Add AWS servers for new clearinghouse and portal to MX records for geni.net

[hdempsey@bbn.com]

Create MX records for the two AWS servers currently in testing with UKY so that they can send mail that won't be bounced because they aren't authorized servers for GENI.

[hdempsey@bbn.com]

The current host addresess, names, and suggested GENI CNAMES (names from Tom)

52.207.161.119 ec2-52-207-161-119.compute-1.amazonaws.com ch1.geni.net

54.80.225.141 ec2-54-80-225-141.compute-1.amazonaws.com portal1.geni.net

[hdempsey@bbn.com]

I'm just going to do the MX part of this first. This is a temporary change requested by Hussam to support testing, and not something we want to keep around for a long time, because if our real mail server goes down, these machines will be listed as secondary mail servers, even though they don't function that way. Eventually, these two hosts will be the real clearinghouse and portal and replace the existing ones.

[hdempsey@bbn.com]

Here's the diff. The preference value is set to 20, instead of 10, which is what we use for the real mail server daulis.bbn.com.

diff type.geni.net type.geni.net.new 20a21,22

IN MX 20 ec2-54-80-225-141.compute-1.amazonaws.com. IN MX 20 ec2-52-207-161-119.compute-1.amazonaws.com.

[hdempsey@bbn.com]

<formatting gets me every time>

diff type.geni.net type.geni.net.new 20a21,22

IN MX 20 ec2-54-80-225-141.compute-1.amazonaws.com.

IN MX 20 ec2-52-207-161-119.compute-1.amazonaws.com.

[hdempsey@bbn.com]

Per ​http://groups.geni.net/syseng/wiki/OpsDNS#ManagingDNSforgeni.net

please review the change, so I can commit it.

[hdempsey@bbn.com]

Just to be clear, that type.geni.net file to be edited is from geni-inf/GENI-CVS.BBN.COM/puppet/modules/bind/files/zones

[agosain@bbn.com]

Looks good to me. since we do not maintain amazonaws.com we dont need a A record.

[hdempsey@bbn.com]

Committed. Then committed again to properly update the serial number.

[hdempsey@bbn.com]

Pushed to aqua

[hdempsey@bbn.com]

New MX servers showing up in lookup:

host -t mx geni.net geni.net mail is handled by 10 daulis.bbn.com. geni.net mail is handled by 20 ec2-52-207-161-119.compute-1.amazonaws.com. geni.net mail is handled by 20 ec2-54-80-225-141.compute-1.amazonaws.com.

[hdempsey@bbn.com]

Tested email to ​help@geni.net and it was successfully received. Also tested ​hdempsey@geni.net, which hasn't showed up yet, but with the Raytheon forwarding changes, I can't really predict how long that might take to show up, so not going to worry about it.

[hdempsey@bbn.com]

Let Hussam know we had made this change, so he can re-try sending test emails. Keeping the ticket open until I find out if this change will fix the email delivery issue, per Hussam's test.

[hdempsey@bbn.com]

Got an interesting fail from daulis on the ​hdempsey@geni.net mail finally (below). Not sure if it is a Raytheon-only problem or something other sites may see. I tried an email from an external site to the same geni.net address to see if daulis makes the same complaint for that.

THIS IS A WARNING MESSAGE ONLY

YOU DO NOT NEED TO RESEND YOUR MESSAGE

The original message was received at Wed, 7 Dec 2016 15:43:22 GMT

from ma-mailout10.rtnmail.ray.com [147.25.130.27]

----- Transcript of session follows -----

... while talking to daulis.bbn.com.:

DATA

<<< 451 Temporary local problem - please try later

<​hdempsey@geni.net>... Deferred: 451 Temporary local problem - please try later

<<< 503 valid RCPT command must precede DATA

Warning: message still undelivered after 4 hours

Will keep trying until message is 3 days old

----- Message header follows -----

Return-Path: <​heidi.dempsey@raytheon.com>

Received: from ma-mailout10.rtnmail.ray.com (ma-mailout10.rtnmail.ray.com

[147.25.130.27])

by bos-mailout2.raytheon.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with

ESMTP id uB7FhLPL031513

(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)

for <​hdempsey@geni.net>; Wed, 7 Dec 2016 15:43:22 GMT

Received: from 008-smtp-out.ray.com ([23.103.8.81])

by ma-mailout10.rtnmail.ray.com (8.15.0.59/8.15.0.59) with ESMTPS id

uB7FhLeN005884

(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)

for <​hdempsey@geni.net>; Wed, 7 Dec 2016 15:43:21 GMT

Received: from SN1PR0601MB016.008f.mgd2.msft.net (23.103.8.84) by

SN1PR0601MB013.008f.mgd2.msft.net (23.103.8.81) with Microsoft SMTP Server

(version=TLS1_2, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.721.19; Wed, 7

Dec 2016 15:43:19 +0000

Received: from SN1PR0601MB016.008f.mgd2.msft.net ([23.103.8.84]) by

SN1PR0601MB016.008f.mgd2.msft.net ([23.103.8.84]) with mapi id

15.01.0721.017; Wed, 7 Dec 2016 15:43:19 +0000

From: Heidi DEMPSEY <​heidi.dempsey@raytheon.com>

To: "​hdempsey@geni.net" <​hdempsey@geni.net>

Subject: post AWS add test

Thread-Topic: post AWS add test

Thread-Index: AQHSUKCifNgOynDD2kOk03W0ECsCZA==

Date: Wed, 7 Dec 2016 15:43:19 +0000

Message-ID: <​d64efd6582e044e6b022c6bd61a6a738@SN1PR0601MB016.008f.mgd2.msft.net>

Accept-Language: en-US

Content-Language: en-US

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

x-originating-ip: [23.103.8.132]

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

MIME-Version: 1.0

X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:

definitions=2016-12-07_05:

signatures=0

[hdempsey@bbn.com]

OK, Hussam ran the test, and found two issues: 1) ​no-reply@geni.net fails as a sender because daulis complains there is no such user. Sending with a user that does exist (​help@geni.net) is refused with a message that the mail server isn't configured to accept relay mail from the AWS server. That means there must be a configuation change I need to make somewhere in the EXIM software. Yuck!

[hdempsey@bbn.com]

Looks like exim.conf.erb is the place to do this by entering the IP addresses of the AWS hosts as relay hosts.

[hdempsey@bbn.com]

I'm not sure if I will need to do more, because daulis now uses TLS (since Sept.) due to Raytheon audit issues. Checking with Peter, who did the TLS changes.

[peter.stickney@bbn.com]

For reference, the TLS changes I made are here. ​http://groups.geni.net/syseng/ticket/6787

Jogging my own memory, the four lines I added in September merely advertise the fact that we are running TLS to any host that will listen. The other three lines are boring, they point to the cert and what port to listen on. So as far as TLS and Amazon goes, I think we are all set already.

Something I discovered when testing all this back then was the fact that exim can run test/simulated smtp sessions using the -bh flag, possibly the -bhc flag, which skips sender verification. Check the man page. This might be useful in that you can see the transaction in real time and no actual mail gets sent.

​https://github.com/Exim/exim/wiki/TroubleShooting

[hdempsey@bbn.com]

Assigning to Peter because he's making changes to this file for unrelated DNS issues anyway.

[hdempsey@bbn.com]

Just to be clear, that's to make sure we only change one thing at a time--not both overlapping. ;-)

[peter.stickney@bbn.com]

OK, the change is in. At first I was getting the same refusal because ​no-reply@geni.net is not a valid user. I edited /etc/mail/aliases to add no-reply and direct it to /dev/null.

Here's how I tested and confirmed. I ran this from mail.geni.net, it simulates a smtp session from the given IP, which in this case is the amazon host.

/usr/sbin/exim -bh 54.80.225.141
helo ec2-54-80-225-141.compute-1.amazonaws.com
mail from:<no-reply@geni.net>
rcpt to:<pstickne@geni.net>
data
this is a test
.
LOG: 1cHFUI-0007fh-TV <= no-reply@geni.net H=ec2-54-80-225-141.compute-1.amazonaws.com [54.80.225.141] P=smtp S=240 for pstickne@geni.net
250 OK id=1cHFUI-0007fh-TV

I'd still like to see Hussam test it on the actual amazon host.