Bug #16256: SPF issue while sending mail to lists hosted by puscii

Bug #16256

SPF issue while sending mail to lists hosted by puscii

Added by geb 2018-12-28 11:15:57 . Updated 2019-02-13 16:17:32 .

Status:

Resolved

Priority:

Normal

Assignee:

groente

Category:

Infrastructure

Target version:

Tails_3.13

Start date:

2018-12-28

Due date:

% Done:

Feature Branch:

Type of work:

Sysadmin

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

Hi,

I just noticed that a mail I sent a few days ago was refused with a SPF error :

>: host needa.puscii.nl[94.142.245.196] said: 550
> 5.7.23 <tails-fundraising@boum.org>: Recipient address rejected: Message
> rejected due to: SPF fail - not authorized. Please see
> http://www.openspf.net/Why?s=mfrom;id=yyyyyyy@zzzzzzzz.com;ip=198.167.222.108;r=<UNKNOWN>
> (in reply to RCPT TO command)

Apparently, the IP which was checked for SPF was not the original sending IP but one of the boum.org MX: mx10.investici.org.

Can send the full Bounce on request.

[I dare assigning you this bug groente as you seems to have been involved with the recent list hosting change, and putting in a high priority, hope you won’t mind ..]

Subtasks

Related issues

Related to Tails - ~~Feature #16217~~: Migrate some of our Schleuder lists to puscii	Resolved	2018-12-11
Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure)	Confirmed	2017-06-30

History

#1 Updated by geb 2018-12-28 11:17:14

blocks ~~Feature #16217~~: Migrate some of our Schleuder lists to puscii added

#2 Updated by geb 2018-12-28 11:20:18

Just to complete : 198.167.222.108 aka mx10.investici.org seems to be used for rerouting the mails and should not be checked in SPFs checks.

#3 Updated by intrigeri 2018-12-28 11:20:46

Parent task set to ~~Bug #16121~~

#4 Updated by intrigeri 2018-12-28 11:20:59

Category set to Infrastructure
Status changed from New to Confirmed
Target version set to Tails_3.12

#5 Updated by intrigeri 2018-12-28 11:21:15

blocked by deleted (~~~~Feature #16217~~: Migrate some of our Schleuder lists to puscii~~)

#6 Updated by intrigeri 2018-12-28 11:21:20

blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added

#7 Updated by intrigeri 2018-12-28 11:21:40

related to ~~Feature #16217~~: Migrate some of our Schleuder lists to puscii added

#8 Updated by intrigeri 2018-12-28 11:22:10

I’ve reported this problem to groente yesterday over email. Now we have a ticket to track it. Thanks geb :)

#9 Updated by geb 2018-12-28 11:30:45

A quick and dirty fix could be to:

- Disable SPF checks from mails emitted by boum.org’s MX. For example by adding boum.org’s MX to my_networks and ensuring permit_mynetworks is in smtp_recipient_restriction before check_policy_service (maybe no ideal as my_networks could be used for other things, dont remind)
- Whitelisting those IPs in SPF.
Both would require boum.org’s MX to do SPF checking and so on.

#10 Updated by groente 2018-12-28 17:11:08

Status changed from Confirmed to In Progress

boum.org’s MX is now whitelisted in the SPF policy

#11 Updated by groente 2019-01-03 10:03:45

Priority changed from High to Normal

mailflow works again, but without SPF we need other protections against spam.
options are to:

- ask A/I to reject incoming mail that breaks SPF
- improve on the amavisd/sa

#12 Updated by anonym 2019-01-30 11:59:36

Target version changed from Tails_3.12 to Tails_3.13

#13 Updated by groente 2019-02-13 16:17:32

Status changed from In Progress to Resolved