[onionmx] SPF and OnionMX (Was: Meeting?)

doobry doobry at systemli.org
Fri Mar 2 21:53:21 CET 2018


On 02.03.2018 at 19:57, doobry wrote:
> On 27.02.2018 at 20:42, intrigeri wrote:
>> Bypassing spam checks for email coming from 127.0.0.1 over Tor
>> might be OK currently but it won't scale once OnionMX succeeds.

After further discussion, I think this would be the proper solution to
Riseup's problem.

SPF gets broken by OnionMX and incoming mail over Tor in general. So SPF
checks should be ignored for all incoming mail over Tor. That's
particularly true if failing SPF is rated as high as in Riseup's custom
RISEUP_SPF_TRUE check.

> My assumption is that this is not related to Mailman's DMARC support at
> all. According to the Mailman DMARC docs[1], Mailman starting from
> 2.1.18 rewrites the From: header *only* if the original sending domain
> has a DMARC policy of 'p=reject' and 'p=quarantine'. Gladly, the latter
> is true only for very few domains (yahoo and gmail being among them,
> riseup.net not).
> [...]
> In other words: for mails from riseup.net over lists.immerda.ch back to
> riseup.net, Mailman's DMARC support will not make a difference.

I now got pointed to the missing piece: Indeed, rewritten From headers
will fix the issue for Riseup, because the condition '__RISEUP_FROM' in
their custom rule doesn't apply anymore.

Still, I don't like the idea of enforcing header rewrites at mailing lists
just to fix a problem that's a combination of mail over Tor and a custom
Riseup spam rule.

Especially as mailing list servers out of our reach will continue to
*not* rewrite the From header for domains without DMARC header.


Again, the problem in general is that mail over Tor breaks SPF. What do
you think about adding a policy rule like the following to OnionMX: Mail
servers that support receiving mail via Tor must disable (or mitigate)
all SPF checks for incoming mail over Tor.

Probably for most setups, incoming mail over Tor can be translated to
incoming mail from localhost.

Cheers,
 doobry
