On Wednesday, May 06, 2015 09:58:57 AM James B. Byrne wrote:
> On Wed, May 6, 2015 09:45, Tobi wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Hi list
> >
> > I know it's technically not a postfix issue :-) But maybe someone else
> > here on this list has the same problem.
> > I'm using Postfix with postfix-policyd-spf-perl. About 4 or 5 days ago
> > I started to get error messages from postfix for mails from Amazon.
> > The log shows
> >
> > <<
> > May 6 15:33:12 mail1 postfix/policy-spf[10692]: Policy
> > action=DEFER_IF_PERMIT SPF-Result=marketplace.amazon.de ...
> > spf1.amazon.com: Unknown error on DNS 'TXT' lookup of
> > 'spf1.amazon.com'
> > May 6 15:33:12 mail1 postfix/smtpd[10069]: NOQUEUE: reject: RCPT from
> > a0-3.smtp-out.eu-west-1.amazonses.com[54.240.0.3]: 450 4.7.1
> > <tobs...@brain-force.ch>: Recipient address rejected:
> > SPF-Result=marketplace.amazon.de ... spf1.amazon.com: Unknown error on
> > DNS 'TXT' lookup of 'spf1.amazon.com';
> > from=<comm-bounces+bbc-message-a370530b4pb...@marketplace.amazon.de>
> > to=<tobs...@brain-force.ch> proto=ESMTP
> > helo=<a0-3.smtp-out.eu-west-1.amazonses.com>
> > May 6 15:33:37 mail1 postfix/smtpd[10069]: disconnect from
> > a0-3.smtp-out.eu-west-1.amazonses.com[54.240.0.3]
> >
> >
> > I did not change anything on the server side. I tried to verify the
> > SPF records from Amazon with
> > http://www.kitterman.com/spf/validate.html but the tests were always
> > successful.
> > Does anyone have this problem too with Amazon? Or does anyone have an
> > idea how to solve it?
> >
> > Thanks
>
> dig spf1.amazon.com TXT
>
> ;; ANSWER SECTION:
> spf1.amazon.com. 900 IN TXT "spf2.0/pra ip4:207.171.160.0/19
> ip4:87.238.80.0/21 ip4:72.21.192.0/19 ip4:194.154.193.192/27
> ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24
> ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all"
> spf1.amazon.com. 900 IN TXT "v=spf1 ip4:207.171.160.0/19
> ip4:87.238.80.0/21 ip4:72.21.192.0/19 ip4:194.154.193.192/27
> ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24
> ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all"
>
> Amazon has screwed up their spf records. A DNS host can have only ONE
> spf TXT RR and that must not contain or recursively resolve to more
> than TEN tags.
>
> You will have to contact the DNS maintainer for the amazon.com zone
>
> ;; AUTHORITY SECTION:
> amazon.com. 60 IN SOA dns-external-master.amazon.com.
> root.amazon.com. 2010112764 180 60 3024000 60
>
> Who evidently is reached via r...@amazon.com. Good luck with that.

No. That's not it. One of those is a v=spf1 SPF record and the other is a
spf2.0 Sender ID record.

Much more likely the issue is the use of EDNS0. In the part of the dig output
you didn't include, you probably got:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

and

;; MSG SIZE rcvd: 611

I would guess that they published a new record that pushed them outside the
size of a UDP packet, so it used EDNS0, and there's some incompatible box in
the middle (and there wasn't such a box similarly in between amazon and my SPF
validator).

Followups should probably go to:

https://answers.launchpad.net/postfix-policyd-spf-perl

Scott K
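
Added example, not part of the original thread or of postfix-policyd-spf-perl: a Python sketch of the two points in Scott's reply, namely that only the `v=spf1` TXT record is an SPF policy (the `spf2.0/pra` one is Sender ID and is ignored), and that a reply larger than 512 bytes depends on EDNS0 or a TCP retry. The function names are hypothetical, the TXT strings are copied from the dig output quoted above, and the lookup count covers top-level terms only (it does not follow includes).

```python
import re

# TXT strings copied from the dig output quoted in the thread.
NETS = ("ip4:207.171.160.0/19 ip4:87.238.80.0/21 ip4:72.21.192.0/19 "
        "ip4:194.154.193.192/27 ip4:194.7.41.152/28 ip4:212.123.28.40/32 "
        "ip4:203.81.17.0/24 ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all")
TXT_RRSET = ["spf2.0/pra " + NETS, "v=spf1 " + NETS]

# Terms that cost a DNS query and count toward the limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def select_spf(txt_records):
    """Pick the SPF policy from a TXT RRset (RFC 7208, section 4.5)."""
    # Only a version section of exactly "v=spf1", ended by a space or the end
    # of the record, qualifies. Everything else is discarded, not an error.
    matches = [r for r in txt_records
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not matches:
        return "none", None
    if len(matches) > 1:
        return "permerror", None  # two real SPF records would be an error
    return "ok", matches[0]


def dns_lookup_terms(record):
    """Count top-level terms in one SPF record that trigger DNS queries."""
    count = 0
    for term in record.split()[1:]:  # skip the version section
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        count += name in LOOKUP_TERMS
    return count


def transport_needed(msg_size, edns_udp_size=None):
    """Classify how a DNS reply of msg_size bytes can reach the resolver."""
    if msg_size <= 512:
        return "plain-udp"  # fits the classic DNS UDP limit
    if edns_udp_size is not None and msg_size <= edns_udp_size:
        return "edns0-udp"  # every hop must pass EDNS0 and large UDP
    return "tcp-retry"      # reply is truncated, client retries over TCP


if __name__ == "__main__":
    status, policy = select_spf(TXT_RRSET)
    print(status, dns_lookup_terms(policy))
    print(transport_needed(611, 4096), transport_needed(611))
```

With the sizes Scott quotes (611 bytes, 4096 advertised), the reply only arrives if EDNS0 works end to end, which is the path he suspects is broken.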