remove the mozilla.org/mozilla.com domains from the authorized recipients on dm-mail01/02

RESOLVED FIXED

Status

mozilla.org Graveyard
Server Operations
--
minor
RESOLVED FIXED
8 years ago
3 years ago

People

(Reporter: justdave, Assigned: justdave)

Tracking

Bug Flags:
needs-downtime +

Details

(Whiteboard: 11/03/2009 @ 7pm)

We currently have dm-mail03 set up to handle mozilla.com and mozilla.org, and allow inbound mail only from postini (since postini is the MX for those domains).

dm-mail01/02 *used* to be the MX for those domains, and is still set up as such.  We still get spammers periodically ignoring the MX records and sending mail there anyway for mozilla.org/mozilla.com, which currently gets accepted (unless the spam filters nail it).

The final nail in this entry point will be to remove mozilla.org and mozilla.com from the relay_domains and transport_maps options on dm-mail01/02 so that mail for those domains will no longer be accepted on those servers.

Users who authenticate, or send mail from inside the firewall, will still have their mail accepted (but it'll probably go through postini on the way back in) :)
This will be a pretty instantaneous change, and *probably* won't really affect anything, but just in case, it ought to be announced when we're going to do it.
Flags: needs-downtime+
Just for clarification, this won't affect mail destined for tinderbox.mozilla.org (which is a separate domain)
Is it possible to whitelist stuff coming from sm-try-master.mozilla.org? The Try Server sends a ton of mail everyday, and I suspect it would get postini'ed pretty quickly, since each item of mail is formatted similarly.
Oh, we've also got a bunch of mail being sent from various masters: production-master, production-master02, talos-master at a minimum, which goes to a bunch of @mozilla.com addresses, including release@
(In reply to comment #4)
> Oh, we've also got a bunch of mail being sent from various masters:
> production-master, production-master02, talos-master at a minimum, which goes
> to a bunch of @mozilla.com addresses, including release@

cm-keymaster01.b.m.o also sends emails. 

justdave: is it possible to whitelist *.build.mozilla.org? That doesnt identify  all the former-qa machines which are not in the build network, but it might help make your whitelisting job easier?
Where do they all send *to*?  If they're using "smtp.mozilla.org" they should be fine (because that points at dm-mail03, which is what will still handle those domains)
Assignee: server-ops → justdave
(In reply to comment #6)
> Where do they all send *to*?  If they're using "smtp.mozilla.org" they should
> be fine (because that points at dm-mail03, which is what will still handle
> those domains)

They use mail.build.mozilla.org or smtp.mozilla.org - which are the same machine. Looks like we don't need to do anything special, then.

Comment 8

8 years ago
when is this scheduled for?

Updated

8 years ago
Whiteboard: 11/03/2009 @ 7pm
(In reply to comment #8)
> when is this scheduled for?

55 minutes ago, and was done then. :)
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.