Re: How to set up a SPF policy when emails are redirected through GNOME?



Hello,

On Mon, Mar 21, 2016 at 3:37 PM, Andrea Veri <av gnome org> wrote:
> 2016-03-21 14:51 GMT+01:00 Jehan Pagès <jehan marmottard gmail com>:
>
>> For instance emails coming from redhat.com which has a strict SPF
>> policy (-all) cannot reach me at @gnome.org or @gimp.org.
>> Would anyone have any advice on how to properly keep SPF filtering
>> with emails coming through aliases on third-party servers (GNOME
>> servers in my case, but a general solution would be good)? For the
>> time being, I had to deactivate my SPF checks because that's really
>> not acceptable as it is now.
>> Thanks.
>
> You are probably misunderstanding how SPF actually works behind the
> scenes.

It is highly possible and I am expecting to learn things. :-)

> The gnome.org DNS zone file has a TXT record containing a
> relaxed SPF rule (v=spf1 mx ?all) which tells any mail server out
> there to just go ahead and ignore the SPF check itself. On a related
> note SPF records (through the TXT RR) are only consulted by the
> recipient mail servers to find out whether the originating sender's
> mail server is *allowed* to relay e-mails on behalf of a specific
> domain. redhat.com having a strict SPF policy rule won't affect the
> e-mails you receive to your @gnome.org or @gimp.org addresses but will
> only help recipient mail servers to discard any e-mail (having
> redhat.com as the sending domain) originating from an IP / DNS not
> listed on the SPF record published for the redhat.com domain.

So I may be indeed misunderstanding something, but here is the exact
thing which happened:

- someone @redhat.com sent me an email on my @gimp.org alias.
- smtp.gnome.org forwarded the email to my actual email @girinstud.io.
- my postfix server got a connection from smtp.gnome.org (and not any
of redhat.com's IPs), for a message labelled as coming from a
@redhat.com address, and therefore rejected the email because of the
strict redhat.com SPF records. It came back in error to smtp.gnome.org
(then to the original @redhat.com sender, who warned me with another
email directly to the final address, otherwise I would never have
known) with the error:

Message rejected due to: SPF fail - not authorized. Please see
   http://www.openspf.net/Why?s=mfrom;id=XXX redhat com;ip=209.132.180.187

Basically I understand my postfix installation checked that
209.132.180.187 (smtp.gnome.org) was not in the SPF records of
redhat.com, and since redhat.com's SPF record is strict (-all), it
simply rejected this email coming from an unauthorized IP for a
redhat.com email. Except that smtp.gnome.org was relaying this email
on behalf of me, the recipient, not on behalf of the sender.

Basically the problem here is that my personal server considered
smtp.gnome.org as the sending server (which makes sense, since you cannot
trust headers, otherwise any spam server could as well just pretend to
be relaying from whatever IP is in a domain's SPF record).

So you are right when you say it won't affect the email received on
@gnome.org or @gimp.org. But it does affect it when I receive it on my
actual final address, since it always appears to come from
smtp.gnome.org from my server's point of view.

The only solution I can think of right now is to simply not do any
SPF check if the email is coming from smtp.gnome.org. I am not sure if
and how it is possible to have selective SPF checks depending on the
sending server. Maybe you have a better solution?

Or do I really misunderstand something? Because what you wrote is
already what I think I understand of SPF.
Thanks.

Jehan

> --
> Cheers,
>
> Andrea
>
> Debian Developer,
> Fedora / EPEL packager,
> GNOME Infrastructure Team Coordinator,
> GNOME Foundation Board of Directors Secretary,
> GNOME Foundation Membership & Elections Committee Chairman
>
> Homepage: http://www.gnome.org/~av



-- 
ZeMarmot open animation film
http://film.zemarmot.net
Patreon: https://patreon.com/zemarmot
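A small worked model of the failure described in this thread, added here as an example; it is not code from the thread, from Postfix or from the GNOME infrastructure. It replaces real DNS with a constructed zone table using placeholder domains (sender.example as the strict -all domain, forwarder.example as the alias host) and documentation IP ranges, and it reproduces the three outcomes under discussion: direct mail from the strict domain passes, the same envelope domain arriving from the forwarder's IP hard-fails, and the forwarder's own relaxed "mx ?all" record only yields neutral for unknown hosts. delivery_decision then models the selective check Jehan asks about: the receiving MTA exempts a known forwarder's address before the SPF record is ever evaluated.

```python
import ipaddress

# Constructed zone data standing in for DNS (documentation ranges only).
# sender.example plays the role of the strict (-all) sending domain,
# forwarder.example the alias host that relays mail to the final mailbox.
ZONES = {
    "sender.example": {
        "TXT": "v=spf1 ip4:198.51.100.0/24 mx -all",
        "MX": ["mx.sender.example"],
    },
    "mx.sender.example": {"A": ["192.0.2.25"]},
    "forwarder.example": {
        "TXT": "v=spf1 mx ?all",
        "MX": ["smtp.forwarder.example"],
    },
    "smtp.forwarder.example": {"A": ["203.0.113.7"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Resolve a record from the constructed zone table (no network access)."""
    return ZONES.get(name.lower(), {}).get(rrtype)


def host_ips(name):
    """A records of a host, as ip_address objects."""
    return [ipaddress.ip_address(a) for a in lookup(name, "A") or []]


def check_spf(client_ip, mail_from_domain, depth=0):
    """Evaluate the envelope domain's SPF record against the connecting IP.

    Supports the all, ip4, a, mx and include mechanisms with the four
    qualifiers; anything else yields permerror.  Results use the RFC 7208
    vocabulary: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # guard against include loops
        return "permerror"
    record = lookup(mail_from_domain, "TXT")
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in host_ips(arg or mail_from_domain)
        elif mech == "mx":
            mx_hosts = lookup(arg or mail_from_domain, "MX") or []
            matched = any(ip in host_ips(mx) for mx in mx_hosts)
        elif mech == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


# Constructed: hosts that forward mail to us on our own behalf.  Mail from
# them still carries the original sender's envelope domain, so an SPF check
# at this hop compares the wrong domain against the forwarder's IP.
TRUSTED_FORWARDERS = {ipaddress.ip_address("203.0.113.7")}


def delivery_decision(client_ip, mail_from_domain, trusted=TRUSTED_FORWARDERS):
    """Model the receiving MTA's policy: bypass SPF for known forwarders,
    otherwise reject only on a hard fail."""
    if ipaddress.ip_address(client_ip) in trusted:
        return ("accept", "spf skipped: trusted forwarder")
    result = check_spf(client_ip, mail_from_domain)
    return ("reject" if result == "fail" else "accept", result)


if __name__ == "__main__":
    cases = [
        ("198.51.100.25", "sender.example"),   # direct delivery from the sender
        ("203.0.113.7", "sender.example"),     # same envelope domain, via the forwarder
        ("203.0.113.7", "forwarder.example"),  # the forwarder's own mail
    ]
    for ip, domain in cases:
        print(ip, domain, check_spf(ip, domain), delivery_decision(ip, domain))
```

In Postfix the equivalent of delivery_decision is ordering: a check_client_access table entry that returns OK for the forwarder's address, placed ahead of the SPF policy service in smtpd_recipient_restrictions, ends the restriction list before the policy daemon is consulted. The trade-off is that mail through that exemption is only as filtered as the forwarder makes it, so the list should contain exactly the hosts you forward through and nothing else. The forwarder-side remedy is for the relay to rewrite the envelope sender to its own domain (SRS), so the check at the final hop evaluates the forwarder's record instead of the original sender's.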

