Page MenuHomePhabricator
Create Task
Maniphest T352902

enable lists.wikimedia.org or wikimedia.org email addresses to receive dmarc reports for *.wmflabs.org
Closed, DeclinedPublic
Actions

Description

In T347512: Some emails from The Wikipedia Library aren't being received as expected we configured dmarc for the twl.wmflabs.org zone which we manage ourselves. However, we're currently not able to receive dmarc reports from email providers since we've only implemented outbound email via the cloud vps relays. An external destination verification record could enable lists.wikimedia.org or wikimedia.org addresses to receive dmarc reports for *.wmflabs.org. Something like

*.wmflabs.org._report._dmarc.wikimedia.org.		60	IN	TXT	"v=DMARC1"

or maybe

*.wmflabs.org._report._dmarc.lists.wikimedia.org.	60	IN	TXT	"v=DMARC1"

should enable us to set one of our email addresses as the dmarc report recipient for the twl.wmflabs.org zone.

Related Objects

Event Timeline

jsn.sherman created this task.Dec 6 2023, 6:44 PM
Restricted Application added subscribers: Sadads, Aklapper. · View Herald TranscriptDec 6 2023, 6:44 PM
jsn.sherman mentioned this in T347512: Some emails from The Wikipedia Library aren't being received as expected.Dec 6 2023, 6:45 PM
jsn.sherman renamed this task from enable lists.wikimedia.org or wikimedia.org addresses to receive dmarc reports for *.wmflabs.org to enable lists.wikimedia.org or wikimedia.org email addresses to receive dmarc reports for *.wmflabs.org.Dec 6 2023, 6:55 PM
herron added subscribers: jhathaway, MoritzMuehlenhoff, herron.Dec 6 2023, 8:55 PM

In cases where outbound mail delivery is important basic inbound mail handling should be configured for the (sub)domain and any from addresses too, this way things like bounces, messages to abuse@, callbacks, dmarc, etc can be properly handled.

Even in the case of a noreply@ address it will be better for that address to successfully deliver mail to /dev/null or :blackhole: than to have users to receive a bounce to the effect of Message not delivered Your message couldnt be delivered to noreply@twl.wmflabs.org because the remote server is misconfigured.

cc @jhathaway @MoritzMuehlenhoff

Samwalton9-WMF subscribed.Dec 6 2023, 9:17 PM
jsn.sherman added a comment.Dec 6 2023, 10:27 PM

For inbound mail delivery: What are our options that avoid exposing an unmaintained mail server to the Internet? Internal mail routing config, Split DNS, etc?

jijiki triaged this task as Medium priority.Dec 7 2023, 4:10 PM
jijiki removed a project: SRE.
jhathaway added a comment.Dec 8 2023, 6:34 PM

@herron & @jsn.sherman what do you think about the following:

Email
DMARC:
  • adkim=s, strict, allowing a match on the fully qualified domain of of the RFC5322.From(twl.wmflabs.org) and the dkim domain key d=twl.wmflabs.org
  • aspf, SPF will fail, since twl.wmflabs.org is not authorized to send as wmflabs.org in its RFC5321.MailFrom

Messages should still pass dmarc, since adkim should pass

Glossary
  • RFC5321.MailFrom, SMTP protocol level From
  • RFC5322.From, From in email body
jsn.sherman changed the task status from Open to In Progress.Dec 11 2023, 3:09 PM
jsn.sherman claimed this task.
jsn.sherman added a project: Moderator-Tools-Team (Kanban).
In T352902#9393485, @jhathaway wrote:

@herron & @jsn.sherman what do you think about the following:

Email
DMARC:
  • adkim=s, strict, allowing a match on the fully qualified domain of of the RFC5322.From(twl.wmflabs.org) and the dkim domain key d=twl.wmflabs.org
  • aspf, SPF will fail, since twl.wmflabs.org is not authorized to send as wmflabs.org in its RFC5321.MailFrom

Messages should still pass dmarc, since adkim should pass

Glossary
  • RFC5321.MailFrom, SMTP protocol level From
  • RFC5322.From, From in email body

Thanks for the suggestion! It seems reasonable to me. Our smtp class isn't currently setup for that, but we're already extending it for dkim, so I'll try adding in mailfrom and see how it looks in our staging environment.

jsn.sherman moved this task from Ready to In Progress on the Moderator-Tools-Team (Kanban) board.Dec 11 2023, 3:09 PM
jsn.sherman added a comment.Dec 11 2023, 6:51 PM

It's looking pretty good to me on staging:

Original Message
Message ID	<170232041148.496.15449658617977877352@d8809f1bfd60>
Created at:	Mon, Dec 11, 2023 at 12:46 PM (Delivered after 0 seconds)
From:		Wikipedia Library Card Staging <staging@twl.wmflabs.org>
To:		***@gmail.com
Subject:	New comment on your Wikipedia Library application
SPF:		PASS with IP 185.15.56.18 Learn more
DKIM:		'PASS' with domain twl.wmflabs.org Learn more
Authentication-Results: mx.google.com;
       dkim=neutral (no key) header.i=@twl.wmflabs.org header.s=wmcs header.b=GVmvX11v;
       dkim=pass header.i=@twl.wmflabs.org header.s=staging header.b="P5m08mQ/";
       spf=pass (google.com: domain of bounce@wmflabs.org designates 185.15.56.18 as permitted sender) smtp.mailfrom=bounce@wmflabs.org

If this solves the return path concern, we'll get it put into production.

jsn.sherman moved this task from In Progress to Code review on the Moderator-Tools-Team (Kanban) board.Dec 11 2023, 7:06 PM

PR here:
https://github.com/WikipediaLibrary/TWLight/pull/1237

taavi subscribed.Dec 11 2023, 7:13 PM

bounces@wmflabs.org does not seem to exist in the aliases file or route anywhere else.

taavi@mx1001 ~ $ sudo exim4 -bt bounces@wmflabs.org
bounces@wmflabs.org is undeliverable: Address bounces@wmflabs.org does not exist

What's exactly the intention with that? Any new names should preferrably use wmcloud.org instead of wmflabs.org and bounces@ seems very generic so I'd rather not add any special configuration for that for a single project.

jsn.sherman added a comment.Dec 11 2023, 7:41 PM
In T352902#9397617, @taavi wrote:

bounces@wmflabs.org does not seem to exist in the aliases file or route anywhere else.
[...]

bounce@wmflabs.org was the address suggested by @jhathaway and is what I tested. Does that exist already, or it also not a thing?

taavi added a comment.Dec 12 2023, 2:29 PM

No, that's not configured either.

jsn.sherman added a comment.Dec 12 2023, 4:55 PM

hmm; I see that exim is configured to use root@wmcloud.org, which is what I see when I test with the mail command. Would that resolve the return path concern?

jsn.sherman added a comment.Dec 14 2023, 6:30 PM
In T352902#9400607, @jsn.sherman wrote:

hmm; I see that exim is configured to use root@wmcloud.org, which is what I see when I test with the mail command. Would that resolve the return path concern?

In the absence of feedback, I'm going to go ahead with this change since I believe it is an improvement over an non-existent sender address.

Scardenasmolinar moved this task from Code review to QA on the Moderator-Tools-Team (Kanban) board.Dec 18 2023, 3:08 PM
jsn.sherman closed this task as Declined.Dec 19 2023, 7:35 PM

The original request for an EDV record has not been addressed so I'm marking this as declined, as it seems that it has been in practice.
If somebody knowledgeable on this topic thinks fulfilling the original request is reasonable, please feel free to reopen.

jsn.sherman moved this task from QA to Done on the Moderator-Tools-Team (Kanban) board.Dec 19 2023, 8:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL