Page MenuHomePhabricator
Create Task
Maniphest T208281

Set up SPF, DKIM, etc. for new cloud MX servers
Closed, ResolvedPublic
Actions

Description

Follow-up from T41785

Related Objects
Search...

Event Timeline

Krenair created this task.Oct 30 2018, 12:35 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 30 2018, 12:35 AM
Krenair added a subtask: T41785: Create a Cloud VPS SMTP smarthost.Oct 30 2018, 12:36 AM
Krenair added a comment.Oct 30 2018, 12:41 AM

Current wmflabs.org TXT is v=spf1 mx ?all, with MX records pointing at the prod MXes - I doubt those prod MXes can handle inbound mail for labs right now so I wonder why they're there.
we should probably fix that

Krenair added a project: Mail.Oct 30 2018, 12:43 AM
Krenair added a subscriber: faidon.
In T208281#4704984, @Krenair wrote:

I doubt those prod MXes can handle inbound mail for labs right now so I wonder why they're there.

although this happened and I have no idea why: https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/293057/ - do you remember @faidon?

faidon added a comment.Oct 30 2018, 11:03 AM

Yes, this was because of T137160. wmflabs.org inbound emails are being handled by prod MXes right now, with only a handful of aliases being defined.

Krenair added a subscriber: herron.Oct 30 2018, 11:55 AM

Thanks, had forgotten about that. So I guess we'd need to make mx-in servers too...

faidon added a comment.Oct 30 2018, 12:59 PM

Not necessarily! For what we're currently doing -just aliasing a handful of aliases to a few people- I think it's fine as it is (but if the cloud admin team wants that separate for some reason, that's their call of course). We're not crossing any prod/WMCS barriers as it is, so I don't consider this a security issue.

If at some point in the future we want to do smarter things like dynamic lookups to OpenStack APIs or LDAP to route inbound emails to WMCS project owners or stuff like that (similar to what tools.wmflabs.org's MX does right now) then it would probably be a good idea to split it up to its own thing.

Krenair added a comment.Oct 30 2018, 2:25 PM
In T208281#4706016, @faidon wrote:

We're not crossing any prod/WMCS barriers as it is

I suppose we can infer from this that the private aliases entries for wmflabs.org don't send off to any other labs mail servers in a way that wouldn't be permitted to other random internet servers.

In T208281#4706016, @faidon wrote:

If at some point in the future we want to do smarter things like dynamic lookups to OpenStack APIs or LDAP to route inbound emails to WMCS project owners or stuff like that (similar to what tools.wmflabs.org's MX does right now) then it would probably be a good idea to split it up to its own thing.

Yeah.

Krenair added a comment.Oct 30 2018, 2:28 PM

So to me it sounds like we have to keep the MX record pointing at prod and set the SPF TXT record to:
v=spf1 mx ip4:185.15.56.18 ip4:185.15.56.19 ?all
(I don't think there's a way to include mx-out01/mx-out02 by name instead of IP without using MX?)

herron added a comment.Nov 2 2018, 8:08 PM
In T208281#4706209, @Krenair wrote:

So to me it sounds like we have to keep the MX record pointing at prod and set the SPF TXT record to:
v=spf1 mx ip4:185.15.56.18 ip4:185.15.56.19 ?all

Looks good to me

herron moved this task from Backlog to In Progress on the Mail board.Nov 2 2018, 8:09 PM
Krenair added a comment.Nov 2 2018, 8:12 PM
In T208281#4717077, @herron wrote:
In T208281#4706209, @Krenair wrote:

So to me it sounds like we have to keep the MX record pointing at prod and set the SPF TXT record to:
v=spf1 mx ip4:185.15.56.18 ip4:185.15.56.19 ?all

Looks good to me

Thanks, record updated.

Stashbot subscribed.Nov 2 2018, 8:12 PM

Mentioned in SAL (#wikimedia-cloud) [2018-11-02T20:12:27Z] <Krenair> Updated TXT record for T208281 - just added the new mx-out IPs

herron moved this task from In Progress to Radar on the Mail board.Nov 9 2018, 9:33 PM
herron closed subtask T41785: Create a Cloud VPS SMTP smarthost as Resolved.Nov 26 2018, 9:05 PM
GTirloni triaged this task as Medium priority.Mar 21 2019, 8:12 PM
GTirloni added a project: cloud-services-team (Kanban).
bd808 mentioned this in T249114: E-mails from noreply@pypi.org to tools.pywikibot@tools.wmflabs.org are not forwarded to certain recipients due to SPF.Apr 1 2020, 9:23 PM
bd808 mentioned this in T249237: Fix Cloud VPS and Toolforge mail servers to work with the modern internet.Apr 2 2020, 4:36 PM
bd808 added a parent task: T249237: Fix Cloud VPS and Toolforge mail servers to work with the modern internet.Apr 2 2020, 7:54 PM
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM
AntiCompositeNumber subscribed.Oct 6 2021, 3:45 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 9:44 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
Stashbot added a comment.Jul 4 2023, 12:32 PM

Mentioned in SAL (#wikimedia-cloud) [2023-07-04T12:32:28Z] <taavi> configure DKIM signing for wmflabs.org and wmcloud.org on mx-out servers T208281

taavi closed this task as Resolved.Jul 4 2023, 1:19 PM
taavi claimed this task.
taavi subscribed.

I'm tentatively closing this. The mx-out servers now DKIM sign outgoing e-mails. In addition, there's now a SPF policy for wmcloud.org which allows WMF production networks and the mx-out floating IPs and softfails everything else.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits