X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=2ec73b907a647a31abe93a717554a1cb1785d0c8;hb=fd3ffa99420bfd5455270ea7413bccbc22a8763d;hp=027cff9f16d7c9f8e7d4afc93bb74e2f4b32120f;hpb=bc7a6a9a8cf2d944b93eeb3831383658c31905f5;p=mirror%2Fdsa-puppet.git

diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb
index 027cff9f1..2ec73b907 100644
--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
@@ -11,24 +11,24 @@
 # considerably from what could be considered a standard exim configuration.
 
 # This configuration file brings in the necessary information from
-# other databases stored in /etc/exim/ and the files distributed by ud-ldap
+# other databases stored in /etc/exim4/ and the files distributed by ud-ldap
 
 # This file is independent of the local host, it should not be changed
 # per machine. primary_hostname is used in all places that require per-host 
 # settings.
 
-# The configuration files in /etc/exim are as follows:
+# The configuration files in /etc/exim4 are as follows:
 #  locals - This is a list of domains that are considered local. A local
-#           domain is essential one that deliveries to /var/mail
+#           domain is essentially one for which deliveries to /var/mail
 #           will be attempted. The users available for local delivery
-#           comes from /etc/passwd and /etc/aliases. Wildcards are not
+#           come from /etc/passwd and /etc/aliases. Wildcards are not
 #           permitted.
 #  virtualdomains - This is a list of all virtual domains. A virtual domain
 #           is much like a local domain, execpt that the delivery location
 #           and allowed set of users is controlled by a virtual domain
 #           alias file and not /etc/passwd. Wildcards are permitted
 #  relayhosts - Hostnames that can send any arbitarily addressed mail to
-#           us. This is primarily only usefull for emergancy 'queue
+#           us. This is primarily only useful for emergency 'queue
 #           flushing' operations, but should be populated with a list
 #           of trusted machines. Wildcards are not permitted
 #  bsmtp_domains - Domains that we deliver locally via bsmtp
@@ -68,7 +68,7 @@
 
 # Heuristic check (none bad enough to cause a hard reject, but in aggregate
 # will trigger things like rcpt to rate limiting or possibly a reject if
-# enough hits are triggered.
+# enough hits are triggered).
 #
 # value is stored in acl_c_scr
 
@@ -76,7 +76,7 @@
 #                    MAIN CONFIGURATION SETTINGS                     #
 ######################################################################
 
-<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
+<%- if @heavy -%>
  perl_startup = do '/etc/exim4/exim_surbl.pl'
 <%- end -%>
 
@@ -87,7 +87,7 @@
 acl_smtp_helo = check_helo
 acl_smtp_rcpt = ${if ={$interface_port}{587} {check_submission}{check_recipient}}
 acl_smtp_data = check_message
-<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
+<%- if @heavy -%>
 acl_smtp_mime = acl_check_mime
 <%- end -%>
 acl_smtp_predata = acl_check_predata
@@ -174,7 +174,7 @@ timeout_frozen_after=14d
 message_size_limit = 100M
 message_logs = false
 smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}}
-<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
+<%- if @heavy -%>
 smtp_accept_max = 300
 smtp_accept_queue = 200
 smtp_accept_queue_per_connection = 50
@@ -193,7 +193,7 @@ check_spool_space  = 20M
 
 delay_warning =
 
-<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
+<%- if @heavy -%>
 message_body_visible = 5000
 queue_run_max = 50
 deliver_queue_load_max = 50
@@ -219,17 +219,16 @@ av_scanner = clamd:/var/run/clamav/clamd.ctl
 ports = []
 out = "daemon_smtp_ports = "
 ports << 25
+if @mail_port  # if we have an overridden mail_port
+  ports << @mail_port
+end
 
 if @is_bugsmx
   ports << 587
 end
 
-if not scope.lookupvar('site::nodeinfo')['mail_port'].to_s.empty?
-  ports << scope.lookupvar('site::nodeinfo')['mail_port']
-end
-
 if @is_mailrelay
-  ports << scope.lookupvar('site::nodeinfo')['smarthost_port']
+  ports << @smarthost_port
 end
 
 out += ports.uniq.sort.join(" : ")
@@ -243,7 +242,7 @@ pipelining_advertise_hosts = !*
 tls_advertise_hosts = *
 smtp_enforce_sync = true
 
-log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation
+log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation +smtp_protocol_error
 
 received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
                                  {${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
@@ -267,7 +266,9 @@ GREYLIST_LOCAL_PARTS = ${if match_domain{$domain}{+virtual_domains}\
                        {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\
                        {${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}}}} : \
                        ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}}
+<%- if @is_rtmaster -%>
 RT_QUEUE_MAP = /srv/rt.debian.org/mail/rt_queue_map
+<%- end -%>
 
 keep_environment =
 add_environment =
@@ -407,7 +408,7 @@ check_helo:
   accept  verify   = certificate
 
 <%- end -%>
-<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%>
+<%- unless @use_smarthost -%>
   # These are in HELO acl so that they are only run once.  They increment a counter,
   # so we don't want it to increment per rcpt to.
 
@@ -504,7 +505,7 @@ check_submission:
 
 <%- end -%>
   # Defer after too many bad RCPT TO's.  Legit MTAs will retry later.
-  # This is a rough pass at preventing addres harvesting or other mail blasts.
+  # This is a rough pass at preventing address harvesting or other mail blasts.
 
   defer  log_message   = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
          message       = Too many bad recipients, try again later
@@ -623,12 +624,6 @@ check_recipient:
   deny    domains       = !+handled_domains
           local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
 
-# forwards mail to @d.o address, even if it's a bounce from master, no reply
-# from source address; rejecting all mail now.
-  deny    recipients    = mendoza@debian.org
-          hosts         = 65.110.39.147 : 64.39.31.15
-          message       = <mendoza@kenny.linuxsis.net> cannot forward here while mailer-daemon mail is not caught
-
   deny    condition     = ${lookup{$sender_address_local_part}lsearch{/etc/exim4/localusers}{true}}
 	  sender_domains= +local_domains
 	  hosts         = !+debianhosts
@@ -821,7 +816,7 @@ check_recipient:
   accept  local_parts   = +postmasterish
           domains       = +virtual_domains : +bsmtp_domains
 
-<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%>
+<%- unless @use_smarthost -%>
   deny    message  = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
           dnslists = ${if match_domain{$domain}{+virtual_domains}\
 		     {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\
@@ -841,7 +836,7 @@ check_recipient:
 	  domains       = +handled_domains
 	  !hosts        = +debianhosts : WHITELIST
 
-<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%>
+<%- unless @use_smarthost -%>
   deny    domains  = +handled_domains
           local_parts = ${if match_domain{$domain}{+virtual_domains}\
                         {${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\
@@ -869,7 +864,7 @@ check_recipient:
 
   deny    message = relay not permitted
 
-<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
+<%- if @heavy -%>
 acl_check_mime:
 
  accept  verify        = certificate
@@ -908,7 +903,7 @@ acl_check_predata:
 #!!# ACL that is used after the DATA command
 check_message:
 
-  # Some people put from hostmaster@something.debian.org in the From
+  # Some people put from postmaster@something.debian.org in the From
   # header.  Take their crack pipe away.
   drop   condition = ${if match{${lc:$h_From:}}{\Npostmaster@([^.]+\.)?debian\.org\N}}
 
@@ -921,7 +916,7 @@ check_message:
 
 <%- end -%>
 <%- if @is_packagesqamaster -%>
-  deny    !hosts  = +debianhosts : 5.153.231.21
+  deny    !hosts  = +debianhosts
           condition = ${if eq {$acl_m_prf}{PTSMail}}
           condition = ${if def:h_X-PTS-Approved:{false}{true}}
           message   = messages to the PTS require an X-PTS-Approved header
@@ -984,7 +979,7 @@ check_message:
           message         = X-malware detected: $malware_name
 
 <%- end -%>
-<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
+<%- if @heavy -%>
  discard condition     = ${if <{$message_size}{256000}}
          condition     = ${if eq {$acl_m_prf}{blackhole}}
          set acl_m_srb = ${perl{surblspamcheck}}
@@ -1039,7 +1034,6 @@ begin rewrite
 *@debian.org ${lookup{$1}cdb{/var/lib/misc/${primary_hostname}/mail-forward.cdb}{$value}fail} T
 *@people.debian.org ${lookup{$1}cdb{/var/lib/misc/${primary_hostname}/mail-forward.cdb}{$value}fail} T
 #*@${primary_hostname} "${if exists{/etc/exim4/email-addresses}{${lookup{$1}lsearch{/etc/exim4/email-addresses}{$value}fail}}fail}" fFs
-m68k@buildd.debian.org m68k-build@nocrew.org Ttrbc
 
 
 #!!#######################################################!!#
@@ -1088,23 +1082,17 @@ ipliteral:
   transport = remote_smtp
   ignore_target_hosts = +reservedaddrs
 
-<%=
-out = ""
-if not scope.lookupvar('site::nodeinfo')['smarthost'].empty?
-out = "
+<%- if @use_smarthost -%>
 smarthost:
-  debug_print = \"R: smarthost for $local_part@$domain\"
+  debug_print = "R: smarthost for $local_part@$domain"
   driver = manualroute
   domains = !+handled_domains
   transport = remote_smtp_smarthost
-  route_list = * #{scope.lookupvar('site::nodeinfo')['smarthost']}
+  route_list = * <%= @smarthost %>
   host_find_failed = defer
   same_domain_copy_routing = yes
   no_more
-"
-end
-out
-%>
+<%- end -%>
 
 # This router routes to remote hosts over SMTP using a DNS lookup.
 # Ignore reserved network responses, including localhost.
@@ -1189,7 +1177,7 @@ userforward_verify:
   router_home_directory = ${lookup passwd{$local_part}{${extract{5}{:}{$value}}}fail}
   verify_only
 
-# This is a senmailesque alias file lookup
+# This is a sendmailesque alias file lookup
 virt_aliases:
   debug_print = "R: virt_aliases for $local_part@$domain"
   driver = redirect
@@ -1347,7 +1335,7 @@ rt_force_new_verbose:
   pipe_transport = rt_pipe
   data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --ca-file /etc/ssl/ca-debian/ca-certificates.crt --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}"
   headers_remove = Subject
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nSubject: ${if and {{first_delivery}{match {$h_subject:}{(?i)(.*?)\\\\[?debian rt\\\\]?[:\\s]*(.*)}}} {$1$2}{$h_subject:}}"
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nSubject: ${if and {{first_delivery}{match {$h_subject:}{(?is)(.*?)\\\\[?debian rt\\\\]?[:\\s]*(.*)}}} {$1$2}{$h_subject:}}"
 
 # FIXME: figure out how to generalize this approach so that all of the following would work
 # - rt+NNNN@rt.debian.org          : attach correspondence to ticket (verbose)
@@ -1364,7 +1352,7 @@ rt_force_new_quiesce:
   pipe_transport = rt_pipe
   data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --ca-file /etc/ssl/ca-debian/ca-certificates.crt --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}"
   headers_remove = Subject
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nX-RT-Mode: quiesce\nSubject: ${if and {{first_delivery}{match {$h_subject:}{(?i)(.*?)\\\\[?debian rt\\\\]?[:\\s]*(.*)}}} {$1$2}{$h_subject:}}"
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nX-RT-Mode: quiesce\nSubject: ${if and {{first_delivery}{match {$h_subject:}{(?is)(.*?)\\\\[?debian rt\\\\]?[:\\s]*(.*)}}} {$1$2}{$h_subject:}}"
 
 rt_otherwise:
   debug_print = "R: rt for $local_part@$domain"
@@ -1582,24 +1570,17 @@ remote_smtp:
   tls_certificate = /etc/exim4/ssl/thishost.crt
   tls_privatekey = /etc/exim4/ssl/thishost.key
 
-<%=
-out = ""
-if not scope.lookupvar('site::nodeinfo')['smarthost'].empty?
-out = '
+<%- if @use_smarthost -%>
 remote_smtp_smarthost:
   debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
   driver = smtp
   delay_after_cutoff = false
-  port = '
-  out += scope.lookupvar('site::nodeinfo')['smarthost_port'].to_s + "\n"
-  out += '  tls_tempfail_tryclear = false
-  hosts_require_tls = ' + scope.lookupvar('site::nodeinfo')['smarthost'] + '
+  port = <%= @smarthost_port %>
+  tls_tempfail_tryclear = false
+  hosts_require_tls = <%= @smarthost %>
   tls_certificate = /etc/exim4/ssl/thishost.crt
   tls_privatekey = /etc/exim4/ssl/thishost.key
-'
-end
-out
-%>
+<%- end -%>
 # Send the message to procmail
 procmail_pipe:
   driver = pipe