authorGuilhem Moulin <guilhem@fripost.org>2014-07-03 04:26:26 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:20 +0200
commit1c357b55931a0d4fbd15d51d61ec4e81d4f38aa5 (patch)
treed5f37b52487f75c3ffe40a39c94ea570c32816a5 /roles/IMAP
parentdfe8b222dc5067e1019d7ab5744df55b2c314ce8 (diff)
Install amavisd-new on the outgoing SMTP proxy.
For DKIM signing and virus checking.
Diffstat (limited to 'roles/IMAP')
-rw-r--r--roles/IMAP/files/etc/amavis/conf.d/05-domain_id20
-rw-r--r--roles/IMAP/handlers/main.yml3
-rw-r--r--roles/IMAP/tasks/amavis.yml56
-rw-r--r--roles/IMAP/tasks/main.yml1
-rw-r--r--roles/IMAP/tasks/spam.yml3
-rw-r--r--roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j229
-rw-r--r--roles/IMAP/templates/etc/amavis/conf.d/50-user.j2135
7 files changed, 3 insertions, 244 deletions
diff --git a/roles/IMAP/files/etc/amavis/conf.d/05-domain_id b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id
deleted file mode 100644
index 19f10ed..0000000
--- a/roles/IMAP/files/etc/amavis/conf.d/05-domain_id
+++ /dev/null
@@ -1,20 +0,0 @@
-use strict;
-
-# $mydomain is used just for convenience in the config files and it is not
-# used internally by amavisd-new except in the default X_HEADER_LINE (which
-# Debian overrides by default anyway).
-
-$mydomain = "fripost.org";
-
-# amavisd-new needs to know which email domains are to be considered local
-# to the administrative domain. Only emails to "local" domains are subject
-# to certain functionality, such as the addition of spam tags.
-#
-# Default local domains to $mydomain and all subdomains. Remember to
-# override or redefine this if $mydomain is changed later in the config
-# sequence.
-
-@local_domains_acl = ( ".$mydomain" );
-@local_domains_maps = ( ".$mydomain" );
-
-1; # ensure a defined return
diff --git a/roles/IMAP/handlers/main.yml b/roles/IMAP/handlers/main.yml
index bda2ab9..c14468a 100644
--- a/roles/IMAP/handlers/main.yml
+++ b/roles/IMAP/handlers/main.yml
@@ -8,9 +8,6 @@
- name: Reload Postfix
service: name=postfix state=reloaded
-- name: Restart ClamAV
- service: name=clamav-daemon state=restarted
-
- name: Compile Spamassassin rules
sudo_user: debian-spamd
# it might take a while...
diff --git a/roles/IMAP/tasks/amavis.yml b/roles/IMAP/tasks/amavis.yml
deleted file mode 100644
index 6f47328..0000000
--- a/roles/IMAP/tasks/amavis.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-- name: Install amavis and its decoders
- apt: pkg={{ item }}
- with_items:
- - amavisd-new
- - libnet-ldap-perl
- - libauthen-sasl-perl
- - gzip
- - bzip2
- - xz-utils
- - lzop
- - rpm2cpio
- - pax
- - binutils
- - p7zip-full
- - unrar-free
- - arj
- - nomarch
- - zoo
- - ripole
- - cabextract
- - unar
- - tnef
- notify:
- - Restart Amavis
-
-- name: Add 'clamav' to the group 'amavis'
- user: name=clamav groups=amavis append=yes
- register: r1
- notify:
- - Restart ClamAV
- - Restart Amavis
-
-- name: Configure Amavis (1)
- copy: src=etc/amavis/conf.d/05-domain_id
- dest=/etc/amavis/conf.d/05-domain_id
- owner=root group=root
- mode=0644
- register: r2
- notify:
- - Restart Amavis
-
-- name: Configure Amavis (2)
- template: src=etc/amavis/conf.d/{{ item }}.j2
- dest=/etc/amavis/conf.d/{{ item }}
- owner=root group=root
- mode=0644
- register: r3
- with_items:
- - 15-content_filter_mode
- - 50-user
- notify:
- - Restart Amavis
-
-- name: Start Amavis
- service: name=amavis state=started
- when: not (r1.changed or r2.changed or r3.changed)
diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml
index b43f9fb..c6fbbd9 100644
--- a/roles/IMAP/tasks/main.yml
+++ b/roles/IMAP/tasks/main.yml
@@ -1,5 +1,4 @@
---
- include: imap.yml tags=imap,dovecot
- include: mda.yml tags=mda,mail,postfix
-- include: amavis.yml tags=amavis
- include: spam.yml tags=spam,spamassassin
diff --git a/roles/IMAP/tasks/spam.yml b/roles/IMAP/tasks/spam.yml
index 51fde4b..a8fbe71 100644
--- a/roles/IMAP/tasks/spam.yml
+++ b/roles/IMAP/tasks/spam.yml
@@ -1,6 +1,9 @@
- name: Install spamassassin
apt: pkg={{ item }}
with_items:
+ # The following two lines are for the policy lookup (made by amavis)
+ - libnet-ldap-perl
+ - libauthen-sasl-perl
- razor
- spamassassin
- spamc
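Review bot: The comment added above `libnet-ldap-perl` and `libauthen-sasl-perl` attributes these packages to amavis, but this commit (in the roles/IMAP-limited view shown here) deletes the amavis tasks and configuration from this role, so a reader of spam.yml cannot tell which service on these hosts still performs the LDAP policy lookup. If amavis is now installed by another role applied to the same hosts, the comment should say so, for example `# Net::LDAP and Authen::SASL: required by amavis (installed by another role) for its LDAP policy lookup`. If nothing on the host loads these modules any more, dropping the two entries keeps the package footprint of the mail store smaller. The `with_items` list may continue outside the hunk.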
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2
deleted file mode 100644
index cde0452..0000000
--- a/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2
+++ /dev/null
@@ -1,29 +0,0 @@
-use strict;
-
-# You can modify this file to re-enable SPAM checking through spamassassin
-# and to re-enable antivirus checking.
-
-#
-# Default antivirus checking mode
-# Please note, that anti-virus checking is DISABLED by
-# default.
-# If You wish to enable it, please uncomment the following lines:
-
-
-@bypass_virus_checks_maps = (
- \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
-
-
-#
-# Default SPAM checking mode
-# Please note, that anti-spam checking is DISABLED by
-# default.
-# If You wish to enable it, please uncomment the following lines:
-
-
-{% if 'MDA' in group_names -%}
-@bypass_spam_checks_maps = (
- \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
-{% endif %}
-
-1; # ensure a defined return
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
deleted file mode 100644
index b3ae7a9..0000000
--- a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
+++ /dev/null
@@ -1,135 +0,0 @@
-use strict;
-
-#
-# Place your configuration directives here. They will override those in
-# earlier files.
-#
-# See /usr/share/doc/amavisd-new/ for documentation and examples of
-# the directives you can use in this file
-#
-
-# $max_servers: num of pre-forked children (2..30 is common). It *must*
-# match the number set in /etc/postfix/master.cf "maxproc" column for
-# the amavisfeed service.
-$max_servers = 2;
-
-# list your internal networks
-@mynetworks = qw( 127.0.0.0/8 172.16.0.1/32 );
-
-
-# Always deliver messages (force *_lovers_maps to [1])
-$final_virus_destiny = D_PASS;
-$final_banned_destiny = D_PASS;
-$final_unchecked_destiny = D_PASS;
-$final_spam_destiny = D_PASS;
-$final_bad_header_destiny = D_PASS;
-$final_destiny_by_ccat{&CC_OVERSIZED} = D_PASS;
-
-%lovers_maps_by_ccat = (
- CC_CATCHALL, 1,
-);
-
-
-# Disable quarantine (force *_quarantine_to_maps to [1]; don't forget to
-# disable setting amavisSpamQuarantineCutoffLevel and amavisVirusQuarantine*To,
-# also)
-$QUARANTINEDIR = undef;
-%quarantine_method_by_ccat = (
- CC_CATCHALL, undef,
-);
-%admin_maps_by_ccat = (
- CC_CATCHALL, undef,
-);
-
-undef $undecipherable_subject_tag;
-
-# Defang virus only
-%defang_maps_by_ccat = (
- CC_VIRUS, 1,
- CC_CATCHALL, undef,
-);
-
-# Never BCC / DSN; don't forget to disallow setting amavisSpamDsnCutoffLevel
-# and amavis*Admin, also
-%always_bcc_by_ccat = (
- CC_CATCHALL, undef,
-);
-%dsn_bcc_by_ccat = (
- CC_CATCHALL, undef,
-);
-
-# Never warn sender / recipient; don't forget to disallow setting
-# amavisWarn*Recip, also
-%warnsender_by_ccat = ( # deprecated use, except perhaps for CC_BADH
- CC_CATCHALL, undef,
-);
-%warnrecip_maps_by_ccat = (
- CC_CATCHALL, undef,
-);
-
-@message_size_limit_maps = (); # per-recipient limits
-
-
-%banned_rules = (
- 'NO-MS-EXEC'=> new_RE( qr'^\.exe-ms$' ),
- 'PASSALL' => new_RE( [qr'^' => 0] ),
- 'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
- 'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ),
-);
-
-
-$enable_ldap = 1;
-$default_ldap = {
- hostname => 'ldapi://',
- sasl => 1,
- sasl_mech => 'EXTERNAL',
- deref => 'never',
- timeout => 5,
- scope => 'one',
- base => 'fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org',
- # XXX: ideally we would use %u in the base and the query_filter, but
- # it's not supported as of amavis 2.7 (see the 'lookup_ldap'
- # subroutine in /usr/sbin/amavisd-new)
- query_filter => '(&(objectClass=amavisAccount)(ObjectClass=FripostVirtualUser)(fvl=%m))'
-};
-
-
-$recipient_delimiter = '+';
-$enable_dkim_verification = 1; # enable DKIM signatures verification
-
-
-# Per-recipient Bayes Database.
-@sa_username_maps = (
- new_RE ( [ qr'^(.+@[^@]+)$'i => '$1' ] ),
- 'amavis' # catch-all
-);
-
-# http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex
-
-$inet_socket_port = 10041;
-
-$interface_policy{'10041'} = 'INBOUND';
-
-{% if 'out' in group_names %}
-$notify_method = 'smtp:[127.0.0.1]:{{ postfix_instance.out.port }}';
-{% else %}
-$notify_method = 'smtp:[outgoing.fripost.org]:{{ postfix_instance.out.port }}';
-{% endif %}
-$forward_method = 'lmtp:/var/run/dovecot/lmtp';
-$requeue_method = $forward_method;
-
-$sa_tag_level_deflt = undef;
-$sa_tag2_level_deflt = 5;
-$sa_kill_level_deflt = 5;
-$sa_dsn_cutoff_level = undef;
-$sa_quarantine_cutoff_level = undef;
-
-$policy_bank{'INBOUND'} = {
- originating => 0, # indicates a remote client, allows checking
- smtpd_greeting_banner =>
- '${helo-name} ${protocol} ${product} INBOUND service ready',
- mynetworks_maps => [], # avoids loading MYNETS policy unnecessarily
-};
-
-#------------ Do not modify anything below this line -------------
-1; # ensure a defined return