Page MenuHomePhabricator
Create Task
Maniphest T47828

Implement mail aliases for Cloud-VPS projects (<novaproject>@wmcloud.org)
Open, LowPublic
Actions

Description

Project membership information can be pulled from the OpenStack keystone API.

The Toolforge project itself has something like this that routes emails for <tool>@tools.wmflabs.org to the shared tool account where it can be processed using .forward files. That processing is LDAP based, using a lookup script and exim4 configuration.

Possible implementations:

  • *@<project>.wmcloud.org forwards to project admins
  • <project>@<something>.wmcloud.org forwards to project admins
  • <project>-(admins|members)@<something>.wmcloud.org forwards to project admins/members
  • ...

Having some kind of optional per-project address -> destination mapping similar to the Toolforge feature would also be nice, but that is not necessary for an initial implementation.

Ideally this base feature can also be leveraged to fix T61142: root@<labs-instance> should email project admins either directly or indirectly.

Details

Reference
bz45828

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 1:25 AM
bzimport added a project: Cloud-VPS.
bzimport set Reference to bz45828.
Krinkle created this task.Mar 7 2013, 7:07 AM
Aklapper removed RyanLane as the assignee of this task.Apr 26 2015, 12:11 PM
Aklapper added a project: Cloud-Services.Apr 29 2015, 12:18 PM
faidon mentioned this in T41785: Create a Cloud VPS SMTP smarthost.Aug 30 2017, 7:08 PM
bd808 added a parent task: T174608: Improve SMTP inbound/outbound services.Aug 30 2017, 7:36 PM
bd808 added subscribers: herron, bd808, Legoktm.
In T41785#3567033, @Legoktm wrote:

I was actually just asking @bd808 about the status of mail access for Cloud VPS projects yesterday. At least for my use case, it would be great if mail to <something>@<projectname>.wmflabs.org (where something is fixed string(s) or any string) just worked for forwarding to the project members, without any setup required in the individual project.

In T41785#3567268, @bd808 wrote:
In T41785#3567033, @Legoktm wrote:

it would be great if mail to <something>@<projectname>.wmflabs.org (where something is fixed string(s) or any string) just worked for forwarding to the project members, without any setup required in the individual project.

I'd love to see some solution for this too. One potentially tricky step here is that project membership information has been moved out of the LDAP directory and is now completely managed in OpenStack's keystone API. Next tricky step is that <projectname>.wmflabs.org does not exist in DNS by default. This could be handled by the *.wmflabs.org MX record suggested by @herron in T41785#3566374 though. It is possible for projectX to register an HTTP proxy named projectY.wmflabs.org which could complicate/confuse things based on hostname level forwarding. It might be simpler to use addresses like <projectname>@<vps mail relay identifier>.wmflabs.org for the "contact a project's members" use-case. <vps mail relay identifier> could be something like projects or vps.

bd808 merged a task: T166349: Support per project user email address $project-admins@wmflabs.org.Aug 30 2017, 8:01 PM
bd808 added subscribers: Paladox, Zppix, Dzahn, Aklapper.
bd808 renamed this task from Labs: Implement mail aliases for projects (<novaproject>@wmflabs.org) to Implement mail aliases for Cloud-VPS projects (<novaproject>@wmflabs.org).Aug 30 2017, 8:15 PM
bd808 removed a project: Cloud-Services.
bd808 updated the task description. (Show Details)
Framawiki subscribed.Aug 30 2017, 9:51 PM
Krinkle unsubscribed.Sep 4 2017, 7:58 PM
Dzahn unsubscribed.Sep 6 2017, 5:33 PM
zhuyifei1999 subscribed.Feb 14 2018, 10:45 PM
Krinkle awarded a token.Feb 15 2018, 12:25 AM
GTirloni added a project: cloud-services-team (Kanban).Mar 21 2019, 6:58 PM
Nintendofan885 subscribed.Aug 25 2020, 11:47 AM
Legoktm mentioned this in T128715: Add all Cloud VPS project administrators to the Prometheus notification group for each project.Oct 20 2020, 5:15 PM
bd808 renamed this task from Implement mail aliases for Cloud-VPS projects (<novaproject>@wmflabs.org) to Implement mail aliases for Cloud-VPS projects (<novaproject>@wmcloud.org).Oct 20 2020, 5:19 PM
bd808 updated the task description. (Show Details)
Nintendofan885 updated the task description. (Show Details)Oct 20 2020, 5:25 PM
Nintendofan885 updated the task description. (Show Details)
Nintendofan885 updated the task description. (Show Details)
bd808 mentioned this in T215217: deployment-prep (beta cluster): Code stewardship request.Nov 30 2020, 8:45 PM
dpifke subscribed.Nov 30 2020, 9:28 PM
Krenair subscribed.Dec 1 2020, 1:50 AM
taavi subscribed.Mar 6 2021, 7:53 AM
Legoktm added a comment.Mar 29 2021, 8:42 PM

Another usecase for this: https://gerrit.wikimedia.org/r/c/operations/puppet/+/675352/1 root@ cronspam, etc. should go to the VPS maintainers, not whomever answers root@wmcloud.org.

bd808 mentioned this in T281600: Request creation of wikinewsie VPS project.May 3 2021, 7:20 PM
taavi added a project: User-Majavah.Jul 11 2021, 1:25 PM

I have a use case for this as well (T128715), so I'll work on this at some point unless someone else is faster or explicitely wants to deal with mail server configuration. My plan for this is the following, questions and feedback are appreciated.

  1. Add mail servers in WMCS that deal with incoming mail for WMCS domains. Those will likely exist in the "cloudinfra" project, and be either co-located with the outgoing mail servers (mx-out*) or have their own dedicated servers. Currently wmflabs.org is handled by production mx*.wikimedia.org (and sends some aliases to Andrew only), while wmcloud.org, wikimediacloud.org and wikimedia.cloud have no MX records. This first iteration can be rather simple and do nothing except respond to some important pre-defined addresses (root@, security@, abuse@, so on) by forwarding those to some TBD group of people.
  2. Add support for username@wmcloud.org forwarding, like username@toolforge.org currently forwards to the LDAP-defined address for Toolforge user "username". We can likely adapt the lookup script Toolforge uses and replace "project-tools" with "project-bastion" (which is IMO a suitable check for Cloud VPS access).
    • do we need forwarding config support, like we have with ~/.forward on Toolforge? if so, how?
  3. Finally we add support for project forwards. I'm not exactly sure which form those will take yet, but will likely be implemented as a Exim redirect script that loads the list of project members / admins from LDAP or Keystone and returns them in the form of "shellname1@wmcloud.org, shellname2@wmcloud.org". Exim is smart enough to note those addresses have additional forwarding rules set.
Chlod subscribed.Aug 4 2021, 6:37 AM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 9:47 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
bd808 mentioned this in T347512: Some emails from The Wikipedia Library aren't being received as expected.Nov 30 2023, 10:53 PM
bd808 added a comment.Dec 1 2023, 12:26 AM
In T47828#7203503, @taavi wrote:
  1. Add support for username@wmcloud.org forwarding, like username@toolforge.org currently forwards to the LDAP-defined address for Toolforge user "username". We can likely adapt the lookup script Toolforge uses and replace "project-tools" with "project-bastion" (which is IMO a suitable check for Cloud VPS access).
    • do we need forwarding config support, like we have with ~/.forward on Toolforge? if so, how?

I don't think that adding specialty forwards at the Developer account level is necessary. We could add support for <account>+<arbitrary suffix>@wmcloud.org style subaddressing fairly easily via local_part_suffix config in exim.

bd808 added a comment.Dec 1 2023, 12:30 AM

When poking at T347512: Some emails from The Wikipedia Library aren't being received as expected I realized that we will probably also need to create SPF records for each <project>.wmcloud.org subdomain if we go with the subdomain per-project option or folks will end up surprised when they try to send mail with their <something>@<project>.wmcloud.org addresses as the envelope From.

Frostly subscribed.Jan 7 2024, 8:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL