Faidon Liambotis has submitted this change and it was merged.
Change subject: exim: split phab_relay into a separate config erb
......................................................................
exim: split phab_relay into a separate config erb
Copy the exim4.conf.SMTP_IMAP_MM.erb template into a separate one for
Phabricator and remove all the conditionals in there that do not match
the combination of options supplied by role::phabricator::main.
This change is a non-functional change; it has been tested and results
into a zero-diff, excluding whitespace changes and the removal of a
couple of unused/unreferenced domain lists.
Change-Id: Id98c05bef7356ac4b9f2db49799d2d53b1931c1e
---
M manifests/mail.pp
A templates/exim/exim4.conf.phab.erb
2 files changed, 204 insertions(+), 2 deletions(-)
Approvals:
Faidon Liambotis: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/mail.pp b/manifests/mail.pp
index e584797..4638fc7 100644
--- a/manifests/mail.pp
+++ b/manifests/mail.pp
@@ -61,8 +61,13 @@
include privateexim::listserve
include exim4::ganglia
- $config_template = template('exim/exim4.conf.SMTP_IMAP_MM.erb')
- $filter_template = template('exim/system_filter.conf.erb')
+ if $phab_relay {
+ $config_template = template('exim/exim4.conf.phab.erb')
+ $filter_template = template('exim/system_filter.conf.erb')
+ } else {
+ $config_template = template('exim/exim4.conf.SMTP_IMAP_MM.erb')
+ $filter_template = template('exim/system_filter.conf.erb')
+ }
class { 'exim4':
variant => 'heavy',
diff --git a/templates/exim/exim4.conf.phab.erb
b/templates/exim/exim4.conf.phab.erb
new file mode 100644
index 0000000..0a8898b
--- /dev/null
+++ b/templates/exim/exim4.conf.phab.erb
@@ -0,0 +1,197 @@
+# This file is managed by puppet
+
+##########
+# Macros #
+##########
+
+CONFDIR=/etc/exim4
+
+###############################
+# Main configuration settings #
+###############################
+
+domainlist system_domains = @
+domainlist local_domains = <%= @local_domains.join(" : ") %>
+
+# a list of domains to always respond defer; used for emergencies or planned
downtimes
+domainlist defer_domains = lsearch;CONFDIR/defer_domains
+
+# Standard lists
+domainlist phab_domains = phabricator.wikimedia.org
+
+hostlist wikimedia_nets = <; <%=
scope.lookupvar('network::constants::all_networks').join(" ; ") %>
+hostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ;
+
+# Administration
+log_selector = +address_rewrite +all_parents +delivery_size +deliver_time
+incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error
+smtp_syntax_error +tls_cipher +tls_peerdn
+message_logs = false
+
+# Policy control
+acl_smtp_connect = acl_check_connect
+acl_smtp_rcpt = acl_check_rcpt
+acl_smtp_data = acl_check_data
+
+# Allow Phab, RT, OTRS to use any sender address
+untrusted_set_sender = *
+local_from_check = false
+
+system_filter = CONFDIR/system_filter
+
+# Resource control
+check_spool_space = 50M
+smtp_reserve_hosts = <; 127.0.0.1 ; ::1 ; +wikimedia_nets
+smtp_accept_queue_per_connection = 500
+
+deliver_queue_load_max = 800.0
+queue_only_load = 100.0
+remote_max_parallel = 500
+
+smtp_connect_backlog = 128
+smtp_receive_timeout = 1m
+smtp_accept_max = 4000
+smtp_accept_max_per_host = ${if
match_ip{$sender_host_address}{+wikimedia_nets}{50}{5}}
+smtp_accept_reserve = 100
+
+# Lookups
+host_lookup = *
+rfc1413_hosts =
+
+# Other
+never_users = root : daemon : bin
+ignore_bounce_errors_after = 0h
+
+# force Gmail over IPv4 due to reports of bad spam reputation over IPv6
+dns_ipv4_lookup = gmail-smtp-in.l.google.com : aspmx.l.google.com
+
+###############################
+# Access Control Lists (ACLs) #
+###############################
+
+begin acl
+
+acl_check_rcpt:
+
+ # Accept if the source is local SMTP (a pipe)
+ accept hosts = :
+
+ # Deny if the local part contains @, %, /, | or !, or starts with a dot
+ deny local_parts = ^.*[@%!/|] : ^\\.
+
+ # Accept relaying from networks we control. Note: no address
verification
+ # is done at this point, which is good for mail submission, but may
render
+ # recipient callout verification by affected hosts useless.
+ accept domains = ! +local_domains
+ hosts = +relay_from_hosts
+ control = submission/sender_retain
+
+ # Require recipient domain to be local, or a domain we relay for
+ require message = Relay not permitted
+ domains = +local_domains : +relay_domains
+ set acl_m_relayed = yes
+
+ # use this only for emergencies or planned downtimes
+ defer message = Administratively set to defer
+ domains = +defer_domains
+
+ # Accept mail for postmaster without further policy checking,
+ # for compliance with the RFCs
+ accept local_parts = postmaster : abuse
+ set acl_m2 = skip_spamd
+
+ # Verify the recipient address for local domains, or require the
+ # recipient domain to exist for remote domains
+ require verify = recipient
+
+ accept
+
+acl_check_connect:
+ # We only accept mail from our own mail relays
+ require message = This server does not accept external mail
+ hosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets
+
+ accept
+
+acl_check_data:
+ accept
+
+###########
+# Routers #
+###########
+
+begin routers
+
+# Use the system aliasfile /etc/aliases for system domains
+system_aliases:
+ driver = redirect
+ domains = +system_domains
+ data = ${lookup{$local_part}lsearch{/etc/aliases}}
+ pipe_transport = address_pipe
+ allow_fail
+ allow_defer
+ forbid_file
+
+# Mail destined for Phabricator
+
+eat:
+ driver = redirect
+ domains = +phab_domains
+ local_parts = no-reply
+ data = :blackhole:
+
+phabricator_bound:
+ driver = redirect
+ domains = +phab_domains
+ redirect_router = phab
+ data = general$local_part_suffix@$domain
+ no_verify
+
+phab:
+ driver = accept
+ domains = +phab_domains
+ transport = phab_pipe
+
+<% if !@smart_route_list.empty? then -%>
+# Send all mail not destined for the local machine via a set of
+# mail relays ("smart hosts")
+smart_route:
+ driver = manualroute
+ transport = remote_smtp
+ # Local mail is undeliverable and remote mail is forwarded
+ route_list = !+local_domains <%= @smart_route_list.join(":") %>
+<% end %>
+
+##############
+# Transports #
+##############
+
+begin transports
+
+# Generic remote SMTP transport
+
+remote_smtp:
+ driver = smtp
+ hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0
+
+# Generic pipe local delivery transport (for use by alias/forward files)
+
+address_pipe:
+ driver = pipe
+ return_output
+
+# phabricator transport
+phab_pipe:
+ driver = pipe
+ batch_max = 5
+ command = /usr/local/bin/phab_epipe.py
+ environment = $address_data
+ user = mail
+ group = mail
+ return_fail_output
+
+###############
+# Retry rules #
+###############
+
+begin retry
+
+* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
--
To view, visit https://gerrit.wikimedia.org/r/216636
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Id98c05bef7356ac4b9f2db49799d2d53b1931c1e
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Rush <r...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
