= phenomenon = My local SpamAssassin 3.3.x instance claims SPF_HELO_SOFTFAIL for e-mails received from @lists.fedoraproject.org, relevant header line in e-mail is:
{{{ Received: from bastion.fedoraproject.org (bastion01.fedoraproject.org [209.132.181.2]) }}}
= reason = SpamAssassin rule http://wiki.apache.org/spamassassin/Rules/SPF_HELO_SOFTFAIL applies as it seems:
{{{ $ host -t TXT lists.fedoraproject.org lists.fedoraproject.org descriptive text "v=spf1 mx a:bastion03.fedoraproject.org a:bastion02.fedoraproject.org a:bastion01.fedoraproject.org ~all" $ }}}
= recommendation = Either include bastion.fedoraproject.org into the SPF record in DNS or change the HELO/EHLO in Postfix accordingly.
I've added bastion.fedoraproject.org to the record.
Should sync out and be active in the next hour. Please let us know if this doesn't solve the issue...
Unfortunately, it does not solve the issue - and I don't have an idea why. Mails from something@lists.fedoraproject.org -> alias@fedoraproject.org -> own-em@il.address are affected by this only, as it seems.
Can you attach full headers from one of the emails?
SPF and forwarding ends in tears usually. ;(
Any news here?
Whoops, sorry.
{{{ From devel-bounces@lists.fedoraproject.org Wed Sep 12 14:45:53 2012 Return-Path: devel-bounces@lists.fedoraproject.org X-Spam-Level: X-Spam-Status: No, score=0.55 required=5.00 tests=RP_MATCHES_RCVD,SPF_HELO_SOFTFAIL Received: from bastion.fedoraproject.org (bastion01.fedoraproject.org [209.132.181.2]) by mail.linuxnetz.de (8.14.5/8.14.5) with ESMTP id q8CCjh5R018807 for redhat@linuxnetz.de; Wed, 12 Sep 2012 14:45:47 +0200 Received: by bastion01.phx2.fedoraproject.org (Postfix) id 45AE5209FC; Wed, 12 Sep 2012 12:45:39 +0000 (UTC) Delivered-To: robert@fedoraproject.org Received: from lists.fedoraproject.org (collab03.vpn.fedoraproject.org [192.168.1.70]) by bastion01.phx2.fedoraproject.org (Postfix) with ESMTP id EA5CD209C5; Wed, 12 Sep 2012 12:45:38 +0000 (UTC) Received: from collab03.fedoraproject.org (localhost [127.0.0.1]) by lists.fedoraproject.org (Postfix) with ESMTP id 70C1A41F8B; Wed, 12 Sep 2012 12:45:38 +0000 (UTC) X-Original-To: devel@lists.fedoraproject.org Delivered-To: devel@lists.fedoraproject.org Received: from smtp-mm03.fedoraproject.org (vm4.fedora.ibiblio.org [152.19.134.143]) by lists.fedoraproject.org (Postfix) with ESMTP id 4E4514079A; Wed, 12 Sep 2012 12:45:36 +0000 (UTC) Received: from bastion.fedoraproject.org (bastion01.fedoraproject.org [209.132.181.2]) by smtp-mm03.fedoraproject.org (Postfix) with ESMTP id A523B40087; Wed, 12 Sep 2012 12:45:35 +0000 (UTC) Received: from releng03.phx2.fedoraproject.org (releng03.phx2.fedoraproject.org [10.5.125.67]) by bastion01.phx2.fedoraproject.org (Postfix) with ESMTP id 6361A208C8; Wed, 12 Sep 2012 12:45:35 +0000 (UTC) Received: by releng03.phx2.fedoraproject.org (Postfix, from userid 751) id 4CCB01C0BC6; Wed, 12 Sep 2012 12:45:35 +0000 (UTC) Date: Wed, 12 Sep 2012 12:45:35 +0000 From: Fedora Rawhide Report rawhide@fedoraproject.org To: devel@lists.fedoraproject.org, test@lists.fedoraproject.org Subject: rawhide report: 20120912 changes Message-ID: 20120912124535.GA31939@releng03.phx2.fedoraproject.org MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.20 (2009-12-10) X-BeenThere: devel@lists.fedoraproject.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: Development discussions related to Fedora devel@lists.fedoraproject.org List-Id: Development discussions related to Fedora <devel.lists.fedoraproject.org> List-Unsubscribe: https://admin.fedoraproject.org/mailman/options/devel, devel-request@lists.fedoraproject.org?subject=unsubscribe List-Archive: http://lists.fedoraproject.org/pipermail/devel/ List-Post: devel@lists.fedoraproject.org List-Help: devel-request@lists.fedoraproject.org?subject=help List-Subscribe: https://admin.fedoraproject.org/mailman/listinfo/devel, devel-request@lists.fedoraproject.org?subject=subscribe Content-Type: text/plain; charset="utf-8" Sender: devel-bounces@lists.fedoraproject.org Errors-To: devel-bounces@lists.fedoraproject.org X-Scanned-By: MIMEDefang 2.73 Content-Transfer-Encoding: 8bit }}}
Can you take one of these emails, save it to a file and run:
spamassassin -D < email >& email.out
and attach the email.out output here?
SPF related things from the output (one block):
{{{ ... Sep 12 21:51:41.207 [16143] dbg: spf: checking to see if the message has a Received-SPF header that we can use Sep 12 21:51:41.338 [16143] dbg: spf: using Mail::SPF for SPF checks Sep 12 21:51:41.339 [16143] dbg: spf: checking HELO (helo=lists.fedoraproject.org, ip=192.168.1.70) Sep 12 21:51:41.343 [16143] dbg: dns: providing a callback for id: 22685/lists.fedoraproject.org/SPF/IN Sep 12 21:51:41.462 [16143] dbg: dns: providing a callback for id: 25369/lists.fedoraproject.org/TXT/IN Sep 12 21:51:41.565 [16143] dbg: dns: providing a callback for id: 22363/lists.fedoraproject.org/MX/IN Sep 12 21:51:41.570 [16143] dbg: dns: providing a callback for id: 884/smtp-mm02.fedoraproject.org/A/IN Sep 12 21:51:41.710 [16143] dbg: dns: providing a callback for id: 45015/smtp-mm03.fedoraproject.org/A/IN Sep 12 21:51:41.715 [16143] dbg: dns: providing a callback for id: 46499/smtp-mm01.fedoraproject.org/A/IN Sep 12 21:51:41.873 [16143] dbg: dns: providing a callback for id: 16608/bastion.fedoraproject.org/A/IN Sep 12 21:51:41.877 [16143] dbg: dns: providing a callback for id: 31305/bastion02.fedoraproject.org/A/IN Sep 12 21:51:41.907 [16143] dbg: dns: providing a callback for id: 33752/bastion01.fedoraproject.org/A/IN Sep 12 21:51:41.939 [16143] dbg: spf: query for /192.168.1.70/lists.fedoraproject.org: result: softfail, comment: , text: Mechanism '~all' matched Sep 12 21:51:41.944 [16143] dbg: dkim: author rawhide@fedoraproject.org, not in any dkim whitelist Sep 12 21:51:41.950 [16143] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks Sep 12 21:51:41.951 [16143] dbg: spf: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping Sep 12 21:51:41.952 [16143] dbg: FreeMail: RULE (__freemail_reply) check_freemail_replyto Sep 12 21:51:41.952 [16143] dbg: FreeMail: envelope sender looks bulk, skipping check: devel-bounces@lists.fedoraproject.org Sep 12 21:51:41.959 [16143] dbg: rules: devel-bounces@lists.fedoraproject.org MATCHES relay collab03.vpn.fedoraproject.org (fedoraproject.org) Sep 12 21:51:41.960 [16143] dbg: rules: ran eval rule __RP_MATCHES_RCVD ======> got hit (1) Sep 12 21:51:41.962 [16143] dbg: rules: ran eval rule SPF_HELO_SOFTFAIL ======> got hit (1) Sep 12 21:51:41.967 [16143] dbg: FreeMail: RULE (FREEMAIL_REPLYTO_END_DIGIT) check_freemail_header regex:\d@ Sep 12 21:51:41.968 [16143] dbg: FreeMail: address from header Reply-To: development discussions related to fedora devel@lists.fedoraproject.org Sep 12 21:51:41.970 [16143] dbg: rules: devel-bounces@lists.fedoraproject.org MATCHES relay collab03.vpn.fedoraproject.org (fedoraproject.org) Sep 12 21:51:41.972 [16143] dbg: rules: ran eval rule RP_MATCHES_RCVD ======> got hit (1) Sep 12 21:51:41.973 [16143] dbg: FreeMail: RULE (__freemail_replyto) check_freemail_replyto Sep 12 21:51:41.973 [16143] dbg: FreeMail: envelope sender looks bulk, skipping check: devel-bounces@lists.fedoraproject.org Sep 12 21:51:41.977 [16143] dbg: FreeMail: RULE (__freemail_hdr_replyto) check_freemail_header Sep 12 21:51:41.977 [16143] dbg: FreeMail: address from header Reply-To: development discussions related to fedora devel@lists.fedoraproject.org Sep 12 21:51:41.978 [16143] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check Sep 12 21:51:41.980 [16143] dbg: FreeMail: RULE (FREEMAIL_ENVFROM_END_DIGIT) check_freemail_header regex:\d@ Sep 12 21:51:41.980 [16143] dbg: FreeMail: address from header EnvelopeFrom: devel-bounces@lists.fedoraproject.org Sep 12 21:51:41.984 [16143] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check ... }}}
So, the thing it's complaining about seems to be the internal vpn ip of lists.fedoraproject.org.
(the 192.168.0.70).
I suppose we could masquerade that, but thats a great deal of hassle.
We could just add it to the spf record, but adding a 192.168.x.x ip there may make it easy to show a 'pass' spf for a spam.
Can you whitelist it somewhere? Or perhaps we should just drop the spf record entirely.
Thoughts?
Feel free to reopen if there's action we can take here.
Login to comment on this ticket.