| Status | Assigned | Task |
|---|---|---|
| Open | None | T249237 Fix Cloud VPS and Toolforge mail servers to work with the modern internet |
| Open | None | T208281 Set up SPF, DKIM, etc. for new cloud MX servers |
| Resolved | herron | T41785 Create a Cloud VPS SMTP smarthost |
| Resolved | bd808 | T174618 Request creation of project-smtp VPS project |
| Resolved | herron | T206261 Routing RFC1918 private IP addresses to/from WMCS floating IPs |
Mentioned In:
- T249237: Fix Cloud VPS and Toolforge mail servers to work with the modern internet
- T249114: E-mails from email@example.com to firstname.lastname@example.org are not forwarded to certain recipients due to SPF

Mentioned Here:
- T137160: Outgoing mail to wikimedia.org not working on new labs instance
- T41785: Create a Cloud VPS SMTP smarthost
Current wmflabs.org TXT is v=spf1 mx ?all, with MX records pointing at the prod MXes - I doubt those prod MXes can handle inbound mail for labs right now so I wonder why they're there.
We should probably fix that.
Not necessarily! For what we're currently doing, just aliasing a handful of aliases to a few people, I think it's fine as it is (but if the cloud admin team wants that separate for some reason, that's their call of course). We're not crossing any prod/WMCS barriers as it is, so I don't consider this a security issue.
If at some point in the future we want to do smarter things like dynamic lookups to OpenStack APIs or LDAP to route inbound emails to WMCS project owners or stuff like that (similar to what tools.wmflabs.org's MX does right now) then it would probably be a good idea to split it up to its own thing.
I suppose we can infer from this that the private aliases entries for wmflabs.org don't send off to any other labs mail servers in a way that wouldn't be permitted to other random internet servers.
So to me it sounds like we have to keep the MX record pointing at prod and set the SPF TXT record to:
v=spf1 mx ip4:184.108.40.206 ip4:220.127.116.11 ?all
(I don't think there's a way to include mx-out01/mx-out02 by name instead of IP without using MX?)
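To make the effect of the proposed record concrete, here is an added example (not code from this task or from Wikimedia) that evaluates an SPF record against a sending IP using a small in-memory DNS table. The table is constructed: the production MX hostnames and the mx-out01/mx-out02 hostnames are placeholders under `example.invalid`, and the mx-out addresses reuse the two IPs quoted above. The evaluator handles the `mx`, `ip4` and `all` mechanisms used in the record plus the `a` mechanism from RFC 7208, which is a generalization beyond the record itself.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed, in-memory DNS table.

Added example; not code from the task or from Wikimedia. Nothing here does a
live DNS lookup: the tables below are constructed to mirror the setup discussed
above (wmflabs.org with MX records pointing at the production mail exchangers).
"""
import ipaddress

# Constructed DNS data. Hostnames are placeholders (assumption); the two
# mx-out addresses are the ones quoted in the proposed record.
DNS_A = {
    "mx1001.example.invalid": ["192.0.2.10"],   # placeholder prod MX
    "mx2001.example.invalid": ["192.0.2.20"],   # placeholder prod MX
    "mx-out01.example.invalid": ["184.108.40.206"],
    "mx-out02.example.invalid": ["220.127.116.11"],
}
DNS_MX = {
    "wmflabs.org": ["mx1001.example.invalid", "mx2001.example.invalid"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

CURRENT_RECORD = "v=spf1 mx ?all"
PROPOSED_RECORD = "v=spf1 mx ip4:184.108.40.206 ip4:220.127.116.11 ?all"


def _split_term(term):
    """Split a directive into (result-if-matched, mechanism name, argument)."""
    qualifier = "+"                      # RFC 7208: a missing qualifier means "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return QUALIFIERS[qualifier], name.lower(), arg


def _host_matches(ip, hostname):
    """True if any A record of hostname equals the sending IP."""
    return any(ip == ipaddress.ip_address(a) for a in DNS_A.get(hostname, []))


def evaluate_spf(record, domain, sender_ip):
    """Return the SPF result for sender_ip under record published by domain.

    Possible results: pass, fail, softfail, neutral, none, permerror.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        result, name, arg = _split_term(term)
        if name == "all":
            return result
        if name == "ip4":
            # A bare address is treated as a /32 by ip_network.
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "mx":
            # Match the sending IP against the A records of each MX host.
            for host in DNS_MX.get(arg or domain, []):
                if _host_matches(ip, host):
                    return result
        elif name == "a":
            # Match against the A records of the named host (or the domain itself).
            if _host_matches(ip, arg or domain):
                return result
        else:
            return "permerror"           # unknown mechanism (RFC 7208 section 4.6.4)
    return "neutral"                     # nothing matched and no "all" term


def compare_records(domain, sender_ip):
    """Evaluate both the current and the proposed record for one sender."""
    return {
        "current": evaluate_spf(CURRENT_RECORD, domain, sender_ip),
        "proposed": evaluate_spf(PROPOSED_RECORD, domain, sender_ip),
    }


if __name__ == "__main__":
    for ip in ("184.108.40.206", "192.0.2.10", "203.0.113.5"):
        print(ip, compare_records("wmflabs.org", ip))
```

Running it shows the point of the change: mail from the mx-out addresses is "neutral" under the current `mx ?all` record (the record says nothing about them) and "pass" under the proposed one, while the production MX hosts pass under both via the `mx` mechanism and an unrelated address stays "neutral" because of `?all`.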