authorGuilhem Moulin <guilhem@fripost.org>2013-12-09 08:11:16 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:17 +0200
commit7c089f71667a1a14cc508772ca289d4d1d2edd27 (patch)
tree2858164a1015603ebb8f2478b920e84a7dd62dd6 /roles
parent185cf14065554038820c696e7d35f47017b43783 (diff)
Configure the content filter.
Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obvious to get it right with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
Diffstat (limited to 'roles')
-rw-r--r--roles/IMAP/files/etc/amavis/conf.d/05-domain_id20
-rw-r--r--roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf4
-rw-r--r--roles/IMAP/files/etc/spamassassin/local.cf118
-rw-r--r--roles/IMAP/files/etc/spamassassin/v310.pre78
-rw-r--r--roles/IMAP/files/tmp/spamassassin.sql57
-rw-r--r--roles/IMAP/handlers/main.yml19
-rw-r--r--roles/IMAP/tasks/amavis.yml56
-rw-r--r--roles/IMAP/tasks/main.yml2
-rw-r--r--roles/IMAP/tasks/spam.yml51
-rw-r--r--roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j229
-rw-r--r--roles/IMAP/templates/etc/amavis/conf.d/50-user.j2135
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j23
-rw-r--r--roles/common-LDAP/tasks/main.yml21
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j222
14 files changed, 607 insertions, 8 deletions
diff --git a/roles/IMAP/files/etc/amavis/conf.d/05-domain_id b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id
new file mode 100644
index 0000000..19f10ed
--- /dev/null
+++ b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id
@@ -0,0 +1,20 @@
+use strict;
+
+# $mydomain is used just for convenience in the config files and it is not
+# used internally by amavisd-new except in the default X_HEADER_LINE (which
+# Debian overrides by default anyway).
+
+$mydomain = "fripost.org";
+
+# amavisd-new needs to know which email domains are to be considered local
+# to the administrative domain. Only emails to "local" domains are subject
+# to certain functionality, such as the addition of spam tags.
+#
+# Default local domains to $mydomain and all subdomains. Remember to
+# override or redefine this if $mydomain is changed later in the config
+# sequence.
+
+@local_domains_acl = ( ".$mydomain" );
+@local_domains_maps = ( ".$mydomain" );
+
+1; # ensure a defined return
diff --git a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
index 6ea944f..3a97841 100644
--- a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
+++ b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
@@ -3,6 +3,6 @@ version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = none
-query_filter = (&(ObjectClass=AmavisAccount)(fvl=%u))
+query_filter = (&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fvl=%u))
result_attribute = fvl
-result_format = amavisfeed:unix:public/amavisfeed-contentfilter
+result_format = amavisfeed:[127.0.0.1]:10041
diff --git a/roles/IMAP/files/etc/spamassassin/local.cf b/roles/IMAP/files/etc/spamassassin/local.cf
new file mode 100644
index 0000000..8ae4a4b
--- /dev/null
+++ b/roles/IMAP/files/etc/spamassassin/local.cf
@@ -0,0 +1,118 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# Only a small subset of options are listed below
+#
+###########################################################################
+
+# Add *****SPAM***** to the Subject header of spam e-mails
+#
+rewrite_header Subject [*****SPAM*****]
+
+
+# Save spam messages as a message/rfc822 MIME attachment instead of
+# modifying the original message (0: off, 2: use text/plain instead)
+#
+report_safe 0
+
+
+# Set which networks or hosts are considered 'trusted' by your mail
+# server (i.e. not spammers)
+#
+# TODO: Unclear how to do with IPSec and dynamic IPs.
+clear_trusted_networks
+trusted_networks 192.168.122.2 192.168.122.3
+
+clear_internal_networks
+internal_networks 192.168.122.2 192.168.122.3
+
+
+# Set file-locking method (flock is not safe over NFS, but is faster)
+#
+lock_method flock
+
+
+# Set the threshold at which a message is considered spam (default: 5.0)
+#
+required_score 5.0
+
+
+# Use Bayesian classifier (default: 1)
+#
+use_bayes 1
+
+
+# Bayesian classifier auto-learning (default: 1)
+#
+bayes_auto_learn 1
+bayes_auto_expire 0
+
+
+# Enable or disable network checks
+#
+# http://en.linuxreviews.org/Spam_blacklists
+# The best bets are zen.spamhaus.org and bl.spamcop.net .
+skip_rbl_checks 0
+use_razor2 1
+use_pyzor 0
+use_auto_whitelist 1
+
+# http://www.spamtips.org/2011/01/disable-dnsfromahblrhsbl.html
+score DNS_FROM_AHBL_RHSBL 0
+# http://www.spamtips.org/2011/01/disable-rfc-ignorantorg-rules.html
+score __RFC_IGNORANT_ENVFROM 0
+score DNS_FROM_RFC_DSN 0
+score DNS_FROM_RFC_BOGUSMX 0
+score __DNS_FROM_RFC_POST 0
+score __DNS_FROM_RFC_ABUSE 0
+score __DNS_FROM_RFC_WHOIS 0
+
+# Set headers which may provide inappropriate cues to the Bayesian
+# classifier
+#
+# bayes_ignore_header X-Bogosity
+# bayes_ignore_header X-Spam-Flag
+# bayes_ignore_header X-Spam-Status
+
+
+# Some shortcircuiting, if the plugin is enabled
+#
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+# default: strongly-whitelisted mails are *really* whitelisted now, if the
+# shortcircuiting plugin is active, causing early exit to save CPU load.
+# Uncomment to turn this on
+#
+# shortcircuit USER_IN_WHITELIST on
+# shortcircuit USER_IN_DEF_WHITELIST on
+# shortcircuit USER_IN_ALL_SPAM_TO on
+# shortcircuit SUBJECT_IN_WHITELIST on
+
+# the opposite; blacklisted mails can also save CPU
+#
+# shortcircuit USER_IN_BLACKLIST on
+# shortcircuit USER_IN_BLACKLIST_TO on
+# shortcircuit SUBJECT_IN_BLACKLIST on
+
+# if you have taken the time to correctly specify your "trusted_networks",
+# this is another good way to save CPU
+#
+# shortcircuit ALL_TRUSTED on
+
+# and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99 spam
+# shortcircuit BAYES_00 ham
+
+endif # Mail::SpamAssassin::Plugin::Shortcircuit
+
+
+bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
+bayes_sql_dsn DBI:mysql:spamassassin
+bayes_sql_username amavis
+
+auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
+user_awl_dsn DBI:mysql:spamassassin
+user_awl_sql_username amavis
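Review bot: `bayes_auto_learn 1` combined with `bayes_auto_expire 0` means the bayes_token rows only ever grow, since nothing in this file or in the tasks of this commit runs an expiry, and with one Bayes database per recipient that growth is multiplied by the number of users. If expiry is meant to happen out of band, a comment next to `bayes_auto_expire 0` saying where it runs (for instance a periodic `sa-learn --force-expire` per user) would make that visible; otherwise leaving auto-expire at its default is the simpler choice. The hard-coded `trusted_networks`/`internal_networks` lists are already marked TODO here and in the commit message, so nothing more to add on that.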
diff --git a/roles/IMAP/files/etc/spamassassin/v310.pre b/roles/IMAP/files/etc/spamassassin/v310.pre
new file mode 100644
index 0000000..bff0bbf
--- /dev/null
+++ b/roles/IMAP/files/etc/spamassassin/v310.pre
@@ -0,0 +1,78 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# This file was installed during the installation of SpamAssassin 3.1.0,
+# and contains plugin loading commands for the new plugins added in that
+# release. It will not be overwritten during future SpamAssassin installs,
+# so you can modify it to enable some disabled-by-default plugins below,
+# if you so wish.
+#
+# There are now multiple files read to enable plugins in the
+# /etc/mail/spamassassin directory; previously only one, "init.pre" was
+# read. Now both "init.pre", "v310.pre", and any other files ending in
+# ".pre" will be read. As future releases are made, new plugins will be
+# added to new files, named according to the release they're added in.
+###########################################################################
+
+# DCC - perform DCC message checks.
+#
+# DCC is disabled here because it is not open source. See the DCC
+# license for more details.
+#
+#loadplugin Mail::SpamAssassin::Plugin::DCC
+
+# Pyzor - perform Pyzor message checks.
+#
+loadplugin Mail::SpamAssassin::Plugin::Pyzor
+
+# Razor2 - perform Razor2 message checks.
+#
+loadplugin Mail::SpamAssassin::Plugin::Razor2
+
+# SpamCop - perform SpamCop message reporting
+#
+loadplugin Mail::SpamAssassin::Plugin::SpamCop
+
+# AntiVirus - some simple anti-virus checks, this is not a replacement
+# for an anti-virus filter like Clam AntiVirus
+#
+#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
+
+# AWL - do auto-whitelist checks
+#
+loadplugin Mail::SpamAssassin::Plugin::AWL
+
+# AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning
+#
+loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
+
+# TextCat - language guesser
+#
+#loadplugin Mail::SpamAssassin::Plugin::TextCat
+
+# AccessDB - lookup from-addresses in access database
+#
+#loadplugin Mail::SpamAssassin::Plugin::AccessDB
+
+# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions
+#
+loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
+
+###########################################################################
+# experimental plugins
+
+# DomainKeys - perform DomainKeys verification
+#
+# This plugin has been removed as of v3.3.0. Use the DKIM plugin instead,
+# which supports both Domain Keys and DKIM.
+
+# MIMEHeader - apply regexp rules against MIME headers in the message
+#
+loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
+
+# ReplaceTags
+#
+loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
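Review bot: `loadplugin Mail::SpamAssassin::Plugin::Pyzor` is enabled here while local.cf in the same commit sets `use_pyzor 0` and spam.yml installs `razor` but no pyzor package, so the plugin is loaded for nothing. Commenting it out like the other unused plugins in this file, `#loadplugin Mail::SpamAssassin::Plugin::Pyzor`, keeps the three files in agreement; if it is kept on purpose for a later switch, a one-line comment saying so would avoid the question.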
diff --git a/roles/IMAP/files/tmp/spamassassin.sql b/roles/IMAP/files/tmp/spamassassin.sql
new file mode 100644
index 0000000..ed2e641
--- /dev/null
+++ b/roles/IMAP/files/tmp/spamassassin.sql
@@ -0,0 +1,57 @@
+-- Sources: https://svn.apache.org/repos/asf/spamassassin/trunk/sql/awl_mysql.sql
+-- https://svn.apache.org/repos/asf/spamassassin/trunk/sql/bayes_mysql.sql
+
+CREATE TABLE awl (
+ username VARCHAR(100) NOT NULL DEFAULT '',
+ email VARBINARY(255) NOT NULL DEFAULT '',
+ ip VARCHAR(40) NOT NULL DEFAULT '',
+ count INT(11) NOT NULL DEFAULT 0,
+ totscore FLOAT NOT NULL DEFAULT 0,
+ signedby VARCHAR(255) NOT NULL DEFAULT '',
+ PRIMARY KEY (username,email,signedby,ip)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_expire (
+ id INT(11) NOT NULL DEFAULT 0,
+ runtime INT(11) NOT NULL DEFAULT 0,
+ KEY bayes_expire_idx1 (id)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_global_vars (
+ variable VARCHAR(30) NOT NULL default '',
+ value VARCHAR(200) NOT NULL default '',
+ PRIMARY KEY (variable)
+) ENGINE=InnoDB;
+INSERT INTO bayes_global_vars VALUES ('VERSION','3');
+
+CREATE TABLE bayes_seen (
+ id INT(11) NOT NULL DEFAULT 0,
+ msgid VARCHAR(200) BINARY NOT NULL DEFAULT '',
+ flag CHAR(1) NOT NULL DEFAULT '',
+ PRIMARY KEY (id,msgid)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_token (
+ id INT(11) NOT NULL DEFAULT 0,
+ token BINARY(5) NOT NULL DEFAULT '',
+ spam_count INT(11) NOT NULL DEFAULT 0,
+ ham_count INT(11) NOT NULL DEFAULT 0,
+ atime INT(11) NOT NULL DEFAULT 0,
+ PRIMARY KEY (id, token),
+ INDEX bayes_token_idx1 (id, atime)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_vars (
+ id INT(11) NOT NULL AUTO_INCREMENT,
+ username VARCHAR(200) NOT NULL DEFAULT '',
+ spam_count INT(11) NOT NULL DEFAULT 0,
+ ham_count INT(11) NOT NULL DEFAULT 0,
+ token_count INT(11) NOT NULL DEFAULT 0,
+ last_expire INT(11) NOT NULL DEFAULT 0,
+ last_atime_delta INT(11) NOT NULL DEFAULT 0,
+ last_expire_reduce INT(11) NOT NULL DEFAULT 0,
+ oldest_token_age INT(11) NOT NULL DEFAULT 2147483647,
+ newest_token_age INT(11) NOT NULL DEFAULT 0,
+ PRIMARY KEY (id),
+ UNIQUE bayes_vars_idx1 (username)
+) ENGINE=InnoDB;
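Review bot: `awl.username` is `VARCHAR(100)` while `bayes_vars.username` is `VARCHAR(200)`, and the usernames stored in both are full recipient addresses (50-user.j2 in this commit maps the SpamAssassin username to the address), which can exceed 100 characters. In non-strict MySQL mode such an address is silently truncated in awl, and in strict mode the insert fails. Widening the column to match, `username VARCHAR(200) NOT NULL DEFAULT '',`, keeps the two tables consistent.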
diff --git a/roles/IMAP/handlers/main.yml b/roles/IMAP/handlers/main.yml
index 2e54251..9bd7dab 100644
--- a/roles/IMAP/handlers/main.yml
+++ b/roles/IMAP/handlers/main.yml
@@ -7,3 +7,22 @@
- name: Reload Postfix
service: name=postfix state=reloaded
+
+- name: Restart ClamAV
+ service: name=clamav-daemon state=restarted
+
+- name: Restart Amavis
+ service: name=amavis state=restarted
+
+- name: Copy SQL tables for spamassassin
+ copy: src=tmp/spamassassin.sql
+ dest=/tmp/spamassassin.sql
+ owner=root group=root
+ mode=0600
+
+- name: Create SQL tables for spamassassin
+ # see https://svn.apache.org/repos/asf/spamassassin/trunk/sql/
+ # for the original
+ mysql_db: name=spamassassin state=import
+ target=/tmp/spamassassin.sql
+ encoding=latin1 collation=latin1_unicode_ci
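Review bot: The import handler passes `collation=latin1_unicode_ci` while the `Create a 'spamassassin' database` task in spam.yml creates the database with `collation=latin1_general_ci`; the two should name the same collation. In older mysql_db versions `encoding`/`collation` are only applied when the database is created, so the values on the import line are presumably inert and the effective collation is the one from spam.yml — either way, picking one value and using it in both places removes the ambiguity. The SQL file is also staged in the shared `/tmp`; copying it to a root-owned directory (or importing straight from the role's own path) avoids depending on the state of a world-writable directory between the copy and the import.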
diff --git a/roles/IMAP/tasks/amavis.yml b/roles/IMAP/tasks/amavis.yml
new file mode 100644
index 0000000..6f47328
--- /dev/null
+++ b/roles/IMAP/tasks/amavis.yml
@@ -0,0 +1,56 @@
+- name: Install amavis and its decoders
+ apt: pkg={{ item }}
+ with_items:
+ - amavisd-new
+ - libnet-ldap-perl
+ - libauthen-sasl-perl
+ - gzip
+ - bzip2
+ - xz-utils
+ - lzop
+ - rpm2cpio
+ - pax
+ - binutils
+ - p7zip-full
+ - unrar-free
+ - arj
+ - nomarch
+ - zoo
+ - ripole
+ - cabextract
+ - unar
+ - tnef
+ notify:
+ - Restart Amavis
+
+- name: Add 'clamav' to the group 'amavis'
+ user: name=clamav groups=amavis append=yes
+ register: r1
+ notify:
+ - Restart ClamAV
+ - Restart Amavis
+
+- name: Configure Amavis (1)
+ copy: src=etc/amavis/conf.d/05-domain_id
+ dest=/etc/amavis/conf.d/05-domain_id
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart Amavis
+
+- name: Configure Amavis (2)
+ template: src=etc/amavis/conf.d/{{ item }}.j2
+ dest=/etc/amavis/conf.d/{{ item }}
+ owner=root group=root
+ mode=0644
+ register: r3
+ with_items:
+ - 15-content_filter_mode
+ - 50-user
+ notify:
+ - Restart Amavis
+
+- name: Start Amavis
+ service: name=amavis state=started
+ when: not (r1.changed or r2.changed or r3.changed)
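Review bot: The decoder list in `Install amavis and its decoders` (arj, zoo, nomarch, unrar-free, ripole, cabextract, …) is the set of parsers amavis will run against attachments from arbitrary senders, and several of them handle formats that are rarely seen in mail today; a short comment on why each is wanted, and dropping those this site does not need, keeps the exposed surface deliberate rather than inherited. Separately, `Restart ClamAV` assumes `clamav-daemon` is installed by a task outside this file; if it is not, the handler fails the first time the group membership changes, so a comment pointing at where ClamAV is installed would help the next reader.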
diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml
index df21dd2..b43f9fb 100644
--- a/roles/IMAP/tasks/main.yml
+++ b/roles/IMAP/tasks/main.yml
@@ -1,3 +1,5 @@
---
- include: imap.yml tags=imap,dovecot
- include: mda.yml tags=mda,mail,postfix
+- include: amavis.yml tags=amavis
+- include: spam.yml tags=spam,spamassassin
diff --git a/roles/IMAP/tasks/spam.yml b/roles/IMAP/tasks/spam.yml
new file mode 100644
index 0000000..d326656
--- /dev/null
+++ b/roles/IMAP/tasks/spam.yml
@@ -0,0 +1,51 @@
+- name: Install spamassassin
+ apt: pkg={{ item }}
+ with_items:
+ - razor
+ - spamassassin
+ - spamc
+ - libdbi-perl
+ notify:
+ - Restart Amavis
+
+- name: Create a 'spamassassin' database
+ mysql_db: name=spamassassin state=present
+ encoding=latin1 collation=latin1_general_ci
+ notify:
+ - Copy SQL tables for spamassassin
+ - Create SQL tables for spamassassin
+
+- meta: flush_handlers
+
+- name: Copy SpamAssassin's configuration
+ copy: src=etc/{{ item }}
+ dest=/etc/{{ item }}
+ owner=root group=root
+ mode=0644
+ with_items:
+ - spamassassin/local.cf
+ - spamassassin/v310.pre
+ notify:
+ - Restart Amavis
+
+- name: Ensure SpamAssassin is not auto-started at boot time
+ lineinfile: dest=/etc/default/spamassassin
+ regexp='^(\s*#)?\s*ENABLED='
+ line='ENABLED=0'
+ owner=root group=root
+ mode=0644
+
+- name: Create a 'amavis' SQL user
+ # This *must* be the user we run spamd as
+ # See https://svn.apache.org/repos/asf/spamassassin/trunk/sql/README.bayes
+ mysql_user: >
+ name=amavis auth_plugin=auth_socket
+ priv="spamassassin.awl: SELECT,INSERT,UPDATE,DELETE
+ /spamassassin.bayes_seen: SELECT,INSERT, DELETE
+ /spamassassin.bayes_token: SELECT,INSERT,UPDATE,DELETE
+ /spamassassin.bayes_global_vars: SELECT
+ /spamassassin.bayes_vars: SELECT,INSERT,UPDATE,DELETE
+ /spamassassin.bayes_expire: SELECT,INSERT, DELETE"
+ state=present
+ notify:
+ - Restart Amavis
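Review bot: The `priv=` value in `Create a 'amavis' SQL user` is a folded (`>`) scalar, so each `/spamassassin.…` segment ends up preceded by a space and `INSERT, DELETE` carries a space before `DELETE`; whether that works depends on mysql_user stripping whitespace around table and privilege names when it unpacks the string, which not every version does. Writing the segments with no surrounding whitespace, e.g. `priv="spamassassin.awl:SELECT,INSERT,UPDATE,DELETE/spamassassin.bayes_seen:SELECT,INSERT,DELETE/…"`, avoids relying on that. `auth_plugin=auth_socket` means no password is stored for the user, which is consistent with local.cf giving only `bayes_sql_username`/`user_awl_sql_username`.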
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2
new file mode 100644
index 0000000..cde0452
--- /dev/null
+++ b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2
@@ -0,0 +1,29 @@
+use strict;
+
+# You can modify this file to re-enable SPAM checking through spamassassin
+# and to re-enable antivirus checking.
+
+#
+# Default antivirus checking mode
+# Please note, that anti-virus checking is DISABLED by
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+@bypass_virus_checks_maps = (
+ \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+
+#
+# Default SPAM checking mode
+# Please note, that anti-spam checking is DISABLED by
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+{% if 'MDA' in group_names -%}
+@bypass_spam_checks_maps = (
+ \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+{% endif %}
+
+1; # ensure a defined return
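Review bot: The comments in this hunk still say anti-virus and anti-spam checking are "DISABLED by default" and ask the reader to uncomment the following lines, but both the `@bypass_virus_checks_maps` and `@bypass_spam_checks_maps` assignments are already active (the latter only when the host is in the `MDA` group), so the text describes the packaged template rather than this file. Replacing the two boilerplate comment blocks with something like `# Virus checks are enabled on every host; spam checks only on MDA hosts, where SpamAssassin is deployed.` tells a reader what this template actually does.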
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
new file mode 100644
index 0000000..7d412f8
--- /dev/null
+++ b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
@@ -0,0 +1,135 @@
+use strict;
+
+#
+# Place your configuration directives here. They will override those in
+# earlier files.
+#
+# See /usr/share/doc/amavisd-new/ for documentation and examples of
+# the directives you can use in this file
+#
+
+# $max_servers: num of pre-forked children (2..30 is common). It *must*
+# match the number set in /etc/postfix/master.cf "maxproc" column for
+# the amavisfeed service.
+$max_servers = 2;
+
+# list your internal networks
+@mynetworks = qw( 127.0.0.0/8 172.16.0.1/32 );
+
+
+# Always deliver messages (force *_lovers_maps to [1])
+$final_virus_destiny = D_PASS;
+$final_banned_destiny = D_PASS;
+$final_unchecked_destiny = D_PASS;
+$final_spam_destiny = D_PASS;
+$final_bad_header_destiny = D_PASS;
+$final_destiny_by_ccat{&CC_OVERSIZED} = D_PASS;
+
+%lovers_maps_by_ccat = (
+ CC_CATCHALL, 1,
+);
+
+
+# Disable quarantine (force *_quarantine_to_maps to [1]; don't forget to
+# disable setting amavisSpamQuarantineCutoffLevel and amavisVirusQuarantine*To,
+# also)
+$QUARANTINEDIR = undef;
+%quarantine_method_by_ccat = (
+ CC_CATCHALL, undef,
+);
+%admin_maps_by_ccat = (
+ CC_CATCHALL, undef,
+);
+
+undef $undecipherable_subject_tag;
+
+# Defang virus only
+%defang_maps_by_ccat = (
+ CC_VIRUS, 1,
+ CC_CATCHALL, undef,
+);
+
+# Never BCC / DSN; don't forget to disallow setting amavisSpamDsnCutoffLevel
+# and amavis*Admin, also
+%always_bcc_by_ccat = (
+ CC_CATCHALL, undef,
+);
+%dsn_bcc_by_ccat = (
+ CC_CATCHALL, undef,
+);
+
+# Never warn sender / recipient; don't forget to disallow setting
+# amavisWarn*Recip, also
+%warnsender_by_ccat = ( # deprecated use, except perhaps for CC_BADH
+ CC_CATCHALL, undef,
+);
+%warnrecip_maps_by_ccat = (
+ CC_CATCHALL, undef,
+);
+
+@message_size_limit_maps = (); # per-recipient limits
+
+
+%banned_rules = (
+ 'NO-MS-EXEC'=> new_RE( qr'^\.exe-ms$' ),
+ 'PASSALL' => new_RE( [qr'^' => 0] ),
+ 'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
+ 'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ),
+);
+
+
+$enable_ldap = 1;
+$default_ldap = {
+ hostname => 'ldapi://',
+ sasl => 1,
+ sasl_mech => 'EXTERNAL',
+ deref => 'never',
+ timeout => 5,
+ scope => 'one',
+ base => 'fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org',
+ # XXX: ideally we would use %u in the base and the query_filter, but
+ # it's not supported as of amavis 2.7 (see the 'lookup_ldap'
+ # subroutine in /usr/sbin/amavisd-new)
+ query_filter => '(&(objectClass=amavisAccount)(ObjectClass=FripostVirtualUser)(fvl=%m))'
+};
+
+
+$recipient_delimiter = '+';
+$enable_dkim_verification = 1; # enable DKIM signatures verification
+
+
+# Per-recipient Bayes Database.
+@sa_username_maps = (
+ new_RE ( [ qr'^(.+@[^@]+)$'i => '$1' ] ),
+ 'amavis' # catch-all
+);
+
+# http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex
+
+$inet_socket_port = 10041;
+
+$interface_policy{'10041'} = 'INBOUND';
+
+{% if 'MTA-out' in group_names %}
+$notify_method = 'smtp:[127.0.0.1]:{{ MTA_out.port }}';
+{% else %}
+$notify_method = 'smtp:[{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}';
+{% endif %}
+$forward_method = 'lmtp:/var/run/dovecot/lmtp';
+$requeue_method = $forward_method;
+
+$sa_tag_level_deflt = undef;
+$sa_tag2_level_deflt = 5;
+$sa_kill_level_deflt = 5;
+$sa_dsn_cutoff_level = undef;
+$sa_quarantine_cutoff_level = undef;
+
+$policy_bank{'INBOUND'} = {
+ originating => 0, # indicates a remote client, allows checking
+ smtpd_greeting_banner =>
+ '${helo-name} ${protocol} ${product} INBOUND service ready',
+ mynetworks_maps => [], # avoids loading MYNETS policy unnecessarily
+};
+
+#------------ Do not modify anything below this line -------------
+1; # ensure a defined return
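Review bot: `@sa_username_maps` keys the per-recipient Bayes database on whatever `qr'^(.+@[^@]+)$'i` captures, and `$recipient_delimiter = '+'` is set in the same file, so a message to `user+tag@domain` presumably matches with the extension included and gets its own, empty, Bayes DB instead of sharing the user's. Confirm whether amavis applies this map to the delimiter-stripped address; if it does not, capture without the extension, e.g. `[ qr'^([^@+]+)(?:\+[^@]*)?(@[^@]+)$'i => '$1$2' ]`. The LDAP `query_filter` also mixes `objectClass` and `ObjectClass` on one line; attribute names are case-insensitive in LDAP so it works, but matching the spelling used in transport_content_filter_maps.cf avoids a second look.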
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index 1fb2fcc..2ccbe6a 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -50,9 +50,10 @@ default_transport = error:5.1.1 Transport unavailable
# Virtual transport (the alias resolution is already done by the MX:es)
virtual_transport = lmtp:unix:private/dovecot-lmtpd
+lmtp_bind_address = 127.0.0.1
virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox_maps.cf
-mailbox_transport_maps = ldap:$config_directory/virtual/transport_content_filter_maps.cf
+transport_maps = ldap:$config_directory/virtual/transport_content_filter_maps.cf
# Don't rewrite remote headers
local_header_rewrite_clients =
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 06eb692..5c993fc 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -53,19 +53,32 @@
owner=root group=root
mode=0600
-- name: Copy fripost schema
- copy: src=etc/ldap/schema/fripost.ldif
- dest=/etc/ldap/schema/fripost.ldif
+- name: Copy fripost & amavis' schema
+ copy: src=etc/ldap/schema/{{ item }}
+ dest=/etc/ldap/schema/{{ item }}
owner=root group=root
mode=0644
+ # It'd certainly be nicer if we didn't have to deploy amavis' schema
+ # everywhere, but we need the 'objectClass' in our replicates, hence
+ # they need to be aware of the 'amavisAccount' class.
+ with_items:
+ - fripost.ldif
+ - amavis.schema
+ tags:
+ - amavis
- name: Load fripost's schema and configure the database
openldap: target=/etc/ldap/{{ item }} state=present
with_items:
- schema/fripost.ldif
- # TODO load other required schemas *before* loading the database
- fripost/database.ldif
+- name: Load amavis' schema
+ openldap: target=/etc/ldap/schema/amavis.schema state=present
+ format=slapd.conf name=amavis
+ tags:
+ - ldap
+
- name: Start slapd
service: name=slapd state=started
when: not (r1.changed or r2.changed)
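Review bot: `Load amavis' schema` runs after `Load fripost's schema and configure the database`, yet the database.ldif in this commit references `@AmavisAccount` and `objectClass=AmavisAccount` in its olcAccess rules on MDA hosts; on a fresh host slapd will presumably reject an ACL naming an objectClass it has not loaded yet, so the amavis schema task should move ahead of the database task (the removed `TODO load other required schemas *before* loading the database` comment was about exactly this ordering). The copy task is tagged `amavis` and the load task `ldap`, so a run limited to one tag copies without loading or loads without copying; giving both tasks the same tags keeps them runnable together.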
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index cf12f10..f76eb78 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -73,7 +73,13 @@ olcDbIndex: entryCSN,entryUUID eq
# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
#
-{% if 'LDAP-provider' not in group_names %}
+{% if 'LDAP-provider' in group_names %}
+olcLimits: dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
+ time.soft=unlimited
+ time.hard=unlimited
+ size.soft=unlimited
+ size.hard=unlimited
+{% elif 'MX' in group_names %}
olcSyncrepl: rid=000
provider=ldap://{{ LDAP_provider }}
type=refreshAndPersist
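Review bot: The condition changes from `'LDAP-provider' not in group_names` to `elif 'MX' in group_names`, so a host that is neither a provider nor an MX no longer gets an olcSyncrepl stanza at all. If MDA hosts (which the new amavis ACL further down this file targets) are expected to replicate from the provider, this silently drops their replication; if the narrowing is intentional, a one-line comment above the `elif` stating why only MX hosts consume from the provider would document it. The unlimited `olcLimits` for the MX-replicate identity is the expected setting for a syncrepl consumer and needs no change.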
@@ -129,6 +135,20 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
by users =0 break
#
+# The following is required for the content filter
+{% if 'MDA' in group_names %}
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+ attrs=entry
+ filter=(&(objectClass=FripostVirtualDomain)(fripostIsStatusActive=TRUE))
+ by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =s
+ by users =0 break
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+ attrs=entry,objectClass,fvl,@AmavisAccount
+ filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
+ by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =rsd
+ by users =0 break
+{% endif %}
+#
# Anonymous can authenticate into the services. (But not read or write the password.)
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org"
attrs=userPassword