author | Guilhem Moulin <guilhem@fripost.org> | 2016-05-22 17:57:38 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-05-22 17:59:01 +0200 |
commit | b536632f32d81dceb11f2b7ebf2ec1a284498901 (patch) | |
tree | c4a8cbbd68c7985d91ec6b501586049028d2f666 /roles/IMAP | |
parent | deb4777fb64a8427fa029bcd932a0c58adf203d6 (diff) |
spamassassin: list our IPSec subnet in trusted_networks.
Diffstat (limited to 'roles/IMAP')
-rw-r--r-- | roles/IMAP/tasks/main.yml | 6 | ||||
-rw-r--r-- | roles/IMAP/tasks/spam.yml | 25 | ||||
-rw-r--r-- | roles/IMAP/templates/etc/spamassassin/local.cf.j2 (renamed from roles/IMAP/files/etc/spamassassin/local.cf) | 8 |
3 files changed, 30 insertions, 9 deletions
diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml
index f9b25d1..b26cb10 100644
--- a/roles/IMAP/tasks/main.yml
+++ b/roles/IMAP/tasks/main.yml
@@ -1,16 +1,16 @@ --- - include: imap.yml tags: - imap - dovecot - include: mda.yml tags: - mda - mail - postfix -# TODO spam filter +## TODO spam filter #- include: spam.yml -# tags +# tags: # - spam +# - amavis # - spamassassin -#
diff --git a/roles/IMAP/tasks/spam.yml b/roles/IMAP/tasks/spam.yml
index 06624dd..3091b85 100644
--- a/roles/IMAP/tasks/spam.yml
+++ b/roles/IMAP/tasks/spam.yml
@@ -8,56 +8,75 @@ - spamassassin - spamc - libdbi-perl - re2c - libc6-dev - gcc - make notify: - Compile Spamassassin rules - Restart Amavis - name: Create a 'spamassassin' database mysql_db: name=spamassassin state=present encoding=latin1 collation=latin1_general_ci notify: - Copy SQL tables for spamassassin - Create SQL tables for spamassassin - meta: flush_handlers + - name: Copy SpamAssassin's configuration copy: src=etc/{{ item }} dest=/etc/{{ item }} owner=root group=root mode=0644 with_items: - - spamassassin/local.cf - spamassassin/v310.pre - spamassassin/v320.pre + register: r1 + notify: + - Restart Amavis + +- name: Copy SpamAssassin's configuration (2) + template: src=etc/{{ item }}.j2 + dest=/etc/{{ item }} + owner=root group=root + mode=0644 + with_items: + - spamassassin/local.cf + register: r2 notify: - Restart Amavis - name: Provision /etc/default/spamassassin lineinfile: dest=/etc/default/spamassassin - regexp='^(\s*#)?\s*{{ item.var }}=' - "line={{ item.var }}={{ item.value }}" + regexp='^(\\s*#)?\\s*{{ item.var }}\\s*=' + line='{{ item.var }}={{ item.value }}' owner=root group=root mode=0644 with_items: - { var: ENABLED, value: 0 } - { var: CRON, value: 1 } - name: Create a 'amavis' SQL user # This *must* be the user we run spamd as # See https://svn.apache.org/repos/asf/spamassassin/trunk/sql/README.bayes mysql_user2: > name=amavis password= auth_plugin=auth_socket priv="spamassassin.awl: SELECT,INSERT,UPDATE,DELETE /spamassassin.bayes_seen: SELECT,INSERT, DELETE /spamassassin.bayes_token: SELECT,INSERT,UPDATE,DELETE /spamassassin.bayes_global_vars: SELECT /spamassassin.bayes_vars: SELECT,INSERT,UPDATE,DELETE /spamassassin.bayes_expire: SELECT,INSERT, DELETE" state=present + register: r3 notify: - Restart Amavis + +- name: Start Amavis + service: name=amavis state=started + when: not (r1.changed or r2.changed or r3.changed) + +- meta: flush_handlers 
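Review bot: The new task "Copy SpamAssassin's configuration (2)" installs the rendered /etc/spamassassin/local.cf and leaves it to the Amavis restart to pick up, with no step that checks the file parses. That file now carries a trusted_networks list built from inventory variables, so a bad value changes which relays the filter trusts, and as far as I know SpamAssassin reports unparsable lines only in lint mode. I would add a task directly after the template task, before the handlers are flushed: `- name: Lint SpamAssassin's configuration`, `command: spamassassin --lint`, `changed_when: False`.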
diff --git a/roles/IMAP/files/etc/spamassassin/local.cf b/roles/IMAP/templates/etc/spamassassin/local.cf.j2
index 8ae4a4b..edef554 100644
--- a/roles/IMAP/files/etc/spamassassin/local.cf
+++ b/roles/IMAP/templates/etc/spamassassin/local.cf.j2
@@ -4,46 +4,48 @@ # tweaked. # # Only a small subset of options are listed below # ########################################################################### # Add *****SPAM***** to the Subject header of spam e-mails # rewrite_header Subject [*****SPAM*****] # Save spam messages as a message/rfc822 MIME attachment instead of # modifying the original message (0: off, 2: use text/plain instead) # report_safe 0 # Set which networks or hosts are considered 'trusted' by your mail # server (i.e. not spammers) # -# TODO: Unclear how to do with IPSec and dynamic IPs. clear_trusted_networks -trusted_networks 192.168.122.2 192.168.122.3 +trusted_networks 127.0.0.1/8 {{ ipsec_subnet }} {{ groups.MX | join(' ') }} +# MXes and internal relays should be listed in bouth trusted_networks +# and clear_internal_networks, cf. +# https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html clear_internal_networks -internal_networks 192.168.122.2 192.168.122.3 +internal_networks {{ groups.MX | join(' ') }} # Set file-locking method (flock is not safe over NFS, but is faster) # lock_method flock # Set the threshold at which a message is considered spam (default: 5.0) # required_score 5.0 # Use Bayesian classifier (default: 1) # use_bayes 1 # Bayesian classifier auto-learning (default: 1) # bayes_auto_learn 1 |
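Review bot: `{{ groups.MX | join(' ') }}` on the trusted_networks and internal_networks lines expands to inventory names, while both directives take IP addresses or CIDR blocks and do not resolve hostnames. If the MX group is not keyed by address (the inventory is not visible here), those entries would presumably be rejected and, after clear_internal_networks, the internal list would end up without the MXes, which changes which Received headers are believed. Map each host to its address before joining, or state the requirement in the template with `# groups.MX entries must be IP addresses or CIDR blocks, not hostnames`. The added comment should also read `both trusted_networks and internal_networks`; clear_internal_networks only resets the list.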