I've added bastion.fedoraproject.org to the record.

Should sync out and be active in the next hour. Please let us know if this doesn't solve the issue...

Unfortunately, it does not solve the issue - and I don't have an idea why. Mails from something@lists.fedoraproject.org -> alias@fedoraproject.org -> own-em@il.address are affected by this only, as it seems.

Can you attach full headers from one of the emails?

SPF and forwarding ends in tears usually. ;(

Any news here?

Whoops, sorry.

{{{
From devel-bounces@lists.fedoraproject.org Wed Sep 12 14:45:53 2012
Return-Path: devel-bounces@lists.fedoraproject.org
X-Spam-Level:
X-Spam-Status: No, score=0.55 required=5.00 tests=RP_MATCHES_RCVD,SPF_HELO_SOFTFAIL
Received: from bastion.fedoraproject.org (bastion01.fedoraproject.org [209.132.181.2])
by mail.linuxnetz.de (8.14.5/8.14.5) with ESMTP id q8CCjh5R018807
for redhat@linuxnetz.de; Wed, 12 Sep 2012 14:45:47 +0200
Received: by bastion01.phx2.fedoraproject.org (Postfix)
id 45AE5209FC; Wed, 12 Sep 2012 12:45:39 +0000 (UTC)
Delivered-To: robert@fedoraproject.org
Received: from lists.fedoraproject.org (collab03.vpn.fedoraproject.org [192.168.1.70])
by bastion01.phx2.fedoraproject.org (Postfix) with ESMTP id EA5CD209C5;
Wed, 12 Sep 2012 12:45:38 +0000 (UTC)
Received: from collab03.fedoraproject.org (localhost [127.0.0.1])
by lists.fedoraproject.org (Postfix) with ESMTP id 70C1A41F8B;
Wed, 12 Sep 2012 12:45:38 +0000 (UTC)
X-Original-To: devel@lists.fedoraproject.org
Delivered-To: devel@lists.fedoraproject.org
Received: from smtp-mm03.fedoraproject.org (vm4.fedora.ibiblio.org
[152.19.134.143])
by lists.fedoraproject.org (Postfix) with ESMTP id 4E4514079A;
Wed, 12 Sep 2012 12:45:36 +0000 (UTC)
Received: from bastion.fedoraproject.org (bastion01.fedoraproject.org
[209.132.181.2])
by smtp-mm03.fedoraproject.org (Postfix) with ESMTP id A523B40087;
Wed, 12 Sep 2012 12:45:35 +0000 (UTC)
Received: from releng03.phx2.fedoraproject.org
(releng03.phx2.fedoraproject.org [10.5.125.67])
by bastion01.phx2.fedoraproject.org (Postfix) with ESMTP id 6361A208C8;
Wed, 12 Sep 2012 12:45:35 +0000 (UTC)
Received: by releng03.phx2.fedoraproject.org (Postfix, from userid 751)
id 4CCB01C0BC6; Wed, 12 Sep 2012 12:45:35 +0000 (UTC)
Date: Wed, 12 Sep 2012 12:45:35 +0000
From: Fedora Rawhide Report rawhide@fedoraproject.org
To: devel@lists.fedoraproject.org, test@lists.fedoraproject.org
Subject: rawhide report: 20120912 changes
Message-ID: 20120912124535.GA31939@releng03.phx2.fedoraproject.org
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2009-12-10)
X-BeenThere: devel@lists.fedoraproject.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Development discussions related to Fedora devel@lists.fedoraproject.org
List-Id: Development discussions related to Fedora
<devel.lists.fedoraproject.org>
List-Unsubscribe: https://admin.fedoraproject.org/mailman/options/devel,
devel-request@lists.fedoraproject.org?subject=unsubscribe
List-Archive: http://lists.fedoraproject.org/pipermail/devel/
List-Post: devel@lists.fedoraproject.org
List-Help: devel-request@lists.fedoraproject.org?subject=help
List-Subscribe: https://admin.fedoraproject.org/mailman/listinfo/devel,
devel-request@lists.fedoraproject.org?subject=subscribe
Content-Type: text/plain; charset="utf-8"
Sender: devel-bounces@lists.fedoraproject.org
Errors-To: devel-bounces@lists.fedoraproject.org
X-Scanned-By: MIMEDefang 2.73
Content-Transfer-Encoding: 8bit
}}}

Can you take one of these emails, save it to a file and run:

spamassassin -D < email >& email.out

and attach the email.out output here?

SPF related things from the output (one block):

{{{
...
Sep 12 21:51:41.207 [16143] dbg: spf: checking to see if the message has a Received-SPF header that we can use
Sep 12 21:51:41.338 [16143] dbg: spf: using Mail::SPF for SPF checks
Sep 12 21:51:41.339 [16143] dbg: spf: checking HELO (helo=lists.fedoraproject.org, ip=192.168.1.70)
Sep 12 21:51:41.343 [16143] dbg: dns: providing a callback for id: 22685/lists.fedoraproject.org/SPF/IN
Sep 12 21:51:41.462 [16143] dbg: dns: providing a callback for id: 25369/lists.fedoraproject.org/TXT/IN
Sep 12 21:51:41.565 [16143] dbg: dns: providing a callback for id: 22363/lists.fedoraproject.org/MX/IN
Sep 12 21:51:41.570 [16143] dbg: dns: providing a callback for id: 884/smtp-mm02.fedoraproject.org/A/IN
Sep 12 21:51:41.710 [16143] dbg: dns: providing a callback for id: 45015/smtp-mm03.fedoraproject.org/A/IN
Sep 12 21:51:41.715 [16143] dbg: dns: providing a callback for id: 46499/smtp-mm01.fedoraproject.org/A/IN
Sep 12 21:51:41.873 [16143] dbg: dns: providing a callback for id: 16608/bastion.fedoraproject.org/A/IN
Sep 12 21:51:41.877 [16143] dbg: dns: providing a callback for id: 31305/bastion02.fedoraproject.org/A/IN
Sep 12 21:51:41.907 [16143] dbg: dns: providing a callback for id: 33752/bastion01.fedoraproject.org/A/IN
Sep 12 21:51:41.939 [16143] dbg: spf: query for /192.168.1.70/lists.fedoraproject.org: result: softfail, comment: , text: Mechanism '~all' matched
Sep 12 21:51:41.944 [16143] dbg: dkim: author rawhide@fedoraproject.org, not in any dkim whitelist
Sep 12 21:51:41.950 [16143] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
Sep 12 21:51:41.951 [16143] dbg: spf: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping
Sep 12 21:51:41.952 [16143] dbg: FreeMail: RULE (__freemail_reply) check_freemail_replyto
Sep 12 21:51:41.952 [16143] dbg: FreeMail: envelope sender looks bulk, skipping check: devel-bounces@lists.fedoraproject.org
Sep 12 21:51:41.959 [16143] dbg: rules: devel-bounces@lists.fedoraproject.org MATCHES relay collab03.vpn.fedoraproject.org (fedoraproject.org)
Sep 12 21:51:41.960 [16143] dbg: rules: ran eval rule __RP_MATCHES_RCVD ======> got hit (1)
Sep 12 21:51:41.962 [16143] dbg: rules: ran eval rule SPF_HELO_SOFTFAIL ======> got hit (1)
Sep 12 21:51:41.967 [16143] dbg: FreeMail: RULE (FREEMAIL_REPLYTO_END_DIGIT) check_freemail_header regex:\d@
Sep 12 21:51:41.968 [16143] dbg: FreeMail: address from header Reply-To: development discussions related to fedora devel@lists.fedoraproject.org
Sep 12 21:51:41.970 [16143] dbg: rules: devel-bounces@lists.fedoraproject.org MATCHES relay collab03.vpn.fedoraproject.org (fedoraproject.org)
Sep 12 21:51:41.972 [16143] dbg: rules: ran eval rule RP_MATCHES_RCVD ======> got hit (1)
Sep 12 21:51:41.973 [16143] dbg: FreeMail: RULE (__freemail_replyto) check_freemail_replyto
Sep 12 21:51:41.973 [16143] dbg: FreeMail: envelope sender looks bulk, skipping check: devel-bounces@lists.fedoraproject.org
Sep 12 21:51:41.977 [16143] dbg: FreeMail: RULE (__freemail_hdr_replyto) check_freemail_header
Sep 12 21:51:41.977 [16143] dbg: FreeMail: address from header Reply-To: development discussions related to fedora devel@lists.fedoraproject.org
Sep 12 21:51:41.978 [16143] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check
Sep 12 21:51:41.980 [16143] dbg: FreeMail: RULE (FREEMAIL_ENVFROM_END_DIGIT) check_freemail_header regex:\d@
Sep 12 21:51:41.980 [16143] dbg: FreeMail: address from header EnvelopeFrom: devel-bounces@lists.fedoraproject.org
Sep 12 21:51:41.984 [16143] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check
...
}}}

So, the thing it's complaining about seems to be the internal vpn ip of lists.fedoraproject.org.

(the 192.168.0.70).

I suppose we could masquerade that, but thats a great deal of hassle.

We could just add it to the spf record, but adding a 192.168.x.x ip there may make it easy to show a 'pass' spf for a spam.

Can you whitelist it somewhere? Or perhaps we should just drop the spf record entirely.

Thoughts?

Feel free to reopen if there's action we can take here.