Mails through deployment-mx SPF & DKIM fails
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	01tonythomas
	Jan 21 2015, 5:09 PM

Description

Currently we have deployment wiki ( deployment-mediawiki02.eqiad.wmflabs ) sending out mails through our new deployment-mx ( deployment-mx.eqiad.wmflabs ). Currently, it fails the SPF test with the following message ( on gmail )

Received: from deployment-mx.eqiad.wmflabs ([208.80.155.193])
        by mx.google.com with ESMTP id vf16si6663448igb.43.2015.01.21.09.04.45
        for <01tonythomas@gmail.com>;
        Wed, 21 Jan 2015 09:04:45 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning 01tonythomas@gmail.com does not designate 208.80.155.193 as permitted sender) client-ip=208.80.155.193;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning 01tonythomas@gmail.com does not designate 208.80.155.193 as permitted sender) smtp.mail=01tonythomas@gmail.com;
       dkim=fail header.i=@wikimedia.org;
       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com

Currently only deployment-prep instance use deployment-mx as per https://github.com/wikimedia/operations-puppet/blob/2356ee6e3155a5a486452c9e37e6ff2a2f891e49/manifests/realm.pp#L166

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	exim: Permit DKIM domain to be changed by hiera	operations/puppet	production	+7 -6

Customize query in gerrit

Related Objects

Mentioned In: T249237: Fix Cloud VPS and Toolforge mail servers to work with the modern internet
T249114: E-mails from noreply@pypi.org to tools.pywikibot@tools.wmflabs.org are not forwarded to certain recipients due to SPF
T203036: Designate/pdns breaks at semicolons in DNS record TXT values
T203035: Designate DNS TXT records max length is 255 chars (Horizon reports vague "Error: Unable to create the record set.")

Event Timeline

01tonythomas created this task.Jan 21 2015, 5:09 PM

01tonythomas raised the priority of this task from to Needs Triage.

01tonythomas updated the task description. (Show Details)

01tonythomas added projects: acl*sre-team, Beta-Cluster-Infrastructure.

01tonythomas added subscribers: 01tonythomas, Jgreen, faidon and 2 others.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 21 2015, 5:09 PM

01tonythomas set Security to Software security bug.Jan 21 2015, 5:10 PM

Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJan 21 2015, 5:10 PM

Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript

Restricted Application added a project: acl*security. · View Herald Transcript

Krenair subscribed.Jan 21 2015, 5:29 PM

Are SPF and DKIM set at all for labs? It's probably better to test this on testwiki.

At any rate, this is not a security issue.

Setting to Low priority because I'm not sure how much of a pain this would be to Do Right in Beta Cluster (versus just testing that in production).

@faidon: thoughts on payoff/cost for setting up SPF/DKIM for the Beta Cluster mx?

Krenair changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 10 2016, 3:32 AM

Krenair changed the edit policy from "Custom Policy" to "All Users".

Is this still current?

Probably, I should probably add an SPF record allowing this host to send mail

I've added SPF and DMARC (p=none) records. Haven't done DKIM yet.

Alright so I had some run-ins with Designate while trying to do DKIM (turns out you can't use a 2048 bit RSA key because that puts your public key over a length limit - looks like prod is on 1024 bit anyway - and you just get HTTP 500s when making the DNS change, and semicolons in records lead to broken DNS responses), but I do have a working DNS record now. Just need to puppetise the exim config change to set the domain name

Change 439791 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] exim: Permit DKIM domain to be changed by hiera

https://gerrit.wikimedia.org/r/439791

gerritbot added a project: Patch-For-Review.Jun 11 2018, 11:46 PM

Gmail is now showing, with that cherry-picked (+labs/private puppetmaster local addition):
SPF: PASS with IP 208.80.155.138 Learn more
DKIM: 'PASS' with domain beta.wmflabs.org Learn more

Need to look into wikimedia vs. wiki-mail selector - haven't made a key for wiki-mail yet.

Edit: Not entirely convinced I'll be able to get wikimedia vs. wiki-mail set up exactly like prod inside the labs network - it seems to care about interfaces and public IPs and things, which we probably can't do until we have neutron.

Change 439791 merged by Herron:
[operations/puppet@production] exim: Permit DKIM domain to be changed by hiera

https://gerrit.wikimedia.org/r/439791

And actually something I heard the other day made it sound like we may not be able to do that by default with our neutron setup either.

Anyway although we may struggle to make beta behaviour exactly mirror prod, the initial purpose of this ticket is fulfilled - mail from beta passes SPF and DKIM.

Krenair mentioned this in T203035: Designate DNS TXT records max length is 255 chars (Horizon reports vague "Error: Unable to create the record set.").Aug 28 2018, 10:45 PM

Krenair mentioned this in T203036: Designate/pdns breaks at semicolons in DNS record TXT values.Aug 28 2018, 10:52 PM

bd808 mentioned this in T249114: E-mails from noreply@pypi.org to tools.pywikibot@tools.wmflabs.org are not forwarded to certain recipients due to SPF.Apr 1 2020, 9:23 PM

bd808 mentioned this in T249237: Fix Cloud VPS and Toolforge mail servers to work with the modern internet.Apr 2 2020, 4:36 PM

Mails through deployment-mx SPF & DKIM failsClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

Mails through deployment-mx SPF & DKIM fails
Closed, ResolvedPublic
Actions