Feature #15511

Switch to another Puppet module to manage Postfix

Added by intrigeri 2018-04-09 15:06:30. Updated 2019-02-13 16:27:13.

Status: Resolved
Priority: Elevated
Assignee: groente
Category: Infrastructure
Target version:
Start date: 2018-04-09
Due date:
% Done: 100%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:
Deliverable for:

Subtasks


Related issues

Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure) Confirmed 2017-06-30

History

#1 Updated by intrigeri 2018-04-09 15:06:40

  • blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added

#2 Updated by intrigeri 2018-04-09 15:52:28

#3 Updated by intrigeri 2018-12-11 11:14:44

intrigeri wrote:
> One option is to switch to https://github.com/camptocamp/puppet-postfix but quite some features are missing e.g.
> https://gitlab.com/shared-puppet-modules-group/postfix/milestones/1.

Among those, the only feature we actually use is postfix::tlspolicy_snippet (https://gitlab.com/shared-puppet-modules-group/postfix/issues/8). It’s simple enough to implement, be it upstream if they take it, or on our side.

Other than that, as of camptocamp-postfix 1.7.0, the migration seems mostly straightforward and will even give us a couple neat new features:

  • We satisfy all the dependencies (the dependency on alternatives is RH-only).
  • They add a postfix::canonical resource that can be used to deal more nicely with sender_canonical_maps.
  • The module seems to support all the features we need apart from postfix::mailalias so we need to use the regular mailalias resource with notify => Exec['newaliases']. Would be nice to add this feature to the module though.
  • Everywhere we use postmap ourselves, we could switch to the nicer postfix::map resource.
  • Some parameters have a different name, e.g. for postfix::mta.

#4 Updated by intrigeri 2018-12-11 12:35:54

> * The module seems to support all the features we need apart from postfix::mailalias so we need to use the regular mailalias resource with notify => Exec['newaliases']. Would be nice to add this feature to the module though.

https://github.com/camptocamp/puppet-postfix/pull/233

#5 Updated by intrigeri 2018-12-11 13:22:05

intrigeri wrote:
> > * The module seems to support all the features we need apart from postfix::mailalias so we need to use the regular mailalias resource with notify => Exec['newaliases']. Would be nice to add this feature to the module though.
>
> https://github.com/camptocamp/puppet-postfix/pull/233

Merged upstream :)

#6 Updated by intrigeri 2018-12-11 14:42:17

  • blocks Feature #16218: Migrate some of our Schleuder lists to lizard added

#7 Updated by intrigeri 2018-12-18 18:06:04

  • Priority changed from Normal to High

#8 Updated by intrigeri 2018-12-19 10:09:47

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 50

Done & deployed. Resulting changes in /etc look good. I’ll see when I do Feature #16218 whether it works fine as well to configure a brand new system. Will wait & see whether email gets delivered (we have a monitoring check for the Postfix mailqueue).

#9 Updated by intrigeri 2018-12-19 11:43:11

  • Assignee changed from intrigeri to groente
  • QA Check set to Ready for QA

intrigeri wrote:
> I’ll see when I do Feature #16218 whether it works fine as well to configure a brand new system.

It does.

> Will wait & see whether email gets delivered

At least ecours, lizard and VM hosted on lizard can deliver email so we should be good. If we’re not, monitoring will tell us.

All relevant commits have this ticket ID in the commit message.

#10 Updated by intrigeri 2018-12-24 09:50:55

  • Assignee changed from groente to intrigeri
  • QA Check deleted (Ready for QA)

Hold on, I just realized that this turned chrooting off for many of the Postfix services in master.cf. I’ll turn it back on by passing chroot => true to the Postfix class. Then I’ll need to ensure this does not break with commit 816d4c02b08659149373c3463b2acf3bf810626c in puppet-tails.git; if it does, I’ll have to ensure these custom CAs are copied to the chroot.
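
A check for the regression described in comment #10, as an added example that is not part of the ticket or of puppet-tails.git: it lists the master.cf services whose chroot column does not resolve to y. The function names and the sample master.cf are constructed for illustration; local, pipe and virtual are skipped because those daemons cannot run chrooted.

```shell
#!/bin/sh
# Added example: report master.cf services that would not run chrooted.
# Columns: service type private unpriv chroot wakeup maxproc command+args

# unchrooted_services FILE [DEFAULT]
#   FILE     master.cf path, or "-" for stdin
#   DEFAULT  meaning of "-" in the chroot column: "n" on Postfix >= 3.0,
#            "y" on older releases (see master(5)); defaults to "n"
unchrooted_services() {
    awk -v def="${2:-n}" '
        /^[ \t]*(#|$)/ { next }   # comments and blank lines
        /^[ \t]/       { next }   # continuation line (-o overrides)
        NF >= 8 {
            # local(8), pipe(8) and virtual(8) cannot run chrooted: skip them
            if ($8 == "local" || $8 == "pipe" || $8 == "virtual") next
            state = ($5 == "-") ? def : $5
            if (state != "y") print $1 "/" $2
        }
    ' "$1"
}

# Constructed sample, not taken from any real host.
sample_master_cf() {
    cat <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command
smtp      inet  n       -       y       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
smtp      unix  -       -       y       -       -       smtp
  -o smtp_tls_security_level=may
local     unix  -       n       n       -       -       local
EOF
}

# With a file argument audit that file, otherwise run on the sample.
if [ "$#" -ge 1 ]; then
    unchrooted_services "$@"
else
    sample_master_cf | unchrooted_services - n
fi
```

Run against the master.cf generated before and after a module change, a difference in the output shows which services lost their chroot.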

#11 Updated by intrigeri 2018-12-24 10:11:12

The Postfix instanced services set up their chroot via ExecStartPre=/usr/lib/postfix/configure-instance.sh %i. Similarly, I’ll add a drop-in override with another ExecStartPre= directive, that will be run after the existing one, and will copy the custom CAs to the chroot.
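
One way to write the extra ExecStartPre= step described in comment #11, as an added example and not the implementation deployed in puppet-tails.git. The drop-in name, script path, source directory and the etc/ssl/certs destination inside the chroot are assumptions, and the script takes explicit paths rather than resolving them from %i.

```shell
#!/bin/sh
# Added example, not the puppet-tails implementation. Intended caller is a
# systemd drop-in (file name and script path are assumptions):
#   /etc/systemd/system/postfix@.service.d/custom-cas.conf
#     [Service]
#     ExecStartPre=/usr/local/sbin/postfix-chroot-cas SRC_DIR QUEUE_DIR
# ExecStartPre= lines from drop-ins are appended, so this runs after the
# unit's own configure-instance.sh step.

# sync_cas SRC_DIR QUEUE_DIR: copy *.crt and *.pem into the chroot and
# print how many files were installed.
sync_cas() {
    src=$1
    jail=$2
    dest="$jail/etc/ssl/certs"    # assumed location inside the chroot
    [ -d "$src" ]  || { echo "missing CA directory: $src" >&2; return 1; }
    [ -d "$jail" ] || { echo "missing queue directory: $jail" >&2; return 1; }
    mkdir -p "$dest" || return 1
    count=0
    for f in "$src"/*.crt "$src"/*.pem; do
        # -f follows symlinks: skips unmatched globs, directories and
        # dangling links
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # cp -L copies the link target: a symlink pointing outside the
        # chroot would be unreadable to the chrooted daemon
        cp -L "$f" "$dest/.$name.tmp" || return 1
        chmod 0644 "$dest/.$name.tmp"
        mv -f "$dest/.$name.tmp" "$dest/$name"   # rename: no partial file visible
        count=$((count + 1))
    done
    echo "$count"
}

# Invoked with two arguments (as from ExecStartPre=), do the copy quietly.
if [ "$#" -eq 2 ]; then
    sync_cas "$1" "$2" >/dev/null
fi
```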

#12 Updated by intrigeri 2018-12-30 09:34:29

  • blocked by deleted (Feature #16218: Migrate some of our Schleuder lists to lizard)

#13 Updated by intrigeri 2019-01-04 13:25:18

And once that’s fixed, revert 90400e5 in puppet-tails.

#14 Updated by intrigeri 2019-01-26 17:31:46

  • Assignee changed from intrigeri to groente
  • QA Check set to Ready for QA

All done, deployed, seems to work fine. I was not too happy with my first implementation but I’m fine with the 2nd iteration, that takes benefit of the way the postfix@.service are instantiated to make the whole thing generic :) I’ve tagged Feature #15511 all the relevant commits.

#15 Updated by anonym 2019-01-30 11:59:30

  • Target version changed from Tails_3.12 to Tails_3.13

#16 Updated by intrigeri 2019-02-10 15:00:26

  • Priority changed from High to Elevated

(The review is not that urgent and I’d like the parent ticket to have priority << high.)

#17 Updated by groente 2019-02-13 15:27:36

  • Status changed from In Progress to Resolved
  • Target version deleted (Tails_3.13)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

#18 Updated by intrigeri 2019-02-13 16:27:13

  • Target version set to Tails_3.13

(Makes it easier to look at our Redmine dashboards and get an overview of what we did when.)