Bug #16256

SPF issue while sending mail to lists hosted by puscii

Added by geb 2018-12-28 11:15:57. Updated 2019-02-13 16:17:32.

Status: Resolved
Priority: Normal
Assignee: groente
Category: Infrastructure
Target version:
Start date: 2018-12-28
Due date:
% Done: 0%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

Hi,

I just noticed that a mail I sent a few days ago was refused with an SPF error:

>: host needa.puscii.nl[94.142.245.196] said: 550
> 5.7.23 <tails-fundraising@boum.org>: Recipient address rejected: Message
> rejected due to: SPF fail - not authorized. Please see
> http://www.openspf.net/Why?s=mfrom;id=yyyyyyy@zzzzzzzz.com;ip=198.167.222.108;r=<UNKNOWN>
> (in reply to RCPT TO command)

Apparently, the IP which was checked for SPF was not the original sending IP but one of the boum.org MX: mx10.investici.org.

Can send the full bounce on request.

[I dare to assign you this bug, groente, as you seem to have been involved with the recent list hosting change, and to put it at high priority; hope you won’t mind...]


Related issues

Related to Tails - Feature #16217: Migrate some of our Schleuder lists to puscii Resolved 2018-12-11
Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure) Confirmed 2017-06-30

History

#1 Updated by geb 2018-12-28 11:17:14

  • blocks Feature #16217: Migrate some of our Schleuder lists to puscii added

#2 Updated by geb 2018-12-28 11:20:18

Just to complete: 198.167.222.108 aka mx10.investici.org seems to be used for rerouting the mails and should not be checked in SPF checks.

#3 Updated by intrigeri 2018-12-28 11:20:46

#4 Updated by intrigeri 2018-12-28 11:20:59

  • Category set to Infrastructure
  • Status changed from New to Confirmed
  • Target version set to Tails_3.12

#5 Updated by intrigeri 2018-12-28 11:21:15

  • blocked by deleted (Feature #16217: Migrate some of our Schleuder lists to puscii)

#6 Updated by intrigeri 2018-12-28 11:21:20

  • blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added

#7 Updated by intrigeri 2018-12-28 11:21:40

  • related to Feature #16217: Migrate some of our Schleuder lists to puscii added

#8 Updated by intrigeri 2018-12-28 11:22:10

I’ve reported this problem to groente yesterday over email. Now we have a ticket to track it. Thanks geb :)

#9 Updated by geb 2018-12-28 11:30:45

A quick and dirty fix could be to:

- Disable SPF checks for mails emitted by boum.org’s MX. For example, by adding boum.org’s MX to my_networks and ensuring permit_mynetworks is in smtp_recipient_restriction before check_policy_service (maybe not ideal as my_networks could be used for other things, don’t remember)
- Whitelist those IPs in SPF.

Both would require boum.org’s MX to do SPF checking and so on.

#10 Updated by groente 2018-12-28 17:11:08

  • Status changed from Confirmed to In Progress

boum.org’s MX is now whitelisted in the SPF policy

#11 Updated by groente 2019-01-03 10:03:45

  • Priority changed from High to Normal

Mailflow works again, but without SPF we need other protections against spam.
Options are to:

- ask A/I to reject incoming mail that breaks SPF
- improve on the amavisd/sa
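
The failure and the workaround discussed in this ticket, as an added example that is not part of the original thread and not puscii's or boum.org's configuration: a minimal SPF evaluator (ip4/ip6/all only) showing why a forwarded message fails and what whitelisting the relay changes. The sender domain, its SPF record, the sender's outbound IP and the function names are constructed for illustration; only 198.167.222.108 comes from the bounce.

```python
import ipaddress

# Constructed record: the ticket does not show the sender domain's real SPF policy.
SPF_RECORDS = {"sender.example": "v=spf1 ip4:203.0.113.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, domain, records=SPF_RECORDS):
    """Evaluate a minimal SPF subset (ip4, ip6, all) against the connecting IP."""
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def rcpt_decision(client_ip, mail_from, trusted_forwarders=()):
    """Receiving MTA's view: skip SPF for listed relays, reject on SPF fail."""
    ip = ipaddress.ip_address(client_ip)
    for net in trusted_forwarders:
        n = ipaddress.ip_network(net)
        if ip.version == n.version and ip in n:
            return "accept (SPF skipped, trusted forwarder)"
    result = spf_check(client_ip, mail_from.rsplit("@", 1)[1])
    if result == "fail":
        return "550 5.7.23 SPF fail - not authorized"
    return f"accept (SPF {result})"

if __name__ == "__main__":
    sender = "user@sender.example"   # constructed envelope sender
    forwarder = "198.167.222.108"    # mx10.investici.org, from the bounce
    # Direct delivery from the sender's own outbound host: SPF passes.
    print(rcpt_decision("203.0.113.25", sender))
    # Same message relayed by the boum.org MX: the relay's IP is checked and fails.
    print(rcpt_decision(forwarder, sender))
    # With the relay whitelisted, mail flows again...
    print(rcpt_decision(forwarder, sender, [forwarder + "/32"]))
    # ...but the relay's traffic is never SPF-checked here, so the
    # relay itself has to enforce SPF (or other filtering) on what it forwards.
```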

#12 Updated by anonym 2019-01-30 11:59:36

  • Target version changed from Tails_3.12 to Tails_3.13

#13 Updated by groente 2019-02-13 16:17:32

  • Status changed from In Progress to Resolved