implement inbound email reports for roundup #354

Merged: 3 commits, Apr 15, 2024

ewdurbin
Member

Resolves #352

@ewdurbin
Member Author

CC @rouilj

@ewdurbin
Member Author

ewdurbin commented Apr 12, 2024

Resulting files (note hostname will be different since this was rendered from local dev, specifically bugs.vagrant.psf.io -> bugs.nyc1.psf.io):

$ cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6



# TLS parameters
smtpd_tls_cert_file=/etc/lego/certificates/bugs.vagrant.psf.io.crt
smtpd_tls_key_file=/etc/lego/certificates/bugs.vagrant.psf.io.key
smtpd_tls_security_level=may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = bugs.vagrant.psf.io
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

virtual_alias_domains = bugs.python.org bugs.jython.org issues.roundup-tracker.org mail.roundup-tracker.org
virtual_alias_maps = hash:/etc/postfix/virtual

smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/reject_recipients
$ cat /etc/postfix/virtual

[email protected]	roundup+jython
[email protected]	roundup+roundup
$ cat /etc/postfix/reject_recipients

[email protected] REJECT This tracker is in read-only mode. Please use GitHub issues to open a ticket.

@rouilj
Contributor

rouilj commented Apr 13, 2024

Hmm:

virtual_alias_domains = bugs.python.org bugs.jython.org issues.roundup-tracker.org mail.roundup-tracker.org

in main.cf looks suspect. I think it needs to be:

  virtual_alias_domains = bugs.python.org bugs.jython.org roundup-tracker.org

I think you want to replace:

virtual_alias_domains ={%- for domain in pillar['bugs']['subject_alternative_names']  %} {{ domain }}{%- endfor %}

with something like (been years since I last salted my systems so this might need work):

virtual_alias_domains = {% for tracker, config in pillar["bugs"]["trackers"].items() %}{% if config.get("accept_email", True) %} {{ config["config"]["tracker__email"].split('@') | last }} {%- endif %}{%- endfor %}

So you are using the tracker email domains rather than the web SAN domains.

issues.roundup-tracker.org and mail.roundup-tracker.org are cnamed to bugs.python.org.
AFAIK, all email addresses generated by the roundup tracker use the apex address @roundup-tracker.org.
There is no need to support *@mail.roundup-tracker.org at this time.

Also did you want to add a warning like:

   # This file is automatically maintained. Manual changes will be removed.

to the top of salt/bugs/config/postfix/main.cf, salt/bugs/config/postfix/virtual, salt/bugs/config/postfix/reject_recipients to identify salt maintained and default vendor supplied files in the /etc/postfix tree.

The rest looks good.

Thanks for your fast work on this.
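
Added example (not part of the PR or of either participant's comments): a check of the review point above, comparing the domains listed in the rendered `virtual_alias_domains` with the domains of the tracker addresses. The pillar key names follow the template in the comment; the tracker names and every address are constructed placeholders.

```python
# Added example; key names follow the template in the comment above,
# tracker names and all addresses below are constructed placeholders.

def main_cf_param(text, name):
    """Words of one main.cf parameter; the last assignment wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank and comment lines are ignored
        if raw[0].isspace() and logical:  # leading whitespace continues a line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    value = None
    for line in logical:
        key, sep, rest = line.partition("=")
        if sep and key.strip() == name:
            value = rest
    return value.replace(",", " ").split() if value is not None else []

def tracker_email_domains(trackers):
    """Domain of each tracker__email, skipping trackers with accept_email False."""
    return {
        cfg["config"]["tracker__email"].rsplit("@", 1)[-1].lower()
        for cfg in trackers.values()
        if cfg.get("accept_email", True)
    }

def compare(listed, needed):
    """Return (needed but not listed, listed but not needed), each sorted."""
    listed = {d.lower() for d in listed}
    return sorted(needed - listed), sorted(listed - needed)

# The line as rendered in the PR description above.
RENDERED_MAIN_CF = (
    "virtual_alias_domains = bugs.python.org bugs.jython.org "
    "issues.roundup-tracker.org mail.roundup-tracker.org\n"
)
# Constructed pillar data: local parts and tracker names are placeholders.
TRACKERS = {
    "python": {"config": {"tracker__email": "placeholder@bugs.python.org"}},
    "jython": {"config": {"tracker__email": "placeholder@bugs.jython.org"}},
    "roundup": {"config": {"tracker__email": "placeholder@roundup-tracker.org"}},
}

if __name__ == "__main__":
    listed = main_cf_param(RENDERED_MAIN_CF, "virtual_alias_domains")
    print(compare(listed, tracker_email_domains(TRACKERS)))
```

With the SAN-derived list, the first element of the result names tracker e-mail domains Postfix has not been told to accept, and the second names listed domains that no tracker address uses.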

@ewdurbin
Member Author

Thanks for the review @rouilj. My only concern is that we don't have a valid TLS cert for roundup-tracker.org for Postfix to serve, since we fetch via LetsEncrypt and share the cert between the HTTP front-end (nginx) and postfix.

I'm going to ship this and we'll see.

@ewdurbin ewdurbin merged commit 3a4c769 into main Apr 15, 2024
2 checks passed
@ewdurbin ewdurbin deleted the postfix_for_bugs branch April 15, 2024 11:29
@ewdurbin
Member Author

I got the expedited Delivery Status Notifications and successfully submitted (and closed) an issue on the roundup tracker.

Calling this closed.

Successfully merging this pull request may close these issues.

Restore mail gateway for roundup installations