Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#2750 closed task (fixed)

mail aliases fail anti-spoof measures

Reported by: strk
Owned by: sac@…
Priority: normal
Milestone: Sysadmin Contract 2022-II
Component: SysAdmin
Keywords:
Cc:

Description

I've experienced failures in sending mail to some @osgeo.org aliases, whereas the receiving SMTP (GMail, in particular) refused to accept my mails, reporting them as "unauthenticated".

It looks like adding a (deprecated) "ptr" indication in the SPF record for my domain allows mail to be delivered to the GMail receiver, but this could be a side-effect of "ptr" records being too expensive and thus skipped by the checker (allowing to bypass the check).

This ticket is to better understand WHAT domain would the receiver be checking (is postfix changing the Sender address?).

Some pointers:

https://serverfault.com/questions/635293/postfix-as-email-forwarder-to-gmail-spf-problems
https://serverfault.com/questions/896791/postfix-forwarding-spf-issues-sender-rewrite

Change History (14)

comment:1 by robe, 2 years ago

Thanks for the links strk.

comment:2 by robe, 2 years ago

@strk

What puzzles me is I get your messages when you send to Mantra. Do you get bounces when you send to Mantra? Or is that handled differently because it is more than one person redirect? I would think your emails would be treated the same and bounce since my domains are all on Gmail. Or is it only an issue when sending to a @gmail.com address because then that is governed by Gmail's rules instead of how the domain owner configures their SPF?

comment:3 by strk, 2 years ago

I don't think I ever got bounces when sending to the mantra alias. Do you get those bounces if you drop the PTR elements from your SPF? That element is deprecated: https://dmarcian.com/ptr-mechanisms-in-spf-records/

comment:4 by robe, 2 years ago

Remove from osgeo or my domain? I've never had an issue receiving or sending from an osgeo.org account.

But since it is deprecated I should probably remove from osgeo.org. We still have ptr in there.

comment:5 by robe, 2 years ago

Ah, never mind, I thought we had ptr on osgeo.org, but no, we don't. We just have a and ip4.

comment:6 by robe, 2 years ago

Okay, I took off ptr from my domain, but now I see I was reading this all wrong.

I guess osgeo is spoofing your address and my address when we send, so it was your mail server complaining.

When I sent to mantra and see the email that comes to my other account, it comes thru fine:

but distinctly has:

SPF:	FAIL with IP 140.211.15.3
google.com: domain of <my email address I was sending from> does not designate 140.211.15.3 as permitted sender

because lists.osgeo.org is trying to spoof my address. But why that doesn't fail or even get dumped into spam is puzzling. I'll try neteler again later to see if removing ptr on mine made a difference.

comment:7 by strk, 2 years ago

Right, all mails to mantra alias come with failing SPF, like this:

Received-SPF: softfail (spool2: transitioning domain of education.gouv.fr does not designate 140.211.15.3 as permitted sender) 

Evidently OSGeo Postfix will NOT drop these emails, so we still receive them

comment:8 by strk, 2 years ago

I'm actually not sure if it's the OSGeo Postfix that would make it pass or not or the final (destination) smtp.

Like: is it possible that (say) Markus would NOT receive some mails which instead land successfully in our mailboxes? Is Markus on the mantra list?

comment:9 by neteler, 2 years ago

To my knowledge I am not on the mantra list.

comment:10 by robe, 2 years ago (in reply to: 7)

Replying to strk:

> Right, all mails to mantra alias come with failing SPF, like this:
>
> Received-SPF: softfail (spool2: transitioning domain of education.gouv.fr does not designate 140.211.15.3 as permitted sender)
>
> Evidently OSGeo Postfix will NOT drop these emails, so we still receive them

But we should not be all receiving them. GMail should drop when OSGeo tries to send to me spoofing you? I thought we have at least one gmail.com account on mantra still. I know Jay complained and he had a gmail account but I always got his emails to my knowledge and he was getting mantra emails, just being rejected when sending to gmail accounts sometimes. Anyway I think I have a gmail only account lying around somewhere, I'll test before and after I make some changes.

comment:11 by robe, 2 years ago

Testing, I think a recent change to the sac mailing list might have broken Trac's ability to send.

comment:12 by robe, 2 years ago

Never mind, it's working.

comment:13 by robe, 2 years ago

Resolution: fixed
Status: new → closed

Okay I have installed postsrsd more or less as detailed in - https://serverfault.com/questions/635293/postfix-as-email-forwarder-to-gmail-spf-problems

and I am now seeing SPF success where it was failing before and it no longer shows we are trying to spoof the sender.

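cd ~
# Install the SRS daemon (Debian/Ubuntu package)
sudo apt install postsrsd
# Forward rewriting: envelope senders are looked up via postsrsd on port 10001
sudo postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
sudo postconf -e "sender_canonical_classes = envelope_sender"
# Reverse rewriting: SRS envelope recipients (bounces) are looked up on port 10002
sudo postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
sudo postconf -e "recipient_canonical_classes = envelope_recipient"
# Start postsrsd at boot, confirm it is running, then reload Postfix
sudo systemctl enable postsrsd
sudo systemctl status postsrsd
sudo postfix reload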

I'm going to assume that fixes this issue. Feel free to reopen if you think it doesn't.
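
Added example, not part of the ticket or of postsrsd: a simplified Python model of why mail forwarded from 140.211.15.3 failed SPF under the original envelope sender, and why the envelope-sender rewriting set up in comment 13 makes it pass. The domains sender.example and forwarder.example, the SPF records, the secret and the 8-hex-digit tag are constructed assumptions; the address follows the SRS0 layout but is not byte-compatible with postsrsd.

```python
import hashlib, hmac, ipaddress

# Constructed SPF policies standing in for DNS (not real records).
SPF = {
    "sender.example": "v=spf1 ip4:192.0.2.10 -all",
    "forwarder.example": "v=spf1 ip4:140.211.15.3 -all",
}

def spf_check(mail_from, client_ip):
    """SPF result for the envelope sender's domain; only ip4 and all are handled."""
    record = SPF.get(mail_from.rsplit("@", 1)[1])
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def _tag(secret, ts, domain, local):
    # Keyed hash so third parties cannot mint valid bounce addresses.
    msg = f"{ts}={domain}={local}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:8]

def srs_forward(mail_from, forwarder, secret, day):
    """Rewrite the envelope sender into the forwarder's own domain (SRS0 layout)."""
    local, domain = mail_from.rsplit("@", 1)
    if domain == forwarder:
        return mail_from  # already our domain, SPF will match
    ts = format(day % 1024, "03x")  # simplified day stamp; expiry is not checked here
    return f"SRS0={_tag(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"

def srs_reverse(rcpt, forwarder, secret):
    """Recover the original sender from a bounce recipient, or None if invalid."""
    local, domain = rcpt.rsplit("@", 1)
    parts = local[5:].split("=", 3)
    if domain != forwarder or not local.startswith("SRS0=") or len(parts) != 4:
        return None
    tag, ts, orig_domain, orig_local = parts
    expected = _tag(secret, ts, orig_domain, orig_local)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # forged or altered address
    return f"{orig_local}@{orig_domain}"
```

The receiver evaluates SPF against the envelope sender (MAIL FROM), so only that address is rewritten; the From: header is untouched.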

comment:14 by robe, 2 years ago

I also disabled backward compatibility with

sudo postconf compatibility_level=2
sudo postfix reload