[MediaWiki-commits] [Gerrit] exim: split rt_relay into a separate config erb - change (operations/puppet)

2015-07-28 Thread Faidon Liambotis (Code Review)
Faidon Liambotis has submitted this change and it was merged.

Change subject: exim: split rt_relay into a separate config erb
..


exim: split rt_relay into a separate config erb

Copy the exim4.conf.SMTP_IMAP_MM.erb template into a separate one for RT
and remove all the conditionals in there that do not match the
combination of options supplied by role::requesttracker.

This change is a non-functional change; it has been tested and results
in a zero-diff, excluding whitespace changes and the removal of a
couple of unused/unreferenced domain lists.

Change-Id: Ibb583b0f7c462997fff3c8e19b1e7ce7f2c2ff90
---
M manifests/mail.pp
A templates/exim/exim4.conf.rt.erb
2 files changed, 227 insertions(+), 0 deletions(-)

Approvals:
  Faidon Liambotis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/mail.pp b/manifests/mail.pp
index 4638fc7..9e0ab97 100644
--- a/manifests/mail.pp
+++ b/manifests/mail.pp
@@ -64,6 +64,9 @@
 if $phab_relay {
 $config_template = template('exim/exim4.conf.phab.erb')
 $filter_template = template('exim/system_filter.conf.erb')
+} elsif $rt_relay {
+$config_template = template('exim/exim4.conf.rt.erb')
+$filter_template = template('exim/system_filter.conf.erb')
 } else {
 $config_template = template('exim/exim4.conf.SMTP_IMAP_MM.erb')
 $filter_template = template('exim/system_filter.conf.erb')
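Review bot: with the added `} elsif $rt_relay {` branch, all three arms of this conditional assign the same value to $filter_template, `template('exim/system_filter.conf.erb')`. Consider moving that assignment out of the if/elsif/else so that only $config_template varies per relay type; otherwise each new relay template adds another copy that can drift from the others.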
diff --git a/templates/exim/exim4.conf.rt.erb b/templates/exim/exim4.conf.rt.erb
new file mode 100644
index 000..f3e072a
--- /dev/null
+++ b/templates/exim/exim4.conf.rt.erb
@@ -0,0 +1,224 @@
+# This file is managed by puppet
+
+##
+# Macros #
+##
+
+CONFDIR=/etc/exim4
+
+###
+# Main configuration settings #
+###
+
+domainlist system_domains = @
+domainlist local_domains = %= @local_domains.join( : ) %
+
+# a list of domains to always respond defer; used for emergencies or planned 
downtimes
+domainlist defer_domains = lsearch;CONFDIR/defer_domains
+
+# Standard lists
+domainlist rt_domains = rt.wikimedia.org
+
+hostlist wikimedia_nets = ; %= 
scope.lookupvar('network::constants::all_networks').join( ; ) %
+hostlist relay_from_hosts = ; @[] ; 127.0.0.1 ; ::1 ;
+
+# Administration
+log_selector = +address_rewrite +all_parents +delivery_size +deliver_time 
+incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error 
+smtp_syntax_error +tls_cipher +tls_peerdn
+message_logs = false
+
+# Policy control
+acl_smtp_connect = acl_check_connect
+acl_smtp_rcpt = acl_check_rcpt
+acl_smtp_data = acl_check_data
+
+# Allow Phab, RT, OTRS to use any sender address
+untrusted_set_sender = *
+local_from_check = false
+
+system_filter = CONFDIR/system_filter
+
+# Resource control
+check_spool_space = 50M
+smtp_reserve_hosts = ; 127.0.0.1 ; ::1 ; +wikimedia_nets
+smtp_accept_queue_per_connection = 500
+
+deliver_queue_load_max = 800.0
+queue_only_load = 100.0
+remote_max_parallel = 500
+
+smtp_connect_backlog = 128
+smtp_receive_timeout = 1m
+smtp_accept_max = 4000
+smtp_accept_max_per_host = ${if 
match_ip{$sender_host_address}{+wikimedia_nets}{50}{5}}
+smtp_accept_reserve = 100
+
+# Lookups
+host_lookup = *
+rfc1413_hosts =
+
+# Other
+never_users = root : daemon : bin
+ignore_bounce_errors_after = 0h
+
+# force Gmail over IPv4 due to reports of bad spam reputation over IPv6
+dns_ipv4_lookup = gmail-smtp-in.l.google.com : aspmx.l.google.com
+
+###
+# Access Control Lists (ACLs) #
+###
+
+begin acl
+
+acl_check_rcpt:
+
+   # Accept if the source is local SMTP (a pipe)
+   accept hosts = :
+
+   # Deny if the local part contains @, %, /, | or !, or starts with a dot
+   deny local_parts = ^.*[@%!/|] : ^\\.
+
+   # Accept relaying from networks we control. Note: no address 
verification
+   # is done at this point, which is good for mail submission, but may 
render
+   # recipient callout verification by affected hosts useless.
+   accept domains = ! +local_domains
+   hosts = +relay_from_hosts
+   control = submission/sender_retain
+
+   # Require recipient domain to be local, or a domain we relay for
+   require message = Relay not permitted
+   domains = +local_domains : +relay_domains
+   set acl_m_relayed = yes
+
+   # use this only for emergencies or planned downtimes
+   defer   message = Administratively set to defer
+   domains = +defer_domains
+
+   # Accept mail for postmaster without further policy checking,
+   # for compliance with the RFCs
+   accept local_parts = postmaster : abuse
+   set acl_m2 = skip_spamd
+
+   # Verify the recipient address for local domains, or require the
+   # recipient domain to exist for remote domains
+
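Review bot: the `require message = Relay not permitted` statement in acl_check_rcpt tests `domains = +local_domains : +relay_domains`, but the main configuration section shown here defines only system_domains, local_domains, defer_domains and rt_domains. Since the commit message says a couple of unreferenced domain lists were removed, please confirm that relay_domains is still defined for the RT template, or drop it from this condition so the relay check reads as exactly what it enforces.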

[MediaWiki-commits] [Gerrit] exim: split rt_relay into a separate config erb - change (operations/puppet)

2015-06-08 Thread Faidon Liambotis (Code Review)
Faidon Liambotis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/216637

Change subject: exim: split rt_relay into a separate config erb
..

exim: split rt_relay into a separate config erb

Copy the exim4.conf.SMTP_IMAP_MM.erb template into a separate one for RT
and remove all the conditionals in there that do not match the
combination of options supplied by role::requesttracker.

This change is a non-functional change; it has been tested and results
in a zero-diff, excluding whitespace changes and the removal of a
couple of unused/unreferenced domain lists.

Change-Id: Ibb583b0f7c462997fff3c8e19b1e7ce7f2c2ff90
---
M manifests/mail.pp
A templates/exim/exim4.conf.rt.erb
2 files changed, 235 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/37/216637/1

diff --git a/manifests/mail.pp b/manifests/mail.pp
index 0b159a1..cd271f9 100644
--- a/manifests/mail.pp
+++ b/manifests/mail.pp
@@ -64,6 +64,9 @@
 if $phab_relay {
 $config_template = template('exim/exim4.conf.phab.erb')
 $filter_template = template('exim/system_filter.conf.erb')
+} elsif $rt_relay {
+$config_template = template('exim/exim4.conf.rt.erb')
+$filter_template = template('exim/system_filter.conf.erb')
 } else {
 $config_template = template('exim/exim4.conf.SMTP_IMAP_MM.erb')
 $filter_template = template('exim/system_filter.conf.erb')
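Review bot: the `} elsif $rt_relay {` branch is reached only when $phab_relay is false, so a node that sets both flags silently gets the Phabricator template. If the two options are meant to be mutually exclusive, a fail() when both are set, or a comment stating the precedence, would make that explicit.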
diff --git a/templates/exim/exim4.conf.rt.erb b/templates/exim/exim4.conf.rt.erb
new file mode 100644
index 000..9122fae
--- /dev/null
+++ b/templates/exim/exim4.conf.rt.erb
@@ -0,0 +1,232 @@
+# This file is managed by puppet
+
+##
+# Macros #
+##
+
+CONFDIR=/etc/exim4
+
+###
+# Main configuration settings #
+###
+
+domainlist system_domains = @
+domainlist local_domains = %= @local_domains.join( : ) %
+
+# a list of domains to always respond defer; used for emergencies or planned 
downtimes
+domainlist defer_domains = lsearch;CONFDIR/defer_domains
+
+# Standard lists
+domainlist rt_domains = rt.wikimedia.org
+
+hostlist wikimedia_nets = ; %= 
scope.lookupvar('network::constants::all_networks').join( ; ) %
+hostlist relay_from_hosts = ; @[] ; 127.0.0.1 ; ::1 ;
+
+# Administration
+log_selector = +address_rewrite +all_parents +delivery_size +deliver_time 
+incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error 
+smtp_syntax_error +tls_cipher +tls_peerdn
+message_logs = false
+
+# Policy control
+acl_smtp_connect = acl_check_connect
+acl_smtp_rcpt = acl_check_rcpt
+acl_smtp_data = acl_check_data
+
+# Allow Phab, RT, OTRS to use any sender address
+untrusted_set_sender = *
+local_from_check = false
+
+system_filter = CONFDIR/system_filter
+
+# Resource control
+check_spool_space = 50M
+smtp_reserve_hosts = ; 127.0.0.1 ; ::1 ; +wikimedia_nets
+smtp_accept_queue_per_connection = 500
+
+deliver_queue_load_max = 800.0
+queue_only_load = 100.0
+remote_max_parallel = 500
+
+smtp_connect_backlog = 128
+smtp_receive_timeout = 1m
+smtp_accept_max = 4000
+smtp_accept_max_per_host = ${if 
match_ip{$sender_host_address}{+wikimedia_nets}{50}{5}}
+smtp_accept_reserve = 100
+
+# Lookups
+host_lookup = *
+rfc1413_hosts =
+
+# Other
+never_users = root : daemon : bin
+ignore_bounce_errors_after = 0h
+
+# force Gmail over IPv4 due to reports of bad spam reputation over IPv6
+dns_ipv4_lookup = gmail-smtp-in.l.google.com : aspmx.l.google.com
+
+###
+# Access Control Lists (ACLs) #
+###
+
+begin acl
+
+acl_check_rcpt:
+
+   # Accept if the source is local SMTP (a pipe)
+   accept hosts = :
+
+   # Deny if the local part contains @, %, /, | or !, or starts with a dot
+   deny local_parts = ^.*[@%!/|] : ^\\.
+
+   # Accept relaying from networks we control. Note: no address 
verification
+   # is done at this point, which is good for mail submission, but may 
render
+   # recipient callout verification by affected hosts useless.
+   accept domains = ! +local_domains
+   hosts = +relay_from_hosts
+   control = submission/sender_retain
+
+   # Require recipient domain to be local, or a domain we relay for
+   require message = Relay not permitted
+   domains = +local_domains : +relay_domains
+   set acl_m_relayed = yes
+
+   # use this only for emergencies or planned downtimes
+   defer   message = Administratively set to defer
+   domains = +defer_domains
+
+   # Accept mail for postmaster without further policy checking,
+   # for compliance with the RFCs
+   accept local_parts = postmaster : abuse
+   set acl_m2 = skip_spamd
+
+   # Verify the recipient address for local domains, or require the
+   # recipient
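Review bot: the comment above `untrusted_set_sender = *` still reads "Allow Phab, RT, OTRS to use any sender address", although this template is now used for RT only; it should name RT alone. Because `*` together with `local_from_check = false` lets any local user submit mail with an arbitrary envelope sender and without the From: check, the comment should also say why RT needs the wildcard, or the pattern should be narrowed to the sender addresses RT actually uses.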