Opened 2 years ago

Last modified 2 years ago

#1500 assigned

Add AWS servers for new clearinghouse and portal to MX records for geni.net

Reported by: hdempsey@bbn.com Owned by: hdempsey@bbn.com
Priority: major Milestone:
Component: GPO Version: SPIRAL8
Keywords: Cc:
Dependencies:

Description

Create MX records for the two AWS servers currently in testing with UKY so that they can send mail that won't be bounced because they aren't authorized servers for GENI.

Change History (22)

comment:1 Changed 2 years ago by hdempsey@bbn.com

Owner: changed from somebody to hdempsey@bbn.com
Status: newassigned

comment:2 Changed 2 years ago by hdempsey@bbn.com

The current host addresess, names, and suggested GENI CNAMES (names from Tom)

52.207.161.119 ec2-52-207-161-119.compute-1.amazonaws.com ch1.geni.net

54.80.225.141 ec2-54-80-225-141.compute-1.amazonaws.com portal1.geni.net

comment:3 Changed 2 years ago by hdempsey@bbn.com

I'm just going to do the MX part of this first. This is a temporary change requested by Hussam to support testing, and not something we want to keep around for a long time, because if our real mail server goes down, these machines will be listed as secondary mail servers, even though they don't function that way. Eventually, these two hosts will be the real clearinghouse and portal and replace the existing ones.

comment:4 Changed 2 years ago by hdempsey@bbn.com

Here's the diff. The preference value is set to 20, instead of 10, which is what we use for the real mail server daulis.bbn.com.

diff type.geni.net type.geni.net.new 20a21,22

IN MX 20 ec2-54-80-225-141.compute-1.amazonaws.com. IN MX 20 ec2-52-207-161-119.compute-1.amazonaws.com.

comment:5 Changed 2 years ago by hdempsey@bbn.com

<formatting gets me every time>

diff type.geni.net type.geni.net.new 20a21,22

IN MX 20 ec2-54-80-225-141.compute-1.amazonaws.com.

IN MX 20 ec2-52-207-161-119.compute-1.amazonaws.com.

comment:6 Changed 2 years ago by hdempsey@bbn.com

Owner: changed from hdempsey@bbn.com to agosain@bbn.com

Per http://groups.geni.net/syseng/wiki/OpsDNS#ManagingDNSforgeni.net

please review the change, so I can commit it.

comment:7 Changed 2 years ago by hdempsey@bbn.com

Just to be clear, that type.geni.net file to be edited is from geni-inf/GENI-CVS.BBN.COM/puppet/modules/bind/files/zones

comment:8 Changed 2 years ago by agosain@bbn.com

Owner: changed from agosain@bbn.com to hdempsey@bbn.com

Looks good to me. since we do not maintain amazonaws.com we dont need a A record.

comment:9 Changed 2 years ago by hdempsey@bbn.com

Committed. Then committed again to properly update the serial number.

comment:10 Changed 2 years ago by hdempsey@bbn.com

Pushed to aqua

comment:11 Changed 2 years ago by hdempsey@bbn.com

New MX servers showing up in lookup:

host -t mx geni.net geni.net mail is handled by 10 daulis.bbn.com. geni.net mail is handled by 20 ec2-52-207-161-119.compute-1.amazonaws.com. geni.net mail is handled by 20 ec2-54-80-225-141.compute-1.amazonaws.com.

comment:12 Changed 2 years ago by hdempsey@bbn.com

Tested email to help@geni.net and it was successfully received. Also tested hdempsey@geni.net, which hasn't showed up yet, but with the Raytheon forwarding changes, I can't really predict how long that might take to show up, so not going to worry about it.

comment:13 Changed 2 years ago by hdempsey@bbn.com

Let Hussam know we had made this change, so he can re-try sending test emails. Keeping the ticket open until I find out if this change will fix the email delivery issue, per Hussam's test.

comment:14 Changed 2 years ago by hdempsey@bbn.com

Got an interesting fail from daulis on the hdempsey@geni.net mail finally (below). Not sure if it is a Raytheon-only problem or something other sites may see. I tried an email from an external site to the same geni.net address to see if daulis makes the same complaint for that.

THIS IS A WARNING MESSAGE ONLY

YOU DO NOT NEED TO RESEND YOUR MESSAGE

The original message was received at Wed, 7 Dec 2016 15:43:22 GMT

from ma-mailout10.rtnmail.ray.com [147.25.130.27]

----- Transcript of session follows -----

... while talking to daulis.bbn.com.:

DATA

<<< 451 Temporary local problem - please try later

<hdempsey@geni.net>... Deferred: 451 Temporary local problem - please try later

<<< 503 valid RCPT command must precede DATA

Warning: message still undelivered after 4 hours

Will keep trying until message is 3 days old

----- Message header follows -----

Return-Path: <heidi.dempsey@raytheon.com>

Received: from ma-mailout10.rtnmail.ray.com (ma-mailout10.rtnmail.ray.com

[147.25.130.27])

by bos-mailout2.raytheon.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with

ESMTP id uB7FhLPL031513

(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)

for <hdempsey@geni.net>; Wed, 7 Dec 2016 15:43:22 GMT

Received: from 008-smtp-out.ray.com ([23.103.8.81])

by ma-mailout10.rtnmail.ray.com (8.15.0.59/8.15.0.59) with ESMTPS id

uB7FhLeN005884

(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)

for <hdempsey@geni.net>; Wed, 7 Dec 2016 15:43:21 GMT

Received: from SN1PR0601MB016.008f.mgd2.msft.net (23.103.8.84) by

SN1PR0601MB013.008f.mgd2.msft.net (23.103.8.81) with Microsoft SMTP Server

(version=TLS1_2, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.721.19; Wed, 7

Dec 2016 15:43:19 +0000

Received: from SN1PR0601MB016.008f.mgd2.msft.net ([23.103.8.84]) by

SN1PR0601MB016.008f.mgd2.msft.net ([23.103.8.84]) with mapi id

15.01.0721.017; Wed, 7 Dec 2016 15:43:19 +0000

From: Heidi DEMPSEY <heidi.dempsey@raytheon.com>

To: "hdempsey@geni.net" <hdempsey@geni.net>

Subject: post AWS add test

Thread-Topic: post AWS add test

Thread-Index: AQHSUKCifNgOynDD2kOk03W0ECsCZA==

Date: Wed, 7 Dec 2016 15:43:19 +0000

Message-ID: <d64efd6582e044e6b022c6bd61a6a738@SN1PR0601MB016.008f.mgd2.msft.net>

Accept-Language: en-US

Content-Language: en-US

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

x-originating-ip: [23.103.8.132]

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

MIME-Version: 1.0

X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:

definitions=2016-12-07_05:

signatures=0

comment:15 Changed 2 years ago by hdempsey@bbn.com

Status: assignedaccepted

comment:16 Changed 2 years ago by hdempsey@bbn.com

OK, Hussam ran the test, and found two issues: 1) no-reply@geni.net fails as a sender because daulis complains there is no such user. Sending with a user that does exist (help@geni.net) is refused with a message that the mail server isn't configured to accept relay mail from the AWS server. That means there must be a configuation change I need to make somewhere in the EXIM software. Yuck!

comment:17 Changed 2 years ago by hdempsey@bbn.com

Looks like exim.conf.erb is the place to do this by entering the IP addresses of the AWS hosts as relay hosts.

comment:18 Changed 2 years ago by hdempsey@bbn.com

I'm not sure if I will need to do more, because daulis now uses TLS (since Sept.) due to Raytheon audit issues. Checking with Peter, who did the TLS changes.

comment:19 Changed 2 years ago by peter.stickney@bbn.com

For reference, the TLS changes I made are here. http://groups.geni.net/syseng/ticket/6787

Jogging my own memory, the four lines I added in September merely advertise the fact that we are running TLS to any host that will listen. The other three lines are boring, they point to the cert and what port to listen on. So as far as TLS and Amazon goes, I think we are all set already.

Something I discovered when testing all this back then was the fact that exim can run test/simulated smtp sessions using the -bh flag, possibly the -bhc flag, which skips sender verification. Check the man page. This might be useful in that you can see the transaction in real time and no actual mail gets sent.

https://github.com/Exim/exim/wiki/TroubleShooting

comment:20 Changed 2 years ago by hdempsey@bbn.com

Owner: changed from hdempsey@bbn.com to peter.stickney@bbn.com
Status: acceptedassigned

Assigning to Peter because he's making changes to this file for unrelated DNS issues anyway.

comment:21 Changed 2 years ago by hdempsey@bbn.com

Just to be clear, that's to make sure we only change one thing at a time--not both overlapping. ;-)

comment:22 Changed 2 years ago by peter.stickney@bbn.com

Owner: changed from peter.stickney@bbn.com to hdempsey@bbn.com

OK, the change is in. At first I was getting the same refusal because no-reply@geni.net is not a valid user. I edited /etc/mail/aliases to add no-reply and direct it to /dev/null.

Here's how I tested and confirmed. I ran this from mail.geni.net, it simulates a smtp session from the given IP, which in this case is the amazon host.

/usr/sbin/exim -bh 54.80.225.141
helo ec2-54-80-225-141.compute-1.amazonaws.com
mail from:<no-reply@geni.net>
rcpt to:<pstickne@geni.net>
data
this is a test
.
LOG: 1cHFUI-0007fh-TV <= no-reply@geni.net H=ec2-54-80-225-141.compute-1.amazonaws.com [54.80.225.141] P=smtp S=240 for pstickne@geni.net
250 OK id=1cHFUI-0007fh-TV

I'd still like to see Hussam test it on the actual amazon host.

Note: See TracTickets for help on using tickets.