[SAC] [OSGeo] #2750: mail aliases fail anti-spoof measures

#2750: mail aliases fail anti-spoof measures
---------------------------+---------------------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2022-II
Component: Systems Admin | Keywords:
---------------------------+---------------------------------------
I've experienced failures in sending mail to some @osgeo.org aliases,
whereas the receiving SMTP (GMail, in particular) refused to accept my
mails, reporting them as "unauthenticated".

It looks like adding a (deprecated) "ptr" indication in the SPF record for
my domain allows mail to be delivered to the GMail receiver, but this
could be a side-effect of "ptr" records being too expensive and thus
skipped by the checker (allowing to bypass the check).

This ticket is to better understand WHAT domain would the receiver be
checking (is postfix changing the Sender address?).

Some pointers:

https://serverfault.com/questions/635293/postfix-as-email-forwarder-to-gmail-spf-problems
https://serverfault.com/questions/896791/postfix-forwarding-spf-issues-sender-rewrite

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.


Comment (by robe):

Thanks for the links strk.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:1>

Comment (by robe):

@strk

What puzzles me is I get your messages when you send to Mantra. Do you
get bounces when you send to Mantra? Or is that handled differently
because it is more than one person redirect? I would think your emails
would be treated the same and bounce since my domains are all on gmail.
Or is it only an issue when sending to a @gmail.com address because then
that is governed by gmail's rules instead of how the domain owner
configures their spf?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:2>

Comment (by strk):

I don't think I ever got bounces when sending to mantra alias.
Do you get those bounces if you drop the PTR elements from your SPF ?
That element is deprecated: https://dmarcian.com/ptr-mechanisms-in-spf-records/

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:3>

Comment (by robe):

Remove from osgeo or my domain. I've never had issue receiving or sending
from an osgeo.org account.

But since it is deprecated I should probably remove from osgeo.org. We
still have ptr in there.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:4>

Comment (by robe):

ah nevermind I thought we had ptr on osgeo.org but no we don't. We just
have a and ip4

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:5>

Comment (by robe):

okay I took off ptr from my domain, but now I see I was reading this all
wrong.

I guess osgeo is spoofing your address and my address when we send, so it
was your mail server complaining.

When I sent to mantra and see the email that comes to my other account, it
comes thru fine:

but distinctly has:

{{{
SPF: FAIL with IP 140.211.15.3
google.com: domain of <my email address I was sending from> does not
designate 140.211.15.3 as permitted sender
}}}

because lists.osgeo.org is trying to spoof my address. But why that
doesn't fail or even get dumped into spam is puzzling. I'll try neteler
again later to see if removing ptr on mine made a difference.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:6>

Comment (by strk):

Right, all mails to mantra alias come with failing SPF,
like this:

{{{
Received-SPF: softfail (spool2: transitioning domain of education.gouv.fr
does not designate 140.211.15.3 as permitted sender)
}}}

Evidently OSGeo Postfix will NOT drop these emails, so
we still receive them

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:7>

Comment (by strk):

I'm actually not sure if it's the OSGeo Postfix that would make it
pass or not or the final (destination) smtp.

Like: is it possible that (say) Markus would NOT receive some mails
which instead land successfully in our mailboxes ? Is Markus on the
mantra list ?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:8>

Comment (by neteler):

To my knowledge I am not on the mantra list.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:9>

Comment (by robe):

Replying to [comment:7 strk]:
> Right, all mails to mantra alias come with failing SPF,
> like this:
>
> {{{
> Received-SPF: softfail (spool2: transitioning domain of education.gouv.fr
> does not designate 140.211.15.3 as permitted sender)
> }}}
>
> Evidently OSGeo Postfix will NOT drop these emails, so
> we still receive them

But we should not be all receiving them. GMail should drop when OSGeo
tries to send to me spoofing you? I thought we have at least one
gmail.com account on mantra still. I know Jay complained and he had a
gmail account but I always got his emails to my knowledge and he was
getting mantra emails, just being rejected when sending to gmail accounts
sometimes. Anyway I think I have a gmail only account lying around
somewhere, I'll test before and after I make some changes.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:10>

I was getting also strange emails from gdal and proj mailing lists… and now I do not get them any more.
My personal email (from my domain) is redirecting the emails to my gmail account.

The emails sent by lists.osgeo.org have a big yellow banner that says
“Gmail could not verify that it actually came from lists.osgeo.org. Avoid clicking links, downloading attachments or replying with personal information.”

In the headers I can see

ARC-Authentication-Results: i=1; mx.google.com;
       spf=fail (google.com: domain of gdal-dev-bounces@lists.osgeo.org does not designate 134.....204 as permitted sender)

This is happening since March 24th

The thing is that it is only happening with those lists (gdal-dev and proj).

With sac mailing list it has no problem (apparently). The header is a bit different

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass (test mode) header.i=@osgeo.org header.s=mail header.b=c0FiFf0V;
       dkim=neutral (body hash did not verify) header.i=@osgeo.org header.s=mail header.b=AfjBJ1Hn;
       spf=fail (google.com: domain of sac-bounces@lists.osgeo.org does not designate 134......204 as permitted sender)

What is the difference?

Thanks

.___ ._ ..._ .. . ._. .___ .. __ . _. . __.. ... .... ._ .__
Between two rational thoughts
there are infinitely many irrational thoughts.

Sac mailing list
Sac@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/sac

I believe the SAC mailing list settings were not yet updated to "Munge From" as was requested for all lists (see the long discussion at https://trac.osgeo.org/osgeo/ticket/2475 ). I have now also updated the SAC mailing list settings to follow that as well.

-jeff

--
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/


Comment (by robe):

Testing, I think recent change to sac mailing list might have broken trac's
ability to send.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:11>

Comment (by robe):

nevermind it's working.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:12>

On Thu, Apr 28, 2022 at 12:28:56PM -0300, Jeff McKenna wrote:

> I believe the SAC mailing list settings were not yet updated to "Munge From"
> as was requested for all lists (see the long discussion at
> https://trac.osgeo.org/osgeo/ticket/2475 ). I have now also updated the SAC
> mailing list settings to follow that as well.

The reporter mentioned that SAC list was NOT having the problem,
does it mean "Munge From" will introduce the problem here too ?

--strk;

Hi Sandro

I am not an expert in email services configuration. Recently I am having problems with SPF and GMail (they become more restrictive the last times). But I have a different behaviour with “sac” mailing list than with “gdal-dev”.

Is it possible that “sac” is using DKIM authentication and “gdal-dev” or “proj” don’t?

Thanks

.___ ._ ..._ .. . ._. .___ .. __ . _. . __.. ... .... ._ .__
Between two rational thoughts
there are infinitely many irrational thoughts.


#2750: mail aliases fail anti-spoof measures
---------------------------+----------------------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2022-II
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+----------------------------------------
Changes (by robe):

* status: new => closed
* resolution: => fixed

Comment:

Okay I have installed postsrsd more or less as detailed in -
https://serverfault.com/questions/635293/postfix-as-email-forwarder-to-gmail-spf-problems

and I am now seeing SPF success where it was failing before and it no
longer shows we are trying to spoof the sender.

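{{{
cd ~
# Install the Sender Rewriting Scheme (SRS) daemon for Postfix
sudo apt install postsrsd
# Rewrite the envelope sender of forwarded mail via postsrsd's forward lookup port
sudo postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
sudo postconf -e "sender_canonical_classes = envelope_sender"
# Map SRS-rewritten bounce recipients back via postsrsd's reverse lookup port
sudo postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
sudo postconf -e "recipient_canonical_classes = envelope_recipient"
sudo systemctl enable postsrsd
systemctl status postsrsd
sudo postfix reload
}}}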

I'm going to assume that fixes this issue. Feel free to reopen if you
think it doesn't.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:13>

Comment (by robe):

I also disabled backward compatibility with

{{{
sudo postconf compatibility_level=2
sudo postfix reload
}}}
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2750#comment:14>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
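
The mechanism behind the fix in comment 13, as an added example that is not part of the ticket or of OSGeo's configuration: SPF is evaluated on the envelope sender's domain against the connecting IP, so mail forwarded by an alias fails until the forwarder rewrites the envelope sender into its own domain. The domains, SPF records and secret are constructed for illustration, and the SRS0 encoding is simplified rather than byte-compatible with postsrsd.

```python
import base64
import hashlib
import hmac
import ipaddress
import time

# Constructed SPF records standing in for DNS TXT lookups (not real data).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:140.211.15.3 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def spf_check(client_ip, envelope_sender):
    """SPF result for the MAIL FROM domain; only ip4 and all are evaluated."""
    domain = envelope_sender.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism.startswith("ip4:"):
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"


def _srs_hash(secret, timestamp, domain, local):
    # Keyed hash so that only this forwarder can mint valid SRS0 addresses.
    data = f"{timestamp}{domain}{local}".lower().encode()
    return base64.b64encode(hmac.new(secret, data, hashlib.sha1).digest()).decode()[:4]


def srs_forward(envelope_sender, forwarder_domain, secret, now=None):
    """Rewrite user@domain to SRS0=hash=timestamp=domain=user@forwarder."""
    local, domain = envelope_sender.rsplit("@", 1)
    days = int((time.time() if now is None else now) // 86400) % 1024
    stamp = B32[days >> 5] + B32[days & 31]
    digest = _srs_hash(secret, stamp, domain, local)
    return f"SRS0={digest}={stamp}={domain}={local}@{forwarder_domain}"


def srs_reverse(srs_address, secret):
    """Recover the original sender for a bounce, rejecting forged addresses."""
    tag, digest, stamp, domain, local = srs_address.rsplit("@", 1)[0].split("=", 4)
    expected = _srs_hash(secret, stamp, domain, local)
    if tag.upper() != "SRS0" or not hmac.compare_digest(digest, expected):
        raise ValueError("not a valid SRS0 address for this forwarder")
    return f"{local}@{domain}"  # a production daemon also expires old timestamps


def demo():
    secret = b"constructed-demo-secret"
    original = "alice@sender.example"
    forwarder_ip = "140.211.15.3"  # forwarding host IP quoted in the thread
    before = spf_check(forwarder_ip, original)  # forwarded with sender unchanged
    rewritten = srs_forward(original, "forwarder.example", secret, now=1651000000)
    after = spf_check(forwarder_ip, rewritten)  # forwarded after SRS rewrite
    return before, rewritten, after, srs_reverse(rewritten, secret)


if __name__ == "__main__":
    print(demo())
```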