Opened 10 years ago

Closed 10 years ago

#1229 closed Bug/Something is broken (fixed)

Salvage Emails sent to wrong server

Reported by: https://id.mayfirst.org/intranet-schr Owned by: https://id.mayfirst.org/jamie
Priority: Urgent Component: Tech
Keywords: dns mx record email ssl certificate Cc: awillem@…
Sensitive: no

Description

Hi Folks,

I was working with our DNS folks for the current site to establish a subdomain (intranet.schr.org) and point intranet-schr.mayfirst.org to that domain, but ran into some issues. As a result, a lot of emails over the weekend (all external emails) were sent to albizu instead of the current email server. Here are my questions...

  1. What I wanted is for the schr.org everything (mail, etc) to not get touched. And at the same time, I wanted for the intranet.schr.org to get up as soon as possible so that I don't have to get a wildcard SSL certificate. So for the short-term, I created a subdomain on NetworkSolutions, but not understanding their interface, had the emails pointed to albizu. So when I look this morning in the "Maildir/new" folder, I see a lot of emails... What I need is to get those emails back out once the problem has been fixed via Network Solutions so that everyone's email over the weekend and today goes to the right place.
  2. Is my understanding correct? I was seeing some weird activity in the logs for our intranet site (mostly non-malicious robot type stuff), and because this is a law office, it is really important that the site be secure right from the start, which is why I opted for the shorter term solution in #1166, to be followed soon by the long term solution.
  3. In the process of creating the csr and key, I went to the wiki on that. The instructions that you gave created a csr and key: intranet.schr.key/intranet.schr.csr instead of intranet.schr.org.csr and intranet.schr.org.key. When I did it the first way, the keys were rejected by the people I was buying the certificate from. When I did it the second way, they were accepted. So I am assuming that the instructions on your wiki are correct, and the ones in the 1177 were missing the .org part. I just wanted to make sure.

I appreciate your help.

Ana

Change History (6)

comment:1 Changed 10 years ago by https://id.mayfirst.org/intranet-schr

  • Cc awillem@… added

just fyi, i am watching this support ticket for information as we are still unable to retrieve or get emails coming from the outside world...

comment:2 follow-up: Changed 10 years ago by https://id.mayfirst.org/alfredo

I'm confused about a couple of things, Ana.

First thing, we don't have authority over this domain so the email should never be coming here. Network Solutions still has this domain. Are you saying you're finding email in the mail subdir on our servers? Was it that you established some record at NetSol to bounce your email? But the thing is there are not email addresses here for the Center's domain so I don't understand how they got here. Were they "defaulted" and dropped in as non-existent users?

Second, robot activity on a site is normal and non-harmful (as you say). Having a secure site if there is any visitor-site interaction is always important but I'm fuzzy as to what, precisely, needs to be secured at this point in the site's development. Can you just give us a bit of an idea as to what you need secured? The certificate might not do what you need (I mean the secure layer that the cert identifies) or it might be unnecessary. I just can't tell without knowing a bit more.

Anyway, this is probably all wet since I haven't been following this situation but I guess I need a bit more info to try and help from here.

comment:3 in reply to: ↑ 2 Changed 10 years ago by https://id.mayfirst.org/intranet-schr

Replying to https://id.mayfirst.org/alfredo:

> I'm confused about a couple of things, Ana.
>
> First thing, we don't have authority over this domain so the email should never be coming here. Network Solutions still has this domain. Are you saying you're finding email in the mail subdir on our servers? Was it that you established some record at NetSol to bounce your email? But the thing is there are not email addresses here for the Center's domain so I don't understand how they got here. Were they "defaulted" and dropped in as non-existent users?

Hi Alfredo,

What happened is that, on Friday, when I was on the phone with the folks at Network Solutions, the information that they gave me was incomplete. We wanted to create a subdomain, and have that subdomain point to you all, using the static IP. What happened was on their interface, it asked for an email server, and I put in albizu.mayfirst.org - not understanding that this would screw everything up. And it did. We got everything switched back earlier - so hopefully by the end of the day today, that will not be happening. However, there seem to have been email messages that were picked up by albizu in the meantime, as evidenced when I go into /users/Maildir/new/ and see that there are a lot of entries there...

What I need to be able to do is get any email that was sent to albizu during the screw up (if indeed there was any) sent back into the system so that our proper email server can get them. I found a link online: http://osdir.com/ml/mail.maildrop/2006-04/msg00024.html that talks about a script:

for f in $MAILDIR/new/*; do sendmail user@domain <"$f"; done

but I'm not sure if it would work or from where/how I should execute it. The basic idea is that I pointed the mx record to albizu accidentally, and we need to get those emails out and back to the people who they were originally sent to. I do not know how outgoing mail was affected (it isn't clear) and so if there is a way that I can see that from Albizu, that would also be great.

> Second, robot activity on a site is normal and non-harmful (as you say). Having a secure site if there is any visitor-site interaction is always important but I'm fuzzy as to what, precisely, needs to be secured at this point in the site's development. Can you just give us a bit of an idea as to what you need secured? The certificate might not do what you need (I mean the secure layer that the cert identifies) or it might be unnecessary. I just can't tell without knowing a bit more.

We are a law office, and deal with death penalty cases and civil cases, and likely have a lot of enemies within the power elite legal mishmash folk. The intranet site will have a lot of conversations about cases, strategies, etc, that it would be bad for the folks who don't like us to be able to get their hands on. We may also have some documents stored there, in which case it's even more important that these documents would not get into hands of people we do not want seeing them as they could have information about legal strategy, etc.

Is that the information you were looking for?

Thanks for any help you can provide...

Ana

> Anyway, this is probably all wet since I haven't been following this situation but I guess I need a bit more info to try and help from here.

comment:4 Changed 10 years ago by https://id.mayfirst.org/alfredo

Okay, great! Recovering email -- any script that would send email back would have to be specially installed so I'm going to await jamie's return tomorrow (Tuesday) to figure out what we should do. In the meantime, don't do any script installation on your end. We'll help you deal with this and anyway that stuff is now safe so another few hours probably aren't going to hurt that much.

Two approaches to the intranet site that should be implemented:

1 -- Secure layer (which you're doing)

2 -- Basic visitor security -- i.e. close off that site to non-authorized users (which you can easily do based on what you have up there). And you should have any problem at all. I think a separate intranet site is the way to do things and that's set up over here properly so you're all set. All you have to do is implement the security stuff which is what you're doing.

I think your approach is 100 percent solid. Do you need our help with any of this?

comment:5 Changed 10 years ago by https://id.mayfirst.org/jamie

Just now getting back in town and scanning the queue...

The mail script you copied above should work almost as is. You can run it by first ssh'ing in as the user who owns the mailbox that the messages were delivered to. Then type:

for f in Maildir/new/*; do mail real-user@domain.org <"$f"; done

Replace "real-user@…" with the actual email address you want to send the messages to.

Another approach would be to configure an email program like Thunderbird to connect via IMAP to both albizu and to the existing server. Then, you could simply drag the messages from one Inbox to the other.

As for the security stuff - I had some suggestions in comment 4 of ticket 1177. Let's continue the discussion there.
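
The re-injection loop discussed in comments 3 and 5, written out with a dry-run mode and per-message bookkeeping so a rerun cannot send duplicates. This is an added example, not part of the ticket or May First's tooling; the `SENDMAIL` variable, the `reinject` function and the `resent` folder are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: re-inject messages that landed in the wrong Maildir.
# Usage: . ./reinject.sh; reinject "$HOME/Maildir" real-user@domain.org --dry-run
# SENDMAIL and the "resent" folder name are assumptions, not from the ticket.
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"

# reinject MAILDIR RECIPIENT [--dry-run]
# Prints the number of messages handled; returns non-zero if any send failed.
reinject() {
    maildir=$1; rcpt=$2; dry=${3:-}
    sent=0; failed=0
    [ -d "$maildir/new" ] || { echo "no such maildir: $maildir" >&2; return 2; }
    # Refuse an empty recipient or one that would be parsed as an option.
    case $rcpt in ''|-*) echo "bad recipient: $rcpt" >&2; return 2 ;; esac
    [ "$dry" = "--dry-run" ] || mkdir -p "$maildir/resent" || return 2
    for f in "$maildir"/new/*; do
        [ -f "$f" ] || continue        # empty directory: the glob stays literal
        if [ "$dry" = "--dry-run" ]; then
            echo "would send: $f" >&2
            sent=$((sent + 1))
            continue
        fi
        # -i: a line holding only "." does not end the message early.
        # The file goes in unchanged, so the original headers are preserved.
        if "$SENDMAIL" -i "$rcpt" < "$f"; then
            # Move out of new/ so a second run does not resend it.
            mv "$f" "$maildir/resent/" && sent=$((sent + 1))
        else
            echo "failed, left in place: $f" >&2
            failed=$((failed + 1))
        fi
    done
    echo "$sent"
    [ "$failed" -eq 0 ]
}
```

Run it first with `--dry-run` as the mailbox owner and compare the count against the number of files in `Maildir/new` before sending for real.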

comment:6 Changed 10 years ago by https://id.mayfirst.org/intranet-schr

  • Resolution set to fixed
  • Status changed from new to closed
