The deadline for launching the Flock CFP is Tuesday, 23 May. We are going to use a new CFP system for Flock this year. This is the same system used by DevConf for their CFPs. It is an open source system developed by Red Hat. We will not have to pay nor host new infrastructure to use this system.
In order for us to use the system, we need to provide our own DNS record for the site and also provide SMTP credentials for outgoing mail to be sent to submitters, reviewers, and organizers. There are two asks:
cfp.fedoraproject.org
cfp-mysql-rhcfp.6923.rh-us-east-1.openshiftapps.com
These two asks will unblock the CFP and enable us to go public.
By Friday, 19 May. The timeline is tight but if we can get the DNS and SMTP set up by Friday, we'll be on track to launch.
So, we do not have smtp auth set up anywhere, so that would be a larger setup to do quickly.
Is there any way we could just allow its ip address to relay? And if its ip changes update that? Or does that open us up to other applications relaying?
Metadata Update from @kevin: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: medium-gain, medium-trouble, ops
Ah. Bummer on the SMTP auth. But there might be a way. Let me pass this on to the developer.
There is a worst case scenario that I use a Mailgun API token and pay for that, but it would be ideal to set it up with our legit mail servers.
I attached a screenshot of the SMTP server settings module in the CFP app:
<img alt="Screenshot of a settings page for SMTP server information. The form asks for a host, port, username, password, email alias, and reply-to email address." src="/fedora-infrastructure/issue/raw/files/d3a9a902e638c8c615c38e50924253024668deaf779aa68059ee6fef59bee5a4-Screenshot_2023-05-16_at_17-56-26_CfP_Portal.png" />
As you suggested @kevin, could we try an unauthenticated request sent from an allow-listed IP address? I am not SMTP savvy enough to know whether we can fill this and have it work without a username and password.
Is it possible for the allow-listed address to be a hostname and not an IP address? The hostname is static but I'm not sure about the IP address or how often it gets reassigned.
I will ask Josef whether there are more services running inside this OpenShift environment.
Well, until we allow the ip it's coming from it would just get a relaying denied message, but sure, you can try it and we can possibly use that to tell what IP it's appearing to come from.
We could use hostname, but I think it only resolves it at postfix start time, not every connection. I could be wrong tho...
Yeah, if this service could use a separate ip from the normal outgoing ip of that cluster that would be fine too. (just so we don't have other things able to relay).
There are no other services running on the CFP OpenShift account, but it is running on a public AWS instance and there may be other services available at the IP address. The CFP developer cautioned that it could be unwise to allow-list an IP address. If it were bound to the host, that would be safer.
I could try plugging in information into this settings module and see what happens. What should I use for the host and port fields?
Also, just another idea… would it be possible to create an email address, e.g. cfp@fedoraproject.org, that we could use for sending mail? I'm not sure if we could set up an outgoing email account in this way or if we are not set up to do something like that.
I've added the cname.
I think I can add auth without too much pain, I came up with a way to do it I think. I will try and implement that today.
Oh, and to answer:
we can create an alias for that that goes to whoever you like. We can't make a fas account named that and send with it, because we have 0 smtp auth setup currently, and we do not want to just allow all our users to relay (then spammers would just make an account and spew through our mail server).
So, I will be making a separate auth db for these few users we need to do this with. (Hopefully)
ok, this turns out to be quite annoying. ;)
But I think I have something that might work.
Can you use the following settings:
Give that a try and see if it can send?
It should let you log in, then relay it to bastion.fedoraproject.org which should send it out.
@kevin I used this information in the CFP system and also retrieved the password successfully. Thank you! :pray:
I think the work in this ticket is done. There might be some additional tweaking to do for getting it to work, but we can coordinate with the developer for this.
Great. Yeah, for the record:
I set up a new smtp-auth-cc-rdu01 vm in rdu2. On that vm I set up saslauth for postfix and added a cfp@fedoraproject.org to its local db. I set up self signed ssl certs for the host to use with postfix. I set the relay host to 192.168.0.1 (bastion's vpn ip), which it allows to relay.
We still need to add some of this config to ansible, but now that we have it all working I can hold off on that until after it's finished being used.
Metadata Update from @kevin: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)
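The two relay options discussed in this ticket, sketched as a Postfix `main.cf` fragment. This is an added example, not the Fedora infrastructure configuration: the certificate paths, the allow-listed address, and the use of Cyrus SASL with a local password database are assumptions; only the relay host address comes from the ticket.

```ini
# main.cf on a dedicated SMTP-auth relay host (illustrative sketch).

# --- Option 1 (discussed, not deployed): relay by source address ---------
# Every workload that egresses from the allow-listed address can relay,
# which is the concern raised about a shared public cloud address.
# 203.0.113.25 is a constructed documentation address.
#
# mynetworks = 127.0.0.0/8 203.0.113.25/32
# smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# --- Option 2 (what the ticket ended with): per-account SMTP AUTH --------
# Trust only loopback by address; everything else must authenticate.
mynetworks = 127.0.0.0/8

# TLS for the submission side. Paths are placeholders; the ticket says the
# certificate is self-signed, so the client has to accept or pin it.
smtpd_tls_cert_file = /etc/pki/tls/certs/smtp-auth.example.pem
smtpd_tls_key_file = /etc/pki/tls/private/smtp-auth.example.key
smtpd_tls_security_level = may
# Offer AUTH only after STARTTLS so the password never crosses in cleartext.
smtpd_tls_auth_only = yes

# SASL against a small local database that holds only the few accounts
# allowed to relay, kept separate from the general user accounts.
# Assumption: Cyrus SASL, configured in /etc/sasl2/smtpd.conf.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous

# Relay only for authenticated senders; unauthenticated clients may only
# deliver to domains this host is final destination for.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# Hand all outbound mail to the upstream relay over the VPN address given
# in the ticket. Brackets disable the MX lookup.
relayhost = [192.168.0.1]
```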
Email is go! :tada: Thanks so much for your help @kevin and @jridky. I know this request came on short notice and I appreciate both of you for making this work.
Have a good weekend.