Changeset - d92577936630
[Not reviewed]
0 8 0
Branko Majic (branko) - 8 years ago 2017-07-20 22:57:26
branko@majic.rs
MAR-105: Added parameter for controlling firewall to mail_forwarder:

- Added new parameter smtp_from_relay_allowed.
- Updated role reference documentation.
- Added a small note to the usage instructions to mention the parameter's usability in
case of NAT'ed machines or laptops.
- Updated the test playbook, adding another instance for testing the parameter, and
added tests that cover the new parameter.
- Updated existing connectivity tests to be more specific and reliable.
8 files changed with 47 insertions and 2 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -1227,12 +1227,19 @@ Parameters
 
  Dictionary defining the local aliases. Aliases defined this way will either be
 
  appended to default aliases on the server, or replace the existing entries (if
 
  the alias/recipient is already present). Keys in the dictionary are the local
 
  recipients/aliases, while the value provided should be a space-separated list
 
  of mail addresses (or local users) where the mails should be forwarded.
 

	
 
**smtp_from_relay_allowed** (boolean, optional, ``True``)
 
  Specify if SMTP traffic from SMTP relay should be allowed or not (for bounced
 
  messages, for example). This parameter should be set to ``False`` on systems
 
  behind NAT or on systems that may not have constant network connectivity (such
 
  as laptops) to avoid firewall failures since SMTP relay name needs to be
 
  resolvable.
 

	
 
**smtp_relay_host** (string, optional, ``None``)
 
  SMTP server via which the mails are sent out for non-local recipients.
 

	
 
**smtp_relay_truststore** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}``)
 
  X.509 certificate chain used for issuing certificate for the SMTP relay
 
  service. The file will be stored in location
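Review bot: The description of ``smtp_from_relay_allowed`` ("Specify if SMTP traffic from SMTP relay should be allowed or not") leaves the direction unclear; judging by the ferm template change in this changeset it only governs the firewall rule that accepts incoming connections on port 25 from the relay host, and outgoing relaying through ``smtp_relay_host`` is unaffected. Suggest saying so explicitly, e.g. ``Specify whether incoming SMTP connections (port 25) from the SMTP relay host should be accepted by the firewall``, and spelling out the consequence of ``False`` (bounces coming back from the relay cannot reach the host), so the reader can weigh the trade-off the NAT/laptop sentence is hinting at.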
 
@@ -1261,12 +1268,14 @@ Here is an example configuration for setting-up the mail forwarder:
 
  # well.
 
  local_mail_aliases:
 
    root: "root john.doe@example.com"
 

	
 
  smtp_relay_host: mail.example.com
 

	
 
  smtp_from_relay_allowed: False
 

	
 
  smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
 

	
 

	
 
Web Server
 
----------
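Review bot: The example sets ``smtp_from_relay_allowed: False``, the non-default value that is only justified by the NAT/laptop case described in the parameter entry, yet nothing in the example says why. The surrounding example already carries explanatory comments (``# well.`` is the tail of one), so add a one-line comment above the setting such as ``# Host is behind NAT, so the relay could not reach it anyway.`` to keep readers from copying the restrictive value into an ordinary server configuration.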
 

	
docs/usage.rst
 
@@ -632,12 +632,16 @@ Adding mail server
 
The next thing in line is to implement the mail server capability. *Majic
 
Ansible Roles* come with two distinct mail server-related roles. One for
 
setting-up a mail server host (with authenticated IMAP, SMTP, mail storage etc),
 
and one for setting-up a local SMTP mail forwarder (for having the rest of your
 
servers relay their mails to the mail server host).
 

	
 
.. note::
 
   Should you ever need to deploy the forwarder role on a laptop or machine
 
   behind NAT, make sure to look at ``smtp_from_relay_allowed`` parameter.
 

	
 
The mail server role looks-up available mail domains, users, and aliases in the
 
LDAP directory. This has already been set-up on the server
 
``comms.example.com``, but some changes will be required.
 

	
 
1. Update the playbook for communications server to include the mail server
 
role.
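Review bot: The note only tells the reader to "look at" the parameter and is missing an article; state the action, e.g. ``make sure to set the ``smtp_from_relay_allowed`` parameter to ``False````, and point at the parameter entry in ``rolereference.rst``, since that is where the reasoning lives (the relay name must be resolvable when the firewall rules are applied, which is what fails on NAT'ed or intermittently connected machines).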
roles/mail_forwarder/defaults/main.yml
 
---
 

	
 
local_mail_aliases: {}
 
smtp_from_relay_allowed: True
 
smtp_relay_host: ""
 
smtp_relay_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}"
 
\ No newline at end of file
 
smtp_relay_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}"
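Review bot: Defaulting ``smtp_from_relay_allowed`` to ``True`` keeps the existing behaviour (the port-25 rule previously depended only on ``smtp_relay_host``), so the change is backwards compatible for current deployments; a sentence to that effect in the role reference would stop readers from assuming the new parameter tightens existing installs. The hunk also adds the missing trailing newline on the ``smtp_relay_truststore`` line, which is fine but unrelated to the parameter and would be easier to spot in a separate commit.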
roles/mail_forwarder/molecule.yml
 
@@ -46,8 +46,15 @@ vagrant:
 
      interfaces:
 
        - network_name: private_network
 
          type: static
 
          ip: 10.31.127.31
 
          auto_config: yes
 

	
 
    - name: parameters-no-incoming
 
      interfaces:
 
        - network_name: private_network
 
          type: static
 
          ip: 10.31.127.32
 
          auto_config: yes
 

	
 
verifier:
 
  name: testinfra
roles/mail_forwarder/playbook.yml
 
@@ -16,12 +16,13 @@
 
        line: "{{ item.key }} {{ item.value }}"
 
      with_dict:
 
        10.31.127.10: "mail-server domain1"
 
        10.31.127.20: "client1"
 
        10.31.127.30: "parameters-mandatory"
 
        10.31.127.31: "parameters-optional"
 
        10.31.127.32: "parameters-no-incoming"
 

	
 
- hosts: client1
 
  tasks:
 

	
 
    - name: Install SWAKS for testing SMTP capability
 
      apt:
 
@@ -117,19 +118,31 @@
 

	
 
- hosts: parameters-optional
 
  roles:
 
    - role: mail_forwarder
 
      local_mail_aliases:
 
        root: "root testuser"
 
      smtp_from_relay_allowed: True
 
      smtp_relay_host: mail-server
 
      smtp_relay_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 

	
 
      # common
 
      ca_certificates:
 
        testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 

	
 
- hosts: parameters-no-incoming
 
  roles:
 
    - role: mail_forwarder
 
      smtp_relay_host: mail-server
 
      smtp_from_relay_allowed: False
 
      smtp_relay_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 

	
 
      # common
 
      ca_certificates:
 
        testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 

	
 
- hosts: parameters-optional
 
  tasks:
 

	
 
    - name: Create additional group for testing local aliases
 
      group:
 
        name: testuser
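Review bot: In the ``parameters-no-incoming`` play, ``smtp_relay_host`` comes before ``smtp_from_relay_allowed``, the opposite of the ``parameters-optional`` play and of the role reference; keep the parameters in the documented order in both plays so the two instances can be compared at a glance. Coverage-wise the matrix is now relay host set with the rule enabled (``parameters-optional``), relay host set with the rule disabled (``parameters-no-incoming``), and no relay host (``parameters-mandatory``, which exercises the ``True`` default without a relay and must still render no rule); that last combination is only checked indirectly by the connectivity tests, so a comment in the ``parameters-mandatory`` play saying that it covers the default would make the intent explicit.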
roles/mail_forwarder/templates/ferm_mail.conf.j2
 
{% if smtp_relay_host %}
 
{% if smtp_relay_host and smtp_from_relay_allowed %}
 
domain ip {
 
    # Accept incoming connections on port 25 from SMTP relay host.
 
    table filter {
 
        chain INPUT {
 
            # SMTP for server communication.
 
            proto tcp dport 25 {
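Review bot: ``smtp_from_relay_allowed`` is tested for plain Jinja truthiness in ``{% if smtp_relay_host and smtp_from_relay_allowed %}``; if the value arrives as a string (``-e smtp_from_relay_allowed=False`` on the command line, or a quoted ``"False"`` in inventory), the non-empty string is truthy and the accept rule is rendered anyway, which silently defeats the documented boolean. Suggest ``{% if smtp_relay_host and smtp_from_relay_allowed | bool %}`` so string inputs behave as documented. Keeping the ``smtp_relay_host`` guard is right, since the rule must still be skipped when no relay is configured at all.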
roles/mail_forwarder/tests/test_connectivity_from_client.py
 
@@ -12,9 +12,15 @@ def test_connectivity_from_client(Command, Sudo):
 
    """
 

	
 
    with Sudo():
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-mandatory')
 
        assert ping.rc != 0
 
        assert "100% packet loss" in ping.stderr
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-optional')
 
        assert ping.rc != 0
 
        assert "100% packet loss" in ping.stderr
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-no-incoming')
 
        assert "100% packet loss" in ping.stderr
 
        assert ping.rc != 0
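Review bot: The new ``parameters-no-incoming`` block asserts ``"100% packet loss"`` before ``ping.rc != 0``, while the two blocks above check the return code first; use the same order in all three so a failure reads the same way in every case. Adding the stderr check next to the return code is the right move: a closed but unfiltered port answers with a RST that hping3 reports as a received reply, so the packet-loss text is what actually proves the firewall drops the SYN from the client. A single probe (``-c 1``) is sufficient for a DROP rule because no reply is expected at all.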
roles/mail_forwarder/tests/test_connectivity_from_relay.py
 
@@ -12,16 +12,21 @@ def test_connectivity_from_relay(Command, Sudo):
 
    """
 

	
 
    with Sudo():
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-mandatory')
 
        assert ping.rc != 0
 
        assert "100% packet loss" in ping.stderr
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-optional')
 
        assert ping.rc == 0
 

	
 
        ping = Command('hping3 -S -p 25 -c 1 parameters-no-incoming')
 
        assert "100% packet loss" in ping.stderr
 
        assert ping.rc != 0
 

	
 

	
 
def test_mail_reception_from_relay(Command, Sudo):
 
    """
 
    Tests if mails can be sent from relay to servers configured to use the
 
    relay.
 
    """
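Review bot: The ``parameters-optional`` case asserts only ``ping.rc == 0``, which shows the host answered, not that port 25 is accepted and listening: nothing in that assert distinguishes a SYN/ACK from a RST reply. Assert on the reply flags too, e.g. ``assert "flags=SA" in ping.stdout``, so the test fails if the firewall rule is rendered but the SMTP service is not accepting connections. The ``parameters-no-incoming`` block has the same reversed assert order as in ``test_connectivity_from_client.py``; keep the order consistent across both files.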