From 72382b845a9f51920bf8b7ba8ea6268e62f34434 Mon Sep 17 00:00:00 2001
From: "James E. Blair" <jeblair@openstack.org>
Date: Wed, 12 Feb 2014 13:16:15 -0800
Subject: [PATCH] Only allow mail from jenkins from zuul
If someone copies the production Zuul configuration, they may end
up sending emails as jenkins@o.o. Configure our hosts to only
accept email with an envelope sender or From header of jenkins@.o.o
if the connecting host is zuul.openstack.org (or localhost, to handle
the case of exim running on zuul.o.o itself).
Change-Id: Ic92bb39659689347fea1744ee8c1b47ef21858b0
---
modules/exim/templates/exim4.conf.erb | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/modules/exim/templates/exim4.conf.erb b/modules/exim/templates/exim4.conf.erb
index e3b424c707..b5be96d4f2 100644
--- a/modules/exim/templates/exim4.conf.erb
+++ b/modules/exim/templates/exim4.conf.erb
@@ -457,6 +457,13 @@ acl_check_rcpt:
control = submission
control = dkim_disable_verify
+ # In case people cargo-cult our Zuul configuration, only allow
+ # messages with an envelope sender of jenkins from OpenStack's Zuul.
+
+ deny senders = jenkins@openstack.org
+ !hosts = zuul.openstack.org : 127.0.0.1
+ message = Sender address not permitted from this host
+
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
# relaying. Any other domain is rejected as being unacceptable for relaying.
@@ -529,6 +536,14 @@ acl_check_data:
# X-Spam_bar: $spam_bar\n\
# X-Spam_report: $spam_report
+ # In case people cargo-cult our Zuul configuration, only allow
+ # messages with a From header of jenkins from OpenStack's Zuul.
+
+ deny condition = ${if eq{${address:$h_from:}}\
+ {jenkins@openstack.org}}
+ !hosts = zuul.openstack.org : 127.0.0.1
+ message = From address not permitted from this host
+
# Accept the message.
accept