- Status Closed
- Percent Complete
- Task Type Bug Report
- Category HyperMail/Mail Service → Mail Service Issue
- Assigned To coadde Emulatorman
- Operating System All
- Severity Critical
- Priority Very High
- Reported Version Any
- Due in Version Starfix
- Due Date Undecided
- Votes
- Private
Attached to Project: Services
Opened by gnusupport - 15/06/2018
Last edited by Emulatorman - 28/06/2018
FS#1012 - hyperbola.info having incorrect SPF records (or usage of IPs)
As reported here: https://forums.hyperbola.info/viewtopic.php?id=110
the domain Hyperbola.info is using an SPF record that does not allow the IP address 185.26.126.154 to send emails from bissen.hyperbola.info, as seen on: https://mxtoolbox.com/SuperTool.aspx?action=spf%3ahyperbola.info&run=toolpage
Correct the SPF record so as to enable deliveries of emails.
This is negatively impacting the Hyperbola project on public mail servers, which may consider the hyperbola.info domain as a domain sending spam.
Jun 10 11:12:41 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:14:57 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:16:02 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:16:50 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:17:28 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:18:17 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:19:12 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:21:01 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:21:37 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:22:22 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:22:36 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:22:54 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:23:09 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Do you need help?
That issue is easily resolved.
Make a list of all server names from which you are sending emails. Include either the server names or their IP addresses in the SPF.
If you need help, feel free to ask. I can help you set up SPF without problems; this issue shall be solved within 10 minutes, not within days.
I am using s6 DNS tools from http://skarnet.org/software/s6-dns/
So:
s6-dnstxt hyperbola.info
"v=spf1 include:_mailcust.gandi.net -all"
That means you are allowing emails to be sent ONLY FROM: _mailcust.gandi.net host.
The host: _mailcust.gandi.net does not resolve to any IP address.
Hyperbola.info MX records are:
$ s6-dnsmx hyperbola.info
10 spool.mail.gandi.net.
50 fb.mail.gandi.net.
Often people send emails from the same MX host, but it need not be.
For example you are sending from: 185.26.126.154 which resolves to xvm-126-154.dc2.ghst.net. but you are using the host name bissen.hyperbola.info which also resolves to 185.26.126.154
Both MX records are not using that IP/hosts:
admin→ s6-dnsip4 spool.mail.gandi.net
217.70.178.1
[~]
admin→ s6-dnsip4 fb.mail.gandi.net
217.70.178.215
217.70.178.216
217.70.178.217
So what you need to do if you wish to send from IP: 185.26.126.154 is to have the following SPF record:
"v=spf1 mx a a:bissen.hyperbola.info -all"
and that way you are going to allow email to be sent from MX hosts designated if it is the case, but if not, you can remove it, and you are allowing to send from hyperbola.info and also from bissen.hyperbola.info while -all means no other hosts are allowed to send email.
_mailcust.gandi.net comes by default from Gandi services to resolve Hyperbola team email addresses, so I think coadde could try adding bissen.hyperbola.info to solve this issue, e.g.:
"v=spf1 +include:_mailcust.gandi.net +a:bissen.hyperbola.info -all"
but _mailcust.gandi.net is not resolving to anything, so duplicating a bug as given by your provider does not lead anywhere.
DNS is always under control of the domain owner. Whatever error the provider makes does not need to be duplicated by the domain owner.
Also check here, as maybe you have duplicate SPF record in the DNS:
https://app.dmarcanalyzer.com/dns/spf?simple=
You should have either SPF record or the SPF string recorded in the TXT record. But not two of them.
Aha now I understand, that
s6-dnstxt _mailcust.gandi.net
"v=spf1 ip4:217.70.176.0/21 ip6:2001:4b98:c::/48 ip4:217.70.186.186 ip4:217.70.186.176 ip4:217.70.184.158 ip4:217.70.185.10 ip4:217.70.186.165 ip4:155.133.132.131 ip6:2001:4b99:1:252::131 ip4:155.133.138.131 ip6:2001:4b98:dc5:252::131 ip4:155.133.142.131 ip6:2001:4b98:dc6:252::131 ?all"
so when you say "include" it is including the SPF of _mailcust.gandi.net (domain does not resolve, but TXT record does resolve to that above SPF) so all those IP addresses are allowed.
And there is collision between -all (in your SPF) and ?all in _mailcust.gandi.net SPF record.
Why not simply determine from which servers you are sending emails, and use just those servers and nothing else?
Ok, thank you for your suggestion, I didn't know about "include", then I think it's the way, e.g.:
fb.mail.gandi.net and spool.mail.gandi.net are MX records for the Hyperbola team emails and bissen.hyperbola.info for public ones (eg. mailing lists).
Your SPF record is not correct, and emails get rejected:
That is because you keep TXT record for SPF for bissen.hyperbola.info like following:
So it seems that somebody who really has no clue is setting the SPF, which is not responsible. Imagine if you had a business receiving orders and you needed to get in touch with the client.
It should be clear here:
http://www.openspf.net/Why?s=helo;id=bissen.hyperbola.info;ip=185.26.126.154;r=stw1.rcdrun.com
Look here:
https://mxtoolbox.com/SuperTool.aspx?action=spf%3ahyperbola.info%3a185.26.126.154&run=toolpage
So what you are doing is setting the SPF record for hyperbola.info and sending from bissen.hyperbola.info; however, in the SPF record for bissen.hyperbola.info you don't allow anybody to send email from there.
So please, if you are to send email from bissen.hyperbola.info then please allow that domain and IP address to send email.
Thank you for your help, I let our sysadmin know about it.
Please mind your civility, see our "Hyperbola and anti-discrimination" from our social contract for further details.
Hello André,
I am sorry André, for you being offended.
There is absolutely no discrimination from my side, and I cannot see how you come onto that, it is not relevant.
When I said somebody is not responsible, that relates to somebody not being responsible as simple as that. There is no need that you explain me opposite if there was no opposite.
Ok, since our sysadmin is so busy, I've made some changes in our server configuration. I would know if it's working well to close this task.
To me it looks very fine, and your email system is working well, and emails are delivered to SPF-aware mail servers.
OK, thank you for letting me know, I'm closing this task then.
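The SPF evaluation discussed in this task, as an added example that is not part of the original thread or of Hyperbola's configuration: a simplified RFC 7208 `check_host` run offline over the TXT records quoted above, comparing the original hyperbola.info record with the proposed one that adds `a:bissen.hyperbola.info`. Assumptions: DNS is replaced by dicts, only `ip4`, `ip6`, `a`, `include` and `all` are handled, and the names `check_host`, `TXT_BEFORE` and `TXT_AFTER` are illustrative.

```python
import ipaddress

# TXT strings copied from the thread; dicts stand in for DNS so this runs offline.
GANDI = ("v=spf1 ip4:217.70.176.0/21 ip6:2001:4b98:c::/48 ip4:217.70.186.186 "
         "ip4:217.70.186.176 ip4:217.70.184.158 ip4:217.70.185.10 "
         "ip4:217.70.186.165 ip4:155.133.132.131 ip6:2001:4b99:1:252::131 "
         "ip4:155.133.138.131 ip6:2001:4b98:dc5:252::131 ip4:155.133.142.131 "
         "ip6:2001:4b98:dc6:252::131 ?all")
TXT_BEFORE = {"hyperbola.info": "v=spf1 include:_mailcust.gandi.net -all",
              "_mailcust.gandi.net": GANDI}
TXT_AFTER = dict(TXT_BEFORE, **{"hyperbola.info":
    "v=spf1 +include:_mailcust.gandi.net +a:bissen.hyperbola.info -all"})
A = {"bissen.hyperbola.info": ["185.26.126.154"]}  # address given in the thread
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt, depth=0):
    """Simplified RFC 7208 evaluation of `domain`'s SPF record for client `ip`."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # mechanisms are tried left to right
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in A.get(arg or domain, [])
        elif mech == "include":
            sub = check_host(ip, arg, txt, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            # Only "pass" from the included record is a match; its own ?all
            # (neutral) means "no match here", and evaluation moves on.
            hit = sub == "pass"
        else:
            return "permerror"          # mechanism outside this sketch (mx, ptr...)
        if hit:
            return QUALIFIER[qual]
    return "neutral"                    # no mechanism matched

if __name__ == "__main__":
    for label, zone in (("before", TXT_BEFORE), ("after", TXT_AFTER)):
        print(label, check_host("185.26.126.154", "hyperbola.info", zone))
```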