{"host": "mx-out06.cloudinfra.eqiad1.wikimedia.cloud", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 1056, "only_in_self": ["Class[Profile::Mail::Smarthost]"], "only_in_other": [], "resource_diffs": [{"resource": "Class[Profile::Mail::Smarthost::Wmcs]", "parameters": "--- Class[Profile::Mail::Smarthost::Wmcs].orig\n+++ Class[Profile::Mail::Smarthost::Wmcs]\n\n+    dkim_domains           => {'wmcloud_org': {'domain': 'wmcloud.org', 'selector': ['wmcs', 'wmcs-rsa']}, 'wmflabs_org': {'domain': 'wmflabs.org', 'selector': ['wmcs', 'wmcs-rsa']}}\n+    cert_name              => mx\n+    exim_primary_hostname  => mx-out-b.wmcloud.org\n+    support_ipv6           => False\n+    envelope_rewrite_rules => []\n"}, {"resource": "Class[Exim4]", "parameters": "--- Class[Exim4].orig\n+++ Class[Exim4]\n\n@@\n-    config => # This file is managed by puppet\n\n##########\n# Macros #\n##########\n\nCONFDIR=/etc/exim4\n\n###############################\n# Main configuration settings #\n###############################\n\nprimary_hostname = mx-out-b.wmcloud.org\n\ndomainlist system_hostname = @\n\n# relay_from_hosts - Hosts and networks (including local interface addresses) permitted to relay through this smarthost.\n# Within puppet this is an array. The below reformats this into a semicolon ';' delimited list.\n# The <; at the beginning tells exim to use ';' as the delimiter instead of the default ':' (which interferes with ipv6)\nhostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ; 172.16.0.0/21 ; 172.16.128.0/24 ; 172.16.129.0/24 ; 172.16.130.0/24 ; 172.16.131.0/24 ; 172.16.16.0/21 ; 172.16.24.0/24 ; 172.16.8.0/21 ; 172.20.1.0/24 ; 172.20.2.0/24 ; 172.20.254.0/24 ; 172.20.255.0/24 ; 172.20.3.0/24 ; 172.20.4.0/24 ; 172.20.5.0/24 ; 185.15.56.0/25 ; 185.15.56.160/28 ; 185.15.57.0/29 ; 185.15.57.16/29 ; 185.15.57.24/29 ; 2a02:ec80:a000:100::/64 ; 2a02:ec80:a000:1::/64 ; 2a02:ec80:a000:201::/64 ; 2a02:ec80:a000:202::/64 ; 2a02:ec80:a000:203::/64 ; 2a02:ec80:a000:204::/64 ; 2a02:ec80:a000:2ff::/64 ; 2a02:ec80:a000:4000::/64 ; 2a02:ec80:a100:100::/64 ; 2a02:ec80:a100:1::/64 ; 2a02:ec80:a100:205::/64 ; 2a02:ec80:a100:2ff::/64 ; 2a02:ec80:a100:4000::/64\n\ndomainlist dkim_domains = wmcloud.org : wmflabs.org\n\n# Administration\nlog_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn\nmessage_logs = false\n\n# Policy control\nacl_smtp_rcpt = acl_check_rcpt\n\nhelo_try_verify_hosts = *\n\n# Resource control\ncheck_spool_space = 50M\nsmtp_reserve_hosts = <; +relay_from_hosts\nsmtp_accept_queue_per_connection = 500\n\ndeliver_queue_load_max = 800.0\nqueue_only_load = 100.0\nremote_max_parallel = 500\n\nsmtp_connect_backlog = 128\nsmtp_receive_timeout = 1m\nsmtp_accept_max = 4000\nsmtp_accept_max_per_host = ${if match_ip{$sender_host_address}{+relay_from_hosts}{50}{5}}\nsmtp_accept_reserve = 100\n\n# Lookups\nhost_lookup = *\nrfc1413_hosts =\n\n# Other\nnever_users = root : daemon : bin\nignore_bounce_errors_after = 0h\nbounce_message_file = /etc/exim4/bounce_message_file\nwarn_message_file = /etc/exim4/warn_message_file\n\nadd_environment = <; PATH=/bin:/usr/bin\nkeep_environment =\n\n# TLS\ntls_certificate = /etc/acmecerts/mx/live/ec-prime256v1.chained.crt\ntls_privatekey = /etc/acmecerts/mx/live/ec-prime256v1.key\ntls_advertise_hosts = *\ntls_require_ciphers = NORMAL:%SERVER_PRECEDENCE\n\ndisable_ipv6 = true\n\n###############################\n# Access Control Lists (ACLs) #\n###############################\n\nbegin acl\n\nacl_check_rcpt:\n\n\t# Accept if the source is local SMTP (a pipe)\n\taccept hosts = :\n\n\t# Deny if the local part contains @, %, /, | or !, or starts with a dot\n\tdeny local_parts = ^.*[@%!/|] : ^\\\\.\n\n\tdeny hosts          = +relay_from_hosts\n\t     sender_domains = !+dkim_domains\n\t     message        = Mail sent from Cloud VPS using non-supported domain $sender_address_domain\n\n\t# Accept relaying from hosts (and networks) permitted to use this smarthost\n\taccept hosts = +relay_from_hosts\n\n###########\n# Routers #\n###########\n\nbegin routers\n\n# router for dkim domain wmcloud.org (wmcloud_org) (listed in dkim_domains)\ndnslookup_wmcloud_org:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\tcondition = ${if match_domain{$sender_address_domain}{wmcloud.org} }\n\ttransport = remote_smtp_wmcloud_org\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\n# router for dkim domain wmflabs.org (wmflabs_org) (listed in dkim_domains)\ndnslookup_wmflabs_org:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\tcondition = ${if match_domain{$sender_address_domain}{wmflabs.org} }\n\ttransport = remote_smtp_wmflabs_org\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\n\n# Route domains via DNS MX and A records\ndnslookup_unsigned:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\ttransport = remote_smtp_unsigned\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\tno_more\n\n# Use the system aliasfile /etc/aliases for system domains\nsystem_aliases:\n\tdriver = redirect\n\tdomains = +system_hostname\n\tdata = ${lookup{$local_part}lsearch{/etc/aliases}}\n\tpipe_transport = address_pipe\n\tallow_fail\n\tallow_defer\n\tforbid_file\n\n##############\n# Transports #\n##############\n\nbegin transports\n\n# DKIM signature actually happens only for domains listed in dkim_domain\n# and if key file exists on filesystem.\n\n# dkim enabled smtp transport for domain wmcloud.org (wmcloud_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)\nremote_smtp_wmcloud_org:\n\tdriver = smtp\n\tdkim_domain = wmcloud.org\n\tdkim_selector = wmcs : wmcs-rsa\n\tdkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}\n\tdkim_canon = relaxed\n\n# dkim enabled smtp transport for domain wmflabs.org (wmflabs_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)\nremote_smtp_wmflabs_org:\n\tdriver = smtp\n\tdkim_domain = wmflabs.org\n\tdkim_selector = wmcs : wmcs-rsa\n\tdkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}\n\tdkim_canon = relaxed\n\n\n# Transport for unsigned (dkim) mail.\nremote_smtp_unsigned:\n\tdriver = smtp\n\n# Generic pipe local delivery transport (for use by alias/forward files)\n\naddress_pipe:\n\tdriver = pipe\n\treturn_output\n\n###############\n# Retry rules #\n###############\n\nbegin retry\n\n# retry deliveries to *@alert.victorops.com every minute for 2 hours\nalert.victorops.com\t*\tF,2h,1m\n*\t\t\t*\tsenders=wiki@wikimedia.org\tF,1h,15m; G,8h,1h,1.5\n*\t\t\t*\tF,2h,15m; G,16h,1h,1.5; F,4d,6h\n\n#################\n# Rewrite rules #\n#################\n\nbegin rewrite\n\n\n*@*.*.wmflabs  root@wmcloud.org  F\n*@*.*.wikimedia.cloud  root@wmcloud.org  F\n\n\n+    config => # This file is managed by puppet\n\n##########\n# Macros #\n##########\n\nCONFDIR=/etc/exim4\n\n###############################\n# Main configuration settings #\n###############################\n\nprimary_hostname = mx-out-b.wmcloud.org\n\ndomainlist system_hostname = @\n\n# relay_from_hosts - Hosts and networks (including local interface addresses) permitted to relay through this smarthost.\n# Within puppet this is an array. The below reformats this into a semicolon ';' delimited list.\n# The <; at the beginning tells exim to use ';' as the delimiter instead of the default ':' (which interferes with ipv6)\nhostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ; 172.16.0.0/21 ; 172.16.128.0/24 ; 172.16.129.0/24 ; 172.16.130.0/24 ; 172.16.131.0/24 ; 172.16.16.0/21 ; 172.16.24.0/24 ; 172.16.8.0/21 ; 172.20.1.0/24 ; 172.20.2.0/24 ; 172.20.254.0/24 ; 172.20.255.0/24 ; 172.20.3.0/24 ; 172.20.4.0/24 ; 172.20.5.0/24 ; 185.15.56.0/25 ; 185.15.56.160/28 ; 185.15.57.0/29 ; 185.15.57.16/29 ; 185.15.57.24/29 ; 2a02:ec80:a000:100::/64 ; 2a02:ec80:a000:1::/64 ; 2a02:ec80:a000:201::/64 ; 2a02:ec80:a000:202::/64 ; 2a02:ec80:a000:203::/64 ; 2a02:ec80:a000:204::/64 ; 2a02:ec80:a000:2ff::/64 ; 2a02:ec80:a000:4000::/64 ; 2a02:ec80:a100:100::/64 ; 2a02:ec80:a100:1::/64 ; 2a02:ec80:a100:205::/64 ; 2a02:ec80:a100:2ff::/64 ; 2a02:ec80:a100:4000::/64\n\ndomainlist dkim_domains = wmcloud.org : wmflabs.org\n\n# Administration\nlog_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn\nmessage_logs = false\n\n# Policy control\nacl_smtp_rcpt = acl_check_rcpt\n\nhelo_try_verify_hosts = *\n\n# Resource control\ncheck_spool_space = 50M\nsmtp_reserve_hosts = <; +relay_from_hosts\nsmtp_accept_queue_per_connection = 500\n\ndeliver_queue_load_max = 800.0\nqueue_only_load = 100.0\nremote_max_parallel = 500\n\nsmtp_connect_backlog = 128\nsmtp_receive_timeout = 1m\nsmtp_accept_max = 4000\nsmtp_accept_max_per_host = ${if match_ip{$sender_host_address}{+relay_from_hosts}{50}{5}}\nsmtp_accept_reserve = 100\n\n# Lookups\nhost_lookup = *\nrfc1413_hosts =\n\n# Other\nnever_users = root : daemon : bin\nignore_bounce_errors_after = 0h\nbounce_message_file = /etc/exim4/bounce_message_file\nwarn_message_file = /etc/exim4/warn_message_file\n\nadd_environment = <; PATH=/bin:/usr/bin\nkeep_environment =\n\n# TLS\ntls_certificate = /etc/acmecerts/mx/live/ec-prime256v1.chained.crt\ntls_privatekey = /etc/acmecerts/mx/live/ec-prime256v1.key\ntls_advertise_hosts = *\ntls_require_ciphers = NORMAL:%SERVER_PRECEDENCE\n\ndisable_ipv6 = true\n\n###############################\n# Access Control Lists (ACLs) #\n###############################\n\nbegin acl\n\nacl_check_rcpt:\n\n\t# Accept if the source is local SMTP (a pipe)\n\taccept hosts = :\n\n\t# Deny if the local part contains @, %, /, | or !, or starts with a dot\n\tdeny local_parts = ^.*[@%!/|] : ^\\\\.\n\n\tdeny hosts          = +relay_from_hosts\n\t     sender_domains = !+dkim_domains\n\t     message        = Mail sent from Cloud VPS using non-supported domain $sender_address_domain\n\n\t# Accept relaying from hosts (and networks) permitted to use this smarthost\n\taccept hosts = +relay_from_hosts\n\n###########\n# Routers #\n###########\n\nbegin routers\n\n# router for dkim domain wmcloud.org (wmcloud_org) (listed in dkim_domains)\ndnslookup_wmcloud_org:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\tcondition = ${if match_domain{$sender_address_domain}{wmcloud.org} }\n\ttransport = remote_smtp_wmcloud_org\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\n# router for dkim domain wmflabs.org (wmflabs_org) (listed in dkim_domains)\ndnslookup_wmflabs_org:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\tcondition = ${if match_domain{$sender_address_domain}{wmflabs.org} }\n\ttransport = remote_smtp_wmflabs_org\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\n\n# Route domains via DNS MX and A records\ndnslookup_unsigned:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\ttransport = remote_smtp_unsigned\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\tno_more\n\n# Use the system aliasfile /etc/aliases for system domains\nsystem_aliases:\n\tdriver = redirect\n\tdomains = +system_hostname\n\tdata = ${lookup{$local_part}lsearch{/etc/aliases}}\n\tpipe_transport = address_pipe\n\tallow_fail\n\tallow_defer\n\tforbid_file\n\n##############\n# Transports #\n##############\n\nbegin transports\n\n# DKIM signature actually happens only for domains listed in dkim_domain\n# and if key file exists on filesystem.\n\n# dkim enabled smtp transport for domain wmcloud.org (wmcloud_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)\nremote_smtp_wmcloud_org:\n\tdriver = smtp\n\tdkim_domain = wmcloud.org\n\tdkim_selector = wmcs : wmcs-rsa\n\tdkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}\n\tdkim_canon = relaxed\n\n# dkim enabled smtp transport for domain wmflabs.org (wmflabs_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)\nremote_smtp_wmflabs_org:\n\tdriver = smtp\n\tdkim_domain = wmflabs.org\n\tdkim_selector = wmcs : wmcs-rsa\n\tdkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}\n\tdkim_canon = relaxed\n\n\n# Transport for unsigned (dkim) mail.\nremote_smtp_unsigned:\n\tdriver = smtp\n\n# Generic pipe local delivery transport (for use by alias/forward files)\n\naddress_pipe:\n\tdriver = pipe\n\treturn_output\n\n###############\n# Retry rules #\n###############\n\nbegin retry\n\n# retry deliveries to *@alert.victorops.com every minute for 2 hours\nalert.victorops.com\t*\tF,2h,1m\n*\t\t\t*\tsenders=wiki@wikimedia.org\tF,1h,15m; G,8h,1h,1.5\n*\t\t\t*\tF,2h,15m; G,16h,1h,1.5; F,4d,6h\n\n#################\n# Rewrite rules #\n#################\n\nbegin rewrite\n\n\n"}, {"resource": "Class[Profile::Mail::Smarthost]", "parameters": "--- Class[Profile::Mail::Smarthost].orig\n+++ Class[Profile::Mail::Smarthost]\n\n-    dkim_domains           => {'wmcloud_org': {'domain': 'wmcloud.org', 'selector': ['wmcs', 'wmcs-rsa']}, 'wmflabs_org': {'domain': 'wmflabs.org', 'selector': ['wmcs', 'wmcs-rsa']}}\n-    cert_name              => mx\n-    exim_primary_hostname  => mx-out-b.wmcloud.org\n-    support_ipv6           => False\n-    root_alias_rcpt        => root@wmcloud.org\n-    relay_from_hosts       => ['172.16.0.0/21', '172.16.128.0/24', '172.16.129.0/24', '172.16.130.0/24', '172.16.131.0/24', '172.16.16.0/21', '172.16.24.0/24', '172.16.8.0/21', '172.20.1.0/24', '172.20.2.0/24', '172.20.254.0/24', '172.20.255.0/24', '172.20.3.0/24', '172.20.4.0/24', '172.20.5.0/24', '185.15.56.0/25', '185.15.56.160/28', '185.15.57.0/29', '185.15.57.16/29', '185.15.57.24/29', '2a02:ec80:a000:100::/64', '2a02:ec80:a000:1::/64', '2a02:ec80:a000:201::/64', '2a02:ec80:a000:202::/64', '2a02:ec80:a000:203::/64', '2a02:ec80:a000:204::/64', '2a02:ec80:a000:2ff::/64', '2a02:ec80:a000:4000::/64', '2a02:ec80:a100:100::/64', '2a02:ec80:a100:1::/64', '2a02:ec80:a100:205::/64', '2a02:ec80:a100:2ff::/64', '2a02:ec80:a100:4000::/64']\n-    envelope_rewrite_rules => ['*@*.*.wmflabs  root@wmcloud.org  F', '*@*.*.wikimedia.cloud  root@wmcloud.org  F']\n"}, {"resource": "File[/etc/exim4/exim4.conf]", "content": "--- /etc/exim4/exim4.conf.orig\n+++ /etc/exim4/exim4.conf\n@@ -184,7 +184,3 @@\n \n begin rewrite\n \n-\n-*@*.*.wmflabs  root@wmcloud.org  F\n-*@*.*.wikimedia.cloud  root@wmcloud.org  F\n-"}], "perc_changed": "0.47%"}, "core": {"total": 1056, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/exim4/exim4.conf]", "content": "--- /etc/exim4/exim4.conf.orig\n+++ /etc/exim4/exim4.conf\n@@ -184,7 +184,3 @@\n \n begin rewrite\n \n-\n-*@*.*.wmflabs  root@wmcloud.org  F\n-*@*.*.wikimedia.cloud  root@wmcloud.org  F\n-"}], "perc_changed": "0.09%"}, "main": {"total": 1056, "only_in_self": ["Class[Profile::Mail::Smarthost]"], "only_in_other": [], "resource_diffs": [{"resource": "Class[Profile::Mail::Smarthost::Wmcs]", "parameters": "--- Class[Profile::Mail::Smarthost::Wmcs].orig\n+++ Class[Profile::Mail::Smarthost::Wmcs]\n\n+    dkim_domains           => {'wmcloud_org': {'domain': 'wmcloud.org', 'selector': ['wmcs', 'wmcs-rsa']}, 'wmflabs_org': {'domain': 'wmflabs.org', 'selector': ['wmcs', 'wmcs-rsa']}}\n+    cert_name              => mx\n+    exim_primary_hostname  => mx-out-b.wmcloud.org\n+    support_ipv6           => False\n+    envelope_rewrite_rules => []\n"}, {"resource": "Class[Exim4]", "parameters": "--- Class[Exim4].orig\n+++ Class[Exim4]\n\n@@\n-    config => # This file is managed by puppet\n\n##########\n# Macros #\n##########\n\nCONFDIR=/etc/exim4\n\n###############################\n# Main configuration settings #\n###############################\n\nprimary_hostname = mx-out-b.wmcloud.org\n\ndomainlist system_hostname = @\n\n# relay_from_hosts - Hosts and networks (including local interface addresses) permitted to relay through this smarthost.\n# Within puppet this is an array. The below reformats this into a semicolon ';' delimited list.\n# The <; at the beginning tells exim to use ';' as the delimiter instead of the default ':' (which interferes with ipv6)\nhostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ; 172.16.0.0/21 ; 172.16.128.0/24 ; 172.16.129.0/24 ; 172.16.130.0/24 ; 172.16.131.0/24 ; 172.16.16.0/21 ; 172.16.24.0/24 ; 172.16.8.0/21 ; 172.20.1.0/24 ; 172.20.2.0/24 ; 172.20.254.0/24 ; 172.20.255.0/24 ; 172.20.3.0/24 ; 172.20.4.0/24 ; 172.20.5.0/24 ; 185.15.56.0/25 ; 185.15.56.160/28 ; 185.15.57.0/29 ; 185.15.57.16/29 ; 185.15.57.24/29 ; 2a02:ec80:a000:100::/64 ; 2a02:ec80:a000:1::/64 ; 2a02:ec80:a000:201::/64 ; 2a02:ec80:a000:202::/64 ; 2a02:ec80:a000:203::/64 ; 2a02:ec80:a000:204::/64 ; 2a02:ec80:a000:2ff::/64 ; 2a02:ec80:a000:4000::/64 ; 2a02:ec80:a100:100::/64 ; 2a02:ec80:a100:1::/64 ; 2a02:ec80:a100:205::/64 ; 2a02:ec80:a100:2ff::/64 ; 2a02:ec80:a100:4000::/64\n\ndomainlist dkim_domains = wmcloud.org : wmflabs.org\n\n# Administration\nlog_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn\nmessage_logs = false\n\n# Policy control\nacl_smtp_rcpt = acl_check_rcpt\n\nhelo_try_verify_hosts = *\n\n# Resource control\ncheck_spool_space = 50M\nsmtp_reserve_hosts = <; +relay_from_hosts\nsmtp_accept_queue_per_connection = 500\n\ndeliver_queue_load_max = 800.0\nqueue_only_load = 100.0\nremote_max_parallel = 500\n\nsmtp_connect_backlog = 128\nsmtp_receive_timeout = 1m\nsmtp_accept_max = 4000\nsmtp_accept_max_per_host = ${if match_ip{$sender_host_address}{+relay_from_hosts}{50}{5}}\nsmtp_accept_reserve = 100\n\n# Lookups\nhost_lookup = *\nrfc1413_hosts =\n\n# Other\nnever_users = root : daemon : bin\nignore_bounce_errors_after = 0h\nbounce_message_file = /etc/exim4/bounce_message_file\nwarn_message_file = /etc/exim4/warn_message_file\n\nadd_environment = <; PATH=/bin:/usr/bin\nkeep_environment =\n\n# TLS\ntls_certificate = /etc/acmecerts/mx/live/ec-prime256v1.chained.crt\ntls_privatekey = /etc/acmecerts/mx/live/ec-prime256v1.key\ntls_advertise_hosts = *\ntls_require_ciphers = NORMAL:%SERVER_PRECEDENCE\n\ndisable_ipv6 = true\n\n###############################\n# Access Control Lists (ACLs) #\n###############################\n\nbegin acl\n\nacl_check_rcpt:\n\n\t# Accept if the source is local SMTP (a pipe)\n\taccept hosts = :\n\n\t# Deny if the local part contains @, %, /, | or !, or starts with a dot\n\tdeny local_parts = ^.*[@%!/|] : ^\\\\.\n\n\tdeny hosts          = +relay_from_hosts\n\t     sender_domains = !+dkim_domains\n\t     message        = Mail sent from Cloud VPS using non-supported domain $sender_address_domain\n\n\t# Accept relaying from hosts (and networks) permitted to use this smarthost\n\taccept hosts = +relay_from_hosts\n\n###########\n# Routers #\n###########\n\nbegin routers\n\n# router for dkim domain wmcloud.org (wmcloud_org) (listed in dkim_domains)\ndnslookup_wmcloud_org:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\tcondition = ${if match_domain{$sender_address_domain}{wmcloud.org} }\n\ttransport = remote_smtp_wmcloud_org\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\n# router for dkim domain wmflabs.org (wmflabs_org) (listed in dkim_domains)\ndnslookup_wmflabs_org:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\tcondition = ${if match_domain{$sender_address_domain}{wmflabs.org} }\n\ttransport = remote_smtp_wmflabs_org\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\n\n# Route domains via DNS MX and A records\ndnslookup_unsigned:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\ttransport = remote_smtp_unsigned\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\tno_more\n\n# Use the system aliasfile /etc/aliases for system domains\nsystem_aliases:\n\tdriver = redirect\n\tdomains = +system_hostname\n\tdata = ${lookup{$local_part}lsearch{/etc/aliases}}\n\tpipe_transport = address_pipe\n\tallow_fail\n\tallow_defer\n\tforbid_file\n\n##############\n# Transports #\n##############\n\nbegin transports\n\n# DKIM signature actually happens only for domains listed in dkim_domain\n# and if key file exists on filesystem.\n\n# dkim enabled smtp transport for domain wmcloud.org (wmcloud_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)\nremote_smtp_wmcloud_org:\n\tdriver = smtp\n\tdkim_domain = wmcloud.org\n\tdkim_selector = wmcs : wmcs-rsa\n\tdkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}\n\tdkim_canon = relaxed\n\n# dkim enabled smtp transport for domain wmflabs.org (wmflabs_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)\nremote_smtp_wmflabs_org:\n\tdriver = smtp\n\tdkim_domain = wmflabs.org\n\tdkim_selector = wmcs : wmcs-rsa\n\tdkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}\n\tdkim_canon = relaxed\n\n\n# Transport for unsigned (dkim) mail.\nremote_smtp_unsigned:\n\tdriver = smtp\n\n# Generic pipe local delivery transport (for use by alias/forward files)\n\naddress_pipe:\n\tdriver = pipe\n\treturn_output\n\n###############\n# Retry rules #\n###############\n\nbegin retry\n\n# retry deliveries to *@alert.victorops.com every minute for 2 hours\nalert.victorops.com\t*\tF,2h,1m\n*\t\t\t*\tsenders=wiki@wikimedia.org\tF,1h,15m; G,8h,1h,1.5\n*\t\t\t*\tF,2h,15m; G,16h,1h,1.5; F,4d,6h\n\n#################\n# Rewrite rules #\n#################\n\nbegin rewrite\n\n\n*@*.*.wmflabs  root@wmcloud.org  F\n*@*.*.wikimedia.cloud  root@wmcloud.org  F\n\n\n+    config => # This file is managed by puppet\n\n##########\n# Macros #\n##########\n\nCONFDIR=/etc/exim4\n\n###############################\n# Main configuration settings #\n###############################\n\nprimary_hostname = mx-out-b.wmcloud.org\n\ndomainlist system_hostname = @\n\n# relay_from_hosts - Hosts and networks (including local interface addresses) permitted to relay through this smarthost.\n# Within puppet this is an array. The below reformats this into a semicolon ';' delimited list.\n# The <; at the beginning tells exim to use ';' as the delimiter instead of the default ':' (which interferes with ipv6)\nhostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ; 172.16.0.0/21 ; 172.16.128.0/24 ; 172.16.129.0/24 ; 172.16.130.0/24 ; 172.16.131.0/24 ; 172.16.16.0/21 ; 172.16.24.0/24 ; 172.16.8.0/21 ; 172.20.1.0/24 ; 172.20.2.0/24 ; 172.20.254.0/24 ; 172.20.255.0/24 ; 172.20.3.0/24 ; 172.20.4.0/24 ; 172.20.5.0/24 ; 185.15.56.0/25 ; 185.15.56.160/28 ; 185.15.57.0/29 ; 185.15.57.16/29 ; 185.15.57.24/29 ; 2a02:ec80:a000:100::/64 ; 2a02:ec80:a000:1::/64 ; 2a02:ec80:a000:201::/64 ; 2a02:ec80:a000:202::/64 ; 2a02:ec80:a000:203::/64 ; 2a02:ec80:a000:204::/64 ; 2a02:ec80:a000:2ff::/64 ; 2a02:ec80:a000:4000::/64 ; 2a02:ec80:a100:100::/64 ; 2a02:ec80:a100:1::/64 ; 2a02:ec80:a100:205::/64 ; 2a02:ec80:a100:2ff::/64 ; 2a02:ec80:a100:4000::/64\n\ndomainlist dkim_domains = wmcloud.org : wmflabs.org\n\n# Administration\nlog_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn\nmessage_logs = false\n\n# Policy control\nacl_smtp_rcpt = acl_check_rcpt\n\nhelo_try_verify_hosts = *\n\n# Resource control\ncheck_spool_space = 50M\nsmtp_reserve_hosts = <; +relay_from_hosts\nsmtp_accept_queue_per_connection = 500\n\ndeliver_queue_load_max = 800.0\nqueue_only_load = 100.0\nremote_max_parallel = 500\n\nsmtp_connect_backlog = 128\nsmtp_receive_timeout = 1m\nsmtp_accept_max = 4000\nsmtp_accept_max_per_host = ${if match_ip{$sender_host_address}{+relay_from_hosts}{50}{5}}\nsmtp_accept_reserve = 100\n\n# Lookups\nhost_lookup = *\nrfc1413_hosts =\n\n# Other\nnever_users = root : daemon : bin\nignore_bounce_errors_after = 0h\nbounce_message_file = /etc/exim4/bounce_message_file\nwarn_message_file = /etc/exim4/warn_message_file\n\nadd_environment = <; PATH=/bin:/usr/bin\nkeep_environment =\n\n# TLS\ntls_certificate = /etc/acmecerts/mx/live/ec-prime256v1.chained.crt\ntls_privatekey = /etc/acmecerts/mx/live/ec-prime256v1.key\ntls_advertise_hosts = *\ntls_require_ciphers = NORMAL:%SERVER_PRECEDENCE\n\ndisable_ipv6 = true\n\n###############################\n# Access Control Lists (ACLs) #\n###############################\n\nbegin acl\n\nacl_check_rcpt:\n\n\t# Accept if the source is local SMTP (a pipe)\n\taccept hosts = :\n\n\t# Deny if the local part contains @, %, /, | or !, or starts with a dot\n\tdeny local_parts = ^.*[@%!/|] : ^\\\\.\n\n\tdeny hosts          = +relay_from_hosts\n\t     sender_domains = !+dkim_domains\n\t     message        = Mail sent from Cloud VPS using non-supported domain $sender_address_domain\n\n\t# Accept relaying from hosts (and networks) permitted to use this smarthost\n\taccept hosts = +relay_from_hosts\n\n###########\n# Routers #\n###########\n\nbegin routers\n\n# router for dkim domain wmcloud.org (wmcloud_org) (listed in dkim_domains)\ndnslookup_wmcloud_org:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\tcondition = ${if match_domain{$sender_address_domain}{wmcloud.org} }\n\ttransport = remote_smtp_wmcloud_org\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\n# router for dkim domain wmflabs.org (wmflabs_org) (listed in dkim_domains)\ndnslookup_wmflabs_org:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\tcondition = ${if match_domain{$sender_address_domain}{wmflabs.org} }\n\ttransport = remote_smtp_wmflabs_org\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\n\n# Route domains via DNS MX and A records\ndnslookup_unsigned:\n\tdriver = dnslookup\n\tdomains = ! +system_hostname\n\ttransport = remote_smtp_unsigned\n\tignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 10/8 ; 172.16/12 ; 192.168/16\n\tcannot_route_message = Cannot route to remote domain $domain\n\tno_more\n\n# Use the system aliasfile /etc/aliases for system domains\nsystem_aliases:\n\tdriver = redirect\n\tdomains = +system_hostname\n\tdata = ${lookup{$local_part}lsearch{/etc/aliases}}\n\tpipe_transport = address_pipe\n\tallow_fail\n\tallow_defer\n\tforbid_file\n\n##############\n# Transports #\n##############\n\nbegin transports\n\n# DKIM signature actually happens only for domains listed in dkim_domain\n# and if key file exists on filesystem.\n\n# dkim enabled smtp transport for domain wmcloud.org (wmcloud_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)\nremote_smtp_wmcloud_org:\n\tdriver = smtp\n\tdkim_domain = wmcloud.org\n\tdkim_selector = wmcs : wmcs-rsa\n\tdkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}\n\tdkim_canon = relaxed\n\n# dkim enabled smtp transport for domain wmflabs.org (wmflabs_org) with dkim selector(s) wmcs, wmcs-rsa (listed in dkim_domains)\nremote_smtp_wmflabs_org:\n\tdriver = smtp\n\tdkim_domain = wmflabs.org\n\tdkim_selector = wmcs : wmcs-rsa\n\tdkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{/etc/exim4/dkim/${dkim_domain}-${dkim_selector}.key}{0}}\n\tdkim_canon = relaxed\n\n\n# Transport for unsigned (dkim) mail.\nremote_smtp_unsigned:\n\tdriver = smtp\n\n# Generic pipe local delivery transport (for use by alias/forward files)\n\naddress_pipe:\n\tdriver = pipe\n\treturn_output\n\n###############\n# Retry rules #\n###############\n\nbegin retry\n\n# retry deliveries to *@alert.victorops.com every minute for 2 hours\nalert.victorops.com\t*\tF,2h,1m\n*\t\t\t*\tsenders=wiki@wikimedia.org\tF,1h,15m; G,8h,1h,1.5\n*\t\t\t*\tF,2h,15m; G,16h,1h,1.5; F,4d,6h\n\n#################\n# Rewrite rules #\n#################\n\nbegin rewrite\n\n\n"}, {"resource": "File[/etc/exim4/exim4.conf]", "content": "--- /etc/exim4/exim4.conf.orig\n+++ /etc/exim4/exim4.conf\n@@ -184,7 +184,3 @@\n \n begin rewrite\n \n-\n-*@*.*.wmflabs  root@wmcloud.org  F\n-*@*.*.wikimedia.cloud  root@wmcloud.org  F\n-"}], "perc_changed": "0.38%"}}}