Scheduled Forum update, upgrade, maintenance planned: 1800 UTC - May 28.

reinob
Posts: 1231
Joined: 2014-06-30 11:42
Has thanked: 117 times
Been thanked: 54 times

[Feedback] forums.debian.net SPF

#21 Post by reinob »

Hello,

I have noticed that the SPF record for forums.debian.net states:

forums.debian.net.	3307	IN	TXT	"v=spf1 ip4:159.69.48.177 ~all"

but e-mail can actually be delivered over IPv6 (2a01:4f8:1c17:7bb3::1), which results in SPF considering the address "neither permitted nor denied".

Perhaps the SPF record should be changed to "v=spf1 mx ~all", so that as long as the MX resolves (A or AAAA) to the right address, then everything's fine.

reinob
Posts: 1231
Joined: 2014-06-30 11:42
Has thanked: 117 times
Been thanked: 54 times

[Feedback] forums.debian.net DMARC — invalid rua

#22 Post by reinob »

Hello,

The DMARC record for forums.debian.net points to _dmarc.forums.portalias.net, which states:

_dmarc.forums.portalias.net. 600 IN	TXT
	"v=DMARC1;
		p=quarantine;
		sp=quarantine;
		pct=100;
		rua=mailto:root@forums.debian.net;
		ruf=mailto:root@forums.debian.net;
		ri=86400;
		aspf=r;
		adkim=r;
		fo=1;"

(pretty-printed, for convenience)

However, you cannot send e-mail to root@forums.debian.net, as it responds with:

	450 4.1.1 <root@forums.debian.net>: Recipient address rejected: User
	unknown in virtual alias table (in reply to RCPT TO command)

Why would anyone want to write to that address?
Because that's what the DMARC record is asking for :)
So if your e-mail server honors DMARC, and accordingly sends DMARC reports, it fails, because the address you gave for reporting doesn't exist/accept mail, which is kinda impolite.. :)
Last edited by reinob on 2024-11-05 07:12, edited 1 time in total.

donald
Debian Developer, Site Admin
Posts: 1359
Joined: 2021-03-30 20:08
Has thanked: 242 times
Been thanked: 296 times

Re: [Feedback] forums.debian.net DMARC — invalid rua

#23 Post by donald »

And yet ....



-------- Forwarded Message --------
Subject: Dmarc Aggregate Report Domain: {forums.debian.net} Submitter: {Amazon SES} Date:xxxxxx Report-ID: {xxxxxx-xxxx-xxx-xxx-xxxxxxx}
From: postmaster@amazonses.com
To: root@forums.debian.net

This MIME email was sent through Amazon SES.
Typo perfectionish.


"The advice given above is all good, and just because a new message has appeared it does not mean that a problem has arisen, just that a new gremlin hiding in the hardware has been exposed." - FreewheelinFrank

donald
Debian Developer, Site Admin
Posts: 1359
Joined: 2021-03-30 20:08
Has thanked: 242 times
Been thanked: 296 times

Re: [Feedback] forums.debian.net SPF

#24 Post by donald »

reinob wrote: 2024-11-04 15:23
> Hello,
>
> I have noticed that the SPF record for forums.debian.net states:
>
> forums.debian.net.	3307	IN	TXT	"v=spf1 ip4:159.69.48.177 ~all"
>
> but e-mail can actually be delivered over IPv6 (2a01:4f8:1c17:7bb3::1), which results in SPF considering the address "neither permitted nor denied".
>
> Perhaps the SPF record should be changed to "v=spf1 mx ~all", so that as long as the MX resolves (A or AAAA) to the right address, then everything's fine.

I'm not sure what you are getting at here to be honest, there was a large thread about this with perhaps all of the information you need.

Merging with viewtopic.php?p=800581#p800581

dilberts_left_nut
Administrator
Posts: 5441
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 21 times
Been thanked: 88 times

Re: Scheduled Forum update, upgrade, maintenance planned: 1800 UTC - May 28.

#25 Post by dilberts_left_nut »

The only parameter in the SPF record is the listed ipv4 address. If the mail source doesn't match that (including if it emanates from an ipv6 address), it gets the ~all (softfail).
It's also up to the recipient what they do with that info.
Does the postfix actually send via the ipv6 address?
I've only ever seen mail from the ipv4 address.
AdrianTM wrote:There's no hacker in my grandma...

donald
Debian Developer, Site Admin
Posts: 1359
Joined: 2021-03-30 20:08
Has thanked: 242 times
Been thanked: 296 times

Re: Scheduled Forum update, upgrade, maintenance planned: 1800 UTC - May 28.

#26 Post by donald »

dilberts_left_nut wrote: 2024-11-05 06:07
> Does the postfix actually send via the ipv6 address?
> I've only ever seen mail from the ipv4 address.

I believe native behavior is to send via IPv6 or IPv4 depending on the recipient MTA.

reinob
Posts: 1231
Joined: 2014-06-30 11:42
Has thanked: 117 times
Been thanked: 54 times

Re: Scheduled Forum update, upgrade, maintenance planned: 1800 UTC - May 28.

#27 Post by reinob »

re. SPF: I received forum notifications at my server over IPv6.
The SPF record should contain every address the MTA can use to send e-mails.

(and yes, I was aware of the fact that the forum mail wasn't up to standards until recently — triggered by gmail enforcing SPF/DKIM for larger senders, but as it is now, SPF will fail whenever IPv6 is used for delivery — maybe the server is configured to use IPv4 whenever talking to Google, which is a workaround, but the SPF record should be correct in all cases, if only for the sake of, well, correctness :)
Last edited by reinob on 2024-11-05 07:15, edited 2 times in total.

reinob
Posts: 1231
Joined: 2014-06-30 11:42
Has thanked: 117 times
Been thanked: 54 times

Re: [Feedback] forums.debian.net DMARC — invalid rua

#28 Post by reinob »

donald wrote: 2024-11-04 21:06
> And yet ....
>
> -------- Forwarded Message --------
> Subject: Dmarc Aggregate Report Domain: {forums.debian.net} Submitter: {Amazon SES} Date:xxxxxx Report-ID: {xxxxxx-xxxx-xxx-xxx-xxxxxxx}
> From: postmaster@amazonses.com
> To: root@forums.debian.net
>
> This MIME email was sent through Amazon SES.

At least during the period October 31st through November 3rd the server (plethora.debian.net) always replied with 4.1.1 "Recipient address rejected".

As of yesterday/today it seems to work again.

dilberts_left_nut
Administrator
Posts: 5441
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 21 times
Been thanked: 88 times

Re: Scheduled Forum update, upgrade, maintenance planned: 1800 UTC - May 28.

#29 Post by dilberts_left_nut »

reinob wrote: 2024-11-05 07:09
> re. SPF: I received forum notifications at my server over IPv6.
> The SPF record should contain every address the MTA can use to send e-mails.

Yes.

donald
Debian Developer, Site Admin
Posts: 1359
Joined: 2021-03-30 20:08
Has thanked: 242 times
Been thanked: 296 times

Re: [Feedback] forums.debian.net DMARC — invalid rua

#30 Post by donald »

reinob wrote: 2024-11-05 07:12
> donald wrote: 2024-11-04 21:06
> > And yet ....
> >
> > -------- Forwarded Message --------
> > Subject: Dmarc Aggregate Report Domain: {forums.debian.net} Submitter: {Amazon SES} Date:xxxxxx Report-ID: {xxxxxx-xxxx-xxx-xxx-xxxxxxx}
> > From: postmaster@amazonses.com
> > To: root@forums.debian.net
> >
> > This MIME email was sent through Amazon SES.
>
> At least during the period October 31st through November 3rd the server (plethora.debian.net) always replied with 4.1.1 "Recipient address rejected".
>
> As of yesterday/today it seems to work again.

And yet ....

andyetpartii.png
10/31, 11/1, 11/2, 11/3, 11/4, and today 11/5.

I'm not being edgy with you, this took quite some time to set up. I can admit that I could have gotten an aspect of it incorrect, but you are saying it is not working while I am seeing the reports and the addresses all work. Do you want more IPv6 support here? Is this the issue?

reinob
Posts: 1231
Joined: 2014-06-30 11:42
Has thanked: 117 times
Been thanked: 54 times

Re: Scheduled Forum update, upgrade, maintenance planned: 1800 UTC - May 28.

#31 Post by reinob »

@donald,

I reported two things, but they have been merged and intermixed.

The first thing was: forums.debian.net *can and does* send e-mail over IPv6, and yet its SPF record does not list the IPv6 address(es) that it can use. They should be added to the SPF record. Otherwise, depending on configuration, some (receiving) servers may reject e-mails or place them into the spam folder, etc.

The second thing was: for some reason the server was refusing to accept DMARC reports being sent from my e-mail server, with the error "Recipient address rejected: User unknown in virtual alias table (in reply to RCPT TO command)"

Apparently you don't/didn't have that error, which would indicate that the server is giving a wrong error code in some cases. Maybe it didn't want to accept e-mails from my server, and instead of saying "go away" it used that misleading error message. Maybe the server does have some hiccups and sometimes it considers root@forums.debian.net to be an invalid address. I don't know, because the only visibility I have is from the sending side.

I have posted the two topics as "feedback" in the hope that they will be looked at, and hopefully also fixed. But of course I have personally no problem with this. My server does not reject on SPF softfail, so it's OK. Maybe Google will place forum notifications in the spam folder if/when they are delivered over IPv6, but that's not my problem (but I thought this was the problem you tried to solve by adding SPF/DKIM/DMARC).

And your server is (unfortunately) not the only one which randomly refuses the very DMARC reports it requests, so I can just add it to my no_dmarc_reporting list (in rspamd) and forget about it.

So that's it from my side. Hopefully I'm not coming across as "edgy" to you either.
Maybe I expected a different reaction ("oh, we'll look at it"), but that's OK :)
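
Added example (not part of any forum post, and not the forum's own tooling): a small offline evaluator for the SPF `ip4`, `ip6`, `mx` and `all` mechanisms, run against the published record from post #21 and the alternatives discussed in the thread. The `check_spf` function, the `ip6:` variant of the record and the `MX_ADDRS` values (assuming the MX resolves to both addresses named in the thread) are assumptions made for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

PUBLISHED = "v=spf1 ip4:159.69.48.177 ~all"          # record quoted in post #21
WITH_MX = "v=spf1 mx ~all"                           # change proposed in post #21
# Constructed variant: lists the IPv6 address explicitly.
WITH_IP6 = "v=spf1 ip4:159.69.48.177 ip6:2a01:4f8:1c17:7bb3::1 ~all"
# Assumption: the domain's MX resolves (A and AAAA) to both addresses.
MX_ADDRS = ("159.69.48.177", "2a01:4f8:1c17:7bb3::1")


def check_spf(record, client_ip, mx_addrs=()):
    """Evaluate an SPF record for one connecting IP (RFC 7208 subset).

    Handles ip4, ip6, mx and all. mx_addrs stands in for the DNS lookup
    of the MX hosts' A/AAAA records so the example runs offline.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            # An ip4 term never matches an IPv6 client, and vice versa.
            matched = net.version == ip.version and ip in net
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(a) for a in mx_addrs)
        else:
            return "permerror"               # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]     # first matching term decides
    return "neutral"                         # nothing matched, no "all" term


if __name__ == "__main__":
    for label, rec in (("published", PUBLISHED), ("ip6 added", WITH_IP6), ("mx", WITH_MX)):
        for addr in MX_ADDRS:
            print(f"{label:10} {addr:24} {check_spf(rec, addr, MX_ADDRS)}")
```
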

donald
Debian Developer, Site Admin
Posts: 1359
Joined: 2021-03-30 20:08
Has thanked: 242 times
Been thanked: 296 times

Re: Scheduled Forum update, upgrade, maintenance planned: 1800 UTC - May 28.

#32 Post by donald »

@reinob

Ahhhh, I get it. I can take a peek at this in a bit. We may have a move coming up soon and I'd rather not mess with any server side configuration but on the new instance we can expand on it for fuller support and not just http(s). This might help with some other IP issues we've had with bots. Thank you.

Edit: I merged your 2 prior threads into this one as this thread spoke about SPF/DMARC/DKIM.
