tickets #165644

open

SPF records of opensuse.org is not correct

Added by abuse@akritrim.net 2 months ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Assignee:
Category: Email
Target version: -
Start date: 2024-08-22
Due date:
% Done: 0%
Estimated time:

Description

Hello

The SPF records of opensuse.org are misconfigured with respect to mails
coming from lists.opensuse.org.

For example, the mails from lists using IPv4 addresses come from:

195.135.223.51 ( mx1.opensuse.org )

195.135.223.52 ( mx2.opensuse.org )

These IP addresses are not in the SPF records of opensuse.org, causing mails
to fail SPF tests. Also, the SPF records are too permissive and ripe for
spoofing and malicious use.

However, the mails from lists using IPv6 addresses come from:

2a07:de40:b27e:1209::12 ( mx2.infra.opensuse.org )

2a07:de40:b27e:1209::11 ( mx1.infra.opensuse.org )

These IP addresses are in the SPF record, hence the SPF test is passed when
receiving mails from these addresses.

The SPF record for opensuse.org is:

v=spf1 include:_spf.opensuse.org ?all

which expands to:

v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16
ip4:149.44.0.0/16 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64
a:smtp-out1.suse.de a:smtp-out2.suse.de a:mx1.infra.opensuse.org
a:mx2.infra.opensuse.org mx ?all

There is no mx1.opensuse.org/mx2.opensuse.org in the SPF records.

Further, the “mx” entry in the records is with respect to the domain
_spf.opensuse.org (which doesn’t have an MX record). This mx entry WILL
NOT apply to the opensuse.org domain.

In summary, I see 3 problems here.

  1. Inconsistencies in IPv4 and IPv6 mail delivery.
  2. Incorrect SPF records.
  3. Too permissive SPF is prone to abuse.

Hope you guys will be able to fix it.
Please pass it on to relevant people if this is not the right email
address.

Thanks
admin
akritrim AI


Related issues 2 (1 open, 1 closed)

Related to openSUSE admin - tickets #168877: Re: Some issues receiving mails: IPv6 / DNS/ SPF (New, 2024-10-24)
Has duplicate openSUSE admin - tickets #165671: Fwd: SPF records of opensuse.org is not correct (Closed, 2024-08-22)

Actions #1

Updated by crameleon 2 months ago

  • Has duplicate tickets #165671: Fwd: SPF records of opensuse.org is not correct added
Actions #2

Updated by crameleon 2 months ago

  • Category set to Email
  • Private changed from Yes to No
Actions #3

Updated by crameleon about 1 month ago

  • Status changed from New to In Progress
  • Assignee set to crameleon
Actions #4

Updated by crameleon about 1 month ago

  • Status changed from In Progress to Feedback

Hello,

thank you very much for reaching out with detailed information, which I was able to verify.

I changed the implicit mx SPF tag to an explicit one by applying the following patch to the TXT record at _spf.opensuse.org:

-_spf.opensuse.org 1800 IN TXT "v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 ip4:149.44.0.0/16 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 a:smtp-out1.suse.de a:smtp-out2.suse.de a:mx1.infra.opensuse.org a:mx2.infra.opensuse.org mx ?all"
+_spf.opensuse.org 1800 IN TXT "v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 ip4:149.44.0.0/16 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 a:smtp-out1.suse.de a:smtp-out2.suse.de a:mx1.infra.opensuse.org a:mx2.infra.opensuse.org mx:opensuse.org ?all"
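
Review bot: On the `+` line, `mx:opensuse.org` ties the set of authorised senders to whatever the MX records of opensuse.org point at, so a later change to inbound mail routing will silently change which hosts pass SPF. That dependency should be noted next to the record in the zone source, or, if the coupling is not wanted, the two outbound IPv4 addresses named in the report (195.135.223.51 and 195.135.223.52) could be listed as `ip4:` terms instead. The trailing `?all` is unchanged, so hosts that match no mechanism still evaluate to neutral rather than fail; with a TTL of 1800, resolvers may also keep serving the old record for up to 30 minutes after the change.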

Of course, in theory only the addresses behind the A records would have been needed - the AAAA records behind mx1.opensuse.org and mx2.opensuse.org, which are considered through the MX record behind opensuse.org, are superfluous, as only the ones behind mx{1,2}.infra.opensuse.org are relevant for SPF. But it is deemed a better compromise than hardcoding more IP addresses.
Just for your better understanding, the asymmetric addresses are due to our proxy setup (inbound traffic goes through the reverse proxy, but outbound traffic originates directly from the backend machine).

I expect the issue to be resolved, but please let me know should you notice anything else.

Regarding your concern about the permissive SPF setup, this is unfortunately by design. Since we do not have an authenticated SMTP setup, our users use aliases which they use to send from arbitrary mail servers.

Best,
Georg
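
An added example, not part of the ticket and not openSUSE's own tooling: a minimal Python subset of the RFC 7208 `check_host()` evaluation, run against a zone constructed from the names and addresses quoted in this thread (not live DNS). It shows that a bare `mx` inside the included record is resolved against `_spf.opensuse.org`, while `mx:opensuse.org` is resolved against the MX hosts of opensuse.org. The names `ZONE`, `addrs`, `check_host` and `evaluate` are assumptions of the example.

```python
import ipaddress

# Constructed zone: names and addresses are the ones quoted in this ticket,
# trimmed to what the evaluation needs. No live DNS lookups are made.
ZONE = {
    ("opensuse.org", "TXT"): ["v=spf1 include:_spf.opensuse.org ?all"],
    ("opensuse.org", "MX"): ["mx1.opensuse.org", "mx2.opensuse.org"],
    ("mx1.opensuse.org", "A"): ["195.135.223.51"],
    ("mx2.opensuse.org", "A"): ["195.135.223.52"],
    ("mx1.infra.opensuse.org", "AAAA"): ["2a07:de40:b27e:1209::11"],
    ("mx2.infra.opensuse.org", "AAAA"): ["2a07:de40:b27e:1209::12"],
}
BEFORE = ("v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 "
          "ip4:149.44.0.0/16 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 "
          "a:smtp-out1.suse.de a:smtp-out2.suse.de a:mx1.infra.opensuse.org "
          "a:mx2.infra.opensuse.org mx ?all")
AFTER = BEFORE.replace(" mx ?all", " mx:opensuse.org ?all")

def addrs(zone, name):
    """All A and AAAA addresses of a host name in the constructed zone."""
    return {ipaddress.ip_address(a) for t in ("A", "AAAA") for a in zone.get((name, t), [])}

def check_host(ip, domain, zone):
    """Subset of RFC 7208 check_host(): ip4, ip6, a, mx, include, all."""
    record = next((t for t in zone.get((domain, "TXT"), []) if t.startswith("v=spf1")), None)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain  # no domain given: use the domain being evaluated
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in addrs(zone, target)
        elif mech == "mx":
            hit = any(ip in addrs(zone, mx) for mx in zone.get((target, "MX"), []))
        elif mech == "include":  # recursive call with the included name as domain
            hit = check_host(ip, arg, zone) == "pass"
        else:
            continue  # anything else is outside this sketch
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def evaluate(ip, spf_txt):
    """SPF result for opensuse.org with spf_txt published at _spf.opensuse.org."""
    zone = {**ZONE, ("_spf.opensuse.org", "TXT"): [spf_txt]}
    return check_host(ipaddress.ip_address(ip), "opensuse.org", zone)
```

With the old record, `evaluate("195.135.223.51", BEFORE)` falls through to `?all` and returns `neutral`; with the patched record it returns `pass`.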

Actions #5

Updated by crameleon 3 days ago

  • Related to tickets #168877: Re: Some issues receiving mails: IPv6 / DNS/ SPF added