View Issue Details

ID: 0001554
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2024-01-04 02:19
Reporter: L10N
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: Default
OS: any
OS Version: any
Summary: 0001554: Mail from domain [cacert.org] fails to pass SPF checks
Description: Every time I send an e-mail to the cacert-support list, I get this answer (see mail after the ----):
- is this a problem of us or of them?
- if it is from us, is a solution easy or complicated?

----------------------------------
SUBJECT: Undelivered Mail Returned to Sender
FROM: Mail Delivery System <MAILER-DAEMON@fmfwd02.freemail.hu>

This is the mail system at host fmfwd02.freemail.hu.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<szlcsb@gmail.com>: host gmail-smtp-in.l.google.com[74.125.71.26] said:
    550-5.7.26 The MAIL FROM domain [cacert.org] has an SPF record with a hard
    fail 550-5.7.26 policy (-all) but it fails to pass SPF checks with the ip:
    550-5.7.26 [46.107.16.135]. To best protect our users from spam and
    phishing, 550-5.7.26 the message has been blocked. Please visit 550-5.7.26
    https://support.google.com/mail/answer/81126#authentication for more 550
    5.7.26 information. t5-20020adfe445000000b0031ff1152941si12973458wrm.960 -
    gsmtp (in reply to end of DATA command)


Reporting-MTA: dns; fmfwd02.freemail.hu
X-Postfix-Queue-ID: 95BA41DD37
X-Postfix-Sender: rfc822; eruedin@cacert.org
Arrival-Date: Mon, 2 Oct 2023 22:13:23 +0200 (CEST)

Final-Recipient: rfc822; szlcsb@gmail.com
Original-Recipient: rfc822;szlcsb@gmail.com
Action: failed
Status: 5.7.26
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.26 The MAIL FROM domain [cacert.org] has an SPF
    record with a hard fail 550-5.7.26 policy (-all) but it fails to pass SPF
    checks with the ip: 550-5.7.26 [46.107.16.135]. To best protect our users
    from spam and phishing, 550-5.7.26 the message has been blocked. Please
    visit 550-5.7.26
    https://support.google.com/mail/answer/81126#authentication for more 550
    5.7.26 information. t5-20020adfe445000000b0031ff1152941si12973458wrm.960 -
    gsmtp
Steps To Reproduce: Send any e-mail to cacert-support@lists.cacert.org
Tags: list, mail
Reviewed by:
Test Instructions:

Activities

alkas

2023-10-15 12:44

manager   ~0006196

From Peter J. Mello:
I attempted to add this to the Mantis ticket in the subject, but for some reason lack sufficient privileges on that system to contribute anything. Pulling the currently published DNS RR containing the SPF record for cacert.org was, of course, quite trivial and revealed itself as:
cacert.org. IN TXT "v=spf1 a mx a:emailout.cacert.org a:secure.cacert.org a:www1.cacert.org ip4:213.154.225.230 ip6:2001:7b8:616:162:1::10 ip6:2001:7b8:616:28:50::11 -all"
There exists more ambiguity than I'd like in the ticket, namely the nature of the inclusion of the host at freemail.hu in the message path, but assuming it's a legitimate part of the mailing list infrastructure, then the TXT RR shown above needs to be amended thusly in order to pass the SPF check again:
cacert.org. IN TXT "v=spf1 a mx a:emailout.cacert.org a:secure.cacert.org a:www1.cacert.org ip4:213.154.225.230 ip6:2001:7b8:616:162:1::10 ip6:2001:7b8:616:28:50::11 include:freemail.hu -all"
This would also seem an opportune moment to add a DMARC record to the domain to further thwart spammers, which I would propose be introduced with this configuration…
_dmarc.cacert.org. IN TXT "v=DMARC1; p=quarantine; pct=100; aspf=s; ri=259200;"
It also seems worth noting that one of the five nameservers appears to be dead, ns3.cacert.org, and another, ns4.cacert.org, presents a disparity between the IPv6 address it resolves to vs. the glue record associated with it from the parent name server.

Hope this helps to speed a resolution for the ticket.

jandd

2023-10-15 15:09

administrator   ~0006197

Our current SPF record contains

"v=spf1 a mx a:emailout.cacert.org a:secure.cacert.org a:www1.cacert.org ip4:213.154.225.230 ip6:2001:7b8:616:162:1::10 ip6:2001:7b8:616:28:50::11 -all"

This allows the following systems to send emails on behalf of cacert.org:

- our MX host email.cacert.org. -> 213.154.225.228 and 2001:7b8:616:162:2::228
- the A record (and AAAA) of emailout.cacert.org -> 213.154.225.239 and 2001:7b8:616:162:2::239
- secure.cacert.org 213.154.225.246 and 2001:7b8:3:9c::246
- www.cacert.org 213.154.225.245 and 2001:7b8:3:9c::245
- 213.154.225.230 and 2001:7b8:616:162:1::10 (addresses of infra02.cacert.org)
- 2001:7b8:616:28:50::11 which is used for ping.cacert.org

lists.cacert.org which is our mailing list host has its own SPF record:

"v=spf1 ip4:213.154.225.231 ip6:2001:7b8:616:162:2::17 -all"

This record contains the public addresses of lists.cacert.org only.

Other systems and especially systems of freemail.hu should not send mail on behalf of cacert.org or lists.cacert.org addresses. We will not change the SPF records.

We will check the nameserver inconsistencies for the IPv6 reverse DNS zone.
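
The mechanism-by-mechanism evaluation jandd describes, as an added example that is not part of this ticket or of CAcert's own tooling: a small RFC 7208-style SPF evaluator run against a constructed, offline DNS snapshot built from the addresses listed in the note above (the bare "a" of cacert.org itself is not given in the ticket, so it is left empty), which shows why 46.107.16.135 from the bounce hits -all while the hosts jandd lists pass.

```python
import ipaddress

# Constructed DNS snapshot (not a live lookup) from the addresses jandd lists in this
# ticket; cacert.org's own A record is not given there, so the bare "a" cannot match.
DNS = {
    "cacert.org": {
        "TXT": "v=spf1 a mx a:emailout.cacert.org a:secure.cacert.org a:www1.cacert.org "
               "ip4:213.154.225.230 ip6:2001:7b8:616:162:1::10 ip6:2001:7b8:616:28:50::11 -all",
        "MX": ["email.cacert.org"], "A": []},
    "email.cacert.org": {"A": ["213.154.225.228", "2001:7b8:616:162:2::228"]},
    "emailout.cacert.org": {"A": ["213.154.225.239", "2001:7b8:616:162:2::239"]},
    "secure.cacert.org": {"A": ["213.154.225.246", "2001:7b8:3:9c::246"]},
    "www1.cacert.org": {"A": ["213.154.225.245", "2001:7b8:3:9c::245"]},  # jandd: www.cacert.org
    "lists.cacert.org": {"TXT": "v=spf1 ip4:213.154.225.231 ip6:2001:7b8:616:162:2::17 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_has_ip(ip, host, dns):
    """True if ip is among the A/AAAA addresses recorded for host."""
    return ip in {ipaddress.ip_address(a) for a in dns.get(host, {}).get("A", [])}

def spf_result(domain, sender_ip, dns=DNS, depth=0):
    """Evaluate domain's SPF record for the connecting sender_ip (RFC 7208 subset:
    ip4, ip6, a, mx, include, all). Returns pass/fail/softfail/neutral/none/permerror."""
    ip = ipaddress.ip_address(sender_ip)
    terms = dns.get(domain, {}).get("TXT", "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):      # an IPv4/IPv6 version mismatch simply does not match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(ip, arg or domain, dns)
        elif mech == "mx":
            matched = any(host_has_ip(ip, mx, dns) for mx in dns.get(arg or domain, {}).get("MX", []))
        elif mech == "include":
            if depth >= 10:
                return "permerror"        # RFC 7208 caps DNS-querying mechanisms at 10
            matched = spf_result(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"            # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                      # record exhausted without a match
```

The forwarder at freemail.hu re-sends with the original cacert.org envelope sender, so its address is evaluated against cacert.org's record and fails; a forwarder avoids this by rewriting the envelope sender (SRS) rather than by being added to the origin domain's record.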

jandd

2023-10-16 16:05

administrator   ~0006198

Side note: email from @cacert.org email addresses must be sent via the community mail server; see https://wiki.cacert.org/Technology/TechnicalSupport/EndUserSupport/CommunityE-Mail for documentation.

NoSubstitute

2024-01-03 16:30

updater   ~0006200

Hello L10N,

Is this your email address, or just something that appears in the gmail mail delivery failure log?

szlcsb@gmail.com

alkas

2024-01-03 17:40

manager   ~0006201

The address szlcsb@gmail.com should be, AFAIK, only an address in the example sent by user L10N. As the flaw reported by Peter J. Mello (admin@petermello.net) seemed to be similar, I copied Peter's text from OTRS ticket s20231015.3 as the comment.

As the former reporter (L10N) possibly also copied somebody's text, it is clear to me that the user szlcsb@gmail.com has problems sending us a mail. He should send it to support@cacert.org and not to the "cacert-support list", which is his list on his side and could contain the address "szlcsb@gmail.com".

So please check what P. J. Mello reports.

L10N

2024-01-04 00:00

reporter   ~0006202

I checked the six mails still in my inbox. These are "answers" to mails sent by me with my @cacert.org address to the following mailing lists:
- CAcert-devel <cacert-devel@lists.cacert.org>
- General Help <cacert-support@lists.cacert.org>

Maybe it is just the address of a CAcert community member that did not update its subscriptions while changing the e-mail address? In this case, the admin of these two lists could just unsubscribe the szlcsb@ address from these lists?

NoSubstitute

2024-01-04 02:19

updater   ~0006203

That is my opinion also, and I'm pretty sure I've investigated the error message and suggested exactly that in the past.

The problem is that the listed email in the error message is not, or at least, SHOULD not, be the email actually subscribed to any list, as it instead should be an unknown/unlisted address with a @*.freemail.hu suffix, and THAT address is set to forward to the szlcsb@ address.

But either address should be easily found, if it is subscribed to either list.

I'll see if I can get a list admin to help out.

Issue History

Date Modified Username Field Change
2023-10-02 20:33 L10N New Issue
2023-10-02 20:33 L10N Tag Attached: list
2023-10-02 20:33 L10N Tag Attached: mail
2023-10-15 12:44 alkas Note Added: 0006196
2023-10-15 15:09 jandd Note Added: 0006197
2023-10-16 16:05 jandd Note Added: 0006198
2024-01-03 16:30 NoSubstitute Note Added: 0006200
2024-01-03 17:40 alkas Note Added: 0006201
2024-01-04 00:00 L10N Note Added: 0006202
2024-01-04 02:19 NoSubstitute Note Added: 0006203