Bug 524804 - remove the mozilla.org/mozilla.com domains from the authorized recipients on dm-mail01/02
Status: RESOLVED FIXED
11/03/2009 @ 7pm
Product: mozilla.org Graveyard
Classification: Graveyard
Component: Server Operations
: other
: All Other
: -- minor
: ---
Assigned To: Dave Miller [:justdave] (justdave@bugzilla.org)
: matthew zeier [:mrz]
Reported: 2009-10-27 15:39 PDT by Dave Miller [:justdave] (justdave@bugzilla.org)
Modified: 2015-03-12 08:17 PDT
justdave: needs‑downtime+


Description Dave Miller [:justdave] (justdave@bugzilla.org) 2009-10-27 15:39:19 PDT
We currently have dm-mail03 set up to handle mozilla.com and mozilla.org, and allow inbound mail only from postini (since postini is the MX for those domains).

dm-mail01/02 *used* to be the MX for those domains, and is still set up as such.  We still get spammers periodically ignoring the MX records and sending mail there anyway for mozilla.org/mozilla.com, which currently gets accepted (unless the spam filters nail it).

The final nail in this entry point will be to remove mozilla.org and mozilla.com from the relay_domains and transport_maps options on dm-mail01/02 so that mail for those domains will no longer be accepted on those servers.

Users who authenticate, or send mail from inside the firewall, will still have their mail accepted (but it'll probably go through postini on the way back in) :)
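
An added example, not part of the original bug report: a small audit that reads Postfix-style `main.cf` and transport-table text and reports whether a domain is still listed in `relay_domains` or `transport_maps`, the two settings named above. The config text and next-hop names are constructed samples, the function names are hypothetical, and only inline `relay_domains` lists are handled (no `hash:` tables); other settings that can make a host accept mail are not checked.

```python
# Constructed sample configs (not the real dm-mail01/02 files; next hops are placeholders).
BEFORE_MAIN = "relay_domains = mozilla.org, mozilla.com,\n    tinderbox.mozilla.org\n"
AFTER_MAIN = "relay_domains = tinderbox.mozilla.org\n"
BEFORE_TRANSPORT = ("mozilla.org  smtp:[inbound.example]\n"
                    "mozilla.com  smtp:[inbound.example]\n"
                    "tinderbox.mozilla.org  smtp:[tinderbox.example]\n")
AFTER_TRANSPORT = "tinderbox.mozilla.org  smtp:[tinderbox.example]\n"

def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (part.strip() for part in raw.split("=", 1))
            params[name] = value
    return params

def parse_transport(text):
    """Parse 'pattern  transport:nexthop' lines of a transport table."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[fields[0].lower()] = fields[1]
    return table

def parents(domain):
    labels = domain.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]  # the domain itself first

def audit(domain, main_cf, transport):
    """Return which of the two settings still reference the domain (empty list = neither)."""
    relay = {d.lower() for d in main_cf.get("relay_domains", "").replace(",", " ").split()}
    # Assumes the default parent_domain_matches_subdomains, where a parent entry covers subdomains.
    findings = ["relay_domains:" + p for p in parents(domain) if p in relay][:1]
    # Transport tables match the exact name, or a ".parent" key for subdomains.
    keys = [domain.lower()] + ["." + p for p in parents(domain)[1:]]
    findings += ["transport_maps:" + k for k in keys if k in transport][:1]
    return findings

if __name__ == "__main__":
    for label, m, t in (("before", BEFORE_MAIN, BEFORE_TRANSPORT), ("after", AFTER_MAIN, AFTER_TRANSPORT)):
        for d in ("mozilla.org", "mozilla.com", "tinderbox.mozilla.org"):
            print(label, d, audit(d, parse_main_cf(m), parse_transport(t)) or "not listed")
```
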
Comment 1 Dave Miller [:justdave] (justdave@bugzilla.org) 2009-10-27 15:40:21 PDT
This will be a pretty instantaneous change, and *probably* won't really affect anything, but just in case, it ought to be announced when we're going to do it.
Comment 2 Dave Miller [:justdave] (justdave@bugzilla.org) 2009-10-27 15:51:21 PDT
Just for clarification, this won't affect mail destined for tinderbox.mozilla.org (which is a separate domain)
Comment 3 Ben Hearsum (:bhearsum) 2009-10-27 16:13:34 PDT
Is it possible to whitelist stuff coming from sm-try-master.mozilla.org? The Try Server sends a ton of mail every day, and I suspect it would get postini'ed pretty quickly, since each item of mail is formatted similarly.
Comment 4 Ben Hearsum (:bhearsum) 2009-10-27 16:17:08 PDT
Oh, we've also got a bunch of mail being sent from various masters: production-master, production-master02, talos-master at a minimum, which goes to a bunch of @mozilla.com addresses, including release@
Comment 5 John O'Duinn [:joduinn] (please use "needinfo?" flag) 2009-10-28 16:18:03 PDT
(In reply to comment #4)
> Oh, we've also got a bunch of mail being sent from various masters:
> production-master, production-master02, talos-master at a minimum, which goes
> to a bunch of @mozilla.com addresses, including release@

cm-keymaster01.b.m.o also sends emails.

justdave: is it possible to whitelist *.build.mozilla.org? That doesn't identify all the former-qa machines which are not in the build network, but it might help make your whitelisting job easier?
Comment 6 Dave Miller [:justdave] (justdave@bugzilla.org) 2009-10-28 22:32:03 PDT
Where do they all send *to*?  If they're using "smtp.mozilla.org" they should be fine (because that points at dm-mail03, which is what will still handle those domains)
Comment 7 Ben Hearsum (:bhearsum) 2009-10-29 03:19:47 PDT
(In reply to comment #6)
> Where do they all send *to*?  If they're using "smtp.mozilla.org" they should
> be fine (because that points at dm-mail03, which is what will still handle
> those domains)

They use mail.build.mozilla.org or smtp.mozilla.org - which are the same machine. Looks like we don't need to do anything special, then.
Comment 8 matthew zeier [:mrz] 2009-10-29 09:08:49 PDT
when is this scheduled for?
Comment 9 Dave Miller [:justdave] (justdave@bugzilla.org) 2009-11-03 19:56:18 PST
(In reply to comment #8)
> when is this scheduled for?

55 minutes ago, and was done then. :)
