Bug #16256
SPF issue while sending mail to lists hosted by puscii
Description
Hi,
I just noticed that a mail I sent a few days ago was refused with an SPF error:
>
> 5.7.23 <tails-fundraising@boum.org>: Recipient address rejected: Message
> rejected due to: SPF fail - not authorized. Please see
> http://www.openspf.net/Why?s=mfrom;id=yyyyyyy@zzzzzzzz.com;ip=198.167.222.108;r=<UNKNOWN>
> (in reply to RCPT TO command)
Apparently, the IP which was checked for SPF was not the original sending IP but one of the boum.org MX: mx10.investici.org.
Can send the full bounce on request.
[I dare assigning you this bug groente as you seem to have been involved with the recent list hosting change, and putting in a high priority, hope you won’t mind ..]
Related issues
Related to Tails - | Resolved | 2018-12-11 |
Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure) | Confirmed | 2017-06-30 |
History
#1 Updated by geb 2018-12-28 11:17:14
- blocks Feature #16217: Migrate some of our Schleuder lists to puscii added
#2 Updated by geb 2018-12-28 11:20:18
Just to complete: 198.167.222.108 aka mx10.investici.org seems to be used for rerouting the mails and should not be checked in SPF checks.
#3 Updated by intrigeri 2018-12-28 11:20:46
- Parent task set to Bug #16121
#4 Updated by intrigeri 2018-12-28 11:20:59
- Category set to Infrastructure
- Status changed from New to Confirmed
- Target version set to Tails_3.12
#5 Updated by intrigeri 2018-12-28 11:21:15
- blocked by deleted (Feature #16217: Migrate some of our Schleuder lists to puscii)
#6 Updated by intrigeri 2018-12-28 11:21:20
- blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added
#7 Updated by intrigeri 2018-12-28 11:21:40
- related to Feature #16217: Migrate some of our Schleuder lists to puscii added
#8 Updated by intrigeri 2018-12-28 11:22:10
I’ve reported this problem to groente yesterday over email. Now we have a ticket to track it. Thanks geb :)
#9 Updated by geb 2018-12-28 11:30:45
A quick and dirty fix could be to:
- Disable SPF checks from mails emitted by boum.org’s MX. For example by adding boum.org’s MX to my_networks and ensuring permit_mynetworks is in smtp_recipient_restriction before check_policy_service (maybe not ideal as my_networks could be used for other things, don’t remind)
- Whitelisting those IPs in SPF.
Both would require boum.org’s MX to do SPF checking and so on.
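The failure reported in this ticket and the exemption proposed in the comment above, as an added example (not from the ticket or from any project's code): a second-hop server evaluates SPF against the connecting IP, so mail relayed by a forwarding MX fails unless that MX is exempted before the check runs. The domain, addresses and function names are constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed sample data: documentation-range addresses and a hypothetical domain.
SPF_RECORDS = {"sender.example": "v=spf1 ip4:192.0.2.0/24 -all"}
# Stands in for the forwarding MX that relays list mail to the final host.
FORWARDER_IPS = frozenset({ipaddress.ip_address("198.51.100.25")})

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(client_ip, mail_from_domain, records=SPF_RECORDS):
    """Evaluate an SPF record against the *connecting* IP.

    Simplified: handles only ip4/ip6/all, no DNS lookups, include or redirect.
    """
    record = records.get(mail_from_domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"


def recipient_decision(client_ip, mail_from_domain, trusted_forwarders=frozenset()):
    """Mimic restriction ordering: trusted-relay exemption first, SPF policy second."""
    if ipaddress.ip_address(client_ip) in trusted_forwarders:
        return "accept (trusted forwarder, SPF skipped)"
    result = spf_result(client_ip, mail_from_domain)
    if result == "fail":
        return "reject (SPF fail)"
    return f"accept (SPF {result})"


if __name__ == "__main__":
    print(recipient_decision("192.0.2.10", "sender.example"))     # direct delivery
    print(recipient_decision("198.51.100.25", "sender.example"))  # via forwarder, no exemption
    print(recipient_decision("198.51.100.25", "sender.example", FORWARDER_IPS))
```

Once the forwarder is exempted, the final host no longer evaluates SPF for relayed mail at all, so the check has to happen on the forwarding MX instead.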
#10 Updated by groente 2018-12-28 17:11:08
- Status changed from Confirmed to In Progress
boum.org’s MX is now whitelisted in the SPF policy
#11 Updated by groente 2019-01-03 10:03:45
- Priority changed from High to Normal
mailflow works again, but without SPF we need other protections against spam.
options are to:
- ask A/I to reject incoming mail that breaks SPF
- improve on the amavisd/sa
#12 Updated by anonym 2019-01-30 11:59:36
- Target version changed from Tails_3.12 to Tails_3.13
#13 Updated by groente 2019-02-13 16:17:32
- Status changed from In Progress to Resolved