[Box-Admins] [squeak-dev] SqueakMap down?

Levente Uzonyi leves at caesar.elte.hu
Mon Sep 7 15:15:54 UTC 2020


Hi Tobias,

On Mon, 7 Sep 2020, Tobias Pape wrote:

>
>> On 07.09.2020, at 01:32, Levente Uzonyi <leves at caesar.elte.hu> wrote:
>>
>> Hi Tobias,
>>
>> On Sun, 6 Sep 2020, Tobias Pape wrote:
>>
>>> Hi
>>>
>>>> On 06.09.2020, at 19:03, Levente Uzonyi <leves at caesar.elte.hu> wrote:
>>>>
>>>> Hi All,
>>>>
>>>> (CC'd board as well)
>>>>
>>>> I have restarted the image. It seemed to have been locked up by trying to send a password recovery email directly from the server instead of using our own mail server[1].
>>>> This is bad practice and the IP of the server has been rightfully added to some spam blacklists, hence the blocked image (which expects that email sending always succeeds...).
>>>> Outgoing emails should go through our own mail server. This needs to be changed ASAP, as I suppose a few more password reminders will result in a locked up image again.
>>>
>>> Maybe an outgoing iptables filter on port 25 for everything except adele.box alias mail.squeak.org would help avoid accidental blacklisting in the future?
>>
>> Indeed. I've just set that up. But, I think it won't solve the problem.
>> SqueakMap connects to the local mail server which (as I understand) forwards all emails to mail.squeak.org - aka adele.
>> ted is not whitelisted on mail.squeak.org, so all emails are rejected by adele due to ted's IP being blacklisted on zen.spamhaus.org.
>> ted's IP is blacklisted due to policy, so that can't be changed:
>> https://www.spamhaus.org/pbl/query/PBL1660625
>>
>> So, I think the solution is to either whitelist ted on adele, or make SqueakMap connect to adele directly. The latter won't solve the issue with other emails, like logwatch.
>
> Ted is whitelisted, as are all our servers, as long as they use the private IP (starting with 10.) as originating IP:
>
> adele% cat /etc/postfix/main.cf
>> mynetworks = 127.0.0.0/8 10.177.128.0/17 10.208.128.0/17 162.242.237.143/32

ted is not among those prefixes, as its IP address begins with 10.176.
Where are these ranges coming from?
Should I add ted there?

>>
> ted% ip a
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>    inet 162.242.226.14/24 brd 162.242.226.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>    inet 10.176.130.111/19 brd 10.176.159.255 scope global eth1
>>
>
> In any case, the servers I set up, I _think_ I preferred postfix; however, I always put adele as relay. That also should fix it…

adele's firewall rules didn't allow connections to port 25 from 
10.0.0.0/8. I just enabled that.

Also, ted is trying to connect to the public IP of adele (via
mail.squeak.org). Unless there's some routing magic in place right now 
redirecting packets to the internal network, ted will not be whitelisted 
on adele.
That can be changed, but then ted is still not whitelisted because of 
mynetworks.


Levente

>
> Best regards
> 	-Tobias
>
>>
>> If other servers also have their own local relays, then more images sending emails will run into this issue.
>>
>>
>> Levente
>>
>>> Best
>>> 	-Tobias
>>>
>>>>
>>>>
>>>> Levente
>>>>
>>>> [1] Relevant parts of the stack trace in case someone wants to have a look at the image:
>>>>
>>>> SMUtilities class>>mail:subject:message:
>>>> SMUtilities class>>mailPassword:for:
>>>> [] in SMSqueakMapView>>mailnewpassword {[username value isEmptyOrNil
>>>> ifFalse: [account := model accountForUsername...]}
>>>>
>>>>
>>>> On Sat, 5 Sep 2020, David T. Lewis wrote:
>>>>
>>>>> Forwarding to the box-admins list.
>>>>>
>>>>> The web interface for map.squeak.org is not responding, and updating
>>>>> a SqueakMap Package Loader from Squeak is not working. Presumably the
>>>>> server needs to be bumped.
>>>>>
>>>>> I'm not sure who has the keys to this?
>>>>>
>>>>> Thanks,
>>>>> Dave
>>>>>
>>>>>
>>>>> On Sat, Sep 05, 2020 at 03:44:45PM -0400, Phil B wrote:
>>>>>> It doesn't appear to be responding to requests (gateway time-out)
>
>
>
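
The mynetworks question discussed above, as an added example that is not part of the original thread: a small Python check of which source addresses a Postfix `mynetworks` value would trust, using the `mynetworks` line and ted's two addresses quoted in the messages. The function and constant names are hypothetical, and only the `mynetworks` setting is modelled (continuation lines, `!` exclusions and first-match-wins ordering), not `mynetworks_style` or lookup tables.

```python
import ipaddress
import re

# Constructed excerpt: the mynetworks line quoted in the thread.
ADELE_MAIN_CF = """\
# /etc/postfix/main.cf on adele (excerpt)
mynetworks = 127.0.0.0/8 10.177.128.0/17 10.208.128.0/17 162.242.237.143/32
"""
# ted's addresses from the `ip a` output quoted in the thread.
TED_ADDRS = {"eth0": "162.242.226.14", "eth1": "10.176.130.111"}

def parse_mynetworks(main_cf):
    """Return [(negated, network), ...] for the last mynetworks setting."""
    logical = []
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:   # indented line continues the previous one
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    value = ""
    for entry in logical:
        name, sep, rest = entry.partition("=")
        if sep and name.strip() == "mynetworks":
            value = rest                    # a later setting overrides an earlier one
    rules = []
    for token in re.split(r"[,\s]+", value.strip()):
        negated = token.startswith("!")
        cidr = token.lstrip("!").replace("[", "").replace("]", "")
        try:
            rules.append((negated, ipaddress.ip_network(cidr)))
        except ValueError:
            continue                        # lookup tables and file names are not resolved
    return rules

def is_trusted(client_ip, rules):
    """Match left to right and stop at the first hit; "!" entries exclude."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in rules:
        if addr.version == net.version and addr in net:
            return not negated
    return False

def check_ted():
    rules = parse_mynetworks(ADELE_MAIN_CF)
    return {ifname: is_trusted(ip, rules) for ifname, ip in TED_ADDRS.items()}

if __name__ == "__main__":
    for ifname, trusted in check_ted().items():
        print(f"ted {ifname} {TED_ADDRS[ifname]}: {'in' if trusted else 'NOT in'} mynetworks")
```

Whichever interface ted uses to reach adele, the address adele sees has to fall inside one of these entries before relaying is permitted on the basis of `mynetworks`.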

