[exim] SPF checking and type 99 filtering

Author: Christian Gregoire
Date:  
To: exim-users
Subject: [exim] SPF checking and type 99 filtering
Hello,

I'm experiencing some issues with SPF checking, which in some cases can execute
during more than 20 seconds when the remote DNS servers do not respond to type
99 DNS requests because of some firewall filtering.

With Google for example, no problems (tcpdump snapshot):

08:57:15.258710 IP 10.10.100.45790 > 8.8.8.8.domain: 10980+ Type99? yahoo.fr. (26)
08:57:15.308105 IP 8.8.8.8.domain > 10.10.100.45790: 10980 0/1/0 (106)

But when type 99 is filtered, no response is returned:

09:07:33.773695 IP 10.10.100.2.45983 > HIDDEN.domain: 19161 Type99? HIDDEN. (38)
09:07:35.776550 IP 10.10.100.2.45983 > HIDDEN.domain: 3 Type99? HIDDEN. (38)
09:07:43.778003 IP 10.10.100.2.45983 > HIDDEN.domain: 50260 Type99? HIDDEN. (38)
09:07:51.780149 IP 10.10.100.2.45983 > HIDDEN.domain: 58838 Type99? HIDDEN. (38)

I bumped into this with a client of mine and now that he has removed the type 99
filtering on his firewall, everything's smooth. But is there a way to specify
some sort of timeout in an ACL? defer_ok? delay? Unfortunately I can't
easily do testing on my production mail platform.

As far as I understand, libspf2 looks up type 99 (SPF) records and if a 'no
such record' is returned, moves on to a type 16 (TXT) lookup. The problem here
is that libspf2 never gets a response, and remote SMTP servers close the
connection considering it has timed out.

Thanks for your help.

Christian
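As an added example (not part of Christian's post, nor code from Exim or libspf2), the script below turns the tcpdump output quoted above into a quick check for this failure mode: it pairs each DNS query with its reply by client endpoint and transaction id, groups the resolver's retransmissions for the same name and record type, and flags lookups that were retried several times over many seconds without ever being answered. That is the signature of a firewall silently dropping the query, as opposed to a clean 'no such record' reply (which tcpdump prints as NXDomain) that libspf2 can fall through from immediately. The sample lines are the six tcpdump lines from the post, joined back onto single lines; the regexes are written against that tcpdump one-line format and are an assumption of the example.

```python
"""Find DNS queries that never receive a reply in tcpdump output.

Added example, not from the original post. It pairs query and response lines
by (client endpoint, transaction id), groups retransmissions of the same
(qtype, qname, server) triple, and reports how many attempts were made and
over how many seconds, so a filtered type 99 (SPF) lookup stands out as
"N attempts, no answer, long span" instead of a fast NXDomain/NoError reply.
"""
import re
from collections import OrderedDict

# Patterns constructed from the tcpdump one-liners in the post (assumption:
# default tcpdump DNS formatting, no -v).
#   Query:    "ts IP client > server: txid[+] Type99? name. (len)"
#   Response: "ts IP server > client: txid[*|$-] [Rcode] an/ns/ar [records] (len)"
_PREFIX = r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<txid>\d+)"
QUERY_RE = re.compile(_PREFIX + r"\+? (?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+) \(\d+\)$")
RESP_RE = re.compile(_PREFIX + r"[*|$\-]* ?(?P<rcode>[A-Za-z]+ )?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")

# The post's own tcpdump lines, used here as constructed sample input.
SAMPLE = """\
08:57:15.258710 IP 10.10.100.45790 > 8.8.8.8.domain: 10980+ Type99? yahoo.fr. (26)
08:57:15.308105 IP 8.8.8.8.domain > 10.10.100.45790: 10980 0/1/0 (106)
09:07:33.773695 IP 10.10.100.2.45983 > HIDDEN.domain: 19161 Type99? HIDDEN. (38)
09:07:35.776550 IP 10.10.100.2.45983 > HIDDEN.domain: 3 Type99? HIDDEN. (38)
09:07:43.778003 IP 10.10.100.2.45983 > HIDDEN.domain: 50260 Type99? HIDDEN. (38)
09:07:51.780149 IP 10.10.100.2.45983 > HIDDEN.domain: 58838 Type99? HIDDEN. (38)
""".splitlines()


def _seconds(ts):
    """Convert a tcpdump hh:mm:ss.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze(lines):
    """Return {(qtype, qname, server): {attempts, answered, rcode, span_seconds}}.

    span_seconds runs from the first query to the reply (if any) or to the last
    retransmission, which is the time the resolver, and thus the SMTP session,
    was stalled on that lookup.
    """
    pending = {}          # (client endpoint, txid) -> group key, for pairing replies
    groups = OrderedDict()
    for line in lines:
        line = line.strip()
        q = QUERY_RE.match(line)
        if q:
            key = (q["qtype"], q["qname"], q["dst"])
            t = _seconds(q["ts"])
            g = groups.setdefault(key, {"attempts": 0, "answered": False,
                                        "rcode": None, "first": t, "last": t})
            g["attempts"] += 1
            g["last"] = t
            pending[(q["src"], q["txid"])] = key
            continue
        r = RESP_RE.match(line)
        if r:
            key = pending.pop((r["dst"], r["txid"]), None)
            if key is not None:
                g = groups[key]
                g["answered"] = True
                # tcpdump prints no rcode word for NOERROR; NXDomain/ServFail otherwise.
                g["rcode"] = r["rcode"].strip() if r["rcode"] else "NoError"
                g["last"] = _seconds(r["ts"])
    return {k: {"attempts": g["attempts"], "answered": g["answered"],
                "rcode": g["rcode"],
                "span_seconds": round(g["last"] - g["first"], 6)}
            for k, g in groups.items()}


def likely_filtered(results, min_attempts=2, min_span=5.0):
    """Lookups retried at least min_attempts times over min_span seconds with no reply.

    A dropped packet is retransmitted; a server that answers NXDomain is not.
    """
    return [k for k, v in results.items()
            if not v["answered"] and v["attempts"] >= min_attempts
            and v["span_seconds"] >= min_span]


if __name__ == "__main__":
    results = analyze(SAMPLE)
    for (qtype, qname, server), v in results.items():
        status = v["rcode"] if v["answered"] else "NO REPLY"
        print(f"{qtype:8} {qname:12} via {server:18} attempts={v['attempts']} "
              f"span={v['span_seconds']:.3f}s {status}")
    for key in likely_filtered(results):
        print("likely filtered upstream:", key)
```

On the post's data this reports the Google lookup as answered (NoError, about 50 ms) and the HIDDEN lookup as four attempts over 18 seconds with no reply, which is the stall the remote SMTP servers give up on. The same parser works on a longer capture taken with `tcpdump -n port 53`, which is a cheaper way to locate a filtering firewall than adjusting ACL timeouts on a production mail platform.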