I followed the instruction from
https://pagure.io/fedora-infrastructure/issue/8455#comment-913675, but this is
my first time I actually doing anything in postfix configuration, so I'm not
sure if everything I did is correct.
The SMTP port on the machine seems to be open according to group_vars for the
mailman_stg.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
This map wasn't there, causing bastion02 to basically reject emails.
So, instead just comment it out because we aren't using it anyhow.
We are luckly bastion01's postfix hasn't been restarted and breaking it
there.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
RHEL turned off chunking in postfix for various reasons. This causes a
lot of logs from spam and other servers. Turning off logging this as
it is not supported.
Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>
This host needs to have it's own self signed certs and needs some more
config to allow the auth and allow authenticated users to relay.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need this to try and relay in emails.
It turns out to be bordering on impossible to do this sanely with our
current setup, so make a fedora vm that lets us use saslauthdb to have a
specific (small) list of users that can authenticate and relay emails
via bastion and out. We can't do this on rhel, because they don't build
the saslauthdb backend. We can't use any of the other backends because
they either don't work or would allow any fedora user to relay, which we
do not want.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This is a hack to work around SPF screwing us for @fedoraproject.org
aliases. It only fixes email from @redhat.com, but due to bugzilla thats
a lot of email.
Without this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com sent out directly to gmail and gets rejected because
we aren't in the redhat.com SPF record.
With this:
bugzilla@redhat.com -> user@fedoraproject.org (expands) ->
user@gmail.com but sent to mx2.redhat.com to deliver. Since
mx2.redhat.com definitely is in the redhat.com SPF record the email is
delivered fine and SPF checks pass.
This won't help for other domains with -all SPF records, but at least it
helps for all the redhat.com emails, of which there are a lot going to
fedoraproject.org aliases. :)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Something is broken with smtp_tls_connection_reuse = yes, so disable it
for now. Also, setup a tls_policy map file and tell it to not use tls
for mx2.redhat.com. The normal smtp connection reuse works just fine, so
this will keep mail flowing until we can one day figure out why tls
connection reuse is busted.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We fixed the config in a PR from aheath1992 for most of the machines,
but we need to fix vpn (proxies in particular) and releng boxes now.
Also, while we are here, lets drop the phx2 file since it's not used
anymore.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Without this it wasn't caching tls connections and was going over the
small limit redhat.com mx had. Hopefully this gets mail flowing again.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
So, without this tlsproxy wasn't working and no connection reuse was
happening. With it, it seems to be processing away nicely and reusing
connections.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Recently, redhat.com changed internal MX servers. The new servers are
have rate limits on incoming emails from one ip and admins there don't
want to add a bunch of exceptions, so we need to adjust our end to not
flood connections to them. Currently, connections burst up to 100 (the
smtp postfix default) which goes over their limits and causes the
internal MX to reject emails from us for a while.
So, this change:
* Adds some domains to fast_flush. This allows us to use postqueue -s
domain to flush emails to a particular domain.
* Changes the smtp limit to 40. This is under the redhat.com limit.
* Has ansible actually install the master.cf.gateway on bastion servers.
Currently they were using the stock/default one.
* Enables the tlsproxy service, which is actually needed to get that tls
reuse working.
After these changes, we keep few connections to the redhat.com mx open,
but we reuse them and send more emails over existing connections. No
'too many connection emails' have happened since the changes.
The queue slowly seems to be processing down.
Since this was causing an outage of email, I have already applied these
things to bastion01, but I'd like to make sure we match up to whats in
ansible.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Right now we are hitting redhat.com mx server connection limits.
This might be because we are starting too many new connections at once.
Enabling this should reduce the new connections by reusing existing
ones.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Since we no longer have any machines in phx2, I have tried to remove
them from ansible. Note that there are still some places where we need
to remove them still: nagios, dhcp, named were not touched, and in cases
where it wasn't pretty clear what a conditional was doing I left it to
be cleaned up later.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
