
Re: A mail relay server for Debian Members is live



On Mon, 2022-08-15 at 23:09 +0530, Praveen Arimbrathodiyil wrote:
> I would like to bring up the issue of providers with strict SPF
> record, for example disroot.org
> 
> dig -t TXT disroot.org has the relevant line,
> disroot.org.            3600    IN      TXT     "v=spf1 a mx -all"
> 
> which means people using disroot.org to receive debian.org forwarded 
> mails cannot receive any mails sent from other disroot.org users. I
> have also seen rejections with some other mail servers with strict
> SPF enforced.
> 
> Can we enable SRS [1] on the forwarding mail server to mitigate this?
> This would also be relevant for @debconf.org aliases too.

SRS doesn't help with that as it will still look like forged mail.

To not look like forged mail, the "From" header field (not the
envelope) has to be validated with either DKIM or SPF.  disroot.org
says this is supposed to be the case for mail from their domain:

  _dmarc.disroot.org. [...] TXT "v=DMARC1; p=quarantine; adkim=s; aspf=s;  [...]"

This requirement is not met by SRS, so SRS isn't really useful.

You need to ask disroot.org users to:

 - make sure all their outgoing mail is DKIM-signed,
 - not send mail forwarded via the BTS (breaks DKIM signatures),
 - not send mail to @d.o lists that break DKIM signatures (most are
   fine, but depends on the DKIM-signature).

Ansgar
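
Added example, not part of the original message: a sketch of the DMARC identifier-alignment check (RFC 7489) that the reply above relies on, run against the visible part of the disroot.org record quoted there. The domain forwarder.example, the scenario table, and the two-label organizational-domain shortcut are constructed assumptions.

```python
# DMARC alignment for forwarded mail. The record is the visible part of the
# one quoted above; forwarder.example is a constructed placeholder domain.
DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=s; aspf=s;"

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf = (passed, envelope sender domain); dkim = (passed, d= domain).
    Returns 'pass' or the policy the From: domain requests on failure."""
    tags = parse_tags(record)
    spf_ok = spf[0] and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

# Constructed scenarios for a message with "From: user@disroot.org".
SCENARIOS = {
    "direct delivery": ((True, "disroot.org"), (True, "disroot.org")),
    "forwarded, no SRS, DKIM intact": ((False, "disroot.org"), (True, "disroot.org")),
    "forwarded, no SRS, DKIM broken": ((False, "disroot.org"), (False, "disroot.org")),
    # SRS rewrites the envelope sender, so SPF passes, but for the wrong domain.
    "forwarded, SRS, DKIM intact": ((True, "forwarder.example"), (True, "disroot.org")),
    "forwarded, SRS, DKIM broken": ((True, "forwarder.example"), (False, "disroot.org")),
}

def evaluate_all():
    return {name: dmarc_disposition(DMARC_RECORD, "disroot.org", spf, dkim)
            for name, (spf, dkim) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:32s} -> {result}")
```

With SRS the outcome is decided by DKIM alone: SPF passes for the rewritten envelope domain, but that domain never aligns with the "From" header field.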

