Fix Amavis' Policy Banks.

It turns out that in a policy bank, a *_by_ccat doesn't replace the
default but is merely merged into the default (if the keys overlap,
those in the bank take precedence of course).  Hence it's pointless to
use CC_CATCHALL in a bank unless all the other keys have been
overridden, for instance.

Also, treat unchecked (eg, encrypted) mails as clean in the OUTGOING
Policy Bank.

1 files changed, 23 insertions, 20 deletions

diff --git a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2 b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
index 3595331..ae2031b 100644
--- a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
+++ b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
@@ -1,81 +1,83 @@
 use strict;
 # {{ ansible_managed }}
 # Do NOT edit this file directly!
 
 #
 # Place your configuration directives here.  They will override those in
 # earlier files.
 #
 # See /usr/share/doc/amavisd-new/ for documentation and examples of
 # the directives you can use in this file
 #
 
 # $max_servers: num of pre-forked children (2..30 is common). It *must*
 # match the number set in /etc/postfix/master.cf "maxproc" column for
 # the amavisfeed service.
 $max_servers = 5;
 $recipient_delimiter = '+';
 
 $mydomain = 'fripost.org';
 $X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
-undef $undecipherable_subject_tag;
 
 @mynetworks_maps = ();
 @remove_existing_spam_headers_maps = ();
 @bypass_virus_checks_maps = (); # load virus checking code
 
 
 $enable_dkim_verification = 1; # load DKIM signing/verifying code
 {% if 'out' not in group_names %}
 undef $enable_dkim_signing;
 @bypass_spam_checks_maps = (); # load spam checking code
 {% else %}
 $enable_dkim_signing = 1;
 # Sign *all* outgoing mails with *our* key (yes, amavis complains, but this is
 # safe as we force our domain with the 'd' tag).
 dkim_key(qr/./, '20140703', '/var/lib/dkim/20140703.'.$mydomain.'.key');
 @dkim_signature_options_bysender_maps = (
     { '.' => { d => $mydomain
              , a => 'rsa-sha256'
              , ttl => 21*24*3600
              , c => 'relaxed/simple' } } );
 # Conform to RFC 4871 and don't sign Received: headers.
 $signed_header_fields{received} = 0;
 {% endif %}
 
 
 
-# Defang viruses only
-%defang_maps_by_ccat = ( CC_VIRUS, 1
-                       , CC_CATCHALL, undef
+# Defang viruses and nothing else
+%defang_maps_by_ccat = ( &CC_VIRUS    => 1
+                       , &CC_CATCHALL => undef
                        );
 
+# Don't change the subject for unchecked messages (not by-recip)
+delete $subject_tag_maps_by_ccat{+CC_UNCHECKED};
+
 # Never BCC / DSN; don't forget to disallow setting amavisSpamDsnCutoffLevel
 # and amavis*Admin, also
-%always_bcc_by_ccat = ( CC_CATCHALL, undef );
-%dsn_bcc_by_ccat    = ( CC_CATCHALL, undef );
+%always_bcc_by_ccat = ( &CC_CATCHALL => undef );
+%dsn_bcc_by_ccat    = ( &CC_CATCHALL => undef );
 
 # Never warn sender or recipient; don't forget to disallow setting
 # amavisWarn*Recip, also
-%warnsender_by_ccat     = ( CC_CATCHALL, undef );
-%warnrecip_maps_by_ccat = ( CC_CATCHALL, undef );
+%warnsender_by_ccat     = ( &CC_CATCHALL => undef );
+%warnrecip_maps_by_ccat = ( &CC_CATCHALL => undef );
 
 
 # A couple of common banned rules one might can refer by their name
 %banned_rules = (
   'NO-MS-EXEC'=> new_RE( qr/^\.exe-ms$/ ),
   'PASSALL'   => new_RE( [qr/^/ => 0] ),
   'ALLOW_EXE' => new_RE( qr/.\.(vbs|pif|scr|bat)$/i, [qr/^\.exe$/ => 0] ),
   'ALLOW_VBS' => new_RE( [qr/.\.vbs$/ => 0] ),
 );
 
 
 {% if 'MDA' in group_names %}
 $enable_ldap  = 1; # Load Net::LDAP
 $default_ldap = {
     hostname      => 'ldapi://',
     sasl          => 1,
     sasl_mech     => 'EXTERNAL',
     deref         => 'never',
     timeout       => 5,
     scope         => 'one',
@@ -131,55 +133,56 @@ $sa_quarantine_cutoff_level = undef;
 
 
 # Mandatory DKIM signing and virus checking only
 $policy_bank{'OUTGOING'} = {
   originating              => 1,
   enable_dkim_verification => 0,
   smtpd_greeting_banner    => '${helo-name} ${protocol} ${product} OUTGOING service ready',
   forward_method           => $forward_method,
 
   # No black or white lists
   message_size_limit_maps => [],
   whitelist_sender_maps   => [],
   blacklist_sender_maps   => [],
 
   # Check for viruses (regardless of the recipient), but bypass all other checks
   bypass_virus_checks_maps  => undef,
   bypass_banned_checks_maps => 1,
   bypass_header_checks_maps => 1,
   bypass_spam_checks_maps   => 1,
 
-  # If found, notify postmaster, quarantine, then discard
-  quarantine_to_maps_by_ccat => { CC_VIRUS, [$virus_quarantine_to],     CC_CATCHALL, undef  },
-  quarantine_method_by_ccat  => { CC_VIRUS, [$virus_quarantine_method], CC_CATCHALL, undef  },
-  admin_maps_by_ccat         => { CC_VIRUS, ["postmaster\@$mydomain"],  CC_CATCHALL, undef  },
-  addr_extension_maps_by_ccat=> {                                       CC_CATCHALL, undef  },
-  lovers_maps_by_ccat        => { CC_VIRUS, undef,                      CC_CATCHALL, 1      }, 
-  final_destiny_by_ccat      => { CC_VIRUS, D_DISCARD,                  CC_CATCHALL, D_PASS },
+  # If a virus is found, notify postmaster, quarantine, then discard.
+  # Treat unchecked mails (eg, encrypted) as clean.
+  quarantine_to_maps_by_ccat => { &CC_VIRUS => [$virus_quarantine_to],     &CC_UNCHECKED => undef, &CC_CLEAN => undef       },
+  quarantine_method_by_ccat  => { &CC_VIRUS => [$virus_quarantine_method], &CC_UNCHECKED => undef, &CC_CLEAN => undef       },
+  admin_maps_by_ccat         => { &CC_VIRUS => ["postmaster\@$mydomain"],  &CC_UNCHECKED => undef                           },
+  lovers_maps_by_ccat        => { &CC_VIRUS => undef,                      &CC_UNCHECKED => 1                               },
+  final_destiny_by_ccat      => { &CC_VIRUS => D_DISCARD,                  &CC_UNCHECKED => D_PASS, &CC_OVERSIZED => D_PASS },
 };
 
 $policy_bank{'INCOMING'} = {
   originating              => 0,
   enable_dkim_verification => 1,
   smtpd_greeting_banner    => '${helo-name} ${protocol} ${product} INCOMING service ready',
   forward_method           => $forward_method,
   message_size_limit_maps  => [],
 
   # Per-recipient Bayes Database
   sa_username_maps => [ new_RE ( [ qr/^(.+\@.+)$/ => '$1' ] )
                       , 'amavis' # catch-all
                       ],
 
-  # Never quarantine
+  # Never quarantine, and never notify.
   # (Remember to disallow setting amavisSpamQuarantineCutoffLevel and
   # amavisVirusQuarantine*To in the LDAP schema.)
-  quarantine_method_by_ccat => { CC_CATCHALL, undef },
-  admin_maps_by_ccat        => { CC_CATCHALL, undef },
+  # XXX: users might want to quarantine messages and get a notification instead
+  quarantine_method_by_ccat => { map {$_ => undef} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_BADH, CC_CLEAN) },
+  admin_maps_by_ccat        => { map {$_ => undef} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_BADH          ) },
 
   # Always deliver messages
-  final_destiny_by_ccat => { CC_CATCHALL, D_PASS },
-  lovers_maps_by_ccat   => { CC_CATCHALL, 1      },
+  final_destiny_by_ccat  => { map {$_ => D_PASS} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM,            CC_BADH) },
+  lovers_maps_by_ccat    => { map {$_ => 1     } (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_SPAMMY, CC_BADH) },
 };
 
 #------------ Do not modify anything below this line -------------
 1;  # ensure a defined return
 # vim: set filetype=perl :