authorbertagaz <bertagaz@ptitcanardnoir.org>2017-10-30 12:08:52 +0100
committerbertagaz <bertagaz@ptitcanardnoir.org>2017-10-30 12:08:52 +0100
commitdb7e8b98813fda8d1ea83020e7a24887ce9d5e2f (patch)
tree2a81446dfabd149752f8be46e4e69d48f9499706
parent657d1cb29ef9669d97a4a8eccddc61060aece50a (diff)
parent7250c3548273a0087ea39a2845b7cddc430403bb (diff)
Merge remote-tracking branch 'origin/master' into feature/12633-lower-reproducible-builds-workloadfeature/12633-lower-reproducible-builds-workload
-rw-r--r--files/monitoring/icinga2/checkcommands/check_systemd.conf6
-rw-r--r--files/monitoring/icinga2/plugins/pynagsystemd106
-rw-r--r--manifests/jenkins/master.pp6
-rw-r--r--manifests/jenkins/slave/iso_tester.pp7
-rw-r--r--manifests/limesurvey.pp1
-rw-r--r--manifests/monitoring/agent.pp2
-rw-r--r--manifests/monitoring/checkcommand/systemd.pp17
-rw-r--r--manifests/monitoring/config.pp9
-rw-r--r--manifests/monitoring/config/common_services.pp7
-rw-r--r--manifests/monitoring/master.pp2
-rw-r--r--manifests/monitoring/plugin/check_systemd.pp17
-rw-r--r--manifests/monitoring/satellite.pp6
-rw-r--r--manifests/monitoring/service/systemd.pp42
-rw-r--r--manifests/tester/support/email.pp188
-rw-r--r--templates/monitoring/service/systemd.erb15
-rw-r--r--templates/tester/support/email/dovecot/tails-tester-support.conf.erb20
-rw-r--r--templates/tester/support/email/postfix/main.cf.erb23
-rw-r--r--templates/tester/support/email/postfix/master.cf.erb124
18 files changed, 598 insertions, 0 deletions
diff --git a/files/monitoring/icinga2/checkcommands/check_systemd.conf b/files/monitoring/icinga2/checkcommands/check_systemd.conf
new file mode 100644
index 0000000..605683f
--- /dev/null
+++ b/files/monitoring/icinga2/checkcommands/check_systemd.conf
@@ -0,0 +1,6 @@
+object CheckCommand "systemd" {
+ import "plugin-check-command"
+
+ command = [ "sudo", PluginDir + "/pynagsystemd" ]
+
+}
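Review bot: The command array calls `sudo` without `-n`, so on a host where the sudoers rule is missing or does not match, sudo attempts a password prompt instead of failing cleanly; `command = [ "sudo", "-n", PluginDir + "/pynagsystemd" ]` makes that case fail immediately with a clear error. The object also declares no `arguments`, so the plugin's `-s` option added in this commit cannot be set from Icinga and only the `systemctl --failed` path is ever run. Both calls the plugin makes (`systemctl --failed`, `systemctl is-active`) are read-only status queries, so it is worth confirming that root is needed at all before keeping the sudo wrapper. The sudoers rule added in manifests/monitoring/config.pp hard-codes /usr/lib/nagios/plugins/pynagsystemd, which has to equal PluginDir for the rule to match.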
diff --git a/files/monitoring/icinga2/plugins/pynagsystemd b/files/monitoring/icinga2/plugins/pynagsystemd
new file mode 100644
index 0000000..14de0e8
--- /dev/null
+++ b/files/monitoring/icinga2/plugins/pynagsystemd
@@ -0,0 +1,106 @@
+#!/usr/bin/env python
+"""
+You can redistribute it and/or modify it under the terms of the GNU General
+Public License as published by the Free Software Foundation, either version 2
+of the License.
+Copyright Andrea Briganti a.k.a 'Kbyte'
+"""
+import io
+import subprocess
+import argparse
+
+import nagiosplugin
+
+
+class SystemdStatus(nagiosplugin.Resource):
+ name = 'SYSTEMD'
+
+ def probe(self):
+ # Execute systemctl --failed --no-legend and get output
+ try:
+ p = subprocess.Popen(['systemctl', '--failed', '--no-legend'],
+ stderr=subprocess.PIPE,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE)
+ pres, err = p.communicate()
+ except OSError as e:
+ raise nagiosplugin.CheckError(e)
+
+ if err:
+ raise nagiosplugin.CheckError(err)
+
+ if pres:
+ result = ""
+ for line in io.StringIO(pres.decode('utf-8')):
+ result = "%s %s" % (result, line.split(' ')[0])
+
+ return [nagiosplugin.Metric('systemd', (False, result), context='systemd')]
+
+ return [nagiosplugin.Metric('systemd', (True, None), context='systemd')]
+
+
+class ServiceStatus(nagiosplugin.Resource):
+ name = 'SYSTEMD'
+
+ def __init__(self, *args, **kwargs):
+ self.service = kwargs.pop('service')
+ super(nagiosplugin.Resource, self).__init__(*args, **kwargs)
+
+ def probe(self):
+ # Execute systemctl is-active and get output
+ try:
+ p = subprocess.Popen(['systemctl', 'is-active', self.service],
+ stderr=subprocess.PIPE,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE)
+ pres, err = p.communicate()
+ except OSError as e:
+ raise nagiosplugin.CheckError(e)
+
+ if err:
+ raise nagiosplugin.CheckError(err)
+ if pres:
+ result = ""
+ for line in io.StringIO(pres.decode('utf-8')):
+ result = "%s %s" % (result, line.split(' ')[0])
+ result = result.strip()
+ if result == "active":
+ return [nagiosplugin.Metric('systemd', (True, None), context='systemd')]
+ else:
+ return [nagiosplugin.Metric('systemd', (False, self.service), context='systemd')]
+
+ return [nagiosplugin.Metric('systemd', (False, "No Service given"), context='systemd')]
+
+
+class SystemdContext(nagiosplugin.Context):
+ def __init__(self):
+ super(SystemdContext, self).__init__('systemd')
+
+ def evaluate(self, metric, resource):
+ value, output = metric.value
+ if value:
+ return self.result_cls(nagiosplugin.Ok, metric=metric)
+ else:
+ return self.result_cls(nagiosplugin.Critical, metric=metric, hint='failed units: %s' % output)
+
+
+def main():
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-s", "--service", type=str, dest="service", help="Name of the Service that is beeing tested")
+
+ args = parser.parse_args()
+
+ if args.service is None:
+ check = nagiosplugin.Check(
+ SystemdStatus(),
+ SystemdContext())
+ else:
+ check = nagiosplugin.Check(
+ ServiceStatus(service=args.service),
+ SystemdContext())
+ check.main()
+
+
+if __name__ == '__main__':
+ main()
+
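Review bot: `ServiceStatus.__init__` calls `super(nagiosplugin.Resource, self).__init__(*args, **kwargs)`, which names the parent rather than the class itself and so skips any initializer `nagiosplugin.Resource` defines; it should read `super(ServiceStatus, self).__init__(*args, **kwargs)`. Because this script is run as root through sudo and `self.service` comes straight from `--service`, put `'--'` before it in the argument list (`['systemctl', 'is-active', '--', self.service]`) so a value beginning with `-` cannot be parsed by systemctl as an option. For the same reason neither the interpreter nor `systemctl` should be resolved through PATH: `#!/usr/bin/python` and an absolute systemctl path remove the reliance on sudo's environment reset. In `ServiceStatus.probe` an inactive service is reported through `SystemdContext` with the hint text `failed units:` followed by the service name, and empty stdout yields "No Service given" even when one was given; clearer messages or a comment there would help whoever reads the alert.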
diff --git a/manifests/jenkins/master.pp b/manifests/jenkins/master.pp
index ad79cfa..ec0477e 100644
--- a/manifests/jenkins/master.pp
+++ b/manifests/jenkins/master.pp
@@ -104,6 +104,12 @@ class tails::jenkins::master (
digest_type => 'sha512',
}
+ jenkins::plugin { 'downstream-ext':
+ version => '1.8',
+ digest_string => '5033490d9b34943488e387d64a3a09cf02a43dced29b0f43e8a68b9d837a1869702f9080831fc80e64e2addebf0553bd5c6a8793b46182ed1535422ca839d27f',
+ digest_type => 'sha512',
+ }
+
jenkins::plugin { 'email-ext':
version => '2.39.3',
digest_string => 'e810accf918560daab2ba08929dad2f9d130758555d9ba1d2b94c28a0e594e2fc163a9c18f531d4051ead10c400523f126a85365ce48f2ac875effaa4a508acb',
diff --git a/manifests/jenkins/slave/iso_tester.pp b/manifests/jenkins/slave/iso_tester.pp
index 5a3242f..b68e18c 100644
--- a/manifests/jenkins/slave/iso_tester.pp
+++ b/manifests/jenkins/slave/iso_tester.pp
@@ -10,8 +10,11 @@ class tails::jenkins::slave::iso_tester (
$temp_dir_fs_type = 'ext4',
$temp_dir_mount_options = 'relatime,acl',
$test_suite_shared_secrets_repo = 'tails@git.tails.boum.org:test-suite-shared-secrets',
+ $manage_email_server = false,
) {
+ validate_bool($manage_email_server)
+
validate_string(
$master_url,
)
@@ -36,6 +39,10 @@ class tails::jenkins::slave::iso_tester (
temp_dir_mount_options => $temp_dir_mount_options,
}
+ if $manage_email_server {
+ include tails::tester::support::email
+ }
+
file { '/etc/systemd/system/jenkins-slave.service.d':
ensure => directory,
}
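Review bot: The new `include tails::tester::support::email` pulls in a class whose `$email_password` parameter has no default (see manifests/tester/support/email.pp in this commit), so turning on `$manage_email_server` without supplying that value through data lookup will presumably fail catalog compilation. A comment next to the parameter would make the dependency visible, for example `# Requires tails::tester::support::email::email_password to be set in Hiera.` The class body continues outside this hunk.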
diff --git a/manifests/limesurvey.pp b/manifests/limesurvey.pp
index ed25998..920fcfe 100644
--- a/manifests/limesurvey.pp
+++ b/manifests/limesurvey.pp
@@ -25,6 +25,7 @@ class tails::limesurvey (
'libapache2-mod-removeip',
'ncdu',
'php',
+ 'php-imagick',
'php-mysql',
'php-mbstring',
'php-xml',
diff --git a/manifests/monitoring/agent.pp b/manifests/monitoring/agent.pp
index 21ac873..424c3cc 100644
--- a/manifests/monitoring/agent.pp
+++ b/manifests/monitoring/agent.pp
@@ -73,6 +73,8 @@ class tails::monitoring::agent (
Tails::Monitoring::Service::Upgradeable <<| nodename == $nodename |>>
+ Tails::Monitoring::Service::Systemd <<| nodename == $nodename |>>
+
}
}
diff --git a/manifests/monitoring/checkcommand/systemd.pp b/manifests/monitoring/checkcommand/systemd.pp
new file mode 100644
index 0000000..6c953c0
--- /dev/null
+++ b/manifests/monitoring/checkcommand/systemd.pp
@@ -0,0 +1,17 @@
+class tails::monitoring::checkcommand::systemd (
+ $ensure = present,
+){
+
+ include ::tails::monitoring::plugin::check_systemd
+
+ file { '/etc/icinga2/conf.d/check_systemd.conf':
+ ensure => $ensure,
+ owner => 'nagios',
+ group => 'nagios',
+ mode => '0600',
+ source => 'puppet:///modules/tails/monitoring/icinga2/checkcommands/check_systemd.conf',
+ require => Class['tails::monitoring::plugin::check_systemd'],
+ notify => Service['icinga2'],
+ }
+
+}
diff --git a/manifests/monitoring/config.pp b/manifests/monitoring/config.pp
index 5d5b23d..b22c2b8 100644
--- a/manifests/monitoring/config.pp
+++ b/manifests/monitoring/config.pp
@@ -82,4 +82,13 @@ class tails::monitoring::config (
require => Package['icinga2'],
}
+ file { '/etc/sudoers.d/nagios-systemd':
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0440',
+ content => "nagios ALL = (root) NOPASSWD: /usr/lib/nagios/plugins/pynagsystemd\n",
+ require => Package['icinga2'],
+ }
+
}
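Review bot: The sudoers fragment is installed without a syntax check, and a malformed file under /etc/sudoers.d can make sudo refuse to run on the node; adding `validate_cmd => '/usr/sbin/visudo -cf %',` to this `file` resource lets Puppet reject a bad fragment before it replaces the live one. The rule also lists the command with no argument specification, which allows `nagios` to pass arbitrary arguments to a script running as root; since the CheckCommand in this commit passes none, appending an empty-string argument (`""`) after the command path in the rule would pin it to the argument-less form. The resource requires `Package['icinga2']`, but nothing visible in this hunk guarantees that sudo itself is installed.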
diff --git a/manifests/monitoring/config/common_services.pp b/manifests/monitoring/config/common_services.pp
index 7a65563..4d7ceaf 100644
--- a/manifests/monitoring/config/common_services.pp
+++ b/manifests/monitoring/config/common_services.pp
@@ -43,6 +43,13 @@ class tails::monitoring::config::common_services (
tag => $parent_zone,
}
+ @@::tails::monitoring::service::systemd { "systemd@${nodename}":
+ ensure => $ensure,
+ nodename => $nodename,
+ zone => $zone,
+ tag => $parent_zone,
+ }
+
@@::tails::monitoring::service::postfix_mailqueue { "mailqueue@${nodename}":
ensure => $ensure,
nodename => $nodename,
diff --git a/manifests/monitoring/master.pp b/manifests/monitoring/master.pp
index 844f78b..27da6de 100644
--- a/manifests/monitoring/master.pp
+++ b/manifests/monitoring/master.pp
@@ -204,6 +204,8 @@ class tails::monitoring::master (
Tails::Monitoring::Service::Memory <<| |>>
+ Tails::Monitoring::Service::Systemd <<| |>>
+
Tails::Monitoring::Service::Postfix_mailqueue <<| |>>
Tails::Monitoring::Service::Upgradeable <<| |>>
diff --git a/manifests/monitoring/plugin/check_systemd.pp b/manifests/monitoring/plugin/check_systemd.pp
new file mode 100644
index 0000000..8683eac
--- /dev/null
+++ b/manifests/monitoring/plugin/check_systemd.pp
@@ -0,0 +1,17 @@
+class tails::monitoring::plugin::check_systemd (
+ $ensure = present,
+){
+
+ file {'/usr/lib/nagios/plugins/pynagsystemd':
+ ensure => $ensure,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ source => 'puppet:///modules/tails/monitoring/icinga2/plugins/pynagsystemd',
+ notify => Service['icinga2'],
+ require => Package['python-nagiosplugin'],
+ }
+
+ ensure_packages(['python-nagiosplugin'])
+
+}
diff --git a/manifests/monitoring/satellite.pp b/manifests/monitoring/satellite.pp
index eee616a..72d77da 100644
--- a/manifests/monitoring/satellite.pp
+++ b/manifests/monitoring/satellite.pp
@@ -58,12 +58,16 @@ class tails::monitoring::satellite (
Tails::Monitoring::Service::Disk <<| zone == $zone |>>
+ Tails::Monitoring::Service::Memory <<| zone == $zone |>>
+
Tails::Monitoring::Service::Number_in_file <<| zone == $zone |>>
Tails::Monitoring::Service::Postfix_mailqueue <<| zone == $zone |>>
Tails::Monitoring::Service::Upgradeable <<| zone == $zone |>>
+ Tails::Monitoring::Service::Systemd <<| zone == $zone |>>
+
Tails::Monitoring::Config::Host <<| tag == $zone |>>
Tails::Monitoring::Service <<| tag == $zone |>>
@@ -78,4 +82,6 @@ class tails::monitoring::satellite (
Tails::Monitoring::Service::Upgradeable <<| tag == $zone |>>
+ Tails::Monitoring::Service::Systemd <<| tag == $zone |>>
+
}
diff --git a/manifests/monitoring/service/systemd.pp b/manifests/monitoring/service/systemd.pp
new file mode 100644
index 0000000..55c43ee
--- /dev/null
+++ b/manifests/monitoring/service/systemd.pp
@@ -0,0 +1,42 @@
+# Manages the monitoring of systemd.
+define tails::monitoring::service::systemd (
+ $zone,
+ $nodename,
+ $ensure = present,
+ $enable_notifications = true,
+ $check_interval = '1h',
+ $retry_interval = '10m',
+ $display_name = undef,
+){
+
+ validate_re($ensure, '^(present|absent)$')
+
+ validate_string(
+ $name,
+ $nodename,
+ $check_interval,
+ $retry_interval,
+ )
+
+ validate_bool($enable_notifications)
+
+ if $display_name == undef {
+ $displayed_name = $name
+ } else {
+ validate_string($display_name)
+ $displayed_name = $display_name
+ }
+
+ include ::tails::monitoring::checkcommand::systemd
+
+ file { "/etc/icinga2/zones.d/${zone}/systemd.conf":
+ ensure => $ensure,
+ owner => 'nagios',
+ group => 'nagios',
+ mode => '0600',
+ content => template('tails/monitoring/service/systemd.erb'),
+ require => Class['::tails::monitoring::checkcommand::systemd'],
+ notify => Service['icinga2'],
+ }
+
+}
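Review bot: The managed path `/etc/icinga2/zones.d/${zone}/systemd.conf` depends only on `$zone`, while the define is exported once per node (`systemd@${nodename}`), so, as far as this hunk shows, a master or satellite collecting these for several nodes in one zone would hit a duplicate `File` declaration. Putting the node into the file name, e.g. `file { "/etc/icinga2/zones.d/${zone}/systemd_${nodename}.conf":`, keeps one file per service object; whether sibling service defines follow another convention is not visible here. `$zone` is interpolated into that path but is missing from the `validate_string(...)` list. `$check_interval` and `$retry_interval` are written unquoted into the Icinga template, so a `validate_re` against a duration pattern would be a cheap guard.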
diff --git a/manifests/tester/support/email.pp b/manifests/tester/support/email.pp
new file mode 100644
index 0000000..178f0cb
--- /dev/null
+++ b/manifests/tester/support/email.pp
@@ -0,0 +1,188 @@
+# Manage services needed to provide a local email server that can be used
+# by Thunderbird in our automated test suite.
+
+class tails::tester::support::email (
+ $email_password,
+ $email_password_salt = $::fqdn,
+ $email_user = 'test',
+) {
+
+ ### Sanity checks
+
+ validate_string(
+ $email_password,
+ $email_password_salt,
+ $email_user,
+ )
+
+ ### Common resources
+
+ $packages = [
+ 'dovecot-core',
+ 'dovecot-imapd',
+ 'dovecot-pop3d',
+ 'nginx',
+ 'ssl-cert',
+ 'swaks',
+ ]
+
+ ensure_packages($packages)
+
+ $hashed_email_password = pw_hash(
+ $email_password, 'SHA-512', $email_password_salt
+ )
+
+ ### Dovecot
+
+ $dovecot_ssl_cert = '/etc/dovecot/dovecot.pem'
+ $dovecot_ssl_key = '/etc/dovecot/private/dovecot.key'
+
+ service { 'dovecot':
+ ensure => running,
+ enable => true,
+ require => [
+ File['/etc/dovecot/conf.d/99-tails-tester-support.conf'],
+ Package['dovecot-imapd'],
+ Package['dovecot-pop3d'],
+ Package['ssl-cert'],
+ User['vmail'],
+ ],
+ }
+
+ user { 'vmail':
+ uid => '5000',
+ home => '/var/vmail',
+ managehome => true,
+ }
+
+ group { 'vmail':
+ gid => '5000',
+ }
+
+ file { $dovecot_ssl_cert:
+ ensure => link,
+ target => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
+ }
+
+ file { $dovecot_ssl_key:
+ ensure => link,
+ target => '/etc/ssl/private/ssl-cert-snakeoil.key',
+ }
+
+ file { '/etc/dovecot/conf.d/99-tails-tester-support.conf':
+ content => template('tails/tester/support/email/dovecot/tails-tester-support.conf.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ require => [
+ File[$dovecot_ssl_cert],
+ File[$dovecot_ssl_key],
+ Package['dovecot-core'],
+ ],
+ notify => Service['dovecot'],
+ }
+
+ file { '/etc/dovecot/passwd':
+ content => "${email_user}:${hashed_email_password}::::::\n",
+ owner => 'root',
+ group => 'dovecot',
+ mode => '0640',
+ }
+
+ ### Postfix
+
+ # XXX: deliver local email with dovecot's LDA
+
+ # XXX: enable SASL authentication (see "Configuring Dovecot SASL"
+ # in /usr/share/doc/postfix/SASL_README.gz)
+
+ # XXX: once a PoC is ready, consider refactoring to de-duplicate
+ # stuff copied/adapted from tails::whisperback::relay; this should
+ # not be too hard: everything below was paramaterized with
+ # $postfix_instance_name and config files were turned into templates.
+
+ $postfix_instance_name = 'TailsToaster'
+ $postfix_conf_dir = "/etc/postfix-${postfix_instance_name}"
+ $postfix_service = "postfix@postfix-${postfix_instance_name}"
+ $postfix_lib_dir = "/var/lib/postfix-${postfix_instance_name}"
+ $postfix_spool_dir = "/var/spool/postfix-${postfix_instance_name}"
+ $postfix_tls_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ $postfix_tls_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
+
+ postfix::config {
+ 'multi_instance_wrapper':
+ # lint:ignore:single_quote_string_with_variables -- Postfix variable
+ value => '${command_directory}/postmulti -p --}';
+ # lint:endignore
+ 'multi_instance_enable':
+ value => 'yes';
+ 'multi_instance_directories':
+ value => $postfix_conf_dir,
+ require => File[$postfix_conf_dir];
+ }
+
+ service { $postfix_service:
+ ensure => running,
+ enable => true,
+ require => [
+ Service['postfix'],
+ Postfix::Config['multi_instance_directories'],
+ File["${postfix_conf_dir}/dynamicmaps.cf"],
+ Exec["Seed /etc in chroot for ${postfix_instance_name}"],
+ ],
+ }
+
+ file { [$postfix_conf_dir, $postfix_spool_dir]:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755';
+ }
+
+ file { $postfix_lib_dir:
+ ensure => directory,
+ owner => 'postfix',
+ group => 'postfix',
+ mode => '0755',
+ }
+
+ file { "${postfix_conf_dir}/master.cf":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('tails/tester/support/email/postfix/master.cf.erb'),
+ notify => Service[$postfix_service],
+ require => Package['postfix'],
+ }
+
+ file { "${postfix_conf_dir}/main.cf":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('tails/tester/support/email/postfix/main.cf.erb'),
+ notify => Service[$postfix_service],
+ require => [
+ Package['postfix'],
+ File[$postfix_lib_dir],
+ File[$postfix_spool_dir],
+ ],
+ }
+
+ file { "${postfix_conf_dir}/dynamicmaps.cf":
+ ensure => link,
+ target => '/etc/postfix/dynamicmaps.cf',
+ notify => Service[$postfix_service],
+ }
+
+ exec { "Seed /etc in chroot for ${postfix_instance_name}":
+ command => "cp -a /var/spool/postfix/etc ${postfix_spool_dir}/etc",
+ onlyif => "test ! -d ${postfix_spool_dir}/etc",
+ require => [
+ File[$postfix_spool_dir],
+ Service['postfix'],
+ ],
+ }
+
+}
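Review bot: The `multi_instance_wrapper` value `'${command_directory}/postmulti -p --}'` ends with a `}` that has no opening counterpart and looks like a typo; Postfix's documented form is `${command_directory}/postmulti -p --`. `File['/etc/dovecot/passwd']` has no ordering against the Dovecot packages, so on a first run it can be applied before the `dovecot` group and /etc/dovecot exist; `require => Package['dovecot-core'],` would fix that. The default salt `$::fqdn` is predictable and identical on every run, which is tolerable only because this is a test-suite account, and a comment saying so would stop the pattern being copied to real credentials. The `exec` uses unqualified `cp` and `test` with no `path`, which works only if a default `Exec` path is set elsewhere.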
diff --git a/templates/monitoring/service/systemd.erb b/templates/monitoring/service/systemd.erb
new file mode 100644
index 0000000..b486d7d
--- /dev/null
+++ b/templates/monitoring/service/systemd.erb
@@ -0,0 +1,15 @@
+
+object Service "<%= @name %>" {
+
+ import "generic-service"
+
+ check_command = "systemd"
+
+ display_name = "<%= @displayed_name %>"
+ host_name = "<%= @nodename %>"
+ enable_notifications = <%= @enable_notifications %>
+
+ check_interval = <%= @check_interval %>
+ retry_interval = <%= @retry_interval %>
+
+}
diff --git a/templates/tester/support/email/dovecot/tails-tester-support.conf.erb b/templates/tester/support/email/dovecot/tails-tester-support.conf.erb
new file mode 100644
index 0000000..26c6679
--- /dev/null
+++ b/templates/tester/support/email/dovecot/tails-tester-support.conf.erb
@@ -0,0 +1,20 @@
+# Auth
+auth_verbose = yes
+
+passdb {
+ driver = passwd-file
+ args = /etc/dovecot/passwd
+}
+
+userdb {
+ driver = static
+ args = uid=vmail gid=vmail home=/var/vmail/%u
+}
+
+# Mail
+mail_location = maildir:~/Maildir
+
+# SSL
+ssl = yes
+ssl_key = <<%= scope.lookupvar('tails::tester::support::email::dovecot_ssl_key') %>
+ssl_cert = <<%= scope.lookupvar('tails::tester::support::email::dovecot_ssl_cert') %>
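Review bot: `ssl = yes` makes TLS available but still accepts unencrypted IMAP/POP3 sessions; if the test suite does not need cleartext connections, `ssl = required` is the safer setting, and if it does, a comment stating that would document the choice. The `passdb` block names no password scheme, and the entry written by manifests/tester/support/email.pp carries no `{SCHEME}` prefix, so verification relies on Dovecot's default scheme; `args = scheme=SHA512-CRYPT /etc/dovecot/passwd` makes the expectation explicit. `auth_verbose = yes` logs failed login attempts, which is fine on a test host but worth a one-line comment.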
diff --git a/templates/tester/support/email/postfix/main.cf.erb b/templates/tester/support/email/postfix/main.cf.erb
new file mode 100644
index 0000000..47abbf1
--- /dev/null
+++ b/templates/tester/support/email/postfix/main.cf.erb
@@ -0,0 +1,23 @@
+multi_instance_name = postfix-<%= scope.lookupvar('tails::tester::support::email::postfix_instance_name') %>
+myorigin = <%= fqdn %>
+myhostname = <%= fqdn %>
+queue_directory = <%= scope.lookupvar('tails::tester::support::email::postfix_spool_dir') %>
+data_directory = <%= scope.lookupvar('tails::tester::support::email::postfix_lib_dir') %>
+
+mynetworks = <%= ipaddress_eth0 %>
+inet_interfaces = <%= ipaddress_eth0 %>
+mydestination = <%= fqdn %>
+
+alias_database =
+alias_maps =
+
+# TLS parameters
+smtpd_use_tls=yes
+smtpd_tls_cert_file = <%= scope.lookupvar('tails::tester::support::email::postfix_tls_cert_file') %>
+smtpd_tls_key_file = <%= scope.lookupvar('tails::tester::support::email::postfix_tls_key_file') %>
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+
+bounce_queue_lifetime = 1w
+maximal_queue_lifetime = 1w
+
+multi_instance_enable = yes
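Review bot: Nothing in this main.cf configures a SASL backend (`smtpd_sasl_type`, `smtpd_sasl_path`), although master.cf.erb in the same commit sets `smtpd_sasl_auth_enable=yes` and `permit_sasl_authenticated,reject` on submission and smtps, so authenticated relay on those ports presumably cannot work yet, consistent with the XXX note in email.pp. Until Dovecot SASL is wired in, a comment here saying so would help; the eventual lines would be `smtpd_sasl_type = dovecot` plus a matching `smtpd_sasl_path`. The template reads facts as bare names (`fqdn`, `ipaddress_eth0`); the instance-variable form (`@fqdn`, `@ipaddress_eth0`) is the supported one, and both listener address and `mynetworks` depend on an interface named eth0 existing. `smtpd_use_tls=yes` only offers opportunistic STARTTLS with the snakeoil certificate, which deserves a comment marking it as test-only.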
diff --git a/templates/tester/support/email/postfix/master.cf.erb b/templates/tester/support/email/postfix/master.cf.erb
new file mode 100644
index 0000000..0e80820
--- /dev/null
+++ b/templates/tester/support/email/postfix/master.cf.erb
@@ -0,0 +1,124 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+<%= ipaddress_eth0 %>:smtp inet n - y - - smtpd
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+<%= ipaddress_eth0 %>:submission inet n - y - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_reject_unlisted_recipient=no
+ -o smtpd_client_restrictions=$mua_client_restrictions
+ -o smtpd_helo_restrictions=$mua_helo_restrictions
+ -o smtpd_sender_restrictions=$mua_sender_restrictions
+ -o smtpd_recipient_restrictions=
+ -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+<%= ipaddress_eth0 %>:smtps inet n - y - - smtpd
+ -o syslog_name=postfix/smtps
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_reject_unlisted_recipient=no
+ -o smtpd_client_restrictions=$mua_client_restrictions
+ -o smtpd_helo_restrictions=$mua_helo_restrictions
+ -o smtpd_sender_restrictions=$mua_sender_restrictions
+ -o smtpd_recipient_restrictions=
+ -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
+