Set up A-based SPF for tools.wmflabs.org
Closed, Declined · Public

Description

Currently, the SPF record reads

v=spf1 mx -all

which requires that every mail sender can also receive mail. For testing, it would be very convenient to have a server that can send mail, but that does not receive external mail yet. For this purpose, I created a new subdomain

mailsender.tools.wmflabs.org

which has an A record for both mail servers (208.80.155.162/mailrelay-02 and 208.80.155.188/mail). The SPF record can then be adjusted to

v=spf1 a:mailsender.tools.wmflabs.org -all

or

v=spf1 a:mailsender.tools.wmflabs.org mx -all

Testing with http://www.kitterman.com/spf/validate.html indicates this works correctly.
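The difference between the `mx` and `a:` records discussed in the description, as an added example (not part of the original task or the project's configuration): a minimal evaluator for the `a`, `mx` and `all` mechanisms, run against constructed DNS data. The two IP addresses and the `mailsender` name come from the description; the MX target name `mail.tools.wmflabs.org` and the assumption that only that host is published as MX are hypothetical.

```python
import ipaddress

# Constructed zone data (assumption): only the "mail" host is an MX target;
# mailsender.tools.wmflabs.org has A records for both servers, as in the task.
ZONE = {
    ("tools.wmflabs.org", "MX"): ["mail.tools.wmflabs.org"],  # hypothetical MX name
    ("mail.tools.wmflabs.org", "A"): ["208.80.155.188"],
    ("mailsender.tools.wmflabs.org", "A"): ["208.80.155.162", "208.80.155.188"],
}

CURRENT = "v=spf1 mx -all"
PROPOSED = "v=spf1 a:mailsender.tools.wmflabs.org -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get((name.lower().rstrip("."), rtype), [])

def check_spf(record, domain, sender_ip):
    """Evaluate the a, mx and all mechanisms of an SPF record (RFC 7208 subset)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, target = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "a":
            hosts = [target or domain]          # A records of the named host
        elif mech == "mx":
            hosts = lookup(target or domain, "MX")  # A records of each MX target
        else:
            return "permerror"  # mechanism not handled in this subset
        addrs = {ipaddress.ip_address(a) for h in hosts for a in lookup(h, "A")}
        if ip in addrs:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

if __name__ == "__main__":
    for record in (CURRENT, PROPOSED):
        for ip in ("208.80.155.162", "208.80.155.188", "192.0.2.10"):
            print(f"{record!r:50} {ip:16} {check_spf(record, 'tools.wmflabs.org', ip)}")
```

Under these assumptions the send-only relay fails the `mx` record and passes the `a:` record, while an unrelated address fails both because of `-all`.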

Event Timeline

valhallasw raised the priority of this task from to Needs Triage.
valhallasw updated the task description.
valhallasw added a project: Toolforge.
valhallasw subscribed.
Restricted Application added a subscriber: Aklapper.
valhallasw triaged this task as Medium priority. Aug 2 2015, 1:12 PM
coren removed coren as the assignee of this task. Nov 17 2015, 2:42 PM

This needs to be revisited once the LDAP backend has changed (since the opendj schema does not properly allow TXT records in domain entries)

What's the ETA for the LDAP backend change? I'm also confused why this is
blocking changing the current record -- that record got in there somehow?
Keep in mind this is a blocker for the backup mail server.

The LDAP servers have been migrated to OpenLDAP and the dnsdomain2 schema is now supported. Let me know if anything needs to be changed on the OpenLDAP side of the new labs LDAP servers.

Note LDAP is now irrelevant here as we're using Designate instead.

Using Designate, projectadmins should be able to edit DNS records like this whenever they want.

This was part of an implementation of T96299: Move tools-mail to trusty, T97574: Provision and test tools-mailrelay-02 et al., but the implementation got stalled for various reasons. I don't think I'm going to come back to it anytime soon, and a new implementation might choose a different approach -- so closing this for now.