| 1 |
This is the official infra response re SPF in this case. |
| 2 |
|
| 3 |
On Mon, Dec 05, 2016 at 12:03:02PM -0500, Michael Orlitzky wrote: |
| 4 |
> Something is not "off" with our mail servers, and there is currently no |
| 5 |
> way to prevent "From" spoofing without significant collateral damage. |
| 6 |
Correct. |
| 7 |
|
| 8 |
Infra does maintain an SPF page as well. |
| 9 |
https://wiki.gentoo.org/wiki/Project:Infrastructure/SPF |
| 10 |
|
| 11 |
A lot of developers prefer to send mail out via their own mailservers, |
| 12 |
and not use the Gentoo mailserver for outgoing mail. This means we |
| 13 |
either need to allow them declare those servers, or make sure their mail |
| 14 |
won't be rejected anyway. |
| 15 |
|
| 16 |
Our base SPF rule as pointed out: |
| 17 |
gentoo.org. IN TXT "v=spf1 mx ptr include:%{l}.%{o}.spf.gentoo.org. ?all" |
| 18 |
|
| 19 |
Most important is the ?all on the end, but the include bit needs further |
| 20 |
explanation. |
| 21 |
|
| 22 |
We have 4 choices for the terminal rule: |
| 23 |
|
| 24 |
+all - allow everything. NOPE! |
| 25 |
-all - strictly disallow everything not explicitly permitted. NOPE! |
| 26 |
~all - softfail everything not explicitly permitted. MAYBE... |
| 27 |
?all - make no statement. MAYBE... |
| 28 |
|
| 29 |
There's an additional wrinkle, in that not all SPF validation |
| 30 |
implementations support SPF macros. Notable this includes Gmail when |
| 31 |
I last checked. SPF also has recursion depth problems (eg it's easy to |
| 32 |
exceed the max depth in the specification). |
| 33 |
|
| 34 |
If the macros are NOT supported, then using "~all" will result in |
| 35 |
SpamAssassin contributing +1 to toward the spam score. "?all" will |
| 36 |
contribute 0.0 to the score. |
| 37 |
|
| 38 |
If the SPF implementation does supports macros, a developer with |
| 39 |
their own mail server can get their own record (gentooSPF in LDAP): |
| 40 |
| robbat2.gentoo.org.spf.gentoo.org. IN TXT "v=spf1 include:_spf.orbis-terrarum.net ~all" |
| 41 |
So the complete evaluation is: |
| 42 |
"mx ptr include:_spf.orbis-terrarum.net ~all ?all" |
| 43 |
(_spf.orbis-terrarum.net expands to IP blocks and back to Gentoo) |
| 44 |
And if you try to forge mail from me, you will get a SPF SOFTFAIL. |
| 45 |
|
| 46 |
If the SPF implementation does NOT support macros, the SPF |
| 47 |
evaluation is: |
| 48 |
"mx ptr ?all" |
| 49 |
And, if you tried to forge mail from me, it will be accepted. |
| 50 |
|
| 51 |
Furthermore, we have some wildcards for the implementations that DO |
| 52 |
support macros, to help improve scores and catch known cases: |
| 53 |
lists.gentoo.org.spf.gentoo.org. IN TXT "v=spf1 a:lists.gentoo.org -all" |
| 54 |
*.lists.gentoo.org.spf.gentoo.org. IN TXT "v=spf1 a:lists.gentoo.org -all" |
| 55 |
*.gentoo.org.spf.gentoo.org. IN TXT "v=spf1 ~all" (for unknown |
| 56 |
developer names) |
| 57 |
|
| 58 |
-- |
| 59 |
Robin Hugh Johnson |
| 60 |
Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer |
| 61 |
E-Mail : robbat2@g.o |
| 62 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 63 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives