[MediaWiki-commits] [Gerrit] exim: split rt_relay into a separate config erb - change (operations/puppet)
Faidon Liambotis has submitted this change and it was merged. Change subject: exim: split rt_relay into a separate config erb .. exim: split rt_relay into a separate config erb Copy the exim4.conf.SMTP_IMAP_MM.erb template into a separate one for RT and remove all the conditionals in there that do not match the combination of options supplied by role::requesttracker. This change is a non-functional change; it has been tested and results in a zero-diff, excluding whitespace changes and the removal of a couple of unused/unreferenced domain lists. Change-Id: Ibb583b0f7c462997fff3c8e19b1e7ce7f2c2ff90 --- M manifests/mail.pp A templates/exim/exim4.conf.rt.erb 2 files changed, 227 insertions(+), 0 deletions(-) Approvals: Faidon Liambotis: Looks good to me, approved jenkins-bot: Verified diff --git a/manifests/mail.pp b/manifests/mail.pp index 4638fc7..9e0ab97 100644 --- a/manifests/mail.pp +++ b/manifests/mail.pp @@ -64,6 +64,9 @@ if $phab_relay { $config_template = template('exim/exim4.conf.phab.erb') $filter_template = template('exim/system_filter.conf.erb') +} elsif $rt_relay { +$config_template = template('exim/exim4.conf.rt.erb') +$filter_template = template('exim/system_filter.conf.erb') } else { $config_template = template('exim/exim4.conf.SMTP_IMAP_MM.erb') $filter_template = template('exim/system_filter.conf.erb') diff --git a/templates/exim/exim4.conf.rt.erb b/templates/exim/exim4.conf.rt.erb new file mode 100644 index 000..f3e072a --- /dev/null +++ b/templates/exim/exim4.conf.rt.erb 
@@ -0,0 +1,224 @@ +# This file is managed by puppet + +## +# Macros # +## + +CONFDIR=/etc/exim4 + +### +# Main configuration settings # +### + +domainlist system_domains = @ +domainlist local_domains = %= @local_domains.join( : ) % + +# a list of domains to always respond defer; used for emergencies or planned downtimes +domainlist defer_domains = lsearch;CONFDIR/defer_domains + +# Standard lists +domainlist rt_domains = rt.wikimedia.org + +hostlist wikimedia_nets = ; %= scope.lookupvar('network::constants::all_networks').join( ; ) % +hostlist relay_from_hosts = ; @[] ; 127.0.0.1 ; ::1 ; + +# Administration +log_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn +message_logs = false + +# Policy control +acl_smtp_connect = acl_check_connect +acl_smtp_rcpt = acl_check_rcpt +acl_smtp_data = acl_check_data + +# Allow Phab, RT, OTRS to use any sender address +untrusted_set_sender = * +local_from_check = false + +system_filter = CONFDIR/system_filter + +# Resource control +check_spool_space = 50M +smtp_reserve_hosts = ; 127.0.0.1 ; ::1 ; +wikimedia_nets +smtp_accept_queue_per_connection = 500 + +deliver_queue_load_max = 800.0 +queue_only_load = 100.0 +remote_max_parallel = 500 + +smtp_connect_backlog = 128 +smtp_receive_timeout = 1m +smtp_accept_max = 4000 +smtp_accept_max_per_host = ${if match_ip{$sender_host_address}{+wikimedia_nets}{50}{5}} +smtp_accept_reserve = 100 + +# Lookups +host_lookup = * +rfc1413_hosts = + +# Other +never_users = root : daemon : bin +ignore_bounce_errors_after = 0h + +# force Gmail over IPv4 due to reports of bad spam reputation over IPv6 +dns_ipv4_lookup = gmail-smtp-in.l.google.com : aspmx.l.google.com + +### +# Access Control Lists (ACLs) # +### + +begin acl + +acl_check_rcpt: + + # Accept if the source is local SMTP (a pipe) + accept hosts = : + + # Deny if the local part contains @, %, /, | or !, or 
starts with a dot + deny local_parts = ^.*[@%!/|] : ^\\. + + # Accept relaying from networks we control. Note: no address verification + # is done at this point, which is good for mail submission, but may render + # recipient callout verification by affected hosts useless. + accept domains = ! +local_domains + hosts = +relay_from_hosts + control = submission/sender_retain + + # Require recipient domain to be local, or a domain we relay for + require message = Relay not permitted + domains = +local_domains : +relay_domains + set acl_m_relayed = yes + + # use this only for emergencies or planned downtimes + defer message = Administratively set to defer + domains = +defer_domains + + # Accept mail for postmaster without further policy checking, + # for compliance with the RFCs + accept local_parts = postmaster : abuse + set acl_m2 = skip_spamd + + # Verify the recipient address for local domains, or require the + # recipient domain to exist for remote domains +
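Review bot: in the manifests/mail.pp hunk, the `$filter_template = template('exim/system_filter.conf.erb')` line added to the new `elsif $rt_relay` branch is identical to the one in the `if $phab_relay` and `else` branches, so only `$config_template` actually varies between the three; assigning `$filter_template` once above the conditional and keeping the branches for `$config_template` alone would shrink the hunk and remove the copy-paste.

Review bot: in the templates/exim/exim4.conf.rt.erb hunk, `acl_check_rcpt` relies on `domains = +local_domains : +relay_domains`, but the visible part of the new template only defines `system_domains`, `local_domains`, `defer_domains` and `rt_domains`; since the commit message says unused domain lists were removed, please confirm a `domainlist relay_domains` still exists further down the file, or drop `+relay_domains` if RT should never relay for other domains, because Exim reports an unknown named list as an error when the ACL runs rather than at startup. In the same section, `rt_domains` is defined but not referenced anywhere visible, so check it is still consumed by a router later on; otherwise it is one of the dead lists this change set out to remove.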
[MediaWiki-commits] [Gerrit] exim: split rt_relay into a separate config erb - change (operations/puppet)
Faidon Liambotis has uploaded a new change for review. https://gerrit.wikimedia.org/r/216637 Change subject: exim: split rt_relay into a separate config erb .. exim: split rt_relay into a separate config erb Copy the exim4.conf.SMTP_IMAP_MM.erb template into a separate one for RT and remove all the conditionals in there that do not match the combination of options supplied by role::requesttracker. This change is a non-functional change; it has been tested and results in a zero-diff, excluding whitespace changes and the removal of a couple of unused/unreferenced domain lists. Change-Id: Ibb583b0f7c462997fff3c8e19b1e7ce7f2c2ff90 --- M manifests/mail.pp A templates/exim/exim4.conf.rt.erb 2 files changed, 235 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/37/216637/1 diff --git a/manifests/mail.pp b/manifests/mail.pp index 0b159a1..cd271f9 100644 --- a/manifests/mail.pp +++ b/manifests/mail.pp @@ -64,6 +64,9 @@ if $phab_relay { $config_template = template('exim/exim4.conf.phab.erb') $filter_template = template('exim/system_filter.conf.erb') +} elsif $rt_relay { +$config_template = template('exim/exim4.conf.rt.erb') +$filter_template = template('exim/system_filter.conf.erb') } else { $config_template = template('exim/exim4.conf.SMTP_IMAP_MM.erb') $filter_template = template('exim/system_filter.conf.erb') diff --git a/templates/exim/exim4.conf.rt.erb b/templates/exim/exim4.conf.rt.erb new file mode 100644 index 000..9122fae --- /dev/null +++ b/templates/exim/exim4.conf.rt.erb 
@@ -0,0 +1,232 @@ +# This file is managed by puppet + +## +# Macros # +## + +CONFDIR=/etc/exim4 + +### +# Main configuration settings # +### + +domainlist system_domains = @ +domainlist local_domains = %= @local_domains.join( : ) % + +# a list of domains to always respond defer; used for emergencies or planned downtimes +domainlist defer_domains = lsearch;CONFDIR/defer_domains + +# Standard lists +domainlist rt_domains = rt.wikimedia.org + +hostlist wikimedia_nets = ; %= scope.lookupvar('network::constants::all_networks').join( ; ) % +hostlist relay_from_hosts = ; @[] ; 127.0.0.1 ; ::1 ; + +# Administration +log_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn +message_logs = false + +# Policy control +acl_smtp_connect = acl_check_connect +acl_smtp_rcpt = acl_check_rcpt +acl_smtp_data = acl_check_data + +# Allow Phab, RT, OTRS to use any sender address +untrusted_set_sender = * +local_from_check = false + +system_filter = CONFDIR/system_filter + +# Resource control +check_spool_space = 50M +smtp_reserve_hosts = ; 127.0.0.1 ; ::1 ; +wikimedia_nets +smtp_accept_queue_per_connection = 500 + +deliver_queue_load_max = 800.0 +queue_only_load = 100.0 +remote_max_parallel = 500 + +smtp_connect_backlog = 128 +smtp_receive_timeout = 1m +smtp_accept_max = 4000 +smtp_accept_max_per_host = ${if match_ip{$sender_host_address}{+wikimedia_nets}{50}{5}} +smtp_accept_reserve = 100 + +# Lookups +host_lookup = * +rfc1413_hosts = + +# Other +never_users = root : daemon : bin +ignore_bounce_errors_after = 0h + +# force Gmail over IPv4 due to reports of bad spam reputation over IPv6 +dns_ipv4_lookup = gmail-smtp-in.l.google.com : aspmx.l.google.com + +### +# Access Control Lists (ACLs) # +### + +begin acl + +acl_check_rcpt: + + # Accept if the source is local SMTP (a pipe) + accept hosts = : + + # Deny if the local part contains @, %, /, | or !, or 
starts with a dot + deny local_parts = ^.*[@%!/|] : ^\\. + + # Accept relaying from networks we control. Note: no address verification + # is done at this point, which is good for mail submission, but may render + # recipient callout verification by affected hosts useless. + accept domains = ! +local_domains + hosts = +relay_from_hosts + control = submission/sender_retain + + # Require recipient domain to be local, or a domain we relay for + require message = Relay not permitted + domains = +local_domains : +relay_domains + set acl_m_relayed = yes + + # use this only for emergencies or planned downtimes + defer message = Administratively set to defer + domains = +defer_domains + + # Accept mail for postmaster without further policy checking, + # for compliance with the RFCs + accept local_parts = postmaster : abuse + set acl_m2 = skip_spamd + + # Verify the recipient address for local domains, or require the + # recipient
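Review bot: in the manifests/mail.pp hunk, the new branch is ordered `if $phab_relay { ... } elsif $rt_relay { ... }`, so a host that ends up with both `$phab_relay` and `$rt_relay` set silently gets the phab template and the RT one is never selected; if the two flags are meant to be mutually exclusive, a `fail()` when both are true would make that explicit instead of relying on evaluation order.

Review bot: in the templates/exim/exim4.conf.rt.erb hunk, the comment `# Allow Phab, RT, OTRS to use any sender address` above `untrusted_set_sender = *` and `local_from_check = false` was carried over from the shared template; in an RT-only file it should name RT alone, and it is worth stating why RT needs untrusted local users to set arbitrary envelope senders, since that is the setting that justifies the relaxation. Note also that this patchset adds 232 lines while the merged version adds 224; the visible portion is identical in both, so the eight dropped lines are presumably the unused domain lists mentioned in the commit message and sit below the cut shown here.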