#11623 [URGENT] Modify SMTP settings for fedora SMTP server
Closed: Fixed a year ago by zlopez. Opened a year ago by jridky.

Hi.

TL;DR: We have an issue with accessing the Fedora SMTP server from the new provider's cluster where cfp.fedoraproject.org is running, as this provider is blocking port 25 for outgoing communication. Would it be possible to open port 587 for SMTP as well? Until then, users are affected by ERROR 504 (will be handled in CfP) and email communication is blocked. See the report below.

This issue is present at the CFP for the Creative Freedom Summit site (cfp.fedoraproject.org).
When people submit a talk, it ends with a 504 Gateway Timeout. The talk is properly submitted, but there is no user feedback, which is not great (will be handled separately).

The problem is caused by sending mail after a submission. I checked the DB, and the SMTP server for that specific CFP is the Fedora one, on port 25. And that's blocked by the firewall.

From the pod, it can't connect to smtp-auth-cc-rdu01.fedoraproject.org port 25:

bash-4.4$ cat < /dev/tcp/8.43.85.71/22
SSH-2.0-OpenSSH_9.0

I get a response, so the port is open (and my magic bash command works).

Port 25, same server (smtp-auth-cc-rdu01.fedoraproject.org is 8.43.85.71):
bash-4.4$ cat < /dev/tcp/8.43.85.71/25

There is no response, so the port is not reachable.

On a server without an outgoing firewall, it displays the right prompt immediately:

$ cat < /dev/tcp/8.43.85.71/25
220 smtp-auth-cc-rdu01.fedoraproject.org ESMTP Postfix

I checked the DB: all other SMTP providers configured use SMTP port 587, which is made specifically to send mail with authentication (so it is not blocked in the name of spam filtering by a ton of people). This one uses port 25, and there is no port 587 open on the server and this is not configured on the mail server side, so we can't just switch right now.

From here, there are multiple solutions:

  • convince Fedora to open port 587 and configure their server to use it.
  • use another SMTP provider. I see that Gmail, Mailchimp and Mimecast were configured for other conferences. They all use port 587, which shouldn't be blocked.

I think solution 2 is the easiest, but that requires discussing with Fedora folks first as they might have specific requirements regarding their mail domain. If the conference is attached to using only free software, we (OSPO) can provide an alternative to the aforementioned providers (which are arguably not free software), as we have the same setup as Fedora in the same location (and maybe even on servers sitting next to each other), except port 587 is open and usable.

Solution 1 depends on the Fedora infra team's willingness to make some changes in their playbooks. I took a look last night, and that's not a trivial task, as that part of the configuration would require a bit of refactoring and is a bit messy and also critical. However, I think that's the best solution longer term (but then, it might turn into a longer initiative, and that's not going to help in getting a quick fix).

To give a bit more information:

  • the cluster hosting CFP is the OSPO one, managed by RH SRE, on AWS. Opening the firewall requires 1 or 2 tickets (at best) to get RH SRE to look, and then AWS, and I guess surely whoever manages the RH account.

We can offer a relay in the community cage (on mx1.osci.io), but we want to clarify that that's OK for Fedora folks.

Also, a super dirty fast solution could be to use xinetd to relay port 587 to 25 on the server (so 1 file, 1 package, 1 service) (as the difference between the submission and SMTP ports is that submission is supposed to always ask for a password).
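As an added example (not code from the ticket or from the Fedora ansible repository), the /dev/tcp check above with a timeout, so a firewall-dropped port shows up as silence rather than a hang, plus parsers to tell a 220 greeting from an SSH banner and to confirm that a submission port advertises STARTTLS and AUTH; the host and ports are the ticket's, the EHLO name probe.invalid is made up.

```shell
#!/usr/bin/env bash
# Added example, not from the ticket or the Fedora ansible repo: the /dev/tcp
# check above with a timeout, so a dropped port reports "none" instead of
# hanging (the hang behind the 504), plus offline parsers for the replies.
# Usage: smtp_banner HOST PORT [SECS]; smtp_ehlo HOST PORT [SECS]
cr=$(printf '\r')

# First line a TCP port sends; empty if nothing arrives within $3 seconds.
smtp_banner() {
    timeout "${3:-5}" bash -c '
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        IFS= read -r -t "$3" l <&3 && printf "%s\n" "$l"' _ "$1" "$2" "${3:-5}"
}

# Send EHLO and print the multi-line reply ("250-" continues, "250 " ends it).
smtp_ehlo() {
    timeout "${3:-5}" bash -c '
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        IFS= read -r -t "$3" l <&3 || exit 1
        printf "EHLO probe.invalid\r\n" >&3
        while IFS= read -r -t "$3" l <&3; do
            printf "%s\n" "$l"; case $l in 250-*) ;; *) break ;; esac
        done; printf "QUIT\r\n" >&3' _ "$1" "$2" "${3:-5}"
}

# smtp for a 220 greeting, other if a non-SMTP service answered (the SSH
# banner above), none if the port stayed silent (blocked, like port 25 above).
classify_banner() {
    case ${1%"$cr"} in
        "")      echo none ;;
        "220 "*) echo smtp ;;
        *)       echo other ;;
    esac
}

# Hostname announced in the greeting, to compare with the name probed.
banner_host() {
    local rest=${1%"$cr"}; rest=${rest#220 }
    echo "${rest%% *}"
}

# Which of STARTTLS / AUTH an EHLO reply advertises: a submission port should
# offer both, which is what makes 587 the "always asks for a password" port.
ehlo_offers() {
    local out=""
    printf '%s\n' "$1" | grep -q '^250[- ]STARTTLS' && out="$out STARTTLS"
    printf '%s\n' "$1" | grep -q '^250[- ]AUTH' && out="$out AUTH"
    echo "${out# }"
}
```

`timeout` comes from coreutils; `smtp_banner` and `smtp_ehlo` open real connections, the other three functions work on captured strings, so the whole check is `b=$(smtp_banner HOST 587); classify_banner "$b"; ehlo_offers "$(smtp_ehlo HOST 587)"`.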

Metadata Update from @zlopez:
- Issue priority set to: None (was: Needs Review)
- Issue tagged with: high-gain, low-trouble, ops

a year ago

I created a PR in ansible repository to allow port 587. I will wait for @kevin to review first.

As I noted in the comment, it will enable 587, but it may not work because Postfix needs to be set up to accept emails properly (the last part of the comment from @misc). Getting that 'correctly' can be problematic as it can have knock-on effects. AKA because 587 is expected to be for authorized senders (aka with a password), SpamAssassin or other tools may assume email is 'more ok'. I don't know what SpamAssassin assumes these days, so it would need to be checked.

Also, this server is for sending to mailing lists on Mailman. It isn't clear in the first ticket what they are trying to send to, so it could be that additional changes in Mailman may be required.

Yes, we need to enable postfix there to listen on 587.

smooge: this one is specifically for servers that need to send to us and have a username/password. ;) Specifically this cfp service, but also copr and some other things now...

After looking a bit closer at the ansible playbooks, I think I was wrong and the change is simpler than what I said to jridky.

It seems that copying ./roles/base/files/postfix/master.cf/master.cf to ./roles/base/files/postfix/master.cf/master.cf.smtp-auth and uncommenting lines 10 to 13 (mostly lines 10 and 11, the others are already the default in main.cf) in the newly copied file would be sufficient (+ the firewall part zlopez already did).

So as I do not know how to rebase and push on someone else's PR (and I am maybe not authorized), I made another PR to complete @zlopez's one at https://pagure.io/fedora-infra/ansible/pull-request/1637

(sorry Michal for stealing the fix)

I've pushed that PR + a few extra commits and it seems to be working for me now. Can you please test?

Metadata Update from @kevin:
- Issue status updated to: Open (was: Closed)

a year ago

Email properly delivered, but it ended up in the spam folder. That might be caused by the fact that the confirmation email template is blank. But this is the event admin's issue.

Thanks for the fix.

Metadata Update from @zlopez:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago

