Bug #16256

Bug #16121: Migrate our Schleuder lists outside of boum.org

SPF issue while sending mail to lists hosted by puscii

Added by geb 9 months ago. Updated 7 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Infrastructure
Target version:
Start date: 12/28/2018
Due date:
% Done: 0%
Spent time:
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:

Description

Hi,

I just noticed that a mail I sent a few days ago was refused with an SPF error:

<xxxxxxxxxxx>: host needa.puscii.nl[94.142.245.196] said: 550
5.7.23 <>: Recipient address rejected: Message
rejected due to: SPF fail - not authorized. Please see
http://www.openspf.net/Why?s=mfrom;id=yyyyyyy@zzzzzzzz.com;ip=198.167.222.108;r=<UNKNOWN>
(in reply to RCPT TO command)

Apparently, the IP which was checked for SPF was not the original sending IP but one of the boum.org MX: mx10.investici.org.

Can send the full bounce on request.

[I dare assign you this bug, groente, as you seem to have been involved with the recent list hosting change, and I am putting in a high priority; hope you won't mind ..]


Related issues

Related to Tails - Feature #16217: Migrate some of our Schleuder lists to puscii Resolved 12/11/2018
Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure) Confirmed 06/30/2017

History

#1 Updated by geb 9 months ago

  • Blocks Feature #16217: Migrate some of our Schleuder lists to puscii added

#2 Updated by geb 9 months ago

Just to complete: 198.167.222.108 aka mx10.investici.org seems to be used for rerouting the mails and should not be checked in SPF checks.

#3 Updated by intrigeri 9 months ago

  • Parent task set to #16121

#4 Updated by intrigeri 9 months ago

  • Category set to Infrastructure
  • Status changed from New to Confirmed
  • Target version set to Tails_3.12

#5 Updated by intrigeri 9 months ago

  • Blocks deleted (Feature #16217: Migrate some of our Schleuder lists to puscii)

#6 Updated by intrigeri 9 months ago

  • Blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added

#7 Updated by intrigeri 9 months ago

  • Related to Feature #16217: Migrate some of our Schleuder lists to puscii added

#8 Updated by intrigeri 9 months ago

I reported this problem to groente yesterday over email. Now we have a ticket to track it. Thanks geb :)

#9 Updated by geb 9 months ago

A quick and dirty fix could be to:
- Disable SPF checks for mails emitted by boum.org's MX, for example by adding boum.org's MX to my_networks and ensuring permit_mynetworks is in smtp_recipient_restriction before check_policy_service (maybe not ideal, as my_networks could be used for other things; I don't remember).
- Whitelist those IPs in SPF.
Both would require boum.org's MX to do SPF checking and so on.
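
The failure and the whitelist fix discussed in this ticket, as an added example that is not part of the thread or of puscii's configuration: a simplified receiver-side check showing that SPF is evaluated against the connecting IP (here the forwarder quoted in the bounce), and that exempting trusted forwarders leaves every other client checked. The sender's SPF record, the function names and the `trusted_forwarders` parameter are constructed for illustration.

```python
import ipaddress

# Constructed SPF record for the sender's domain (not from the ticket):
# only the sender's own outbound host is authorized, everything else hard-fails.
SENDER_SPF = "v=spf1 ip4:203.0.113.25 -all"

# Forwarder address quoted in the bounce (mx10.investici.org, a boum.org MX).
FORWARDER_IP = "198.167.222.108"


def spf_result(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of one SPF record for client_ip.

    Simplified: no DNS lookups, so a, mx, include, etc. are not handled.
    """
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return qualifiers[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return qualifiers[qualifier]
    return "neutral"


def rcpt_decision(record, client_ip, trusted_forwarders=()):
    """Decision at RCPT TO: trusted forwarders skip SPF, others are checked."""
    ip = ipaddress.ip_address(client_ip)
    for net in trusted_forwarders:
        if ip in ipaddress.ip_network(net):
            return "accept (SPF skipped: trusted forwarder)"
    result = spf_result(record, client_ip)
    if result == "fail":
        return "550 5.7.23 SPF fail - not authorized"
    return "accept (SPF %s)" % result
```

Mail arriving through an allowlisted forwarder is no longer SPF-checked at the receiving host, so any sender authentication for that path has to happen on the forwarder itself.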

#10 Updated by groente 9 months ago

  • Status changed from Confirmed to In Progress

boum.org's MX is now whitelisted in the SPF policy

#11 Updated by groente 9 months ago

  • Priority changed from High to Normal

Mailflow works again, but without SPF we need other protections against spam.
Options are to:

- ask A/I to reject incoming mail that breaks SPF
- improve on the amavisd/sa

#12 Updated by anonym 8 months ago

  • Target version changed from Tails_3.12 to Tails_3.13

#13 Updated by groente 7 months ago

  • Status changed from In Progress to Resolved
