[Box-Admins] Who has access to gandi?

Tobias Pape Das.Linux at gmx.de
Thu Jan 7 08:29:38 UTC 2016


Hi Levente,


Sorry, I had to copy this from the archive (http://lists.squeakfoundation.org/pipermail/box-admins/2016-January/002120.html)
because, as I said, I cannot get mail on my gmx account via the list.

> Hi Tobias,
> 
> Only the SFC has access to the admin panel.
> But such a record already exists:
>  	42.104.246.173.in-addr.arpa. 3600 IN	PTR	xvm-104-42.ghst.net.
> And it points back to the IP as well:
>  	xvm-104-42.ghst.net.	1200	IN	A	173.246.104.42
> So, unless the servers of gmx are misconfigured, such a change shouldn't 
> have any effect.

No, that won't work for two reasons.
First, Mailman (via qmail) names itself "box4.squeak.org"[1] in its HELO/EHLO 
phase but the PTR-RR says, as you stated, "xvm-104-42.ghst.net". 
This violates the SMTP RFC and hence we get blocked.
We _could_ make qmail advertise "xvm-104-42.ghst.net" but this does
not match our mx entries for squeakfoundation.org, and we would get blocked
because of that.

Second, GMX explicitly forbids "hoster-generated PTR-RR records"[2]:
	The delivering email server must have a static IP address. Additionally, 
	it has to be configured correctly and needs to provide a valid HELO, 
	as well as MX, A, and PTR resource records (reverse DNS entry). 
	>>The PTR-RR in particular must not correspond to the preset generic 
	record of the host.<<
(emphasis mine)
So we have to change.


> 
> What we could do is to set up a strict SPF record, because we don't want 
> any other sources to be considered valid senders by other mailservers. 
> I'm thinking about something like "v=spf1 mx -all".
> 

I did this already: 
squeakfoundation.org.	86396	IN	SPF	"v=spf3 mx a ptr ip4:173.246.104.42/32 a:box4.squeakfoundation.org a:box4.squeak.org include:squeak.org ~all"
squeakfoundation.org.	86400	IN	TXT	"v=spf1 mx a ptr ip4:173.246.104.42/32 a:box4.squeakfoundation.org a:box4.squeak.org include:squeak.org ~all"



Also I just found a Slack message from November that says:
[22:57] craig @group: Bradley Kuhn from SFC says that box4 could disappear at any time if Gandi doesn't renew the donation, so we should get set up with Tony at Rackspace ASAP.

I don't know what that means in terms of effort or in terms of other service support,
but I can imagine that setting up mailman again will be quite laborious.


Best regards
	-Tobias



[1]: that was "box4.squeakfoundation.org" until yesterday.
[2]: http://postmaster.gmx.com/en/email-policy/
> Levente
> 
> On Thu, 7 Jan 2016, Tobias Pape wrote:
> 
> > Hi all,
> >
> > who of the admins has access to the gandi control panel
> > for box4? we need to set the RR-PTR for box4 so that,
> > finally, GMX allows us to send mail again.
> > I'd suggest putting
> > 	box4.squeak.org
> > in there.
> >
> > Please reply directly, I cannot get ml-mail via GMX *grml*
> >
> > best regards
> > 	-Tobias
> >
> 
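
The three configurations discussed in this thread, run through the checks a receiving mail server might apply (forward-confirmed PTR, HELO matching the PTR name, no hoster-preset PTR). This is an added example, not part of the original messages. The DNS data is a constructed snapshot, the A record for box4.squeak.org is an assumption, and the generic-PTR heuristic is hypothetical, not GMX's actual test.

```python
import re

# Constructed snapshot of DNS data (no live lookups). The xvm-104-42.ghst.net
# record is quoted in the thread; the box4.squeak.org A record is an assumption.
IP = "173.246.104.42"
A_RECORDS = {
    "xvm-104-42.ghst.net": {IP},   # from the thread
    "box4.squeak.org": {IP},       # assumed to resolve to box4's address
}

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def looks_generic(ptr, ip):
    """Hypothetical heuristic: a PTR whose first label embeds two or more
    octets of the address is treated as a hoster-preset name."""
    octets = set(ip.split("."))
    tokens = re.findall(r"\d+", norm(ptr).split(".")[0])
    return sum(t in octets for t in tokens) >= 2

def check_sender(ip, helo, ptr, a_records):
    """Return the list of findings for one sending host."""
    if ptr is None:
        return ["no-ptr"]
    findings = []
    if ip not in a_records.get(norm(ptr), set()):
        findings.append("ptr-not-forward-confirmed")
    if norm(helo) != norm(ptr):
        findings.append("helo-ptr-mismatch")
    if looks_generic(ptr, ip):
        findings.append("generic-ptr")
    return findings

def scenarios():
    """The state described in the thread and the two proposed changes."""
    generic = "xvm-104-42.ghst.net."
    return {
        "current": check_sender(IP, "box4.squeak.org", generic, A_RECORDS),
        "helo-renamed": check_sender(IP, "xvm-104-42.ghst.net", generic, A_RECORDS),
        "ptr-changed": check_sender(IP, "box4.squeak.org", "box4.squeak.org.", A_RECORDS),
    }

if __name__ == "__main__":
    for name, findings in scenarios().items():
        print(f"{name:13} {findings or 'ok'}")
```

Only the "ptr-changed" scenario, with the PTR set to box4.squeak.org, comes back clean; renaming the HELO alone still leaves the generic PTR finding.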

