[OSGeo] #3447: lists.osgeo.org: SPF fail - not authorized

OSGeoTrac · September 30, 2025, 1:36pm

#3447: lists.osgeo.org: SPF fail - not authorized
----------------------+--------------------------------
Reporter: neteler | Owner: sac-tickets@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin | Keywords: mail, mailman, SFP
----------------------+--------------------------------
Today, being mailman list administrator of "grass-psc", I have received:

{{{
<mXXXXXXXXX.cYYYYYY@supsi.ch>: host mailgw2.supsi.ch[195.176.78.201] said:
     550 5.7.23 <SRS0=1wg2=4J=lists.osgeo.org=grass-psc-bounces@osgeo.org>:
     Sender address rejected: Message rejected due to: SPF fail - not
     authorized. Please see
Libraesva - SPF Why?
     (in reply to RCPT TO command)
}}}

Is there a way to fix this SFP issue?
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.

OSGeoTrac · September 30, 2025, 2:45pm

#3447: lists.osgeo.org: SPF fail - not authorized
--------------------------------+----------------------------
Reporter: neteler | Owner: sac-tickets@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/DNS | Resolution:
Keywords: mail, mailman, SFP |
--------------------------------+----------------------------
Changes (by robe):

* component: SysAdmin => SysAdmin/DNS

Comment:

Strange looks like mail is going thru the osgeo9 .13 address

Here's what you can do: Contact the lists.osgeo.org postmaster and tell
them that they need to change lists.osgeo.org SPF record so that it
authorizes osgeo9.osgeo.osuosl.org (140.211.15.13). They should add this
to their SPF record:
a:osgeo9.osgeo.osuosl.org
Current SPF record:
v=spf1 mx a:mail.osgeo.org ip4:10.36.74.210 ip4:140.211.15.3
ip4:140.211.15.14 -all

I guess we can add the .13 and should fix the issue. It was probably a hit
or miss issue as I suppose it could broadcast any ip on the machine it is
hosted on.
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.

OSGeoTrac · September 30, 2025, 3:03pm

#3447: lists.osgeo.org: SPF fail - not authorized
--------------------------------+----------------------------
Reporter: neteler | Owner: sac-tickets@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/DNS | Resolution:
Keywords: mail, mailman, SFP |
--------------------------------+----------------------------
Comment (by strk):

I think for now let's add all osgeo9 IP addresses to the SPF record, yes.

Those records are managed via Ansible:

Making sure you're not a bot!
deployment/src/branch/master/deployment/roles/dns-
records/defaults/main/spf.yml#L10
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.

OSGeoTrac · September 30, 2025, 3:04pm

#3447: lists.osgeo.org: SPF fail - not authorized
--------------------------------+----------------------------
Reporter: neteler | Owner: sac-tickets@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/DNS | Resolution:
Keywords: mail, mailman, SFP |
--------------------------------+----------------------------
Comment (by strk):

Given that osgeo9 has multiple IP addresses we could probably drop the
hostname (the a:osgeo9.osgeo.osuosl.org) and only use the ip4 components.
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.

OSGeoTrac · September 30, 2025, 3:30pm

#3447: lists.osgeo.org: SPF fail - not authorized
--------------------------------+----------------------------
Reporter: neteler | Owner: sac-tickets@…
Type: task | Status: closed
Priority: normal | Milestone: Unplanned
Component: SysAdmin/DNS | Resolution: fixed
Keywords: mail, mailman, SFP |
--------------------------------+----------------------------
Changes (by robe):

* resolution: => fixed
* status: new => closed

Comment:

Done in ansible - and pushed Making sure you're not a bot!
deployment/commit/9d26c7626dc3343061757b7b884c71554500c97a

Note made a change in osgeo_org that wasn't necessary so reverted that in:
Making sure you're not a bot!
deployment/commit/82146761c122bc9a2de1d2477c833677d0c2267f

I'm going to leave it as is for now too lazy to change again.
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.

OSGeoTrac · September 30, 2025, 3:37pm

#3447: lists.osgeo.org: SPF fail - not authorized
--------------------------------+----------------------------
Reporter: neteler | Owner: sac-tickets@…
Type: task | Status: closed
Priority: normal | Milestone: Unplanned
Component: SysAdmin/DNS | Resolution: fixed
Keywords: mail, mailman, SFP |
--------------------------------+----------------------------
Comment (by robe):

One more mistake fixed in Making sure you're not a bot!
deployment/commit/a9cda41a92af491f367e72894e5de1b84efe1190

@strk I think we should keep the osgeo9.osgeo.osuosl.org one. That is an
ip address we don't control and if per chance OSU needs to change the ip,
we want mail to still work going thru it.
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.

OSGeoTrac · October 23, 2025, 6:58pm

#3447: lists.osgeo.org: SPF fail - not authorized
--------------------------------+----------------------------
Reporter: neteler | Owner: sac-tickets@…
Type: task | Status: closed
Priority: normal | Milestone: Unplanned
Component: SysAdmin/DNS | Resolution: fixed
Keywords: mail, mailman, SFP |
--------------------------------+----------------------------
Comment (by strk):

Regina we should know if we change IP address as those are also set via
Ansible, right ?
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.