JDunphy wrote:
Investigate whether port 53 TCP is also open for DNS queries, for transfers larger than 512 bytes. Note: given how resolv.conf is queried, you can also list 127.0.0.1 twice. The thought process is that should it time out, the next query could be immediate if the delay was network related. If you are getting timeouts, you should investigate the cause, however...

Because this was about doing a lookup for SPF records with Gmail, here are a few other ideas. IMO, listing a bunch of external resolvers doesn't make a lot of sense unless you have an infrastructure in place where you are forwarding and building a rich local cache for subsequent lookups. If this isn't your environment, comment out those external resolvers to make it easier on yourself.
Note: There was a recent thread on SA, "Re: DNS and RBL problems"; here is one of the comments from Kevin A. McGrail, who is leading the SA project.
"I will also mention that if you are using a server such as 8.8.8.8, you MUST change. I found that if you use 8.8.8.8, you cannot even pass a test for spamassassin builds. They are doing some interesting things likely anti-abuse that just screw with things."
But why is 127.0.0.1 failing first? There could be another explanation relating to Perl and the Net::DNS module and recursion. I have never seen it, but some on SA have reported it as a problem.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7223
Finally, you could do the following from the command line to see if you can grab the SPF record recursively, along with all the IP addresses.
% dig +short +trace TXT gmail.com
TXT "v=spf1 redirect=_spf.google.com" from server 216.239.32.10 in 62 ms.
% cat > /tmp/j.sh
#!/usr/bin/perl
# Print every term of a domain's SPF record, recursing into include: domains.
use strict;
use warnings;

my $domain = shift @ARGV or die "usage: $0 domain\n";
getit($domain);

sub getit {
    my $domain = shift;
    # nslookup prints the record as:  <domain>\ttext = "v=spf1 ..."
    my @foo = `nslookup -q=TXT $domain`;
    foreach (@foo) {
        # \Q...\E so the dots in the domain name are matched literally
        next if not /^\Q$domain\E\s+text\s*=\s*"v=spf1/;
        s/^\Q$domain\E\s+text\s*=\s*"v=spf1\s*//;
        s/"\s*$//;                       # drop the closing quote of the record
        my @results = split /\s+/;
        foreach (@results) {
            next if /^[-~?+]?all$/;      # ~all / -all are terminal, nothing to follow
            print "$_\n";
            if (s/^include://) {         # recurse into the included domain
                getit($_);
            }
        }
    }
}
^D
% chmod 755 /tmp/j.sh
% /tmp/j.sh _spf.google.com
Another idea would be to systematically verify that you can look up _spf.google.com from the command line with each resolver.
Thanks phoenix and JDunphy!
I have removed all the public DNS servers and left only the DNS cache, 127.0.0.1, in /etc/resolv.conf.
And I see in the log that it says:
Sep 20 22:48:25 mail amavis[27644]: (27644-02) _WARN: dns: sendto() to [203.162.0.181]:53 failed: Operation not permitted, no more alternatives
Sep 20 22:48:27 mail postfix/dnsblog[17630]: warning: dnsblog_query: lookup error for DNS query 173.202.69.118.wl.mailspike.net: Host or domain name not found. Name service error for name=173.202.69.118.wl.mailspike.net type=A: Host not found, try again
Sep 20 22:48:27 mail postfix/postscreen[17627]: warning: dnsblog reply timeout 10s for wl.mailspike.net
203.162.0.181 is the default public DNS of my network, but I don't put it in /etc/resolv.conf.
And sometimes I see:
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc3.dcc-servers.net (74.92.232.243,6277)) from *,38363: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc3.dcc-servers.net (212.223.102.90,6277)) from *,49694: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc4.dcc-servers.net (69.12.221.230,6277)) from *,47682: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc4.dcc-servers.net (137.208.8.63,6277)) from *,49845: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc5.dcc-servers.net (136.199.199.160,6277)) from *,46418: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc5.dcc-servers.net (192.84.137.21,6277)) from *,42736: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(@ (127.0.0.1,6277)) from *,33945: Operation not permitted
Finally, after I changed the DNS config:
dig +short +trace TXT gmail.com
No result at all.
Run:
/tmp/j.sh _spf.google.com
Result:
include:_netblocks.google.com
ip4:35.190.247.0/24
ip4:64.233.160.0/19
ip4:66.102.0.0/20
ip4:66.249.80.0/20
ip4:72.14.192.0/18
ip4:74.125.0.0/16
ip4:108.177.8.0/21
ip4:173.194.0.0/16
ip4:209.85.128.0/17
ip4:216.58.192.0/19
ip4:216.239.32.0/19
~all"
include:_netblocks2.google.com
include:_netblocks3.google.com
~all"
I try sending mail from/to Gmail and it is fine, but when I activate the SPF module in policyd, Zimbra says:
Sep 20 22:35:10 mail postfix/smtpd[11628]: NOQUEUE: reject: RCPT from mail-ot1-f52.google.com[209.85.210.52]: 450 4.1.8 <xxxx@gmail.com>: Sender address rejected: Domain not found; from=<xxxx@gmail.com> to=<info@mydomain> proto=ESMTP helo=<mail-ot1-f52.google.com>
Certainly, email from Gmail cannot be received.
I think this is an SA error, but I have used SPF and public DNS very well for a long time, until 19/09/2018.
Please give me some more clue!
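The recursive SPF walk that the quoted Perl script performs, plus the per-resolver check JDunphy suggests, as an added example written for this thread (it is not code from the thread, from Zimbra or from SpamAssassin). It follows redirect= as well as include:, strips the quotes that nslookup and dig print around the record, treats ~all/-all as terminal, and counts the DNS-querying terms against the 10-lookup limit of RFC 7208. The mock zone is constructed from the records shown above; the contents of _netblocks2.google.com and _netblocks3.google.com are made-up placeholders using documentation prefixes. The resolver_lookup helper assumes dnspython 2.x is installed; everything else is standard library.

```python
"""Recursive SPF expansion with a pluggable TXT lookup and a lookup budget."""
import re
from typing import Callable, Dict, List, Set, Tuple

TxtLookup = Callable[[str], List[str]]   # domain name -> its TXT strings

MAX_DNS_LOOKUPS = 10                       # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(.*)", re.I)   # qualifier, mechanism, argument

# Constructed zone: gmail.com, _spf.google.com and _netblocks.google.com as shown in
# the thread; _netblocks2/_netblocks3 contents are placeholders (documentation prefixes).
MOCK_ZONE: Dict[str, List[str]] = {
    "gmail.com": ['"google-site-verification=constructed-example"',
                  '"v=spf1 redirect=_spf.google.com"'],
    "_spf.google.com": ['"v=spf1 include:_netblocks.google.com '
                        'include:_netblocks2.google.com include:_netblocks3.google.com ~all"'],
    "_netblocks.google.com": ['"v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 '
                              'ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 '
                              'ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 '
                              'ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"'],
    "_netblocks2.google.com": ['"v=spf1 ip6:2001:db8::/32 ~all"'],
    "_netblocks3.google.com": ['"v=spf1 ip4:192.0.2.0/24 ~all"'],
}


def mock_lookup(name: str) -> List[str]:
    """Offline stand-in for a resolver; unknown names behave like NXDOMAIN."""
    if name not in MOCK_ZONE:
        raise LookupError(f"NXDOMAIN for {name} (constructed)")
    return MOCK_ZONE[name]


def resolver_lookup(nameserver: str, timeout: float = 3.0) -> TxtLookup:
    """Real lookup pinned to one resolver IP (assumes dnspython 2.x is installed)."""
    import dns.resolver  # third-party; imported lazily so the offline demo runs without it
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [nameserver]
    res.lifetime = timeout

    def lookup(name: str) -> List[str]:
        return [b"".join(rd.strings).decode("ascii", "replace")
                for rd in res.resolve(name, "TXT")]
    return lookup


def spf_record(txts: List[str]) -> str:
    """Pick the SPF record out of a domain's TXT strings ('' if none or ambiguous)."""
    recs = [t.strip('"') for t in txts]
    recs = [r for r in recs if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else ""   # more than one record is a permerror


def expand_spf(domain: str, lookup: TxtLookup, budget: int = MAX_DNS_LOOKUPS
               ) -> Tuple[List[str], int, List[str]]:
    """Return (ip4/ip6 terms reached, DNS lookups spent, problems found)."""
    networks: List[str] = []
    problems: List[str] = []
    seen: Set[str] = set()
    lookups = 0

    def walk(name: str) -> None:
        nonlocal lookups
        if name in seen:                  # already expanded; the lookup was still counted
            problems.append(f"{name} referenced more than once (not re-expanded)")
            return
        seen.add(name)
        try:
            record = spf_record(lookup(name))
        except Exception as exc:          # a resolver failure is a finding, not a crash
            problems.append(f"lookup failed for {name}: {exc}")
            return
        if not record:
            problems.append(f"no usable SPF record for {name}")
            return
        redirect = None
        for term in record.split()[1:]:   # skip the v=spf1 version tag
            m = TERM.fullmatch(term)
            if not m:
                problems.append(f"unparseable term {term!r} in {name}")
                continue
            mech, arg = m.group(2).lower(), m.group(3).lstrip(":=")
            if mech in LOOKUP_TERMS:
                lookups += 1
                if lookups > budget:
                    problems.append(f"more than {budget} DNS lookups reached at {name}")
                    return
            if mech in ("ip4", "ip6"):
                networks.append(f"{mech}:{arg}")
            elif mech == "include":
                walk(arg)
            elif mech == "redirect":
                redirect = arg
            elif mech == "all":
                redirect = None           # 'all' is terminal; redirect= is ignored with it
                break
        if redirect:
            walk(redirect)

    walk(domain)
    return networks, lookups, problems


if __name__ == "__main__":
    nets, used, probs = expand_spf("gmail.com", mock_lookup)
    print("\n".join(nets))
    print(f"{used} DNS lookups; problems: {probs or 'none'}")
```

Run as-is it works entirely offline against the mock zone. To do what JDunphy suggests, call expand_spf("gmail.com", resolver_lookup("127.0.0.1")) and then the same with each external resolver from resolv.conf; a problems list that only ever fills up for one resolver points at that resolver (or the path to it) rather than at the SPF data.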
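A triage pass over the log lines posted above, as an added example (not code from the thread or from Zimbra): it parses the syslog lines, sorts each failure into a class and lists every destination that got "Operation not permitted" from sendto(). The class names are this example's own. The sample lines are copied from the post (timestamps and addresses as posted). The one fact the classification leans on is that sendto() returning EPERM means the kernel itself refused to transmit the datagram, which on Linux is what a local packet-filter rule on the outbound path produces; the resolver or DCC server was never reached, so such lines say nothing about those servers.

```python
"""Triage DNS/network failures in a mail log by likely cause (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, Optional, Set, Tuple

# Sample lines copied from the post above (timestamps and addresses as posted).
SAMPLE_LOG = """\
Sep 20 22:48:25 mail amavis[27644]: (27644-02) _WARN: dns: sendto() to [203.162.0.181]:53 failed: Operation not permitted, no more alternatives
Sep 20 22:48:27 mail postfix/dnsblog[17630]: warning: dnsblog_query: lookup error for DNS query 173.202.69.118.wl.mailspike.net: Host or domain name not found. Name service error for name=173.202.69.118.wl.mailspike.net type=A: Host not found, try again
Sep 20 22:48:27 mail postfix/postscreen[17627]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc3.dcc-servers.net (74.92.232.243,6277)) from *,38363: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc3.dcc-servers.net (212.223.102.90,6277)) from *,49694: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc4.dcc-servers.net (69.12.221.230,6277)) from *,47682: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc4.dcc-servers.net (137.208.8.63,6277)) from *,49845: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc5.dcc-servers.net (136.199.199.160,6277)) from *,46418: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc5.dcc-servers.net (192.84.137.21,6277)) from *,42736: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(@ (127.0.0.1,6277)) from *,33945: Operation not permitted
Sep 20 22:35:10 mail postfix/smtpd[11628]: NOQUEUE: reject: RCPT from mail-ot1-f52.google.com[209.85.210.52]: 450 4.1.8 <xxxx@gmail.com>: Sender address rejected: Domain not found; from=<xxxx@gmail.com> to=<info@mydomain> proto=ESMTP helo=<mail-ot1-f52.google.com>
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Destination of a failed sendto(): "[ip]:port" (amavis) or "(ip,port)" (dccproc).
DEST = re.compile(
    r"\[(?P<ip>\d+(?:\.\d+){3})\]:(?P<port>\d+)"
    r"|\((?P<ip2>\d+(?:\.\d+){3}),(?P<port2>\d+)\)")

# Substring -> class, checked in order; first hit wins.  Class names are this
# example's own:
#   egress-blocked            sendto() got EPERM: the kernel refused to send, which
#                             a local packet-filter rule on the outbound path does;
#                             nothing reached the resolver or DCC server
#   timeout                   the query went out and no reply came back in time
#   resolution-tempfail       the resolver answered with a temporary failure
#   sender-domain-unresolved  Postfix could not resolve the envelope sender domain
RULES = [
    ("Operation not permitted", "egress-blocked"),
    ("reply timeout", "timeout"),
    ("Host not found, try again", "resolution-tempfail"),
    ("Sender address rejected: Domain not found", "sender-domain-unresolved"),
]


def classify(msg: str) -> str:
    for needle, cls in RULES:
        if needle in msg:
            return cls
    return "other"


def destination(msg: str) -> Optional[Tuple[str, int]]:
    m = DEST.search(msg)
    if not m:
        return None
    return (m.group("ip") or m.group("ip2"), int(m.group("port") or m.group("port2")))


def triage(log_text: str) -> Tuple[Counter, Dict[Tuple[str, int], Set[str]]]:
    """Count lines per class and map each EPERM destination to the programs that hit it."""
    counts: Counter = Counter()
    blocked: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        cls = classify(m["msg"])
        counts[cls] += 1
        if cls == "egress-blocked":
            dest = destination(m["msg"])
            if dest:
                blocked[dest].add(m["prog"])
    return counts, dict(blocked)


def loopback_blocked(blocked: Dict[Tuple[str, int], Set[str]]) -> bool:
    """True if even a loopback destination got EPERM; that cannot be caused off-host."""
    return any(ip.startswith("127.") for ip, _ in blocked)


if __name__ == "__main__":
    counts, blocked = triage(SAMPLE_LOG)
    for cls, n in counts.most_common():
        print(f"{n:3d}  {cls}")
    for (ip, port), progs in sorted(blocked.items()):
        print(f"EPERM -> {ip}:{port} from {', '.join(sorted(progs))}")
    if loopback_blocked(blocked):
        print("loopback traffic is blocked too: check the host's own packet filter first")
```

On the posted lines the EPERM bucket is the largest and includes 127.0.0.1:6277, so the first thing to inspect is the mail host's own packet filter on the outbound path (UDP 53 and UDP 6277 both appear); the dnsblog timeout and the 450 4.1.8 reject are consistent with lookups that never got out.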