tickets #168877 (open)

Re: Some issues receiving mails: IPv6 / DNS / SPF

Added by cboltz 3 days ago. Updated 1 day ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2024-10-24
Due date:
% Done: 0%
Estimated time:

Description

Hi Johannes,

let me forward your mail to our ticket system.

With some luck, having you in CC should give you a copy of the ticket
activity. Otherwise I'll add you manually to the ticket so that you get
updated when someone replies.

I'll also add a few comments inline.

On Thursday, 24 October 2024, 08:44, Johannes Weberhofer wrote:

Dear Sir or Madam!

You seem to use several SMTP servers for outgoing e-mails. I receive
mails correctly from 2a07:de40:b27e:1209::12 (mx2.infra.opensuse.org):

Received: from mailgw.weberhofer.at (localhost.localdomain [127.0.0.1])
  by mailgw.weberhofer.at (Proxmox) with ESMTP id 945411C1AB9
  for jweberhofer@weberhofer.at; Wed, 23 Oct 2024 16:01:30 +0200 (CEST)
Received-SPF: pass (opensuse.org: Sender is authorized to use
  'srs0=unkm=rt=lists.opensuse.org=factory-bounces@opensuse.org' in 'mfrom'
  identity (mechanism 'include:_spf.opensuse.org' matched))
  receiver=mailgw.weberhofer.at; identity=mailfrom;
  envelope-from="srs0=unkm=rt=lists.opensuse.org=factory-bounces@opensuse.org";
  helo=mx2.opensuse.org; client-ip="2a07:de40:b27e:1209::12"
Received: from mx2.opensuse.org (mx2.infra.opensuse.org [IPv6:2a07:de40:b27e:1209::12])
  (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
  server-signature RSA-PSS (4096 bits) server-digest SHA256)
  (No client certificate requested)
  by mailgw.weberhofer.at (Proxmox) with ESMTPS
  for jweberhofer@weberhofer.at; Wed, 23 Oct 2024 16:01:28 +0200 (CEST)

But I also receive mails from 2a07:de40:b27e:1209::11, which announces
itself as mx1.opensuse.org, but a reverse lookup results in
mx1.infra.opensuse.org:

Oops, we should fix that ;-)

Delivered-To: jweberhofer@weberhofer.at
Return-Path: SRS0=41Gv=RT=lists.opensuse.org=buildservice-bounces@opensuse.org
Received-SPF: pass (opensuse.org: Sender is authorized to use
  'srs0=41gv=rt=lists.opensuse.org=buildservice-bounces@opensuse.org' in 'mfrom'
  identity (mechanism 'include:_spf.opensuse.org' matched))
  receiver=mailgw.weberhofer.at; identity=mailfrom;
  envelope-from="srs0=41gv=rt=lists.opensuse.org=buildservice-bounces@opensuse.org";
  helo=mx1.opensuse.org; client-ip="2a07:de40:b27e:1209::11"
Received: from mx1.opensuse.org (unknown [IPv6:2a07:de40:b27e:1209::11])
  (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
  server-signature RSA-PSS (4096 bits) server-digest SHA256)
  (No client certificate requested)
  by mailgw.weberhofer.at (Proxmox) with ESMTPS
  for jweberhofer@weberhofer.at; Wed, 23 Oct 2024 22:27:31 +0200 (CEST)
Received: from mailman3.infra.opensuse.org
  (mailman3.infra.opensuse.org [IPv6:2a07:de40:b27e:1203::b46])
  by mx1.opensuse.org (Postfix) with ESMTP id E6E1743FA;
  Wed, 23 Oct 2024 20:27:20 +0000 (UTC)

Your SPF record misses the outgoing servers' IPv6 range
(2a07:de40:b27e:1209::/64, I guess), too.

Indeed, 2a07:de40:b27e:1204::/64 is missing there.

Additionally, I have recognized that the SPF TXT record for the main
domain, and the included "_spf.opensuse.org" record, end with a
"?all", which allows sending from all others. If possible, I'd
recommend changing that to "-all"!

That's not possible - openSUSE Members have to use their own mailserver
if they want to send mails with their @opensuse.org mail address.
"?all" is already problematic when sending to some mail providers, but
using "-all" would make the @opensuse.org mail addresses completely
unusable.

The SPF record of the list.opensuse.org domain only allows sending via
the MX servers, which do not include any IPv6 addresses. It would
possibly be better to include the (corrected) "_spf.opensuse.org"
entry instead of the MX setting.

I'm not sure if I can follow you here. The SPF record allows "mx", and
both mx1 and mx2 have v4 and v6 addresses:

host -t txt lists.opensuse.org

lists.opensuse.org descriptive text "v=spf1 mx ~all"

host lists.opensuse.org

lists.opensuse.org has address 195.135.223.50
lists.opensuse.org has IPv6 address 2a07:de40:b27e:1204::10
lists.opensuse.org mail is handled by 42 mx2.opensuse.org.
lists.opensuse.org mail is handled by 42 mx1.opensuse.org.

host mx1.opensuse.org

mx1.opensuse.org has address 195.135.223.51
mx1.opensuse.org has IPv6 address 2a07:de40:b27e:1204::51

host mx2.opensuse.org

mx2.opensuse.org has address 195.135.223.52
mx2.opensuse.org has IPv6 address 2a07:de40:b27e:1204::52

So - what exactly is the problem?

Regards,

Christian Boltz

As car drivers, they would comparably sit down in a car that cannot be
locked and has no ignition lock, plus a note on the door: "Drive me, I'm
available and fully fuelled." [Thomas Templin on suse-linux about insecure
passwords]


Checklist

  • mx1 reverse lookup should be mx1.o.o, not mx1.infra.o.o
  • 2a07:de40:b27e:1204::/64 is missing in _spf.o.o
  • check (and maybe fix) SPF for lists.o.o - needs clarification from reporter
  • _spf.o.o: change mx[12].infra.o.o to mx[12].o.o

Related issues: 1 (1 open, 0 closed)

Related to openSUSE admin - tickets #165644: SPF records of opensuse.org is not correct (Feedback, crameleon, 2024-08-22)

Actions #1

Updated by cboltz 3 days ago

  • Private changed from Yes to No
Actions #2

Updated by crameleon 3 days ago

  • Related to tickets #165644: SPF records of opensuse.org is not correct added
Actions #3

Updated by crameleon 3 days ago

The reverse DNS is somewhat by design, all IPv6 reverse records point to the machine FQDN (.infra.opensuse.org). I understand that can cause confusion when a machine is also reachable externally over a service FQDN. There's unfortunately not a way to differentiate between machine and service in reverse lookups (unless one implements split horizon DNS, which we rather avoid), hence I figured the machine FQDNs make the most sense in PTR records as they are at least not specific to any given service and also won't cause issues with backend systems using reverse lookups as part of internal authorization (if I remember correctly, PostgreSQL does that).

If it causes issues for a particular public service (in this case, with email, I guess non-matching forward and reverse records could trigger spam filtering?) we can of course make an exception but should validate no database connectivity breaks.

Actions #4

Updated by cboltz 3 days ago

Easiest fix done - I added ip6:2a07:de40:b27e:1204::/64 to _spf.opensuse.org

Actions #5

Updated by cboltz 3 days ago

  • Checklist item mx1 reverse lookup should be mx1.o.o, not mx1.infra.o.o added
  • Checklist item 2a07:de40:b27e:1204::/64 is missing in _spf.o.o added
  • Checklist item check (and maybe fix) SPF for lists.o.o - needs clarification from reporter added
Actions #6

Updated by crameleon 2 days ago · Edited

deleted

Actions #7

Updated by cboltz 2 days ago

  • Checklist item _spf.o.o: change mx[12].infra.o.o to mx[12].o.o added

To answer your deleted comment ;-) - a:mx1.infra.opensuse.org a:mx2.infra.opensuse.org is useless because it does not resolve in public DNS. We probably should change it to mx[12].opensuse.org (without .infra)

Actions #8

Updated by crameleon 2 days ago

It does resolve in public DNS, but it has different addresses (from the backend instead of the proxy servers). Your change is fine, but I'm not sure it's necessary. In SPF only the outbound addresses should matter, which are the ones behind mx{1,2}.i.o.o. The range you added contains the proxy servers, which are used only for inbound mail.

Actions #9

Updated by crameleon 2 days ago · Edited

Let me explain more thoroughly:

  • outbound SMTP originates from mx1.i.o.o (2a07:de40:b27e:1209::11) and mx2.i.o.o (2a07:de40:b27e:1209::12)
  • inbound SMTP goes towards mx1.o.o (2a07:de40:b27e:1204::51) and mx2.o.o (2a07:de40:b27e:1204::52)

The original setup of the SPF record was to facilitate the former, the outbound, addresses (through the a:mx1.i.o.o and a:mx2.i.o.o entries), because those are what other mail servers will see upon receiving mail from openSUSE.

If you remove mx1.i.o.o and mx2.i.o.o, then SPF for IPv6 will fail.

The additional ip6: entry you added does not hurt, but does not help much either, from my current understanding.

My original comment gave a wrong picture, hence I removed it.
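
To make the outbound-versus-inbound distinction in comment #9 and the include/"?all" discussion in the description concrete, here is an added example (not the ticket's or openSUSE's code): a minimal SPF evaluator run against a constructed, offline DNS table. The table is reconstructed only from the addresses and record fragments quoted in this ticket; the live records contain more entries, and a real evaluator would also handle macros, redirect= and lookup limits.

```python
import ipaddress

# Constructed offline DNS table, reconstructed only from what this ticket quotes.
DNS = {
    ("opensuse.org", "TXT"): ["v=spf1 include:_spf.opensuse.org ?all"],
    ("_spf.opensuse.org", "TXT"): ["v=spf1 a:mx1.infra.opensuse.org "
                                   "a:mx2.infra.opensuse.org ip6:2a07:de40:b27e:1204::/64 ?all"],
    ("lists.opensuse.org", "TXT"): ["v=spf1 mx ~all"],
    ("lists.opensuse.org", "MX"): ["mx1.opensuse.org", "mx2.opensuse.org"],
    ("mx1.opensuse.org", "A"): ["195.135.223.51"],             # inbound proxies
    ("mx1.opensuse.org", "AAAA"): ["2a07:de40:b27e:1204::51"],
    ("mx2.opensuse.org", "A"): ["195.135.223.52"],
    ("mx2.opensuse.org", "AAAA"): ["2a07:de40:b27e:1204::52"],
    ("mx1.infra.opensuse.org", "AAAA"): ["2a07:de40:b27e:1209::11"],  # outbound
    ("mx2.infra.opensuse.org", "AAAA"): ["2a07:de40:b27e:1209::12"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_matches(name, ip):
    """True if ip is among the A (v4) or AAAA (v6) records of name."""
    rtype = "AAAA" if ip.version == 6 else "A"
    return any(ip == ipaddress.ip_address(a) for a in DNS.get((name, rtype), []))

def check_host(ip, domain):
    """Minimal RFC 7208 check_host(): a, mx, ip4, ip6, include, all; no macros/redirect."""
    ip = ipaddress.ip_address(ip)
    record = DNS.get((domain, "TXT"), [""])[0]
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            hit = ip in ipaddress.ip_network(arg, strict=False)  # v4 net never holds a v6 ip
        elif mech == "a":
            hit = host_matches(arg or domain, ip)
        elif mech == "mx":
            hit = any(host_matches(mx, ip) for mx in DNS.get((arg or domain, "MX"), []))
        elif mech == "include":
            hit = check_host(str(ip), arg) == "pass"  # include matches only on "pass"
        else:
            continue  # unsupported mechanism: skipped in this toy evaluator
        if hit:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term
```

With this table the outbound senders 2a07:de40:b27e:1209::11/::12 pass for opensuse.org only through the a:mx[12].infra.opensuse.org entries (the point of comment #9), an unknown sender ends at "neutral" because of "?all", and the same outbound address evaluated against the "mx"-only lists.opensuse.org record softfails because "mx" resolves to the inbound proxy addresses.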

Actions #10

Updated by jweberhofer@weberhofer.at 1 day ago

Regarding reverse lookup to "host mx2.opensuse.org": It's correct, sorry to raise a non-existing issue.

Actions #11

Updated by jweberhofer@weberhofer.at 1 day ago

I would set the SMTP greeting to the mx(1|2).infra.opensuse.org names and set the reverse lookup for IPv4 and IPv6 to the same. This should fix the issues. The IPv6 reverse lookup works nicely now, but the reverse lookup for IPv4 addresses is not yet configured.

In the SPF records, the outbound IP(4|6) addresses should be listed; there is no need to add the incoming MX servers, unless they are used for sending outgoing mails, too (bounces or stuff like that).

I understand the reason for using the tilde sign in the SPF records, which makes the other settings a little bit meaningless.

Thanks for the investigation and for keeping openSUSE running!
