openSUSE admin

---------- Forwarded message ---------
From: chandan chandan@akritrim.net
Date: Thu, Aug 22, 2024 at 11:32 AM
Subject: Fwd: SPF records of opensuse.org is not correct
To: project@lists.opensuse.org

message from admin.

-------- Original Message --------
Subject: SPF records of opensuse.org is not correct
Date: 2024-08-22 09:25
From: admin abuse@akritrim.net
To: abuse@opensuse.org
Cc: project@lists.opensuse.org

Hello

The SPF records of opensuse.org are misconfigured with respects to mails
coming from lists.opensuse.org

For example the the mails from lists using IPV4 addresses come from:

195.135.223.51 ( mx1.opensuse.org )

195.135.223.52 ( mx2.opensuse.org )

these ip addresses are not in spf records of opensuse.org causing mails
to fail SPF tests. also the SPF records are too permissive and ripe for
spoofing and malicious use.

However the mails from lists using IPV6 addresses come from:

2a07:de40:b27e:1209::12 ( mx2.infra.opensuse.org )

2a07:de40:b27e:1209::11 ( mx1.infra.opensuse.org )

these ip address are in SPF record hence SPF test is passed when
receiving mails from these addresses.

The SPF record for opensuse.org is:

v=spf1 include:_spf.opensuse.org ?all

which expands to:

v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16
ip4:149.44.0.0/16 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64
a:smtp-out1.suse.de a:smtp-out2.suse.de a:mx1.infra.opensuse.org
a:mx2.infra.opensuse.org mx ?all

there is no mx1.opensuse.org/mx2.opensuse.org in SPF records.

Further the “mx” entry in records is with respect to domain
_spf.opensuse.org ( which doesn’t has a mx record ).this mx entry WILL
NOT apply to opensuse.org domain.

In summary i see 3 problems here.

1. inconsistencies in IPV4 and IPV6 Mail delivery.
2. incorrect SPF records.
3. Too permissive SPF is prone to abuse.

Hope you guys will be able to fix it.
Please pass it on to relevant people if this is not the right email
address.

Thanks
admin
akritrim AI

--

Best regards

Luboš Kocman
openSUSE Leap Release Manager