Andrew Bogott has uploaded a new change for review. https://gerrit.wikimedia.org/r/69263
Change subject: Revert "Refactor exim::rt to use the new exim template." ...................................................................... Revert "Refactor exim::rt to use the new exim template." This patch somehow glommed on to a different exim refactor which I'm not ready to merge yet. This reverts commit b86a33d166c16b9797c817aa7f10eee4359a4a31. Change-Id: I0faf4e101572ade8de8f808ba10ddf6c05b160eb --- R files/exim/exim4.listserver_aliases.conf A files/exim/exim4.rt.conf R files/exim/exim4.secondary_relay_domains.conf R files/mailman/docroot/favicon.ico R files/mailman/docroot/favicon.png R files/mailman/docroot/robots.txt R files/mailman/mm_cfg.py R files/spamassassin/spamassassin.default A manifests/mail.pp M manifests/site.pp D modules/exim/manifests/init.pp D modules/exim/manifests/mailman.pp D modules/exim/manifests/role/mediawiki.pp D modules/exim/manifests/role/rt.pp D modules/exim/manifests/role/simple-mail-sender.pp D modules/exim/manifests/spamassassin.pp R templates/exim/exim4.conf.SMTP_IMAP_MM.erb R templates/exim/exim4.default.erb R templates/exim/exim4.donate.erb R templates/exim/exim4.minimal.erb R templates/exim/system_filter.conf.erb 21 files changed, 576 insertions(+), 440 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/63/69263/1 diff --git a/modules/exim/files/exim4.listserver_aliases.conf b/files/exim/exim4.listserver_aliases.conf similarity index 100% rename from modules/exim/files/exim4.listserver_aliases.conf rename to files/exim/exim4.listserver_aliases.conf diff --git a/files/exim/exim4.rt.conf b/files/exim/exim4.rt.conf new file mode 100644 index 0000000..dd06e5e --- /dev/null +++ b/files/exim/exim4.rt.conf 
@@ -0,0 +1,209 @@ +# Exim 4 configuration file for streber.wikimedia.org +# Written on 2010-08-10 by Mark Bergsma <[email protected]> + +########## +# Macros # +########## + +CONFDIR=/etc/exim4 + +############################### +# Main configuration settings # +############################### + +# Standard lists +hostlist wikimedia_nets = <; 208.80.152.0/22 ; 91.198.174.0/24 ; 2620:0:860::/46 ; 10.0.0.0/16 +domainlist system_domains = @ + +domainlist local_domains = +system_domains +domainlist rt_domains = rt.wikimedia.org +hostlist rt_mail_from_hosts = mchenry.wikimedia.org +hostlist relay_from_hosts = <; @[] + +# Interfaces +daemon_smtp_ports = smtp + +# Administration +log_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn + +# Policy control +acl_smtp_connect = acl_check_connect +acl_smtp_rcpt = acl_check_rcpt + +helo_try_verify_hosts = * + +# Allow RT to use any sender address +untrusted_set_sender = * +local_from_check = false + +# Resource control +check_spool_space = 50M +deliver_queue_load_max = 75.0 +queue_only_load = 50.0 +smtp_accept_max = 100 +smtp_accept_max_per_host = 10 +smtp_reserve_hosts = <; 127.0.0.1 ; ::1 ; +wikimedia_nets +smtp_accept_reserve = 20 +smtp_accept_queue_per_connection = 500 +remote_max_parallel = 25 +smtp_connect_backlog = 32 + +# Lookups +host_lookup = * +rfc1413_hosts = +rfc1413_query_timeout = 5s + +# Other +never_users = root : daemon : bin +ignore_bounce_errors_after = 0h + +############################### +# Access Control Lists (ACLs) # +############################### + +begin acl + +acl_check_connect: + # We only accept mail from our own mail relays + require message = This server does not accept external mail + hosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets + + accept + +acl_check_rcpt: + + # Accept if the source is local SMTP (a pipe) + + accept hosts = : + + # Deny if the local part 
contains @, %, /, | or !, or starts with a dot + + deny local_parts = ^.*[@%!/|] : ^\\. + + # Accept relaying from networks we control. Note: no address verification + # is done at this point, which is good for mail submission, but may render + # recipient callout verification by affected hosts useless. + + accept hosts = +rt_mail_from_hosts : +relay_from_hosts + + # Require recipient domain to be local, or a domain we relay for + + require message = Relay not permitted + domains = +local_domains + + # { recipient domain is under our administrative control } + + # Verify the recipient address for local domains, or require the + # recipient domain to exist for remote domains + + require verify = recipient + + # Mail can be safely accepted here, but we may want to do more + # rfc compliance checking and spam filtering. + + # Trust that the mail relay has done all checking + + accept + + +########### +# Routers # +########### + +begin routers + +# Use the system aliasfile /etc/aliases for system domains + +system_aliases: + driver = redirect + domains = +system_domains + data = ${lookup{$local_part}lsearch{/etc/aliases}} + pipe_transport = address_pipe + allow_fail + allow_defer + forbid_file + +# Mail destined for RT + +# This router checks whether the local part consists of solely digits, +# and assumes this is the ticket number of an existing ticket if this is +# the case. It rewrites the address to the general queue, and puts the +# ticket nr in $address_data, where the rt_pipe transport can access it. 
+ +rt_ticket: + driver = redirect + domains = +rt_domains + local_part_suffix = -comment + local_part_suffix_optional + condition = ${if match{$local_part}{\N^\d+$\N}{yes}{no}} + address_data = EXTENSION=$local_part + data = general$local_part_suffix@$domain + redirect_router = rt + no_verify + +rt: + driver = accept + domains = +rt_domains + local_part_suffix = -comment + local_part_suffix_optional + transport = rt_pipe + + +# Send all mail not destined for the local machine via a set of +# mail relays ("smart hosts") + +smart_route: + driver = manualroute + transport = remote_smtp + route_list = * mchenry.wikimedia.org:lists.wikimedia.org + +############## +# Transports # +############## + +begin transports + +# Generic remote SMTP transport + +remote_smtp: + driver = smtp + hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0 + +# Generic pipe local delivery transport (for use by alias/forward files) + +address_pipe: + driver = pipe + return_output + +# RT transport +rt_pipe: + driver = pipe + command = /usr/bin/rt-mailgate --queue $local_part \ + --action "${if eq{$local_part_suffix}{-comment}{comment}{correspond}}" \ + --extension ticket --url http://rt.wikimedia.org + environment = $address_data + user = mail + group = mail + return_fail_output + + +############### +# Retry rules # +############### + +begin retry + +* * F,2h,15m; G,16h,1h,1.5; F,4d,6h + +################# +# Rewrite rules # +################# + +begin rewrite + +# Rewrite RT +www-data@$primary_hostname [email protected] Fq + +# Rewrite the envelope From for mails from internal servers in *.wmnet, +# as they are usually rejected by sender domain address verification. +*@$primary_hostname [email protected] F diff --git a/modules/exim/files/exim4.secondary_relay_domains.conf b/files/exim/exim4.secondary_relay_domains.conf similarity index 100% rename from modules/exim/files/exim4.secondary_relay_domains.conf rename to files/exim/exim4.secondary_relay_domains.conf 
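Review bot: The `remote_smtp` transport sets `hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0`, which disables TLS for every outbound connection including the two smart hosts in `smart_route`, and the file gives no reason; a comment on that line such as `# TLS deliberately off: relays are reached only over the internal network` (or whatever the real reason is) would stop the next reader from either "fixing" it or assuming the hop is encrypted. Likewise `rt_pipe` hands each message to rt-mailgate with `--url http://rt.wikimedia.org`, so ticket content crosses that link in clear text unless RT runs on the same host; a one-line note on which it is belongs next to the command. Finally `local_domains = +system_domains` does not include `+rt_domains`, so the `require message = Relay not permitted` step in `acl_check_rcpt` rejects rt.wikimedia.org recipients from any in-network host other than `+rt_mail_from_hosts` (the removed role class used `[ "+system_domains", "+rt_domains" ]`); if the narrower set is intended, say so above that step, e.g. `# RT mail must arrive via +rt_mail_from_hosts; rt_domains is deliberately not local here`.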
diff --git a/modules/exim/files/docroot/favicon.ico b/files/mailman/docroot/favicon.ico similarity index 100% rename from modules/exim/files/docroot/favicon.ico rename to files/mailman/docroot/favicon.ico Binary files differ diff --git a/modules/exim/files/docroot/favicon.png b/files/mailman/docroot/favicon.png similarity index 100% rename from modules/exim/files/docroot/favicon.png rename to files/mailman/docroot/favicon.png Binary files differ diff --git a/modules/exim/files/docroot/robots.txt b/files/mailman/docroot/robots.txt similarity index 100% rename from modules/exim/files/docroot/robots.txt rename to files/mailman/docroot/robots.txt diff --git a/modules/exim/files/mm_cfg.py b/files/mailman/mm_cfg.py similarity index 100% rename from modules/exim/files/mm_cfg.py rename to files/mailman/mm_cfg.py diff --git a/modules/exim/files/spamassassin.default b/files/spamassassin/spamassassin.default similarity index 100% rename from modules/exim/files/spamassassin.default rename to files/spamassassin/spamassassin.default diff --git a/manifests/mail.pp b/manifests/mail.pp new file mode 100644 index 0000000..e015e4a --- /dev/null +++ b/manifests/mail.pp 
@@ -0,0 +1,343 @@ +# mail.pp + +class exim { + class constants { + $primary_mx = [ "208.80.152.186", "2620::860:2:219:b9ff:fedd:c027" ] + } + + class config($install_type="light", $queuerunner="queueonly") { + package { [ "exim4-config", "exim4-daemon-${install_type}" ]: ensure => latest } + + if $install_type == "heavy" { + exec { "mkdir /var/spool/exim4/scan": + require => Package[exim4-daemon-heavy], + path => "/bin:/usr/bin", + creates => "/var/spool/exim4/scan" + } + + mount { [ "/var/spool/exim4/scan", "/var/spool/exim4/db" ]: + device => "none", + fstype => "tmpfs", + options => "defaults", + ensure => mounted + } + + file { [ "/var/spool/exim4/scan", "/var/spool/exim4/db" ]: + ensure => directory, + owner => Debian-exim, + group => Debian-exim + } + + # add nagios to the Debian-exim group to allow check_disk tmpfs mounts (puppet still can't manage existing users?! so just Exec) + exec { "nagios_to_exim_group": + command => "usermod -a -G Debian-exim nagios", + path => "/usr/sbin"; + } + + Exec["mkdir /var/spool/exim4/scan"] -> Mount["/var/spool/exim4/scan"] -> File["/var/spool/exim4/scan"] + Package[exim4-daemon-heavy] -> Mount["/var/spool/exim4/db"] -> File["/var/spool/exim4/db"] + } + + file { + "/etc/default/exim4": + require => Package[exim4-config], + owner => root, + group => root, + mode => 0444, + content => template("exim/exim4.default.erb"); + "/etc/exim4/aliases/": + require => Package[exim4-config], + mode => 0755, + owner => root, + group => root, + ensure => directory; + } + } + + class service { + Class["exim::config"] -> Class[exim::service] + + # The init script's status command exit value only reflects the SMTP service + service { exim4: + ensure => running, + hasstatus => $exim::config::queuerunner ? 
{ + "queueonly" => false, + default => true + } + } + + if $exim::config::queuerunner != "queueonly" { + # Nagios monitoring + monitor_service { "smtp": description => "Exim SMTP", check_command => "check_smtp" } + } + } + + class simple-mail-sender { + class { "exim::config": queuerunner => "queueonly" } + Class["exim::config"] -> Class[exim::simple-mail-sender] + + file { + "/etc/exim4/exim4.conf": + require => Package[exim4-config], + owner => root, + group => root, + mode => 0444, + content => template("exim/exim4.minimal.erb"); + } + + include exim::service + } + + class rt { + class { "exim::config": queuerunner => "combined" } + Class["exim::config"] -> Class[exim::rt] + + file { + "/etc/exim4/exim4.conf": + require => Package[exim4-config], + owner => root, + group => root, + mode => 0444, + source => "puppet:///files/exim/exim4.rt.conf"; + } + + include exim::service + } + + class smtp { + $otrs_mysql_password = $passwords::exim4::otrs_mysql_password + $smtp_ldap_password = $passwords::exim4::smtp_ldap_password + } + + # Class: exim::roled + # + # This class installs a full featured Exim MTA + # + # Parameters: + # - $local_domains: + # List of domains Exim will treat as "local", i.e. 
be responsible + # for + # - $enable_mail_relay: + # Values: primary, secondary + # Whether Exim will act as a primary or secondary mail relay for + # other mail servers + # - $enable_mailman: + # Whether Mailman delivery functionality is enabled (true/false) + # - $enable_imap_delivery: + # Whether IMAP local delivery functional is enabled (true/false) + # - $enable_mail_submission: + # Enable/disable mail submission by users/client MUAs + # - $mediawiki_relay: + # Whether this MTA relays mail for MediaWiki (true/false) + # - $enable_spamasssin: + # Enable/disable SpamAssassin spam checking + # - $outbound_ips: + # IP addresses to use for sending outbound e-mail + # - $hold_domains: + # List of domains to hold on the queue without processing + class roled( + $local_domains = [ "+system_domains" ], + $enable_mail_relay="false", + $enable_mailman="false", + $enable_imap_delivery="false", + $enable_mail_submission="false", + $mediawiki_relay="false", + $enable_spamassassin="false", + $outbound_ips=[ $ipaddress ], + $hold_domains=[] ) { + + class { "exim::config": install_type => "heavy", queuerunner => "combined" } + Class["exim::config"] -> Class[exim::roled] + + include exim::service + + include exim::smtp + include exim::constants + include network::constants + include exim::listserve::private + + file { + "/etc/exim4/exim4.conf": + require => Package[exim4-config], + notify => Service[exim4], + owner => root, + group => Debian-exim, + mode => 0440, + content => template("exim/exim4.conf.SMTP_IMAP_MM.erb"); + "/etc/exim4/system_filter": + owner => root, + group => Debian-exim, + mode => 0444, + content => template("exim/system_filter.conf.erb"); + } + + class mail_relay { + Class["exim::config"] -> Class[exim::roled::mail_relay] + + file { + "/etc/exim4/relay_domains": + owner => root, + group => root, + mode => 0444, + source => "puppet:///files/exim/exim4.secondary_relay_domains.conf"; + } + } + + class mailman { + Class["exim::config"] -> 
Class[exim::roled::mailman] + + file { + "/etc/exim4/aliases/lists.wikimedia.org": + owner => root, + group => root, + mode => 0444, + source => "puppet:///files/exim/exim4.listserver_aliases.conf"; + } + } + + if ( $enable_mailman == "true" ) { + include mailman + } + if ( $enable_mail_relay == "primary" ) or ( $enable_mail_relay == "secondary" ) { + include mail_relay + } + if ( $enable_spamassassin == "true" ) { + include spamassassin + } + } +} + +# SpamAssassin http://spamassassin.apache.org/ + +class spamassassin { + include network::constants + + package { [ "spamassassin" ]: + ensure => latest; + } + + systemuser { "spamd": name => "spamd" } + + File { + require => Package[spamassassin], + owner => root, + group => root, + mode => 0444 + } + file { + "/etc/spamassassin/local.cf": + content => template("spamassassin/local.cf"); + "/etc/default/spamassassin": + source => "puppet:///files/spamassassin/spamassassin.default"; + } + + service { "spamassassin": + require => [ File["/etc/default/spamassassin"], File["/etc/spamassassin/local.cf"], Package[spamassassin], Systemuser[spamd] ], + subscribe => [ File["/etc/default/spamassassin"], File["/etc/spamassassin/local.cf"] ], + ensure => running; + } + + file { "/var/spamd": + require => Systemuser[spamd], + ensure => directory, + owner => spamd, + group => spamd, + mode => 0700; + } + + monitor_service { "spamd": description => "spamassassin", check_command => "nrpe_check_spamd" } +} + +class mailman { + class base { + # lighttpd needs to be installed first, or the mailman package will pull in apache2 + require webserver::static + + package { "mailman": ensure => latest } + } + + class listserve { + require mailman::base + + system_role { "mailman::listserve": description => "Mailman listserver" } + + file { + "/etc/mailman/mm_cfg.py": + owner => root, + group => root, + mode => 0444, + source => "puppet:///files/mailman/mm_cfg.py"; + } + + # Install as many languages as possible + include 
generic::locales::international + + generic::debconf::set { + "mailman/gate_news": + value => "false", + notify => Exec["dpkg-reconfigure mailman"]; + "mailman/used_languages": + value => "ar big5 ca cs da de en es et eu fi fr gb hr hu ia it ja ko lt nl no pl pt pt_BR ro ru sl sr sv tr uk vi zh_CN zh_TW", + notify => Exec["dpkg-reconfigure mailman"]; + "mailman/default_server_language": + value => "en", + notify => Exec["dpkg-reconfigure mailman"]; + } + exec { "dpkg-reconfigure mailman": + require => Class["generic::locales::international"], + before => Service[mailman], + command => "/usr/sbin/dpkg-reconfigure -fnoninteractive mailman", + refreshonly => true + } + + service { mailman: + ensure => running, + hasstatus => false, + pattern => "mailmanctl" + } + + monitor_service { "procs_mailman": description => "mailman", check_command => "nrpe_check_mailman" } + } + + class web-ui { + include webserver::static + + if ( $realm == "production" ) { + install_certificate{ "star.wikimedia.org": } + } + + # htdigest file for private list archives + file { "/etc/lighttpd/htdigest": + require => Class["webserver::static"], + source => "puppet:///private/lighttpd/htdigest", + owner => root, + group => www-data, + mode => 0440; + } + + # Enable CGI module + lighttpd_config { "10-cgi": require => Class["webserver::static"] } + + # Install Mailman specific Lighttpd config file + lighttpd_config { "50-mailman": + require => [ Class["webserver::static"], File["/etc/lighttpd/htdigest"] ], + install => "true" + } + + # Add files in /var/www (docroot) + file { "/var/www": + source => "puppet:///files/mailman/docroot/", + owner => root, + group => root, + mode => 0444, + recurse => remote; + } + + # monitor SSL cert expiry + if ( $realm == "production" ) { + monitor_service { "https": description => "HTTPS", check_command => "check_ssl_cert!*.wikimedia.org" } + } + } + + include listserve, web-ui +} diff --git a/manifests/site.pp b/manifests/site.pp index a16a874..6d1653a 100644 
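Review bot: In `class rt` and `class simple-mail-sender` the `/etc/exim4/exim4.conf` resource carries no `notify => Service[exim4],`, while the same file in `class roled` does, so on those hosts a changed exim4.conf is written to disk but the daemon keeps running the old configuration until something else restarts it; adding `notify => Service[exim4],` beside `require => Package[exim4-config],` in both places makes the three classes consistent. The `exec { "nagios_to_exim_group": ... }` in `config` has no `unless` or `creates`, so `usermod` runs on every agent run; an `unless` that checks the group membership would keep the run idempotent and the log quiet. The header comment on `roled` names `$enable_spamasssin` (typo for the `$enable_spamassassin` parameter) and documents `$mediawiki_relay`, which the visible class body never reads.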
--- a/manifests/site.pp +++ b/manifests/site.pp @@ -17,6 +17,7 @@ import "iptables.pp" import "ldap.pp" import "lvs.pp" +import "mail.pp" import "media-storage.pp" import "memcached.pp" import "misc/*.pp" @@ -51,7 +52,7 @@ include base, ganglia, ntp::client, - exim::role::simple-mail-sender + exim::simple-mail-sender } class standard-noexim { @@ -764,7 +765,7 @@ include base, ganglia, - exim::role::simple-mail-sender, + exim::simple-mail-sender, dns::recursor::statistics include network::constants @@ -1346,7 +1347,7 @@ include base, ganglia, - exim::role::simple-mail-sender, + exim::simple-mail-sender, misc::url-downloader class { 'ntp::server': @@ -1643,7 +1644,7 @@ $cluster = "misc" include role::racktables - include role::request-tracker-apache::production, exim::role::rt + include role::request-tracker-apache::production, exim::rt } node "marmontel.wikimedia.org" { @@ -2370,9 +2371,19 @@ ganglia, ntp::client, nrpe, + mailman, dns::recursor, - backup::client, - exim::role::mediawiki + spamassassin, + backup::client + + class { exim::roled: + outbound_ips => [ "208.80.154.4", "2620:0:861:1::2" ], + local_domains => [ "+system_domains", "+mailman_domains" ], + enable_mail_relay => "secondary", + enable_mailman => "true", + enable_mail_submission => "false", + enable_spamassassin => "true" + } interface_ip { "lists.wikimedia.org_v4": interface => "eth0", address => "208.80.154.4", prefixlen => 32; @@ -2670,7 +2681,7 @@ ntp::client, admins::roots, # misc::torrus, - exim::role::rt, + exim::rt, misc::rt::server, misc::rancid, firewall::builder diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp deleted file mode 100644 index cca8d28..0000000 --- a/modules/exim/manifests/init.pp +++ /dev/null 
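Review bot: In the `@@ -2370` hunk the node both includes `spamassassin` directly and passes `enable_spamassassin => "true"` to `exim::roled`, which includes the same class when the flag is `"true"`; Puppet tolerates the duplicate, but it means the flag can silently stop doing anything without the node noticing, so keep one path and note which in a comment. The flag values are strings (`"true"`, `"false"`, `"secondary"`) because `exim::roled` compares them with `== "true"`; a comment on the `class { exim::roled:` declaration, `# flags are strings: exim::roled compares against "true"`, would stop someone passing a bare boolean that never matches. The node's `include` list and the surrounding node body are cut by the hunk boundaries, so the rest of that node is not visible here.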
@@ -1,190 +0,0 @@ -# Class: exim -# -# This class installs a full featured Exim MTA -# -# Parameters: -# - $local_domains: -# List of domains Exim will treat as "local", i.e. be responsible -# for -# - $enable_mail_relay: -# Values: primary, secondary -# Whether Exim will act as a primary or secondary mail relay for -# other mail servers -# - $enable_mailman: -# Whether Mailman delivery functionality is enabled (true/false) -# - $enable_imap_delivery: -# Whether IMAP local delivery functional is enabled (true/false) -# - $enable_mail_submission: -# Enable/disable mail submission by users/client MUAs -# - $mediawiki_relay: -# Whether this MTA relays mail for MediaWiki (true/false) -# - $enable_spamasssin: -# Enable/disable SpamAssassin spam checking -# - $outbound_ips: -# IP addresses to use for sending outbound e-mail -# - $hold_domains: -# List of domains to hold on the queue without processing -class exim( - $local_domains = [ "+system_domains" ], - $enable_mail_relay="false", - $enable_mailman="false", - $enable_imap_delivery="false", - $enable_mail_submission="false", - $enable_external_mail="false", - $smart_route_list=[], - $mediawiki_relay="false", - $rt_relay="false", - $enable_spamassassin="false", - $outbound_ips=[ $ipaddress ], - $hold_domains=[] ) { - - class { "config": install_type => "heavy", queuerunner => "combined" } - Class["config"] -> Class[exim] - - include service - - include smtp - include network::constants - include exim::listserve::private - - $primary_mx = [ "208.80.152.186", "2620::860:2:219:b9ff:fedd:c027" ] - file { - "/etc/exim4/exim4.conf": - require => Package[exim4-config], - notify => Service[exim4], - owner => root, - group => Debian-exim, - mode => 0440, - content => template("exim/exim4.conf.SMTP_IMAP_MM.erb"); - "/etc/exim4/system_filter": - owner => root, - group => Debian-exim, - mode => 0444, - content => template("exim/system_filter.conf.erb"); - } - - class mail_relay { - Class["config"] -> Class[exim::mail_relay] - - 
file { - "/etc/exim4/relay_domains": - owner => root, - group => root, - mode => 0444, - source => "puppet:///modules/exim/exim4.secondary_relay_domains.conf"; - } - } - - class mailman { - Class["config"] -> Class[exim::mailman] - - file { - "/etc/exim4/aliases/lists.wikimedia.org": - owner => root, - group => root, - mode => 0444, - source => "puppet:///modules/exim/exim4.listserver_aliases.conf"; - } - } - - if ( $enable_mailman == "true" ) { - include exim::mailman - } - if ( $enable_mail_relay == "primary" ) or ( $enable_mail_relay == "secondary" ) { - include mail_relay - } - if ( $enable_spamassassin == "true" ) { - include spamassassin - } -} - - -class config($install_type="light", $queuerunner="queueonly") { - package { [ "exim4-config", "exim4-daemon-${install_type}" ]: ensure => latest } - - if $install_type == "heavy" { - exec { "mkdir /var/spool/exim4/scan": - require => Package[exim4-daemon-heavy], - path => "/bin:/usr/bin", - creates => "/var/spool/exim4/scan" - } - - mount { [ "/var/spool/exim4/scan", "/var/spool/exim4/db" ]: - device => "none", - fstype => "tmpfs", - options => "defaults", - ensure => mounted - } - - file { [ "/var/spool/exim4/scan", "/var/spool/exim4/db" ]: - ensure => directory, - owner => Debian-exim, - group => Debian-exim - } - - # add nagios to the Debian-exim group to allow check_disk tmpfs mounts (puppet still can't manage existing users?! 
so just Exec) - exec { "nagios_to_exim_group": - command => "usermod -a -G Debian-exim nagios", - path => "/usr/sbin"; - } - - Exec["mkdir /var/spool/exim4/scan"] -> Mount["/var/spool/exim4/scan"] -> File["/var/spool/exim4/scan"] - Package[exim4-daemon-heavy] -> Mount["/var/spool/exim4/db"] -> File["/var/spool/exim4/db"] - } - - file { - "/etc/default/exim4": - require => Package[exim4-config], - owner => root, - group => root, - mode => 0444, - content => template("exim/exim4.default.erb"); - "/etc/exim4/aliases/": - require => Package[exim4-config], - mode => 0755, - owner => root, - group => root, - ensure => directory; - } -} - -class service { - Class["config"] -> Class[service] - - # The init script's status command exit value only reflects the SMTP service - service { exim4: - ensure => running, - hasstatus => $exim::config::queuerunner ? { - "queueonly" => false, - default => true - } - } - - if $config::queuerunner != "queueonly" { - # Nagios monitoring - monitor_service { "smtp": description => "Exim SMTP", check_command => "check_smtp" } - } -} - -class simple-mail-sender { - class { "config": queuerunner => "queueonly" } - Class["config"] -> Class[exim::simple-mail-sender] - - file { - "/etc/exim4/exim4.conf": - require => Package[exim4-config], - owner => root, - group => root, - mode => 0444, - content => template("exim/exim4.minimal.erb"); - } - - include service -} - -class smtp { - $otrs_mysql_password = $passwords::exim4::otrs_mysql_password - $smtp_ldap_password = $passwords::exim4::smtp_ldap_password -} - - diff --git a/modules/exim/manifests/mailman.pp b/modules/exim/manifests/mailman.pp deleted file mode 100644 index 829b59c..0000000 --- a/modules/exim/manifests/mailman.pp +++ /dev/null 
@@ -1,93 +0,0 @@ -class mailman { - class base { - # lighttpd needs to be installed first, or the mailman package will pull in apache2 - require webserver::static - - package { "mailman": ensure => latest } - } - - class listserve { - require mailman::base - - system_role { "mailman::listserve": description => "Mailman listserver" } - - file { - "/etc/mailman/mm_cfg.py": - owner => root, - group => root, - mode => 0444, - source => "puppet:///modules/mailman/mm_cfg.py"; - } - - # Install as many languages as possible - include generic::locales::international - - generic::debconf::set { - "mailman/gate_news": - value => "false", - notify => Exec["dpkg-reconfigure mailman"]; - "mailman/used_languages": - value => "ar big5 ca cs da de en es et eu fi fr gb hr hu ia it ja ko lt nl no pl pt pt_BR ro ru sl sr sv tr uk vi zh_CN zh_TW", - notify => Exec["dpkg-reconfigure mailman"]; - "mailman/default_server_language": - value => "en", - notify => Exec["dpkg-reconfigure mailman"]; - } - exec { "dpkg-reconfigure mailman": - require => Class["generic::locales::international"], - before => Service[mailman], - command => "/usr/sbin/dpkg-reconfigure -fnoninteractive mailman", - refreshonly => true - } - - service { mailman: - ensure => running, - hasstatus => false, - pattern => "mailmanctl" - } - - monitor_service { "procs_mailman": description => "mailman", check_command => "nrpe_check_mailman" } - } - - class web-ui { - include webserver::static - - if ( $realm == "production" ) { - install_certificate{ "star.wikimedia.org": } - } - - # htdigest file for private list archives - file { "/etc/lighttpd/htdigest": - require => Class["webserver::static"], - source => "puppet:///private/lighttpd/htdigest", - owner => root, - group => www-data, - mode => 0440; - } - - # Enable CGI module - lighttpd_config { "10-cgi": require => Class["webserver::static"] } - - # Install Mailman specific Lighttpd config file - lighttpd_config { "50-mailman": - require => [ Class["webserver::static"], 
File["/etc/lighttpd/htdigest"] ], - install => "true" - } - - # Add files in /var/www (docroot) - file { "/var/www": - source => "puppet:///modules/mailman/docroot/", - owner => root, - group => root, - mode => 0444, - recurse => remote; - } - - # monitor SSL cert expiry - if ( $realm == "production" ) { - monitor_service { "https": description => "HTTPS", check_command => "check_ssl_cert!*.wikimedia.org" } - } - } - - include listserve, web-ui -} diff --git a/modules/exim/manifests/role/mediawiki.pp b/modules/exim/manifests/role/mediawiki.pp deleted file mode 100644 index 6ffd89f..0000000 --- a/modules/exim/manifests/role/mediawiki.pp +++ /dev/null @@ -1,10 +0,0 @@ -class exim::role::mediawiki { - class { exim: - outbound_ips => [ "208.80.154.4", "2620:0:861:1::2" ], - local_domains => [ "+system_domains", "+mailman_domains" ], - enable_mail_relay => "secondary", - enable_mailman => "true", - enable_mail_submission => "false", - enable_spamassassin => "true" - } -} diff --git a/modules/exim/manifests/role/rt.pp b/modules/exim/manifests/role/rt.pp deleted file mode 100644 index 2f8e080..0000000 --- a/modules/exim/manifests/role/rt.pp +++ /dev/null @@ -1,12 +0,0 @@ -class exim::role::rt { - class { exim: - local_domains => [ "+system_domains", "+rt_domains" ], - enable_mail_relay => "false", - enable_external_mail => "true", - smart_route_list => [ "mchenry.wikimedia.org", "lists.wikimedia.org" ], - enable_mailman => "false", - rt_relay => "true", - enable_mail_submission => "false", - enable_spamassassin => "false" - } -} diff --git a/modules/exim/manifests/role/simple-mail-sender.pp b/modules/exim/manifests/role/simple-mail-sender.pp deleted file mode 100644 index 90a2ec8..0000000 --- a/modules/exim/manifests/role/simple-mail-sender.pp +++ /dev/null 
@@ -1,15 +0,0 @@ -class exim::role::simple-mail-sender { - class { "config": queuerunner => "queueonly" } - Class["config"] -> Class[exim::role::simple-mail-sender] - - file { - "/etc/exim4/exim4.conf": - require => Package[exim4-config], - owner => root, - group => root, - mode => 0444, - content => template("exim/exim4.minimal.erb"); - } - - include service -} diff --git a/modules/exim/manifests/spamassassin.pp b/modules/exim/manifests/spamassassin.pp deleted file mode 100644 index e7c48d2..0000000 --- a/modules/exim/manifests/spamassassin.pp +++ /dev/null @@ -1,38 +0,0 @@ -class spamassassin { - include network::constants - - package { [ "spamassassin" ]: - ensure => latest; - } - - systemuser { "spamd": name => "spamd" } - - File { - require => Package[spamassassin], - owner => root, - group => root, - mode => 0444 - } - file { - "/etc/spamassassin/local.cf": - content => template("spamassassin/local.cf"); - "/etc/default/spamassassin": - source => "puppet:///modules/exim/spamassassin.default"; - } - - service { "spamassassin": - require => [ File["/etc/default/spamassassin"], File["/etc/spamassassin/local.cf"], Package[spamassassin], Systemuser[spamd] ], - subscribe => [ File["/etc/default/spamassassin"], File["/etc/spamassassin/local.cf"] ], - ensure => running; - } - - file { "/var/spamd": - require => Systemuser[spamd], - ensure => directory, - owner => spamd, - group => spamd, - mode => 0700; - } - - monitor_service { "spamd": description => "spamassassin", check_command => "nrpe_check_spamd" } -} diff --git a/modules/exim/templates/exim4.conf.SMTP_IMAP_MM.erb b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb similarity index 91% rename from modules/exim/templates/exim4.conf.SMTP_IMAP_MM.erb rename to templates/exim/exim4.conf.SMTP_IMAP_MM.erb index 1e5ee1e..c3757ac 100644 --- a/modules/exim/templates/exim4.conf.SMTP_IMAP_MM.erb +++ b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb 
@@ -40,7 +40,7 @@ <% if enable_mail_relay == "secondary" then -%> domainlist secondary_domains = @mx_secondary/ignore=127.0.0.1 <% end -%> -<% if enable_mail_relay != "false" %> +<%if enable_mail_relay != "false"%> domainlist relay_domains = lsearch;CONFDIR/relay_domains <% end -%> @@ -57,7 +57,7 @@ hostlist wikimedia_nets = <; <%= scope.lookupvar('network::constants::all_networks').join(" ; ") %> hostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ; <% if enable_mail_relay != "false" -%><%= scope.lookupvar('network::constants::external_networks').join(" ; ") %>; 10.0.0.0/8<% end %> # Relay @mx_secondary domains only to these hosts -hostlist primary_mx = <; <%= primary_mx.join(" ; ") %> +hostlist primary_mx = <; <%= scope.lookupvar('exim::constants::primary_mx').join(" ; ") %> <% if enable_imap_delivery == "true" then -%> @@ -76,12 +76,6 @@ <% if enable_mail_relay != "false" then -%> helo_try_verify_hosts = * -<% end -%> - -<% if rt_relay == "true" then -%> -# Allow RT to use any sender address -untrusted_set_sender = * -local_from_check = false <% end -%> system_filter = CONFDIR/system_filter @@ -225,11 +219,6 @@ ! hosts = +wikimedia_nets <% end -%> -<% if enable_external_mail == "true" then -%> - # We only accept mail from our own mail relays - require message = This server does not accept external mail - hosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets -<% end -%> accept acl_check_data: 
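Review bot: The `@@ -225` hunk drops the `enable_external_mail` block from `acl_check_rcpt`, so the template no longer offers the "only accept mail from our own mail relays" restriction; in the removed code only the RT role set that flag, and that host now gets the equivalent check from `acl_check_connect` in `files/exim/exim4.rt.conf`, but it is worth confirming that no other `exim::roled` host relied on it (the ACL's opening lines are outside the hunk). Separately, the `@@ -40` hunk rewrites `<% if enable_mail_relay != "false" %>` as `<%if enable_mail_relay != "false"%>`, which is the only tag in the visible template written without spaces or a trailing `-%>`; the neighbouring `<% if enable_mail_relay == "secondary" then -%>` shows the house style, so `<% if enable_mail_relay != "false" then -%>` would match it.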
@@ -316,34 +305,6 @@ allow_fail allow_defer forbid_file - -<% if rt_relay == "true" then -%> -# Mail destined for RT - -# This router checks whether the local part consists of solely digits, -# and assumes this is the ticket number of an existing ticket if this is -# the case. It rewrites the address to the general queue, and puts the -# ticket nr in $address_data, where the rt_pipe transport can access it. - -rt_ticket: - driver = redirect - domains = +rt_domains - local_part_suffix = -comment - local_part_suffix_optional - condition = ${if match{$local_part}{\N^\d+$\N}{yes}{no}} - address_data = EXTENSION=$local_part - data = general$local_part_suffix@$domain - redirect_router = rt - no_verify - -rt: - driver = accept - domains = +rt_domains - local_part_suffix = -comment - local_part_suffix_optional - transport = rt_pipe - -<% end -%> <% if enable_mailman == "true" then -%> # Mailman list handling. @@ -561,7 +522,10 @@ # Send all mail not destined for the local machine via a set of # mail relays ("smart hosts") - +smart_route: + driver = manualroute + transport = remote_smtp + route_list = * mchenry.wikimedia.org:lists.wikimedia.org <% end %> <% if enable_mail_relay != "false" then -%> @@ -576,13 +540,6 @@ cannot_route_message = Mailing list $local_part does not exist. <% elsif enable_mail_relay != "false" then -%> cannot_route_message = Address $local_part@$domain does not exist -<% end %> - -<% if !smart_route_list.empty? then -%> -smart_route: - driver = manualroute - transport = remote_smtp - route_list = * <%= smart_route_list.join(":") %> <% end %> ############## 
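Review bot: The `@@ -561` hunk adds a `smart_route` router with `route_list = * mchenry.wikimedia.org:lists.wikimedia.org` hard-coded, replacing the `smart_route_list` parameter removed in the `@@ -576` hunk; the `<% if` that gates the new router opens outside the hunk, so it is not visible which hosts receive it, and the same two relay names are also hard-coded in `files/exim/exim4.rt.conf`. Since `lists.wikimedia.org` is itself one of the listed relays and the lists host is configured through this template (`enable_mailman => "true"` in site.pp), please confirm that the gating condition excludes it, otherwise its non-local mail would be routed back to itself; a comment on the router naming that condition, e.g. `# only rendered when <CONDITION>: routes all non-local mail to the relays`, would make the intent checkable from the template alone.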
@@ -615,19 +572,6 @@ address_pipe: driver = pipe return_output - -<% if rt_relay == "true" then -%> -# RT transport -rt_pipe: - driver = pipe - command = /usr/bin/rt-mailgate --queue $local_part \ - --action "${if eq{$local_part_suffix}{-comment}{comment}{correspond}}" \ - --extension ticket --url http://rt.wikimedia.org - environment = $address_data - user = mail - group = mail - return_fail_output -<% end -%> <% if enable_mailman == "true" then -%> # Mailman pipe transport @@ -746,19 +690,6 @@ begin rewrite <% end %> - -<% if rt_relay == "true" then -%> -################# -# Rewrite rules # -################# - -begin rewrite - -# Rewrite RT -www-data@$primary_hostname [email protected] Fq - -<% end -%> - <% if enable_mailman == "true" then -%> \N^.*@(mail\.)?wiki[mp]edia\.org$\N "${if exists{MAILMAN_LISTS_HOME/lists/$local_part/config.pck}{[email protected]}fail}" ct <% end %> diff --git a/modules/exim/templates/exim4.default.erb b/templates/exim/exim4.default.erb similarity index 100% rename from modules/exim/templates/exim4.default.erb rename to templates/exim/exim4.default.erb diff --git a/modules/exim/templates/exim4.donate.erb b/templates/exim/exim4.donate.erb similarity index 100% rename from modules/exim/templates/exim4.donate.erb rename to templates/exim/exim4.donate.erb diff --git a/modules/exim/templates/exim4.minimal.erb b/templates/exim/exim4.minimal.erb similarity index 100% rename from modules/exim/templates/exim4.minimal.erb rename to templates/exim/exim4.minimal.erb 
diff --git a/modules/exim/templates/system_filter.conf.erb b/templates/exim/system_filter.conf.erb similarity index 100% rename from modules/exim/templates/system_filter.conf.erb rename to templates/exim/system_filter.conf.erb -- To view, visit https://gerrit.wikimedia.org/r/69263 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0faf4e101572ade8de8f808ba10ddf6c05b160eb Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
