Andrew Bogott has uploaded a new change for review. https://gerrit.wikimedia.org/r/68011
Change subject: Refactor exim::rt to use the new exim template. ...................................................................... Refactor exim::rt to use the new exim template. Change-Id: I6dd5b30257643528da3e8bf671e8736bd87e495f --- D files/exim/exim4.rt.conf M manifests/mail.pp M templates/exim/exim4.conf.SMTP_IMAP_MM.erb 3 files changed, 60 insertions(+), 222 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/11/68011/1 diff --git a/files/exim/exim4.rt.conf b/files/exim/exim4.rt.conf deleted file mode 100644 index dd06e5e..0000000 --- a/files/exim/exim4.rt.conf +++ /dev/null 
@@ -1,209 +0,0 @@
-# Exim 4 configuration file for streber.wikimedia.org
-# Written on 2010-08-10 by Mark Bergsma <[email protected]>
-
-##########
-# Macros #
-##########
-
-CONFDIR=/etc/exim4
-
-###############################
-# Main configuration settings #
-###############################
-
-# Standard lists
-hostlist wikimedia_nets = <; 208.80.152.0/22 ; 91.198.174.0/24 ; 2620:0:860::/46 ; 10.0.0.0/16
-domainlist system_domains = @
-
-domainlist local_domains = +system_domains
-domainlist rt_domains = rt.wikimedia.org
-hostlist rt_mail_from_hosts = mchenry.wikimedia.org
-hostlist relay_from_hosts = <; @[]
-
-# Interfaces
-daemon_smtp_ports = smtp
-
-# Administration
-log_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn
-
-# Policy control
-acl_smtp_connect = acl_check_connect
-acl_smtp_rcpt = acl_check_rcpt
-
-helo_try_verify_hosts = *
-
-# Allow RT to use any sender address
-untrusted_set_sender = *
-local_from_check = false
-
-# Resource control
-check_spool_space = 50M
-deliver_queue_load_max = 75.0
-queue_only_load = 50.0
-smtp_accept_max = 100
-smtp_accept_max_per_host = 10
-smtp_reserve_hosts = <; 127.0.0.1 ; ::1 ; +wikimedia_nets
-smtp_accept_reserve = 20
-smtp_accept_queue_per_connection = 500
-remote_max_parallel = 25
-smtp_connect_backlog = 32
-
-# Lookups
-host_lookup = *
-rfc1413_hosts =
-rfc1413_query_timeout = 5s
-
-# Other
-never_users = root : daemon : bin
-ignore_bounce_errors_after = 0h
-
-###############################
-# Access Control Lists (ACLs) #
-###############################
-
-begin acl
-
-acl_check_connect:
- # We only accept mail from our own mail relays
- require message = This server does not accept external mail
- hosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets
-
- accept
-
-acl_check_rcpt:
-
- # Accept if the source is local SMTP (a pipe)
-
- accept hosts = :
-
- # Deny if the local part contains @, %, /, | or !, or starts with a dot
-
- deny local_parts = ^.*[@%!/|] : ^\\.
-
- # Accept relaying from networks we control. Note: no address verification
- # is done at this point, which is good for mail submission, but may render
- # recipient callout verification by affected hosts useless.
-
- accept hosts = +rt_mail_from_hosts : +relay_from_hosts
-
- # Require recipient domain to be local, or a domain we relay for
-
- require message = Relay not permitted
- domains = +local_domains
-
- # { recipient domain is under our administrative control }
-
- # Verify the recipient address for local domains, or require the
- # recipient domain to exist for remote domains
-
- require verify = recipient
-
- # Mail can be safely accepted here, but we may want to do more
- # rfc compliance checking and spam filtering.
-
- # Trust that the mail relay has done all checking
-
- accept
-
-
-###########
-# Routers #
-###########
-
-begin routers
-
-# Use the system aliasfile /etc/aliases for system domains
-
-system_aliases:
- driver = redirect
- domains = +system_domains
- data = ${lookup{$local_part}lsearch{/etc/aliases}}
- pipe_transport = address_pipe
- allow_fail
- allow_defer
- forbid_file
-
-# Mail destined for RT
-
-# This router checks whether the local part consists of solely digits,
-# and assumes this is the ticket number of an existing ticket if this is
-# the case. It rewrites the address to the general queue, and puts the
-# ticket nr in $address_data, where the rt_pipe transport can access it.
- -rt_ticket: - driver = redirect - domains = +rt_domains - local_part_suffix = -comment - local_part_suffix_optional - condition = ${if match{$local_part}{\N^\d+$\N}{yes}{no}} - address_data = EXTENSION=$local_part - data = general$local_part_suffix@$domain - redirect_router = rt - no_verify - -rt: - driver = accept - domains = +rt_domains - local_part_suffix = -comment - local_part_suffix_optional - transport = rt_pipe - - -# Send all mail not destined for the local machine via a set of -# mail relays ("smart hosts") - -smart_route: - driver = manualroute - transport = remote_smtp - route_list = * mchenry.wikimedia.org:lists.wikimedia.org - -############## -# Transports # -############## - -begin transports - -# Generic remote SMTP transport - -remote_smtp: - driver = smtp - hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0 - -# Generic pipe local delivery transport (for use by alias/forward files) - -address_pipe: - driver = pipe - return_output - -# RT transport -rt_pipe: - driver = pipe - command = /usr/bin/rt-mailgate --queue $local_part \ - --action "${if eq{$local_part_suffix}{-comment}{comment}{correspond}}" \ - --extension ticket --url http://rt.wikimedia.org - environment = $address_data - user = mail - group = mail - return_fail_output - - -############### -# Retry rules # -############### - -begin retry - -* * F,2h,15m; G,16h,1h,1.5; F,4d,6h - -################# -# Rewrite rules # -################# - -begin rewrite - -# Rewrite RT -www-data@$primary_hostname [email protected] Fq - -# Rewrite the envelope From for mails from internal servers in *.wmnet, -# as they are usually rejected by sender domain address verification. -*@$primary_hostname [email protected] F diff --git a/manifests/mail.pp b/manifests/mail.pp index e015e4a..351d767 100644 --- a/manifests/mail.pp +++ b/manifests/mail.pp 
@@ -89,19 +89,15 @@ } class rt { - class { "exim::config": queuerunner => "combined" } - Class["exim::config"] -> Class[exim::rt] - - file { - "/etc/exim4/exim4.conf": - require => Package[exim4-config], - owner => root, - group => root, - mode => 0444, - source => "puppet:///files/exim/exim4.rt.conf"; - } - - include exim::service + class { exim::roled: + outbound_ips => [ "208.80.154.4", "2620:0:861:1::2" ], + local_domains => [ "+system_domains" ], + enable_mail_relay => "secondary", + enable_mailman => "false", + rt_relay => "true", + enable_mail_submission => "true", + enable_spamassassin => "true" + } } class smtp { @@ -142,6 +138,7 @@ $enable_imap_delivery="false", $enable_mail_submission="false", $mediawiki_relay="false", + $rt_relay="false", $enable_spamassassin="false", $outbound_ips=[ $ipaddress ], $hold_domains=[] ) { diff --git a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb index 0a14673..b60a88f 100644 --- a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb +++ b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb @@ -54,6 +54,10 @@ domainlist rt_domains = rt.wikimedia.org domainlist spamassassin_domains = * +<% if rt_relay == "true" then -%> +hostlist rt_mail_from_hosts = mchenry.wikimedia.org +<% end -%> + hostlist wikimedia_nets = <; <%= scope.lookupvar('network::constants::all_networks').join(" ; ") %> hostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ; <% if enable_mail_relay != "false" -%><%= scope.lookupvar('network::constants::external_networks').join(" ; ") %>; 10.0.0.0/8<% end %> # Relay @mx_secondary domains only to these hosts @@ -76,6 +80,12 @@ <% if enable_mail_relay != "false" then -%> helo_try_verify_hosts = * +<% end -%> + +<% if rt_relay == "true" then -%> +# Allow RT to use any sender address +untrusted_set_sender = * +local_from_check = false <% end -%> system_filter = CONFDIR/system_filter 
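Review bot: `enable_mail_relay => "secondary"` in the new `exim::roled` declaration widens the RT host's relay surface compared with the deleted exim4.rt.conf, which relayed only from `@[]` and mchenry and rejected every connection not from +wikimedia_nets in acl_check_connect; in the template hunk below, a relay value other than "false" adds the external networks and 10.0.0.0/8 to relay_from_hosts and turns on helo_try_verify_hosts. Whether the template keeps any connect-time restriction is not visible in this diff, so please confirm the RT host is meant to become a secondary MX that accepts external mail, or use `enable_mail_relay => "false"` if it should stay reachable only from the internal relays. `enable_spamassassin` and `enable_mail_submission` were not part of the old config either and deserve the same confirmation. A one-line comment above the declaration recording the decision, e.g. `# RT host: secondary MX + submission; inbound RT mail is still expected via mchenry`, would help the next reader.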
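Review bot: `hostlist rt_mail_from_hosts = mchenry.wikimedia.org` is defined only when rt_relay is "true", but nothing in this diff references `+rt_mail_from_hosts`; in the deleted file it was consumed by the rcpt ACL (`accept hosts = +rt_mail_from_hosts : +relay_from_hosts`). If the template's ACL references it unconditionally, exim will refuse to load its configuration on every host with rt_relay = "false" (unknown named list); if the ACL does not reference it at all, the hostlist is dead configuration. Either wrap the ACL reference in the same `<% if rt_relay == "true" then -%>` guard or drop the hostlist, and say which in a comment such as `# Hosts allowed to hand mail to the RT pipe; referenced from acl_check_rcpt`.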
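Review bot: `untrusted_set_sender = *` and `local_from_check = false` apply to every local, non-trusted caller of the exim binary on the host, not only to RT; on the shared roled template that now covers whatever else runs on a box with rt_relay = "true". Exim's narrower mechanism is to trust the specific account RT submits as, e.g. `trusted_users = www-data` (the rewrite hunk suggests RT submits as www-data, but confirm against the RT installation), which lets that user set any envelope sender while other local users keep the default checks. Whichever is kept, the comment should say where the setting comes from, e.g. `# Carried over from exim4.rt.conf: rt-mailgate/RT needs to send as arbitrary addresses`.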
@@ -293,6 +303,27 @@ ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16 cannot_route_message = Cannot route to remote domain $domain no_more +<% end -%> + +<% if rt_relay == "true" then -%> +rt_ticket: + driver = redirect + domains = +rt_domains + local_part_suffix = -comment + local_part_suffix_optional + condition = ${if match{$local_part}{\N^\d+$\N}{yes}{no}} + address_data = EXTENSION=$local_part + data = general$local_part_suffix@$domain + redirect_router = rt + no_verify + +rt: + driver = accept + domains = +rt_domains + local_part_suffix = -comment + local_part_suffix_optional + transport = rt_pipe + <% end -%> # Use the system aliasfile /etc/aliases for system domains @@ -573,6 +604,19 @@ driver = pipe return_output +<% if rt_relay == "true" then -%> +# RT transport +rt_pipe: + driver = pipe + command = /usr/bin/rt-mailgate --queue $local_part \ + --action "${if eq{$local_part_suffix}{-comment}{comment}{correspond}}" \ + --extension ticket --url https://rt.wikimedia.org + environment = $address_data + user = mail + group = mail + return_fail_output +<% end -%> + <% if enable_mailman == "true" then -%> # Mailman pipe transport # Rewrite body headers of old mailing list addresses to new ones 
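Review bot: The `rt` router accepts any local part at +rt_domains and hands it to rt_pipe, where it becomes the `--queue $local_part` argument, so the only thing between an arbitrary RCPT TO and that argument is the rcpt ACL's local_parts check; the deleted file had `deny local_parts = ^.*[@%!/|] : ^\\.` for that, and the template's ACL is outside this diff, so confirm it still applies on rt_relay hosts. Exim's pipe transport splits the command into arguments before expansion, so this is not shell injection, but a defensive whitelist on the router keeps garbage out of rt-mailgate regardless of later ACL changes: `condition = ${if match{$local_part}{\N^[A-Za-z0-9._-]+$\N}}` on the `rt` router (adjust the class if RT queue names contain other characters). Without it, anything the ACL lets through is accepted here and only rejected, or not, by rt-mailgate itself.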
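Review bot: `return_fail_output` in rt_pipe sends whatever rt-mailgate writes on failure back to the envelope sender, who can be an outside party now that the RT host is declared with enable_mail_relay => "secondary"; RT error text and the internal URL are then disclosed in the bounce. If that is not wanted, replace it with `log_output` so the failure text goes only to the exim log, or keep `return_fail_output` and add `log_output` so operators still see the reason. A short comment on the choice of pipe user would also help, e.g. `# rt-mailgate only needs network access to RT, so run it unprivileged as mail:mail`.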
@@ -690,6 +734,12 @@ begin rewrite <% end %> + +<% if rt_relay == "true" then -%> +# Rewrite RT +www-data@$primary_hostname [email protected] Fq +<% end -%> + <% if enable_mailman == "true" then -%> \N^.*@(mail\.)?wiki[mp]edia\.org$\N "${if exists{MAILMAN_LISTS_HOME/lists/$local_part/config.pck}{[email protected]}fail}" ct <% end %> -- To view, visit https://gerrit.wikimedia.org/r/68011 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I6dd5b30257643528da3e8bf671e8736bd87e495f Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
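Review bot: Only the first of the two rewrite rules from the deleted exim4.rt.conf is carried over; the second, `*@$primary_hostname [email protected] F`, which its comment said existed because mails from internal *.wmnet servers "are usually rejected by sender domain address verification", has no counterpart in this hunk. If the roled template already rewrites `*@$primary_hostname` senders elsewhere this is fine; otherwise bounces and cron mail from the RT host will leave with a sender that remote verification rejects. Either add the rule under the same rt_relay guard or note why it was dropped, e.g. `# The *@$primary_hostname rewrite from exim4.rt.conf is covered by the template's generic rules`.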
