Bug 627840 - Gentoo mail forwarding (aliases) cause SPF failures for incoming third-party mail
Status: CONFIRMED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: Normal (priority), normal (severity)
Assignee: Gentoo Infrastructure
Reported: 2017-08-14 16:02 UTC by Michał Górny
Modified: 2023-11-30 12:38 UTC

Comment 1 Michał Górny (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2017-08-14 16:02:54 UTC
Restricting to avoid spam on my address ;-).
Comment 2 Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2017-08-15 05:11:46 UTC
(repost of original description with email domain redacted)

Long story short, SPF doesn't work well with plain mail forwarding [1]. Let's consider a simple example:

1. I send a mail from mgorny@privatedomain.com to foo@gentoo.org,

2. foo@g.o has forwarding set, so gentoo.org forwards it to foo@example.com,

3. example.com looks up privatedomain's SPF and notices that gentoo.org is *not* allowed to send mail from that domain,

4. example.com rejects the mail and I get a bounce.

Now, the same problem applies to any third-party mail server with strict SPF record sending mail to @gentoo.org. The worst thing is, people who have mail forwarding enabled may not even know they're bouncing valid mail.

FWICS, there are two possible solutions [2] here:

1. Require everyone setting up mail forwarding (and people subscribing to Gentoo aliases) to whitelist the gentoo.org mail servers for SPF on their MTA.

2. Implement mail forwarding using SRS.

Option 1 has the advantage of requiring no changes on Gentoo's end (besides documenting the problem). In this case, whoever wants to use forwarding needs to use an MTA-specific way of whitelisting the forwarding server. However, I'm not convinced that all public mail services rejecting mail based on SPF actually support that.

Unless I'm mistaken, [3] suggests that on GMail you can do that via setting up a 'send mail as' address. While this would certainly work for developers forwarding their mail, I have serious doubts about users using this on project aliases and so on.

As for SRS, I suppose you know more about it than I do. FWICS, its main advantage is that it should work out-of-the-box for everybody. However, it means rewriting the 'From' address (which might not be a bad thing after all), and FWICS gmail requires some fancy 'SPAM' dance [3] to avoid penalizing us for forwarding spam.

[1]: http://www.openspf.org/FAQ/Forwarding
[2]: http://www.openspf.org/Best_Practices/Forwarding
[3]: https://support.google.com/a/answer/175365
Comment 3 Ulrich Müller (gentoo-dev) 2023-11-30 12:38:26 UTC
FWIW, have you considered using mail-filter/postsrsd on woodpecker? It should normally work out of the box, with only a couple of lines in Postfix's main.cf.
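The failure in steps 1-4 of comment 2 and the SRS rewrite proposed as option 2 there (the rewrite that postsrsd, suggested in comment 3, performs on woodpecker's behalf), modelled offline as an added example. This is not code from the bug report, from Gentoo infrastructure or from postsrsd: the SPF records, the forwarder's IP 198.51.100.20, the day number and the SRS secret are all constructed, the SPF evaluator handles only ip4 and all, and the SRS0 address format is the published single-hop scheme (HMAC-SHA1 truncated to four base64 characters, two-character base32 timestamp) in simplified form. One point worth keeping in mind when reading the discussion: SRS rewrites the envelope sender (MAIL FROM / Return-Path), which is what SPF is evaluated against; the message's From: header is left as-is.

```python
"""Plain forwarding vs. SRS under SPF, modelled offline.

SPF records, forwarder IP, day number and SRS secret are constructed for this
example; nothing here queries DNS or is Gentoo infrastructure / postsrsd code."""
import base64
import hashlib
import hmac
import ipaddress

# Constructed SPF records standing in for the domains' DNS TXT records.
SPF_RECORDS = {
    "privatedomain.com": "v=spf1 ip4:203.0.113.10 -all",
    "gentoo.org": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Hypothetical forwarder secret; a real SRS deployment keeps this private.
SRS_SECRET = b"constructed-secret-for-the-example"
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, mail_from):
    """Minimal SPF evaluator: ip4 mechanisms and the trailing 'all' only.

    SPF is checked against the envelope sender (MAIL FROM) and the IP that
    connects to the receiving MX; after forwarding that IP is the forwarder's."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, include, ... are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def srs_timestamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    day %= 1024
    return BASE32[day >> 5] + BASE32[day & 31]


def srs_hash(timestamp, domain, local):
    """HMAC-SHA1 over timestamp+domain+local, truncated to 4 base64 characters
    (libsrs2/postsrsd convention): binds the rewritten address to the secret."""
    data = (timestamp + domain + local).lower().encode()
    mac = hmac.new(SRS_SECRET, data, hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()


def srs_forward(mail_from, forwarder_domain, day):
    """Rewrite MAIL FROM to SRS0=hash=timestamp=domain=local@forwarder.

    Only the envelope sender changes; the From: header is untouched."""
    local, domain = mail_from.rsplit("@", 1)
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, day, max_age=21):
    """Map a bounce addressed to an SRS0 address back to the original sender,
    rejecting forged hashes and stale timestamps (no open bounce relay)."""
    local = address.rsplit("@", 1)[0]
    parts = local.split("=", 4)  # maxsplit keeps '=' inside the original local part
    if len(parts) != 5 or parts[0] != "SRS0":
        raise ValueError("not an SRS0 address")
    _, digest, ts, domain, orig_local = parts
    if not hmac.compare_digest(digest, srs_hash(ts, domain, orig_local)):
        raise ValueError("SRS hash mismatch")
    ts_day = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    if (day - ts_day) % 1024 > max_age:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{domain}"


def forwarding_scenario(use_srs, day=19400):
    """Steps 1-4 of the report: privatedomain.com -> foo@gentoo.org -> foo@example.com.

    Returns (MAIL FROM as seen by example.com, its SPF result, where a bounce
    from example.com ends up)."""
    original_sender = "mgorny@privatedomain.com"
    forwarder_ip = "198.51.100.20"  # constructed: gentoo.org's outbound MX
    mail_from = srs_forward(original_sender, "gentoo.org", day) if use_srs else original_sender
    result = spf_check(forwarder_ip, mail_from)
    bounce_to = srs_reverse(mail_from, day) if use_srs else mail_from
    return mail_from, result, bounce_to


if __name__ == "__main__":
    for use_srs in (False, True):
        print("SRS" if use_srs else "plain forwarding", forwarding_scenario(use_srs))
```

Without SRS the receiving side sees MAIL FROM mgorny@privatedomain.com arriving from gentoo.org's IP, privatedomain.com's record ends in -all, and the result is fail (the bounce in step 4). With SRS the checked domain is gentoo.org, which does authorise its own MX, and the bounce goes to the SRS0 address, which the forwarder can only map back while the hash verifies and the timestamp is within max_age days.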