We're going to want Mailman 3 served over HTTPS for security
reasons, so start by generating certificates for each of the sites
we have in v2. Also collect the acme.sh logs for verification.
Change-Id: I261ae55c6bc0a414beb473abcb30f9a86c63db85
This is a new mailing list into which the current staff ML from the
lists.openstack.org site will be manually migrated. The existing one
is not included in our current configuration anyway, but a followup
change will set up an appropriate forward for its old address once
migration is complete.
Change-Id: I15f47d210e38a8f04925ffba27e44b2ad5e97dd5
In order to be able to redirect list addresses which have moved from
one domain to another, we need a solution to alias the old addresses
to the new ones. We have simple aliases but they only match on the
local part. Add a new /etc/aliases.domain which matches full
local_part@domain addresses instead. Also collect this file in the
Mailman deployment test for ease of inspection.
Change-Id: I16f871e96792545e1a8cc8eb3834fa4eb82e31c8
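The difference this commit message describes, sketched as two Exim redirect routers. This is an added example, not the project's own router definitions: the router names, the `local_domains` domain list and the sample alias entry are assumptions, and only the /etc/aliases.domain path comes from the message above.

```exim
# Assumes a domain list named local_domains is defined in the main
# configuration section (hypothetical name for this example).

# Local-part-only aliases: the lookup key is $local_part, so an entry
# for "oldlist" applies to oldlist@ every domain this router handles.
# It cannot redirect oldlist@one-domain while leaving
# oldlist@another-domain alone.
system_aliases:
  driver = redirect
  domains = +local_domains
  data = ${lookup{$local_part}lsearch{/etc/aliases}}

# Full-address aliases: the lookup key is local_part@domain, so each
# entry matches exactly one address and a list that moved between
# domains can be forwarded without touching same-named lists elsewhere.
domain_aliases:
  driver = redirect
  domains = +local_domains
  data = ${lookup{$local_part@$domain}lsearch{/etc/aliases.domain}}

# /etc/aliases.domain, one constructed sample entry (key, colon, target):
#   oldlist@lists.example.org: newlist@lists.example.net
```

Exim tries routers in the order they appear in the configuration, so where the full-address router sits relative to the others decides which one claims an address first.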
The Open Infrastructure Foundation has a number of mailing lists
located in the lists.openstack.org site due to historical reasons
(from when they were the OpenStack Foundation). In order to better
disambiguate their mailing lists, a new Mailman site is being
created into which they'll be moved, leaving the old site
exclusively for OpenStack project-specific lists.
As a first step, create the new lists.openinfra.dev site with the
default "mailman" meta-list (which will be hidden once created).
Subsequent changes will create new lists, and remove/redirect the
old ones once configuration is manually replicated.
Change-Id: I64770fbc33184374f1d24f4a2c234f849ab47bce
This switches testing of lists.openstack.org to Focal and we make a CGI
env var update to accommodate newer mailman.
Specifically newer mailman's CGI scripts filter env vars that it will
pass through. We were setting MAILMAN_SITE_DIR to vhost our mailman
installs with apache2, but that doesn't pass the filter and is removed.
HOST is passed through so we update our scripts, apache vhost configs,
exim, and init scripts to use the HOST env var instead.
Change-Id: I5c8c70c219669e37b7b75a61001a2b7f7bb0bb6c
The openstack-security mailing list is officially closing, and wants
future attempts at posting to end up on openstack-discuss instead:
http://lists.openstack.org/pipermail/openstack-security/2021-June/006077.html
This was also the only remaining user of the notify-impact Gerrit
hook, so we can stop installing/running it.
Change-Id: Id60b781beb072366673b32326e32fd79637c1219
This converts our existing puppeted mailman configuration into a set of
ansible roles and a new playbook. We don't try to do anything new and
instead do our best to map from puppet to ansible as closely as
possible. This helps reduce churn and will help us find problems more
quickly if they happen.
Followups will further cleanup the puppetry.
Change-Id: If8cdb1164c9000438d1977d8965a92ca8eebe4df
The OpenStack Infrastructure team has disbanded, replaced by the
OpenDev community and the OpenStack TaCT SIG. As OpenStack-specific
community infrastructure discussion now happens under TaCT's banner
and they use the openstack-discuss ML, redirect any future messages
for the openstack-infra ML there so we can close down the old list.
Change-Id: I0aea3b36668a92e47a6510880196589b94576cdf
The list owners miss their notifications, and a quick check of the
Exim logs on the listserv indicates the constant flood which
precipitated these blackhole aliases has finally subsided.
This reverts commit 159f012d47.
Change-Id: I0b3f0bb8a0f802e98211abc5aff8b04586e42f73
The OpenStack User Committee is working on merging with the
Technical Committee, and part of that is making sure discussions all
occur in a common place (including planning the committee merger).
The TC already moved its E-mail discussions to the openstack-discuss
mailing list in late 2018, so moving UC discussions to the same list
is imperative.
Change-Id: I9fd6580a65995be235c0f52e65b37a8491edca95
Make inventory/service for service-specific things, including the
groups.yaml group definitions, and inventory/base for hostvars
related to the base system, including the list of hosts.
Move the existing host_vars into inventory/service, since most of
them are likely service-specific. Move group_vars/all.yaml into
base/group_vars as almost all of it is related to base things,
with the exception of the gerrit public key.
A followup patch will move host-specific values into equivalent
files in inventory/base.
This should let us override hostvars in gate jobs. It should also
allow us to do better file matchers - and to be able to organize
our playbooks move if we want to.
Depends-On: https://review.opendev.org/731583
Change-Id: Iddf57b5be47c2e9de16b83a1bc83bee25db995cf
This requires an external program and only works on Debian hosts.
Newer versions of exim (4.91) have SPF functionality built-in, but
they are not yet available to us.
Change-Id: Idfe6bfa5a404b61c8761aa1bfa2212e4b4e32be9
The airship-discuss-owner address for lists.airshipit.org is now
besieged with a flood of unsolicited messages. Reject anything sent
to it with an SMTP error explaining the situation.
Change-Id: I19fcea2a502c41cc9438f2710dae3cd686eecc05
To debug DMARC issues, save a copy of every message sent to
openstack-discuss with as little manipulation as possible.
Change-Id: Ic1156849957bc326e9216c2aca0ab9d180e158e6
The owner address for the starlingx-discuss list on
lists.starlingx.io has started receiving large volumes of
unsolicited messages unrelated to its intended purpose. As there's
no easy way to discern them from legitimate messages, we'll do the
same as we've done for other owner addresses and reject them with a
brief error explaining the situation.
Change-Id: I95a910c2e6206098ca268a0e10e86b66455ad1bd
Set up the initial boilerplate to enable addition of new
project-neutral Mailman mailing lists on lists.opendev.org.
Change-Id: I8cad4149bdd7b51d10f43b928cdb9362d4bde835
This list's owners have asked for it to be shut down, as they will
be using an [interop-wg] tag on the new openstack-discuss ML for
future communication. Once this merges (so that Puppet won't
recreate it), the list can be removed with the `rmlist` utility
(this will still leave the archives available but will remove it
from the list index and no longer accept subscriptions/posts).
Set the old list address as an alias for the new openstack-discuss
ML so that replies to previous messages from the list will be routed
there for the foreseeable future.
Change-Id: Ib5fd5aece2465d569e0e7c180ee14ba94882f2b7
The general openstack, openstack-dev, openstack-operators and
openstack-sigs mailing lists have been deprecated since November 19
and are slated to be removed on December 3. Merging this on that
date will ensure any further replies to messages from those lists
are rerouted to the new openstack-discuss mailing list for the
foreseeable future.
The openstack-tc list is included in this batch as it has already
been closed down with a recommendation to send further such
communications to the openstack-discuss ML.
Additionally remove the Puppet mailman resource for the
openstack-sigs ML so it won't be automatically recreated after it
gets deleted (the other lists predate our use of Puppet for this
purpose).
Clean up the corresponding -owner spam rejection aliases since these
addresses will no longer be accepting E-mail anyway.
Change-Id: I9a7fae465c3f6bdcf3ebbadb8926eb4feb8fad79
The OpenStack Korean mailing list's owner address has
become overrun by the same mass spam we've seen hitting our other ML
owner addresses. Add a blackhole alias for it.
Change-Id: Ia6c7e6701a69ee56076062aa85f8699121648501
The OpenStack SIGS mailing list's owner address is starting to
become overrun by the same mass spam we've seen hitting our other ML
owner addresses. Add a blackhole alias for it.
Change-Id: Iefc5b5fa600c5d1de75d3302c8ddf0e1a03301e5
The OpenStack edge-computing mailing list's owner address is
starting to become overrun by the same mass spam we've seen hitting
our other ML owner addresses. Add a blackhole alias for it.
Change-Id: I97a2db5d0565cc166604352e397f580ea2d9e767
The mailman verp router handles remote addresses like dnslookup.
It needs to run before dnslookup in order to be effective, so run
it first. It's only for outgoing messages, not incoming, so won't
affect the blackhole aliases we have for incoming fake bounce
messages.
Note that the verp router hasn't been used in about a year due to
this oversight, so we should merge this change with caution.
Change-Id: I7d2a0f05f82485a54c1e7048f09b4edf6e0f0612
So that we can have complete control of the router order, always
template the full set of routers, including the "default" ones.
So that it's easy to use the defaults but put them in a different
order, define each router in its own variable which can be used
in host or group vars to "copy" that router in.
Apply this change to lists, firehose, and storyboard, all of which
have custom exim routers. Note that firehose intentionally has
its localuser router last.
Change-Id: I737942b8c15f7020b54e350db885e968a93f806a
The mailing list servers have a more complex exim config. Put the
routers and transports into ansible variables.
While we're doing it, role variables with an exim_ prefix - since 'routers'
as a global variable might be a little broad.
iteritems isn't a thing in python3, only items.
We need to escape the exim config with ${if or{{ - because of the {{
which looks like jinja. Wrap it in a {% raw %} block.
Getting the yaml indentation right for things here is non-trivial. Make
them strings instead.
Add a README.rst file - and use the zuul:rolevar construct in it,
because it's nice.
Change-Id: Ieccfce99a1d278440c5baa207479a1887898298e