Page MenuHomePhabricator
Create Task
Maniphest T422559

@wikimedia.org email addresses don't seem to be receiving emails sent by the test Phabricator instance
Open, LowPublicBUG REPORT
Actions

Description

Follow-up to T388022: Phabricator test project requires email verification but can't send email

Prior to T388022 being resolved, the Phabricator test-instance at https://phabricator.wmcloud.org couldn't send any emails at all (I believe), due to attempting to send them from a subdomain of .wmcloud.org that hadn't been configured for sending email (xref T388022#11233132).

Now, the test Phabricator instance can send at-least some email (addressed from phabricator-no-reply@wmcloud.org), but two separate individuals with email addresses ending in @wikimedia.org have confirmed that account-confirmation emails from the test-instance don't seem to be arriving in those email accounts (Dzahn in T388022#11783879, & Raine in #wikimedia-tech).

This task is to figure out why this is happening, and to try and fix it :D

Related Objects

Event Timeline

A_smart_kitten created this task.Tue, Apr 7, 9:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptTue, Apr 7, 9:07 PM
A_smart_kitten added a project: collaboration-services.Tue, Apr 7, 9:07 PM

I am tagging collaboration-services for your information only, feel free to triage as you see fit :)

A_smart_kitten mentioned this in T388022: Phabricator test project requires email verification but can't send email.Tue, Apr 7, 9:08 PM
taavi subscribed.Tue, Apr 7, 9:21 PM

Seems like mx-in*.wikimedia.org do not like these emails for whatever reason:

2026-04-07 19:39:51 1wACH9-00BqE5-1C ** phabricator-no-reply@wmcloud.org R=dnslookup_unsigned T=remote_smtp_unsigned H=mx-in2001.wikimedia.org [208.80.153.75] I=[172.16.2.248] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=yes DN="CN=mx-in1001.wikimedia.org": SMTP error from remote mail server after RCPT TO:<phabricator-no-reply@wmcloud.org>: 550 5.1.1 <phabricator-no-reply@wmcloud.org>: Recipient address rejected: User unknown in relay recipient table DT=0s
jeremyb subscribed.Tue, Apr 7, 10:42 PM
In T422559#11796709, @taavi wrote:

Seems like mx-in*.wikimedia.org do not like these emails for whatever reason

my first guess/interpretation without digging too hard is the destination MX is sending a new SMTP connection back to the no-reply address (maybe because envelope-from or from) and the wmcloud.org MX is saying it doesn't exist so then the original connection is rejected too.

see https://dev.to/sofiatarhonska/how-to-verify-email-address-without-sending-an-email-10jp#email-box-pinging

Peachey88 added a project: Mail.Wed, Apr 8, 12:26 AM
Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptWed, Apr 8, 12:26 AM
ABran-WMF moved this task from Incoming to Consultation on the collaboration-services board.Wed, Apr 8, 6:51 AM
ABran-WMF subscribed.
A_smart_kitten renamed this task from The test Phabricator instance doesn't seem to be successfully sending emails to @wikimedia.org addresses to @wikimedia.org email addresses don't seem to be receiving emails sent by the test Phabricator instance.Wed, Apr 8, 11:18 AM
A_smart_kitten added a subscriber: jhathaway.EditedWed, Apr 8, 11:43 AM

Yeah, I guess it seems like this might potentially be being caused by Wikimedia's production mail infra somewhere.

FWIW, these are some sample headers from an email the test-instance might send (as extracted from an email it sent to me the other day). [If SREs would like to examine a fuller version of an email's headers, let me know.]

Date: Sun, 5 Apr 2026 07:24:23 +0000
To: Phabricator <phabricator-no-reply@wmcloud.org>
From: a_smart_kitten__test <phabricator-no-reply@wmcloud.org>
Cc: [my email address]
Reply-to: a_smart_kitten__test
 <T178+public+a082557452deb877@phabricator.wmcloud.org>
Subject: [Maniphest] [Commented On] T178: test task with other assignee set

[Having the To: header be the no-reply email address itself seems interesting; but IIUC this is the same as what production-Phabricator does, and it seems like it's (somewhat) documented in upstream's docs.]

From doing some searching, I found the patch 'postfix: verify recipients when possible' (for T325406) from July 2024, which seems like it might be what's causing Wikimedia's MX servers to reject these emails from the test Phab instance. cc @jhathaway FYI / in case you have any thoughts.

I guess one way of solving this might be to add wmcloud.org to profile::postfix::mx::unverifiable_domains (& maybe also wmflabs.org, for completeness). But I don't know enough about this configuration to currently know e.g. whether that'd be a good way of solving this.
(It might be worth noting that phabricator.wikimedia.org is already listed under that Hiera key.)

Nintendofan885 updated the task description. (Show Details)Thu, Apr 9, 1:56 PM
LSobanski triaged this task as Low priority.Mon, Apr 13, 2:28 PM
Latkdo subscribed.Wed, Apr 15, 10:09 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits