Red Hat IT forwarded an issue to me today about a recipient of @fedoraproject.org having an issue with addresses from @redhat.com. The issue is that in forwarding email addresses we aren't rewriting headers so it looks like we are sending redhat.com addresses from a non Red Hat server. The suggested fix is to have procmail rewrite the envelope for these to say soemthing like From noreply@fedoraproject.org so that SPF and similar filters can work.
I wanted to get some opinions on this
http://www.openspf.org/FAQ/Forwarding http://www.irbs.net/internet/postfix/0401/0970.html
https://fedorahosted.org/fedora-infrastructure/ticket/2220
On Mon, Jun 14, 2010 at 14:25:42 -0600, Stephen John Smoogen smooge@gmail.com wrote:
Red Hat IT forwarded an issue to me today about a recipient of @fedoraproject.org having an issue with addresses from @redhat.com. The issue is that in forwarding email addresses we aren't rewriting headers so it looks like we are sending redhat.com addresses from a non Red Hat server. The suggested fix is to have procmail rewrite the envelope for these to say soemthing like From noreply@fedoraproject.org so that SPF and similar filters can work.
That will break other things. SPF and forwarding don't go well together. If you really need to do it, there is supposed to a standard for rewriting the envelope sender address that could be used to forward bounces back to redhat.com via fedoraproject.org. The recipient could also relax the checks on their end and accept email from fedoraproject.org servers.
On Mon, 2010-06-14 at 15:57 -0500, Bruno Wolff III wrote:
On Mon, Jun 14, 2010 at 14:25:42 -0600, Stephen John Smoogen smooge@gmail.com wrote:
Red Hat IT forwarded an issue to me today about a recipient of @fedoraproject.org having an issue with addresses from @redhat.com. The issue is that in forwarding email addresses we aren't rewriting headers so it looks like we are sending redhat.com addresses from a non Red Hat server. The suggested fix is to have procmail rewrite the envelope for these to say soemthing like From noreply@fedoraproject.org so that SPF and similar filters can work.
That will break other things. SPF and forwarding don't go well together. If you really need to do it, there is supposed to a standard for rewriting the envelope sender address that could be used to forward bounces back to redhat.com via fedoraproject.org. The recipient could also relax the checks on their end and accept email from fedoraproject.org servers.
I just read that standard - it could be the single oddest thing I ever read and I'm positive we do not want to implement it.
I like mdomsch's idea that @redhat.com should change from -all to ~all
-sv
On Mon, Jun 14, 2010 at 17:05:35 -0400, seth vidal skvidal@fedoraproject.org wrote:
I like mdomsch's idea that @redhat.com should change from -all to ~all
That solves messages from Redhat, but not all messages to the person who complained. As it is their server doing the rejecting and it will reject other messages from servers that publish spf records. However, solving the problem for redhat.com may cover the vast majority of the problem.
infrastructure@lists.fedoraproject.org