Page MenuHomePhabricator
Create Task
Maniphest T116806

phabricator.wikimedia.org has no SPF record
Closed, ResolvedPublic
Actions

Description

Per T54556, T115416#1735435

Details

SubjectRepoBranchLines +/-
Add SPF record to phabricator.wikimedia.orgoperations/dnsmaster+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Nemo_bis created this task.Oct 27 2015, 7:10 PM
Nemo_bis raised the priority of this task from to High.
Nemo_bis updated the task description. (Show Details)
Nemo_bis added projects: Mail, DNS.
Nemo_bis added subscribers: Legoktm, MoritzMuehlenhoff, Quiddity and 20 others.
Quiddity unsubscribed.Oct 27 2015, 7:24 PM
Aklapper raised the priority of this task from High to Needs Triage.Oct 28 2015, 12:31 PM
Aklapper triaged this task as High priority.
Aklapper added a project: Phabricator.
Aklapper set Security to None.

I don't see how this has gotten (more) urgent recently. Could you elaborate?

nshahquinn-wmf unsubscribed.Dec 8 2015, 11:40 PM
Aklapper added a project: Traffic.Feb 23 2016, 6:12 PM
Restricted Application added a project: SRE. · View Herald TranscriptFeb 23 2016, 6:12 PM
gerritbot subscribed.Mar 31 2016, 10:25 AM

Change 280644 had a related patch set uploaded (by Mschon):
added SPF record to phabricator.wikimedia.org

https://gerrit.wikimedia.org/r/280644

gerritbot added a project: Patch-For-Review.Mar 31 2016, 10:25 AM
BBlack added subscribers: chasemp, BBlack.Apr 6 2016, 6:30 PM

So, the gerrit change is held up on comments about mx ?all vs mx -all. Are we confident phab emails only come from our mxes? ping @chasemp and/or @faidon? If so, mx -all is probably better.

Qgil unsubscribed.Apr 6 2016, 7:59 PM
chasemp added a comment.Apr 7 2016, 1:02 PM

@BBlack -- I hope this is what you are asking for, but our server using our mx's is the only valid source of a phabricator.wikimedia.org email.

We use the normal list of smart hosts:

https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/modules/role/manifests/phabricator/main.pp;03892b1108ab95d1d45a579ae0164dd673eac535$50

BBlack added a comment.Apr 7 2016, 1:10 PM

ok, so we should amend the patch to use -all and merge that

faidon added a comment.Apr 7 2016, 1:51 PM

-all, like other antispam features (DMARC etc.) works poorly with mailing lists/reforwarders. If we're sure that there aren't any Phabricator emails directed to mailing lists, go for it.

greg added a comment.Apr 7 2016, 3:33 PM

Unless some team has a team list specified for their team project contact (I highly highly doubt it), the only thing I know of is/was wikibugs-l, which isn't used anymore (see: http://blog.gmane.org/gmane.org.wikimedia.mediawiki.bugs, for some reason https://lists.wikimedia.org/mailman/listinfo/wikibugs-l doesn't have a visible archive).

Can you think of any, @Aklapper ?

Nemo_bis added a comment.Apr 7 2016, 4:53 PM

http://markmail.org/search/?q=from%3Aphabricator.wikimedia.org is empty, unlike http://markmail.org/search/?q=from%3Agerrit.wikimedia.org , so the main mailing lists are unaffected. Monthly statistics https://lists.wikimedia.org/pipermail/wikitech-l/2016-April/085151.html use a @wikimedia.org address so that's probably the standard to follow in any case.

Aklapper added a comment.Apr 8 2016, 10:50 AM
In T116806#2186995, @greg wrote:

Unless some team has a team list specified for their team project contact (I highly highly doubt it), the only thing I know of is/was wikibugs-l, which isn't used anymore (see: http://blog.gmane.org/gmane.org.wikimedia.mediawiki.bugs, for some reason https://lists.wikimedia.org/mailman/listinfo/wikibugs-l doesn't have a visible archive).

Can you think of any, @Aklapper ?

If I understand the question correctly:

BBlack added a comment.Apr 12 2016, 9:15 PM

I'm confused - I think the last message above indicates we *do* have phab sending emails to mailing lists, which means we should use ?all, but the latest update to https://gerrit.wikimedia.org/r/#/c/280644/ is a switch to -all?

greg added a comment.Apr 12 2016, 9:17 PM

Right. Based on (at least?) those 3 accounts -> mailing lists, I guess we should use ?all.

scfc added a comment.Apr 12 2016, 11:18 PM

Sending mails to mailing lists shouldn't matter as those rewrite the envelope header. The problem lies with forwarders that don't do that, for example Toolforge: If I would use scfc@tools.wmflabs.org for my Phabricator account, it would be delivered by the Toolforge mail server without any authority of phabricator.wikimedia.org (cf. T120225). IMVHO using such dumb forwarders is a behaviour that should be discouraged and not worked around.

Dzahn subscribed.EditedMay 5 2016, 5:14 AM

ping, we need reviews for https://gerrit.wikimedia.org/r/#/c/280644/ scfc's comment might mean a -1, i don't know personally, i just want to say a reply of any kind on Gerrit would be great.

Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptMay 5 2016, 5:14 AM
Nemo_bis added a comment.May 7 2016, 9:18 AM

IMVHO using such dumb forwarders is a behaviour that should be discouraged

How common is such a forwarding mechanism? Email aliases are common, if the exim default is to be "dumb" then let's use ?all.

BBlack added a comment.May 7 2016, 2:44 PM

Even if we can't come to a firm consensus on which of ?all or -all is the most-appropriate setting, I think both sides of that debate would agree that ?all is better than no SPF record at all. Perhaps we should amend to that and merge for now, and then debate upgrading to -all separately.

Platonides subscribed.May 9 2016, 11:12 PM

@scfc in that case, your server should not reject based on SPF for accounts that you forwared there. There are many ways to treat SPF, the most versatile when you simply annotate then filter into spam.

The proper policy is -all IMHO

gerritbot added a comment.May 10 2016, 10:54 AM

Change 280644 merged by Faidon Liambotis:
Add SPF record to phabricator.wikimedia.org

https://gerrit.wikimedia.org/r/280644

Dzahn closed this task as Resolved.May 10 2016, 5:53 PM
Dzahn claimed this task.

Now it has an SPF record.

;; QUESTION SECTION:
;phabricator.wikimedia.org.	IN	TXT

;; ANSWER SECTION:
phabricator.wikimedia.org. 3600	IN	TXT	"v=spf1 mx -all"
Dzahn reassigned this task from Dzahn to Mschon.May 10 2016, 5:53 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits