Fwd: SPF records of opensuse.org is not correct
message from admin. -------- Original Message -------- Subject: SPF records of opensuse.org is not correct Date: 2024-08-22 09:25 From: admin <abuse@akritrim.net> To: abuse@opensuse.org Cc: project@lists.opensuse.org Hello The SPF records of opensuse.org are misconfigured with respects to mails coming from lists.opensuse.org For example the the mails from lists using IPV4 addresses come from: 195.135.223.51 ( mx1.opensuse.org ) 195.135.223.52 ( mx2.opensuse.org ) these ip addresses are not in spf records of opensuse.org causing mails to fail SPF tests. also the SPF records are too permissive and ripe for spoofing and malicious use. However the mails from lists using IPV6 addresses come from: 2a07:de40:b27e:1209::12 ( mx2.infra.opensuse.org ) 2a07:de40:b27e:1209::11 ( mx1.infra.opensuse.org ) these ip address are in SPF record hence SPF test is passed when receiving mails from these addresses. The SPF record for opensuse.org is: v=spf1 include:_spf.opensuse.org ?all which expands to: v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 ip4:149.44.0.0/16 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 a:smtp-out1.suse.de a:smtp-out2.suse.de a:mx1.infra.opensuse.org a:mx2.infra.opensuse.org mx ?all there is no mx1.opensuse.org/mx2.opensuse.org in SPF records. Further the “mx” entry in records is with respect to domain _spf.opensuse.org ( which doesn’t has a mx record ).this mx entry WILL NOT apply to opensuse.org domain. In summary i see 3 problems here. 1. inconsistencies in IPV4 and IPV6 Mail delivery. 2. incorrect SPF records. 3. Too permissive SPF is prone to abuse. Hope you guys will be able to fix it. Please pass it on to relevant people if this is not the right email address. Thanks admin akritrim AI
I did forward your email to admin@opensuse.org Please watch conversation here https://progress.opensuse.org/issues/165671 On Thu, Aug 22, 2024 at 11:32 AM chandan <chandan@akritrim.net> wrote:
message from admin.
-------- Original Message -------- Subject: SPF records of opensuse.org is not correct Date: 2024-08-22 09:25 From: admin <abuse@akritrim.net> To: abuse@opensuse.org Cc: project@lists.opensuse.org
Hello
The SPF records of opensuse.org are misconfigured with respects to mails coming from lists.opensuse.org
For example the the mails from lists using IPV4 addresses come from:
195.135.223.51 ( mx1.opensuse.org )
195.135.223.52 ( mx2.opensuse.org )
these ip addresses are not in spf records of opensuse.org causing mails to fail SPF tests. also the SPF records are too permissive and ripe for spoofing and malicious use.
However the mails from lists using IPV6 addresses come from:
2a07:de40:b27e:1209::12 ( mx2.infra.opensuse.org )
2a07:de40:b27e:1209::11 ( mx1.infra.opensuse.org )
these ip address are in SPF record hence SPF test is passed when receiving mails from these addresses.
The SPF record for opensuse.org is:
v=spf1 include:_spf.opensuse.org ?all
which expands to:
v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 ip4:149.44.0.0/16 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 a:smtp-out1.suse.de a:smtp-out2.suse.de a:mx1.infra.opensuse.org a:mx2.infra.opensuse.org mx ?all
there is no mx1.opensuse.org/mx2.opensuse.org in SPF records.
Further the “mx” entry in records is with respect to domain _spf.opensuse.org ( which doesn’t has a mx record ).this mx entry WILL NOT apply to opensuse.org domain.
In summary i see 3 problems here.
1. inconsistencies in IPV4 and IPV6 Mail delivery. 2. incorrect SPF records. 3. Too permissive SPF is prone to abuse.
Hope you guys will be able to fix it. Please pass it on to relevant people if this is not the right email address.
Thanks admin akritrim AI
-- Best regards Luboš Kocman openSUSE Leap Release Manager
participants (2)
-
chandan -
Lubos Kocman