Andrew Bogott has submitted this change and it was merged. Change subject: Refactor exim::rt to use the new exim template. ......................................................................
Refactor exim::rt to use the new exim template. Change-Id: I6dd5b30257643528da3e8bf671e8736bd87e495f --- D files/exim/exim4.rt.conf D manifests/mail.pp M manifests/site.pp R modules/exim/files/docroot/favicon.ico R modules/exim/files/docroot/favicon.png R modules/exim/files/docroot/robots.txt R modules/exim/files/exim4.listserver_aliases.conf R modules/exim/files/exim4.secondary_relay_domains.conf R modules/exim/files/mm_cfg.py R modules/exim/files/spamassassin.default A modules/exim/manifests/init.pp A modules/exim/manifests/mailman.pp A modules/exim/manifests/role/mediawiki.pp A modules/exim/manifests/role/rt.pp A modules/exim/manifests/role/simple-mail-sender.pp A modules/exim/manifests/spamassassin.pp R modules/exim/templates/exim4.conf.SMTP_IMAP_MM.erb R modules/exim/templates/exim4.default.erb R modules/exim/templates/exim4.donate.erb R modules/exim/templates/exim4.minimal.erb R modules/exim/templates/system_filter.conf.erb 21 files changed, 440 insertions(+), 576 deletions(-) Approvals: Andrew Bogott: Verified; Looks good to me, approved jenkins-bot: Verified diff --git a/files/exim/exim4.rt.conf b/files/exim/exim4.rt.conf deleted file mode 100644 index dd06e5e..0000000 --- a/files/exim/exim4.rt.conf +++ /dev/null 
@@ -1,209 +0,0 @@ -# Exim 4 configuration file for streber.wikimedia.org -# Written on 2010-08-10 by Mark Bergsma <[email protected]> - -########## -# Macros # -########## - -CONFDIR=/etc/exim4 - -############################### -# Main configuration settings # -############################### - -# Standard lists -hostlist wikimedia_nets = <; 208.80.152.0/22 ; 91.198.174.0/24 ; 2620:0:860::/46 ; 10.0.0.0/16 -domainlist system_domains = @ - -domainlist local_domains = +system_domains -domainlist rt_domains = rt.wikimedia.org -hostlist rt_mail_from_hosts = mchenry.wikimedia.org -hostlist relay_from_hosts = <; @[] - -# Interfaces -daemon_smtp_ports = smtp - -# Administration -log_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn - -# Policy control -acl_smtp_connect = acl_check_connect -acl_smtp_rcpt = acl_check_rcpt - -helo_try_verify_hosts = * - -# Allow RT to use any sender address -untrusted_set_sender = * -local_from_check = false - -# Resource control -check_spool_space = 50M -deliver_queue_load_max = 75.0 -queue_only_load = 50.0 -smtp_accept_max = 100 -smtp_accept_max_per_host = 10 -smtp_reserve_hosts = <; 127.0.0.1 ; ::1 ; +wikimedia_nets -smtp_accept_reserve = 20 -smtp_accept_queue_per_connection = 500 -remote_max_parallel = 25 -smtp_connect_backlog = 32 - -# Lookups -host_lookup = * -rfc1413_hosts = -rfc1413_query_timeout = 5s - -# Other -never_users = root : daemon : bin -ignore_bounce_errors_after = 0h - -############################### -# Access Control Lists (ACLs) # -############################### - -begin acl - -acl_check_connect: - # We only accept mail from our own mail relays - require message = This server does not accept external mail - hosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets - - accept - -acl_check_rcpt: - - # Accept if the source is local SMTP (a pipe) - - accept hosts = : - - # Deny if the local part 
contains @, %, /, | or !, or starts with a dot - - deny local_parts = ^.*[@%!/|] : ^\\. - - # Accept relaying from networks we control. Note: no address verification - # is done at this point, which is good for mail submission, but may render - # recipient callout verification by affected hosts useless. - - accept hosts = +rt_mail_from_hosts : +relay_from_hosts - - # Require recipient domain to be local, or a domain we relay for - - require message = Relay not permitted - domains = +local_domains - - # { recipient domain is under our administrative control } - - # Verify the recipient address for local domains, or require the - # recipient domain to exist for remote domains - - require verify = recipient - - # Mail can be safely accepted here, but we may want to do more - # rfc compliance checking and spam filtering. - - # Trust that the mail relay has done all checking - - accept - - -########### -# Routers # -########### - -begin routers - -# Use the system aliasfile /etc/aliases for system domains - -system_aliases: - driver = redirect - domains = +system_domains - data = ${lookup{$local_part}lsearch{/etc/aliases}} - pipe_transport = address_pipe - allow_fail - allow_defer - forbid_file - -# Mail destined for RT - -# This router checks whether the local part consists of solely digits, -# and assumes this is the ticket number of an existing ticket if this is -# the case. It rewrites the address to the general queue, and puts the -# ticket nr in $address_data, where the rt_pipe transport can access it. 
- -rt_ticket: - driver = redirect - domains = +rt_domains - local_part_suffix = -comment - local_part_suffix_optional - condition = ${if match{$local_part}{\N^\d+$\N}{yes}{no}} - address_data = EXTENSION=$local_part - data = general$local_part_suffix@$domain - redirect_router = rt - no_verify - -rt: - driver = accept - domains = +rt_domains - local_part_suffix = -comment - local_part_suffix_optional - transport = rt_pipe - - -# Send all mail not destined for the local machine via a set of -# mail relays ("smart hosts") - -smart_route: - driver = manualroute - transport = remote_smtp - route_list = * mchenry.wikimedia.org:lists.wikimedia.org - -############## -# Transports # -############## - -begin transports - -# Generic remote SMTP transport - -remote_smtp: - driver = smtp - hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0 - -# Generic pipe local delivery transport (for use by alias/forward files) - -address_pipe: - driver = pipe - return_output - -# RT transport -rt_pipe: - driver = pipe - command = /usr/bin/rt-mailgate --queue $local_part \ - --action "${if eq{$local_part_suffix}{-comment}{comment}{correspond}}" \ - --extension ticket --url http://rt.wikimedia.org - environment = $address_data - user = mail - group = mail - return_fail_output - - -############### -# Retry rules # -############### - -begin retry - -* * F,2h,15m; G,16h,1h,1.5; F,4d,6h - -################# -# Rewrite rules # -################# - -begin rewrite - -# Rewrite RT -www-data@$primary_hostname [email protected] Fq - -# Rewrite the envelope From for mails from internal servers in *.wmnet, -# as they are usually rejected by sender domain address verification. -*@$primary_hostname [email protected] F diff --git a/manifests/mail.pp b/manifests/mail.pp deleted file mode 100644 index e015e4a..0000000 --- a/manifests/mail.pp +++ /dev/null 
@@ -1,343 +0,0 @@ -# mail.pp - -class exim { - class constants { - $primary_mx = [ "208.80.152.186", "2620::860:2:219:b9ff:fedd:c027" ] - } - - class config($install_type="light", $queuerunner="queueonly") { - package { [ "exim4-config", "exim4-daemon-${install_type}" ]: ensure => latest } - - if $install_type == "heavy" { - exec { "mkdir /var/spool/exim4/scan": - require => Package[exim4-daemon-heavy], - path => "/bin:/usr/bin", - creates => "/var/spool/exim4/scan" - } - - mount { [ "/var/spool/exim4/scan", "/var/spool/exim4/db" ]: - device => "none", - fstype => "tmpfs", - options => "defaults", - ensure => mounted - } - - file { [ "/var/spool/exim4/scan", "/var/spool/exim4/db" ]: - ensure => directory, - owner => Debian-exim, - group => Debian-exim - } - - # add nagios to the Debian-exim group to allow check_disk tmpfs mounts (puppet still can't manage existing users?! so just Exec) - exec { "nagios_to_exim_group": - command => "usermod -a -G Debian-exim nagios", - path => "/usr/sbin"; - } - - Exec["mkdir /var/spool/exim4/scan"] -> Mount["/var/spool/exim4/scan"] -> File["/var/spool/exim4/scan"] - Package[exim4-daemon-heavy] -> Mount["/var/spool/exim4/db"] -> File["/var/spool/exim4/db"] - } - - file { - "/etc/default/exim4": - require => Package[exim4-config], - owner => root, - group => root, - mode => 0444, - content => template("exim/exim4.default.erb"); - "/etc/exim4/aliases/": - require => Package[exim4-config], - mode => 0755, - owner => root, - group => root, - ensure => directory; - } - } - - class service { - Class["exim::config"] -> Class[exim::service] - - # The init script's status command exit value only reflects the SMTP service - service { exim4: - ensure => running, - hasstatus => $exim::config::queuerunner ? 
{ - "queueonly" => false, - default => true - } - } - - if $exim::config::queuerunner != "queueonly" { - # Nagios monitoring - monitor_service { "smtp": description => "Exim SMTP", check_command => "check_smtp" } - } - } - - class simple-mail-sender { - class { "exim::config": queuerunner => "queueonly" } - Class["exim::config"] -> Class[exim::simple-mail-sender] - - file { - "/etc/exim4/exim4.conf": - require => Package[exim4-config], - owner => root, - group => root, - mode => 0444, - content => template("exim/exim4.minimal.erb"); - } - - include exim::service - } - - class rt { - class { "exim::config": queuerunner => "combined" } - Class["exim::config"] -> Class[exim::rt] - - file { - "/etc/exim4/exim4.conf": - require => Package[exim4-config], - owner => root, - group => root, - mode => 0444, - source => "puppet:///files/exim/exim4.rt.conf"; - } - - include exim::service - } - - class smtp { - $otrs_mysql_password = $passwords::exim4::otrs_mysql_password - $smtp_ldap_password = $passwords::exim4::smtp_ldap_password - } - - # Class: exim::roled - # - # This class installs a full featured Exim MTA - # - # Parameters: - # - $local_domains: - # List of domains Exim will treat as "local", i.e. 
be responsible - # for - # - $enable_mail_relay: - # Values: primary, secondary - # Whether Exim will act as a primary or secondary mail relay for - # other mail servers - # - $enable_mailman: - # Whether Mailman delivery functionality is enabled (true/false) - # - $enable_imap_delivery: - # Whether IMAP local delivery functional is enabled (true/false) - # - $enable_mail_submission: - # Enable/disable mail submission by users/client MUAs - # - $mediawiki_relay: - # Whether this MTA relays mail for MediaWiki (true/false) - # - $enable_spamasssin: - # Enable/disable SpamAssassin spam checking - # - $outbound_ips: - # IP addresses to use for sending outbound e-mail - # - $hold_domains: - # List of domains to hold on the queue without processing - class roled( - $local_domains = [ "+system_domains" ], - $enable_mail_relay="false", - $enable_mailman="false", - $enable_imap_delivery="false", - $enable_mail_submission="false", - $mediawiki_relay="false", - $enable_spamassassin="false", - $outbound_ips=[ $ipaddress ], - $hold_domains=[] ) { - - class { "exim::config": install_type => "heavy", queuerunner => "combined" } - Class["exim::config"] -> Class[exim::roled] - - include exim::service - - include exim::smtp - include exim::constants - include network::constants - include exim::listserve::private - - file { - "/etc/exim4/exim4.conf": - require => Package[exim4-config], - notify => Service[exim4], - owner => root, - group => Debian-exim, - mode => 0440, - content => template("exim/exim4.conf.SMTP_IMAP_MM.erb"); - "/etc/exim4/system_filter": - owner => root, - group => Debian-exim, - mode => 0444, - content => template("exim/system_filter.conf.erb"); - } - - class mail_relay { - Class["exim::config"] -> Class[exim::roled::mail_relay] - - file { - "/etc/exim4/relay_domains": - owner => root, - group => root, - mode => 0444, - source => "puppet:///files/exim/exim4.secondary_relay_domains.conf"; - } - } - - class mailman { - Class["exim::config"] -> 
Class[exim::roled::mailman] - - file { - "/etc/exim4/aliases/lists.wikimedia.org": - owner => root, - group => root, - mode => 0444, - source => "puppet:///files/exim/exim4.listserver_aliases.conf"; - } - } - - if ( $enable_mailman == "true" ) { - include mailman - } - if ( $enable_mail_relay == "primary" ) or ( $enable_mail_relay == "secondary" ) { - include mail_relay - } - if ( $enable_spamassassin == "true" ) { - include spamassassin - } - } -} - -# SpamAssassin http://spamassassin.apache.org/ - -class spamassassin { - include network::constants - - package { [ "spamassassin" ]: - ensure => latest; - } - - systemuser { "spamd": name => "spamd" } - - File { - require => Package[spamassassin], - owner => root, - group => root, - mode => 0444 - } - file { - "/etc/spamassassin/local.cf": - content => template("spamassassin/local.cf"); - "/etc/default/spamassassin": - source => "puppet:///files/spamassassin/spamassassin.default"; - } - - service { "spamassassin": - require => [ File["/etc/default/spamassassin"], File["/etc/spamassassin/local.cf"], Package[spamassassin], Systemuser[spamd] ], - subscribe => [ File["/etc/default/spamassassin"], File["/etc/spamassassin/local.cf"] ], - ensure => running; - } - - file { "/var/spamd": - require => Systemuser[spamd], - ensure => directory, - owner => spamd, - group => spamd, - mode => 0700; - } - - monitor_service { "spamd": description => "spamassassin", check_command => "nrpe_check_spamd" } -} - -class mailman { - class base { - # lighttpd needs to be installed first, or the mailman package will pull in apache2 - require webserver::static - - package { "mailman": ensure => latest } - } - - class listserve { - require mailman::base - - system_role { "mailman::listserve": description => "Mailman listserver" } - - file { - "/etc/mailman/mm_cfg.py": - owner => root, - group => root, - mode => 0444, - source => "puppet:///files/mailman/mm_cfg.py"; - } - - # Install as many languages as possible - include 
generic::locales::international - - generic::debconf::set { - "mailman/gate_news": - value => "false", - notify => Exec["dpkg-reconfigure mailman"]; - "mailman/used_languages": - value => "ar big5 ca cs da de en es et eu fi fr gb hr hu ia it ja ko lt nl no pl pt pt_BR ro ru sl sr sv tr uk vi zh_CN zh_TW", - notify => Exec["dpkg-reconfigure mailman"]; - "mailman/default_server_language": - value => "en", - notify => Exec["dpkg-reconfigure mailman"]; - } - exec { "dpkg-reconfigure mailman": - require => Class["generic::locales::international"], - before => Service[mailman], - command => "/usr/sbin/dpkg-reconfigure -fnoninteractive mailman", - refreshonly => true - } - - service { mailman: - ensure => running, - hasstatus => false, - pattern => "mailmanctl" - } - - monitor_service { "procs_mailman": description => "mailman", check_command => "nrpe_check_mailman" } - } - - class web-ui { - include webserver::static - - if ( $realm == "production" ) { - install_certificate{ "star.wikimedia.org": } - } - - # htdigest file for private list archives - file { "/etc/lighttpd/htdigest": - require => Class["webserver::static"], - source => "puppet:///private/lighttpd/htdigest", - owner => root, - group => www-data, - mode => 0440; - } - - # Enable CGI module - lighttpd_config { "10-cgi": require => Class["webserver::static"] } - - # Install Mailman specific Lighttpd config file - lighttpd_config { "50-mailman": - require => [ Class["webserver::static"], File["/etc/lighttpd/htdigest"] ], - install => "true" - } - - # Add files in /var/www (docroot) - file { "/var/www": - source => "puppet:///files/mailman/docroot/", - owner => root, - group => root, - mode => 0444, - recurse => remote; - } - - # monitor SSL cert expiry - if ( $realm == "production" ) { - monitor_service { "https": description => "HTTPS", check_command => "check_ssl_cert!*.wikimedia.org" } - } - } - - include listserve, web-ui -} diff --git a/manifests/site.pp b/manifests/site.pp index 6d1653a..a16a874 100644 
--- a/manifests/site.pp +++ b/manifests/site.pp @@ -17,7 +17,6 @@ import "iptables.pp" import "ldap.pp" import "lvs.pp" -import "mail.pp" import "media-storage.pp" import "memcached.pp" import "misc/*.pp" @@ -52,7 +51,7 @@ include base, ganglia, ntp::client, - exim::simple-mail-sender + exim::role::simple-mail-sender } class standard-noexim { @@ -765,7 +764,7 @@ include base, ganglia, - exim::simple-mail-sender, + exim::role::simple-mail-sender, dns::recursor::statistics include network::constants @@ -1347,7 +1346,7 @@ include base, ganglia, - exim::simple-mail-sender, + exim::role::simple-mail-sender, misc::url-downloader class { 'ntp::server': @@ -1644,7 +1643,7 @@ $cluster = "misc" include role::racktables - include role::request-tracker-apache::production, exim::rt + include role::request-tracker-apache::production, exim::role::rt } node "marmontel.wikimedia.org" { @@ -2371,19 +2370,9 @@ ganglia, ntp::client, nrpe, - mailman, dns::recursor, - spamassassin, - backup::client - - class { exim::roled: - outbound_ips => [ "208.80.154.4", "2620:0:861:1::2" ], - local_domains => [ "+system_domains", "+mailman_domains" ], - enable_mail_relay => "secondary", - enable_mailman => "true", - enable_mail_submission => "false", - enable_spamassassin => "true" - } + backup::client, + exim::role::mediawiki interface_ip { "lists.wikimedia.org_v4": interface => "eth0", address => "208.80.154.4", prefixlen => 32; @@ -2681,7 +2670,7 @@ ntp::client, admins::roots, # misc::torrus, - exim::rt, + exim::role::rt, misc::rt::server, misc::rancid, firewall::builder diff --git a/files/mailman/docroot/favicon.ico b/modules/exim/files/docroot/favicon.ico similarity index 100% rename from files/mailman/docroot/favicon.ico rename to modules/exim/files/docroot/favicon.ico Binary files differ 
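Review bot: The hunk at @@ -2371 removes `mailman,` and `spamassassin,` from the lists node's include list, but the replacement `exim::role::mediawiki` only pulls in `spamassassin` (through `enable_spamassassin => "true"`) and exim's own `exim::mailman` aliases class; nothing in this change includes the top-level `mailman` class that manages the listserve package, its service, the web-ui and their monitoring. Unless another manifest outside this diff still includes it, that node silently stops managing those resources after the change. Either add `include mailman` to `exim::role::mediawiki` or keep `mailman,` in the node's include list. The remaining hunks in this file are straight renames of `exim::simple-mail-sender` and `exim::rt` to their `exim::role::` counterparts.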
diff --git a/files/mailman/docroot/favicon.png b/modules/exim/files/docroot/favicon.png similarity index 100% rename from files/mailman/docroot/favicon.png rename to modules/exim/files/docroot/favicon.png Binary files differ diff --git a/files/mailman/docroot/robots.txt b/modules/exim/files/docroot/robots.txt similarity index 100% rename from files/mailman/docroot/robots.txt rename to modules/exim/files/docroot/robots.txt diff --git a/files/exim/exim4.listserver_aliases.conf b/modules/exim/files/exim4.listserver_aliases.conf similarity index 100% rename from files/exim/exim4.listserver_aliases.conf rename to modules/exim/files/exim4.listserver_aliases.conf diff --git a/files/exim/exim4.secondary_relay_domains.conf b/modules/exim/files/exim4.secondary_relay_domains.conf similarity index 100% rename from files/exim/exim4.secondary_relay_domains.conf rename to modules/exim/files/exim4.secondary_relay_domains.conf diff --git a/files/mailman/mm_cfg.py b/modules/exim/files/mm_cfg.py similarity index 100% rename from files/mailman/mm_cfg.py rename to modules/exim/files/mm_cfg.py diff --git a/files/spamassassin/spamassassin.default b/modules/exim/files/spamassassin.default similarity index 100% rename from files/spamassassin/spamassassin.default rename to modules/exim/files/spamassassin.default diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp new file mode 100644 index 0000000..cca8d28 --- /dev/null +++ b/modules/exim/manifests/init.pp 
@@ -0,0 +1,190 @@ +# Class: exim +# +# This class installs a full featured Exim MTA +# +# Parameters: +# - $local_domains: +# List of domains Exim will treat as "local", i.e. be responsible +# for +# - $enable_mail_relay: +# Values: primary, secondary +# Whether Exim will act as a primary or secondary mail relay for +# other mail servers +# - $enable_mailman: +# Whether Mailman delivery functionality is enabled (true/false) +# - $enable_imap_delivery: +# Whether IMAP local delivery functional is enabled (true/false) +# - $enable_mail_submission: +# Enable/disable mail submission by users/client MUAs +# - $mediawiki_relay: +# Whether this MTA relays mail for MediaWiki (true/false) +# - $enable_spamasssin: +# Enable/disable SpamAssassin spam checking +# - $outbound_ips: +# IP addresses to use for sending outbound e-mail +# - $hold_domains: +# List of domains to hold on the queue without processing +class exim( + $local_domains = [ "+system_domains" ], + $enable_mail_relay="false", + $enable_mailman="false", + $enable_imap_delivery="false", + $enable_mail_submission="false", + $enable_external_mail="false", + $smart_route_list=[], + $mediawiki_relay="false", + $rt_relay="false", + $enable_spamassassin="false", + $outbound_ips=[ $ipaddress ], + $hold_domains=[] ) { + + class { "config": install_type => "heavy", queuerunner => "combined" } + Class["config"] -> Class[exim] + + include service + + include smtp + include network::constants + include exim::listserve::private + + $primary_mx = [ "208.80.152.186", "2620::860:2:219:b9ff:fedd:c027" ] + file { + "/etc/exim4/exim4.conf": + require => Package[exim4-config], + notify => Service[exim4], + owner => root, + group => Debian-exim, + mode => 0440, + content => template("exim/exim4.conf.SMTP_IMAP_MM.erb"); + "/etc/exim4/system_filter": + owner => root, + group => Debian-exim, + mode => 0444, + content => template("exim/system_filter.conf.erb"); + } + + class mail_relay { + Class["config"] -> Class[exim::mail_relay] + + 
file { + "/etc/exim4/relay_domains": + owner => root, + group => root, + mode => 0444, + source => "puppet:///modules/exim/exim4.secondary_relay_domains.conf"; + } + } + + class mailman { + Class["config"] -> Class[exim::mailman] + + file { + "/etc/exim4/aliases/lists.wikimedia.org": + owner => root, + group => root, + mode => 0444, + source => "puppet:///modules/exim/exim4.listserver_aliases.conf"; + } + } + + if ( $enable_mailman == "true" ) { + include exim::mailman + } + if ( $enable_mail_relay == "primary" ) or ( $enable_mail_relay == "secondary" ) { + include mail_relay + } + if ( $enable_spamassassin == "true" ) { + include spamassassin + } +} + + +class config($install_type="light", $queuerunner="queueonly") { + package { [ "exim4-config", "exim4-daemon-${install_type}" ]: ensure => latest } + + if $install_type == "heavy" { + exec { "mkdir /var/spool/exim4/scan": + require => Package[exim4-daemon-heavy], + path => "/bin:/usr/bin", + creates => "/var/spool/exim4/scan" + } + + mount { [ "/var/spool/exim4/scan", "/var/spool/exim4/db" ]: + device => "none", + fstype => "tmpfs", + options => "defaults", + ensure => mounted + } + + file { [ "/var/spool/exim4/scan", "/var/spool/exim4/db" ]: + ensure => directory, + owner => Debian-exim, + group => Debian-exim + } + + # add nagios to the Debian-exim group to allow check_disk tmpfs mounts (puppet still can't manage existing users?! 
so just Exec) + exec { "nagios_to_exim_group": + command => "usermod -a -G Debian-exim nagios", + path => "/usr/sbin"; + } + + Exec["mkdir /var/spool/exim4/scan"] -> Mount["/var/spool/exim4/scan"] -> File["/var/spool/exim4/scan"] + Package[exim4-daemon-heavy] -> Mount["/var/spool/exim4/db"] -> File["/var/spool/exim4/db"] + } + + file { + "/etc/default/exim4": + require => Package[exim4-config], + owner => root, + group => root, + mode => 0444, + content => template("exim/exim4.default.erb"); + "/etc/exim4/aliases/": + require => Package[exim4-config], + mode => 0755, + owner => root, + group => root, + ensure => directory; + } +} + +class service { + Class["config"] -> Class[service] + + # The init script's status command exit value only reflects the SMTP service + service { exim4: + ensure => running, + hasstatus => $exim::config::queuerunner ? { + "queueonly" => false, + default => true + } + } + + if $config::queuerunner != "queueonly" { + # Nagios monitoring + monitor_service { "smtp": description => "Exim SMTP", check_command => "check_smtp" } + } +} + +class simple-mail-sender { + class { "config": queuerunner => "queueonly" } + Class["config"] -> Class[exim::simple-mail-sender] + + file { + "/etc/exim4/exim4.conf": + require => Package[exim4-config], + owner => root, + group => root, + mode => 0444, + content => template("exim/exim4.minimal.erb"); + } + + include service +} + +class smtp { + $otrs_mysql_password = $passwords::exim4::otrs_mysql_password + $smtp_ldap_password = $passwords::exim4::smtp_ldap_password +} + + diff --git a/modules/exim/manifests/mailman.pp b/modules/exim/manifests/mailman.pp new file mode 100644 index 0000000..829b59c --- /dev/null +++ b/modules/exim/manifests/mailman.pp 
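Review bot: The header comment on `class exim` was carried over unchanged and does not describe the three new parameters `$enable_external_mail`, `$smart_route_list` and `$rt_relay`; add entries in the same style, e.g. `# - $smart_route_list:` followed by `#   Hosts, in order, to route all non-local mail through; empty disables the smart_route router`, and fix the `$enable_spamasssin` typo while there. Separately, `config`, `service` and `smtp` are declared at the top level of init.pp without the `exim::` prefix, while `service` reads both `$exim::config::queuerunner` and `$config::queuerunner` two lines apart; I suspect only one of those two lookups resolves, and the unprefixed classes are found by callers only because init.pp happens to have been parsed already. Naming them `exim::config`, `exim::service` and `exim::smtp` and referencing them consistently (here and in role/simple-mail-sender.pp) would remove that dependence on load order.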
@@ -0,0 +1,93 @@ +class mailman { + class base { + # lighttpd needs to be installed first, or the mailman package will pull in apache2 + require webserver::static + + package { "mailman": ensure => latest } + } + + class listserve { + require mailman::base + + system_role { "mailman::listserve": description => "Mailman listserver" } + + file { + "/etc/mailman/mm_cfg.py": + owner => root, + group => root, + mode => 0444, + source => "puppet:///modules/mailman/mm_cfg.py"; + } + + # Install as many languages as possible + include generic::locales::international + + generic::debconf::set { + "mailman/gate_news": + value => "false", + notify => Exec["dpkg-reconfigure mailman"]; + "mailman/used_languages": + value => "ar big5 ca cs da de en es et eu fi fr gb hr hu ia it ja ko lt nl no pl pt pt_BR ro ru sl sr sv tr uk vi zh_CN zh_TW", + notify => Exec["dpkg-reconfigure mailman"]; + "mailman/default_server_language": + value => "en", + notify => Exec["dpkg-reconfigure mailman"]; + } + exec { "dpkg-reconfigure mailman": + require => Class["generic::locales::international"], + before => Service[mailman], + command => "/usr/sbin/dpkg-reconfigure -fnoninteractive mailman", + refreshonly => true + } + + service { mailman: + ensure => running, + hasstatus => false, + pattern => "mailmanctl" + } + + monitor_service { "procs_mailman": description => "mailman", check_command => "nrpe_check_mailman" } + } + + class web-ui { + include webserver::static + + if ( $realm == "production" ) { + install_certificate{ "star.wikimedia.org": } + } + + # htdigest file for private list archives + file { "/etc/lighttpd/htdigest": + require => Class["webserver::static"], + source => "puppet:///private/lighttpd/htdigest", + owner => root, + group => www-data, + mode => 0440; + } + + # Enable CGI module + lighttpd_config { "10-cgi": require => Class["webserver::static"] } + + # Install Mailman specific Lighttpd config file + lighttpd_config { "50-mailman": + require => [ Class["webserver::static"], 
File["/etc/lighttpd/htdigest"] ],
+ install => "true"
+ }
+ 
+ # Add files in /var/www (docroot)
+ file { "/var/www":
+ source => "puppet:///modules/mailman/docroot/",
+ owner => root,
+ group => root,
+ mode => 0444,
+ recurse => remote;
+ }
+ 
+ # monitor SSL cert expiry
+ if ( $realm == "production" ) {
+ monitor_service { "https": description => "HTTPS", check_command => "check_ssl_cert!*.wikimedia.org" }
+ }
+ }
+ 
+ include listserve, web-ui
+}
diff --git a/modules/exim/manifests/role/mediawiki.pp b/modules/exim/manifests/role/mediawiki.pp
new file mode 100644
index 0000000..6ffd89f
--- /dev/null
+++ b/modules/exim/manifests/role/mediawiki.pp
@@ -0,0 +1,10 @@
+class exim::role::mediawiki {
+ class { exim:
+ outbound_ips => [ "208.80.154.4", "2620:0:861:1::2" ],
+ local_domains => [ "+system_domains", "+mailman_domains" ],
+ enable_mail_relay => "secondary",
+ enable_mailman => "true",
+ enable_mail_submission => "false",
+ enable_spamassassin => "true"
+ }
+}
diff --git a/modules/exim/manifests/role/rt.pp b/modules/exim/manifests/role/rt.pp
new file mode 100644
index 0000000..2f8e080
--- /dev/null
+++ b/modules/exim/manifests/role/rt.pp
@@ -0,0 +1,12 @@
+class exim::role::rt {
+ class { exim:
+ local_domains => [ "+system_domains", "+rt_domains" ],
+ enable_mail_relay => "false",
+ enable_external_mail => "true",
+ smart_route_list => [ "mchenry.wikimedia.org", "lists.wikimedia.org" ],
+ enable_mailman => "false",
+ rt_relay => "true",
+ enable_mail_submission => "false",
+ enable_spamassassin => "false"
+ }
+}
diff --git a/modules/exim/manifests/role/simple-mail-sender.pp b/modules/exim/manifests/role/simple-mail-sender.pp
new file mode 100644
index 0000000..90a2ec8
--- /dev/null
+++ b/modules/exim/manifests/role/simple-mail-sender.pp
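Review bot: `source => "puppet:///modules/mailman/mm_cfg.py"` and `source => "puppet:///modules/mailman/docroot/"` in mailman.pp point at a `mailman` module, but the diffstat shows these files were moved into `modules/exim/files/mm_cfg.py` and `modules/exim/files/docroot/`, so both file resources will fail to fetch their source unless a separate mailman module exists; they should read `source => "puppet:///modules/exim/mm_cfg.py"` and `source => "puppet:///modules/exim/docroot/"`. The class is also declared as plain `mailman` inside modules/exim/manifests/mailman.pp, where the autoloader would look for `exim::mailman` (a name already taken by the nested aliases class in init.pp), so this file is probably only ever loaded by accident; giving it a distinct qualified name and including it explicitly would make the collision impossible.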
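Review bot: `enable_mail_relay => "false"` in exim::role::rt means the rendered `relay_from_hosts` is only `@[] ; 127.0.0.1 ; ::1`, whereas the deleted exim4.rt.conf had `hostlist rt_mail_from_hosts = mchenry.wikimedia.org` and an `accept hosts = +rt_mail_from_hosts : +relay_from_hosts` in its rcpt ACL; the relay host now has to reach RT purely through the `+rt_domains` local-domain path, which is tighter but is not mentioned in the commit message, so confirm it is intended. The role also sets `enable_external_mail => "true"` to obtain the ACL that rejects mail from outside the Wikimedia networks, which is worth a one-line comment on that parameter because the name reads as the opposite.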
@@ -0,0 +1,15 @@
+class exim::role::simple-mail-sender {
+ class { "config": queuerunner => "queueonly" }
+ Class["config"] -> Class[exim::role::simple-mail-sender]
+ 
+ file {
+ "/etc/exim4/exim4.conf":
+ require => Package[exim4-config],
+ owner => root,
+ group => root,
+ mode => 0444,
+ content => template("exim/exim4.minimal.erb");
+ }
+ 
+ include service
+}
diff --git a/modules/exim/manifests/spamassassin.pp b/modules/exim/manifests/spamassassin.pp
new file mode 100644
index 0000000..e7c48d2
--- /dev/null
+++ b/modules/exim/manifests/spamassassin.pp
@@ -0,0 +1,38 @@
+class spamassassin {
+ include network::constants
+ 
+ package { [ "spamassassin" ]:
+ ensure => latest;
+ }
+ 
+ systemuser { "spamd": name => "spamd" }
+ 
+ File {
+ require => Package[spamassassin],
+ owner => root,
+ group => root,
+ mode => 0444
+ }
+ file {
+ "/etc/spamassassin/local.cf":
+ content => template("spamassassin/local.cf");
+ "/etc/default/spamassassin":
+ source => "puppet:///modules/exim/spamassassin.default";
+ }
+ 
+ service { "spamassassin":
+ require => [ File["/etc/default/spamassassin"], File["/etc/spamassassin/local.cf"], Package[spamassassin], Systemuser[spamd] ],
+ subscribe => [ File["/etc/default/spamassassin"], File["/etc/spamassassin/local.cf"] ],
+ ensure => running;
+ }
+ 
+ file { "/var/spamd":
+ require => Systemuser[spamd],
+ ensure => directory,
+ owner => spamd,
+ group => spamd,
+ mode => 0700;
+ }
+ 
+ monitor_service { "spamd": description => "spamassassin", check_command => "nrpe_check_spamd" }
+}
diff --git a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb b/modules/exim/templates/exim4.conf.SMTP_IMAP_MM.erb
similarity index 91%
rename from templates/exim/exim4.conf.SMTP_IMAP_MM.erb
rename to modules/exim/templates/exim4.conf.SMTP_IMAP_MM.erb
index c3757ac..1e5ee1e 100644
--- a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb
+++ b/modules/exim/templates/exim4.conf.SMTP_IMAP_MM.erb
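Review bot: The `/etc/exim4/exim4.conf` resource in exim::role::simple-mail-sender has no `notify => Service[exim4]`, unlike the same resource in `class exim` in init.pp, so a changed exim4.minimal.erb is written to disk but the running daemon keeps the old configuration until something else restarts it; add `notify => Service[exim4],` next to `require => Package[exim4-config],`. The class also declares `class { "config": ... }` and `include service` by their unqualified names; for the many nodes in site.pp that include only this role and never `exim`, those names resolve only if init.pp was parsed anyway, which I would not rely on.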
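Review bot: `content => template("spamassassin/local.cf")` in spamassassin.pp still resolves the template outside the exim module, while the companion `spamassassin.default` was moved into `modules/exim/files/` in this same change; if the global templates/spamassassin/local.cf is kept this works, but the half-moved layout deserves a comment, or the template should follow its sibling into `modules/exim/templates/`. As with mailman.pp, the class is declared as plain `spamassassin` in a file the autoloader associates with `exim::spamassassin`, and init.pp does `include spamassassin`; I would expect this to load only because the file is parsed while the autoloader searches for the qualified name.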
@@ -40,7 +40,7 @@ <% if enable_mail_relay == "secondary" then -%> domainlist secondary_domains = @mx_secondary/ignore=127.0.0.1 <% end -%> -<%if enable_mail_relay != "false"%> +<% if enable_mail_relay != "false" %> domainlist relay_domains = lsearch;CONFDIR/relay_domains <% end -%> @@ -57,7 +57,7 @@ hostlist wikimedia_nets = <; <%= scope.lookupvar('network::constants::all_networks').join(" ; ") %> hostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ; <% if enable_mail_relay != "false" -%><%= scope.lookupvar('network::constants::external_networks').join(" ; ") %>; 10.0.0.0/8<% end %> # Relay @mx_secondary domains only to these hosts -hostlist primary_mx = <; <%= scope.lookupvar('exim::constants::primary_mx').join(" ; ") %> +hostlist primary_mx = <; <%= primary_mx.join(" ; ") %> <% if enable_imap_delivery == "true" then -%> @@ -76,6 +76,12 @@ <% if enable_mail_relay != "false" then -%> helo_try_verify_hosts = * +<% end -%> + +<% if rt_relay == "true" then -%> +# Allow RT to use any sender address +untrusted_set_sender = * +local_from_check = false <% end -%> system_filter = CONFDIR/system_filter @@ -219,6 +225,11 @@ ! hosts = +wikimedia_nets <% end -%> +<% if enable_external_mail == "true" then -%> + # We only accept mail from our own mail relays + require message = This server does not accept external mail + hosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets +<% end -%> accept acl_check_data: 
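Review bot: In the @@ -219 hunk, `enable_external_mail == "true"` emits `require message = This server does not accept external mail` with `hosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets`, i.e. it rejects mail from outside our networks, so the parameter name states the opposite of what it does and the rt role has to set it to `"true"` to close the server; a name such as `reject_external_mail` (with rt.pp updated) would read correctly. The placement also differs from the deleted exim4.rt.conf, where the same check was a `require` in `acl_smtp_connect` and therefore applied to every connection; here it sits at the end of an ACL immediately before the final `accept`, after statements of that ACL that are outside the hunk, so any `accept` reached earlier in the same ACL bypasses it. If the intent is the old behaviour, this belongs in the connect ACL or at the top of this one. The `untrusted_set_sender = *` / `local_from_check = false` block in the @@ -76 hunk is correctly gated on `rt_relay`, but a comment that it lets the `mail` user forge any envelope sender would help the next reader.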
@@ -305,6 +316,34 @@ allow_fail allow_defer forbid_file + +<% if rt_relay == "true" then -%> +# Mail destined for RT + +# This router checks whether the local part consists of solely digits, +# and assumes this is the ticket number of an existing ticket if this is +# the case. It rewrites the address to the general queue, and puts the +# ticket nr in $address_data, where the rt_pipe transport can access it. + +rt_ticket: + driver = redirect + domains = +rt_domains + local_part_suffix = -comment + local_part_suffix_optional + condition = ${if match{$local_part}{\N^\d+$\N}{yes}{no}} + address_data = EXTENSION=$local_part + data = general$local_part_suffix@$domain + redirect_router = rt + no_verify + +rt: + driver = accept + domains = +rt_domains + local_part_suffix = -comment + local_part_suffix_optional + transport = rt_pipe + +<% end -%> <% if enable_mailman == "true" then -%> # Mailman list handling. @@ -522,10 +561,7 @@ # Send all mail not destined for the local machine via a set of # mail relays ("smart hosts") -smart_route: - driver = manualroute - transport = remote_smtp - route_list = * mchenry.wikimedia.org:lists.wikimedia.org + <% end %> <% if enable_mail_relay != "false" then -%> @@ -540,6 +576,13 @@ cannot_route_message = Mailing list $local_part does not exist. <% elsif enable_mail_relay != "false" then -%> cannot_route_message = Address $local_part@$domain does not exist +<% end %> + +<% if !smart_route_list.empty? then -%> +smart_route: + driver = manualroute + transport = remote_smtp + route_list = * <%= smart_route_list.join(":") %> <% end %> ############## 
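Review bot: The new `rt_ticket` and `rt` routers use `domains = +rt_domains`, and exim::role::rt passes `"+rt_domains"` in `local_domains`, but no hunk in this change defines `domainlist rt_domains`; the deleted exim4.rt.conf had `domainlist rt_domains = rt.wikimedia.org`. Unless the template already defines it outside the visible hunks, Exim will refuse the rendered configuration with an unknown named list, so add something like `<% if rt_relay == "true" then -%>` / `domainlist rt_domains = rt.wikimedia.org` / `<% end -%>` alongside the other domainlists. Moving `smart_route` to its own `<% if !smart_route_list.empty? %>` block after the relay routers looks right, since its `route_list = *` must stay last.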
@@ -572,6 +615,19 @@ address_pipe: driver = pipe return_output + +<% if rt_relay == "true" then -%> +# RT transport +rt_pipe: + driver = pipe + command = /usr/bin/rt-mailgate --queue $local_part \ + --action "${if eq{$local_part_suffix}{-comment}{comment}{correspond}}" \ + --extension ticket --url http://rt.wikimedia.org + environment = $address_data + user = mail + group = mail + return_fail_output +<% end -%> <% if enable_mailman == "true" then -%> # Mailman pipe transport @@ -690,6 +746,19 @@ begin rewrite <% end %> + +<% if rt_relay == "true" then -%> +################# +# Rewrite rules # +################# + +begin rewrite + +# Rewrite RT +www-data@$primary_hostname [email protected] Fq + +<% end -%> + <% if enable_mailman == "true" then -%> \N^.*@(mail\.)?wiki[mp]edia\.org$\N "${if exists{MAILMAN_LISTS_HOME/lists/$local_part/config.pck}{[email protected]}fail}" ct <% end %> diff --git a/templates/exim/exim4.default.erb b/modules/exim/templates/exim4.default.erb similarity index 100% rename from templates/exim/exim4.default.erb rename to modules/exim/templates/exim4.default.erb diff --git a/templates/exim/exim4.donate.erb b/modules/exim/templates/exim4.donate.erb similarity index 100% rename from templates/exim/exim4.donate.erb rename to modules/exim/templates/exim4.donate.erb diff --git a/templates/exim/exim4.minimal.erb b/modules/exim/templates/exim4.minimal.erb similarity index 100% rename from templates/exim/exim4.minimal.erb rename to modules/exim/templates/exim4.minimal.erb 
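Review bot: In the @@ -690 hunk the new `rt_relay` block emits its own `begin rewrite` header directly after a context `begin rewrite` that is emitted under a preceding condition whose `<% if %>` is outside the hunk, so when both conditions hold the rendered file contains two `begin rewrite` lines, which as far as I know Exim does not accept; emit only the `www-data@$primary_hostname ... Fq` rule here and widen the existing condition to also cover `rt_relay == "true"`. The deleted exim4.rt.conf also carried a second rule rewriting `*@$primary_hostname` for mail originating on the host itself, which is not reproduced anywhere in this change; confirm that drop is intended. The `rt_pipe` transport in the @@ -572 hunk is a verbatim move of the old transport.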
diff --git a/templates/exim/system_filter.conf.erb b/modules/exim/templates/system_filter.conf.erb similarity index 100% rename from templates/exim/system_filter.conf.erb rename to modules/exim/templates/system_filter.conf.erb -- To view, visit https://gerrit.wikimedia.org/r/68011 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I6dd5b30257643528da3e8bf671e8736bd87e495f Gerrit-PatchSet: 8 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <[email protected]> Gerrit-Reviewer: Andrew Bogott <[email protected]> Gerrit-Reviewer: Dzahn <[email protected]> Gerrit-Reviewer: Mark Bergsma <[email protected]> Gerrit-Reviewer: jenkins-bot _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
