author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-03-26 12:48:48 +0000 |
---|---|---|
committer | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-03-26 16:32:56 +0000 |
commit | ad617f0339ee098425a2b455bd17edab5956a18d (patch) | |
tree | 3b0bff6471c8f63b038aee5c69d6952f13654ef4 | |
parent | 3b8767aea464fc82b21e321aa883783eff2419b5 (diff) | |
download | infrastructure-ad617f0339ee098425a2b455bd17edab5956a18d.tar.gz |
Add simple mail relay instance
This is a Fedora Cloud 21 instance running exim4, for the moment.
Change-Id: I6298a134bb474c65dd57a1bda87469dc3cd88441
-rw-r--r-- | README.mdwn | 10 | ||||
-rw-r--r-- | baserock_hosts | 1 | ||||
-rw-r--r-- | baserock_mail/instance-config.yml | 75 | ||||
-rw-r--r-- | firewall.yaml | 20 |
4 files changed, 106 insertions, 0 deletions
diff --git a/README.mdwn b/README.mdwn
index fa638bb6..ecf902a1 100644
--- a/README.mdwn
+++ b/README.mdwn
@@ -162,6 +162,16 @@ be altered and rerun whenever you need to add more users or databases.
 [MariaDB]: https://www.mariadb.org
+### Mail relay
+
+The mail relay is currently a Fedora Cloud 21 image running Exim. You should be
+able to take a Fedora Cloud 21 base image, instantiate it in the
+'internal-mail-relay' security group, and then run
+'baserock_mail/instance-config.yml' to configure it and start the service.
+
+It is configured to only listen on its internal IP. It's not intended to
+receive mail, or relay mail sent by systems outside the baserock.org cloud.
+
 ### OpenID provider
 To deploy a development instance:
diff --git a/baserock_hosts b/baserock_hosts
index 03556251..0d67c3fd 100644
--- a/baserock_hosts
+++ b/baserock_hosts
@@ -21,6 +21,7 @@ mason-x86-64 ansible_ssh_host=192.168.222.80
 [fedora]
 frontend-haproxy ansible_ssh_host=185.43.218.170
 database-mariadb ansible_ssh_host=192.168.222.30
+mail ansible_ssh_host=192.168.222.111
 openid ansible_ssh_host=192.168.222.67
 storyboard ansible_ssh_host=192.168.222.40
diff --git a/baserock_mail/instance-config.yml b/baserock_mail/instance-config.yml
new file mode 100644
index 00000000..f4cb4927
--- /dev/null
+++ b/baserock_mail/instance-config.yml
@@ -0,0 +1,75 @@
+# Configuration for Baserock mail relay
+#
+# This Ansible playbook expects to be run on a Fedora 21 Cloud image.
+---
+- hosts: mail
+  gather_facts: false
+  sudo: yes
+  vars:
+    LOCAL_IP: 192.168.222.111
+    PUBLIC_IP: 185.43.218.171
+  tasks:
+  - name: exim4 installation
+    yum: name=exim state=installed
+
+  # Fedora provides a default /etc/exim/exim.conf. Rather than copy it and
+  # overwrite it, since we only need to make a few changes, I've used the
+  # lineinfile module to do search-and-replace. It's a bit ugly though. It
+  # may be better to just embed exim.conf.
+
+  # Several restrictions here are also enforced by the internal-mail-relay
+  # security group in firewall.yml, which only opens port 25, and only for
+  # traffic from the local network.
+
+  # This machine is only for sending mail.
+  - name: do not accept any incoming mail
+    lineinfile:
+      regexp: '^domainlist\s+local_domains.*$'
+      line: 'domainlist local_domains = '
+      dest: /etc/exim/exim.conf
+
+  - name: only accept mail from local network
+    lineinfile:
+      regexp: '^hostlist\s+relay_from_hosts.*$'
+      line: 'hostlist relay_from_hosts = 192.168.222.0/24'
+      dest: /etc/exim/exim.conf
+
+  - name: only listen on internal interface
+    lineinfile:
+      regexp: '^#?local_interfaces.*$'
+      line: 'local_interfaces = <; ::1 ; 127.0.0.1 ; {{ LOCAL_IP }}'
+      insertbefore: BOF
+      dest: /etc/exim/exim.conf
+
+  # The automation email addresses like gerrit@baserock.org do have aliases,
+  # but these are currently configured at Pepperfish, where our MX (mail)
+  # records for baserock.org point. So Exim thinks they are not routable
+  # and refuses to send mail from them, unless we disable this. Note that
+  # the address does have to be routable by something, or the receiving mail
+  # server may reject the mail anyway.
+  - name: do not verify that sender is routable within this Exim instance
+    lineinfile:
+      regexp: '^#?\s*require\s+verify\s+=\s+sender.*$'
+      line: '# require verify = sender'
+      dest: /etc/exim/exim.conf
+
+  # We don't have DNS in the internal baserock.org cloud right now, so this
+  # would be pointless.
+  - name: do not try to resolve hosts making SMTP requests
+    lineinfile:
+      regexp: '^#?\s+host_lookup = .*$'
+      line: '# host_lookup = *'
+      dest: /etc/exim/exim.conf
+
+  # The hostname of the machine will be 'mail', which isn't a fully-qualified
+  # domain name so will be rejected by SMTP servers. Ideally we would have
+  # mail.baserock.org set up and pointing to the floating IP of this machine.
+  # For now, we just have the IP.
+  - name: set primary hostname to public IP
+    lineinfile:
+      regexp: '^#?primary_hostname = .*$'
+      line: 'primary_hostname = {{ PUBLIC_IP }}'
+      dest: /etc/exim/exim.conf
+
+  - name: exim4 service
+    service: name=exim state=started enabled=yes
diff --git a/firewall.yaml b/firewall.yaml
index 5c933b91..9009de0e 100644
--- a/firewall.yaml
+++ b/firewall.yaml
@@ -198,6 +198,26 @@
       protocol: tcp
       remote_ip_prefix: 0.0.0.0/0
+  - name: internal mail relay security group
+    neutron_sec_group:
+      name: internal-mail-relay
+      description: Allow receiving internal-only connections on port 25 for SMTP
+      state: present
+
+      auth_url: "{{ ansible_env.OS_AUTH_URL }}"
+      login_username: "{{ ansible_env.OS_USERNAME }}"
+      login_password: "{{ ansible_env.OS_PASSWORD }}"
+      login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
+
+      rules:
+      # 25: SMTP, for sending emails.
+      - direction: ingress
+        port_range_min: 25
+        port_range_max: 25
+        ethertype: IPv4
+        protocol: tcp
+        remote_ip_prefix: 192.168.222.0/24
+
   - name: Mason x86 security group
     neutron_sec_group:
       name: mason-x86 |
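Review bot: The regexp in the "do not try to resolve hosts" task, `'^#?\s+host_lookup = .*$'`, requires at least one whitespace character before `host_lookup`, so an uncommented `host_lookup = *` at column 0 (where the stock Exim configuration keeps it, assuming Fedora's file follows upstream) is never matched; lineinfile then appends `# host_lookup = *` at the end of the file and reverse lookups stay enabled. Use `regexp: '^#?\s*host_lookup\s*=.*$'` instead. More generally, every lineinfile task here silently appends its line at EOF when the regexp misses, which for the `domainlist`/`hostlist` edits would leave the distribution default directive in force or produce an invalid configuration without failing the play; a final syntax check, e.g. a `command: exim -bV` task or lineinfile's `validate` option if the installed Ansible supports it, would catch that. Minor: the comment refers to `firewall.yml` while the file is `firewall.yaml`, and `sudo: yes` is the pre-1.9 spelling of `become: true`.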
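Review bot: `remote_ip_prefix: 192.168.222.0/24` lets every instance on the internal network, present or future, submit mail through this relay unauthenticated, and the matching `relay_from_hosts = 192.168.222.0/24` in instance-config.yml relays it to any domain with sender verification disabled; a compromised or throwaway test instance can therefore send mail with arbitrary baserock.org sender addresses. If the module supports it, scope the rule to the security groups of the actual senders via `remote_group_id`, or list the known sender hosts as /32 prefixes rather than the whole subnet. The group opens nothing else, so unless the instance is also placed in a group that allows tcp/22 from the Ansible host, the playbook cannot reach it at 192.168.222.111; if that split is intended it is worth stating in the README section added by this commit.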