DevHeads.net

SERVFAIL Errors

Hi All

Any ideas on how I can sort sort below?

Feb 12 10:24:48 mail postfix/smtpd[17207]: NOQUEUE: reject: RCPT from
unknown[196.14.170.132]: 450 4.7.1 <SALES@xxxx>: Recipient address
rejected: SPF-Result=medscheme.co.za: 'SERVFAIL' error on DNS 'MX'
lookup of 'cluster1a.sa.messagelabs.com';
from=< ... at Medscheme dot co.za> to=<SALES@xxxxxx> proto=ESMTP
helo=<mail1.bemta18.messagelabs.com>

It does not appear that cluster1a.sa.messagelabs.com does not have an IP
when I do a dig.

Regards

Comments

Re: SERVFAIL Errors

By Viktor Dukhovni at 02/12/2014 - 16:43

The IP address is irrelevant, it fails when you do an MX lookup:

$ dig -t mx cluster1a.sa.messagelabs.com

; <<>> DiG 9.8.0rc1 <<>> -t mx cluster1a.sa.messagelabs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30517
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cluster1a.sa.messagelabs.com. IN MX

;; Query time: 444 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 12 20:40:15 2014
;; MSG SIZE rcvd: 46

The SPF records in question are broken (use an MX name that is not
supported by messagelabs). Likely the DNS for this name is handled
by a DNS load-balancing appliance that is poorly prepared to handle
unexpected RR types (i.e. is a broken hack that works only in the
expected case).

Re: SERVFAIL Errors

By Viktor Dukhovni at 02/12/2014 - 18:07

The breakage is deep! When you ask the authoritative server for
an MX record, it returns instead an A record for the requested name
and an MX record for an unrelated name (whose A record is in turn
in the additional section):

$ dig -t mx cluster1a.sa.messagelabs.com @ns.us.symsaas.net

; <<>> DiG 9.8.0rc1 <<>> -t mx cluster1a.sa.messagelabs.com @ns.us.symsaas.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34142
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cluster1a.sa.messagelabs.com. IN MX

;; ANSWER SECTION:
cluster1a.sa.messagelabs.com. 30 IN A 196.14.170.67
cluster1.sa.messagelabs.com. 30 IN MX 10 cluster1.sa.messagelabs.com.

;; AUTHORITY SECTION:
sa.messagelabs.com. 500 IN NS ns.us.symsaas.net.
sa.messagelabs.com. 500 IN NS ns.eu.symsaas.net.
sa.messagelabs.com. 500 IN NS ns.ap.symsaas.net.

;; ADDITIONAL SECTION:
cluster1.sa.messagelabs.com. 30 IN A 196.14.170.83

;; Query time: 13 msec
;; SERVER: 67.219.252.10#53(67.219.252.10)
;; WHEN: Wed Feb 12 21:59:42 2014
;; MSG SIZE rcvd: 174

I've not seen such creative mishandling of DNS for a while. If
anyone on this list is at Symantec (or Messagelabs), please report this
to the folks who operate the DNS gear. It is broken.

Re: SERVFAIL Errors

By lists@rhsoft.net at 02/12/2014 - 16:12

Am 12.02.2014 21:04, schrieb Dave Johnson:
how do you imagine that?
you refused to post "postconf -n"
please re-read the welcome message

it has, it does appear your DNS has or had a problem
why panic in case of a *temporary* error?
4xx = temporary error
5xx = permanent error

;; ANSWER SECTION:
cluster1a.sa.messagelabs.com. 4 IN A 196.14.170.83

Re: SERVFAIL Errors

By Wietse Venema at 02/12/2014 - 16:11

Dave Johnson:
Postfix does no SPF lookups. You are using a third-party policy plugin.
Ask them for support.

Wietse