tickets #165644
openSPF records of opensuse.org is not correct
0%
Description
Hello
The SPF records of opensuse.org are misconfigured with respects to mails
coming from lists.opensuse.org
For example the the mails from lists using IPV4 addresses come from:
195.135.223.51 ( mx1.opensuse.org )
195.135.223.52 ( mx2.opensuse.org )
these ip addresses are not in spf records of opensuse.org causing mails
to fail SPF tests. also the SPF records are too permissive and ripe for
spoofing and malicious use.
However the mails from lists using IPV6 addresses come from:
2a07:de40:b27e:1209::12 ( mx2.infra.opensuse.org )
2a07:de40:b27e:1209::11 ( mx1.infra.opensuse.org )
these ip address are in SPF record hence SPF test is passed when
receiving mails from these addresses.
The SPF record for opensuse.org is:
v=spf1 include:_spf.opensuse.org ?all
which expands to:
v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16
ip4:149.44.0.0/16 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64
a:smtp-out1.suse.de a:smtp-out2.suse.de a:mx1.infra.opensuse.org
a:mx2.infra.opensuse.org mx ?all
there is no mx1.opensuse.org/mx2.opensuse.org in SPF records.
Further the “mx” entry in records is with respect to domain
_spf.opensuse.org ( which doesn’t has a mx record ).this mx entry WILL
NOT apply to opensuse.org domain.
In summary i see 3 problems here.
- inconsistencies in IPV4 and IPV6 Mail delivery.
- incorrect SPF records.
- Too permissive SPF is prone to abuse.
Hope you guys will be able to fix it.
Please pass it on to relevant people if this is not the right email
address.
Thanks
admin
akritrim AI