Configure the content filter.

Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new.
Each user has his/her amavis preferences, and own Bayes filter (to
maximize privacy).

One question remains, though: how to set spamassassin's trusted_networks
/ internal_networks / msa_networks? It seems not obivious to get it
write with IPSec and dynamic IPs.
(Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)

2 files changed, 38 insertions, 5 deletions

diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 06eb692..5c993fc 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -36,38 +36,51 @@
         dest=/var/lib/ldap/fripost/DB_CONFIG
         owner=openldap group=openldap
         mode=0600
   register: r2
   notify:
     # Not sure if required
     - Restart slapd
 
 - name: Create directory /etc/ldap/fripost
   file: path=/etc/ldap/fripost
         owner=root group=root
         state=directory
         mode=0755
 
 - name: Copy fripost database definition
   template: src=etc/ldap/database.ldif.j2
             dest=/etc/ldap/fripost/database.ldif
             owner=root group=root
             mode=0600
 
-- name: Copy fripost schema
-  copy: src=etc/ldap/schema/fripost.ldif
-        dest=/etc/ldap/schema/fripost.ldif
+- name: Copy fripost & amavis' schema
+  copy: src=etc/ldap/schema/{{ item }}
+        dest=/etc/ldap/schema/{{ item }}
         owner=root group=root
         mode=0644
+  # It'd certainly be nicer if we didn't have to deploy amavis' schema
+  # everywhere, but we need the 'objectClass' in our replicates, hence
+  # they need to be aware of the 'amavisAccount' class.
+  with_items:
+    - fripost.ldif
+    - amavis.schema
+  tags:
+    - amavis
 
 - name: Load fripost's schema and configure the database
   openldap: target=/etc/ldap/{{ item }} state=present
   with_items:
     - schema/fripost.ldif
-    # TODO load other required schemas *before* loading the database
     - fripost/database.ldif
 
+- name: Load amavis' schema
+  openldap: target=/etc/ldap/schema/amavis.schema state=present
+            format=slapd.conf name=amavis
+  tags:
+    - ldap
+
 - name: Start slapd
   service: name=slapd state=started
   when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index cf12f10..f76eb78 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -56,41 +56,47 @@ olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 # - http://www.openldap.org/faq/data/cache/136.html
 # - http://www.zytrax.com/books/ldap/apa/indeces.html
 #
 olcDbIndex: objectClass eq
 # Let us make Postfix's life easier. TODO: only if MX, lists.f.o, MDA, etc.
 olcDbIndex: fripostIsStatusActive,fvd,fvl,fripostLocalAlias eq
 olcDbIndex: fripostOptionalMaildrop pres
 # SyncProv/SyncRepl specific indexing.
 olcDbIndex: entryCSN,entryUUID eq
 #
 #
 ########################################################################
 ########################################################################
 # Sync Replication
 # TODO: replace the simple bind by Kerberos/GSSAPI
 #
 # References:
 # - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
 # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
 #
-{% if 'LDAP-provider' not in group_names %}
+{% if 'LDAP-provider' in group_names %}
+olcLimits: dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
+  time.soft=unlimited
+  time.hard=unlimited
+  size.soft=unlimited
+  size.hard=unlimited
+{% elif 'MX' in group_names %}
 olcSyncrepl: rid=000
   provider=ldap://{{ LDAP_provider }}
   type=refreshAndPersist
   retry="5 5 300 +"
   searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
   attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias,fripostPostmaster,fripostOwner
   scope=sub
   schemachecking=off
   bindmethod=simple
   binddn="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
   credentials=postfix
 {% endif %}
 #
 #
 ########################################################################
 ########################################################################
 # Access control
 # /!\ WARN: All modification to the ACL should be reflected to the test
 # /!\ suite as well!
 #
@@ -112,40 +118,54 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
         filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
     by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
     by realanonymous =rsd
     by users =0 break
 #
 # Postfix needs to look up lists' local aliases.
 olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry
     by realanonymous =s
     by users =0 break
 #
 # Search domain owners / postmasters (used by reserved-alias.pl).
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
         filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
     by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
     by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
     by users =0 break
 #
+# The following is required for the content filter
+{% if 'MDA' in group_names %}
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+        attrs=entry
+        filter=(&(objectClass=FripostVirtualDomain)(fripostIsStatusActive=TRUE))
+    by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =s
+    by users =0 break
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+        attrs=entry,objectClass,fvl,@AmavisAccount
+        filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
+    by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =rsd
+    by users =0 break
+{% endif %}
+#
 # Anonymous can authenticate into the services. (But not read or write the password.)
 olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org"
         attrs=userPassword
     by realanonymous =xd
 #
 # The following is required for SASL proxy Authorize the web application.
 olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,authzTo
     by realanonymous =x
 #
 # The following is required for Sync Replication.
 {% if 'LDAP-provider' in group_names %}
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
     by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
     by users =0 break
 {% endif %}
 #
 # 1. The WebPanel itself cannot bind, read or write passwords. This
 # guarantees that, if an attacker gains its priviledge, it will *not* be