[onionmx] SPF and OnionMX (Was: Meeting?)

doobry doobry at systemli.org
Fri Mar 2 19:57:52 CET 2018


Hi there,

first thanks a lot for the minutes. Unfortunately I couldn't make it to
the meeting. I've some thoughts to share on the SPF issues though ...

Am 27.02.2018 um 20:42 schrieb intrigeri:
> SPF failures
> ------------
> 
> This might be specific to Riseup's setup. Or not.
> 
> Riseup sends an email over the Onion to the immerda mailing list
> server, the ML server tries to deliver email to list subscribers over
> the Onion too, Riseup's spam filtering sees the message coming this
> way it does some SPF thing and flags the message as spam. A few good
> people tried to solve this and failed so far.
> 
> Corresponding RISEUP_SPF_TRUE SpamAssassin rule:
> 
>       # if the header from says it is from riseup.net, but spf fails, then score +5
>       header __RISEUP_FROM From =~ /\briseup\.net\b/i
>       meta RISEUP_SPF_TRUE (__RISEUP_FROM && (SPF_SOFTFAIL || SPF_FAIL))
>       describe RISEUP_SPF_TRUE  Claims to be from riseup, but is not
>       score RISEUP_SPF_TRUE 5.0
> 
> It might be caused by mismatch between From header, SPF record,
> EHLO etc.
> 
> Some ML software now rewrite From to avoid such issues with DMARC.
> Message came from Mailman 2.1.15 (according to headers), maybe immerda
> should update to 2.1.18 where DMARC is available
> (https://wiki.list.org/DEV/DMARC mailman DMARC support)
>
> Bypassing spam checks for email coming from 127.0.0.1 over Tor
> might be OK currently but it won't scale once OnionMX succeeds.

My assumption is that this is not related to Mailman's DMARC support at
all. According to the Mailman DMARC docs[1], Mailman starting from
2.1.18 rewrites the From: header *only* if the original sending domain
has a DMARC policy of 'p=reject' and 'p=quarantine'. Gladly, the latter
is true only for very few domains (yahoo and gmail being among them,
riseup.net not).

Apart from that, the From: header is irrelevant for SPF checks, so
SpamAssassin's SPF checks will not care about rewritten From: headers.
The relevant header for SPF (fortunately - and other than for DMARC) is
the Envelope-From header.[2]

In other words: for mails from riseup.net over lists.immerda.ch back to
riseup.net, Mailman's DMARC support will not make a difference.

In my eyes, the problem is simpler - and more severe:

OnionMX breaks SPF in general. For mail received over Tor, the SPF
header will never match. The sending server is 127.0.0.1, and that will
almost never match an SPF record for the Envelope-From sender's
domain.

There are simple reasons why only mails from riseup.net to riseup.net
suffer that much from this problem:

* Riseup is one of the few mail providers using OnionMX (or receiving
  mail via Tor) that has a hard SPF policy set ('-all' in the SPF
  record).
* Riseup has a custom SpamAssassin rule (see above) that scores mail
  from riseup.net with a mismatched SPF record very high.

Or do I miss something?

Unfortunately, I don't have an easy solution to provide. In fact, my
understanding of OnionMX breaking SPF and DKIM is a strong reason why we
don't participate in OnionMX yet at systemli.org. I would love to find a
good solution to this :)

Cheers,
 doobry


[1] https://wiki.list.org/DEV/DMARC#Mailman_2
[2] http://www.openspf.org/FAQ/Envelope_from_scope
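The failure mode described in this thread, as an added illustration (not part of the original mail or of any of the projects mentioned): a minimal SPF evaluator run with Tor's loopback client address against a hard ('-all') and a soft ('~all') policy, combined with a model of the quoted RISEUP_SPF_TRUE meta rule. The SPF records and domain names are constructed samples, not riseup's real DNS data, and a/mx/include mechanisms and DNS lookups are left out.

```python
import ipaddress
import re

# Constructed sample SPF records keyed by Envelope-From domain (not real DNS data).
SPF_RECORDS = {
    "hardpolicy.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "softpolicy.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Minimal SPF check: ip4/ip6 mechanisms plus the 'all' mechanism.

    Real evaluators also resolve a/mx/include via DNS; this is enough to
    show what a receiver sees when the SMTP client is Tor's 127.0.0.1.
    """
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIER[qual]
        kind, _, value = mech.partition(":")
        # 'in' is False (not an error) when the IP versions differ.
        if kind in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIER[qual]
    return "neutral"  # no mechanism matched and no 'all' term


def riseup_spf_true(header_from, spf_result):
    """Model of the quoted RISEUP_SPF_TRUE meta rule: score 5.0 when the
    From header claims riseup.net and the SPF result is SOFTFAIL or FAIL."""
    from_riseup = re.search(r"\briseup\.net\b", header_from, re.I) is not None
    return 5.0 if from_riseup and spf_result in ("softfail", "fail") else 0.0


def score_over_tor(envelope_domain, header_from, client_ip="127.0.0.1"):
    """SPF is evaluated on the Envelope-From domain; only the meta rule
    looks at the From header. Returns (spf_result, added_score)."""
    result = check_spf(SPF_RECORDS[envelope_domain], client_ip)
    return result, riseup_spf_true(header_from, result)


if __name__ == "__main__":
    # Over the onion service the client is loopback, so no ip4/ip6 term
    # matches and the 'all' qualifier decides: -all -> fail, ~all -> softfail.
    print(score_over_tor("hardpolicy.example", "user@riseup.net"))  # -> ('fail', 5.0)
    print(score_over_tor("softpolicy.example", "user@riseup.net"))  # -> ('softfail', 5.0)
    print(score_over_tor("hardpolicy.example", "user@riseup.net", "198.51.100.7"))  # -> ('pass', 0.0)
```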
