Filippo Giunchedi has uploaded a new change for review. https://gerrit.wikimedia.org/r/160632
Change subject: partially enable outbound SMTP STARTTLS support ...................................................................... partially enable outbound SMTP STARTTLS support The idea is to add another tls-enabled smtp transport to selectively enable STARTTLS support for outbound mail. The initial selection includes "internal" destinations like otrs/rt/phab and remote destinations but strictly not user-facing (e.g. google apps) Change-Id: I0f9505f4e2972411385f8ff303ee3d4cdbba4bf7 --- M templates/exim/exim4.conf.SMTP_IMAP_MM.erb 1 file changed, 14 insertions(+), 8 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/32/160632/1 diff --git a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb index 66559a1..6e12795 100644 --- a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb +++ b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb @@ -332,7 +332,7 @@ driver = manualroute domains = +donate_domains route_list = * barium.frack.eqiad.wmnet byname - transport = remote_smtp + transport = remote_smtp_tls # Route non-local domains (including +relay_domains) via DNS MX and A records dnslookup: @@ -470,7 +470,7 @@ {true}fail} local_part_suffix = +* local_part_suffix_optional - transport = remote_smtp + transport = remote_smtp_tls route_list = * aspmx.l.google.com ldap_group: @@ -482,7 +482,7 @@ {true}fail} local_part_suffix = +* local_part_suffix_optional - transport = remote_smtp + transport = remote_smtp_tls route_list = * aspmx.l.google.com ldap_alias: @@ -500,7 +500,7 @@ local_parts = lsearch;CONFDIR/imap_accounts local_part_suffix = +* local_part_suffix_optional - transport = remote_smtp + transport = remote_smtp_tls route_list = * sanger.wikimedia.org # send phabricator.wm.org emails to Phabricator 
@@ -508,14 +508,14 @@ driver = manualroute domains = +phab_domains route_list = * iridium.eqiad.wmnet byname - transport = remote_smtp + transport = remote_smtp_tls # Send RT mails to the RT server rt: driver = manualroute domains = +rt_domains route_list = * magnesium.wikimedia.org byname - transport = remote_smtp + transport = remote_smtp_tls # Query the OTRS MySQL server(s) for the existence of the queue address # $local_part@$domain, and manually route to the OTRS server if @@ -525,7 +525,7 @@ domains = +local_domains condition = ${lookup mysql{OTRSQUERY}{true}fail} route_list = * iodine.wikimedia.org byname - transport = remote_smtp + transport = remote_smtp_tls <% end %> <% if enable_imap_delivery == true then -%> # Run a custom user filter, e.g. to sort mail into subfolders @@ -617,7 +617,7 @@ # mail relays ("smart hosts") smart_route: driver = manualroute - transport = remote_smtp + transport = remote_smtp_tls route_list = * <%= smart_route_list.join(":") %> <% end %> @@ -636,6 +636,12 @@ interface = <; <%= outbound_ips.join(" ; ") %> <% end -%> +remote_smtp_tls: + driver = smtp +<% if !outbound_ips.empty? then -%> + interface = <; <%= outbound_ips.join(" ; ") %> +<% end -%> + remote_smtp_signed: driver = smtp hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0 -- To view, visit https://gerrit.wikimedia.org/r/160632 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0f9505f4e2972411385f8ff303ee3d4cdbba4bf7 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Filippo Giunchedi <fgiunch...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
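Review bot: The new remote_smtp_tls transport (hunk @@ -636,6 +636,12) sets only "driver = smtp" and the optional "interface" line, so nothing in it enforces TLS. It works by omitting the "hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0" line that remote_smtp_signed carries in the context just below it. That makes STARTTLS opportunistic under Exim's defaults: it is attempted when the peer advertises it, and delivery goes out in clear text when the advertisement is missing or stripped. For the fixed hosts named in the route_list lines of the other hunks (iridium.eqiad.wmnet, magnesium.wikimedia.org, iodine.wikimedia.org, barium.frack.eqiad.wmnet), consider setting hosts_require_tls on this transport, or on a separate transport for those routers, so that a downgrade defers the message instead of sending it unencrypted. If opportunistic behaviour is what is wanted for this first step, a comment above "remote_smtp_tls:" saying so, and saying how it differs from remote_smtp, would keep the next reader from assuming the name means TLS is mandatory.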
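Review bot: The smart_route change (hunk @@ -617,7 +617,7) has no "domains" restriction in the visible lines, so every message relayed through the smart hosts moves to remote_smtp_tls. That is wider than the selection the commit message describes (internal destinations like otrs/rt/phab plus non-user-facing remote destinations). Please confirm this is intended and mention smart_route in the commit message, or leave this router on remote_smtp until the selective rollout has been observed on the other routers.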