authorGuilhem Moulin <guilhem@fripost.org>2013-12-09 08:11:16 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:17 +0200
commit7c089f71667a1a14cc508772ca289d4d1d2edd27 (patch)
tree2858164a1015603ebb8f2478b920e84a7dd62dd6 /roles/IMAP/files
parent185cf14065554038820c696e7d35f47017b43783 (diff)
Configure the content filter.
Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It does not seem obvious how to get it right with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
Diffstat (limited to 'roles/IMAP/files')
-rw-r--r--roles/IMAP/files/etc/amavis/conf.d/05-domain_id20
-rw-r--r--roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf4
-rw-r--r--roles/IMAP/files/etc/spamassassin/local.cf118
-rw-r--r--roles/IMAP/files/etc/spamassassin/v310.pre78
-rw-r--r--roles/IMAP/files/tmp/spamassassin.sql57
5 files changed, 275 insertions, 2 deletions
diff --git a/roles/IMAP/files/etc/amavis/conf.d/05-domain_id b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id
new file mode 100644
index 0000000..19f10ed
--- /dev/null
+++ b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id
@@ -0,0 +1,20 @@
+use strict;
+
+# $mydomain is used just for convenience in the config files and it is not
+# used internally by amavisd-new except in the default X_HEADER_LINE (which
+# Debian overrides by default anyway).
+
+$mydomain = "fripost.org";
+
+# amavisd-new needs to know which email domains are to be considered local
+# to the administrative domain. Only emails to "local" domains are subject
+# to certain functionality, such as the addition of spam tags.
+#
+# Default local domains to $mydomain and all subdomains. Remember to
+# override or redefine this if $mydomain is changed later in the config
+# sequence.
+
+@local_domains_acl = ( ".$mydomain" );
+@local_domains_maps = ( ".$mydomain" );
+
+1; # ensure a defined return
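Review bot: `@local_domains_maps = ( ".$mydomain" );` puts a plain string into a list of lookup tables, and as far as I recall amavisd-new treats a non-reference scalar in a `*_maps` list as a constant that matches every key. If that holds, every recipient domain would count as local, not only fripost.org and its subdomains as the comment above says. To restrict it, wrap the value as an ACL reference, `@local_domains_maps = ( [".$mydomain"] );`, or drop the line so the default maps pick up `@local_domains_acl`. If treating all recipients as local is intended on this host, a comment saying so would stop the two assignments from reading as equivalent.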
diff --git a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
index 6ea944f..3a97841 100644
--- a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
+++ b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
@@ -3,6 +3,6 @@ version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = none
-query_filter = (&(ObjectClass=AmavisAccount)(fvl=%u))
+query_filter = (&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fvl=%u))
result_attribute = fvl
-result_format = amavisfeed:unix:public/amavisfeed-contentfilter
+result_format = amavisfeed:[127.0.0.1]:10041
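Review bot: The new `result_format = amavisfeed:[127.0.0.1]:10041` replaces a UNIX socket, whose access was limited by filesystem permissions, with a loopback TCP port that any local process on the host can connect to. Nothing in this hunk shows how the amavisd listener on 10041 is restricted. It is worth confirming that it binds to 127.0.0.1 only and accepts only loopback clients (amavisd-new's `$inet_socket_bind` and `@inet_acl`). A comment such as `# must match the amavisd listener on 127.0.0.1:10041` would also help. The file starts above the hunk, so any existing header comment is not visible here.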
diff --git a/roles/IMAP/files/etc/spamassassin/local.cf b/roles/IMAP/files/etc/spamassassin/local.cf
new file mode 100644
index 0000000..8ae4a4b
--- /dev/null
+++ b/roles/IMAP/files/etc/spamassassin/local.cf
@@ -0,0 +1,118 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# Only a small subset of options are listed below
+#
+###########################################################################
+
+# Add *****SPAM***** to the Subject header of spam e-mails
+#
+rewrite_header Subject [*****SPAM*****]
+
+
+# Save spam messages as a message/rfc822 MIME attachment instead of
+# modifying the original message (0: off, 2: use text/plain instead)
+#
+report_safe 0
+
+
+# Set which networks or hosts are considered 'trusted' by your mail
+# server (i.e. not spammers)
+#
+# TODO: Unclear how to do with IPSec and dynamic IPs.
+clear_trusted_networks
+trusted_networks 192.168.122.2 192.168.122.3
+
+clear_internal_networks
+internal_networks 192.168.122.2 192.168.122.3
+
+
+# Set file-locking method (flock is not safe over NFS, but is faster)
+#
+lock_method flock
+
+
+# Set the threshold at which a message is considered spam (default: 5.0)
+#
+required_score 5.0
+
+
+# Use Bayesian classifier (default: 1)
+#
+use_bayes 1
+
+
+# Bayesian classifier auto-learning (default: 1)
+#
+bayes_auto_learn 1
+bayes_auto_expire 0
+
+
+# Enable or disable network checks
+#
+# http://en.linuxreviews.org/Spam_blacklists
+# The best bets are zen.spamhaus.org and bl.spamcop.net .
+skip_rbl_checks 0
+use_razor2 1
+use_pyzor 0
+use_auto_whitelist 1
+
+# http://www.spamtips.org/2011/01/disable-dnsfromahblrhsbl.html
+score DNS_FROM_AHBL_RHSBL 0
+# http://www.spamtips.org/2011/01/disable-rfc-ignorantorg-rules.html
+score __RFC_IGNORANT_ENVFROM 0
+score DNS_FROM_RFC_DSN 0
+score DNS_FROM_RFC_BOGUSMX 0
+score __DNS_FROM_RFC_POST 0
+score __DNS_FROM_RFC_ABUSE 0
+score __DNS_FROM_RFC_WHOIS 0
+
+# Set headers which may provide inappropriate cues to the Bayesian
+# classifier
+#
+# bayes_ignore_header X-Bogosity
+# bayes_ignore_header X-Spam-Flag
+# bayes_ignore_header X-Spam-Status
+
+
+# Some shortcircuiting, if the plugin is enabled
+#
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+# default: strongly-whitelisted mails are *really* whitelisted now, if the
+# shortcircuiting plugin is active, causing early exit to save CPU load.
+# Uncomment to turn this on
+#
+# shortcircuit USER_IN_WHITELIST on
+# shortcircuit USER_IN_DEF_WHITELIST on
+# shortcircuit USER_IN_ALL_SPAM_TO on
+# shortcircuit SUBJECT_IN_WHITELIST on
+
+# the opposite; blacklisted mails can also save CPU
+#
+# shortcircuit USER_IN_BLACKLIST on
+# shortcircuit USER_IN_BLACKLIST_TO on
+# shortcircuit SUBJECT_IN_BLACKLIST on
+
+# if you have taken the time to correctly specify your "trusted_networks",
+# this is another good way to save CPU
+#
+# shortcircuit ALL_TRUSTED on
+
+# and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99 spam
+# shortcircuit BAYES_00 ham
+
+endif # Mail::SpamAssassin::Plugin::Shortcircuit
+
+
+bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
+bayes_sql_dsn DBI:mysql:spamassassin
+bayes_sql_username amavis
+
+auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
+user_awl_dsn DBI:mysql:spamassassin
+user_awl_sql_username amavis
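Review bot: `bayes_sql_username amavis` and `user_awl_sql_username amavis` are set without `bayes_sql_password` / `user_awl_sql_password`, so the MySQL account presumably authenticates without a password, unless credentials are supplied somewhere this diff does not show. Because that database holds every user's Bayes tokens and auto-whitelist entries, confirm the account can only log in locally (socket authentication) and holds only the data privileges it needs on `spamassassin`. A comment above these lines should say how authentication is meant to work, e.g. `# no password: 'amavis' authenticates over the local socket`. Separately, `bayes_auto_expire 0` means tokens are only expired by an external job, and a comment naming that job would keep the tables from growing unnoticed.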
diff --git a/roles/IMAP/files/etc/spamassassin/v310.pre b/roles/IMAP/files/etc/spamassassin/v310.pre
new file mode 100644
index 0000000..bff0bbf
--- /dev/null
+++ b/roles/IMAP/files/etc/spamassassin/v310.pre
@@ -0,0 +1,78 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# This file was installed during the installation of SpamAssassin 3.1.0,
+# and contains plugin loading commands for the new plugins added in that
+# release. It will not be overwritten during future SpamAssassin installs,
+# so you can modify it to enable some disabled-by-default plugins below,
+# if you so wish.
+#
+# There are now multiple files read to enable plugins in the
+# /etc/mail/spamassassin directory; previously only one, "init.pre" was
+# read. Now both "init.pre", "v310.pre", and any other files ending in
+# ".pre" will be read. As future releases are made, new plugins will be
+# added to new files, named according to the release they're added in.
+###########################################################################
+
+# DCC - perform DCC message checks.
+#
+# DCC is disabled here because it is not open source. See the DCC
+# license for more details.
+#
+#loadplugin Mail::SpamAssassin::Plugin::DCC
+
+# Pyzor - perform Pyzor message checks.
+#
+loadplugin Mail::SpamAssassin::Plugin::Pyzor
+
+# Razor2 - perform Razor2 message checks.
+#
+loadplugin Mail::SpamAssassin::Plugin::Razor2
+
+# SpamCop - perform SpamCop message reporting
+#
+loadplugin Mail::SpamAssassin::Plugin::SpamCop
+
+# AntiVirus - some simple anti-virus checks, this is not a replacement
+# for an anti-virus filter like Clam AntiVirus
+#
+#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
+
+# AWL - do auto-whitelist checks
+#
+loadplugin Mail::SpamAssassin::Plugin::AWL
+
+# AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning
+#
+loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
+
+# TextCat - language guesser
+#
+#loadplugin Mail::SpamAssassin::Plugin::TextCat
+
+# AccessDB - lookup from-addresses in access database
+#
+#loadplugin Mail::SpamAssassin::Plugin::AccessDB
+
+# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions
+#
+loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
+
+###########################################################################
+# experimental plugins
+
+# DomainKeys - perform DomainKeys verification
+#
+# This plugin has been removed as of v3.3.0. Use the DKIM plugin instead,
+# which supports both Domain Keys and DKIM.
+
+# MIMEHeader - apply regexp rules against MIME headers in the message
+#
+loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
+
+# ReplaceTags
+#
+loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
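Review bot: `loadplugin Mail::SpamAssassin::Plugin::Pyzor` is enabled here while local.cf in the same commit sets `use_pyzor 0`, so the plugin is loaded but never consulted. Commenting the line out, as is already done for DCC and TextCat, with a note such as `# disabled: use_pyzor 0 in local.cf`, would keep the two files consistent. The same question applies to `Plugin::SpamCop`, which is a reporting plugin: if nothing on this host reports to SpamCop, a comment saying why it stays loaded would help.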
diff --git a/roles/IMAP/files/tmp/spamassassin.sql b/roles/IMAP/files/tmp/spamassassin.sql
new file mode 100644
index 0000000..ed2e641
--- /dev/null
+++ b/roles/IMAP/files/tmp/spamassassin.sql
@@ -0,0 +1,57 @@
+-- Sources: https://svn.apache.org/repos/asf/spamassassin/trunk/sql/awl_mysql.sql
+-- https://svn.apache.org/repos/asf/spamassassin/trunk/sql/bayes_mysql.sql
+
+CREATE TABLE awl (
+ username VARCHAR(100) NOT NULL DEFAULT '',
+ email VARBINARY(255) NOT NULL DEFAULT '',
+ ip VARCHAR(40) NOT NULL DEFAULT '',
+ count INT(11) NOT NULL DEFAULT 0,
+ totscore FLOAT NOT NULL DEFAULT 0,
+ signedby VARCHAR(255) NOT NULL DEFAULT '',
+ PRIMARY KEY (username,email,signedby,ip)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_expire (
+ id INT(11) NOT NULL DEFAULT 0,
+ runtime INT(11) NOT NULL DEFAULT 0,
+ KEY bayes_expire_idx1 (id)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_global_vars (
+ variable VARCHAR(30) NOT NULL default '',
+ value VARCHAR(200) NOT NULL default '',
+ PRIMARY KEY (variable)
+) ENGINE=InnoDB;
+INSERT INTO bayes_global_vars VALUES ('VERSION','3');
+
+CREATE TABLE bayes_seen (
+ id INT(11) NOT NULL DEFAULT 0,
+ msgid VARCHAR(200) BINARY NOT NULL DEFAULT '',
+ flag CHAR(1) NOT NULL DEFAULT '',
+ PRIMARY KEY (id,msgid)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_token (
+ id INT(11) NOT NULL DEFAULT 0,
+ token BINARY(5) NOT NULL DEFAULT '',
+ spam_count INT(11) NOT NULL DEFAULT 0,
+ ham_count INT(11) NOT NULL DEFAULT 0,
+ atime INT(11) NOT NULL DEFAULT 0,
+ PRIMARY KEY (id, token),
+ INDEX bayes_token_idx1 (id, atime)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_vars (
+ id INT(11) NOT NULL AUTO_INCREMENT,
+ username VARCHAR(200) NOT NULL DEFAULT '',
+ spam_count INT(11) NOT NULL DEFAULT 0,
+ ham_count INT(11) NOT NULL DEFAULT 0,
+ token_count INT(11) NOT NULL DEFAULT 0,
+ last_expire INT(11) NOT NULL DEFAULT 0,
+ last_atime_delta INT(11) NOT NULL DEFAULT 0,
+ last_expire_reduce INT(11) NOT NULL DEFAULT 0,
+ oldest_token_age INT(11) NOT NULL DEFAULT 2147483647,
+ newest_token_age INT(11) NOT NULL DEFAULT 0,
+ PRIMARY KEY (id),
+ UNIQUE bayes_vars_idx1 (username)
+) ENGINE=InnoDB;
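Review bot: The schema is not re-runnable: each `CREATE TABLE` fails once the tables exist, and `INSERT INTO bayes_global_vars VALUES ('VERSION','3');` names no columns and hits the primary key on a second run. How the role loads this file is not visible here, but if it can run more than once, use `CREATE TABLE IF NOT EXISTS ...` and `INSERT IGNORE INTO bayes_global_vars (variable, value) VALUES ('VERSION','3');`. The file also creates no database and grants nothing. A header comment should therefore state that it is loaded into the `spamassassin` database, and which privileges on these tables the `amavis` account is expected to hold.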