From 72382b845a9f51920bf8b7ba8ea6268e62f34434 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Wed, 12 Feb 2014 13:16:15 -0800
Subject: [PATCH] Only allow mail from jenkins from zuul

If someone copies the production Zuul configuration, they may end up sending emails as jenkins@o.o. Configure our hosts to only accept email with an envelope sender or From header of jenkins@.o.o if the connecting host is zuul.openstack.org (or localhost, to handle the case of exim running on zuul.o.o itself).
Change-Id: Ic92bb39659689347fea1744ee8c1b47ef21858b0
---
 modules/exim/templates/exim4.conf.erb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/modules/exim/templates/exim4.conf.erb b/modules/exim/templates/exim4.conf.erb
index e3b424c707..b5be96d4f2 100644
--- a/modules/exim/templates/exim4.conf.erb
+++ b/modules/exim/templates/exim4.conf.erb
@@ -457,6 +457,13 @@ acl_check_rcpt:
 control = submission
 control = dkim_disable_verify
+ # In case people cargo-cult our Zuul configuration, only allow
+ # messages with an envelope sender of jenkins from OpenStack's Zuul.
+
+ deny senders = jenkins@openstack.org
+ !hosts = zuul.openstack.org : 127.0.0.1
+ message = Sender address not permitted from this host
+
 # Insist that any other recipient address that we accept is either in one of
 # our local domains, or is in a domain for which we explicitly allow
 # relaying. Any other domain is rejected as being unacceptable for relaying.
@@ -529,6 +536,14 @@ acl_check_data:
 # X-Spam_bar: $spam_bar\n\
 # X-Spam_report: $spam_report
+ # In case people cargo-cult our Zuul configuration, only allow
+ # messages with a From header of jenkins from OpenStack's Zuul.
+
+ deny condition = ${if eq{${address:$h_from:}}\
+ {jenkins@openstack.org}}
+ !hosts = zuul.openstack.org : 127.0.0.1
+ message = From address not permitted from this host
+
 # Accept the message.
 accept
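Review bot: In the acl_check_rcpt hunk the new `deny senders` statement is placed after the context lines `control = submission` / `control = dkim_disable_verify`, which look like the tail of an earlier `accept` statement whose start is outside the hunk. A connection accepted by that statement never reaches the new check, so the envelope-sender restriction covers only clients that fall through to it. If that is intended, a comment such as `# Hosts accepted by the statements above are not subject to this check; acl_check_data still tests the From header` would make the coverage explicit; otherwise the block belongs ahead of those accepts. The `!hosts` list also names only the IPv4 loopback, so a local submission on zuul arriving over IPv6 would be refused unless `::1` is added (written `::::1` in a colon-separated Exim list); the same list is repeated in the acl_check_data hunk.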
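Review bot: In the acl_check_data hunk the From-header test uses `eq`, which compares case-sensitively, so a header address that differs from jenkins@openstack.org only in letter case is not matched and the message is accepted from any host. Using the case-insensitive operator, `deny condition = ${if eqi{${address:$h_from:}}\`, brings the header check in line with how the `senders` address list in the other hunk is normally matched. `${address:...}` also expects a single address, so a From header that carries several mailboxes, or a message with more than one From header, probably yields a string that does not equal the protected address either. Checking each item of `${addresses:$h_from:}` instead would cover that case and should be verified on the deployed Exim version.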