
Mails through deployment-mx SPF & DKIM fails
Closed, Resolved · Public

Description

Currently we have the deployment wiki (deployment-mediawiki02.eqiad.wmflabs) sending out mails through our new deployment-mx (deployment-mx.eqiad.wmflabs). Currently, it fails the SPF test with the following message (on Gmail):

Received: from deployment-mx.eqiad.wmflabs ([208.80.155.193])
        by mx.google.com with ESMTP id vf16si6663448igb.43.2015.01.21.09.04.45
        for <01tonythomas@gmail.com>;
        Wed, 21 Jan 2015 09:04:45 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning 01tonythomas@gmail.com does not designate 208.80.155.193 as permitted sender) client-ip=208.80.155.193;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning 01tonythomas@gmail.com does not designate 208.80.155.193 as permitted sender) smtp.mail=01tonythomas@gmail.com;
       dkim=fail header.i=@wikimedia.org;
       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com

Currently only deployment-prep instances use deployment-mx, as per https://github.com/wikimedia/operations-puppet/blob/2356ee6e3155a5a486452c9e37e6ff2a2f891e49/manifests/realm.pp#L166
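As an added illustration (not part of the ticket), here is a small Python parser for the Gmail headers quoted above. It pulls the per-method verdicts out of the Authentication-Results header and reports which domain each check was evaluated against: SPF against the envelope sender domain (smtp.mail, here gmail.com), DKIM against the signing domain (header.i, here wikimedia.org) and DMARC against the From: domain (header.from, here gmail.com). That is what makes the verdict readable: neither authenticating method passed, and neither one's domain matches the From: domain, so DMARC cannot pass. The sample input is the header block from the description; the alignment check is written for strict alignment and is a simplification of the full DMARC rules.

```python
import re

# Delivery headers quoted in the task description (the Gmail-side view of a
# message relayed by deployment-mx), embedded here as the sample input.
SAMPLE_HEADERS = """\
Received: from deployment-mx.eqiad.wmflabs ([208.80.155.193])
        by mx.google.com with ESMTP id vf16si6663448igb.43.2015.01.21.09.04.45
        for <01tonythomas@gmail.com>;
        Wed, 21 Jan 2015 09:04:45 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning 01tonythomas@gmail.com does not designate 208.80.155.193 as permitted sender) client-ip=208.80.155.193;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning 01tonythomas@gmail.com does not designate 208.80.155.193 as permitted sender) smtp.mail=01tonythomas@gmail.com;
       dkim=fail header.i=@wikimedia.org;
       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
"""


def unfold(raw):
    """Join RFC 5322 folded continuation lines onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_authentication_results(raw):
    """Parse the Authentication-Results header (RFC 8601 shape) into
    {'authserv_id': ..., '<method>': {'result': ..., 'props': {...}}}."""
    for line in unfold(raw):
        if line.lower().startswith("authentication-results:"):
            body = line.split(":", 1)[1]
            break
    else:
        return {}
    body = re.sub(r"\([^)]*\)", "", body)  # drop the free-text comments
    parts = [p.strip() for p in body.split(";")]
    results = {"authserv_id": parts[0]}
    for part in parts[1:]:
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:])
        results[method.lower()] = {"result": result.lower(), "props": props}
    return results


def alignment_report(results):
    """Map each method to (verdict, domain it was evaluated against)."""
    report = {}
    if "spf" in results:
        envelope = results["spf"]["props"].get("smtp.mail", "")
        report["spf"] = (results["spf"]["result"], envelope.rpartition("@")[2])
    if "dkim" in results:
        signer = results["dkim"]["props"].get("header.i", "")
        report["dkim"] = (results["dkim"]["result"], signer.rpartition("@")[2])
    if "dmarc" in results:
        report["dmarc"] = (results["dmarc"]["result"],
                           results["dmarc"]["props"].get("header.from", ""))
    return report


def aligned(report):
    """Strict-alignment view of DMARC: SPF or DKIM must pass *and* the domain
    it passed for must equal the From: domain."""
    from_domain = report.get("dmarc", ("", ""))[1]
    return any(
        verdict == "pass" and domain == from_domain
        for verdict, domain in (report.get("spf", ("", "")),
                                report.get("dkim", ("", "")))
    )


if __name__ == "__main__":
    rep = alignment_report(parse_authentication_results(SAMPLE_HEADERS))
    for method, (verdict, domain) in rep.items():
        print(f"{method}: {verdict} (evaluated for {domain})")
    print("DMARC-aligned pass:", aligned(rep))
```

Run against the quoted headers it prints softfail for gmail.com, fail for wikimedia.org, fail for gmail.com and no aligned pass; feed it a header from a relay whose envelope sender, signing domain and From: domain all agree and `aligned` returns True.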

Event Timeline

01tonythomas raised the priority of this task from to Needs Triage.
01tonythomas updated the task description. (Show Details)
01tonythomas added subscribers: 01tonythomas, Jgreen, faidon and 2 others.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Jan 21 2015, 5:10 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: acl*security.

Are SPF and DKIM set at all for labs? It's probably better to test this on testwiki.

At any rate, this is not a security issue.

greg triaged this task as Low priority. Jan 29 2015, 5:34 PM
greg removed a project: acl*security.
greg changed Security from Software security bug to None.
greg moved this task from To Triage to Backlog on the Beta-Cluster-Infrastructure board.
greg subscribed.

Setting to Low priority because I'm not sure how much of a pain this would be to Do Right in Beta Cluster (versus just testing that in production).

@faidon: thoughts on payoff/cost for setting up SPF/DKIM for the Beta Cluster mx?

Krenair changed the visibility from "Custom Policy" to "Public (No Login Required)". Apr 10 2016, 3:32 AM
Krenair changed the edit policy from "Custom Policy" to "All Users".

I should probably add an SPF record allowing this host to send mail.

I've added SPF and DMARC (p=none) records. Haven't done DKIM yet.

Alright, so I had some run-ins with Designate while trying to do DKIM (it turns out you can't use a 2048-bit RSA key because that puts your public key over a length limit - it looks like prod is on 1024-bit anyway - and you just get HTTP 500s when making the DNS change, and semicolons in records lead to broken DNS responses), but I do have a working DNS record now. I just need to puppetise the exim config change to set the domain name.
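The length limit mentioned above is, in DNS terms, the 255-octet maximum of one RFC 1035 character-string inside a TXT record; a base64-encoded 2048-bit RSA public key is 392 characters, so the usual DKIM p= tag does not fit in a single string, whereas a 1024-bit key (216 characters) does. The standard zone-file way round this is to publish the value as several quoted strings, which resolvers concatenate. The Python below is an added example, not code from the ticket or from operations-puppet: it builds the DKIM TXT value, splits it at the string limit and emits a zone-file line. The public key bytes are a constructed placeholder of the correct DER length (a real deployment encodes the actual key); the selector/domain pairing `wikimedia._domainkey.beta.wmflabs.org` is assumed from names mentioned later in the thread. Whether a particular DNS API accepts multi-string TXT values is that API's own matter and is not tested here.

```python
import base64

# DER length of an RSA SubjectPublicKeyInfo (exponent 65537), the form DKIM
# publishes base64-encoded in the p= tag.
SPKI_DER_LEN = {1024: 162, 2048: 294}
TXT_STRING_LIMIT = 255  # RFC 1035 <character-string>: at most 255 octets


def placeholder_spki_b64(bits):
    """Constructed placeholder: base64 text of the same length a real key of
    this size produces. Replace with the real public key in practice."""
    return base64.b64encode(b"\x00" * SPKI_DER_LEN[bits]).decode()


def dkim_txt_value(pubkey_b64, key_type="rsa"):
    """The logical TXT value; the semicolons are part of the DKIM tag syntax."""
    return f"v=DKIM1; k={key_type}; p={pubkey_b64}"


def split_txt(value, limit=TXT_STRING_LIMIT):
    """Split a TXT value into character-strings of at most `limit` octets.
    DKIM records are ASCII, so byte and character boundaries coincide."""
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def fits_single_string(bits):
    """True if a DKIM record for an RSA key of this size fits one TXT string."""
    return len(dkim_txt_value(placeholder_spki_b64(bits))) <= TXT_STRING_LIMIT


def zone_line(selector, domain, value):
    """Zone-file representation with each string quoted; a resolver joins them."""
    strings = " ".join('"' + s.replace('"', '\\"') + '"' for s in split_txt(value))
    return f"{selector}._domainkey.{domain}. IN TXT {strings}"


if __name__ == "__main__":
    for bits in (1024, 2048):
        value = dkim_txt_value(placeholder_spki_b64(bits))
        print(f"{bits}-bit: {len(value)} chars, "
              f"{len(split_txt(value))} string(s), "
              f"single-string OK: {fits_single_string(bits)}")
    print(zone_line("wikimedia", "beta.wmflabs.org",
                    dkim_txt_value(placeholder_spki_b64(2048))))
```

For the 1024-bit case the whole record is 234 characters and needs one string; the 2048-bit record is 410 characters and is emitted as a 255-character string followed by a 155-character one.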

Change 439791 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] exim: Permit DKIM domain to be changed by hiera

https://gerrit.wikimedia.org/r/439791

Gmail is now showing, with that cherry-picked (+labs/private puppetmaster local addition):
SPF: PASS with IP 208.80.155.138
DKIM: 'PASS' with domain beta.wmflabs.org

Need to look into wikimedia vs. wiki-mail selector - haven't made a key for wiki-mail yet.

Edit: Not entirely convinced I'll be able to get wikimedia vs. wiki-mail set up exactly like prod inside the labs network - it seems to care about interfaces and public IPs and things, which we probably can't do until we have neutron.

Change 439791 merged by Herron:
[operations/puppet@production] exim: Permit DKIM domain to be changed by hiera

https://gerrit.wikimedia.org/r/439791

And actually something I heard the other day made it sound like we may not be able to do that by default with our neutron setup either.

Krenair claimed this task.

Anyway, although we may struggle to make beta behaviour exactly mirror prod, the initial purpose of this ticket is fulfilled: mail from beta passes SPF and DKIM.