Faidon has submitted this change and it was merged.
Change subject: exim: revert DKIM signing for wikimedia.org
......................................................................
exim: revert DKIM signing for wikimedia.org
There's currently two problem with the DKIM signing on remote_smtp. The
first one is that sodium also serves as a backup MX, relaying mails to
mchenry, so it would happily sign unrelated incoming mails (e.g. spam)
with our domain.
The second problem is that even if we switch dkim_domain to
$sender_host_address (effectively signing only with From:
@wikimedia.org), it will still happily accept spoofed mails with From
@wikimedia.org To: @wikimedia.org and sign them, which isn't really the
intended behavior.
So we really need to not sign relayed traffic at all and this can't
happen with some refactoring & splitting transports. Revert this for
now, as it's really wrong to sign potentially spoofed mails in the
meantime.
(this has been reverted manually soon after signing was merged, so this
wasn't live for long)
Change-Id: I3f04c3e7ac05881532f83cd34628a69f9c925b54
---
M templates/exim/exim4.conf.SMTP_IMAP_MM.erb
1 file changed, 5 insertions(+), 9 deletions(-)
Approvals:
Faidon: Looks good to me, approved
jenkins-bot: Verified
diff --git a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb
b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb
index 525c20d..a6e694c 100644
--- a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb
+++ b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb
@@ -345,7 +345,7 @@
<% if mediawiki_relay == "true" then -%>
# Route mail generated by MediaWiki differently
wiki_mail:
-domains = ! +local_domains
+ domains = ! +local_domains
driver = dnslookup
condition = ${if
and{{match_ip{$interface_address}{WIKI_INTERFACE}}{eqi{$header_X-Mailer:}{MediaWiki
mailer}}}}
errors_to = w...@wikimedia.org
@@ -668,12 +668,6 @@
<% if (enable_otrs_server == "false" ) -%>
interface = <; <%= outbound_ips.join(" ; ") %>
<% end -%>
-<% if ( enable_mail_relay != "false" ) -%>
- dkim_domain = wikimedia.org
- dkim_selector = wikimedia
- dkim_private_key = /etc/exim4/dkim/wikimedia.org-wikimedia.key
- dkim_canon = relaxed
-<% end -%>
<% if enable_mailman == "true" -%>
list_smtp:
@@ -683,12 +677,14 @@
helo_data = lists.wikimedia.org
dkim_domain = lists.wikimedia.org
dkim_selector = wikimedia
- dkim_private_key = /etc/exim4/dkim/lists.wikimedia.org-wikimedia.key
+ dkim_private_key = ${if
exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}
dkim_canon = relaxed
<% end -%>
<% if mediawiki_relay == "true" -%>
# Transport for sending out automated bulk (wiki) mail
+# DKIM signed with wikimedia.org irrespective of actual sender domain
+# but using a separate selector that only allows "wiki" as the local part
bulk_smtp:
driver = smtp
hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0
@@ -696,7 +692,7 @@
helo_data = <; wiki-mail.wikimedia.org ; lists.wikimedia.org
dkim_domain = wikimedia.org
dkim_selector = wiki-mail
- dkim_private_key = /etc/exim4/dkim/wikimedia.org-wiki-mail.key
+ dkim_private_key = ${if
exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}
dkim_canon = relaxed
<% end -%>
--
To view, visit https://gerrit.wikimedia.org/r/80189
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I3f04c3e7ac05881532f83cd34628a69f9c925b54
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon <fai...@wikimedia.org>
Gerrit-Reviewer: Faidon <fai...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
