tickets #156502
openmx1 attempts connections to {discourse01,obsreview,paste}.i.o.o on port 25 over IPv4
0%
Description
The following is repeatedly observed:
Mar 03 17:20:20 asgard1 kernel: [asgard] Forward Dropped: IN=os-mail OUT=nat64 MACSRC=52:54:00:02:76:42 MACDST=d2:e1:4b:98:46:1f MACPROTO=0800 SRC=172.16.131.11 DST=172.16.164.160 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10313 DF PROTO=TCP SPT=39428 DPT=25 SEQ=3606642437 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT
Mar 03 17:22:19 asgard1 kernel: [asgard] Forward Dropped: IN=os-mail OUT=nat64 MACSRC=52:54:00:02:76:42 MACDST=d2:e1:4b:98:46:1f MACPROTO=0800 SRC=172.16.131.11 DST=172.16.164.163 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=33073 DF PROTO=TCP SPT=51932 DPT=25 SEQ=2072061109 ACK=0 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0 OPT
172.16.131.11 -> mx1.i.o.o (native)
172.16.164.160 -> discourse01.i.o.o (NAT64)
172.16.164.163 -> obsreview.i.o.o (NAT64)
TCP/25 -> SMTP (probably)
SMTP connectivity from mx* to discourse01 is expected, we permitted it in the past - however, it may not happen over IPv4. It needs to use IPv6 connectivity.
SMTP connectivity from mx* to obsreview is not expected, it should preferably be stopped on the source instead of having it run into firewall denials.
Updated by pjessen 10 months ago
I don't see any issue in $SUBJ, and I believe it is to be expected. mx1 will attempt to connect using ipv6, but will fall back to ipv4 when it does not work:
2024-03-03T00:25:04.172309+00:00 mx1 postfix/smtp[25170]: 2F7BB55FC: host discourse01.infra.opensuse.org[2a07:de40:b27e:1203::b47] said: 451 4.3.5 <noreply@forums.opensuse.org>: Recipient address rejected: Server configuration problem (in reply to RCPT TO command)
2024-03-03T00:25:04.176808+00:00 mx1 postfix/smtp[25169]: 24068575A: host discourse01.infra.opensuse.org[2a07:de40:b27e:1203::b47] said: 451 4.3.5 <a@forums.opensuse.org>: Recipient address rejected: Server configuration problem (in reply to RCPT TO command)
2024-03-03T00:25:04.184583+00:00 mx1 postfix/smtp[25175]: D1BC4579F: host discourse01.infra.opensuse.org[2a07:de40:b27e:1203::b47] said: 451 4.3.5 <noreply@forums.opensuse.org>: Recipient address rejected: Server configuration problem (in reply to RCPT TO command)
Updated by crameleon 10 months ago
Hi,
from the network side, it should work:
mx1 (mx1.o.o):~ # nc -6vz discourse01 25
Connection to discourse01 25 port [tcp/smtp] succeeded!
Then the issue with discourse01 is https://progress.opensuse.org/issues/137999?
Updated by pjessen 10 months ago
crameleon wrote in #note-4:
Hi,
from the network side, it should work:
mx1 (mx1.o.o):~ # nc -6vz discourse01 25 Connection to discourse01 25 port [tcp/smtp] succeeded!Then the issue with discourse01 is https://progress.opensuse.org/issues/137999?
Yup. Basically a poor mailserver config in need of some TLC. For instance, unknown addresses should be receive a permanent eject.
Updated by pjessen 10 months ago
- Is duplicate of tickets #137999: discourse01 - said 451 4.3.5 <zyka@forums.opensuse.org>: Recipient address rejected: Server configuration problem added
Updated by crameleon 5 months ago
- Subject changed from mx1 attempts connections to {discourse01,obsreview}.i.o.o on port 25 over IPv4 to mx1 attempts connections to {discourse01,obsreview,paste}.i.o.o on port 25 over IPv4
It seems to partially be bounce emails
E69B9796C 3543 Thu Jul 25 02:56:10 MAILER-DAEMON
(delivery temporarily suspended: connect to paste.infra.opensuse.org[2a07:de40:b27e:1203::c2]:25: Permission denied)
paste@paste.infra.opensuse.org
I'm not sure what paste.i.o.o would be sending that would even receive bounces, but maybe those should be re-routed to admin-auto@ somehow ?
Updated by cboltz 5 months ago ยท Edited
postcat -q $queueid helps to find out what's going on ;-)
The paste mails/bounces are caused by nuke_bad_patterns.rb running as paste. I added MAILTO=root to the crontab, but maybe adding >/dev/null might make more sense.
One of the forum bounce I checked is more interesting:
<wsch****@ameritech.net>: host al-ip4-mx-vip1.prodigy.net[144.160.235.143]
said: 553 5.3.0 alph732 DNSBL:RBL 521< 195.135.223.51 >_is_blocked.For
assistance forward this error to abuse_rbl@abuse-att.net (in reply to MAIL
FROM command)
So it looks like we ended up on their blacklist, and should ask to get removed.
Updated by cboltz 5 months ago
paste.i.o.o needed two additional changes to finally get mails from the paste user to admin-auto:
- main.cf:
mydestination = paste.infra.opensuse.orgso that the machine feels responsible for its own mails and applies /etc/aliases (we should probably salt this - makes sense on all VMs) - master.cf: restored original file from the postfix package (see master.cf_paste for the old, non-working previous file)
Updated by cboltz 5 months ago
main.cf mydestination gets fixed by https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/1997