tickets #134300
DKIM/SPF situation wrt gmail

Added by crameleon 11 months ago. Updated 11 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2023-08-15
Due date:
% Done: 0%
Estimated time:

Description

Hi,

splitting this out of https://progress.opensuse.org/issues/132197, emails from SUSE to Google mailservers bounce:

550-5.7.26 This mail is unauthenticated, which poses a security risk to the 550-5.7.26 sender and Gmail users, and has been blocked. The sender must 550-5.7.26 authenticate with at least one of SPF or DKIM. For this message, 550-5.7.26 DKIM checks did not pass and SPF check for [opensuse.org] did not 550-5.7.26 pass with ip: [2001:67c:2178:6::1c]. The sender should visit 550-5.7.26  https://support.google.com/mail/answer/81126#authentication for 550 5.7.26 instructions on setting up authentication. r14-20020adff10e000000b003141e952e3csi6435517wro.1036 - gsmtp (in reply to end of DATA command))


$ dig opensuse.org TXT|grep spf
opensuse.org.       1780    IN  TXT "v=spf1 include:_spf.opensuse.org ?all"
$ dig _spf.opensuse.org TXT|grep ^_spf
_spf.opensuse.org.  287 IN  TXT "v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 ip4:149.44.0.0/16 ip4:195.135.220.0/23 ip6:2001:67c:2178:8::/64 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 mx ?all"
  1. Any objections to me adding the IP addresses of smtp-out{1,2}.suse.de there?
  2. What is our DKIM situation, I noticed some resolved tickets with the same issue in the past but couldn't quite find if it's supposed to be configured.
Actions #1

Updated by crameleon 11 months ago

  • Private changed from Yes to No

Hi @pjessen, maybe you have some input?

Actions #2

Updated by pjessen 11 months ago

  • Subject changed from DKIM/SPF situation to DKIM/SPF situation wrt gmail

crameleon wrote:

Hi @pjessen, maybe you have some input?

Salu Georg - you know me, always something to add, but no, not this time. I think it is a good idea to bring it out as a separate issue, though.
I'll sum it up as I see it.
To recap - we have some 700-800 openSUSE members, ie. people who have been granted membership status based on their contributions.
Along with membership status goes an @opensuse.org email alias which can be forwarded to wherever to receive mails. To send email from an alias address, one just "does it".
I tried setting up the SPF record for opensuse.org to say "permit from everywhere", but Google did not like this. Next I reverted to an SPF policy of ?all which means 'neutral', aka 'none'. Google does not like this either. Mail to gmail addresses are always refused. There may be other email providers with similar policies.
To have an SPF policy for opensuse.org that Google accepts, would mean all openSUSE members using an SMTP relay (aka smarthost) that we provide. Adding a DKIM signature could easily be done.
I am certain I have pointed this out earlier, just as I have pointed out that this requires a lot of work and a full-time email administrator.

Speaking for myself, I am not prepared to do this as an unpaid volunteer. I am available for hire though 😀

Actions #3

Updated by pjessen 11 months ago

crameleon wrote:

  1. Any objections to me adding the IP addresses of smtp-out{1,2}.suse.de there?

Nope, that is fine.

  2. What is our DKIM situation, I noticed some resolved tickets with the same issue in the past but couldn't quite find if it's supposed to be configured.

We don't do DKIM.

Actions #4

Updated by crameleon 11 months ago

I remember the situation with @opensuse.org aliases and us not having a full mail setup for the community now. This would be a great addition for the future but rightfully a maintenance intensive operation. Thank you for recapping.

In this particular case the mail is originating from SUSE mailservers, could this be bogus ("no reply") @opensuse.org addresses used by SUSE operated services? Unfortunately the logs are difficult to find the origins of a Gmail bounce in, I tried to search for other entries with the to= address, but the successful deliveries do not have the from field tracked. I found a few failed deliveries from noreply@opensuse.org though, I think that is used as a sender by OBS?

I'll extend the SPF record, though I fear it will not help with the lack of DKIM. And funnily enough, even if it found the right channels, changing such email to originate from a @suse.$tld mailserver would likely raise the old complaint about "$SERVICE sends email from the wrong domain" again. :-)

Edit: added the DNS records instead, one less thing to get outdated quickly:

-_spf.opensuse.org 300 IN TXT "v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 ip4:149.44.0.0/16 ip4:195.135.220.0/23 ip6:2001:67c:2178:8::/64 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 mx ?all"
+_spf.opensuse.org 300 IN TXT "v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 ip4:149.44.0.0/16 ip4:195.135.220.0/23 ip6:2001:67c:2178:8::/64 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 a:smtp-out1.suse.de a:smtp-out2.suse.de mx ?all"
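Review bot: the new a:smtp-out1.suse.de and a:smtp-out2.suse.de mechanisms only yield a pass when the connecting address is one of those hosts' A/AAAA records, and the bounce quoted in the description came from 2001:67c:2178:6::1c, which the existing ip6:2001:67c:2178:8::/64 does not cover; confirm that address is published as an AAAA record of one of the two relays before treating the change as a fix for that bounce. Also note that each a: mechanism, like mx and the include from opensuse.org, consumes one of the ten DNS lookups RFC 7208 permits per evaluation (four are used after this change), and that the trailing ?all still leaves every other sender neutral rather than failing, so the record does not assert anything about mail that does not come from the listed hosts.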
Actions #5

Updated by crameleon 11 months ago

Upon trying it with a test account, I found the IDP portal to send email from noreply@suse.de even to community accounts, so my link to the other ticket is bogus.

Actions #6

Updated by pjessen 11 months ago

crameleon wrote:

I'll extend the SPF record, though I fear it will not help with the lack of DKIM.

Extending the record will at least not hurt, and it should mean Google will accept mails sent over those two mailservers. Our DMARC policy is "inactive" (I forget the correct word).
Makes me wonder if we might add:

ip6:2000::/4 
ip4:0.0.0.0/0 

Wouldn't that solve the Gmail issue? Unless Google is being really really clever.

Edit: added the DNS records instead, one less thing to get outdated quickly:

-_spf.opensuse.org 300 IN TXT "v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 ip4:149.44.0.0/16 ip4:195.135.220.0/23 ip6:2001:67c:2178:8::/64 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 mx ?all"
+_spf.opensuse.org 300 IN TXT "v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 ip4:149.44.0.0/16 ip4:195.135.220.0/23 ip6:2001:67c:2178:8::/64 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 a:smtp-out1.suse.de a:smtp-out2.suse.de mx ?all"

Looks good.
