Andrew Bogott has submitted this change and it was merged. Change subject: Refactor exim::rt to use the new exim template. ......................................................................
Refactor exim::rt to use the new exim template. Change-Id: If1fb27d94e34aa6fb62406c708b401c17c66a9a2 --- D files/exim/exim4.rt.conf M manifests/mail.pp M templates/exim/exim4.conf.SMTP_IMAP_MM.erb 3 files changed, 87 insertions(+), 227 deletions(-) Approvals: Andrew Bogott: Verified; Looks good to me, approved jenkins-bot: Verified
diff --git a/files/exim/exim4.rt.conf b/files/exim/exim4.rt.conf
deleted file mode 100644
index dd06e5e..0000000
--- a/files/exim/exim4.rt.conf
+++ /dev/null
@@ -1,209 +0,0 @@
-# Exim 4 configuration file for streber.wikimedia.org
-# Written on 2010-08-10 by Mark Bergsma <[email protected]>
-
-##########
-# Macros #
-##########
-
-CONFDIR=/etc/exim4
-
-###############################
-# Main configuration settings #
-###############################
-
-# Standard lists
-hostlist wikimedia_nets = <; 208.80.152.0/22 ; 91.198.174.0/24 ; 2620:0:860::/46 ; 10.0.0.0/16
-domainlist system_domains = @
-
-domainlist local_domains = +system_domains
-domainlist rt_domains = rt.wikimedia.org
-hostlist rt_mail_from_hosts = mchenry.wikimedia.org
-hostlist relay_from_hosts = <; @[]
-
-# Interfaces
-daemon_smtp_ports = smtp
-
-# Administration
-log_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn
-
-# Policy control
-acl_smtp_connect = acl_check_connect
-acl_smtp_rcpt = acl_check_rcpt
-
-helo_try_verify_hosts = *
-
-# Allow RT to use any sender address
-untrusted_set_sender = *
-local_from_check = false
-
-# Resource control
-check_spool_space = 50M
-deliver_queue_load_max = 75.0
-queue_only_load = 50.0
-smtp_accept_max = 100
-smtp_accept_max_per_host = 10
-smtp_reserve_hosts = <; 127.0.0.1 ; ::1 ; +wikimedia_nets
-smtp_accept_reserve = 20
-smtp_accept_queue_per_connection = 500
-remote_max_parallel = 25
-smtp_connect_backlog = 32
-
-# Lookups
-host_lookup = *
-rfc1413_hosts =
-rfc1413_query_timeout = 5s
-
-# Other
-never_users = root : daemon : bin
-ignore_bounce_errors_after = 0h
-
-###############################
-# Access Control Lists (ACLs) #
-###############################
-
-begin acl
-
-acl_check_connect:
- # We only accept mail from our own mail relays
- require message = This server does not accept external mail
- hosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets
-
- accept
-
-acl_check_rcpt:
-
- # Accept if the source is local SMTP (a pipe)
-
- accept hosts = :
-
- # Deny if the local part contains @, %, /, | or !, or starts with a dot
-
- deny local_parts = ^.*[@%!/|] : ^\\.
-
- # Accept relaying from networks we control. Note: no address verification
- # is done at this point, which is good for mail submission, but may render
- # recipient callout verification by affected hosts useless.
-
- accept hosts = +rt_mail_from_hosts : +relay_from_hosts
-
- # Require recipient domain to be local, or a domain we relay for
-
- require message = Relay not permitted
- domains = +local_domains
-
- # { recipient domain is under our administrative control }
-
- # Verify the recipient address for local domains, or require the
- # recipient domain to exist for remote domains
-
- require verify = recipient
-
- # Mail can be safely accepted here, but we may want to do more
- # rfc compliance checking and spam filtering.
-
- # Trust that the mail relay has done all checking
-
- accept
-
-
-###########
-# Routers #
-###########
-
-begin routers
-
-# Use the system aliasfile /etc/aliases for system domains
-
-system_aliases:
- driver = redirect
- domains = +system_domains
- data = ${lookup{$local_part}lsearch{/etc/aliases}}
- pipe_transport = address_pipe
- allow_fail
- allow_defer
- forbid_file
-
-# Mail destined for RT
-
-# This router checks whether the local part consists of solely digits,
-# and assumes this is the ticket number of an existing ticket if this is
-# the case. It rewrites the address to the general queue, and puts the
-# ticket nr in $address_data, where the rt_pipe transport can access it.
-
-rt_ticket:
- driver = redirect
- domains = +rt_domains
- local_part_suffix = -comment
- local_part_suffix_optional
- condition = ${if match{$local_part}{\N^\d+$\N}{yes}{no}}
- address_data = EXTENSION=$local_part
- data = general$local_part_suffix@$domain
- redirect_router = rt
- no_verify
-
-rt:
- driver = accept
- domains = +rt_domains
- local_part_suffix = -comment
- local_part_suffix_optional
- transport = rt_pipe
-
-
-# Send all mail not destined for the local machine via a set of
-# mail relays ("smart hosts")
-
-smart_route:
- driver = manualroute
- transport = remote_smtp
- route_list = * mchenry.wikimedia.org:lists.wikimedia.org
-
-##############
-# Transports #
-##############
-
-begin transports
-
-# Generic remote SMTP transport
-
-remote_smtp:
- driver = smtp
- hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0
-
-# Generic pipe local delivery transport (for use by alias/forward files)
-
-address_pipe:
- driver = pipe
- return_output
-
-# RT transport
-rt_pipe:
- driver = pipe
- command = /usr/bin/rt-mailgate --queue $local_part \
- --action "${if eq{$local_part_suffix}{-comment}{comment}{correspond}}" \
- --extension ticket --url http://rt.wikimedia.org
- environment = $address_data
- user = mail
- group = mail
- return_fail_output
-
-
-###############
-# Retry rules #
-###############
-
-begin retry
-
-* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
-
-#################
-# Rewrite rules #
-#################
-
-begin rewrite
-
-# Rewrite RT
-www-data@$primary_hostname [email protected] Fq
-
-# Rewrite the envelope From for mails from internal servers in *.wmnet,
-# as they are usually rejected by sender domain address verification.
-*@$primary_hostname [email protected] F
diff --git a/manifests/mail.pp b/manifests/mail.pp
index e015e4a..7eb69f4 100644
--- a/manifests/mail.pp
+++ b/manifests/mail.pp
@@ -89,19 +89,16 @@
 }
 class rt {
- class { "exim::config": queuerunner => "combined" }
- Class["exim::config"] -> Class[exim::rt]
-
- file {
- "/etc/exim4/exim4.conf":
- require => Package[exim4-config],
- owner => root,
- group => root,
- mode => 0444,
- source => "puppet:///files/exim/exim4.rt.conf";
- }
-
- include exim::service
+ class { exim::roled:
+ local_domains => [ "+system_domains", "+rt_domains" ],
+ enable_mail_relay => "false",
+ enable_external_mail => "true",
+ smart_route_list => [ "mchenry.wikimedia.org", "lists.wikimedia.org" ],
+ enable_mailman => "false",
+ rt_relay => "true",
+ enable_mail_submission => "false",
+ enable_spamassassin => "false"
+ }
 }
 class smtp {
@@ -141,7 +138,10 @@
 $enable_mailman="false",
 $enable_imap_delivery="false",
 $enable_mail_submission="false",
+ $enable_external_mail="false",
+ $smart_route_list=[],
 $mediawiki_relay="false",
+ $rt_relay="false",
 $enable_spamassassin="false",
 $outbound_ips=[ $ipaddress ],
 $hold_domains=[] ) {
diff --git a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb
index c3757ac..8b39f13 100644
--- a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb
+++ b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb
@@ -40,7 +40,7 @@
 <% if enable_mail_relay == "secondary" then -%>
 domainlist secondary_domains = @mx_secondary/ignore=127.0.0.1
 <% end -%>
-<%if enable_mail_relay != "false"%>
+<% if enable_mail_relay != "false" %>
 domainlist relay_domains = lsearch;CONFDIR/relay_domains
 <% end -%>
@@ -76,6 +76,12 @@
 <% if enable_mail_relay != "false" then -%>
 helo_try_verify_hosts = *
+<% end -%>
+
+<% if rt_relay == "true" then -%>
+# Allow RT to use any sender address
+untrusted_set_sender = *
+local_from_check = false
 <% end -%>
 system_filter = CONFDIR/system_filter
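Review bot: `enable_external_mail => "true"` in the new `exim::roled` declaration reads as if it opens the host to external mail, but the template block it switches on (the `enable_external_mail == "true"` hunk in exim4.conf.SMTP_IMAP_MM.erb) emits `require message = This server does not accept external mail` with `hosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets`, i.e. it rejects external mail. A maintainer who later sets it to "false" to tighten a host will remove the restriction instead, and the default `$enable_external_mail="false"` in the following mail.pp hunk means the restriction is off unless a role asks for it explicitly. Either rename the parameter to say what it does (for example `restrict_to_internal_hosts`, keeping the old name accepted until callers are migrated) or document it at its declaration: `# "true" REJECTS mail from hosts outside wikimedia_nets/loopback; the name is historical`. The explicit root:root/0444 file resource and the `Class["exim::config"] -> Class[exim::rt]` ordering removed here are now delegated to exim::roled, which is outside this diff and should be checked for the same guarantees.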
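Review bot: `untrusted_set_sender = *` together with `local_from_check = false` inside the `rt_relay == "true"` block lets every untrusted local account on the host, not only the RT process, submit mail with an arbitrary envelope sender and an unchecked From: header. The comment `# Allow RT to use any sender address` describes a narrower intent than the option implements; if RT only sends as addresses in its own domain, the address list could be narrowed to that domain, e.g. `untrusted_set_sender = *@rt.wikimedia.org`, and the comment should name the local user RT submits as so the scope stays auditable. This is carried over from exim4.rt.conf unchanged, so the broad grant predates this commit, but it is now enabled by any role that sets rt_relay.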
@@ -219,6 +225,11 @@
 ! hosts = +wikimedia_nets
 <% end -%>
+<% if enable_external_mail == "true" then -%>
+ # We only accept mail from our own mail relays
+ require message = This server does not accept external mail
+ hosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets
+<% end -%>
 accept
 acl_check_data:
@@ -305,6 +316,34 @@
 allow_fail
 allow_defer
 forbid_file
+
+<% if rt_relay == "true" then -%>
+# Mail destined for RT
+
+# This router checks whether the local part consists of solely digits,
+# and assumes this is the ticket number of an existing ticket if this is
+# the case. It rewrites the address to the general queue, and puts the
+# ticket nr in $address_data, where the rt_pipe transport can access it.
+
+rt_ticket:
+ driver = redirect
+ domains = +rt_domains
+ local_part_suffix = -comment
+ local_part_suffix_optional
+ condition = ${if match{$local_part}{\N^\d+$\N}{yes}{no}}
+ address_data = EXTENSION=$local_part
+ data = general$local_part_suffix@$domain
+ redirect_router = rt
+ no_verify
+
+rt:
+ driver = accept
+ domains = +rt_domains
+ local_part_suffix = -comment
+ local_part_suffix_optional
+ transport = rt_pipe
+
+<% end -%>
 <% if enable_mailman == "true" then -%>
 # Mailman list handling.
@@ -522,10 +561,7 @@
 # Send all mail not destined for the local machine via a set of
 # mail relays ("smart hosts")
-smart_route:
- driver = manualroute
- transport = remote_smtp
- route_list = * mchenry.wikimedia.org:lists.wikimedia.org
+
 <% end %>
 <% if enable_mail_relay != "false" then -%>
@@ -540,6 +576,13 @@
 cannot_route_message = Mailing list $local_part does not exist.
 <% elsif enable_mail_relay != "false" then -%>
 cannot_route_message = Address $local_part@$domain does not exist
+<% end %>
+
+<% if !smart_route_list.empty? then -%>
+smart_route:
+ driver = manualroute
+ transport = remote_smtp
+ route_list = * <%= smart_route_list.join(":") %>
 <% end %>
 ##############
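Review bot: The `require ... hosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets` check is inserted just before the final `accept` of an ACL whose name is outside this hunk; in the deleted exim4.rt.conf the same check lived in `acl_check_connect`, where it ran before any other verb. The ACL here ends immediately before `acl_check_data:`, which suggests a recipient-time ACL, and any `accept` verb earlier in it (the context line `! hosts = +wikimedia_nets` hints that host-conditional verbs sit above) would be evaluated first and let an external connection through without ever reaching this check. This needs confirming against the full template; if the intent is a connect-time block, the condition belongs in the connect ACL, and otherwise a comment such as `# Only reached if no earlier verb in this ACL accepted the recipient` should make the ordering explicit.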
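Review bot: Both `rt_ticket` and `rt` use `domains = +rt_domains`, yet this diff defines no `domainlist rt_domains`; the deleted exim4.rt.conf carried `domainlist rt_domains = rt.wikimedia.org` and nothing in the hunks shown replaces it. Unless the template already declares that list outside these hunks, I would expect Exim to reject the configuration at startup for an undefined named list, and the `local_domains => [ "+system_domains", "+rt_domains" ]` passed from mail.pp has the same dependency. The old `hostlist rt_mail_from_hosts = mchenry.wikimedia.org`, which `acl_check_rcpt` used to accept relaying from the RT mail source, is likewise absent here. A one-line comment above `rt_ticket:`, `# requires domainlist rt_domains (and the RT host list) from the main section`, would make the coupling visible to whoever reuses the flag.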
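Review bot: The comment pair `# Send all mail not destined for the local machine via a set of` / `# mail relays ("smart hosts")` stays at the old location while the `smart_route` router it describes moves to the `!smart_route_list.empty?` block in the `@@ -540,6 +576,13 @@` hunk, so the comment now heads the blank line this hunk adds and describes nothing. Move the two comment lines along with the router and drop them here. The `<% end %>` that follows belongs to a block opened outside this hunk.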
@@ -572,6 +615,19 @@
 address_pipe:
 driver = pipe
 return_output
+
+<% if rt_relay == "true" then -%>
+# RT transport
+rt_pipe:
+ driver = pipe
+ command = /usr/bin/rt-mailgate --queue $local_part \
+ --action "${if eq{$local_part_suffix}{-comment}{comment}{correspond}}" \
+ --extension ticket --url http://rt.wikimedia.org
+ environment = $address_data
+ user = mail
+ group = mail
+ return_fail_output
+<% end -%>
 <% if enable_mailman == "true" then -%>
 # Mailman pipe transport
@@ -690,6 +746,19 @@
 begin rewrite
 <% end %>
+
+<% if rt_relay == "true" then -%>
+#################
+# Rewrite rules #
+#################
+
+begin rewrite
+
+# Rewrite RT
+www-data@$primary_hostname [email protected] Fq
+
+<% end -%>
+
 <% if enable_mailman == "true" then -%>
 \N^.*@(mail\.)?wiki[mp]edia\.org$\N "${if exists{MAILMAN_LISTS_HOME/lists/$local_part/config.pck}{[email protected]}fail}" ct
 <% end %>
-- To view, visit https://gerrit.wikimedia.org/r/69264 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: If1fb27d94e34aa6fb62406c708b401c17c66a9a2 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <[email protected]> Gerrit-Reviewer: Andrew Bogott <[email protected]> Gerrit-Reviewer: jenkins-bot _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
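Review bot: `rt_pipe` hands every message to `rt-mailgate ... --url http://rt.wikimedia.org`, so ticket mail is posted to the RT web endpoint in cleartext; the deleted file was written for streber.wikimedia.org, but nothing in this diff shows whether the template now runs on the RT host itself, and if it does not, message contents cross the network unencrypted and `https://` should be used. That URL and the `general` queue name in `rt_ticket` are the only RT-specific literals left in a template otherwise driven by parameters, so they are natural candidates for `rt_url`/`rt_queue` template variables. Until then a comment above the transport, `# TODO: parameterise --url; plain http is only acceptable while RT is local to this host`, would record the decision.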
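Review bot: The new `rt_relay == "true"` block emits its own `begin rewrite` directly after a context `begin rewrite` / `<% end %>` pair belonging to a block that starts outside this hunk, so a role enabling both conditions renders two `begin rewrite` section headers; I would expect Exim to reject a repeated section, so this should be checked before `rt_relay` is combined with whatever opens the preceding block. The mailman rule that follows would also land under whichever header happened to be emitted. Emitting the header once, with each role's rules conditional beneath it, avoids both problems: keep the existing header and reduce the RT block to `<% if rt_relay == "true" then -%>` / the `www-data@$primary_hostname ... Fq` rule / `<% end -%>`.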
