-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi,
Two people (one an Alpine developer) have complained to me that they can not send email to me on my opensuse.org alias, because it gets bounced to them with this message from from a suse.de server:
The mail system
<robin.listas (aatt) telefonica.net> (expanded from <carlos.e.r (aatt) opensuse.org>): host tnetmx.telefonica.net[86.109.99.69] said: 522 - Failed SPF (in reply to MAIL FROM command)
I just sent emails to my opensuse address from gmail and from another account, and both got through, so I can't replicate the problem, nor do I have full headers.
I don't know how to investigate this, where lies the problem: on the opensuse redirector, on my ISP being too strict, on the sender side not supporting spf or setting data incorrectly, or what?
In case there is a problem with the opensuse redirector I ask here first, otherwise I'll move to another list.
- -- Cheers
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
Hi,
Two people (one an Alpine developer) have complained to me that they can not send email to me on my opensuse.org alias, because it gets bounced to them with this message from from a suse.de server:
The mail system
<robin.listas (aatt) telefonica.net> (expanded from <carlos.e.r (aatt) opensuse.org>): host tnetmx.telefonica.net[86.109.99.69] said: 522 - Failed SPF (in reply to MAIL FROM command)
It looks like the Telefonica host rejects due to a failing SPF check. My guess is that the sender's SPF record does not include the opensuse forwarding host. (obviously). Forwarding of mails is a typical problem with SPF. Usually the forwarding server is advised to implement SRS.
Issues with any opensuse.org infrastructure are probably best reported to the admin@opensuse.org ticketing system, rather than here where they might not get the attention of anyone who's able to help
On 25 November 2014 at 09:44, Per Jessen per@computer.org wrote:
Carlos E. R. wrote:
Hi,
Two people (one an Alpine developer) have complained to me that they can not send email to me on my opensuse.org alias, because it gets bounced to them with this message from from a suse.de server:
The mail system
<robin.listas (aatt) telefonica.net> (expanded from <carlos.e.r (aatt) opensuse.org>): host tnetmx.telefonica.net[86.109.99.69] said: 522 - Failed SPF (in reply to MAIL FROM command)
It looks like the Telefonica host rejects due to a failing SPF check. My guess is that the sender's SPF record does not include the opensuse forwarding host. (obviously). Forwarding of mails is a typical problem with SPF. Usually the forwarding server is advised to implement SRS.
-- Per Jessen, Zürich (7.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
-- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
Richard Brown wrote:
Issues with any opensuse.org infrastructure are probably best reported to the admin@opensuse.org ticketing system, rather than here where they might not get the attention of anyone who's able to help
Agree. Anyway, we've looked at this issue before -
http://osdir.com/ml/linux.suse.opensuse.project/2008-08/msg00005.html
Solutions such as https://github.com/roehling/postsrsd might be worth a closer look.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2014-11-25 09:44, Per Jessen wrote:
It looks like the Telefonica host rejects due to a failing SPF check. My guess is that the sender's SPF record does not include the opensuse forwarding host. (obviously). Forwarding of mails is a typical problem with SPF. Usually the forwarding server is advised to implement SRS.
That's what I'm starting to think. My ISP has probably switched to a strict SPF check, and that the sender ISP requests hard failure, no softfail.
In that case, there is nothing that opensuse.org can do.
I found in google two ways to check it:
nslookup -q=txt gmx.com
dig gmx.com txt host localhost
and I get:
;; ANSWER SECTION: gmx.com. 83796 IN TXT "v=spf1 ip4:213.165.64.0/23 ip4:74.208.5.64/26 ip4:74.208.122.0/26 ip4:212.227.126.128/25 ip4:212.227.15.0/24 ip4:212.227.17.0/27 ip4:74.208.4.192/26 ip4:82.165.159.0/24 ip4:50.22.171.0/28 -all" gmx.com. 83796 IN TXT "google-site-verification=YxvYPeuavgDRQDYTX-3dSD3JNMsDn5yO7loiNot-h0Q"
And looking at the wikipedia:
http://en.wikipedia.org/wiki/Sender_Policy_Framework#Implementation
ALL Matches always; used for a default result like -all for all IPs not matched by prior mechanisms.
- - (minus) for FAIL, the mail should be rejected (see below).
My reading is that the sender ISP requests hard fail for IPs not in that list, and my ISP complies. opensuse.org triggers the failure, because redirection breaks SPF, so there is nothing to tell the administrators here because there is nothing they can do
Am I reading it right, or am I mistaken?
The only thing they can do is create something else instead of a redirector, like a real mail service. For instance, ieee.org had a redirector service, and they switched about a year ago to google services with real email instead, which avoids this problem.
And that would be indeed a matter for this mail list, I believe. :-?
- -- Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2014-11-25 09:44, Per Jessen wrote:
It looks like the Telefonica host rejects due to a failing SPF check. My guess is that the sender's SPF record does not include the opensuse forwarding host. (obviously). Forwarding of mails is a typical problem with SPF. Usually the forwarding server is advised to implement SRS.
That's what I'm starting to think. My ISP has probably switched to a strict SPF check, and that the sender ISP requests hard failure, no softfail.
In that case, there is nothing that opensuse.org can do.
There is, see SRS.
My reading is that the sender ISP requests hard fail for IPs not in that list, and my ISP complies.
Right.
opensuse.org triggers the failure, because redirection breaks SPF, so there is nothing to tell the administrators here because there is nothing they can do
They could install/apply SRS. For openSUSE, I think it would be quite a reasonable thing to do.
The only thing they can do is create something else instead of a redirector, like a real mail service. For instance, ieee.org had a redirector service, and they switched about a year ago to google services with real email instead, which avoids this problem.
Only if you use the google service. I just have my mail forwarded.
I think Richard Brown was correct, it's a matter for whoever looks after the openSUSE.org redirection service. Maybe admin@opensuse.org.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2014-11-25 20:42, Per Jessen wrote:
Carlos E. R. wrote:
In that case, there is nothing that opensuse.org can do.
There is, see SRS.
Ah. I'll have a look.
I think Richard Brown was correct, it's a matter for whoever looks after the openSUSE.org redirection service. Maybe admin@opensuse.org.
Ok, then.
- -- Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2014-11-25 22:21, Carlos E. R. wrote:
I think Richard Brown was correct, it's a matter for whoever looks after the openSUSE.org redirection service. Maybe admin@opensuse.org.
Ok, then.
Done. tickets #4876
- -- Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)