Issue 2551388
Created on 2025-01-11 09:32 by cmeerw, last changed 2025-01-19 20:18 by rouilj.
msg8254 |
Author: [hidden] (cmeerw) |
Date: 2025-01-11 09:32 |
|
emails from this roundup instance fail SPF checks:
emails have an envelope-from of <roundup-admin@python.org>, but the SPF policy for
python.org does not allow emails to be sent from that server:
H=bugs.nyc1.psf.io [167.71.181.142] Warning: SPF softfail
SPF record currently shows:
v=spf1 mx a:mail.wooz.org ip4:188.166.95.178/32 ip6:2a03:b0c0:2:d0::71:1 include:stspg-customer.com include:_spf.google.com include:mailgun.org ~all
|
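How a receiver arrives at the softfail in the log line above, as an added example that is not part of the original report: a minimal SPF evaluator run over the python.org record quoted in the message. The page does not show the contents of the include targets or the mx/a addresses, so the lookup tables hold constructed documentation-range stand-ins; `check_host`, `TXT` and `ADDRS` are this example's own names.

```python
import ipaddress

# python.org record as quoted in the report (line wrap rejoined).
PYTHON_ORG_SPF = ("v=spf1 mx a:mail.wooz.org ip4:188.166.95.178/32 "
                  "ip6:2a03:b0c0:2:d0::71:1 include:stspg-customer.com "
                  "include:_spf.google.com include:mailgun.org ~all")

# Constructed stand-ins for DNS answers the page does not show
# (RFC 5737 documentation ranges); these are NOT the real records.
TXT = {
    "python.org": PYTHON_ORG_SPF,
    "stspg-customer.com": "v=spf1 ip4:192.0.2.0/28 -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "mailgun.org": "v=spf1 ip4:203.0.113.0/24 ~all",
}
ADDRS = {"python.org": ["192.0.2.25"], "mail.wooz.org": ["192.0.2.26"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt=TXT, addrs=ADDRS, depth=0):
    """Evaluate the SPF record of `domain` (the envelope-from domain) for `ip`."""
    record = txt.get(domain, "")
    if depth > 10 or not record.startswith("v=spf1"):
        return "permerror" if depth else "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = QUALIFIERS.get(term[0])
        if qualifier:
            term = term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):  # addresses of the target (mx: of its mail hosts)
            matched = ip in addrs.get(arg or domain, [])
        elif name == "include":  # matches only when the included policy says "pass"
            matched = check_host(ip, arg, txt, addrs, depth + 1) == "pass"
        else:
            continue  # modifiers and mechanisms this sketch does not model
        if matched:
            return qualifier or "pass"
    return "neutral"  # no mechanism matched and the record has no "all"
```

With the tracker host's address from the log line, no mechanism matches and the walk ends at `~all`; an address inside the constructed mailgun range passes through the include.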
msg8256 |
Author: [hidden] (rouilj) |
Date: 2025-01-11 17:18 |
|
Hi Christof:
I opened https://github.com/python/psf-salt/issues/546 and pinged EE Durbin on IRC.
PSF doesn't use roundup anymore but they are still nice enough to host our tracker.
I don't know if this host sends other email, so this might be intentional.
|
msg8258 |
Author: [hidden] (cmeerw) |
Date: 2025-01-11 18:03 |
|
Maybe instead of changing the SPF record for python.org, the envelope from for these emails
should be changed to something @roundup-tracker.org (and changing the SPF record for
roundup-tracker)?
|
msg8259 |
Author: [hidden] (rouilj) |
Date: 2025-01-11 19:16 |
|
Hi Christof:
[changing envelope address away from psf.org to roundup-tracker.org]
That's possible I think. But we are trying to not be a burden on them.
They have a small team and it's overworked. However, my guess is that the
psf maintainers would like less spam from the roundup tracker. Also they
would not miss my occasionally asking them for an error email.
Currently roundup-tracker.org's MX point to bugs.python.org. So it would
be a bit involved as roundup has no smtp assets of its own, so we would
still need to piggyback on PSF. They maintain their systems via salt and
I would need to figure out how to inject a
roundup-tracker-admin@issues.roundup-tracker.org or some such alias, but
that might also need their help.
What's interesting is roundup-tracker.org's spf is:
ip4:66.96.140.128.0/18
which is some net range that seems vaguely familiar, but I can't place it.
I wonder if it was the old PSF psf.upfronthosting.co.za infrastructure
IP range. At the very least, it should be changed to some address we
currently have use of.
|
msg8274 |
Author: [hidden] (EWDurbin) |
Date: 2025-01-15 13:33 |
|
We've updated the email configuration to send via our mailgun account.
I tested each instance by issuing a password reset, and see SPF and DKIM both being PASS.
This should be resolved.
|
msg8275 |
Author: [hidden] (EWDurbin) |
Date: 2025-01-15 13:35 |
|
Hm, password reset emails are fine, but the emails from this message came through as a DKIM fail... looking closer.
|
msg8276 |
Author: [hidden] (EWDurbin) |
Date: 2025-01-15 13:46 |
|
Reverted to using the previous configuration for now.
Seems like a good option is adding a roundup-tracker.org configuration to our mailgun account, which would just require a couple DNS
entries to be added on the zone:
smtp._domainkey.roundup-tracker.org IN TXT k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyKRxsc7RPZD6wH83707zeLF21mtQWjxKc9Bb8DhqWBQ4U3jQEf/xiMK3pLl
gcMhNspeWywTgwTv80xczsFyqiU6aULQZZSemY3abRsPbic7XwTXku3U3pUp8l6FGgC3i+NCIHNpE+p53maziKfAB7kWb0VgjYbbpsm+1
sWcSEilYWgAccI9HyZmsWirl5ipA3mPDBmheLdv8v2xshepWN4xLplPd4aoAMpDjYvmtd/UEnlnj73zJUyfJNxyCt9P+Xz7eKBgJ7Z1KHRQF
3tON3HgYHbhr5Ddq/bT8GpjMPVMu/7m7WmKxgLVJB6FntI06wRuXsgBSsMxlvOLZ1r0vHwIDAQAB
roundup-tracker.org IN TXT v=spf1 include:mailgun.org ~all
email.roundup-tracker.org IN CNAME mailgun.org
Then we could configure all emails from the instance to send on the roundup-tracker.org domain only (remove all references to
python.org), leaving MX records as is to allow the email gateway to continue working.
|
msg8277 |
Author: [hidden] (rouilj) |
Date: 2025-01-15 14:13 |
|
Hi Ee:
I'll work on getting those 3 dns records changed/added.
-- rouilj
|
msg8278 |
Author: [hidden] (rouilj) |
Date: 2025-01-15 14:34 |
|
Ee:
Just a couple of questions in case my DNS admin has them:
1) is there a recommended TTL on the dkim record? I think our default is 3600
2) I have seen DKIM records that have a left most DNS name that is related to the
email provider. I think this is to allow multiple DKIM signed providers
A._domainkey, B._domainkey .... We have no plans on changing to multiple
providers, but I just wanted to make sure that a generic "smtp" was the correct
value since smtp._domainkey.python.org doesn't resolve as a TXT record.
Also Thomas Waldman, in case you are reading this, please remove the existing
SPF record with a:mail.wooz.org in it.
Thanks.
|
msg8279 |
Author: [hidden] (EWDurbin) |
Date: 2025-01-15 14:38 |
|
1) 3600 is fine
2) That's the record generated by mailgun by default. But good catch. Use below instead:
mailgun._domainkey.roundup-tracker.org IN TXT k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt+atQsfTUo23u2T8mDwVe6oM42ZTKM0gmmM7dzKJUUdvSnBaXd+Xr
lEc69wYDWplbrEtVFmsCZ36l+JRIbEGGnzu+jpFr9aSOoR9+khptcHFUyaE0U8UZtqEnYs0UPLnGjxIgmEH+t1lIgSlJMAbMrNTRNW1y
QPx6SIdPR5XaXJaACEzrbPv0ZD73U1f66Fs/MPVHKKeW6WX0bh9sxBZP0/XQ3Qnw2+adEJh33SXf8zMlKT3Fvevv9txxdRd3q3X+u
m/9eJnrCf4OqQseUlzrOi6SQvG3EaVEW/3l9Q7/8RpU116OFcEtIooRZ2ktCmWuft3qOakq/neMzK2Lz15ywIDAQAB
|
msg8281 |
Author: [hidden] (rouilj) |
Date: 2025-01-15 21:24 |
|
> 2) That's the record generated by mailgun by default. But good catch. Use below instead:
I still have my moments, that's what 20+ years as a sysadmin will do.
I have forwarded this on. Thanks.
|
msg8284 |
Author: [hidden] (rouilj) |
Date: 2025-01-17 00:50 |
|
Ee, I am AFK all day tomorrow, but the DNS record info is done.
$ delv -i roundup-tracker.org TXT
roundup-tracker.org. 370 IN TXT "v=spf1 include:mailgun.org ~all"
$ delv -i email.roundup-tracker.org
email.roundup-tracker.org. 326 IN CNAME mailgun.org.
mailgun.org. 299 IN A 34.102.239.211
$ delv -i mailgun._domainkey.roundup-tracker.org TXT
mailgun._domainkey.roundup-tracker.org. 332 IN TXT
"k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt+atQsfTUo23u2T8mDwVe6oM42ZTKM0gmmM7d
zKJUUdvSnBaXd+XrlEc69wYDWplbrEtVFmsCZ36l+JRIbEGGnzu+jpFr9aSOoR9+khptcHFUyaE0U8UZtqEnYs0UPL
nGjxIgmEH+t1lIgSlJMAbMrNTRNW1yQPx6SIdPR5XaXJaACEzrbPv0ZD73U1f66Fs/MPVHKKeW6W"
"X0bh9sxBZP0/XQ3Qnw2+adEJh33SXf8zMlKT3Fvevv9txxdRd3q3X+um/9eJnrCf4OqQseUlzrOi6SQvG4EaVEW/3
l9Q7/8RpU116OFcEtIooRZ2ktCmWuft3qOakq/neMzK2Lz15ywIDAQAB"
I'll have Thomas update these with a TTL of 3600. It looks like it is at 600 currently.
|
msg8285 |
Author: [hidden] (EWDurbin) |
Date: 2025-01-17 14:14 |
|
I see the records, but unfortunately mailgun refuses to validate for sending due to the silliest little difference (missing white space
after the semicolon):
-k=rsa; p=MIIBIjANBg...
+k=rsa;p=MIIBIjANBg...
Once that's cleared up we can proceed.
|
msg8286 |
Author: [hidden] (rouilj) |
Date: 2025-01-18 05:30 |
|
Just sent email to my DNS master. I'll let you know when the change is done.
|
msg8287 |
Author: [hidden] (rouilj) |
Date: 2025-01-18 13:32 |
|
The space has been added.
|
msg8288 |
Author: [hidden] (EWDurbin) |
Date: 2025-01-18 16:28 |
|
Hm, appears that the space was a red herring.
I see a stray replacement of a `4` with a `3` in the record that is currently live.
For obvious reasons, that would indeed cause a validation issue.
Here's a gist:
https://gist.github.com/ewdurbin/bb0d03a2ffce712cd6288b73ff69dc0f
|
msg8290 |
Author: [hidden] (rouilj) |
Date: 2025-01-18 23:08 |
|
I have sent an updated record value from the gist to my dns manager.
|
msg8291 |
Author: [hidden] (rouilj) |
Date: 2025-01-18 23:52 |
|
Hi Ee:
The new value is in place.
I compared what I pulled via DNS with the "value" in the gist.
Compared them in emacs and they look the same (modulo some DNS
reformatting to handle the 256 byte boundary)...
Have a great day.
-- rouilj
|
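The comparison done by eye in msg8288 and msg8291, as an added example that is not part of the thread: it joins the quoted TXT strings a resolver prints for a record longer than one string, ignores whitespace around tags, and reports the offset of the first differing character in `p=`. The key material and the `example.org` name are constructed placeholders, and the function names are this example's own.

```python
import base64
import binascii
import re

def join_txt_strings(rdata):
    """Concatenate the quoted <=255-byte strings of a TXT answer; unquoted text passes through."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(chunks) if chunks else rdata.strip()

def parse_dkim_tags(record):
    """Split 'k=rsa; p=...' into tags; whitespace around tags and inside p= is dropped."""
    tags = {}
    for spec in filter(str.strip, record.split(";")):
        name, sep, value = spec.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {spec!r}")
        name, value = name.strip(), value.strip()
        tags[name] = re.sub(r"\s+", "", value) if name == "p" else value
    return tags

def first_difference(a, b):
    """Return (offset, char_in_a, char_in_b) at the first mismatch, or None if equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i, x, y
    shorter = min(len(a), len(b))
    return None if len(a) == len(b) else (shorter, a[shorter:shorter + 1], b[shorter:shorter + 1])

def compare_dkim(expected_rdata, live_rdata):
    exp = parse_dkim_tags(join_txt_strings(expected_rdata))
    live = parse_dkim_tags(join_txt_strings(live_rdata))
    try:  # a one-character slip usually still decodes, so decoding alone proves nothing
        base64.b64decode(live.get("p", ""), validate=True)
        decodes = True
    except (binascii.Error, ValueError):
        decodes = False
    return {
        "differing_tags": sorted(t for t in exp.keys() | live.keys() if exp.get(t) != live.get(t)),
        "p_first_diff": first_difference(exp.get("p", ""), live.get("p", "")),
        "live_p_decodes": decodes,
    }

# Constructed sample data: a stand-in blob, not a real key, under a placeholder name.
KEY = base64.b64encode(bytes(range(60))).decode()
BAD = KEY[:50] + ("A" if KEY[50] != "A" else "B") + KEY[51:]
EXPECTED = f"k=rsa; p={KEY}"
LIVE_OK = f'mailgun._domainkey.example.org. 600 IN TXT "k=rsa;p={KEY[:40]}" "{KEY[40:]}"'
LIVE_TYPO = f'mailgun._domainkey.example.org. 600 IN TXT "k=rsa;p={BAD[:40]}" "{BAD[40:]}"'
```

`compare_dkim(EXPECTED, LIVE_OK)` reports no difference despite the missing space and the split strings, while `compare_dkim(EXPECTED, LIVE_TYPO)` pinpoints the substituted character even though the altered value still decodes as base64.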
msg8300 |
Author: [hidden] (EWDurbin) |
Date: 2025-01-19 14:56 |
|
Thanks all.
Emails from this tracker should now be SPF and DKIM aligned.
|
msg8301 |
Author: [hidden] (EWDurbin) |
Date: 2025-01-19 15:12 |
|
Confirmed that mail is sending, but note that users.sourceforge.net is greylisting mailgun. I'll monitor to see if it is eventually
accepted.
|
msg8302 |
Author: [hidden] (EWDurbin) |
Date: 2025-01-19 15:43 |
|
Greylisting cleared, so this looks good to me! Let me know if any issues arise.
|
Date | User | Action | Args
2025-01-19 20:18:15 | rouilj | set | status: open -> fixed, resolution: fixed
2025-01-19 15:43:04 | EWDurbin | set | messages: + msg8302
2025-01-19 15:12:52 | EWDurbin | set | messages: + msg8301
2025-01-19 14:56:08 | EWDurbin | set | messages: + msg8300
2025-01-18 23:52:23 | rouilj | set | messages: + msg8291
2025-01-18 23:08:16 | rouilj | set | messages: + msg8290
2025-01-18 16:28:10 | EWDurbin | set | files: + Screenshot 2025-01-18 at 11.24.21 AM.png, messages: + msg8288
2025-01-18 13:32:51 | rouilj | set | messages: + msg8287
2025-01-18 05:30:40 | rouilj | set | messages: + msg8286
2025-01-17 14:14:07 | EWDurbin | set | messages: + msg8285
2025-01-17 00:50:28 | rouilj | set | messages: + msg8284
2025-01-15 21:24:38 | rouilj | set | status: new -> open, assignee: rouilj, messages: + msg8281
2025-01-15 14:38:25 | EWDurbin | set | messages: + msg8279
2025-01-15 14:34:41 | rouilj | set | messages: + msg8278
2025-01-15 14:13:03 | rouilj | set | messages: + msg8277
2025-01-15 13:46:53 | EWDurbin | set | messages: + msg8276
2025-01-15 13:35:27 | EWDurbin | set | messages: + msg8275
2025-01-15 13:33:36 | EWDurbin | set | nosy: + EWDurbin, messages: + msg8274
2025-01-11 19:16:45 | rouilj | set | messages: + msg8259
2025-01-11 18:03:22 | cmeerw | set | messages: + msg8258
2025-01-11 17:18:27 | rouilj | set | nosy: + rouilj, messages: + msg8256
2025-01-11 09:32:24 | cmeerw | create |