Opened 6 years ago
Last modified 6 years ago
#1500 assigned
Add AWS servers for new clearinghouse and portal to MX records for geni.net
| Reported by: | hdempsey@bbn.com | Owned by: | hdempsey@bbn.com |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | GPO | Version: | SPIRAL8 |
| Keywords: | | Cc: | |
| Dependencies: | | | |
Description
Create MX records for the two AWS servers currently in testing with UKY so that they can send mail that won't be bounced because they aren't authorized servers for GENI.
Change History (22)
comment:1 Changed 6 years ago by
| Owner: | changed from somebody to hdempsey@bbn.com |
|---|---|
| Status: | new → assigned |
comment:2 Changed 6 years ago by
comment:3 Changed 6 years ago by
I'm just going to do the MX part of this first. This is a temporary change requested by Hussam to support testing, and not something we want to keep around for a long time, because if our real mail server goes down, these machines will be listed as secondary mail servers, even though they don't function that way. Eventually, these two hosts will be the real clearinghouse and portal and replace the existing ones.
comment:4 Changed 6 years ago by
Here's the diff. The preference value is set to 20, instead of 10, which is what we use for the real mail server daulis.bbn.com.
diff type.geni.net type.geni.net.new 20a21,22
IN MX 20 ec2-54-80-225-141.compute-1.amazonaws.com. IN MX 20 ec2-52-207-161-119.compute-1.amazonaws.com.
comment:5 Changed 6 years ago by
<formatting gets me every time>
diff type.geni.net type.geni.net.new 20a21,22
IN MX 20 ec2-54-80-225-141.compute-1.amazonaws.com.
IN MX 20 ec2-52-207-161-119.compute-1.amazonaws.com.
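Review bot: the hunk at 20a21,22 appends two MX records to type.geni.net but does not touch the SOA serial, so secondary name servers will keep serving the old zone until the serial is incremented in the same commit (comment 9 below confirms a second commit was needed for exactly that). Since comment 3 says these AWS hosts do not actually accept mail for geni.net, and preference 20 makes them the hosts remote MTAs fall back to whenever daulis.bbn.com is unreachable, consider marking the two records with a zone comment such as `; temporary, see ticket #1500` so they are not forgotten once the real clearinghouse and portal cut over.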
comment:6 Changed 6 years ago by
| Owner: | changed from hdempsey@bbn.com to agosain@bbn.com |
|---|---|
Per http://groups.geni.net/syseng/wiki/OpsDNS#ManagingDNSforgeni.net
please review the change, so I can commit it.
comment:7 Changed 6 years ago by
Just to be clear, that type.geni.net file to be edited is from geni-inf/GENI-CVS.BBN.COM/puppet/modules/bind/files/zones
comment:8 Changed 6 years ago by
| Owner: | changed from agosain@bbn.com to hdempsey@bbn.com |
|---|---|
Looks good to me. Since we do not maintain amazonaws.com we don't need an A record.
comment:9 Changed 6 years ago by
Committed. Then committed again to properly update the serial number.
comment:11 Changed 6 years ago by
New MX servers showing up in lookup:
host -t mx geni.net
geni.net mail is handled by 10 daulis.bbn.com.
geni.net mail is handled by 20 ec2-52-207-161-119.compute-1.amazonaws.com.
geni.net mail is handled by 20 ec2-54-80-225-141.compute-1.amazonaws.com.
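An added check, not part of the ticket or of the GPO's own tooling: a small POSIX shell script that reads the `host -t mx` output quoted above, sorts the records by preference, confirms the primary is the host it should be, and lists every host that remote MTAs will fall back to when the primary is down. That failover list is exactly the set of temporary AWS records comment 3 warns about. The sample output embedded below is constructed from the three records quoted in this comment, so the script runs offline; the `--live` branch, which does a real lookup, is an assumption about how one would use it on a workstation with `host(1)` installed.

```shell
#!/bin/sh
# Added example (not from the ticket): summarise an MX record set from
# `host -t mx <zone>` output and flag the hosts that would receive mail
# if the primary (lowest-preference) MX is unavailable.

# Constructed sample output, matching the records the ticket expected
# after the change (not a live lookup).
SAMPLE_MX_OUTPUT='geni.net mail is handled by 10 daulis.bbn.com.
geni.net mail is handled by 20 ec2-52-207-161-119.compute-1.amazonaws.com.
geni.net mail is handled by 20 ec2-54-80-225-141.compute-1.amazonaws.com.'

# mx_sorted: read host(1) MX output on stdin, print "pref host" sorted by
# preference (lowest first, hostname as tie-breaker). Non-MX lines are ignored.
mx_sorted() {
    awk '/ mail is handled by /{ print $(NF-1), $NF }' | sort -k1,1n -k2,2
}

# mx_primary: print the hostname carrying the lowest preference.
mx_primary() {
    mx_sorted | head -n 1 | awk '{ print $2 }'
}

# mx_failover_hosts: print every host that is NOT at the lowest preference,
# i.e. the hosts remote MTAs try when the primary is down. For this ticket
# those are the two AWS hosts, which do not accept mail for geni.net, so
# the list doubles as the list of records to remove once testing is over.
mx_failover_hosts() {
    mx_sorted | awk 'NR == 1 { best = $1; next } $1 != best { print $2 }'
}

# mx_check_primary: exit 0 if the primary MX is the expected host, else 1.
# Usage: host -t mx geni.net | mx_check_primary daulis.bbn.com.
mx_check_primary() {
    expected="$1"
    [ "$(mx_primary)" = "$expected" ]
}

if [ "${1:-}" = "--live" ]; then
    # Real lookup (assumed usage; needs host(1) and network access).
    host -t mx geni.net | mx_failover_hosts
else
    printf '%s\n' "$SAMPLE_MX_OUTPUT" | mx_failover_hosts
fi
```

Run without arguments it prints the two AWS hostnames from the constructed sample; with `--live` it prints whichever hosts the real zone currently lists as fallbacks, which is a quick way to confirm the temporary records are gone after they are removed.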
comment:12 Changed 6 years ago by
Tested email to help@geni.net and it was successfully received. Also tested hdempsey@geni.net, which hasn't shown up yet, but with the Raytheon forwarding changes, I can't really predict how long that might take to show up, so not going to worry about it.
comment:13 Changed 6 years ago by
Let Hussam know we had made this change, so he can re-try sending test emails. Keeping the ticket open until I find out if this change will fix the email delivery issue, per Hussam's test.
comment:14 Changed 6 years ago by
Got an interesting fail from daulis on the hdempsey@geni.net mail finally (below). Not sure if it is a Raytheon-only problem or something other sites may see. I tried an email from an external site to the same geni.net address to see if daulis makes the same complaint for that.
THIS IS A WARNING MESSAGE ONLY
YOU DO NOT NEED TO RESEND YOUR MESSAGE
The original message was received at Wed, 7 Dec 2016 15:43:22 GMT
from ma-mailout10.rtnmail.ray.com [147.25.130.27]
----- Transcript of session follows -----
... while talking to daulis.bbn.com.:
DATA
<<< 451 Temporary local problem - please try later
<hdempsey@geni.net>... Deferred: 451 Temporary local problem - please try later
<<< 503 valid RCPT command must precede DATA
Warning: message still undelivered after 4 hours
Will keep trying until message is 3 days old
----- Message header follows -----
Return-Path: <heidi.dempsey@raytheon.com>
Received: from ma-mailout10.rtnmail.ray.com (ma-mailout10.rtnmail.ray.com
[147.25.130.27])
by bos-mailout2.raytheon.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with
ESMTP id uB7FhLPL031513
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
for <hdempsey@geni.net>; Wed, 7 Dec 2016 15:43:22 GMT
Received: from 008-smtp-out.ray.com ([23.103.8.81])
by ma-mailout10.rtnmail.ray.com (8.15.0.59/8.15.0.59) with ESMTPS id
uB7FhLeN005884
(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)
for <hdempsey@geni.net>; Wed, 7 Dec 2016 15:43:21 GMT
Received: from SN1PR0601MB016.008f.mgd2.msft.net (23.103.8.84) by
SN1PR0601MB013.008f.mgd2.msft.net (23.103.8.81) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.721.19; Wed, 7
Dec 2016 15:43:19 +0000
Received: from SN1PR0601MB016.008f.mgd2.msft.net ([23.103.8.84]) by
SN1PR0601MB016.008f.mgd2.msft.net ([23.103.8.84]) with mapi id
15.01.0721.017; Wed, 7 Dec 2016 15:43:19 +0000
From: Heidi DEMPSEY <heidi.dempsey@raytheon.com>
To: "hdempsey@geni.net" <hdempsey@geni.net>
Subject: post AWS add test
Thread-Topic: post AWS add test
Thread-Index: AQHSUKCifNgOynDD2kOk03W0ECsCZA==
Date: Wed, 7 Dec 2016 15:43:19 +0000
Message-ID: <d64efd6582e044e6b022c6bd61a6a738@SN1PR0601MB016.008f.mgd2.msft.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [23.103.8.132]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:
definitions=2016-12-07_05:
signatures=0
comment:15 Changed 6 years ago by
| Status: | assigned → accepted |
|---|---|
comment:16 Changed 6 years ago by
OK, Hussam ran the test, and found two issues: 1) no-reply@geni.net fails as a sender because daulis complains there is no such user. Sending with a user that does exist (help@geni.net) is refused with a message that the mail server isn't configured to accept relay mail from the AWS server. That means there must be a configuration change I need to make somewhere in the EXIM software. Yuck!
comment:17 Changed 6 years ago by
Looks like exim.conf.erb is the place to do this by entering the IP addresses of the AWS hosts as relay hosts.
comment:18 Changed 6 years ago by
I'm not sure if I will need to do more, because daulis now uses TLS (since Sept.) due to Raytheon audit issues. Checking with Peter, who did the TLS changes.
comment:19 Changed 6 years ago by
For reference, the TLS changes I made are here. http://groups.geni.net/syseng/ticket/6787
Jogging my own memory, the four lines I added in September merely advertise the fact that we are running TLS to any host that will listen. The other three lines are boring, they point to the cert and what port to listen on. So as far as TLS and Amazon goes, I think we are all set already.
Something I discovered when testing all this back then was the fact that exim can run test/simulated smtp sessions using the -bh flag, possibly the -bhc flag, which skips sender verification. Check the man page. This might be useful in that you can see the transaction in real time and no actual mail gets sent.
comment:20 Changed 6 years ago by
| Owner: | changed from hdempsey@bbn.com to peter.stickney@bbn.com |
|---|---|
| Status: | accepted → assigned |
Assigning to Peter because he's making changes to this file for unrelated DNS issues anyway.
comment:21 Changed 6 years ago by
Just to be clear, that's to make sure we only change one thing at a time--not both overlapping. ;-)
comment:22 Changed 6 years ago by
| Owner: | changed from peter.stickney@bbn.com to hdempsey@bbn.com |
|---|---|
OK, the change is in. At first I was getting the same refusal because no-reply@geni.net is not a valid user. I edited /etc/mail/aliases to add no-reply and direct it to /dev/null.
Here's how I tested and confirmed. I ran this from mail.geni.net, it simulates a smtp session from the given IP, which in this case is the amazon host.
/usr/sbin/exim -bh 54.80.225.141
helo ec2-54-80-225-141.compute-1.amazonaws.com
mail from:<no-reply@geni.net>
rcpt to:<pstickne@geni.net>
data
this is a test
.
LOG: 1cHFUI-0007fh-TV <= no-reply@geni.net H=ec2-54-80-225-141.compute-1.amazonaws.com [54.80.225.141] P=smtp S=240 for pstickne@geni.net
250 OK id=1cHFUI-0007fh-TV
I'd still like to see Hussam test it on the actual amazon host.
The current host addresses, names, and suggested GENI CNAMEs (names from Tom):
52.207.161.119 ec2-52-207-161-119.compute-1.amazonaws.com ch1.geni.net
54.80.225.141 ec2-54-80-225-141.compute-1.amazonaws.com portal1.geni.net
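An added example, not part of the ticket and not the GPO's puppet or Exim configuration: the `exim -bh` simulation Peter ran above, wrapped in a POSIX shell script so the relay test from comments 16 and 22 can be repeated for both AWS hosts and judged from the transcript rather than by eye. It assumes the relay change in exim.conf.erb (comment 17) added the AWS addresses to Exim's stock `relay_from_hosts` host list; the site's actual configuration is not shown in the ticket. The two transcripts embedded below are constructed for offline use: the accepted one reuses the log line Peter quoted, and the rejected one is the `550 relay not permitted` response Exim's default ACL returns to a host that is not in that list. Only `relay_test` talks to the real Exim binary, and it must be run on the mail host.

```shell
#!/bin/sh
# Added example (not from the ticket): repeatable version of the
# `exim -bh <ip>` simulated-session relay test, with the verdict taken
# from the transcript. Addresses and hostnames are the ticket's; the
# assumption that the AWS hosts sit in Exim's relay_from_hosts list is
# not verified here.

# smtp_dialogue: print the SMTP commands exim -bh reads on stdin.
# Args: HELO name, envelope sender, envelope recipient.
smtp_dialogue() {
    helo_name="$1"; sender="$2"; rcpt="$3"
    printf 'helo %s\n' "$helo_name"
    printf 'mail from:<%s>\n' "$sender"
    printf 'rcpt to:<%s>\n' "$rcpt"
    printf 'data\n'
    printf 'Subject: relay test from %s\n\nthis is a test\n.\n' "$helo_name"
    printf 'quit\n'
}

# classify_transcript: read an exim -bh transcript on stdin and print
#   accepted  - exim logged the message as received ("<=") and answered 250 OK
#   rejected  - a 5xx response was returned before any acceptance
#   unknown   - neither (e.g. a 4xx deferral like the 451 seen in comment 14)
classify_transcript() {
    awk '
        /^LOG: .* <= /                  { seen_in = 1 }
        /^250 OK id=/ && seen_in        { verdict = "accepted" }
        /^5[0-9][0-9][ -]/              { if (verdict == "") verdict = "rejected" }
        END { print (verdict == "" ? "unknown" : verdict) }
    '
}

# relay_test: run the real simulation on the mail host. No mail is sent.
# Usage: relay_test <source-ip> <helo-name> <sender> <recipient>
# e.g.   relay_test 54.80.225.141 ec2-54-80-225-141.compute-1.amazonaws.com \
#                   no-reply@geni.net help@geni.net
relay_test() {
    smtp_dialogue "$2" "$3" "$4" | /usr/sbin/exim -bh "$1" 2>&1 | classify_transcript
}

# Constructed transcripts (not captured from exim): the first mirrors the
# log line quoted in the ticket, the second is Exim's default-ACL refusal.
ACCEPTED_TRANSCRIPT='LOG: 1cHFUI-0007fh-TV <= no-reply@geni.net H=ec2-54-80-225-141.compute-1.amazonaws.com [54.80.225.141] P=smtp S=240 for pstickne@geni.net
250 OK id=1cHFUI-0007fh-TV'
REJECTED_TRANSCRIPT='550 relay not permitted'

# Stand-alone demonstration against the constructed transcripts.
printf 'accepted sample -> %s\n' "$(printf '%s\n' "$ACCEPTED_TRANSCRIPT" | classify_transcript)"
printf 'rejected sample -> %s\n' "$(printf '%s\n' "$REJECTED_TRANSCRIPT" | classify_transcript)"
```

Running `relay_test` once per AWS address (52.207.161.119 and 54.80.225.141) with both `no-reply@geni.net` and `help@geni.net` as sender covers the two failures Hussam hit in comment 16; a `rejected` verdict after the config change points back at the host list, while `unknown` usually means a 4xx such as the 451 deferral in comment 14 and needs the exim main log rather than the transcript.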