Telefonica emails bouncing.

RESOLVED WONTFIX

Infrastructure & Operations, Infrastructure: Mail
Severity: major
(Reporter: w0ts0n, Unassigned)

(Reporter)

Description

4 years ago
We received this email from David:

Hi, 

I'm David Palomino, I'm not sure if you are the ones who usually have to deal with these issues (if it's not the case, sorry about that).

It seems that we're rejecting any mails coming from @telefonica.com (and that's a big problem, as they are our main partners for FxOS). I've checked this with several colleagues in TEF, and all with the same result.

I'm copying and pasting below the info provided by SMTP server from TEF. If you are not responsible for checking this, please just let me know how to raise this.

Thanks a lot!
David


Información de diagnóstico para los administradores:
 
Generando servidor: smtptc.telefonica.com
 
dpalomino@mozilla.com
mozilla.com.s5a1.psmtp.com #<mozilla.com.s5a1.psmtp.com #5.0.0 smtp; 550 Sender Authorization check failed - psmtp> #SMTP#
 
Encabezados de mensajes originales:
 
Return-Path: <cristina.helguerasanchez@telefonica.com>
Received: from smtptc.telefonica.com (unknown [127.0.0.1])      by IMSVA (Postfix)
 with ESMTP id 2DCB288192        for <dpalomino@mozilla.com>; Wed, 10 Sep 2014
 11:58:02 +0200 (CEST)
Received: from ESTGVMSP101.EUROPE.telefonica.corp (unknown [10.92.4.9]) (using
 TLSv1 with cipher AES128-SHA (128/128 bits))    (No client certificate
 requested)      by smtptc.telefonica.com (Postfix) with ESMTPS id 12CF88816E    for
 <dpalomino@mozilla.com>; Wed, 10 Sep 2014 11:58:02 +0200 (CEST)
Received: from ESTGVMSP234.EUROPE.telefonica.corp
 ([fe80::709b:af58:f600:5455]) by ESTGVMSP101.EUROPE.telefonica.corp
 ([fe80::dcb3:36c9:e979:754d%11]) with mapi id 14.03.0146.002; Wed, 10 Sep
 2014 11:57:58 +0200
From: CRISTINA HELGUERA SANCHEZ <cristina.helguerasanchez@telefonica.com>
To: David Palomino <dpalomino@mozilla.com>
Subject: Draft agenda workshop
Thread-Topic: Draft agenda workshop
Thread-Index: Ac/M3O0VZvOxwCkVTFCLBCehOfcAaQAAJ5rA
Date: Wed, 10 Sep 2014 09:57:57 +0000
Message-ID: <7671CF9B5992944CA8B5C90A2E15BB952EC3D88F@ESTGVMSP234.EUROPE.telefonica.corp>
Accept-Language: es-ES, en-US
Content-Language: es-ES
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.92.4.9]
Content-Type: multipart/alternative;
        boundary="_000_7671CF9B5992944CA8B5C90A2E15BB952EC3D88FESTGVMSP234EURO_"
MIME-Version: 1.0
X-TM-AS-MML: No

I am investigating, but could someone look at this as a matter of urgency, since they are a large partner of Mozilla?
(Reporter)

Updated

4 years ago
Severity: normal → major
(Reporter)

Comment 1

4 years ago
"Another delivery report just 3 minutes ago: 

Reporting-MTA: dns; smtpar4.telefonica.com
X-Postfix-Queue-ID: 6E8B4160173
X-Postfix-Sender: rfc822; simon.callan@telefonica.com
Arrival-Date: Wed, 10 Sep 2014 09:23:48 -0300 (ART)

Final-Recipient: rfc822; dpalomino@mozilla.com
Original-Recipient: rfc822;dpalomino@mozilla.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; mozilla.com.s5a1.psmtp.com
Diagnostic-Code: smtp; 550 Sender Authorization check failed - psmtp

But with other Telefonica users it's working now (but with different MTA). "
(Reporter)

Comment 3

4 years ago
Dave, is there anything we can do to allow these emails through our Postini checks?
(In reply to Ryan Watson [:w0ts0n] from comment #3)
> Dave, is there anything we can do to allow these emails through our Postini
> checks?

I don't think we can without completely disabling SPF checks, which I wouldn't recommend.

(In reply to Ryan Watson [:w0ts0n] from comment #1)
> But with other Telefonica users it's working now (but with different MTA).

^^^^ this is a big clue.  The sender is using an unauthorized MTA, the users who have it working are using the correct one.
https://support.google.com/a/answer/4568483?hl=en

They need to eliminate one of those two SPF records, or combine them both into the same one.
So to summarize, now that I've thoroughly confused people as I posted stuff here as I found it, here's the real problem:

The problem is in telefonica.com's DNS.  They have 2 SPF records.  One of them matches the IP they're sending from, the other doesn't.  You're only allowed to have one.  Whichever one it finds first will get used. This means their mail will be randomly failing depending on the order the records are returned (which are returned at random by the nameserver).

The correct fix is to combine the two SPF records.  Right now they have:

telefonica.com descriptive text "v=spf1 mx ip4:158.230.100.102 ip4:200.81.36.136/31 ip4:200.81.42.136/31 ip4:200.106.240.18/31 ip4:200.106.242.18/31 ip4:200.205.95.100/31 ip4:200.51.236.83/31 ip4:81.47.204.76 ip4:195.76.34.108 ip4:200.81.36.15 ip4:194.224.58.62 ?all"
telefonica.com descriptive text "v=spf1 include:spf.protection.outlook.com -all"

They need to be combined into

telefonica.com descriptive text "v=spf1 mx ip4:158.230.100.102 ip4:200.81.36.136/31 ip4:200.81.42.136/31 ip4:200.106.240.18/31 ip4:200.106.242.18/31 ip4:200.205.95.100/31 ip4:200.51.236.83/31 ip4:81.47.204.76 ip4:195.76.34.108 ip4:200.81.36.15 ip4:194.224.58.62 include:spf.protection.outlook.com ?all"

Perhaps with the "?all" being a "-all" at the end instead, that choice would be up to them.

There is nothing else we can do on our end, they need to fix their DNS.
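
An added example, not part of the original comment: a Python check that runs over the two TXT records quoted above, flags the duplicate (RFC 7208 section 4.5 defines more than one SPF record as a permerror), and builds the combined record. The function names and the sender address 200.51.236.82 are constructed for illustration; only ip4 terms are evaluated, since mx and include need live DNS.

```python
import ipaddress

# The two TXT records for telefonica.com, as quoted in the comment above.
TXT_RECORDS = [
    "v=spf1 mx ip4:158.230.100.102 ip4:200.81.36.136/31 ip4:200.81.42.136/31 "
    "ip4:200.106.240.18/31 ip4:200.106.242.18/31 ip4:200.205.95.100/31 "
    "ip4:200.51.236.83/31 ip4:81.47.204.76 ip4:195.76.34.108 ip4:200.81.36.15 "
    "ip4:194.224.58.62 ?all",
    "v=spf1 include:spf.protection.outlook.com -all",
]

def spf_records(txt_records):
    """Keep only TXT strings that are SPF records (version tag "v=spf1")."""
    return [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]

def lookup_status(txt_records):
    """RFC 7208 section 4.5: no record is "none", more than one is "permerror"."""
    count = len(spf_records(txt_records))
    return "none" if count == 0 else "ok" if count == 1 else "permerror"

def merge(txt_records, all_term="?all"):
    """Fold the mechanisms of every SPF record into one record.

    Each record's own "all" term is dropped; the closing qualifier is the
    domain owner's decision and is passed in as all_term.
    """
    terms = []
    for record in spf_records(txt_records):
        for term in record.split()[1:]:
            is_all = term.lstrip("+-~?").lower() == "all"
            if not is_all and term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms, all_term])

def ip4_match(record, sender_ip):
    """Return the first ip4 mechanism in record covering sender_ip, else None."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.lower().startswith("ip4:"):
            # strict=False accepts entries like 200.51.236.83/31 (host bit set)
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return term
    return None

if __name__ == "__main__":
    print(lookup_status(TXT_RECORDS))
    print(merge(TXT_RECORDS))
    # 200.51.236.82 is a constructed sender address, not taken from the bounce.
    for record in TXT_RECORDS:
        print(ip4_match(record, "200.51.236.82"))
```
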
(Reporter)

Comment 11

4 years ago
Thanks Dave. I'll see if I can get in contact with their IT team and pass the bug along.
Thanks a lot Dave and Ryan! I'll send this info to their IT team. 

Is it ok to cc them here in this bug?

Cheers!
David
Yes.
(Reporter)

Updated

4 years ago
Group: mozilla-employee-confidential
(Reporter)

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WONTFIX
Hi, 

Just fyi, TEF originating mails are not being bounced right now, so working fine :-)

Thanks a lot to all of you for your help!
David