This is the official infra response re SPF in this case.

On Mon, Dec 05, 2016 at 12:03:02PM -0500, Michael Orlitzky wrote:
> Something is not "off" with our mail servers, and there is currently no
> way to prevent "From" spoofing without significant collateral damage.
Correct.

Infra does maintain an SPF page as well.
https://wiki.gentoo.org/wiki/Project:Infrastructure/SPF

A lot of developers prefer to send mail out via their own mailservers,
and not use the Gentoo mailserver for outgoing mail. This means we
either need to allow them to declare those servers, or make sure their mail
won't be rejected anyway.

Our base SPF rule as pointed out:
gentoo.org. IN TXT "v=spf1 mx ptr include:%{l}.%{o}.spf.gentoo.org. ?all"

Most important is the ?all on the end, but the include bit needs further
explanation.

We have 4 choices for the terminal rule:

+all - allow everything. NOPE!
-all - strictly disallow everything not explicitly permitted. NOPE!
~all - softfail everything not explicitly permitted. MAYBE...
?all - make no statement. MAYBE...

There's an additional wrinkle, in that not all SPF validation
implementations support SPF macros. Notably this includes Gmail when
I last checked. SPF also has recursion depth problems (eg it's easy to
exceed the max depth in the specification).

If the macros are NOT supported, then using "~all" will result in
SpamAssassin contributing +1 toward the spam score. "?all" will
contribute 0.0 to the score.

If the SPF implementation does support macros, a developer with
their own mail server can get their own record (gentooSPF in LDAP):
| robbat2.gentoo.org.spf.gentoo.org. IN TXT "v=spf1 include:_spf.orbis-terrarum.net ~all"
So the complete evaluation is:
"mx ptr include:_spf.orbis-terrarum.net ~all ?all"
(_spf.orbis-terrarum.net expands to IP blocks and back to Gentoo)
And if you try to forge mail from me, you will get an SPF SOFTFAIL.

If the SPF implementation does NOT support macros, the SPF
evaluation is:
"mx ptr ?all"
And, if you tried to forge mail from me, it will be accepted.

Furthermore, we have some wildcards for the implementations that DO
support macros, to help improve scores and catch known cases:
lists.gentoo.org.spf.gentoo.org. IN TXT "v=spf1 a:lists.gentoo.org -all"
*.lists.gentoo.org.spf.gentoo.org. IN TXT "v=spf1 a:lists.gentoo.org -all"
*.gentoo.org.spf.gentoo.org. IN TXT "v=spf1 ~all" (for unknown
developer names)

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
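As an added example, not code from Robin's mail or from Gentoo infra, here is a simplified Python check_host() over the records quoted above: it expands the %{l}.%{o} include for a given sender, falls back to the DNS wildcards for unknown developer names, and can be run with macro support switched off to mimic a validator that lacks it. The zone data is a constructed stand-in for DNS, and the ip4 block behind _spf.orbis-terrarum.net is made up.

```python
import fnmatch
import ipaddress
# Constructed stand-in for DNS, modelled on the mail's records (the orbis-terrarum block is made up).
ZONE_TXT = {
    "gentoo.org": "v=spf1 mx ptr include:%{l}.%{o}.spf.gentoo.org. ?all",
    "robbat2.gentoo.org.spf.gentoo.org": "v=spf1 include:_spf.orbis-terrarum.net ~all",
    "lists.gentoo.org.spf.gentoo.org": "v=spf1 a:lists.gentoo.org -all",
    "*.lists.gentoo.org.spf.gentoo.org": "v=spf1 a:lists.gentoo.org -all",
    "*.gentoo.org.spf.gentoo.org": "v=spf1 ~all",
    "_spf.orbis-terrarum.net": "v=spf1 ip4:203.0.113.0/24 -all",
}
HOST_IPS = {"mx": {"192.0.2.25"}, "a:lists.gentoo.org": {"192.0.2.80"}}  # constructed
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def expand_macros(spec, sender):
    # Only the two macros the gentoo.org record uses: %{l} local-part, %{o} sender domain.
    local, _, sender_domain = sender.partition("@")
    return spec.replace("%{l}", local).replace("%{o}", sender_domain)

def lookup_txt(name):
    # Exact name first, then the longest matching DNS wildcard, as a resolver would.
    name = name.rstrip(".")
    if name in ZONE_TXT:
        return ZONE_TXT[name]
    wildcards = [p for p in ZONE_TXT if p.startswith("*.") and fnmatch.fnmatch(name, p)]
    return ZONE_TXT[max(wildcards, key=len)] if wildcards else None

def check_host(ip, sender, domain, macros=True, depth=0):
    # Simplified RFC 7208 check_host(); macros=False mimics a validator without macro support.
    if depth > 10:  # recursion guard, cf. the depth problem the mail mentions
        return "permerror"
    record = lookup_txt(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if "%{" in mech and not macros:  # no macro support: the include is effectively dropped
            continue
        name, _, arg = expand_macros(mech, sender).partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name == "include":  # RFC 7208 section 5.2: only a "pass" from the target matches
            matched = check_host(ip, sender, arg, macros, depth + 1) == "pass"
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        else:  # mx, ptr, a:host resolved via the constructed table
            matched = ip in HOST_IPS.get(mech, set())
        if matched:
            return QUALIFIERS[qual]
    return "neutral"
```

The developer record on its own softfails a forged source address, but RFC 7208 section 5.2 counts an include as matching only when its target returns pass, so evaluated from the top-level gentoo.org record that softfail does not propagate and the terminal ?all yields neutral. Without macro support the evaluation collapses to "mx ptr ?all" and the same forged message also gets neutral.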