
Email delivery issues from tate.softwareheritage.org (phabricator, mediawikis) to GMail
Open, High, Public

Description

Emails from phabricator or mediawiki to addresses at gmail.com that haven't been contacted before seem to not be reaching their recipients (tested by adding my own gmail.com address to this phabricator account).

GMail has recently started bouncing emails for SPF failures or lack of valid DKIM signature, so that's probably what is happening to us.

Phabricator sends its emails using phabricator@tate.softwareheritage.org as envelope sender/return path, and forge@softwareheritage.org as From field.

  • tate.softwareheritage.org is not set up to receive (or send) emails: no SMTP server, no MX record, no SPF record. This means that we're not receiving any bounces (pretty bad), and the SPF can't validate (meh, but now becoming pretty bad too)
  • softwareheritage.org has no DKIM signing setup. It has an SPF record which only includes mailchimp (meh) and neutralizes other senders.

This combination means that phabricator mail can be rejected by stringent mail hosts, and spammed by others (no SPF, and no DKIM fallback on SPF mismatch).

We should work on the following items to improve our email deliverability:

  • review return path of all emails generated on SWH servers to make sure that it is eventually a deliverable email address.
  • improve the SPF records of softwareheritage.org (at least include the Inria and Gandi MXes as positive SPF matches)
  • consider introducing DKIM signing for emails From: xxx@softwareheritage.org outbound from our own servers (probably by routing all outbound emails through a central mail server, instead of throwing them at the Inria SMTP server, and implementing outbound DKIM signing there).
  • when DKIM signing is implemented, provide an outbound email service to SWH staff so that their softwareheritage.org emails get DKIM-signed (*ugh*)
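To make the SPF side of the description concrete, here is a small SPF evaluator (RFC 7208 semantics for the ip4/ip6, a, mx, include and all mechanisms) run against an in-memory DNS table. This is an added example, not part of the task or of Software Heritage's infrastructure code. The table is constructed to mirror the situation described above: no SPF record at tate.softwareheritage.org, and a softwareheritage.org record that only includes Mailchimp and is neutral for everyone else. The only value taken from this task is the Gandi relay IP 217.70.183.200 quoted in the bounce below; the include target, the Inria relay hostname, the MX name and the other IPs are assumptions.

```python
"""Tiny SPF (RFC 7208) evaluator run against an in-memory DNS table.

Added example for this task, not Software Heritage code. The zone
below is constructed to mirror the description: tate.softwareheritage.org
has no SPF record, and softwareheritage.org has a record that only
includes Mailchimp and is neutral for every other sender. The include
target, hostnames and IPs other than the Gandi relay address quoted
in the bounce are assumptions, not the real records.
"""
import ipaddress

# Constructed zone: name -> record type -> values.
ZONE = {
    "softwareheritage.org": {
        "TXT": ["v=spf1 include:servers.mcsv.net ?all"],   # assumed current record
        "MX": ["mail.gandi.net"],                             # assumed Gandi MX
    },
    "tate.softwareheritage.org": {"A": ["192.0.2.10"]},       # no TXT, no MX
    "servers.mcsv.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ?all"]},  # stand-in for Mailchimp
    "mail.gandi.net": {"A": ["217.70.183.200"]},              # relay IP from the bounce
    "mail-relay.inria.fr": {"A": ["203.0.113.5"]},            # assumed Inria outbound relay
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addresses(zone, name):
    return {ipaddress.ip_address(a) for a in zone.get(name, {}).get("A", [])}


def check_host(ip, domain, zone, depth=0):
    """Return the SPF result for a message from `ip` whose envelope sender
    (return path) is in `domain`: none, pass, fail, softfail, neutral or permerror."""
    if depth > 10:                     # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    records = [t for t in zone.get(domain, {}).get("TXT", [])
               if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not records:
        return "none"                  # no record: the receiver cannot authenticate the sender
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = addr in _addresses(zone, arg or domain)
        elif mech == "mx":
            matched = any(addr in _addresses(zone, mx)
                          for mx in zone.get(arg or domain, {}).get("MX", []))
        elif mech == "include":
            inner = check_host(ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"     # RFC 7208 s5.2: a missing included record is an error
            matched = inner == "pass"
        else:
            return "permerror"         # redirect=, exp=, ptr, exists: not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                   # ran off the end without a match


CURRENT_RECORD = "v=spf1 include:servers.mcsv.net ?all"
# What the description asks for: Gandi MX, Inria relay and the Phabricator
# host as positive matches, and a hard fail for everyone else.
IMPROVED_RECORD = ("v=spf1 include:servers.mcsv.net mx "
                   "a:mail-relay.inria.fr a:tate.softwareheritage.org -all")


def evaluate_for_swh(record, ip):
    """Evaluate `ip` against `record` as if published at softwareheritage.org."""
    zone = dict(ZONE)
    zone["softwareheritage.org"] = dict(ZONE["softwareheritage.org"], TXT=[record])
    return check_host(ip, "softwareheritage.org", zone)


if __name__ == "__main__":
    print("phabricator return path (tate):",
          check_host("192.0.2.10", "tate.softwareheritage.org", ZONE))
    for label, rec in (("current", CURRENT_RECORD), ("improved", IMPROVED_RECORD)):
        for ip in ("217.70.183.200", "203.0.113.5", "198.51.100.7", "198.18.0.1"):
            print(f"{label:8s} {ip:15s} -> {evaluate_for_swh(rec, ip)}")
```

Running it shows the three states the description complains about: "none" for the tate.softwareheritage.org return path (no record at all, so nothing for the receiver to check), "neutral" for the Gandi relay under the current softwareheritage.org record (the "?all" neutralizes every sender that is not Mailchimp, which is exactly the "no SPF" situation from the receiver's point of view), and "pass" for the Gandi and Inria relays once they are listed as positive matches, with "-all" turning unknown senders into a hard fail.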

Event Timeline

olasd triaged this task as High priority. Mar 9 2022, 11:17 AM
olasd created this task.

Mail redirection of @softwareheritage.org is also broken, at least for ardumont: P1308. It still worked on 2022-03-02.

I've tried adding gandi and inria's outbound mail servers to @softwareheritage.org's SPF records.

I don't think there's any chance this will fix Gandi's redirects, as they don't use @softwareheritage.org in their return-path, they pass through what they receive unchanged.

To "solve" the redirect issue would need some form of SRS implemented, so that softwareheritage.org would only send emails with a return-path it controls, but last I had checked there weren't many implementations of that around...
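For the SRS point in the comment above, here is what a forwarder at softwareheritage.org would do to the envelope sender of a redirected message, and how it unwraps a bounce later. This is an added example, not part of the task and not Software Heritage's or Gandi's code. It implements the SRS0 layout (SRS0=HASH=TT=original-domain=original-local@forwarder); the secret, the 4-character HMAC truncation, the 21-day acceptance window and the sample address are this example's assumptions. The day number 19216 used in the demo corresponds to 2022-08-12, the date of the bounce quoted further down in this task.

```python
"""Sender Rewriting Scheme (SRS0) for mail forwarded by softwareheritage.org.

Added example for this task, not Software Heritage or Gandi code. A
forwarder that re-sends a gmail.com message unchanged keeps the gmail.com
return path, so the receiving host checks gmail.com's SPF against the
forwarder's IP and fails it. SRS instead rewrites the return path to an
address under the forwarding domain that encodes the original sender,
and unwraps it when a bounce comes back. The layout
SRS0=HASH=TT=domain=local@forwarder follows the published scheme; the
secret, the 4-character hash and the 21-day window are assumptions.
"""
import base64
import hashlib
import hmac
import time

FORWARDER = "softwareheritage.org"
SECRET = b"example-secret-keep-in-config"   # assumption: the real secret lives in MTA config
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                             # bounces to older addresses are refused


def _today():
    return int(time.time() // 86400)


def _timestamp(day):
    """Two base32 characters carrying the day number modulo 1024."""
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def _hash(ts, domain, local):
    """Truncated HMAC over the rewritten fields, so nobody can mint SRS addresses."""
    msg = f"{ts}{domain}{local}".lower().encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest()).decode()[:4]


def srs_forward(sender, day=None):
    """Rewrite the envelope sender of a message we are about to forward."""
    local, _, domain = sender.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an address: {sender!r}")
    if local.upper().startswith(("SRS0=", "SRS1=")):
        # Re-forwarding an already rewritten address needs SRS1; not modelled here.
        raise ValueError("already SRS-rewritten")
    ts = _timestamp(_today() if day is None else day)
    return f"SRS0={_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDER}"


def srs_reverse(address, day=None):
    """Turn a bounce recipient back into the original sender, or raise ValueError."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != FORWARDER:
        raise ValueError("not our forwarding domain")
    parts = local.split("=", 4)
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    _, digest, ts, orig_domain, orig_local = parts
    if len(ts) != 2 or any(c not in BASE32 for c in ts.upper()):
        raise ValueError("malformed timestamp")
    if not hmac.compare_digest(digest, _hash(ts, orig_domain, orig_local)):
        raise ValueError("hash mismatch: forged address or rotated secret")
    ts_day = (BASE32.index(ts[0].upper()) << 5) | BASE32.index(ts[1].upper())
    today = _today() if day is None else day
    if (today - ts_day) % 1024 > MAX_AGE_DAYS:
        raise ValueError("address too old to accept a bounce for")
    return f"{orig_local}@{orig_domain}"


if __name__ == "__main__":
    # Day 19216 is 2022-08-12, the date of the bounce quoted in this task.
    rewritten = srs_forward("bettygorf@gmail.com", day=19216)
    print("forwarder sends MAIL FROM:", rewritten)
    print("bounce unwraps to:", srs_reverse(rewritten, day=19216 + 1))
```

The point of the rewrite is that the return path seen by gmail-smtp-in is now under softwareheritage.org, so the SPF check is made against softwareheritage.org's record (where the Gandi relay can be listed) instead of gmail.com's. The HMAC and timestamp are what stop the forwarding domain from becoming an open bounce relay: a bounce to an address with a bad hash, or to one older than the window, is rejected instead of being unwrapped and re-sent to an arbitrary third party.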

Here is the email notification received from a bouncing email.
This email was received by Elisabetta when sending an email from Elisabetta.mori@softwareheritage.org to morane@softwareheritage.org:

---------- Forwarded message ---------
From: Mail Delivery System <MAILER-DAEMON@relay7-d.mail.gandi.net>
Date: Fri 12 Aug 2022 at 11:29
Subject: Undelivered Mail Returned to Sender
To: <bettygorf@gmail.com>


This is the mail system at host relay7-d.mail.gandi.net.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<morane.gg@gmail.com>: host gmail-smtp-in.l.google.com[142.251.5.27] said:
    550-5.7.26 This message does not pass authentication checks (SPF and DKIM
    both 550-5.7.26 do not pass). SPF check for [gmail.com] does not pass with
    ip: 550-5.7.26 [217.70.183.200].To best protect our users from spam, the
    message 550-5.7.26 has been blocked. Please visit 550-5.7.26
    https://support.google.com/mail/answer/81126#authentication for more 550
    5.7.26 information. 10-20020a056000154a00b00222c2996050si1313578wry.1010 -
    gsmtp (in reply to end of DATA command)