Changeset - d92577936630
[Not reviewed]
Branko Majic (branko) - 7 years ago 2017-07-20 22:57:26
branko@majic.rs
MAR-105: Added parameter for controlling firewall to mail_forwarder:

- Added new parameter smtp_from_relay_allowed.
- Updated role reference documentation.
- Added small note to usage instructions to mention the parameter's usability in
case of NAT'ed machines or laptops.
- Updated test playbook, adding another instance for testing the parameter, and
added tests that cover the new parameter.
- Updated existing connectivity tests to be more specific and reliable.
8 files changed with 47 insertions and 2 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -1230,6 +1230,13 @@ Parameters
 
  recipients/aliases, while the value provided should be a space-separated list
 
  of mail addresses (or local users) where the mails should be forwarded.
 

	
 
**smtp_from_relay_allowed** (boolean, optional, ``True``)
 
  Specify if SMTP traffic from SMTP relay should be allowed or not (for bounced
 
  messages, for example). This parameter should be set to ``False`` on systems
 
  behind NAT or on systems that may not have constant network connectivity (such
 
  as laptops) to avoid firewall failures since SMTP relay name needs to be
 
  resolvable.
 

	
 
**smtp_relay_host** (string, optional, ``None``)
 
  SMTP server via which the mails are sent out for non-local recipients.
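Review bot: the description of ``smtp_from_relay_allowed`` should state that it only has an effect when ``smtp_relay_host`` is set, since the firewall rule in this changeset is gated on ``smtp_relay_host and smtp_from_relay_allowed``; it should also spell out the consequence of ``False`` beyond the parenthetical: with the accept rule gone, bounces and any other mail the relay sends back to this host are blocked at the firewall rather than delivered locally. The last sentence would also read better if it named the mechanism, e.g. "since ferm has to resolve the relay hostname when the rules are loaded" instead of "since SMTP relay name needs to be resolvable".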
 

	
 
@@ -1264,6 +1271,8 @@ Here is an example configuration for setting-up the mail forwarder:
 

	
 
  smtp_relay_host: mail.example.com
 

	
 
  smtp_from_relay_allowed: False
 

	
 
  smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
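Review bot: the example configuration now shows ``smtp_from_relay_allowed: False``, which is the non-default value and, per the parameter description, intended for NAT'ed hosts and laptops; a typical server deployment keeps the default. Either drop the line from the example or add a short comment explaining why it is set there, so readers do not copy it as-is and silently lose bounce delivery from the relay.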
 

	
 

	
docs/usage.rst
 
@@ -635,6 +635,10 @@ setting-up a mail server host (with authenticated IMAP, SMTP, mail storage etc),
 
and one for setting-up a local SMTP mail forwarder (for having the rest of your
 
servers relay their mails to the mail server host).
 

	
 
.. note::
 
   Should you ever need to deploy the forwarder role on a laptop or machine
 
   behind NAT, make sure to look at ``smtp_from_relay_allowed`` parameter.
 

	
 
The mail server role looks-up available mail domains, users, and aliases in the
 
LDAP directory. This has already been set-up on the server
 
``comms.example.com``, but some changes will be required.
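Review bot: grammar in the added note: "look at ``smtp_from_relay_allowed`` parameter" should read "look at the ``smtp_from_relay_allowed`` parameter". It would also help to say what the reader should do rather than only pointing at the reference, e.g. "and consider setting it to ``False`` so the firewall does not depend on resolving the relay hostname".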
roles/mail_forwarder/defaults/main.yml
 
---
 

	
 
local_mail_aliases: {}
 
smtp_from_relay_allowed: True
 
smtp_relay_host: ""
 
smtp_relay_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}"
 
\ No newline at end of file
 
smtp_relay_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}"
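Review bot: defaulting ``smtp_from_relay_allowed`` to ``True`` is the right choice, since it preserves the existing behaviour for everyone who does not set the variable; the trailing-newline fix is welcome too. Visible in the context but not part of this change: ``smtp_relay_host`` defaults to ``""`` here while the role reference documents its default as ``None``; worth aligning in a follow-up so the docs match what the template actually tests.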
roles/mail_forwarder/molecule.yml
 
@@ -49,5 +49,12 @@ vagrant:
 
          ip: 10.31.127.31
 
          auto_config: yes
 

	
 
    - name: parameters-no-incoming
 
      interfaces:
 
        - network_name: private_network
 
          type: static
 
          ip: 10.31.127.32
 
          auto_config: yes
 

	
 
verifier:
 
  name: testinfra
roles/mail_forwarder/playbook.yml
 
@@ -19,6 +19,7 @@
 
        10.31.127.20: "client1"
 
        10.31.127.30: "parameters-mandatory"
 
        10.31.127.31: "parameters-optional"
 
        10.31.127.32: "parameters-no-incoming"
 

	
 
- hosts: client1
 
  tasks:
 
@@ -120,6 +121,7 @@
 
    - role: mail_forwarder
 
      local_mail_aliases:
 
        root: "root testuser"
 
      smtp_from_relay_allowed: True
 
      smtp_relay_host: mail-server
 
      smtp_relay_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 

	
 
@@ -127,6 +129,17 @@
 
      ca_certificates:
 
        testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 

	
 
- hosts: parameters-no-incoming
 
  roles:
 
    - role: mail_forwarder
 
      smtp_relay_host: mail-server
 
      smtp_from_relay_allowed: False
 
      smtp_relay_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 

	
 
      # common
 
      ca_certificates:
 
        testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 

	
 
- hosts: parameters-optional
 
  tasks:
 

	
roles/mail_forwarder/templates/ferm_mail.conf.j2
 
{% if smtp_relay_host %}
 
{% if smtp_relay_host and smtp_from_relay_allowed %}
 
domain ip {
 
    # Accept incoming connections on port 25 from SMTP relay host.
 
    table filter {
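Review bot: the condition ``{% if smtp_relay_host and smtp_from_relay_allowed %}`` relies on Jinja truthiness. If an operator sets the variable as the string ``"False"`` (for example via ``-e smtp_from_relay_allowed=False`` on the command line, where values arrive as strings), it is a non-empty string and evaluates true, so the accept rule and the hostname resolution the docs warn about would still be generated. Consider ``{% if smtp_relay_host and smtp_from_relay_allowed | bool %}``. The hunk only shows the opening ``{% if %}``; confirm the matching ``{% endif %}`` and the rest of the ``domain ip`` block are unchanged so the file still renders correctly when the flag is false.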
roles/mail_forwarder/tests/test_connectivity_from_client.py
 
@@ -15,6 +15,12 @@ def test_connectivity_from_client(Command, Sudo):
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-mandatory')
 
        assert ping.rc != 0
 
        assert "100% packet loss" in ping.stderr
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-optional')
 
        assert ping.rc != 0
 
        assert "100% packet loss" in ping.stderr
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-no-incoming')
 
        assert "100% packet loss" in ping.stderr
 
        assert ping.rc != 0
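Review bot: the new ``parameters-no-incoming`` block asserts on ``ping.stderr`` before ``ping.rc``, the reverse of the two blocks above it; keep the order consistent so a failure report reads the same for every instance. Otherwise the check matches the expectation that a plain client never reaches port 25 on any forwarder instance, regardless of ``smtp_from_relay_allowed``.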
roles/mail_forwarder/tests/test_connectivity_from_relay.py
 
@@ -15,10 +15,15 @@ def test_connectivity_from_relay(Command, Sudo):
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-mandatory')
 
        assert ping.rc != 0
 
        assert "100% packet loss" in ping.stderr
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-optional')
 
        assert ping.rc == 0
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-no-incoming')
 
        assert "100% packet loss" in ping.stderr
 
        assert ping.rc != 0
 

	
 

	
 
def test_mail_reception_from_relay(Command, Sudo):
 
    """