Mail Proxy Use SPF

There is the problem - your DNS server does not return an answer - here I get:
Code:
 dig 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com

; <<>> DiG 9.16.27-Debian <<>> 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63991
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com. IN    A

;; ANSWER SECTION:
216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com. 112 IN A 127.0.0.2

;; Query time: 779 msec
;; SERVER: 192.168.2.15#53(192.168.2.15)
;; WHEN: Tue Aug 30 17:39:58 CEST 2022
;; MSG SIZE  rcvd: 96

Please check your DNS setup - as I'm quite certain the issue is not with the SPF check inside PMG
 
So I temporarily flipped pfSense over to dnsmasq, rather than Unbound, and it's working... I'm going to have to poke at Unbound to see what might be causing it not to resolve properly...
Code:
dig 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com

; <<>> DiG 9.16.27-Debian <<>> 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47899
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com. IN        A

;; ANSWER SECTION:
216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com. 200 IN A 127.0.0.2

;; Query time: 0 msec
;; SERVER: 192.168.56.1#53(192.168.56.1)
;; WHEN: Tue Aug 30 11:21:30 MST 2022
;; MSG SIZE  rcvd: 96
 
Hrm, ok. I switched back to unbound, so it seems like basically toggling from unbound > dnsmasq > unbound toggled something. Maybe a UI bug or something... It looks like it's resolving correctly now using unbound.
Code:
 dig 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com

; <<>> DiG 9.16.27-Debian <<>> 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55657
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f8d5df1b2bc87e4ecfd44db6630e59fd1d9a33f2f6be47f1 (good)
;; QUESTION SECTION:
;216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com. IN        A

;; ANSWER SECTION:
216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com. 253 IN A 127.0.0.2

;; AUTHORITY SECTION:
espf.dmp.cisco.com.     220     IN      NS      dns-01.hosted-spf.prod.agari.com.
espf.dmp.cisco.com.     220     IN      NS      dns-00.hosted-spf.prod.agari.com.
espf.dmp.cisco.com.     220     IN      NS      dns-02.hosted-spf.prod.agari.com.

;; ADDITIONAL SECTION:
dns-00.hosted-spf.prod.agari.com. 428 IN A      34.213.33.44
dns-01.hosted-spf.prod.agari.com. 428 IN A      54.203.189.11
dns-02.hosted-spf.prod.agari.com. 428 IN A      35.167.31.24

;; Query time: 51 msec
;; SERVER: 192.168.57.1#53(192.168.57.1)
;; WHEN: Tue Aug 30 11:42:05 MST 2022
;; MSG SIZE  rcvd: 257
 
Hi, Mr. Stoiko Ivanov,
Sorry for jumping in. About the SPF check: if it is enabled and an email is rejected because SPF is not valid, is it just blocked, or is there any notification to the email sender about the reason why their email is being rejected? Some kind of bounce-back email.
 
Sorry for jumping in. About the SPF check:
In general - please open a new thread if the issue is only roughly related...
Jul 22 07:50:01 smtp postfix/smtpd[162078]: NOQUEUE: reject: RCPT from ...
This log line says that Postfix rejects the mail - meaning the sending mail server gets a permanent error back (5XX) - usually this means that this server needs to notify the sending user (via a bounce message).
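
An added example, not part of the original posts and not Proxmox or Postfix code: it sorts Postfix smtpd reject lines by SMTP reply class, which is the distinction the reply above draws for 5XX rejections, and goes one step further by also labelling 4XX (temporary) rejects. The sample log lines, hosts and reject reasons are constructed, and `classify_rejects` is a hypothetical helper name.

```python
import re

# Constructed sample lines in Postfix's smtpd reject format; hosts, addresses
# and reject reasons are made up (the thread's own log line is truncated).
SAMPLE_LOG = """\
Jul 22 07:50:01 smtp postfix/smtpd[162078]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 550 5.7.1 <bob@example.org>: Recipient address rejected: constructed permanent reason; from=<alice@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Jul 22 07:51:14 smtp postfix/smtpd[162080]: connect from mail.example.com[198.51.100.7]
Jul 22 07:51:15 smtp postfix/smtpd[162080]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 451 4.3.0 <bob@example.org>: Recipient address rejected: constructed temporary reason; from=<carol@example.com> to=<bob@example.org> proto=ESMTP helo=<mail.example.com>
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\S+) from "
    r"(?P<client>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>[45]\d\d) "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def classify_rejects(log_text):
    """Return one dict per smtpd reject line, labelled by SMTP reply class."""
    results = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # not a reject line (connect, disconnect, ...)
        entry = m.groupdict()
        if entry["code"].startswith("5"):
            # Permanent failure: the sending server gives up and is expected
            # to bounce the message back to its own user.
            entry["kind"] = "permanent"
        else:
            # Temporary failure: the sending server keeps the mail queued
            # and retries later, so the sender sees no bounce yet.
            entry["kind"] = "temporary"
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in classify_rejects(SAMPLE_LOG):
        print(r["code"], r["kind"], r["sender"], "->", r["rcpt"], "via", r["ip"])
```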
 
