BryanDavis has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/377697 )

Change subject: tools: add an exim sender blocklist
......................................................................

tools: add an exim sender blocklist

Add an /etc/exim4/deny_senders.list file that can be used to selectively
deny sending outbound mail based on the envelope sender's address.

Change-Id: Ifc3c017ec84ff9645bc265f8ecd420c260aa44a8
---
M modules/toollabs/manifests/mailrelay.pp
M modules/toollabs/templates/mail-relay.exim4.conf.erb
2 files changed, 16 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/97/377697/1

diff --git a/modules/toollabs/manifests/mailrelay.pp 
b/modules/toollabs/manifests/mailrelay.pp
index 4fb54f6..8803c78 100644
--- a/modules/toollabs/manifests/mailrelay.pp
+++ b/modules/toollabs/manifests/mailrelay.pp
@@ -25,6 +25,17 @@
                             '/usr/local/sbin/maintainers'],
     }
 
+    # Outbound sender blocklist
+    file { '/etc/exim4/deny_senders.list':
+        ensure  => present,
+        owner   => 'root',
+        group   => 'Debian-exim',
+        mode    => '0440',
+        replace => false,
+        require => Package['exim4-config'],
+        notify  => Service['exim4'],
+    }
+
     file { '/usr/local/sbin/localuser':
         ensure => file,
         owner  => 'root',
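
Review bot: The new `file { '/etc/exim4/deny_senders.list': }` resource sets `replace => false` with no `content` or `source`, so Puppet only creates an empty file and every later entry is a hand edit made outside this repository. It also means `notify => Service['exim4']` fires only on creation or an owner/mode change, not when the list itself changes, so the comment should state whether that is intended. Please expand `# Outbound sender blocklist` to say what the file is expected to contain and who maintains it, and consider `ensure => file` to match the `/usr/local/sbin/localuser` resource below.
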
diff --git a/modules/toollabs/templates/mail-relay.exim4.conf.erb 
b/modules/toollabs/templates/mail-relay.exim4.conf.erb
index 2b6d93a..7422a1e 100644
--- a/modules/toollabs/templates/mail-relay.exim4.conf.erb
+++ b/modules/toollabs/templates/mail-relay.exim4.conf.erb
@@ -51,6 +51,7 @@
 
 acl_smtp_rcpt = acl_check_rcpt
 acl_smtp_data = acl_check_data
+acl_smtp_mail = acl_check_mail
 
 never_users = root
 
@@ -99,6 +100,10 @@
 acl_check_data:
   accept
 
+acl_check_mail:
+  deny senders = /etc/exim4/deny_senders.list
+  accept
+
 ###########
 # Routers #
 ###########
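
Review bot: In `acl_check_mail`, the `deny senders = /etc/exim4/deny_senders.list` statement has no `message` modifier, so a blocked sender sees only a default rejection with no hint that the address is on a local blocklist or whom to contact. Suggest adding a `message = ...` line to the deny statement (and a `log_message` if the log entry should read differently), plus a short comment above the ACL noting that it runs at MAIL FROM through the new `acl_smtp_mail = acl_check_mail` setting.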

-- 
To view, visit https://gerrit.wikimedia.org/r/377697
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ifc3c017ec84ff9645bc265f8ecd420c260aa44a8
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <[email protected]>