infra/tickets
23
8
Fork 1
Code Issues 88 Projects Wiki Activity Actions

some improvements on smtp-auth-cc-rdu01.fedoraproject.org #12835

New issue
Open
opened 2025-10-06 20:10:40 +00:00 by kevin · 12 comments
kevin commented 2025-10-06 20:10:40 +00:00
Owner
Copy link

A few improvements we need to do on this machine.

This vm is used to relay (authenticated) emails out to people from various places (copr cron outputs, flock / conference stuff, packager reports).

  1. It would be nice to adjust postfix config to not leak the headers/ips from the orig systems, ie something like https://serverfault.com/a/998993 or the like

  2. The ssl cert on this machine is a self signed one, but it's also expired. Would be nice to generate a new one and make sure to keep it up to date.

A few improvements we need to do on this machine. This vm is used to relay (authenticated) emails out to people from various places (copr cron outputs, flock / conference stuff, packager reports). 1. It would be nice to adjust postfix config to not leak the headers/ips from the orig systems, ie something like https://serverfault.com/a/998993 or the like 2. The ssl cert on this machine is a self signed one, but it's also expired. Would be nice to generate a new one and make sure to keep it up to date.
james commented 2025-10-07 19:07:20 +00:00
Member
Copy link

Metadata Update from @james:

  • Issue priority set to: Waiting on Assignee (was: Needs Review)
  • Issue tagged with: low-gain, medium-trouble
**Metadata Update from @james**: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-gain, medium-trouble
kevin commented 2025-11-06 22:43:07 +00:00
Author
Owner
Copy link

The cert has been fixed.

The config change hasn't been done yet.

The cert has been fixed. The config change hasn't been done yet.
gotmax23 commented 2025-11-07 21:33:29 +00:00
Copy link

I imported the new self-signed cert into my local trust store and tried to run the orphans email script without disabling tls verification. It now fails with Error: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead. Would it be possible to fix this or to use a letsencrypt cert? If the server can have port 80 opened, one could be gotten with the HTTP-01 challenge and auto-renewed with certbot or similar.

I imported the new self-signed cert into my local trust store and tried to run the orphans email script without disabling tls verification. It now fails with `Error: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead`. Would it be possible to fix this or to use a letsencrypt cert? If the server can have port 80 opened, one could be gotten with the HTTP-01 challenge and auto-renewed with certbot or similar.
kevin commented 2026-01-20 00:15:50 +00:00
Author
Owner
Copy link

I don't think I like the idea of running a web server on this instance just for this... it exposes it a lot more. :(

@james might you be able to look at a new cert without this problem above?

I don't think I like the idea of running a web server on this instance just for this... it exposes it a lot more. :( @james might you be able to look at a new cert without this problem above?
gotmax23 commented 2026-04-14 14:47:33 +00:00
Copy link

Any updates here, particularly about the Postfix config changes? The cert issue I can at least work around by locally disabling TLS verification, but I can't work around the Postfix IP leaking.

Any updates here, particularly about the Postfix config changes? The cert issue I can at least work around by locally disabling TLS verification, but I can't work around the Postfix IP leaking.
zlopez self-assigned this 2026-04-22 10:45:06 +00:00
zlopez commented 2026-04-22 10:45:47 +00:00
Owner
Copy link

So I created this PR to add the config changes. But let's wait for freeze to end before merging it.

So I created this [PR](https://forge.fedoraproject.org/infra/ansible/pulls/3297) to add the config changes. But let's wait for freeze to end before merging it.
zlopez commented 2026-05-05 07:57:42 +00:00
Owner
Copy link

The PR is now merged and the IP should be hidden. @gotmax23 Could you check if this is what you wanted?

The PR is now merged and the IP should be hidden. @gotmax23 Could you check if this is what you wanted?
gotmax23 commented 2026-05-07 03:13:02 +00:00
Copy link

Yes, the headers look good now. Thanks zlopez!

Yes, the headers look good now. Thanks zlopez!
zlopez commented 2026-05-07 10:00:28 +00:00
Owner
Copy link

Anything else we need to do here or is this OK to close now?

Anything else we need to do here or is this OK to close now?
zlopez commented 2026-05-25 08:46:21 +00:00
Owner
Copy link

Closing this as done, as there doesn't seem to be anything needed from our side.

Closing this as done, as there doesn't seem to be anything needed from our side.
gotmax23 commented 2026-05-26 22:26:40 +00:00
Copy link

zlopez wrote in #12835 (comment):

Anything else we need to do here or is this OK to close now?

No, the TLS cert issue is still outstanding.

zlopez wrote in https://forge.fedoraproject.org/infra/tickets/issues/12835#issuecomment-698458: > Anything else we need to do here or is this OK to close now? No, the TLS cert issue is still outstanding.
zlopez reopened this issue 2026-06-01 11:21:03 +00:00
zlopez commented 2026-06-01 11:22:27 +00:00
Owner
Copy link

@james I see Kevin mentioned you regarding the tls cert issue. Could you look into it?

@james I see Kevin mentioned you regarding the tls cert issue. Could you look into it?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels   
announcement

   
anubis
Issues related to anubis

  
authentication
Authentication related issues

  
aws
Issues related to Amazon Web Services

  
backlog
Tasks that will take longer then ~4 hours to do

  
blocked
Issue is blocked

  
bodhi
Issues with Bodhi

  
ci
Continuous Integration

  
cloud
Items in FedoraInfraCloud or COmmunishift

  
communishift
issues/questions about os.edorainfracloud.org ( Community OpenShift)

  
copr
COPR system (run by other team)

  
database
Issues related to databases

  
day-to-day
These are small self contained tasks that are part of normal operations, but are async from sprint planning.

  
dc-move
Items related to datacenter move

  
deprecated
Tools which Infrastructure may not be able to fix

  
dev
Tasks requiring some dev work

  
discourse
outsourced tool

  
dns
Changes or problems with DNS

  
downloads
rsync,dl.fp.o,AWS,torrents

  
easyfix

   
epel
Issues relating to epel

  
firmitas

   
forgejo_migration
Request migration to the new forge

  
Gain
High
 task that gets us a lot / is important / makes many people happy

  
Gain
Low
 tasks that gets us little / isn't very important / makes only 1 person or few happy

  
Gain
Medium
 task that gets us some / is somewhat important / makes some people happy

  
gitlab

   
greenwave
Issues with greenwave

  
hardware
Problem is with Fedora Infrastructure Owned/Leased Hardware

  
help wanted

   
high-trouble
task that is complex/long/difficult

  
koji
Issues with the build system

  
koschei
Items needing Koschei team

  
lists
issues with lists

  
low-trouble
task that is easy/short

  
medium-trouble
task that is medium complex / difficult

  
mirrorlists
Way to tell systems where downloads are

  
monitoring

   
Needs investigation

   
odcs
On Demand Compose Service issues

  
OpenShift
Issues with OpenShift

  
ops
ops problem now...

  
outage

   
packager_workflow_blocker
Blocks the packager workflow

  
pagure
Issues with pagure.io

  
permissions
Items which need permissions set in outside tools

  
Priority
Needs Review
 Priority of Needs Review

  
Priority
Next Meeting
 Priority of Next Meeting

  
Priority
🔥 URGENT 🔥
 Priority of 🔥 URGENT 🔥

  
Priority
Waiting on Assignee
 Priority of Waiting on Assignee

  
Priority
Waiting on External
 Priority of Waiting on External

  
Priority
Waiting on Reporter
 Priority of Waiting on Reporter

  
rabbitmq
issues with the message broker

  
release-monitoring
release-monitoring.org (Anitya)

  
releng
For problems which should be in the releng ticket system

  
request-for-resources

   
s390x
The secondary architecture hardware and problems related with it

  
security

   
SMTP
Email issues outside of lists (DMARC, SPF, aliases)

  
sprint-0

   
sprint-1

   
src.fp.o
Issues related to src.fedoraproject.org

  
staging
Issues in staging

  
unfreeze
Patches to be applied after freeze is lifted

  
waiverdb
Issues with waiverdb

  
websites-general
General items with a website focus

  
wiki
Issues with the Wiki

  
Backlog Status
Needs Review
 Work items that have been created or updated but need review, refinement, or approval before they can be considered ready for sprint planning.

  
Backlog Status
Ready
 Work items that have been reviewed, refined, and are ready to be committed to a sprint. These items have clear requirements and can be worked on immediately when capacity is available.

  
chore
Work that needs to be done but doesn't add new functionality or fix bugs. Maintenance tasks that keep the system running smoothly and the codebase clean.

  
documentation
Work focused on creating, updating, or improving documentation for users, developers, or system administrators.

  
points
01
 A task that is simple, small, and has very little uncertainty. It should be easy enough for any team member to pick up and complete quickly, without a lot of discussion or research.

  
points
02
 This is a task that is slightly more complex or larger than a "1." It might involve two or three simple steps, but the outcome is still very clear and there's little uncertainty.

  
points
03
 Medium-sized task with some noticeable complexity. It might require a bit more thought or collaboration. The steps are well-defined, but it's not a trivial change.

  
points
05
 A significant piece of work. It has more complexity and a higher degree of uncertainty than smaller tasks. It might require some research, a design discussion, or collaboration across multiple teams.

  
points
08
 Complex task with a lot of uncertainty. It's often the largest size that a team will consider for a single sprint. It likely requires a detailed breakdown and multiple team members to complete.

  
points
13
 Any task that feels like it's a "13" or more is considered an Epic. These are too large and uncertain to be worked on in a single sprint and should be broken down.

  
Priority
High
 This is for work that is critical and needs to be addressed in the next sprint. It's often for urgent bugs, important features, or a major piece of technical debt that is blocking other work.

  
Priority
Low
 This is for work that is good to do but not urgent. It's a candidate for being worked on when there's extra time or when it rises in importance. It can stay in the backlog for a longer period.

  
Priority
Medium
 This is for important work that should be done soon, but isn't as urgent as a high-priority item. It will likely be considered for the next 1-2 sprints.

  
Sprint Status
Blocked
 Work items that cannot progress due to external dependencies, blockers, or issues that need resolution.

  
Sprint Status
Done
 Work items that have been completed, reviewed, and integrated. No further work is needed within the current sprint.

  
Sprint Status
In Progress
 Work items currently being worked on by a team member. Active development, research, or implementation is happening.

  
Sprint Status
Review
 Work items that are complete but need review, testing, or approval before being marked as done.

  
Sprint Status
To Do
 Work items that are committed to the sprint but haven't been started yet. These items are ready to be picked up by team members.

  
Technical Debt
Work that addresses shortcuts, workarounds, or suboptimal implementations that were done previously to meet deadlines. These items improve code quality, maintainability, or performance without adding new features.

  
Work Item
Bug
 Issues where the system is not working as intended or designed. Bugs represent deviations from expected behavior.

  
Work Item
Epic
 Large initiatives that are broken down into multiple smaller work items (user stories, tasks, bugs). Epics represent significant features or projects that span multiple sprints.

  
Work Item
Spike
 Time-boxed research, investigation, or proof-of-concept work to reduce uncertainty or explore solutions. Spikes help inform future development decisions.

  
Work Item
Task
 Used to break down larger user stories into smaller, manageable implementation pieces. They focus on the specific technical steps needed to deliver the user story's value.

  
Work Item
User Story
 User-facing features or functionality that can be framed from a user perspective, describing what someone wants to accomplish and why.

No labels
announcement
anubis
authentication
aws
backlog
blocked
bodhi
ci
cloud
communishift
copr
database
day-to-day
dc-move
deprecated
dev
discourse
dns
downloads
easyfix
epel
firmitas
forgejo_migration
Gain
High
Gain
Low
Gain
Medium
gitlab
greenwave
hardware
help wanted
high-trouble
koji
koschei
lists
low-trouble
medium-trouble
mirrorlists
monitoring
Needs investigation
odcs
OpenShift
ops
outage
packager_workflow_blocker
pagure
permissions
Priority
Needs Review
Priority
Next Meeting
Priority
🔥 URGENT 🔥
Priority
Waiting on Assignee
Priority
Waiting on External
Priority
Waiting on Reporter
rabbitmq
release-monitoring
releng
request-for-resources
s390x
security
SMTP
sprint-0
sprint-1
src.fp.o
staging
unfreeze
waiverdb
websites-general
wiki
Backlog Status
Needs Review
Backlog Status
Ready
chore
documentation
points
01
points
02
points
03
points
05
points
08
points
13
Priority
High
Priority
Low
Priority
Medium
Sprint Status
Blocked
Sprint Status
Done
Sprint Status
In Progress
Sprint Status
Review
Sprint Status
To Do
Technical Debt
Work Item
Bug
Work Item
Epic
Work Item
Spike
Work Item
Task
Work Item
User Story
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
zlopez
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
infra/tickets#12835
No description provided.