[MediaWiki-commits] [Gerrit] exim: split phab_relay into a separate config erb - change (operations/puppet)

2015-06-08 Thread Faidon Liambotis (Code Review)
Faidon Liambotis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/216636

Change subject: exim: split phab_relay into a separate config erb
..

exim: split phab_relay into a separate config erb

Copy the exim4.conf.SMTP_IMAP_MM.erb template into a separate one for
Phabricator and remove all the conditionals in there that do not match
the combination of options supplied by role::phabricator::main.

This change is a non-functional change; it has been tested and results
in a zero-diff, excluding whitespace changes and the removal of a
couple of unused/unreferenced domain lists.

Change-Id: Id98c05bef7356ac4b9f2db49799d2d53b1931c1e
---
M manifests/mail.pp
A templates/exim/exim4.conf.phab.erb
2 files changed, 212 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/36/216636/1

diff --git a/manifests/mail.pp b/manifests/mail.pp
index f11c919..0b159a1 100644
--- a/manifests/mail.pp
+++ b/manifests/mail.pp
@@ -61,8 +61,13 @@
 include privateexim::listserve
 include exim4::ganglia
 
-$config_template = template('exim/exim4.conf.SMTP_IMAP_MM.erb')
-$filter_template = template('exim/system_filter.conf.erb')
+if $phab_relay {
+$config_template = template('exim/exim4.conf.phab.erb')
+$filter_template = template('exim/system_filter.conf.erb')
+} else {
+$config_template = template('exim/exim4.conf.SMTP_IMAP_MM.erb')
+$filter_template = template('exim/system_filter.conf.erb')
+}
 
 class { 'exim4':
 variant => 'heavy',
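Review bot: the `$filter_template` assignment is identical in both branches of the new `if $phab_relay` block, so only `$config_template` actually varies; keep `$filter_template = template('exim/system_filter.conf.erb')` unconditional and wrap just the `$config_template` selection, which also keeps the Phabricator and SMTP_IMAP_MM paths from drifting apart as the filter template changes.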
diff --git a/templates/exim/exim4.conf.phab.erb 
b/templates/exim/exim4.conf.phab.erb
new file mode 100644
index 000..20d98dc
--- /dev/null
+++ b/templates/exim/exim4.conf.phab.erb
@@ -0,0 +1,205 @@
+# This file is managed by puppet
+
+##
+# Macros #
+##
+
+CONFDIR=/etc/exim4
+
+###
+# Main configuration settings #
+###
+
+domainlist system_domains = @
+domainlist local_domains = <%= @local_domains.join(" : ") %>
+
+# a list of domains to always respond defer; used for emergencies or planned 
downtimes
+domainlist defer_domains = lsearch;CONFDIR/defer_domains
+
+# Standard lists
+domainlist phab_domains = phabricator.wikimedia.org
+
+hostlist wikimedia_nets = <; <%= 
scope.lookupvar('network::constants::all_networks').join(" ; ") %>
+hostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ;
+
+# Administration
+log_selector = +address_rewrite +all_parents +delivery_size +deliver_time 
+incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error 
+smtp_syntax_error +tls_cipher +tls_peerdn
+message_logs = false
+
+# Policy control
+acl_smtp_connect = acl_check_connect
+acl_smtp_rcpt = acl_check_rcpt
+acl_smtp_data = acl_check_data
+
+# Allow Phab, RT, OTRS to use any sender address
+untrusted_set_sender = *
+local_from_check = false
+
+system_filter = CONFDIR/system_filter
+
+# Resource control
+check_spool_space = 50M
+smtp_reserve_hosts = <; 127.0.0.1 ; ::1 ; +wikimedia_nets
+smtp_accept_queue_per_connection = 500
+
+deliver_queue_load_max = 800.0
+queue_only_load = 100.0
+remote_max_parallel = 500
+
+smtp_connect_backlog = 128
+smtp_receive_timeout = 1m
+smtp_accept_max = 4000
+smtp_accept_max_per_host = ${if 
match_ip{$sender_host_address}{+wikimedia_nets}{50}{5}}
+smtp_accept_reserve = 100
+
+# Lookups
+host_lookup = *
+rfc1413_hosts =
+
+# Other
+never_users = root : daemon : bin
+ignore_bounce_errors_after = 0h
+
+# force Gmail over IPv4 due to reports of bad spam reputation over IPv6
+dns_ipv4_lookup = gmail-smtp-in.l.google.com : aspmx.l.google.com
+
+###
+# Access Control Lists (ACLs) #
+###
+
+begin acl
+
+acl_check_rcpt:
+
+   # Accept if the source is local SMTP (a pipe)
+   accept hosts = :
+
+   # Deny if the local part contains @, %, /, | or !, or starts with a dot
+   deny local_parts = ^.*[@%!/|] : ^\\.
+
+   # Accept relaying from networks we control. Note: no address 
verification
+   # is done at this point, which is good for mail submission, but may 
render
+   # recipient callout verification by affected hosts useless.
+   accept domains = ! +local_domains
+   hosts = +relay_from_hosts
+   control = submission/sender_retain
+
+   # Require recipient domain to be local, or a domain we relay for
+   require message = Relay not permitted
+   domains = +local_domains : +relay_domains
+   set acl_m_relayed = yes
+
+   # use this only for emergencies or planned downtimes
+   defer   message = Administratively set to defer
+   domains = +defer_domains
+
+   # Accept mail for postmaster without further policy checking,
+   # for compliance with the RFCs
+   accept loc
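Review bot: `acl_check_rcpt` references `+relay_domains` in `domains = +local_domains : +relay_domains`, but the only domain lists declared in this hunk are `system_domains`, `local_domains`, `defer_domains` and `phab_domains`; the commit message says unused domain lists were removed, so confirm `relay_domains` was not among them (a reference to an undeclared named list is an error when Exim evaluates the ACL), or drop the `+relay_domains` term if the Phabricator host relays for no extra domains. The hunk as quoted in this message is cut off at `accept loc`, so the remainder of the file, including the `acl_check_connect` and `acl_check_data` ACLs named in the main section, cannot be reviewed from here.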

[MediaWiki-commits] [Gerrit] exim: split phab_relay into a separate config erb - change (operations/puppet)

2015-07-28 Thread Faidon Liambotis (Code Review)
Faidon Liambotis has submitted this change and it was merged.

Change subject: exim: split phab_relay into a separate config erb
..


exim: split phab_relay into a separate config erb

Copy the exim4.conf.SMTP_IMAP_MM.erb template into a separate one for
Phabricator and remove all the conditionals in there that do not match
the combination of options supplied by role::phabricator::main.

This change is a non-functional change; it has been tested and results
in a zero-diff, excluding whitespace changes and the removal of a
couple of unused/unreferenced domain lists.

Change-Id: Id98c05bef7356ac4b9f2db49799d2d53b1931c1e
---
M manifests/mail.pp
A templates/exim/exim4.conf.phab.erb
2 files changed, 204 insertions(+), 2 deletions(-)

Approvals:
  Faidon Liambotis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/mail.pp b/manifests/mail.pp
index e584797..4638fc7 100644
--- a/manifests/mail.pp
+++ b/manifests/mail.pp
@@ -61,8 +61,13 @@
 include privateexim::listserve
 include exim4::ganglia
 
-$config_template = template('exim/exim4.conf.SMTP_IMAP_MM.erb')
-$filter_template = template('exim/system_filter.conf.erb')
+if $phab_relay {
+$config_template = template('exim/exim4.conf.phab.erb')
+$filter_template = template('exim/system_filter.conf.erb')
+} else {
+$config_template = template('exim/exim4.conf.SMTP_IMAP_MM.erb')
+$filter_template = template('exim/system_filter.conf.erb')
+}
 
 class { 'exim4':
 variant => 'heavy',
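Review bot: `$phab_relay` is not declared, defaulted or passed as a parameter anywhere in the visible context of `if $phab_relay {`; in Puppet an unset variable evaluates as false, so a host that should get the Phabricator template would silently fall through to `exim/exim4.conf.SMTP_IMAP_MM.erb` with no error. Make the source of that variable explicit (a class parameter with a default, or a fully qualified lookup) so that an unset value is caught during catalog compilation rather than discovered as the wrong Exim config in production.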
diff --git a/templates/exim/exim4.conf.phab.erb 
b/templates/exim/exim4.conf.phab.erb
new file mode 100644
index 000..0a8898b
--- /dev/null
+++ b/templates/exim/exim4.conf.phab.erb
@@ -0,0 +1,197 @@
+# This file is managed by puppet
+
+##
+# Macros #
+##
+
+CONFDIR=/etc/exim4
+
+###
+# Main configuration settings #
+###
+
+domainlist system_domains = @
+domainlist local_domains = <%= @local_domains.join(" : ") %>
+
+# a list of domains to always respond defer; used for emergencies or planned 
downtimes
+domainlist defer_domains = lsearch;CONFDIR/defer_domains
+
+# Standard lists
+domainlist phab_domains = phabricator.wikimedia.org
+
+hostlist wikimedia_nets = <; <%= 
scope.lookupvar('network::constants::all_networks').join(" ; ") %>
+hostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ;
+
+# Administration
+log_selector = +address_rewrite +all_parents +delivery_size +deliver_time 
+incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error 
+smtp_syntax_error +tls_cipher +tls_peerdn
+message_logs = false
+
+# Policy control
+acl_smtp_connect = acl_check_connect
+acl_smtp_rcpt = acl_check_rcpt
+acl_smtp_data = acl_check_data
+
+# Allow Phab, RT, OTRS to use any sender address
+untrusted_set_sender = *
+local_from_check = false
+
+system_filter = CONFDIR/system_filter
+
+# Resource control
+check_spool_space = 50M
+smtp_reserve_hosts = <; 127.0.0.1 ; ::1 ; +wikimedia_nets
+smtp_accept_queue_per_connection = 500
+
+deliver_queue_load_max = 800.0
+queue_only_load = 100.0
+remote_max_parallel = 500
+
+smtp_connect_backlog = 128
+smtp_receive_timeout = 1m
+smtp_accept_max = 4000
+smtp_accept_max_per_host = ${if 
match_ip{$sender_host_address}{+wikimedia_nets}{50}{5}}
+smtp_accept_reserve = 100
+
+# Lookups
+host_lookup = *
+rfc1413_hosts =
+
+# Other
+never_users = root : daemon : bin
+ignore_bounce_errors_after = 0h
+
+# force Gmail over IPv4 due to reports of bad spam reputation over IPv6
+dns_ipv4_lookup = gmail-smtp-in.l.google.com : aspmx.l.google.com
+
+###
+# Access Control Lists (ACLs) #
+###
+
+begin acl
+
+acl_check_rcpt:
+
+   # Accept if the source is local SMTP (a pipe)
+   accept hosts = :
+
+   # Deny if the local part contains @, %, /, | or !, or starts with a dot
+   deny local_parts = ^.*[@%!/|] : ^\\.
+
+   # Accept relaying from networks we control. Note: no address 
verification
+   # is done at this point, which is good for mail submission, but may 
render
+   # recipient callout verification by affected hosts useless.
+   accept domains = ! +local_domains
+   hosts = +relay_from_hosts
+   control = submission/sender_retain
+
+   # Require recipient domain to be local, or a domain we relay for
+   require message = Relay not permitted
+   domains = +local_domains : +relay_domains
+   set acl_m_relayed = yes
+
+   # use this only for emergencies or planned downtimes
+   defer   message = Administratively set to defer
+   domains = +defer_domains
+
+   # Accept mail for postmaster without further policy checking,
+   # for compliance with the RFCs
+   accept local_parts = postmaster : abuse
+
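Review bot: `untrusted_set_sender = *` together with `local_from_check = false` lets any local process on the host set an arbitrary envelope sender and an unchecked From: header, and the accompanying comment still reads "Allow Phab, RT, OTRS to use any sender address" although this template is now Phabricator-only. Since the RT and OTRS cases were deliberately dropped from this copy, narrow `untrusted_set_sender` to the addresses Phabricator actually sends from (for example `*@phabricator.wikimedia.org`, matching the `phab_domains` list declared above, which is otherwise unreferenced in the visible part of the hunk) and update the comment to match; the tail of the file past `accept local_parts = postmaster : abuse` is not included in this message, so the remaining ACLs could not be checked for a compensating sender restriction.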