broken ISP in china

Vernon Schryver vjs at rhyolite.com
Mon Feb 18 23:35:19 UTC 2013


> From: Lyle Giese <lyle at lcrcomputer.net>

> attention and I tried to email the client in China and got this back:
>
> For <robin at xxxxx.com.cn> <mailto:robin at medtecs.com.cn>, Site 
> (xxxxx.com.cn/<ipv4 address>) said: 559 sorry , your helo/ehlo and 
> domain in mail are invalid, you don't connect from there. (#5.5.9)
>
> Because this started within 24 hours of when I published the DS record 

I'd remove the TXT record for lcrcomputer.net and try again in 24
hours after your TTL expires.  In other words, could your SPF record
be triggering the mail problem?  What is the relationship between
medtecs.com.cn and xxxxx.com.cn?  If your mail must be forwarded
to reach robin at medtecs.com.cn, then your SPF record demands that
it be rejected after the first hop.
I also wonder about the "ptr" mechanism in your SPF record.  RFC 4408
discourages the use of "ptr".  The Received: header added by ISC
was unhappy with your reverse DNS, although it looks ok to me now:

   Received: from mail3.lcrcomputer.net (unknown [IPv6:2607:fcb8:1800:7::3])
     by mx.pao1.isc.org (Postfix) with ESMTP
     for <bind-users at lists.isc.org>; Mon, 18 Feb 2013 22:07:46 +0000 (UTC)
     (envelope-from lyle at lcrcomputer.net)

Contrary to the early marketing manure followed by the years of cult
chanting, outside the narrow situations where it can be handy, SPF is
useless and ignored (~all or ?all) or harmful (-all).  SPF can be
useful for authenticating bulk mail, although DKIM is better because
of SPF's problem with forwarding.  (Of course, plenty of bulk mail is
not spam, such as this message after it hits the reflector.  Bulk mail
is any set of practically identical messages.  Spam is bulk email that
is also unsolicited.)

If you turn on DMARC to get reports about rejections by adding something
like this line to your DNS zone:
  _dmarc 300 TXT  "v=DMARC1; p=none; rua=mailto:XXX at lcrcomputer.com;"
and send again to this mailing list, then within days or a week, the
mailbox XXX at lcrcomputer.com should get reports of mail that would have
been rejected by your SPF record.  If any of your correspondents forward
private mail from you to Google, Microsoft, or similar, you will also
get reports about those rejections.

I've not tried p=none, but recent experiments with 
          300  TXT  "v=spf1 mx -all"
   _dmarc 300  TXT  "v=DMARC1; p=reject; rua=mailto:XXX at rhyolite.com;"
generated reports of my messages being rejected because they had been
forwarded by lists.isc.org.  Look at the headers for your copies of
your own messages to this mailing list and consider your SPF record.
(I use short TTLs on _dmarc and SPF RRs to remove them quickly.)

See http://www.dmarc.org/ about DMARC, but read it with marketing-speak
filters set to high.  For example, "DMARC Protects 60 Percent of Global
Consumer Mailboxes" makes sense only for a narrow meaning of "protect"
after you notice the absence of _dmarc records for Google, Yahoo, and
Microsoft.

See also http://www.dmarc.org/about.html   Some of the "receivers" on
that page probably send more mail than some of the "senders," so those
two words must have special meanings.  DMARC is evidently intended to let
"(bulk mail) senders" such as American Greetings, BoA, etc. monitor
and control their DKIM and SPF authenticators and check inbox placement
rates at "(bulk mail) receivers" such as AOL, Comcast, etc.

DMARC is also unintentionally great for showing the old "use SPF to
protect yourself from spammers" to be the marketing nonsense and cult
nonsense that in most cases it has always been.


Vernon Schryver    vjs at rhyolite.com
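
An added example, not part of the message above or of any ISC code: a short Python script that reads a DMARC aggregate (rua) report of the kind the message describes and lists the source IPs whose mail failed both SPF and DKIM, which is how mail forwarded by a list shows up. The report XML, the IP addresses and the names `summarize` and `own_senders` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (documentation addresses, example.com); not real data.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(report_xml, own_senders):
    """Return (published policy, {source_ip: message count}) for mail that
    failed both SPF and DKIM and did not come from one of our own senders."""
    if "<!DOCTYPE" in report_xml:   # reports are third-party input: refuse DTDs/entities
        raise ValueError("DOCTYPE not allowed in aggregate report")
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="none")
    failures = Counter()
    for rec in root.iter("record"):
        row = rec.find("row")
        if row is None:
            continue
        ip = row.findtext("source_ip", default="?")
        count = int(row.findtext("count", default="0"))
        spf = row.findtext("policy_evaluated/spf")
        dkim = row.findtext("policy_evaluated/dkim")
        # DMARC fails only when neither aligned SPF nor aligned DKIM passes.
        # An unknown source is a forwarder/list or someone else using the domain.
        if spf != "pass" and dkim != "pass" and ip not in own_senders:
            failures[ip] += count
    return policy, dict(failures)

if __name__ == "__main__":
    policy, failed = summarize(SAMPLE_REPORT, own_senders={"192.0.2.10"})
    for ip, n in failed.items():
        print(f"p={policy}: {n} message(s) via {ip} failed SPF and DKIM")
```
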


