99? nanaimodailynews.com. (38)
    12:18:42.785299 IP 192.168.1.114.54175 > 72.3.128.241.domain: 16809+ Type99? nanaimodailynews.com. (38)
    12:18:47.785578 IP 192.168.1.114.38262 > 72.3.128.240.domain: 16809+ Type99? nanaimodailynews.com. (38)

    So it's trying to get an answer for Type99 (which is not supported by the nameservers of nanaimodailynews.com) and never moves on to checking TXT records.

    Running spfquery against our own name servers works fine since they respond to Type99 queries with no answers.

    We also have the problem with a domain that has an SPF record in a TXT record, but their DNS server fails for Type99 queries.

    12:03:35.024881 IP 192.168.1.114.43936 > 72.3.128.241.domain: 27062+ Type99? academymortgage.com. (37)
    12:03:35.093737 IP 72.3.128.241.domain > 192.168.1.114.43936: 27062 ServFail 0/0/0 (37)
    12:03:35.093808 IP 192.168.1.114.58522 > 72.3.128.240.domain: 27062+ Type99? academymortgage.com. (37)
    12:03:35.165717 IP 72.3.128.240.domain > 192.168.1.114.58522: 27062 ServFail 0/0/0 (37)
    12:03:35.165778 IP 192.168.1.114.43633 > 72.3.128.241.domain: 27062+ Type99? academymortgage.com. (37)
    12:03:35.238770 IP 72.3.128.241.domain > 192.168.1.114.43633: 27062 ServFail 0/0/0 (37)
    12:03:35.238825 IP 192.168.1.114.54589 > 72.3.128.240.domain: 27062+ Type99? academymortgage.com. (37)
    12:03:35.303719 IP 72.3.128.240.domain > 192.168.1.114.54589: 27062 ServFail 0/0/0 (37)
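
An added example, not part of the original post and not Plesk or libspf2 code: a small Python script that reads tcpdump text output like the captures above and reports, per domain, how the Type99 query ended and whether any TXT query followed. The function name, the verdict labels and the "SPF" type label are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the two tcpdump captures in the post.
CAPTURE = """\
12:18:32.783588 IP 192.168.1.114.54175 > 72.3.128.241.domain: 16809+ Type99? nanaimodailynews.com. (38)
12:18:37.784055 IP 192.168.1.114.38262 > 72.3.128.240.domain: 16809+ Type99? nanaimodailynews.com. (38)
12:18:42.785299 IP 192.168.1.114.54175 > 72.3.128.241.domain: 16809+ Type99? nanaimodailynews.com. (38)
12:03:35.024881 IP 192.168.1.114.43936 > 72.3.128.241.domain: 27062+ Type99? academymortgage.com. (37)
12:03:35.093737 IP 72.3.128.241.domain > 192.168.1.114.43936: 27062 ServFail 0/0/0 (37)
12:03:35.093808 IP 192.168.1.114.58522 > 72.3.128.240.domain: 27062+ Type99? academymortgage.com. (37)
12:03:35.165717 IP 72.3.128.240.domain > 192.168.1.114.58522: 27062 ServFail 0/0/0 (37)
"""

QUERY = re.compile(r"IP (\S+) > \S+\.domain: (\d+)\S* (\w+)\? (\S+?)\.? \(")
REPLY = re.compile(r"IP \S+\.domain > (\S+): (\d+)\S* (\S+)")
SPF_TYPES = {"Type99", "SPF"}  # "SPF": assumed label on tcpdump builds that name type 99


def type99_outcomes(capture):
    """Map each domain queried for Type99 to (verdict, txt_query_seen)."""
    pending = {}  # (client ip.port, DNS id) -> (name, qtype)
    seen = defaultdict(lambda: {"t99": 0, "rcodes": [], "txt": False})
    for line in capture.splitlines():
        q, r = QUERY.search(line), REPLY.search(line)
        if q:
            client, qid, qtype, name = q.groups()
            pending[(client, qid)] = (name, qtype)
            seen[name]["t99"] += qtype in SPF_TYPES
            seen[name]["txt"] |= qtype == "TXT"
        elif r and (r.group(1), r.group(2)) in pending:
            name, qtype = pending.pop((r.group(1), r.group(2)))
            if qtype in SPF_TYPES:
                # tcpdump prints an rcode word only on errors; "0/1/0" counts mean NOERROR
                word = r.group(3).rstrip("*-|$")
                seen[name]["rcodes"].append(word if word[:1].isalpha() else "NoError")
    result = {}
    for name, info in seen.items():
        if not info["t99"]:
            continue  # domain was never asked for Type99
        codes = info["rcodes"]
        verdict = "answered" if "NoError" in codes else codes[-1] if codes else "timeout"
        result[name] = (verdict, info["txt"])
    return result


if __name__ == "__main__":
    for domain, (verdict, txt) in type99_outcomes(CAPTURE).items():
        print(f"{domain}: Type99 {verdict}, TXT fallback seen: {txt}")
```

A domain reported as "timeout" or "ServFail" with no TXT query seen matches the behaviour described in the post.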