Faidon Liambotis has submitted this change and it was merged.

Change subject: mail: add inbound TLS support for main MXes
......................................................................


mail: add inbound TLS support for main MXes

Support STARTTLS on our primary mail exchanges. Also add a monitoring
check for it, that also checks for the certificate's expiry date and
warns 30 days in advance.

Bug: T101452
Change-Id: Ia03c93948d7ffdeaedccd166fd3ed42ab05ae9a2
---
M manifests/role/mail.pp
M modules/icinga/templates/check_commands/smtp.cfg.erb
M templates/exim/exim4.conf.mx.erb
3 files changed, 15 insertions(+), 5 deletions(-)

Approvals:
  Faidon Liambotis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/role/mail.pp b/manifests/role/mail.pp
index 9571cfd..e3ef8c7 100644
--- a/manifests/role/mail.pp
+++ b/manifests/role/mail.pp
@@ -86,7 +86,7 @@
 
     monitoring::service { 'smtp':
         description   => 'Exim SMTP',
-        check_command => 'check_smtp',
+        check_command => 'check_smtp_tls',
     }
 
     ferm::service { 'exim-smtp':
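Review bot: the service description stays 'Exim SMTP' while the check behind it now also negotiates STARTTLS and evaluates certificate expiry; consider something like `description => 'Exim SMTP (STARTTLS)'` so that a certificate-expiry alert is recognisable from its title rather than only from the plugin output. The unchanged `ferm::service { 'exim-smtp': ... }` below is fine as is, since STARTTLS is negotiated on the existing SMTP port and needs no additional firewall opening.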
diff --git a/modules/icinga/templates/check_commands/smtp.cfg.erb 
b/modules/icinga/templates/check_commands/smtp.cfg.erb
index 70e40cf..cb67197 100644
--- a/modules/icinga/templates/check_commands/smtp.cfg.erb
+++ b/modules/icinga/templates/check_commands/smtp.cfg.erb
@@ -1,6 +1,11 @@
-# 'check_smtp' command definition
-define command{
+define command {
         command_name    check_smtp
-        # workaround Debian #578333
+        # workaround Debian #578333 with -F
         command_line    $USER1$/check_smtp -F <%= @fqdn %> -H $HOSTADDRESS$
-        }
+}
+
+define command {
+        command_name    check_smtp_tls
+        # set critical days for expiry to 30
+        command_line    $USER1$/check_smtp -F <%= @fqdn %> -H $HOSTADDRESS$ 
--starttls -D 30
+}
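Review bot: the comment above `check_smtp_tls` says "set critical days for expiry to 30", but the commit message says the check "warns" 30 days in advance; these describe different alert states. Please verify which threshold a single `-D 30` sets for this version of `check_smtp` (the plugin accepts a second comma-separated value for a separate threshold) and either correct the comment or pass both thresholds explicitly, e.g. `--starttls -D 30,7`, so that the warning and critical behaviour is stated in the definition rather than left implicit. The `-F <%= @fqdn %>` workaround is correctly carried over to the new command, so the Debian #578333 issue applies to both.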
diff --git a/templates/exim/exim4.conf.mx.erb b/templates/exim/exim4.conf.mx.erb
index 0206791..ac55aaf 100644
--- a/templates/exim/exim4.conf.mx.erb
+++ b/templates/exim/exim4.conf.mx.erb
@@ -79,6 +79,11 @@
 never_users = root : daemon : bin
 ignore_bounce_errors_after = 0h
 
+# TLS
+tls_certificate = /etc/ssl/localcerts/mail.wikimedia.org.chained.crt
+tls_privatekey = /etc/ssl/private/mail.wikimedia.org.key
+tls_advertise_hosts = *
+
 # force Gmail over IPv4 due to reports of bad spam reputation over IPv6
 dns_ipv4_lookup = gmail-smtp-in.l.google.com : aspmx.l.google.com
 
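Review bot: `tls_privatekey` points at `/etc/ssl/private/mail.wikimedia.org.key`, but nothing in this change manages that file or its permissions. Exim reads the key as its unprivileged run-time user, so if the key is only readable by root the listener will still advertise STARTTLS (because `tls_advertise_hosts = *`) while every handshake fails, which the new `check_smtp_tls` check would catch but only after merge. It should be confirmed that the certificate and key are deployed elsewhere with permissions the Exim user can read. Separately, the block sets no `tls_require_ciphers`, so accepted ciphers fall back to the TLS library default; pinning a modern cipher list here would make the inbound policy explicit.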

-- 
To view, visit https://gerrit.wikimedia.org/r/240351
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ia03c93948d7ffdeaedccd166fd3ed42ab05ae9a2
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits