| author | Guilhem Moulin <guilhem@fripost.org> | 2013-12-09 08:11:16 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:17 +0200 | 
| commit | 7c089f71667a1a14cc508772ca289d4d1d2edd27 (patch) | |
| tree | 2858164a1015603ebb8f2478b920e84a7dd62dd6 /roles/IMAP/tasks | |
| parent | 185cf14065554038820c696e7d35f47017b43783 (diff) | |
Configure the content filter.
Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new.
Each user has his/her amavis preferences, and own Bayes filter (to
maximize privacy).
One question remains, though: how to set spamassassin's trusted_networks
/ internal_networks / msa_networks? It seems not obvious to get it
right with IPSec and dynamic IPs.
(Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
Diffstat (limited to 'roles/IMAP/tasks')
| -rw-r--r-- | roles/IMAP/tasks/amavis.yml | 56 | ||||
| -rw-r--r-- | roles/IMAP/tasks/main.yml | 2 | ||||
| -rw-r--r-- | roles/IMAP/tasks/spam.yml | 51 | 
3 files changed, 109 insertions, 0 deletions
|
diff --git a/roles/IMAP/tasks/amavis.yml b/roles/IMAP/tasks/amavis.yml
new file mode 100644
index 0000000..6f47328
--- /dev/null
+++ b/roles/IMAP/tasks/amavis.yml
@@ -0,0 +1,56 @@
+- name: Install amavis and its decoders
+  apt: pkg={{ item }}
+  with_items:
+    - amavisd-new
+    - libnet-ldap-perl
+    - libauthen-sasl-perl
+    - gzip
+    - bzip2
+    - xz-utils
+    - lzop
+    - rpm2cpio
+    - pax
+    - binutils
+    - p7zip-full
+    - unrar-free
+    - arj
+    - nomarch
+    - zoo
+    - ripole
+    - cabextract
+    - unar
+    - tnef
+  notify:
+    - Restart Amavis
+
+- name: Add 'clamav' to the group 'amavis'
+  user: name=clamav groups=amavis append=yes
+  register: r1
+  notify:
+    - Restart ClamAV
+    - Restart Amavis
+
+- name: Configure Amavis (1)
+  copy: src=etc/amavis/conf.d/05-domain_id
+        dest=/etc/amavis/conf.d/05-domain_id
+        owner=root group=root
+        mode=0644
+  register: r2
+  notify:
+    - Restart Amavis
+
+- name: Configure Amavis (2)
+  template: src=etc/amavis/conf.d/{{ item }}.j2
+            dest=/etc/amavis/conf.d/{{ item }}
+            owner=root group=root
+            mode=0644
+  register: r3
+  with_items:
+    - 15-content_filter_mode
+    - 50-user
+  notify:
+    - Restart Amavis
+
+- name: Start Amavis
+  service: name=amavis state=started
+  when: not (r1.changed or r2.changed or r3.changed)
diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml
index df21dd2..b43f9fb 100644
--- a/roles/IMAP/tasks/main.yml
+++ b/roles/IMAP/tasks/main.yml
@@ -1,3 +1,5 @@
 ---
 - include: imap.yml   tags=imap,dovecot
 - include: mda.yml    tags=mda,mail,postfix
+- include: amavis.yml tags=amavis
+- include: spam.yml   tags=spam,spamassassin
diff --git a/roles/IMAP/tasks/spam.yml b/roles/IMAP/tasks/spam.yml
new file mode 100644
index 0000000..d326656
--- /dev/null
+++ b/roles/IMAP/tasks/spam.yml
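Review bot: In roles/IMAP/tasks/amavis.yml, 'Configure Amavis (2)' installs the rendered `15-content_filter_mode` and `50-user` as root:root with `mode=0644`, so every local account on the host can read them. The templates are not part of this diff, but the same file installs `libnet-ldap-perl` and `libauthen-sasl-perl`, so if `50-user.j2` ends up carrying an LDAP bind password or other lookup credentials I would tighten that task to `owner=root group=amavis` with `mode=0640`. If the rendered files hold no secrets, a one-line comment saying so above the task, e.g. `# No credentials in these files; world-readable is intended`, would save the next reader the check.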
@@ -0,0 +1,51 @@
+- name: Install spamassassin
+  apt: pkg={{ item }}
+  with_items:
+    - razor
+    - spamassassin
+    - spamc
+    - libdbi-perl
+  notify:
+    - Restart Amavis
+
+- name: Create a 'spamassassin' database
+  mysql_db: name=spamassassin state=present
+            encoding=latin1 collation=latin1_general_ci
+  notify:
+    - Copy SQL tables for spamassassin
+    - Create SQL tables for spamassassin
+
+- meta: flush_handlers
+
+- name: Copy SpamAssassin's configuration
+  copy: src=etc/{{ item }}
+        dest=/etc/{{ item }}
+        owner=root group=root
+        mode=0644
+  with_items:
+    - spamassassin/local.cf
+    - spamassassin/v310.pre
+  notify:
+    - Restart Amavis
+
+- name: Ensure SpamAssassin is not auto-started at boot time
+  lineinfile: dest=/etc/default/spamassassin
+              regexp='^(\s*#)?\s*ENABLED='
+              line='ENABLED=0'
+              owner=root group=root
+              mode=0644
+
+- name: Create a 'amavis' SQL user
+  # This *must* be the user we run spamd as
+  # See https://svn.apache.org/repos/asf/spamassassin/trunk/sql/README.bayes
+  mysql_user: >
+      name=amavis auth_plugin=auth_socket
+      priv="spamassassin.awl:               SELECT,INSERT,UPDATE,DELETE
+           /spamassassin.bayes_seen:        SELECT,INSERT,       DELETE
+           /spamassassin.bayes_token:       SELECT,INSERT,UPDATE,DELETE
+           /spamassassin.bayes_global_vars: SELECT
+           /spamassassin.bayes_vars:        SELECT,INSERT,UPDATE,DELETE
+           /spamassassin.bayes_expire:      SELECT,INSERT,       DELETE"
+      state=present
+  notify:
+    - Restart Amavis
|
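Review bot: In roles/IMAP/tasks/spam.yml, the per-table grants in the final `mysql_user` task depend on tables that are only created by the two handlers notified from the `mysql_db` task, and those handlers fire only when that task reports a change. If a first run creates the database but stops before `- meta: flush_handlers` has finished, a later run will presumably skip the handlers, and the grants on `spamassassin.awl` and the `bayes_*` tables are then likely to fail against missing tables. The handlers are outside this diff, so I cannot tell whether they are safe to re-run; at minimum I would add a comment above the flush, `# The per-table grants below need the tables to exist, so create them now`, and consider turning table creation into a regular idempotent task.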
