summaryrefslogtreecommitdiffstats
path: root/roles/IMAP/templates/etc/amavis
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2013-12-09 08:11:16 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:17 +0200
commit7c089f71667a1a14cc508772ca289d4d1d2edd27 (patch)
tree2858164a1015603ebb8f2478b920e84a7dd62dd6 /roles/IMAP/templates/etc/amavis
parent185cf14065554038820c696e7d35f47017b43783 (diff)
Configure the content filter.
Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
Diffstat (limited to 'roles/IMAP/templates/etc/amavis')
-rw-r--r--roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j229
-rw-r--r--roles/IMAP/templates/etc/amavis/conf.d/50-user.j2135
2 files changed, 164 insertions, 0 deletions
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2
new file mode 100644
index 0000000..cde0452
--- /dev/null
+++ b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2
@@ -0,0 +1,29 @@
+use strict;
+
+# You can modify this file to re-enable SPAM checking through spamassassin
+# and to re-enable antivirus checking.
+
+#
+# Default antivirus checking mode
+# Please note, that anti-virus checking is DISABLED by
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+@bypass_virus_checks_maps = (
+ \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+
+#
+# Default SPAM checking mode
+# Please note, that anti-spam checking is DISABLED by
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+{% if 'MDA' in group_names -%}
+@bypass_spam_checks_maps = (
+ \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+{% endif %}
+
+1; # ensure a defined return
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
new file mode 100644
index 0000000..7d412f8
--- /dev/null
+++ b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
@@ -0,0 +1,135 @@
+use strict;
+
+#
+# Place your configuration directives here. They will override those in
+# earlier files.
+#
+# See /usr/share/doc/amavisd-new/ for documentation and examples of
+# the directives you can use in this file
+#
+
+# $max_servers: num of pre-forked children (2..30 is common). It *must*
+# match the number set in /etc/postfix/master.cf "maxproc" column for
+# the amavisfeed service.
+$max_servers = 2;
+
+# list your internal networks
+@mynetworks = qw( 127.0.0.0/8 172.16.0.1/32 );
+
+
+# Always deliver messages (force *_lovers_maps to [1])
+$final_virus_destiny = D_PASS;
+$final_banned_destiny = D_PASS;
+$final_unchecked_destiny = D_PASS;
+$final_spam_destiny = D_PASS;
+$final_bad_header_destiny = D_PASS;
+$final_destiny_by_ccat{&CC_OVERSIZED} = D_PASS;
+
+%lovers_maps_by_ccat = (
+ CC_CATCHALL, 1,
+);
+
+
+# Disable quarantine (force *_quarantine_to_maps to [1]; don't forget to
+# disable setting amavisSpamQuarantineCutoffLevel and amavisVirusQuarantine*To,
+# also)
+$QUARANTINEDIR = undef;
+%quarantine_method_by_ccat = (
+ CC_CATCHALL, undef,
+);
+%admin_maps_by_ccat = (
+ CC_CATCHALL, undef,
+);
+
+undef $undecipherable_subject_tag;
+
+# Defang virus only
+%defang_maps_by_ccat = (
+ CC_VIRUS, 1,
+ CC_CATCHALL, undef,
+);
+
+# Never BCC / DSN; don't forget to disallow setting amavisSpamDsnCutoffLevel
+# and amavis*Admin, also
+%always_bcc_by_ccat = (
+ CC_CATCHALL, undef,
+);
+%dsn_bcc_by_ccat = (
+ CC_CATCHALL, undef,
+);
+
+# Never warn sender / recipient; don't forget to disallow setting
+# amavisWarn*Recip, also
+%warnsender_by_ccat = ( # deprecated use, except perhaps for CC_BADH
+ CC_CATCHALL, undef,
+);
+%warnrecip_maps_by_ccat = (
+ CC_CATCHALL, undef,
+);
+
+@message_size_limit_maps = (); # per-recipient limits
+
+
+%banned_rules = (
+ 'NO-MS-EXEC'=> new_RE( qr'^\.exe-ms$' ),
+ 'PASSALL' => new_RE( [qr'^' => 0] ),
+ 'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
+ 'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ),
+);
+
+
+$enable_ldap = 1;
+$default_ldap = {
+ hostname => 'ldapi://',
+ sasl => 1,
+ sasl_mech => 'EXTERNAL',
+ deref => 'never',
+ timeout => 5,
+ scope => 'one',
+ base => 'fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org',
+ # XXX: ideally we would use %u in the base and the query_filter, but
+ # it's not supported as of amavis 2.7 (see the 'lookup_ldap'
+ # subroutine in /usr/sbin/amavisd-new)
+ query_filter => '(&(objectClass=amavisAccount)(ObjectClass=FripostVirtualUser)(fvl=%m))'
+};
+
+
+$recipient_delimiter = '+';
+$enable_dkim_verification = 1; # enable DKIM signatures verification
+
+
+# Per-recipient Bayes Database.
+@sa_username_maps = (
+ new_RE ( [ qr'^(.+@[^@]+)$'i => '$1' ] ),
+ 'amavis' # catch-all
+);
+
+# http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex
+
+$inet_socket_port = 10041;
+
+$interface_policy{'10041'} = 'INBOUND';
+
+{% if 'MTA-out' in group_names %}
+$notify_method = 'smtp:[127.0.0.1]:{{ MTA_out.port }}';
+{% else %}
+$notify_method = 'smtp:[{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}';
+{% endif %}
+$forward_method = 'lmtp:/var/run/dovecot/lmtp';
+$requeue_method = $forward_method;
+
+$sa_tag_level_deflt = undef;
+$sa_tag2_level_deflt = 5;
+$sa_kill_level_deflt = 5;
+$sa_dsn_cutoff_level = undef;
+$sa_quarantine_cutoff_level = undef;
+
+$policy_bank{'INBOUND'} = {
+ originating => 0, # indicates a remote client, allows checking
+ smtpd_greeting_banner =>
+ '${helo-name} ${protocol} ${product} INBOUND service ready',
+ mynetworks_maps => [], # avoids loading MYNETS policy unnecessarily
+};
+
+#------------ Do not modify anything below this line -------------
+1; # ensure a defined return