--- Class[Exim4].orig
+++ Class[Exim4]
@@
- config => # This file is managed by puppet
##########
# Macros #
##########
CONFDIR=/etc/exim4
###############################
# Main configuration settings #
###############################
primary_hostname = mx-out-b.wmcloud.org
domainlist system_hostname = @
# relay_from_hosts - Hosts and networks (including local interface addresses) permitted to relay through this smarthost.
# Within puppet this is an array. The below reformats this into a semicolon ';' delimited list.
# The <; at the beginning tells exim to use ';' as the delimiter instead of the default ':' (which interferes with ipv6)
hostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ; 172.16.0.0/21 ; 172.16.128.0/24 ; 172.16.129.0/24 ; 172.16.130.0/24 ; 172.16.131.0/24 ; 172.16.16.0/21 ; 172.16.24.0/24 ; 172.16.8.0/21 ; 172.20.1.0/24 ; 172.20.2.0/24 ; 172.20.254.0/24 ; 172.20.255.0/24 ; 172.20.3.0/24 ; 172.20.4.0/24 ; 172.20.5.0/24 ; 185.15.56.0/25 ; 185.15.56.160/28 ; 185.15.57.0/29 ; 185.15.57.16/29 ; 185.15.57.24/29 ; 2a02:ec80:a000:100::/64 ; 2a02:ec80:a000:1::/64 ; 2a02:ec80:a000:201::/64 ; 2a02:ec80:a000:202::/64 ; 2a02:ec80:a000:203::/64 ; 2a02:ec80:a000:204::/64 ; 2a02:ec80:a000:2ff::/64 ; 2a02:ec80:a000:4000::/64 ; 2a02:ec80:a100:100::/64 ; 2a02:ec80:a100:1::/64 ; 2a02:ec80:a100:205::/64 ; 2a02:ec80:a100:2ff::/64 ; 2a02:ec80:a100:4000::/64
domainlist dkim_domains = wmcloud.org : wmflabs.org
# Administration
log_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn
message_logs = false
# Policy control
acl_smtp_rcpt = acl_check_rcpt
helo_try_verify_hosts = *
# Resource control
check_spool_space = 50M
smtp_reserve_hosts = <; +relay_from_hosts
smtp_accept_queue_per_connection = 500
deliver_queue_load_max = 800.0
queue_only_load = 100.0
remote_max_parallel = 500
smtp_connect_backlog = 128
smtp_receive_timeout = 1m
smtp_accept_max = 4000
smtp_accept_max_per_host = ${if match_ip{$sender_host_address}{+relay_from_hosts}{50}{5}}
smtp_accept_reserve = 100
# Lookups
host_lookup = *
rfc1413_hosts =
# Other
never_users = root : daemon : bin
ignore_bounce_errors_after = 0h
bounce_message_file = /etc/exim4/bounce_message_file
warn_message_file = /etc/exim4/warn_message_file
add_environment = <; PATH=/bin:/usr/bin
keep_environment =
# TLS
tls_certificate = /etc/acmecerts/mx/live/ec-prime256v1.chained.crt
tls_privatekey = /etc/acmecerts/mx/live/ec-prime256v1.key
tls_advertise_hosts = *
tls_require_ciphers = NORMAL:%SERVER_PRECEDENCE
disable_ipv6 = true
###############################
# Access Control Lists (ACLs) #
###############################
begin acl
acl_check_rcpt:
# Accept if the source is local SMTP (a pipe)
accept hosts = :
# Deny if the local part contains @, %, /, | or !, or starts with a dot
deny local_parts = ^.*[@%!/|] : ^\\.
deny hosts = +relay_from_hosts
sender_domains = !+dkim_domains
message = Mail sent from Cloud VPS using non-supported domain $sender_address_domain
# Accept relaying from hosts (and networks) permitted to use this smarthost
accept hosts = +relay_from_hosts
###########
# Routers #
###########
begin routers
# router for dkim domain wmcloud.org (wmcloud_org) (listed in dkim_domains)
dnslookup_wmcloud_org:
driver = dnslookup
domains = ! +system_hostname
condition = ${if match_domain{$sender_address_domain}{wmcloud.org} }
transport = remote_smtp_wmcloud_org
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16
cannot_route_message = Cannot route to remote domain $domain
# router for dkim domain wmflabs.org (wmflabs_org) (listed in dkim_domains)
dnslookup_wmflabs_org:
driver = dnslookup
domains = ! +system_hostname
condition = ${if match_domain{$sender_address_domain}{wmflabs.org} }
transport = remote_smtp_wmflabs_org
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16
cannot_route_message = Cannot route to remote domain $domain
# Route domains via DNS MX and A records
dnslookup_unsigned:
driver = dnslookup
domains = ! +system_hostname
transport = remote_smtp_unsigned
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16
cannot_route_message = Cannot route to remote domain $domain
no_more
# Use the system aliasfile /etc/aliases for system domains
system_aliases:
driver = redirect
domains = +system_hostname
data = ${lookup{$local_part}lsearch{/etc/aliases}}
pipe_transport = address_pipe
allow_fail
allow_defer
forbid_file
##############
# Transports #
##############
begin transports
# DKIM signature actually happens only for domains listed in dkim_domain
# and if key file exists on filesystem.
# dkim enabled smtp transport for domain wmcloud.org (wmcloud_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)
remote_smtp_wmcloud_org:
driver = smtp
dkim_domain = wmcloud.org
dkim_selector = wmcs : wmcs-rsa
dkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}
dkim_canon = relaxed
# dkim enabled smtp transport for domain wmflabs.org (wmflabs_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)
remote_smtp_wmflabs_org:
driver = smtp
dkim_domain = wmflabs.org
dkim_selector = wmcs : wmcs-rsa
dkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}
dkim_canon = relaxed
# Transport for unsigned (dkim) mail.
remote_smtp_unsigned:
driver = smtp
# Generic pipe local delivery transport (for use by alias/forward files)
address_pipe:
driver = pipe
return_output
###############
# Retry rules #
###############
begin retry
# retry deliveries to *@alert.victorops.com every minute for 2 hours
alert.victorops.com * F,2h,1m
* * senders=wiki@wikimedia.org F,1h,15m; G,8h,1h,1.5
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
#################
# Rewrite rules #
#################
begin rewrite
*@*.*.wmflabs root@wmcloud.org F
*@*.*.wikimedia.cloud root@wmcloud.org F
+ config => # This file is managed by puppet
##########
# Macros #
##########
CONFDIR=/etc/exim4
###############################
# Main configuration settings #
###############################
primary_hostname = mx-out-b.wmcloud.org
domainlist system_hostname = @
# relay_from_hosts - Hosts and networks (including local interface addresses) permitted to relay through this smarthost.
# Within puppet this is an array. The below reformats this into a semicolon ';' delimited list.
# The <; at the beginning tells exim to use ';' as the delimiter instead of the default ':' (which interferes with ipv6)
hostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ; 172.16.0.0/21 ; 172.16.128.0/24 ; 172.16.129.0/24 ; 172.16.130.0/24 ; 172.16.131.0/24 ; 172.16.16.0/21 ; 172.16.24.0/24 ; 172.16.8.0/21 ; 172.20.1.0/24 ; 172.20.2.0/24 ; 172.20.254.0/24 ; 172.20.255.0/24 ; 172.20.3.0/24 ; 172.20.4.0/24 ; 172.20.5.0/24 ; 185.15.56.0/25 ; 185.15.56.160/28 ; 185.15.57.0/29 ; 185.15.57.16/29 ; 185.15.57.24/29 ; 2a02:ec80:a000:100::/64 ; 2a02:ec80:a000:1::/64 ; 2a02:ec80:a000:201::/64 ; 2a02:ec80:a000:202::/64 ; 2a02:ec80:a000:203::/64 ; 2a02:ec80:a000:204::/64 ; 2a02:ec80:a000:2ff::/64 ; 2a02:ec80:a000:4000::/64 ; 2a02:ec80:a100:100::/64 ; 2a02:ec80:a100:1::/64 ; 2a02:ec80:a100:205::/64 ; 2a02:ec80:a100:2ff::/64 ; 2a02:ec80:a100:4000::/64
domainlist dkim_domains = wmcloud.org : wmflabs.org
# Administration
log_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn
message_logs = false
# Policy control
acl_smtp_rcpt = acl_check_rcpt
helo_try_verify_hosts = *
# Resource control
check_spool_space = 50M
smtp_reserve_hosts = <; +relay_from_hosts
smtp_accept_queue_per_connection = 500
deliver_queue_load_max = 800.0
queue_only_load = 100.0
remote_max_parallel = 500
smtp_connect_backlog = 128
smtp_receive_timeout = 1m
smtp_accept_max = 4000
smtp_accept_max_per_host = ${if match_ip{$sender_host_address}{+relay_from_hosts}{50}{5}}
smtp_accept_reserve = 100
# Lookups
host_lookup = *
rfc1413_hosts =
# Other
never_users = root : daemon : bin
ignore_bounce_errors_after = 0h
bounce_message_file = /etc/exim4/bounce_message_file
warn_message_file = /etc/exim4/warn_message_file
add_environment = <; PATH=/bin:/usr/bin
keep_environment =
# TLS
tls_certificate = /etc/acmecerts/mx/live/ec-prime256v1.chained.crt
tls_privatekey = /etc/acmecerts/mx/live/ec-prime256v1.key
tls_advertise_hosts = *
tls_require_ciphers = NORMAL:%SERVER_PRECEDENCE
disable_ipv6 = true
###############################
# Access Control Lists (ACLs) #
###############################
begin acl
acl_check_rcpt:
# Accept if the source is local SMTP (a pipe)
accept hosts = :
# Deny if the local part contains @, %, /, | or !, or starts with a dot
deny local_parts = ^.*[@%!/|] : ^\\.
deny hosts = +relay_from_hosts
sender_domains = !+dkim_domains
message = Mail sent from Cloud VPS using non-supported domain $sender_address_domain
# Accept relaying from hosts (and networks) permitted to use this smarthost
accept hosts = +relay_from_hosts
###########
# Routers #
###########
begin routers
# router for dkim domain wmcloud.org (wmcloud_org) (listed in dkim_domains)
dnslookup_wmcloud_org:
driver = dnslookup
domains = ! +system_hostname
condition = ${if match_domain{$sender_address_domain}{wmcloud.org} }
transport = remote_smtp_wmcloud_org
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16
cannot_route_message = Cannot route to remote domain $domain
# router for dkim domain wmflabs.org (wmflabs_org) (listed in dkim_domains)
dnslookup_wmflabs_org:
driver = dnslookup
domains = ! +system_hostname
condition = ${if match_domain{$sender_address_domain}{wmflabs.org} }
transport = remote_smtp_wmflabs_org
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16
cannot_route_message = Cannot route to remote domain $domain
# Route domains via DNS MX and A records
dnslookup_unsigned:
driver = dnslookup
domains = ! +system_hostname
transport = remote_smtp_unsigned
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16
cannot_route_message = Cannot route to remote domain $domain
no_more
# Use the system aliasfile /etc/aliases for system domains
system_aliases:
driver = redirect
domains = +system_hostname
data = ${lookup{$local_part}lsearch{/etc/aliases}}
pipe_transport = address_pipe
allow_fail
allow_defer
forbid_file
##############
# Transports #
##############
begin transports
# DKIM signature actually happens only for domains listed in dkim_domain
# and if key file exists on filesystem.
# dkim enabled smtp transport for domain wmcloud.org (wmcloud_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)
remote_smtp_wmcloud_org:
driver = smtp
dkim_domain = wmcloud.org
dkim_selector = wmcs : wmcs-rsa
dkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}
dkim_canon = relaxed
# dkim enabled smtp transport for domain wmflabs.org (wmflabs_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)
remote_smtp_wmflabs_org:
driver = smtp
dkim_domain = wmflabs.org
dkim_selector = wmcs : wmcs-rsa
dkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}
dkim_canon = relaxed
# Transport for unsigned (dkim) mail.
remote_smtp_unsigned:
driver = smtp
# Generic pipe local delivery transport (for use by alias/forward files)
address_pipe:
driver = pipe
return_output
###############
# Retry rules #
###############
begin retry
# retry deliveries to *@alert.victorops.com every minute for 2 hours
alert.victorops.com * F,2h,1m
* * senders=wiki@wikimedia.org F,1h,15m; G,8h,1h,1.5
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
#################
# Rewrite rules #
#################
begin rewrite
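Review bot: The new value ends at `begin rewrite` with no rules — the two flag-`F` envelope-sender rewrites of `*@*.*.wmflabs` and `*@*.*.wikimedia.cloud` to `root@wmcloud.org` from the old value are gone — while the RCPT ACL still carries `deny hosts = +relay_from_hosts` with `sender_domains = !+dkim_domains`. If Exim applied those rewrites before the ACL evaluated `$sender_address_domain`, mail from relay hosts with an instance-hostname sender under `.wmflabs` or `.wikimedia.cloud` was previously rewritten into a `dkim_domains` domain and relayed, and will now be rejected with the "non-supported domain" message; worth confirming that this behaviour change is intended rather than a side effect of dropping the `envelope_rewrite_rules` parameter on `Class[Profile::Mail::Smarthost]` below. `root_alias_rcpt` is dropped there too, and this report does not show where the `/etc/aliases` lookup used by the `system_aliases` router now gets its root entry. If the rewrite section is meant to stay empty, dropping the `# Rewrite rules #` banner and the `begin rewrite` header keeps the generated file from advertising a section it no longer uses.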
Class[Profile::Mail::Smarthost]
- Parameters differences:
--- Class[Profile::Mail::Smarthost].orig
+++ Class[Profile::Mail::Smarthost]
- dkim_domains => {'wmcloud_org': {'domain': 'wmcloud.org', 'selector': ['wmcs', 'wmcs-rsa']}, 'wmflabs_org': {'domain': 'wmflabs.org', 'selector': ['wmcs', 'wmcs-rsa']}}
- cert_name => mx
- exim_primary_hostname => mx-out-b.wmcloud.org
- support_ipv6 => False
- root_alias_rcpt => root@wmcloud.org
- relay_from_hosts => ['172.16.0.0/21', '172.16.128.0/24', '172.16.129.0/24', '172.16.130.0/24', '172.16.131.0/24', '172.16.16.0/21', '172.16.24.0/24', '172.16.8.0/21', '172.20.1.0/24', '172.20.2.0/24', '172.20.254.0/24', '172.20.255.0/24', '172.20.3.0/24', '172.20.4.0/24', '172.20.5.0/24', '185.15.56.0/25', '185.15.56.160/28', '185.15.57.0/29', '185.15.57.16/29', '185.15.57.24/29', '2a02:ec80:a000:100::/64', '2a02:ec80:a000:1::/64', '2a02:ec80:a000:201::/64', '2a02:ec80:a000:202::/64', '2a02:ec80:a000:203::/64', '2a02:ec80:a000:204::/64', '2a02:ec80:a000:2ff::/64', '2a02:ec80:a000:4000::/64', '2a02:ec80:a100:100::/64', '2a02:ec80:a100:1::/64', '2a02:ec80:a100:205::/64', '2a02:ec80:a100:2ff::/64', '2a02:ec80:a100:4000::/64']
- envelope_rewrite_rules => ['*@*.*.wmflabs root@wmcloud.org F', '*@*.*.wikimedia.cloud root@wmcloud.org F']
- File[/etc/exim4/exim4.conf]
- Content differences:
--- /etc/exim4/exim4.conf.orig
+++ /etc/exim4/exim4.conf
@@ -184,7 +184,3 @@
begin rewrite
-
-*@*.*.wmflabs root@wmcloud.org F
-*@*.*.wikimedia.cloud root@wmcloud.org F
-