Page MenuHomePhabricator
Create Task
Maniphest T317574

Hide the client IP address in the SMTP Received header for authenticated relay clients
Closed, ResolvedPublic
Actions

Description

Emails that are sent via authenticated relay to the foundation are flagged as SPF softfail by google. This is due to how we relay emails to google.

[1] smtp auth -> [2] mx1001.wikimedia.org -> [3] google

This flow produces the following header:

Received: from [104.131.61.189] (port=56008 helo=mbuki-mvuki) by mx1001.wikimedia.org with esmtpsa
  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <qualtrics@wikimedia.org>) id 1oXqAN-001aL2-OT for jhathaway@wikimedia.org; Mon, 12 Sep 2022 20:36:27 +0000

Even though the [2] hop is allowed to send as wikimedia.org gmail flags the mail as a SOFTFAIL because hop [1] is not allowed to send as wikimedia.org according to our SPF record.

To avoid the softfail we should hide the IP address when an email arrives via authenticated SMTP.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
postfix: add sasl auth headeroperations/puppetproduction+7 -4
mail::mx: Modify the Received headeroperations/puppetproduction+20 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

jhathaway created this task.Sep 12 2022, 8:58 PM
jhathaway updated the task description. (Show Details)Sep 12 2022, 9:20 PM
gerritbot added a comment.Sep 12 2022, 9:24 PM

Change 831625 had a related patch set uploaded (by JHathaway; author: JHathaway):

[operations/puppet@production] mail::mx: Modify the Received header

https://gerrit.wikimedia.org/r/831625

gerritbot added a project: Patch-For-Review.Sep 12 2022, 9:24 PM
gerritbot added a comment.Sep 14 2022, 2:06 PM

Change 831625 merged by JHathaway:

[operations/puppet@production] mail::mx: Modify the Received header

https://gerrit.wikimedia.org/r/831625

TAndic added a comment.Sep 14 2022, 2:17 PM

@jhathaway confirming it worked! Sent you a test email as well in case you're curious/want to have the record.

jhathaway added a comment.Sep 14 2022, 2:18 PM
In T317574#8236259, @TAndic wrote:

@jhathaway confirming it worked! Sent you a test email as well in case you're curious/want to have the record.

great, thanks for the confirmation

Maintenance_bot removed a project: Patch-For-Review.Sep 14 2022, 2:30 PM
jhathaway closed this task as Resolved.Dec 4 2023, 4:04 PM
gerritbot added a comment.Apr 26 2024, 3:47 PM

Change #1024734 had a related patch set uploaded (by JHathaway; author: JHathaway):

[operations/puppet@production] postfix: add sasl auth header

https://gerrit.wikimedia.org/r/1024734

gerritbot added a project: Patch-For-Review.Apr 26 2024, 3:47 PM
gerritbot added a comment.May 6 2024, 2:53 PM

Change #1024734 merged by JHathaway:

[operations/puppet@production] postfix: add sasl auth header

https://gerrit.wikimedia.org/r/1024734

Maintenance_bot removed a project: Patch-For-Review.May 6 2024, 3:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits