[Box-Admins] Who has access to gandi?

Levente Uzonyi leves at caesar.elte.hu
Thu Jan 7 15:33:40 UTC 2016


Hi Tobias,

On Thu, 7 Jan 2016, Tobias Pape wrote:

> Hi Levente,
>
>
> Sorry, I had to copy this from the archive (http://lists.squeakfoundation.org/pipermail/box-admins/2016-January/002120.html)
> because, as I said, I cannot get mail on my gmx account via the list.

My bad, sorry.

>
>> Hi Tobias,
>>
>> Only the SFC has access to the admin panel.
>> But such record already exists:
>>  	42.104.246.173.in-addr.arpa. 3600 IN	PTR	xvm-104-42.ghst.net.
>> And it points back to the IP as well:
>>  	xvm-104-42.ghst.net.	1200	IN	A	173.246.104.42
>> So, unless the servers of gmx are misconfigured, such change shouldn't
>> have any effect.
>
> No, that won't work for two reasons.
> First, Mailman (via qmail) names itself "box4.squeak.org"[1] in its HELO/EHLO
> phase but the PTR-RR says, as you stated, "xvm-104-42.ghst.net".
> This violates the SMTP RFC and hence we get blocked.
> We _could_ make qmail advertise "xvm-104-42.ghst.net" but this does
> not match our mx entries for squeakfoundation.org, and we would get blocked
> because of that.
>
> Second, GMX explicitly forbids "hoster-generated PTR-RR records"[2]:
> 	The delivering email server must have a static IP address. Additionally,
> 	it has to be configured correctly and needs to provide a valid HELO,
> 	as well as MX, A, and PTR resource records (reverse DNS entry).
> 	>>The PTR-RR in particular must not correspond to the preset generic
> 	record of the host.<<
> (emphasis mine)
> So we have to change.

The best is to ask Bradley to change it.

>
>
>>
>> What we could do is to set up a strict SPF record, because we don't want
>> any other sources to be considered valid senders by other mailservers.
>> I'm thinking about something like "v=spf1 mx -all".
>>
>
> I did this already:
> squeakfoundation.org.	86396	IN	SPF	"v=spf3 mx a ptr ip4:173.246.104.42/32 a:box4.squeakfoundation.org a:box4.squeak.org include:squeak.org ~all"
> squeakfoundation.org.	86400	IN	TXT	"v=spf1 mx a ptr ip4:173.246.104.42/32 a:box4.squeakfoundation.org a:box4.squeak.org include:squeak.org ~all"

Cool.
According to Wikipedia, ptr has been deprecated and should not be used.
I'm not sure about the use of softfail (~) either.

>
>
>
> Also I just found a Slack message from November that says:
> [22:57] craig @group: Bradley Kuhn from SFC says that box4 could disappear at any time if Gandi doesn't renew the donation, so we should get set up with Tony at Rackspace ASAP.

That would be pretty bad. We should find out the current status.

>
> I don't know what that means in terms of effort or in terms of other service support,
> but I can imagine that setting up mailman again will be quite laborious.

Tons of work.

Levente

>
>
> Best regards
> 	-Tobias
>
>
>
> [1]: that was "box4.squeakfoundation.org" until yesterday.
> [2]: http://postmaster.gmx.com/en/email-policy/
>> Levente
>>
>> On Thu, 7 Jan 2016, Tobias Pape wrote:
>>
>>> Hi all,
>>>
>>> who of the admins has access to the gandi control panel
>>> for box4? we need to set the RR-PTR for box4 so that,
>>> finally, GMX allows us to send mail again.
>>> I'd suggest putting
>>> 	box4.squeak.org
>>> in there.
>>>
>>> Please reply directly, I cannot get ml-mail via GMX *grml*
>>>
>>> best regards
>>> 	-Tobias
>>>
>>
>
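
The checks discussed in this thread (PTR/A/HELO consistency, a hoster-generated PTR, and the SPF points about `ptr` and `~all`), as an added example that is not part of the original messages. The record values are copied from the thread; the `looks_generic` heuristic and the post-change A record for box4.squeak.org are assumptions made for illustration.

```python
import re

# Values copied from the thread; embedded as static data so this runs offline.
IP = "173.246.104.42"
GENERIC_PTR = "xvm-104-42.ghst.net"
HELO = "box4.squeak.org"
SPF_TXT = ("v=spf1 mx a ptr ip4:173.246.104.42/32 a:box4.squeakfoundation.org "
           "a:box4.squeak.org include:squeak.org ~all")

def looks_generic(ptr, ip):
    # Heuristic (assumption, not GMX's published test): the first label
    # embeds two or more of the IP's octets, as hoster-preset names do.
    nums = set(re.findall(r"\d+", ptr.split(".")[0]))
    return len(nums & set(ip.split("."))) >= 2

def check_sender(ip, helo, ptr_map, a_map):
    """Return the policy problems for one sending IP, given DNS answers."""
    ptr = ptr_map.get(ip)
    if ptr is None:
        return ["no PTR record"]
    findings = []
    if ip not in a_map.get(ptr, []):
        findings.append("PTR is not forward-confirmed by an A record")
    if helo.rstrip(".").lower() != ptr.rstrip(".").lower():
        findings.append("HELO name differs from PTR name")
    if looks_generic(ptr, ip):
        findings.append("PTR looks hoster-generated")
    return findings

def lint_spf(record):
    """Flag the SPF issues raised in the thread."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["version tag is not v=spf1, receivers ignore the record"]
    findings = []
    mechanisms = [re.split(r"[:/]", t.lstrip("+-~?"))[0] for t in terms[1:]]
    if "ptr" in mechanisms:
        findings.append("ptr mechanism, RFC 7208 says SHOULD NOT be published")
    if terms[-1] == "~all":
        findings.append("~all is softfail, -all is the strict form")
    return findings

if __name__ == "__main__":
    print(check_sender(IP, HELO, {IP: GENERIC_PTR}, {GENERIC_PTR: [IP]}))
    # Assumed state after the requested change: PTR and A both name box4.squeak.org.
    print(check_sender(IP, HELO, {IP: HELO}, {HELO: [IP]}))
    print(lint_spf(SPF_TXT))
    print(lint_spf("v=spf1 mx -all"))
```
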

