Page MenuHomePhabricator
Create Task
Maniphest T235401

Emails from discourse-mediawiki.wmflabs.org softfail SPF
Closed, DeclinedPublic
Actions

Description

So emails I get from discourse-mediawiki.wmflabs.org have an envelope sender of gmail.com (For VERP I guess. reply-to is also gmail so i guess all inbound mail is handled by gmail), but don't come from gmail. So they softfail SPF.

Example:

ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com does not designate 185.15.56.19 as permitted sender) smtp.mailfrom=discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com
Return-Path: <discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com>
Received: from mx-out02.wmflabs.org (instance-mx-out02.cloudinfra.wmflabs.org. [185.15.56.19])
        by mx.google.com with ESMTPS id d135si16525277qke.176.2019.10.13.22.37.34
        for <bawolff+wn@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sun, 13 Oct 2019 22:37:34 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com does not designate 185.15.56.19 as permitted sender) client-ip=185.15.56.19;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com does not designate 185.15.56.19 as permitted sender) smtp.mailfrom=discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com
Received: from discourse-mw.discourse.eqiad.wmflabs ([172.16.7.141]:59240 helo=localhost.localdomain) by mx-out02.wmflabs.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com>) id 1iJt30-0005Tt-N5 for bawolff+wn@gmail.com; Mon, 14 Oct 2019 05:37:34 +0000

This isn't the worst thing in the world, as most spam filters greylist. But it isn't exactly ideal.

Related Objects
Search...

Event Timeline

Bawolff created this task.Oct 14 2019, 6:20 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 14 2019, 6:20 AM
Qgil added a project: Space.Oct 14 2019, 10:01 AM
Qgil subscribed.

I wonder whether this is a Discourse problem or "just" a problem of our interim setup for our Discourse instances in wmflabs.org.

Both discourse-mediawiki.wmflabs.org and discuss-space.wmflabs.org use mx-out02.wmflabs.org for system notifications but they rely on GMAIL POP3 mailboxes for receiving incoming mail and handle special notifications.

The idea is to use a @wikimedia.org email address at the end (whether that mailbox would still use the GMail infrastructure, I don't know).

Qgil triaged this task as Low priority.Oct 14 2019, 10:01 AM
Bawolff added a comment.Oct 14 2019, 9:06 PM

If this is going to be merged in other discourse, i wouldnt worry about it (unless the other discourse has same problem).

Basically its not sent from gmail, but bounces are configured to go to gmail (envelope-sender), so antispam software may consider it fraudulant and mark as spam

Aklapper unsubscribed.Oct 31 2019, 10:16 AM
Qgil removed a project: Space.Feb 18 2020, 2:11 PM
bd808 mentioned this in T249114: E-mails from noreply@pypi.org to tools.pywikibot@tools.wmflabs.org are not forwarded to certain recipients due to SPF.Apr 1 2020, 9:23 PM
bd808 mentioned this in T249237: Fix Cloud VPS and Toolforge mail servers to work with the modern internet.Apr 2 2020, 4:36 PM
bd808 added a parent task: T249237: Fix Cloud VPS and Toolforge mail servers to work with the modern internet.Apr 2 2020, 7:54 PM
herron subscribed.Apr 27 2020, 9:42 PM
In T235401#5573687, @Bawolff wrote:

If this is going to be merged in other discourse, i wouldnt worry about it (unless the other discourse has same problem).

Has this already happened? And if so has this issue persisted?

If yes (and if discourse supports this configuration) it might be worth trying to send outbound mail using a wmflabs.org noreply from address and appending a reply-to header containing the desired gmail POP address (is that discourse.mediawiki@gmail.com?). That should avoid forging a gmail.com from address while directing replies to the desired POP inbox.

Qgil added a comment.Apr 28 2020, 8:49 AM

Hi @herron,

Has this [the merge] already happened?

Nope. It is being discussed at T247010: Clarify future of discourse-mediawiki.wmflabs.org: Make the website read-only.

aborrero subscribed.Apr 28 2020, 11:57 AM

Do we know if the software support the configuration change that @herron is suggesting? Could we try it regardless of fate of the project? (just for research/documentation/bugfixing purposes)

Peachey88 subscribed.May 2 2020, 2:35 AM
Aklapper closed this task as Declined.Sep 8 2020, 1:17 PM

discourse-mediawiki.wmflabs.org has been made read-only hence declining this task.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits