CINXE.COM
Question #258212 “No valid SPF record for included Google SPF re...” : Questions : pypolicyd-spf
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> <base href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+index" /> <meta charset="UTF-8" /> <title>Question #258212 “No valid SPF record for included Google SPF re...” : Questions : pypolicyd-spf</title> <link rel="apple-touch-icon" sizes="180x180" href="/@@/apple-touch-icon.png?v=2022" /> <link rel="icon" type="image/png" sizes="32x32" href="/@@/favicon-32x32.png?v=2022" /> <link rel="icon" type="image/png" sizes="16x16" href="/@@/favicon-16x16.png?v=2022" /> <link rel="manifest" href="/@@/site.webmanifest?v=2022" /> <link rel="mask-icon" href="/@@/safari-pinned-tab.svg?v=2022" color="#e9531f" /> <link rel="shortcut icon" href="/@@/favicon.ico?v=2022" /> <meta name="msapplication-TileColor" content="#da532c" /> <meta name="msapplication-config" content="/@@/browserconfig.xml?v=2022" /> <meta name="theme-color" content="#ffffff" /> <link type="text/css" rel="stylesheet" media="screen, print" href="/+icing/rev78860d903de6d6d7dd5a0ade63efaca45d3467e2/combo.css" /> <meta name="description" content="Hi, I'm running postfix-policyd-spf-python 1.3.1 on Ubuntu 14.04 and everything seems to be working fine with one significant exception: SPF checks for sender domains that have _spf.google.com included in their SPF record fail with the following error: spfcheck: pyspf result: "['Permerror', 'SPF Permanent Error: No valid SPF record for included domain: _spf.google.com: include:_spf.google.com', 'mailfrom']" The _spf.google.com domain is used for domains hosted with Google Apps. This pr..." /> <meta property="og:description" content="Hi, I'm running postfix-policyd-spf-python 1.3.1 on Ubuntu 14.04 and everything seems to be working fine with one significant exception: SPF checks for sender domains that have _spf.google.com included in their SPF record fail with the following error: spfcheck: pyspf result: "['Permerror', 'SPF Permanent Error: No valid SPF record for included domain: _spf.google.com: include:_spf.google.com', 'mailfrom']" The _spf.google.com domain is used for domains hosted with Google Apps. This pr..." /> <meta property="og:title" content="Question #258212 “No valid SPF record for included Google SPF re...” : Questions : pypolicyd-spf" /> <meta property="og:type" content="website" /> <meta property="og:image" content="/@@/launchpad-og-image.png" /> <meta property="og:url" content="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+index" /> <meta property="og:site_name" content="Launchpad" /> <script type="text/javascript"> var LP = { cache: {}, links: {} }; </script> <script type="text/javascript">var cookie_scope = '; Path=/; Secure; Domain=.launchpad.net';</script> <script type="text/javascript" src="/+combo/rev78860d903de6d6d7dd5a0ade63efaca45d3467e2/?yui/yui/yui-min.js&lp/meta.js&yui/loader/loader-min.js"></script> <script type="text/javascript"> var raw = null; if (LP.devmode) { raw = 'raw'; } YUI.GlobalConfig = { combine: true, comboBase: '/+combo/rev78860d903de6d6d7dd5a0ade63efaca45d3467e2/?', root: 'yui/', filter: raw, debug: false, fetchCSS: false, maxURLLength: 2000, groups: { lp: { combine: true, base: '/+combo/rev78860d903de6d6d7dd5a0ade63efaca45d3467e2/?lp/', comboBase: '/+combo/rev78860d903de6d6d7dd5a0ade63efaca45d3467e2/?', root: 'lp/', // comes from including lp/meta.js modules: LP_MODULES, fetchCSS: false } } }</script> <script type="text/javascript"> // we need this to create a single YUI instance all events and code // talks across. All instances of YUI().use should be based off of // LPJS instead. var LPJS = new YUI(); </script> <script id="base-layout-load-scripts" type="text/javascript"> //<![CDATA[ LPJS.use('base', 'node', 'console', 'event', 'oop', 'lp', 'lp.app.foldables','lp.app.sorttable', 'lp.app.inlinehelp', 'lp.app.links', 'lp.bugs.bugtask_index', 'lp.bugs.subscribers', 'lp.app.ellipsis', 'lp.code.branchmergeproposal.diff', 'lp.views.global', function(Y) { Y.on("domready", function () { var global_view = new Y.lp.views.Global(); global_view.render(); Y.lp.app.sorttable.SortTable.init(); Y.lp.app.inlinehelp.init_help(); Y.lp.activate_collapsibles(); Y.lp.app.foldables.activate(); Y.lp.app.links.check_valid_lp_links(); }); Y.on('lp:context:web_link:changed', function(e) { window.location = e.new_value; }); }); //]]> </script> <script id="base-helper-functions" type="text/javascript"> //<![CDATA[ // This code is pulled from lp.js that needs to be available on every // request. Pulling here to get it outside the scope of the YUI block. function setFocusByName(name) { // Focus the first element matching the given name which can be focused. var nodes = document.getElementsByName(name); var i, node; for (i = 0; i < nodes.length; i++) { node = nodes[i]; if (node.focus) { try { // Trying to focus a hidden element throws an error in IE8. if (node.offsetHeight !== 0) { node.focus(); } } catch (e) { LPJS.use('console', function(Y) { Y.log('In setFocusByName(<' + node.tagName + ' type=' + node.type + '>): ' + e); }); } break; } } } function selectWidget(widget_name, event) { if (event && (event.keyCode === 9 || event.keyCode === 13)) { // Avoid firing if user is tabbing through or simply pressing // enter to submit the form. return; } document.getElementById(widget_name).checked = true; } //]]> </script> <style type="text/css" media="screen"> div.confirmBox { margin: 0; padding-right: 0.5em; padding-bottom: 0.5em; text-align: right; } </style> <script type="text/javascript"> LPJS.use('base', 'node', 'event', 'lp.app.comment', 'lp.answers.subscribers', 'lp.services.messages.edit', function(Y) { Y.on('domready', function() { LP.cache.comment_context = LP.cache.context; var first_comment = Y.one('.boardComment'); if (first_comment !== null) { var cl = new Y.lp.app.comment.CommentList({ comment_list_container: first_comment.get('parentNode') }); cl.render(); } new Y.lp.answers.subscribers.createQuestionSubscribersLoader(); Y.lp.services.messages.edit.setup(); }); }); </script> </head> <body id="document" itemscope="" itemtype="http://schema.org/WebPage" class="tab-answers main_side public yui3-skin-sam"> <div class="yui-d0"> <div id="locationbar" class="login-logout"> <div id="logincontrol"><a href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+login">Log in / Register</a></div> </div><!--id="locationbar"--> <div id="watermark" class="watermark-apps-portlet"> <div> <a href="https://launchpad.net/pypolicyd-spf"><img alt="" width="64" height="64" src="/@@/product-logo" /></a> </div> <div class="wide"> <h2 id="watermark-heading"><a href="https://launchpad.net/pypolicyd-spf">pypolicyd-spf</a></h2> </div> <!-- Application Menu --> <ul class="facetmenu"> <li class="overview"><a href="https://launchpad.net/pypolicyd-spf">Overview</a></li> <li class="branches"><a href="https://code.launchpad.net/pypolicyd-spf">Code</a></li> <li class="bugs"><a href="https://bugs.launchpad.net/pypolicyd-spf">Bugs</a></li> <li class="specifications"><a href="https://blueprints.launchpad.net/pypolicyd-spf">Blueprints</a></li> <li class="translations"><a href="https://translations.launchpad.net/pypolicyd-spf">Translations</a></li> <li class="answers active"><a href="https://answers.launchpad.net/pypolicyd-spf">Answers</a></li> </ul> </div> <div class="yui-t4"> <div id="maincontent" class="yui-main"> <div class="yui-b" dir="ltr" lang="en" xml:lang="en"> <div class="context-publication"> <h1>No valid SPF record for included Google SPF records</h1> <div id="registration" class="registering"> Asked by <a href="https://launchpad.net/~andre-esser-4-deactivatedaccount" class="sprite person-inactive">Andre Esser</a> <time title="2014-11-25 11:30:16 UTC" datetime="2014-11-25T11:30:16.018021+00:00">on 2014-11-25</time> </div> </div> <div id="request-notifications"> </div> <div> <div class="report"><p>Hi,</p> <p>I'm running postfix-<wbr />policyd-<wbr />spf-python 1.3.1 on Ubuntu 14.04 and everything seems to be working fine with one significant exception: SPF checks for sender domains that have _spf.google.com included in their SPF record fail with the following error:</p> <p> spfcheck: pyspf result: "['Permerror', 'SPF Permanent Error: No valid SPF record for included domain: _spf.google.com:<br /> include:<wbr />_spf.google.<wbr />com', 'mailfrom']"</p> <p>The _spf.google.com domain is used for domains hosted with Google Apps. This problems occurs with our own domain ('geneity.co.uk') as well as with others that have Google's SPF record included. I've verified our SPF record with a number of online SPF checkers and the result is always OK.</p> <p>Here is the debug output for such a failed SPF check, hope someone can shed some light on this:</p> <p>postfix/smtpd[417]: connect from mail-wi0-<wbr />f178.google.<wbr />com[209.<wbr />85.212.<wbr />178]<br /> postfix/smtpd[417]: Anonymous TLS connection established from mail-wi0-<wbr />f178.google.<wbr />com[209.<wbr />85.212.<wbr />178]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)<br /> policyd-spf[453]: Read line: "request=<wbr />smtpd_access_<wbr />policy"<br /> policyd-spf[453]: Read line: "protocol_<wbr />state=RCPT"<br /> policyd-spf[453]: Read line: "protocol_<wbr />name=ESMTP"<br /> policyd-spf[453]: Read line: "client_<wbr />address=<wbr />209.85.<wbr />212.178"<br /> policyd-spf[453]: Read line: "client_<wbr />name=mail-<wbr />wi0-f178.<wbr />google.<wbr />com"<br /> policyd-spf[453]: Read line: "reverse_<wbr />client_<wbr />name=mail-<wbr />wi0-f178.<wbr />google.<wbr />com"<br /> policyd-spf[453]: Read line: "helo_name=<wbr />mail-wi0-<wbr />f178.google.<wbr />com"<br /> policyd-spf[453]: Read line: "<email address hidden>"<br /> policyd-spf[453]: Read line: "<email address hidden>"<br /> policyd-spf[453]: Read line: "recipient_count=0"<br /> policyd-spf[453]: Read line: "queue_id="<br /> policyd-spf[453]: Read line: "instance=<wbr />1a1.54746599.<wbr />c5b7a.0"<br /> policyd-spf[453]: Read line: "size=1999"<br /> policyd-spf[453]: Read line: "etrn_domain="<br /> policyd-spf[453]: Read line: "stress="<br /> policyd-spf[453]: Read line: "sasl_method="<br /> policyd-spf[453]: Read line: "sasl_username="<br /> policyd-spf[453]: Read line: "sasl_sender="<br /> policyd-spf[453]: Read line: "ccert_subject="<br /> policyd-spf[453]: Read line: "ccert_issuer="<br /> policyd-spf[453]: Read line: "ccert_<wbr />fingerprint=<wbr />"<br /> policyd-spf[453]: Read line: "ccert_<wbr />pubkey_<wbr />fingerprint=<wbr />"<br /> policyd-spf[453]: Read line: "encryption_<wbr />protocol=<wbr />TLSv1"<br /> policyd-spf[453]: Read line: "encryption_<wbr />cipher=<wbr />ECDHE-RSA-<wbr />RC4-SHA"<br /> policyd-spf[453]: Read line: "encryption_<wbr />keysize=<wbr />128"<br /> policyd-spf[453]: Read line: ""<br /> policyd-spf[453]: Found the end of entry<br /> policyd-spf[453]: Config: {'debugLevel': 4, 'HELO_reject': 'SPF_Not_Pass', 'PermError_reject': 'False', 'TempError_Defer': 'False', 'Lookup_Time': 20, 'Mail_From_reject': 'Fail', 'Header<br /> _Type': 'SPF', 'Mail_From_<wbr />pass_restrictio<wbr />n': 'PERMIT', 'defaultSeedOnly': 1, 'Void_Limit': 2, 'HELO_pass_<wbr />restriction'<wbr />: 'PERMIT', 'skip_addresses': '127.0.<wbr />0.0/8,:<wbr />:ffff:127.<wbr />0.0.0/104,<wbr />::1'}<br /> policyd-spf[453]: Cached data for this instance: []<br /> policyd-spf[453]: spfcheck: pyspf result: "['None', '', 'helo']"<br /> policyd-spf[453]: None; identity=helo; client-<wbr />ip=209.<wbr />85.212.<wbr />178; helo=mail-<wbr />wi0-f178.<wbr />google.<wbr />com;<br /> <email address hidden>; <email address hidden><br /> policyd-spf[453]: spfcheck: pyspf result: "['Permerror', 'SPF Permanent Error: No valid SPF record for included domain:<br /> _spf.google.com: include:<wbr />_spf.google.<wbr />com', 'mailfrom']"<br /> policyd-spf[453]: Permerror; identity=mailfrom; client-<wbr />ip=209.<wbr />85.212.<wbr />178; helo=mail-<wbr />wi0-f178.<wbr />google.<wbr />com;<br /> <email address hidden>; <email address hidden><br /> policyd-spf[453]: Action: prepend: Text: Received-SPF: Permerror (SPF Permanent Error: No valid SPF record for included<br /> domain: _spf.google.com: include:<wbr />_spf.google.<wbr />com) identity=mailfrom; client-<wbr />ip=209.<wbr />85.212.<wbr />178;<br /> helo=mail-<wbr />wi0-f178.<wbr />google.<wbr />com; <email address hidden>; <email address hidden></p></div> <div class="portlet"> <h2>Question information</h2> <div class="yui-g"> <div class="yui-u first"> <div id="portlet-details" xml:lang="en" lang="en" dir="ltr"> <div class="two-column-list"> <dl id="question-lang"> <dt>Language:</dt> <dd> English <a class="menu-link-edit sprite edit action-icon" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+edit">Edit question</a> </dd> </dl> <dl id="question-status"> <dt>Status:</dt> <dd> <span class="questionstatusSOLVED">Solved</span> </dd> </dl> <dl> <dt>For:</dt> <dd> <a href="https://launchpad.net/pypolicyd-spf" class="sprite product">pypolicyd-spf</a> <a class="menu-link-edit sprite edit action-icon" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+edit">Edit question</a> </dd> </dl> <dl> <dt>Assignee:</dt> <dd> No assignee <a class="menu-link-edit sprite edit action-icon" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+edit">Edit question</a> </dd> </dl> <dl> <dt>Solved by:</dt> <dd> <a href="https://launchpad.net/~andre-esser-4-deactivatedaccount" class="sprite person-inactive">Andre Esser</a> </dd> </dl> <dl> <dt>Solved:</dt> <dd> <time title="2014-11-25 17:12:36 UTC" datetime="2014-11-25T17:12:36.077434+00:00">2014-11-25</time> </dd> </dl> <dl style="clear: both;"> <dt>Last query:</dt> <dd> <time title="2014-11-25 17:12:36 UTC" datetime="2014-11-25T17:12:36.077434+00:00">2014-11-25</time> </dd> </dl> <dl> <dt>Last reply:</dt> <dd> <time title="2014-11-25 16:50:26 UTC" datetime="2014-11-25T16:50:26.400282+00:00">2014-11-25</time> </dd> </dl> </div> </div> </div> <div class="yui-u"> <div id="related-bugs"> <h3>Related bugs</h3> <ul> </ul> </div> <ul class="horizontal"> <li><a class="menu-link-linkbug sprite add" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+linkbug">Link existing bug</a></li> </ul> <div id="related-faq" style="margin-top: 1em;"> <h3>Related FAQ:</h3> <p> None <a class="menu-link-linkfaq sprite add action-icon" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+linkfaq" title="Link this question to a FAQ.">Link to a FAQ</a> </p> </div> </div> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/1" data-i-can-edit="False" id="comment-0"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~kitterman" class="sprite person">Scott Kitterman (kitterman)</a> said <time itemprop="commentTime" datetime="2014-11-25T13:35:01.869324+00:00" title="2014-11-25 13:35:01 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #1</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>It works here. That leads me to suspect this is a local DNS issue rather than a bug in the program, particularly since (as you suggest) the _spf.google.com SPF record is quite widely used and no one else has complained.</p> <p>Can you log into the host where you have the policy server installed (ssh or locally, doesn't matter) and see what the output of:</p> <p>dig txt _spf.google.com</p> <p>is?</p> <p>You should get an answer like:</p> <p>;; ANSWER SECTION:<br /> _spf.google.com. 14 IN TXT "v=spf1 include:<wbr />_netblocks.<wbr />google.<wbr />com include:<wbr />_netblocks2.<wbr />google.<wbr />com include:<wbr />_netblocks3.<wbr />google.<wbr />com ~all"</p> <p>If you don't, that confirms a local DNS problem. It may also just be a transient issue where lookups occasionally fail.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">It works here. That leads me to suspect this is a local DNS issue rather than a bug in the program, particularly since (as you suggest) the _spf.google.com SPF record is quite widely used and no one else has complained. Can you log into the host where you have the policy server installed (ssh or locally, doesn't matter) and see what the output of: dig txt _spf.google.com is? You should get an answer like: ;; ANSWER SECTION: _spf.google.com. 14 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" If you don't, that confirms a local DNS problem. It may also just be a transient issue where lookups occasionally fail.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/2" data-i-can-edit="False" id="comment-1"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~andre-esser-4-deactivatedaccount" class="sprite person-inactive">Andre Esser (andre-esser-4-deactivatedaccount)</a> said <time itemprop="commentTime" datetime="2014-11-25T13:45:21.500537+00:00" title="2014-11-25 13:45:21 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #2</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>Thanks Scott,</p> <p>I checked all that. DNS seems fine and there are no problems verifying other SPF records. I've restarted nscd and rebooted the server several times. The problem has persisted for several weeks now.</p> <p>Here's the dig output:</p> <p> [13:40:35] andre@proxy-103:~$ dig txt _spf.google.com +short<br /> "v=spf1 include:<wbr />_netblocks.<wbr />google.<wbr />com include:<wbr />_netblocks2.<wbr />google.<wbr />com include:<wbr />_netblocks3.<wbr />google.<wbr />com ~all"</p> <p>One more thing that might be of interest. While most Gogole related SPF checks fail with:</p> <p> No valid SPF record for included domain: _spf.google.com</p> <p>I also get the occasional:</p> <p> No valid SPF record for included domain: _netblocks.<wbr />google.<wbr />com</p> <p>which appears to indicate a race condition/timeout somewhere. Is there a DNS lookup timeout for policyd that can be configured?</p> <p>Andre</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Thanks Scott, I checked all that. DNS seems fine and there are no problems verifying other SPF records. I've restarted nscd and rebooted the server several times. The problem has persisted for several weeks now. Here's the dig output: [13:40:35] andre@proxy-103:~$ dig txt _spf.google.com +short "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" One more thing that might be of interest. While most Gogole related SPF checks fail with: No valid SPF record for included domain: _spf.google.com I also get the occasional: No valid SPF record for included domain: _netblocks.google.com which appears to indicate a race condition/timeout somewhere. Is there a DNS lookup timeout for policyd that can be configured? Andre</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/3" data-i-can-edit="False" id="comment-2"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~kitterman" class="sprite person">Scott Kitterman (kitterman)</a> said <time itemprop="commentTime" datetime="2014-11-25T14:39:14.036510+00:00" title="2014-11-25 14:39:14 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #3</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>Yes, the parameter is Lookup_Time. You can add something like this to the config file:</p> <p>Lookup_Time = 20</p> <p>20 seconds is the default.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Yes, the parameter is Lookup_Time. You can add something like this to the config file: Lookup_Time = 20 20 seconds is the default. </textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/4" data-i-can-edit="False" id="comment-3"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~andre-esser-4-deactivatedaccount" class="sprite person-inactive">Andre Esser (andre-esser-4-deactivatedaccount)</a> said <time itemprop="commentTime" datetime="2014-11-25T15:19:19.657604+00:00" title="2014-11-25 15:19:19 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #4</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>That's a red herring then as there was never a noticeable delay in DNS lookups according to the logs. I've increased it to 60 seconds but am still getting the</p> <p> No valid SPF record for included domain: _spf.google.com</p> <p>errors.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">That's a red herring then as there was never a noticeable delay in DNS lookups according to the logs. I've increased it to 60 seconds but am still getting the No valid SPF record for included domain: _spf.google.com errors.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/5" data-i-can-edit="False" id="comment-4"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~kitterman" class="sprite person">Scott Kitterman (kitterman)</a> said <time itemprop="commentTime" datetime="2014-11-25T15:25:50.041749+00:00" title="2014-11-25 15:25:50 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #5</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>What platform is this on and what version of pydns (Python DNS) are you using?</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">What platform is this on and what version of pydns (Python DNS) are you using?</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/6" data-i-can-edit="False" id="comment-5"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~andre-esser-4-deactivatedaccount" class="sprite person-inactive">Andre Esser (andre-esser-4-deactivatedaccount)</a> said <time itemprop="commentTime" datetime="2014-11-25T15:30:05.376748+00:00" title="2014-11-25 15:30:05 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #6</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>Ubuntu 14.04 on x86_64, python3-dns version 3.0.4.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Ubuntu 14.04 on x86_64, python3-dns version 3.0.4.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/7" data-i-can-edit="False" id="comment-6"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~kitterman" class="sprite person">Scott Kitterman (kitterman)</a> said <time itemprop="commentTime" datetime="2014-11-25T16:05:55.731960+00:00" title="2014-11-25 16:05:55 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #7</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>I'm mystified. That's exactly what I'm testing with here.</p> <p>If you log into the server and manually execute the policy server, you should be able then feed it the same input as postfix is sending it (everything after Read line and between the quotes in your original question). Then a trailing emtpy line.</p> <p>It would be interesting to see if you get any different results or error messages when you run it by hand.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">I'm mystified. That's exactly what I'm testing with here. If you log into the server and manually execute the policy server, you should be able then feed it the same input as postfix is sending it (everything after Read line and between the quotes in your original question). Then a trailing emtpy line. It would be interesting to see if you get any different results or error messages when you run it by hand.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/8" data-i-can-edit="False" id="comment-7"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~andre-esser-4-deactivatedaccount" class="sprite person-inactive">Andre Esser (andre-esser-4-deactivatedaccount)</a> said <time itemprop="commentTime" datetime="2014-11-25T16:16:18.222510+00:00" title="2014-11-25 16:16:18 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #8</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>Same result:</p> <p>[16:15:22] root@proxy-103:~# sudo -u nobody /usr/bin/python3 /usr/bin/<wbr />policyd-<wbr />spf /etc/postfix-<wbr />policyd-<wbr />spf-python/<wbr />policyd-<wbr />spf.conf<br /> request=<wbr />smtpd_access_<wbr />policy<br /> protocol_state=RCPT<br /> protocol_name=ESMTP<br /> client_<wbr />address=<wbr />209.85.<wbr />212.178<br /> client_<wbr />name=mail-<wbr />wi0-f178.<wbr />google.<wbr />com<br /> reverse_<wbr />client_<wbr />name=mail-<wbr />wi0-f178.<wbr />google.<wbr />com<br /> helo_name=<wbr />mail-wi0-<wbr />f178.google.<wbr />com<br /> <email address hidden><br /> <email address hidden><br /> recipient_count=0<br /> queue_id=<br /> instance=<wbr />1a1.54746599.<wbr />c5b7a.0<br /> size=1999<br /> etrn_domain=<br /> stress=<br /> sasl_method=<br /> sasl_username=<br /> sasl_sender=<br /> ccert_subject=<br /> ccert_issuer=<br /> ccert_fingerprint=<br /> ccert_pubkey_<wbr />fingerprint=<br /> encryption_<wbr />protocol=<wbr />TLSv1<br /> encryption_<wbr />cipher=<wbr />ECDHE-RSA-<wbr />RC4-SHA<br /> encryption_<wbr />keysize=<wbr />128</p> <p>action=prepend Received-SPF: Permerror (SPF Permanent Error: No valid SPF record for included domain: _spf.google.com: include:<wbr />_spf.google.<wbr />com) identity=mailfrom; client-<wbr />ip=209.<wbr />85.212.<wbr />178; helo=mail-<wbr />wi0-f178.<wbr />google.<wbr />com; <email address hidden>; <email address hidden></p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Same result: [16:15:22] root@proxy-103:~# sudo -u nobody /usr/bin/python3 /usr/bin/policyd-spf /etc/postfix-policyd-spf-python/policyd-spf.conf request=smtpd_access_policy protocol_state=RCPT protocol_name=ESMTP client_address=209.85.212.178 client_name=mail-wi0-f178.google.com reverse_client_name=mail-wi0-f178.google.com helo_name=mail-wi0-f178.google.com sender=andre.esser@geneity.co.uk recipient=aesser@geneity.co.uk recipient_count=0 queue_id= instance=1a1.54746599.c5b7a.0 size=1999 etrn_domain= stress= sasl_method= sasl_username= sasl_sender= ccert_subject= ccert_issuer= ccert_fingerprint= ccert_pubkey_fingerprint= encryption_protocol=TLSv1 encryption_cipher=ECDHE-RSA-RC4-SHA encryption_keysize=128 action=prepend Received-SPF: Permerror (SPF Permanent Error: No valid SPF record for included domain: _spf.google.com: include:_spf.google.com) identity=mailfrom; client-ip=209.85.212.178; helo=mail-wi0-f178.google.com; envelope-from=andre.esser@geneity.co.uk; receiver=aesser@geneity.co.uk </textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/9" data-i-can-edit="False" id="comment-8"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~andre-esser-4-deactivatedaccount" class="sprite person-inactive">Andre Esser (andre-esser-4-deactivatedaccount)</a> said <time itemprop="commentTime" datetime="2014-11-25T16:17:03.528063+00:00" title="2014-11-25 16:17:03 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #9</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>Also the same result if I run it as root.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Also the same result if I run it as root.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/10" data-i-can-edit="False" id="comment-9"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~kitterman" class="sprite person">Scott Kitterman (kitterman)</a> said <time itemprop="commentTime" datetime="2014-11-25T16:26:57.675184+00:00" title="2014-11-25 16:26:57 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #10</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>Thanks. Let's move down the stack and see what happens if pyspf tries to retrieve the record. Please try:</p> <p>python3 /usr/lib/<wbr />python3/<wbr />dist-packages/<wbr />spf.py _spf.google.com</p> <p>You might also install python-spf (if you haven't already) and try:</p> <p>python /usr/lib/<wbr />python2.<wbr />7/dist-<wbr />packages/<wbr />spf.py _spf.google.com</p> <p>If one of those works and the other doesn't, then we'll have a clue.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Thanks. Let's move down the stack and see what happens if pyspf tries to retrieve the record. Please try: python3 /usr/lib/python3/dist-packages/spf.py _spf.google.com You might also install python-spf (if you haven't already) and try: python /usr/lib/python2.7/dist-packages/spf.py _spf.google.com If one of those works and the other doesn't, then we'll have a clue.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/11" data-i-can-edit="False" id="comment-10"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~andre-esser-4-deactivatedaccount" class="sprite person-inactive">Andre Esser (andre-esser-4-deactivatedaccount)</a> said <time itemprop="commentTime" datetime="2014-11-25T16:34:22.347589+00:00" title="2014-11-25 16:34:22 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #11</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>Thanks for your perseverance, results as follows:</p> <p> [16:33:08] root@proxy-103:~# python3 /usr/lib/<wbr />python3/<wbr />dist-packages/<wbr />spf.py _spf.google.com<br /> None</p> <p> [16:33:11] root@proxy-103:~# python /usr/lib/<wbr />python2.<wbr />7/dist-<wbr />packages/<wbr />spf.py _spf.google.com<br /> None</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Thanks for your perseverance, results as follows: [16:33:08] root@proxy-103:~# python3 /usr/lib/python3/dist-packages/spf.py _spf.google.com None [16:33:11] root@proxy-103:~# python /usr/lib/python2.7/dist-packages/spf.py _spf.google.com None </textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/12" data-i-can-edit="False" id="comment-11"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~kitterman" class="sprite person">Scott Kitterman (kitterman)</a> said <time itemprop="commentTime" datetime="2014-11-25T16:50:26.400282+00:00" title="2014-11-25 16:50:26 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #12</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>OK. Both those absolutely work here.</p> <p>That at least gets the policy server off the hook.</p> <p>You don't have any python related stuff in /usr/local do you?</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">OK. Both those absolutely work here. That at least gets the policy server off the hook. You don't have any python related stuff in /usr/local do you?</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/13" data-i-can-edit="False" id="comment-12"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~andre-esser-4-deactivatedaccount" class="sprite person-inactive">Andre Esser (andre-esser-4-deactivatedaccount)</a> said <time itemprop="commentTime" datetime="2014-11-25T17:12:36.077434+00:00" title="2014-11-25 17:12:36 UTC">on 2014-11-25</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #13</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>Nothing in /usr/local, but I've done a bit more testing and it turns out that when I switch the name server in /etc/resolv.conf from our local one to 8.8.8.8 all lookups work as expected.</p> <p>Baffled why this is only a problem when using Python and seemingly only for the lookups in _spf.google.com, but I'll try to dig a bit deeper.</p> <p>Many thanks for your help,</p> <p>Andre</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Nothing in /usr/local, but I've done a bit more testing and it turns out that when I switch the name server in /etc/resolv.conf from our local one to 8.8.8.8 all lookups work as expected. Baffled why this is only a problem when using Python and seemingly only for the lookups in _spf.google.com, but I'll try to dig a bit deeper. Many thanks for your help, Andre </textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/pypolicyd-spf/+question/258212/messages/14" data-i-can-edit="False" id="comment-13"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~andre-esser-4-deactivatedaccount" class="sprite person-inactive">Andre Esser (andre-esser-4-deactivatedaccount)</a> said <time itemprop="commentTime" datetime="2014-12-10T11:19:12.219728+00:00" title="2014-12-10 11:19:12 UTC">on 2014-12-10</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #14</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>Quick update, this turned out to be caused by case-sensitice handling of cached Bind replies by pyspf versions prior to 2.0.11.</p> <p><a rel="nofollow" href="http://bmsi.com/pipermail/pymilter/2014-December/000377.html">http://<wbr />bmsi.com/<wbr />pipermail/<wbr />pymilter/<wbr />2014-December/<wbr />000377.<wbr />html</a></p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Quick update, this turned out to be caused by case-sensitice handling of cached Bind replies by pyspf versions prior to 2.0.11. http://bmsi.com/pipermail/pymilter/2014-December/000377.html</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div id="question" dir="en" lang="en" xml:lang="en"> <div class="yui-g"> <ul class="horizontal" id="horizontal-menu"> <li><a class="menu-link-history sprite list" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+history">History</a></li> <li><a class="menu-link-linkbug sprite add" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+linkbug">Link existing bug</a></li> <li><a class="menu-link-makebug sprite add" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+makebug" title="Create a bug report from this question.">Create bug report</a></li> <li><a class="menu-link-linkfaq sprite add" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+linkfaq" title="Link this question to a FAQ.">Link to a FAQ</a></li> <li><a class="menu-link-createfaq sprite add" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+createfaq" title="Create a new FAQ from this question.">Create a new FAQ</a></li> </ul> </div> <div align="center"> To post a message you must <a href="+login">log in</a>. </div> </div> </div> </div><!-- yui-b --> </div><!-- yui-main --> <div id="side-portlets" class="yui-b side"> <div id="involvement" class="portlet"> <ul class="involvement"> <li class="single"> <a class="sprite answers" href="https://answers.launchpad.net/pypolicyd-spf/+addquestion"> Ask a question </a> </li> </ul> </div> <div id="global-actions" class="portlet vertical"> <ul> <li> <a class="menu-link-edit sprite modify edit" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+edit">Edit question</a> </li> </ul> </div> <div class="portlet" id="subscribers"> <h2>Subscribers</h2> <div id="current_user_subscription"> <div><a class="menu-link-subscription sprite add" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+subscribe" title="You will receive email notifications about updates to this question">Subscribe</a></div> </div> <div> <div><a class="menu-link-addsubscriber sprite add" href="https://answers.launchpad.net/pypolicyd-spf/+question/258212/+addsubscriber" title="Launchpad will email that person whenever this question changes">Subscribe someone else</a></div> </div> <div id="other-question-subscribers"></div> </div> </div><!-- yui-b side --> </div><!-- yui-t4 --> <div id="footer" class="footer"> <div class="lp-arcana"> <div class="lp-branding"> <a href="https://launchpad.net/"><img src="/@@/launchpad-footer-logo.svg" alt="Launchpad" width="65" height="18" /></a> • <a href="https://launchpad.net/+tour">Take the tour</a> • <a href="https://help.launchpad.net/">Read the guide</a> <form id="globalsearch" method="get" accept-charset="UTF-8" action="https://launchpad.net/+search"> <input type="search" id="search-text" name="field.text" /> <input type="image" src="/@@/search" style="vertical-align:5%" alt="Search Launchpad" /> </form> </div> </div> <div class="colophon"> © 2004 <a href="http://canonical.com/">Canonical Ltd.</a> • <a href="https://launchpad.net/legal">Terms of use</a> • <a href="https://www.ubuntu.com/legal/dataprivacy">Data privacy</a> • <a href="/feedback">Contact Launchpad Support</a> • <a href="http://blog.launchpad.net/">Blog</a> • <a href="https://canonical.com/careers">Careers</a> • <a href="https://ubuntu.social/@launchpadstatus">System status</a> <span id="lp-version"> • 78860d9 (<a href="https://dev.launchpad.net/">Get the code!</a>) </span> </div> </div> </div><!-- yui-d0--> <script id="json-cache-script">LP.cache = {"related_features": {}, "context": {"self_link": "https://answers.launchpad.net/api/devel/pypolicyd-spf/+question/258212", "web_link": "https://answers.launchpad.net/pypolicyd-spf/+question/258212", "resource_type_link": "https://answers.launchpad.net/api/devel/#question", "id": 258212, "title": "No valid SPF record for included Google SPF records", "description": "Hi,\n\nI'm running postfix-policyd-spf-python 1.3.1 on Ubuntu 14.04 and everything seems to be working fine with one significant exception: SPF checks for sender domains that have _spf.google.com included in their SPF record fail with the following error:\n\n spfcheck: pyspf result: \"['Permerror', 'SPF Permanent Error: No valid SPF record for included domain: _spf.google.com:\n include:_spf.google.com', 'mailfrom']\"\n\nThe _spf.google.com domain is used for domains hosted with Google Apps. This problems occurs with our own domain ('geneity.co.uk') as well as with others that have Google's SPF record included. I've verified our SPF record with a number of online SPF checkers and the result is always OK.\n\nHere is the debug output for such a failed SPF check, hope someone can shed some light on this:\n\npostfix/smtpd[417]: connect from mail-wi0-f178.google.com[209.85.212.178]\npostfix/smtpd[417]: Anonymous TLS connection established from mail-wi0-f178.google.com[209.85.212.178]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)\npolicyd-spf[453]: Read line: \"request=smtpd_access_policy\"\npolicyd-spf[453]: Read line: \"protocol_state=RCPT\"\npolicyd-spf[453]: Read line: \"protocol_name=ESMTP\"\npolicyd-spf[453]: Read line: \"client_address=209.85.212.178\"\npolicyd-spf[453]: Read line: \"client_name=mail-wi0-f178.google.com\"\npolicyd-spf[453]: Read line: \"reverse_client_name=mail-wi0-f178.google.com\"\npolicyd-spf[453]: Read line: \"helo_name=mail-wi0-f178.google.com\"\npolicyd-spf[453]: Read line: \"\u003cemail address hidden\u003e\"\npolicyd-spf[453]: Read line: \"\u003cemail address hidden\u003e\"\npolicyd-spf[453]: Read line: \"recipient_count=0\"\npolicyd-spf[453]: Read line: \"queue_id=\"\npolicyd-spf[453]: Read line: \"instance=1a1.54746599.c5b7a.0\"\npolicyd-spf[453]: Read line: \"size=1999\"\npolicyd-spf[453]: Read line: \"etrn_domain=\"\npolicyd-spf[453]: Read line: \"stress=\"\npolicyd-spf[453]: Read line: \"sasl_method=\"\npolicyd-spf[453]: Read line: \"sasl_username=\"\npolicyd-spf[453]: Read line: \"sasl_sender=\"\npolicyd-spf[453]: Read line: \"ccert_subject=\"\npolicyd-spf[453]: Read line: \"ccert_issuer=\"\npolicyd-spf[453]: Read line: \"ccert_fingerprint=\"\npolicyd-spf[453]: Read line: \"ccert_pubkey_fingerprint=\"\npolicyd-spf[453]: Read line: \"encryption_protocol=TLSv1\"\npolicyd-spf[453]: Read line: \"encryption_cipher=ECDHE-RSA-RC4-SHA\"\npolicyd-spf[453]: Read line: \"encryption_keysize=128\"\npolicyd-spf[453]: Read line: \"\"\npolicyd-spf[453]: Found the end of entry\npolicyd-spf[453]: Config: {'debugLevel': 4, 'HELO_reject': 'SPF_Not_Pass', 'PermError_reject': 'False', 'TempError_Defer': 'False', 'Lookup_Time': 20, 'Mail_From_reject': 'Fail', 'Header\n_Type': 'SPF', 'Mail_From_pass_restriction': 'PERMIT', 'defaultSeedOnly': 1, 'Void_Limit': 2, 'HELO_pass_restriction': 'PERMIT', 'skip_addresses': '127.0.0.0/8,::ffff:127.0.0.0/104,::1'}\npolicyd-spf[453]: Cached data for this instance: []\npolicyd-spf[453]: spfcheck: pyspf result: \"['None', '', 'helo']\"\npolicyd-spf[453]: None; identity=helo; client-ip=209.85.212.178; helo=mail-wi0-f178.google.com;\n \u003cemail address hidden\u003e; \u003cemail address hidden\u003e \npolicyd-spf[453]: spfcheck: pyspf result: \"['Permerror', 'SPF Permanent Error: No valid SPF record for included domain:\n _spf.google.com: include:_spf.google.com', 'mailfrom']\"\npolicyd-spf[453]: Permerror; identity=mailfrom; client-ip=209.85.212.178; helo=mail-wi0-f178.google.com;\n \u003cemail address hidden\u003e; \u003cemail address hidden\u003e \npolicyd-spf[453]: Action: prepend: Text: Received-SPF: Permerror (SPF Permanent Error: No valid SPF record for included\n domain: _spf.google.com: include:_spf.google.com) identity=mailfrom; client-ip=209.85.212.178;\n helo=mail-wi0-f178.google.com; \u003cemail address hidden\u003e; \u003cemail address hidden\u003e", "status": "Solved", "language_link": "https://answers.launchpad.net/api/devel/+languages/en", "owner_link": "https://answers.launchpad.net/api/devel/~andre-esser-4-deactivatedaccount", "assignee_link": null, "answerer_link": "https://answers.launchpad.net/api/devel/~andre-esser-4-deactivatedaccount", "answer_link": null, "date_created": "2014-11-25T11:30:16.018021+00:00", "date_due": null, "date_last_query": "2014-11-25T17:12:36.077434+00:00", "date_last_response": "2014-11-25T16:50:26.400282+00:00", "date_solved": "2014-11-25T17:12:36.077434+00:00", "target_link": "https://answers.launchpad.net/api/devel/pypolicyd-spf", "messages_collection_link": "https://answers.launchpad.net/api/devel/pypolicyd-spf/+question/258212/messages", "http_etag": "\"2c93d99d8977c52c9f46abf253af1e4bf07caab2-ebda2a810594cebada1ac0c6545f4a893f5cca50\""}};</script> </body> <!-- Facet name: answers Page type: main_side Has global search: True Has application tabs: True Has side portlets: True At least 75 queries/external actions issued in 0.65 seconds Features: {'profiling.enabled': None, 'hard_timeout': '5000', 'js.yui_version': None, 'app.mainsite_only.canonical_url': None, 'app.maintenance_message': None, 'baselayout.careers_link.disabled': None, 'visible_render_time': None} r78860d9 --> </html>