authorSam Thursfield <sam.thursfield@codethink.co.uk>2015-03-26 12:48:48 +0000
committerSam Thursfield <sam.thursfield@codethink.co.uk>2015-03-26 16:32:56 +0000
commitad617f0339ee098425a2b455bd17edab5956a18d (patch)
tree3b0bff6471c8f63b038aee5c69d6952f13654ef4
parent3b8767aea464fc82b21e321aa883783eff2419b5 (diff)
downloadinfrastructure-ad617f0339ee098425a2b455bd17edab5956a18d.tar.gz
Add simple mail relay instance
This is a Fedora Cloud 21 instance running exim4, for the moment. Change-Id: I6298a134bb474c65dd57a1bda87469dc3cd88441
-rw-r--r--README.mdwn10
-rw-r--r--baserock_hosts1
-rw-r--r--baserock_mail/instance-config.yml75
-rw-r--r--firewall.yaml20
4 files changed, 106 insertions, 0 deletions
diff --git a/README.mdwn b/README.mdwn
index fa638bb6..ecf902a1 100644
--- a/README.mdwn
+++ b/README.mdwn
@@ -162,6 +162,16 @@ be altered and rerun whenever you need to add more users or databases.
[MariaDB]: https://www.mariadb.org
+### Mail relay
+
+The mail relay is currently a Fedora Cloud 21 image running Exim. You should be
+able to take a Fedora Cloud 21 base image, instantiate it in the
+'internal-mail-relay' security group, and then run
+'baserock_mail/instance-config.yml' to configure it and start the service.
+
+It is configured to only listen on its internal IP. It's not intended to
+receive mail, or relay mail sent by systems outside the baserock.org cloud.
+
### OpenID provider
To deploy a development instance:
diff --git a/baserock_hosts b/baserock_hosts
index 03556251..0d67c3fd 100644
--- a/baserock_hosts
+++ b/baserock_hosts
@@ -21,6 +21,7 @@ mason-x86-64 ansible_ssh_host=192.168.222.80
[fedora]
frontend-haproxy ansible_ssh_host=185.43.218.170
database-mariadb ansible_ssh_host=192.168.222.30
+mail ansible_ssh_host=192.168.222.111
openid ansible_ssh_host=192.168.222.67
storyboard ansible_ssh_host=192.168.222.40
diff --git a/baserock_mail/instance-config.yml b/baserock_mail/instance-config.yml
new file mode 100644
index 00000000..f4cb4927
--- /dev/null
+++ b/baserock_mail/instance-config.yml
@@ -0,0 +1,75 @@
+# Configuration for Baserock mail relay
+#
+# This Ansible playbook expects to be run on a Fedora 21 Cloud image.
+---
+- hosts: mail
+ gather_facts: false
+ sudo: yes
+ vars:
+ LOCAL_IP: 192.168.222.111
+ PUBLIC_IP: 185.43.218.171
+ tasks:
+ - name: exim4 installation
+ yum: name=exim state=installed
+
+ # Fedora provides a default /etc/exim/exim.conf. Rather than copy it and
+ # overwrite it, since we only need to make a few changes, I've used the
+ # lineinfile module to do search-and-replace. It's a bit ugly though. It
+ # may be better to just embed exim.conf.
+
+ # Several restrictions here are also enforced by the internal-mail-relay
+ # security group in firewall.yml, which only opens port 25, and only for
+ # traffic from the local network.
+
+ # This machine is only for sending mail.
+ - name: do not accept any incoming mail
+ lineinfile:
+ regexp: '^domainlist\s+local_domains.*$'
+ line: 'domainlist local_domains = '
+ dest: /etc/exim/exim.conf
+
+ - name: only accept mail from local network
+ lineinfile:
+ regexp: '^hostlist\s+relay_from_hosts.*$'
+ line: 'hostlist relay_from_hosts = 192.168.222.0/24'
+ dest: /etc/exim/exim.conf
+
+ - name: only listen on internal interface
+ lineinfile:
+ regexp: '^#?local_interfaces.*$'
+ line: 'local_interfaces = <; ::1 ; 127.0.0.1 ; {{ LOCAL_IP }}'
+ insertbefore: BOF
+ dest: /etc/exim/exim.conf
+
+ # The automation email addresses like gerrit@baserock.org do have aliases,
+ # but these are currently configured at Pepperfish, where our MX (mail)
+ # records for baserock.org point. So Exim thinks they are not routable
+ # and refuses to send mail from them, unless we disable this. Note that
+ # the address does have to be routable by something, or the receiving mail
+ # server may reject the mail anyway.
+ - name: do not verify that sender is routable within this Exim instance
+ lineinfile:
+ regexp: '^#?\s*require\s+verify\s+=\s+sender.*$'
+ line: '# require verify = sender'
+ dest: /etc/exim/exim.conf
+
+ # We don't have DNS in the internal baserock.org cloud right now, so this
+ # would be pointless.
+ - name: do not try to resolve hosts making SMTP requests
+ lineinfile:
+ regexp: '^#?\s+host_lookup = .*$'
+ line: '# host_lookup = *'
+ dest: /etc/exim/exim.conf
+
+ # The hostname of the machine will be 'mail', which isn't a fully-qualified
+ # domain name so will be rejected by SMTP servers. Ideally we would have
+ # mail.baserock.org set up and pointing to the floating IP of this machine.
+ # For now, we just have the IP.
+ - name: set primary hostname to public IP
+ lineinfile:
+ regexp: '^#?primary_hostname = .*$'
+ line: 'primary_hostname = {{ PUBLIC_IP }}'
+ dest: /etc/exim/exim.conf
+
+ - name: exim4 service
+ service: name=exim state=started enabled=yes
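Review bot: The regexp in the "do not try to resolve hosts making SMTP requests" task, `'^#?\s+host_lookup = .*$'`, requires at least one whitespace character between the optional `#` and `host_lookup`, so a distribution default written flush-left as `host_lookup = *` would not match; lineinfile would then append the commented line at end of file while the active directive stays in force, silently defeating the task. `regexp: '^#?\s*host_lookup\s*=.*$'` matches both the commented and the flush-left form and is consistent with the `\s*` used in the `require verify` task above. Separately, none of the lineinfile tasks carry a `notify`, and the final task only ensures exim is `started`, so re-running the playbook against an already-running instance changes exim.conf without ever reloading it; a `restart exim` handler notified by each edit closes that gap (sketched below). The comment near the top also refers to `firewall.yml`, while the file added in this commit is `firewall.yaml`, and `sudo: yes` / `state=installed` would read more cleanly as `sudo: true` / `state: present` in block form.
```yaml
    # We don't have DNS in the internal baserock.org cloud right now, so this
    # would be pointless.
    - name: do not try to resolve hosts making SMTP requests
      lineinfile:
        regexp: '^#?\s*host_lookup\s*=.*$'
        line: '# host_lookup = *'
        dest: /etc/exim/exim.conf
      notify: restart exim

    # … unchanged: remaining lineinfile tasks, each also gaining `notify: restart exim` …

    - name: exim4 service
      service: name=exim state=started enabled=yes

  handlers:
    - name: restart exim
      service: name=exim state=restarted
```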
diff --git a/firewall.yaml b/firewall.yaml
index 5c933b91..9009de0e 100644
--- a/firewall.yaml
+++ b/firewall.yaml
@@ -198,6 +198,26 @@
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
+ - name: internal mail relay security group
+ neutron_sec_group:
+ name: internal-mail-relay
+ description: Allow receiving internal-only connections on port 25 for SMTP
+ state: present
+
+ auth_url: "{{ ansible_env.OS_AUTH_URL }}"
+ login_username: "{{ ansible_env.OS_USERNAME }}"
+ login_password: "{{ ansible_env.OS_PASSWORD }}"
+ login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
+
+ rules:
+ # 25: SMTP, for sending emails.
+ - direction: ingress
+ port_range_min: 25
+ port_range_max: 25
+ ethertype: IPv4
+ protocol: tcp
+ remote_ip_prefix: 192.168.222.0/24
+
- name: Mason x86 security group
neutron_sec_group:
name: mason-x86
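Review bot: The rule comment `# 25: SMTP, for sending emails.` describes the relay's purpose rather than what this ingress rule permits, which is inbound SMTP submissions from hosts in 192.168.222.0/24; `# 25: SMTP submissions from hosts on the internal network (the relay itself only sends outbound).` would say what the rule does. The `192.168.222.0/24` prefix here must also stay in step with `relay_from_hosts` in baserock_mail/instance-config.yml, since both together define who may hand mail to an unauthenticated relay; a comment cross-referencing that value, `# Must match relay_from_hosts in baserock_mail/instance-config.yml.`, would make the coupling visible to whoever edits either file. The enclosing task list continues outside the hunk.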