Services

  • Status Closed
  • Percent Complete
    100%
  • Task Type Bug Report
  • Category HyperMail/Mail Service → Mail Service Issue
  • Assigned To
    Márcio Silva
    André Silva
  • Operating System All
  • Severity Critical
  • Priority Very High
  • Reported Version Any
  • Due in Version Starfix
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Services
Opened by Jean Louis - 15/06/2018
Last edited by André Silva - 28/06/2018

FS#1012 - hyperbola.info having incorrect SPF records (or usage of IPs)

As reported here: https://forums.hyperbola.info/viewtopic.php?id=110

the domain Hyperbola.info is using an SPF record that does not allow the IP address 185.26.126.154 to send emails from bissen.hyperbola.info, as seen on: https://mxtoolbox.com/SuperTool.aspx?action=spf%3ahyperbola.info&run=toolpage

Correct the SPF record as to enable deliveries of emails.

This is negatively impacting the Hyperbola project on public mail servers, which may consider the hyperbola.info domain as a domain sending spam.

Jun 10 11:12:41 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:14:57 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:16:02 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:16:50 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:17:28 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:18:17 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:19:12 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:21:01 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:21:37 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:22:22 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:22:36 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:22:54 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 10 11:23:09 stw1 courieresmtpd: error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Closed by  André Silva
28.06.2018 20:00
Reason for closing:  Fixed
Jean Louis commented on 19.06.2018 10:32

Do you need help?

That issue is easily resolved.

Make a list of all server names from where you are sending emails. Include either server names or include their IP addresses in the SPF.

If you need help, feel free to ask. I can help you set up SPF without problems, this issue shall be solved within 10 minutes, not within days.

error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail
bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 18 10:44:30 stw1 courieresmtpd:
error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail
bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jun 18 10:44:46 stw1 courieresmtpd:
error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail
bissen.hyperbola.info: Address does not pass the Sender Policy Framework
Jean Louis commented on 19.06.2018 10:39

I am using s6 DNS tools from http://skarnet.org/software/s6-dns/

So:

s6-dnstxt hyperbola.info
"v=spf1 include:_mailcust.gandi.net -all"

That means you are allowing emails to be sent ONLY FROM: _mailcust.gandi.net host.

The host: _mailcust.gandi.net does not resolve to any IP address.

Hyperbola.info MX records are:

$ s6-dnsmx hyperbola.info
10 spool.mail.gandi.net.
50 fb.mail.gandi.net.

Often people send emails from the same MX host, but it need not be.

For example you are sending from: 185.26.126.154 which resolves to xvm-126-154.dc2.ghst.net. but you are using the host name bissen.hyperbola.info which also resolves to 185.26.126.154

Both MX records are not using that IP/hosts:

admin→ s6-dnsip4 spool.mail.gandi.net
217.70.178.1
[~]
admin→ s6-dnsip4 fb.mail.gandi.net
217.70.178.215
217.70.178.216
217.70.178.217

So what you need to do if you wish to send from IP: 185.26.126.154 is to have the following SPF record:

"v=spf1 mx a a:bissen.hyperbola.info -all"

and that way you are going to allow email to be sent from MX hosts designated if it is the case, but if not, you can remove it, and you are allowing to send from hyperbola.info and also from bissen.hyperbola.info while -all means no other hosts are allowed to send email.

Admin
André Silva commented on 19.06.2018 14:38
> s6-dnstxt hyperbola.info
> "v=spf1 include:_mailcust.gandi.net -all"
> That means you are allowing emails to be sent ONLY FROM: _mailcust.gandi.net host.
> The host: _mailcust.gandi.net does not resolve to any IP address.

_mailcust.gandi.net comes by default from Gandi services to resolve Hyperbola team email addresses, so I think coadde could try adding bissen.hyperbola.info to solve this issue, e.g.:

"v=spf1 +include:_mailcust.gandi.net +a:bissen.hyperbola.info -all"

Jean Louis commented on 19.06.2018 21:16

But _mailcust.gandi.net is not resolving to anything, so duplicating a bug as given by your provider does not lead anywhere.

DNS is always under control of the domain owner. Whatever error the provider makes does not need to be duplicated by the domain owner.

Jean Louis commented on 19.06.2018 21:21

Also check here, as maybe you have duplicate SPF record in the DNS:

https://app.dmarcanalyzer.com/dns/spf?simple=

You should have either SPF record or the SPF string recorded in the TXT record. But not two of them.

Jean Louis commented on 19.06.2018 21:25

Aha now I understand, that

s6-dnstxt _mailcust.gandi.net
"v=spf1 ip4:217.70.176.0/21 ip6:2001:4b98:c::/48 ip4:217.70.186.186 ip4:217.70.186.176 ip4:217.70.184.158 ip4:217.70.185.10 ip4:217.70.186.165 ip4:155.133.132.131 ip6:2001:4b99:1:252::131 ip4:155.133.138.131 ip6:2001:4b98:dc5:252::131 ip4:155.133.142.131 ip6:2001:4b98:dc6:252::131 ?all"

so when you say "include" it is including the SPF of _mailcust.gandi.net (domain does not resolve, but TXT record does resolve to that above SPF) so all those IP addresses are allowed.

And there is collision between -all (in your SPF) and ?all in _mailcust.gandi.net SPF record.

Why not simply determine from which servers are you sending emails, and use just those servers and nothing else.

Admin
André Silva commented on 19.06.2018 23:16
> Why not simply determine from which servers are you sending emails, and use just those servers and nothing else.

Ok, thank you for your suggestion, I didn't know about "include", then I think it's the way, e.g.:

"v=spf1 +a:fb.mail.gandi.net +a:spool.mail.gandi.net +a:bissen.hyperbola.info -all"

fb.mail.gandi.net and spool.mail.gandi.net are MX records for the Hyperbola team emails and bissen.hyperbola.info for public ones (eg. mailing lists).

Jean Louis commented on 24.06.2018 07:40

Your SPF record is not correct, and emails get rejected:

Jun 22 21:04:38 stw1 courieresmtpd:
error,relay=::ffff:185.26.126.154,from=<sysadmin@hyperbola.info>: 517 SPF fail
bissen.hyperbola.info: Address does not pass the Sender Policy Framework
admin-> spfquery --helo bissen.hyperbola.info --ip 185.26.126.154
fail
Please see http://www.openspf.net/Why?s=helo;id=bissen.hyperbola.info;ip=185.26.126.154;r=stw1.rcdrun.com
bissen.hyperbola.info: Sender is not authorized by default to use 'bissen.hyperbola.info' in 'helo' identity (mechanism '-all' matched)
Received-SPF: fail (bissen.hyperbola.info: Sender is not authorized by default to use 'bissen.hyperbola.info' in 'helo' identity (mechanism '-all' matched)) receiver=stw1.rcdrun.com; identity=helo; helo=bissen.hyperbola.info; client-ip=185.26.126.154

That is because you keep a TXT record for SPF for bissen.hyperbola.info like the following:

admin-> s6-dnstxt bissen.hyperbola.info
"v=spf1 -all"

So that seems that somebody who really have no clue is setting the SPF, which is not responsible. Imagine if you would have business receiving orders and you need to get in touch with the client.

It should be clear here:
http://www.openspf.net/Why?s=helo;id=bissen.hyperbola.info;ip=185.26.126.154;r=stw1.rcdrun.com

Jean Louis commented on 24.06.2018 07:55

Look here:
https://mxtoolbox.com/SuperTool.aspx?action=spf%3ahyperbola.info%3a185.26.126.154&run=toolpage

so what you are doing, you are setting SPF record for hyperbola.info and sending from bissen.hyperbola.info, however in the SPF record for bissen.hyperbola.info you don't allow anybody to send email from there.

So please, if you are to send email from bissen.hyperbola.info then please allow that domain and IP address to send email.
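
An added example (not part of the thread or of Hyperbola's configuration) covering the "include" discussion of 19.06.2018 and the HELO failure of 24.06.2018: a small offline evaluator for a subset of RFC 7208, run against the records quoted above. The FIXED zone, in particular the "v=spf1 a -all" record for bissen.hyperbola.info, is a constructed assumption; the thread does not show the final records.

```python
import ipaddress

# TXT/A data as quoted in the thread, embedded so the check runs offline.
# The _mailcust.gandi.net record is abridged to its first two ip4 terms.
TXT = {
    "hyperbola.info": "v=spf1 include:_mailcust.gandi.net -all",
    "_mailcust.gandi.net": "v=spf1 ip4:217.70.176.0/21 ip4:217.70.186.186 ?all",
    "bissen.hyperbola.info": "v=spf1 -all",
}
A = {"bissen.hyperbola.info": ["185.26.126.154"]}
# Constructed fix (assumption): hyperbola.info as proposed in the thread,
# plus a hypothetical record for the HELO name.
FIXED = {**TXT,
    "hyperbola.info": "v=spf1 +include:_mailcust.gandi.net +a:bissen.hyperbola.info -all",
    "bissen.hyperbola.info": "v=spf1 a -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt=TXT, depth=0):
    """RFC 7208 check_host() for a subset: all, ip4, ip6, a, include."""
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    if depth > 10:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in A.get(arg or domain, [])
        elif name == "include":
            inner = check_host(ip, arg, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # neutral/fail in the included record: no match
        else:
            return "permerror"  # mechanism outside this subset (mx, exists, ptr, ...)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"

def evaluate(ip, helo, mail_from_domain, txt=TXT):
    """Check both identities, as the Received-SPF headers in the thread do."""
    return {"helo": check_host(ip, helo, txt),
            "mailfrom": check_host(ip, mail_from_domain, txt)}
```

With the original records, evaluate("185.26.126.154", "bissen.hyperbola.info", "hyperbola.info") fails on both identities: the included record's ?all only yields neutral, so include does not match and evaluation continues to the outer -all. A receiver that checks HELO rejects on "v=spf1 -all" for bissen.hyperbola.info regardless of what hyperbola.info publishes.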

Admin
André Silva commented on 24.06.2018 17:25
> So please, if you are to send email from bissen.hyperbola.info then please allow that domain and IP address to send email.

Thank you for your help, I let our sysadmin know about it.

> So that seems that somebody who really have no clue is setting the SPF, which is not responsible.

Please mind your civility, see our "Hyperbola and anti-discrimination" from our social contract for further details.

Jean Louis commented on 24.06.2018 17:37

Hello André,

I am sorry André, for you being offended.

There is absolutely no discrimination from my side, and I cannot see how you come onto that, it is not relevant.

When I said somebody is not responsible, that relates to somebody not being responsible as simple as that. There is no need that you explain me opposite if there was no opposite.

Admin
André Silva commented on 27.06.2018 16:54
> Hello André,
> I am sorry André, for you being offended.
> There is absolutely no discrimination from my side, and I cannot see how you come onto that, it is not relevant.
> When I said somebody is not responsible, that relates to somebody not being responsible as simple as that. There is no need that you explain me opposite if there was no opposite.

Ok, since our sysadmin is so busy, I've made some changes in our server configuration. I would like to know if it's working well to close this task.

Jean Louis commented on 27.06.2018 21:34

To me it looks very fine, and that your email system is working well, and emails are delivered to SPF-aware mail servers.

Received: from bissen.hyperbola.info (xvm-126-154.dc2.ghst.net
        [::ffff:185.26.126.154])
        (TLS: TLSv1/SSLv3,256bits,AES256-GCM-SHA384)
        by stw1.rcdrun.com with ESMTPS; Wed, 27 Jun 2018 09:55:06 -0700
        id 0000000000089E37.000000005B33C16B.00005183
Received-SPF: pass (Address passes the Sender Policy Framework)
        SPF=HELO;
        sender=bissen.hyperbola.info;
        remoteip=::ffff:185.26.126.154;
        remotehost=xvm-126-154.dc2.ghst.net;
        helo=bissen.hyperbola.info;
        receiver=stw1.rcdrun.com;
Received-SPF: pass (Address passes the Sender Policy Framework)
        SPF=MAILFROM;
        sender=sysadmin@hyperbola.info;
        remoteip=::ffff:185.26.126.154;
        remotehost=xvm-126-154.dc2.ghst.net;
        helo=bissen.hyperbola.info;
        receiver=stw1.rcdrun.com;
Received: from [::1] (port=49037 helo=issues.hyperbola.info)
        by bissen.hyperbola.info with esmtp (Exim 4.89)
        (envelope-from <sysadmin@hyperbola.info>)
        id 1fYDib-00037q-6R; Wed, 27 Jun 2018 13:54:57 -0300
Admin
André Silva commented on 28.06.2018 13:02

Ok, thank you for letting me know, I'm closing this task then.
