Saturday, 14 September 2013

How to set up RT part 6: Configuring rt-mailgate

rt-mailgate is the mail gateway which RT uses to convert emails to tickets. Before we get stuck into configuring it, first a few things need configuring in RT.

The RT configuration file can be found at
/etc/request-tracker4/RT_SiteConfig.pm
It's best not to modify this file directly, but to add config fragments under RT_SiteConfig.d and then recompile. To ready RT for email, we do the following:

/etc/request-tracker4/RT_SiteConfig.d/50-debconf :
  # THE BASICS:
  Set($rtname, 'rt.tickets.company.com');
  Set($Organization, 'company.com');
  Set($CorrespondAddress , 'anna@company.com');
  Set($CommentAddress , 'anna@company.com');
  # THE WEBSERVER:
  Set($WebPath , "/rt");
  Set($WebBaseURL , "http://tickets.company.com");

/etc/request-tracker4/RT_SiteConfig.d/60-mailconf :
  Set($SendmailPath, "/usr/lib/sendmail");    
  Set($SendmailArguments, "-t");
  Set($OwnerEmail, "anna@company.com"); #who to email errors to
Then run

# update-rt-siteconfig-4
to update RT.

Now we can look at configuring rt-mailgate itself. First, let's make sure rt-mailgate works in its own right.
# echo "Test123" | rt-mailgate --queue General --action correspond --url http://tickets.company.com

If this gave you a 403, then you'll need to configure
# /etc/apache2/sites-available/apache2-modperl2.conf
There should be a stanza about limiting access to mail gateway. Since it's NoAuth anyway, let's just allow access across the board for it:
<Location /rt/REST/1.0/NoAuth>
    Order Allow,Deny
    Allow from all
    Satisfy any
</Location>
Add the line "Allow from rt.tickets.company.com" and restart Apache.


To configure exim to forward emails to rt-mailgate, edit /etc/aliases :
  rt: "|/usr/bin/rt-mailgate --queue general --action correspond --url http://tickets.company.com/rt"
  rt-comment: "|/usr/bin/rt-mailgate --queue general --action comment --url http://tickets.company.com/rt"

In my installation, I decided to make queue names which were modular, with a 'from' and a 'to' part, of the shape 'from@to' so that I could use email addresses that look like from@to.company.com. To set this up, I added two files to exim, one a list of requestors, and one a list of recipients:

/etc/exim/queuenames/list.of.requestors (the bit before the @) :
    account-managers
    developers

vim /etc/exim/queuenames/list.of.recipients (the bit after the @) :
    systems.company.com
    dba.company.com

NB make sure that the two lists combine to make the queue names that are configured in the RT gui.

Also to note - if you add to the list of requestors then you don’t need to reconfigure exim, but if you add to the list of recipients you’ll need to do dpkg-reconfigure exim4-config again and add in the extra subdomain as a destination to receive mail for.

Alternative - and probably easier to keep track of - these settings are all saved in /etc/exim/update-exim4.conf.conf. If you do add to the list of requestors you can add in the additional domains here, under dc_other_hostnames, making sure to separate your items with colons (no csv here, it will silently fail, madness lies beyond). 
Then run update-exim4.conf (yes, that's the command), and then restart exim.

Also to configure to make this work: /etc/exim/conf.d/main/01_exim4-config_listmacrosdefs
    RT4_URL = http://tickets.company.com/

and /etc/exim/conf.d/router/950_exim4-config_rt
request_tracker4:
 driver            = redirect
 domains           = /etc/exim4/queuenames/list.of.recipients
 local_parts       = /etc/exim4/queuenames/list.of.requestors

 local_part_suffix = -comment
 local_part_suffix_optional
 pipe_transport    = request_tracker4_pipe
 data              =   "|/usr/bin/rt-mailgate-4 \
                       --queue \"${local_part}@${extract{1}{.}{$domain}}\" \
                       --action ${substr_1:${if eq{$local_part_suffix}{} \
                       {-correspond}{$local_part_suffix}} } \
                       --url RT4_URL"
 user              = www-data

and /etc/exim/conf.d/transport/30_exim4-config_rt_pipe
request_tracker4_pipe:
 driver         = pipe
 return_fail_output
 allow_commands = /usr/bin/rt-mailgate-4

Recompile the config
dpkg-reconfigure -plow exim4-config

Test making a ticket via email from the command line of the exim server.
echo "This is a test ticket" | from=anna@company.com mail -s "test $(date)" accountmanagers@systems.company.com

If these tests all went smoothly and the server is able to email out, then next we need to configure RT to interact with users by email.


NB here I am using swaks to test RT so that I can send emails internally without needing to open exim up to receive emails from gmail (and therefore spam). A basic swaks command looks like
swaks --to accountmanagers@systems.company.com --from anna@company.com --server tickets.company.com -d "Subject: This is the subject line \n\n Here is some text that should go into the body"
Telnet would also work, but is a bit more long-winded.

More testing:  

1. Test making a ticket via email from another internal server (this allows us to test before the smtp port is opened to the whole world:
swaks --to accountmanagers@systems.company.com --from anna@company.com --server tickets.company.com

2. A person not in the domain should not be able to make a ticket
swaks --to accountmanagers@systems.company.com --from abadperson@yahoo.com --server tickets.company.com
Action: no ticket created
/var/log/request-tracker/rt4.log:  RT could not load a valid user, and RT's configuration does not allow
for the creation of a new user for your email. Could not record email: Could not load a valid user


3. An email sent to a non-existent queue should not create a ticket
swaks --to systems@wrongaddress.com --from anna@company.com --server tickets.company.com
Action: no ticket created
/var/log/exim4/mainlog: Connection refused
exim -Mvh <emailID>: spam score of -1
Mail gets returned to sender with the message “A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: systems@systems.whereever.com retry timeout exceeded”


4. From a valid, privileged user in RT who is not a user in AD:
swaks --to accountmanagers@systems.company.com --from bobby.tables@company.com --server tickets.company.com
Action: ticket created, but user cannot access selfservice as no password set.


4. From a valid AD user who is present but unprivileged user in RT
Action: ticket created. User can access selfservice.


5a. From a valid AD user who is not in RT:
Action: ticket created, unprivileged user created. User can access selfservice but not see ticket


5b. As root, make this new user privileged.
Action: User can now access selfservice and see ticket, as well as the queue that ticket was sent to.