Configure the content filter.

Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new.
Each user has his/her amavis preferences, and own Bayes filter (to
maximize privacy).

One question remains, though: how to set spamassassin's trusted_networks
/ internal_networks / msa_networks? It seems not obivious to get it
write with IPSec and dynamic IPs.
(Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)

14 files changed, 607 insertions, 8 deletions

diff --git a/roles/IMAP/files/etc/amavis/conf.d/05-domain_id b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id
new file mode 100644
index 0000000..19f10ed
--- /dev/null
+++ b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id
@@ -0,0 +1,20 @@
+use strict;
+
+# $mydomain is used just for convenience in the config files and it is not
+# used internally by amavisd-new except in the default X_HEADER_LINE (which
+# Debian overrides by default anyway).
+
+$mydomain = "fripost.org";
+
+# amavisd-new needs to know which email domains are to be considered local
+# to the administrative domain.  Only emails to "local" domains are subject
+# to certain functionality, such as the addition of spam tags.
+#
+# Default local domains to $mydomain and all subdomains.  Remember to
+# override or redefine this if $mydomain is changed later in the config
+# sequence.
+
+@local_domains_acl = ( ".$mydomain" );
+@local_domains_maps = ( ".$mydomain" );
+
+1;  # ensure a defined return
diff --git a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
index 6ea944f..3a97841 100644
--- a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
+++ b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf
@@ -3,6 +3,6 @@ version          = 3
 search_base      = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
 scope            = base
 bind             = none
-query_filter     = (&(ObjectClass=AmavisAccount)(fvl=%u))
+query_filter     = (&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fvl=%u))
 result_attribute = fvl
-result_format    = amavisfeed:unix:public/amavisfeed-contentfilter
+result_format    = amavisfeed:[127.0.0.1]:10041
diff --git a/roles/IMAP/files/etc/spamassassin/local.cf b/roles/IMAP/files/etc/spamassassin/local.cf
new file mode 100644
index 0000000..8ae4a4b
--- /dev/null
+++ b/roles/IMAP/files/etc/spamassassin/local.cf
@@ -0,0 +1,118 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# Only a small subset of options are listed below
+#
+###########################################################################
+
+#   Add *****SPAM***** to the Subject header of spam e-mails
+#
+rewrite_header Subject [*****SPAM*****]
+
+
+#   Save spam messages as a message/rfc822 MIME attachment instead of
+#   modifying the original message (0: off, 2: use text/plain instead)
+#
+report_safe 0
+
+
+#   Set which networks or hosts are considered 'trusted' by your mail
+#   server (i.e. not spammers)
+#
+# TODO: Unclear how to do with IPSec and dynamic IPs.
+clear_trusted_networks
+trusted_networks 192.168.122.2 192.168.122.3
+
+clear_internal_networks
+internal_networks 192.168.122.2 192.168.122.3
+
+
+#   Set file-locking method (flock is not safe over NFS, but is faster)
+#
+lock_method flock
+
+
+#   Set the threshold at which a message is considered spam (default: 5.0)
+#
+required_score 5.0
+
+
+#   Use Bayesian classifier (default: 1)
+#
+use_bayes 1
+
+
+#   Bayesian classifier auto-learning (default: 1)
+#
+bayes_auto_learn 1
+bayes_auto_expire 0
+
+
+# Enable or disable network checks
+#
+# http://en.linuxreviews.org/Spam_blacklists
+# The best bets are zen.spamhaus.org and bl.spamcop.net .
+skip_rbl_checks                 0
+use_razor2                      1
+use_pyzor                       0
+use_auto_whitelist              1
+
+# http://www.spamtips.org/2011/01/disable-dnsfromahblrhsbl.html
+score DNS_FROM_AHBL_RHSBL       0
+# http://www.spamtips.org/2011/01/disable-rfc-ignorantorg-rules.html
+score __RFC_IGNORANT_ENVFROM    0
+score DNS_FROM_RFC_DSN          0
+score DNS_FROM_RFC_BOGUSMX      0
+score __DNS_FROM_RFC_POST       0
+score __DNS_FROM_RFC_ABUSE      0
+score __DNS_FROM_RFC_WHOIS      0
+
+#   Set headers which may provide inappropriate cues to the Bayesian
+#   classifier
+#
+# bayes_ignore_header X-Bogosity
+# bayes_ignore_header X-Spam-Flag
+# bayes_ignore_header X-Spam-Status
+
+
+#   Some shortcircuiting, if the plugin is enabled
+# 
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+#   default: strongly-whitelisted mails are *really* whitelisted now, if the
+#   shortcircuiting plugin is active, causing early exit to save CPU load.
+#   Uncomment to turn this on
+#
+# shortcircuit USER_IN_WHITELIST       on
+# shortcircuit USER_IN_DEF_WHITELIST   on
+# shortcircuit USER_IN_ALL_SPAM_TO     on
+# shortcircuit SUBJECT_IN_WHITELIST    on
+
+#   the opposite; blacklisted mails can also save CPU
+#
+# shortcircuit USER_IN_BLACKLIST       on
+# shortcircuit USER_IN_BLACKLIST_TO    on
+# shortcircuit SUBJECT_IN_BLACKLIST    on
+
+#   if you have taken the time to correctly specify your "trusted_networks",
+#   this is another good way to save CPU
+#
+# shortcircuit ALL_TRUSTED             on
+
+#   and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99                spam
+# shortcircuit BAYES_00                ham
+
+endif # Mail::SpamAssassin::Plugin::Shortcircuit
+
+
+bayes_store_module          Mail::SpamAssassin::BayesStore::MySQL
+bayes_sql_dsn               DBI:mysql:spamassassin
+bayes_sql_username          amavis
+
+auto_whitelist_factory      Mail::SpamAssassin::SQLBasedAddrList
+user_awl_dsn                DBI:mysql:spamassassin
+user_awl_sql_username       amavis
diff --git a/roles/IMAP/files/etc/spamassassin/v310.pre b/roles/IMAP/files/etc/spamassassin/v310.pre
new file mode 100644
index 0000000..bff0bbf
--- /dev/null
+++ b/roles/IMAP/files/etc/spamassassin/v310.pre
@@ -0,0 +1,78 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# This file was installed during the installation of SpamAssassin 3.1.0,
+# and contains plugin loading commands for the new plugins added in that
+# release.  It will not be overwritten during future SpamAssassin installs,
+# so you can modify it to enable some disabled-by-default plugins below,
+# if you so wish.
+#
+# There are now multiple files read to enable plugins in the
+# /etc/mail/spamassassin directory; previously only one, "init.pre" was
+# read.  Now both "init.pre", "v310.pre", and any other files ending in
+# ".pre" will be read.  As future releases are made, new plugins will be
+# added to new files, named according to the release they're added in.
+###########################################################################
+
+# DCC - perform DCC message checks.
+#
+# DCC is disabled here because it is not open source.  See the DCC
+# license for more details.
+#
+#loadplugin Mail::SpamAssassin::Plugin::DCC
+
+# Pyzor - perform Pyzor message checks.
+#
+loadplugin Mail::SpamAssassin::Plugin::Pyzor
+
+# Razor2 - perform Razor2 message checks.
+#
+loadplugin Mail::SpamAssassin::Plugin::Razor2
+
+# SpamCop - perform SpamCop message reporting
+#
+loadplugin Mail::SpamAssassin::Plugin::SpamCop
+
+# AntiVirus - some simple anti-virus checks, this is not a replacement
+# for an anti-virus filter like Clam AntiVirus
+#
+#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
+
+# AWL - do auto-whitelist checks
+#
+loadplugin Mail::SpamAssassin::Plugin::AWL
+
+# AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning
+#
+loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
+
+# TextCat - language guesser
+#
+#loadplugin Mail::SpamAssassin::Plugin::TextCat
+
+# AccessDB - lookup from-addresses in access database
+#
+#loadplugin Mail::SpamAssassin::Plugin::AccessDB
+
+# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions
+#
+loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
+
+###########################################################################
+# experimental plugins
+
+# DomainKeys - perform DomainKeys verification
+#
+# This plugin has been removed as of v3.3.0.  Use the DKIM plugin instead,
+# which supports both Domain Keys and DKIM.
+
+# MIMEHeader - apply regexp rules against MIME headers in the message
+#
+loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
+
+# ReplaceTags
+#
+loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
diff --git a/roles/IMAP/files/tmp/spamassassin.sql b/roles/IMAP/files/tmp/spamassassin.sql
new file mode 100644
index 0000000..ed2e641
--- /dev/null
+++ b/roles/IMAP/files/tmp/spamassassin.sql
@@ -0,0 +1,57 @@
+-- Sources: https://svn.apache.org/repos/asf/spamassassin/trunk/sql/awl_mysql.sql
+--          https://svn.apache.org/repos/asf/spamassassin/trunk/sql/bayes_mysql.sql
+
+CREATE TABLE awl (
+    username VARCHAR(100)   NOT NULL DEFAULT '',
+    email    VARBINARY(255) NOT NULL DEFAULT '',
+    ip       VARCHAR(40)    NOT NULL DEFAULT '',
+    count    INT(11)        NOT NULL DEFAULT 0,
+    totscore FLOAT          NOT NULL DEFAULT 0,
+    signedby VARCHAR(255)   NOT NULL DEFAULT '',
+    PRIMARY KEY (username,email,signedby,ip)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_expire (
+    id      INT(11) NOT NULL DEFAULT 0,
+    runtime INT(11) NOT NULL DEFAULT 0,
+    KEY bayes_expire_idx1 (id)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_global_vars (
+    variable VARCHAR(30)  NOT NULL default '',
+    value    VARCHAR(200) NOT NULL default '',
+    PRIMARY KEY (variable)
+) ENGINE=InnoDB;
+INSERT INTO bayes_global_vars VALUES ('VERSION','3');
+
+CREATE TABLE bayes_seen (
+    id    INT(11)             NOT NULL DEFAULT 0,
+    msgid VARCHAR(200) BINARY NOT NULL DEFAULT '',
+    flag  CHAR(1)             NOT NULL DEFAULT '',
+    PRIMARY KEY (id,msgid)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_token (
+    id         INT(11)   NOT NULL DEFAULT 0,
+    token      BINARY(5) NOT NULL DEFAULT '',
+    spam_count INT(11)   NOT NULL DEFAULT 0,
+    ham_count  INT(11)   NOT NULL DEFAULT 0,
+    atime      INT(11)   NOT NULL DEFAULT 0,
+    PRIMARY KEY (id, token),
+    INDEX bayes_token_idx1 (id, atime)
+) ENGINE=InnoDB;
+
+CREATE TABLE bayes_vars (
+    id                 INT(11)      NOT NULL AUTO_INCREMENT,
+    username           VARCHAR(200) NOT NULL DEFAULT '',
+    spam_count         INT(11)      NOT NULL DEFAULT 0,
+    ham_count          INT(11)      NOT NULL DEFAULT 0,
+    token_count        INT(11)      NOT NULL DEFAULT 0,
+    last_expire        INT(11)      NOT NULL DEFAULT 0,
+    last_atime_delta   INT(11)      NOT NULL DEFAULT 0,
+    last_expire_reduce INT(11)      NOT NULL DEFAULT 0,
+    oldest_token_age   INT(11)      NOT NULL DEFAULT 2147483647,
+    newest_token_age   INT(11)      NOT NULL DEFAULT 0,
+    PRIMARY KEY (id),
+    UNIQUE bayes_vars_idx1 (username)
+) ENGINE=InnoDB;
diff --git a/roles/IMAP/handlers/main.yml b/roles/IMAP/handlers/main.yml
index 2e54251..9bd7dab 100644
--- a/roles/IMAP/handlers/main.yml
+++ b/roles/IMAP/handlers/main.yml
@@ -7,3 +7,22 @@
 
 - name: Reload Postfix
   service: name=postfix state=reloaded
+
+- name: Restart ClamAV
+  service: name=clamav-daemon state=restarted
+
+- name: Restart Amavis
+  service: name=amavis state=restarted
+
+- name: Copy SQL tables for spamassassin
+  copy: src=tmp/spamassassin.sql
+        dest=/tmp/spamassassin.sql
+        owner=root group=root
+        mode=0600
+
+- name: Create SQL tables for spamassassin
+  # see https://svn.apache.org/repos/asf/spamassassin/trunk/sql/
+  # for the original
+  mysql_db: name=spamassassin state=import
+            target=/tmp/spamassassin.sql
+            encoding=latin1 collation=latin1_unicode_ci
diff --git a/roles/IMAP/tasks/amavis.yml b/roles/IMAP/tasks/amavis.yml
new file mode 100644
index 0000000..6f47328
--- /dev/null
+++ b/roles/IMAP/tasks/amavis.yml
@@ -0,0 +1,56 @@
+- name: Install amavis and its decoders
+  apt: pkg={{ item }}
+  with_items:
+    - amavisd-new
+    - libnet-ldap-perl
+    - libauthen-sasl-perl
+    - gzip
+    - bzip2
+    - xz-utils
+    - lzop
+    - rpm2cpio
+    - pax
+    - binutils
+    - p7zip-full
+    - unrar-free
+    - arj
+    - nomarch
+    - zoo
+    - ripole
+    - cabextract
+    - unar
+    - tnef
+  notify:
+    - Restart Amavis
+
+- name: Add 'clamav' to the group 'amavis'
+  user: name=clamav groups=amavis append=yes
+  register: r1
+  notify:
+    - Restart ClamAV
+    - Restart Amavis
+
+- name: Configure Amavis (1)
+  copy: src=etc/amavis/conf.d/05-domain_id
+        dest=/etc/amavis/conf.d/05-domain_id
+        owner=root group=root
+        mode=0644
+  register: r2
+  notify:
+    - Restart Amavis
+
+- name: Configure Amavis (2)
+  template: src=etc/amavis/conf.d/{{ item }}.j2
+            dest=/etc/amavis/conf.d/{{ item }}
+            owner=root group=root
+            mode=0644
+  register: r3
+  with_items:
+    - 15-content_filter_mode
+    - 50-user
+  notify:
+    - Restart Amavis
+
+- name: Start Amavis
+  service: name=amavis state=started
+  when: not (r1.changed or r2.changed or r3.changed)
diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml
index df21dd2..b43f9fb 100644
--- a/roles/IMAP/tasks/main.yml
+++ b/roles/IMAP/tasks/main.yml
@@ -1,3 +1,5 @@
 ---
 - include: imap.yml   tags=imap,dovecot
 - include: mda.yml    tags=mda,mail,postfix
+- include: amavis.yml tags=amavis
+- include: spam.yml   tags=spam,spamassassin
diff --git a/roles/IMAP/tasks/spam.yml b/roles/IMAP/tasks/spam.yml
new file mode 100644
index 0000000..d326656
--- /dev/null
+++ b/roles/IMAP/tasks/spam.yml
@@ -0,0 +1,51 @@
+- name: Install spamassassin
+  apt: pkg={{ item }}
+  with_items:
+    - razor
+    - spamassassin
+    - spamc
+    - libdbi-perl
+  notify:
+    - Restart Amavis
+
+- name: Create a 'spamassassin' database
+  mysql_db: name=spamassassin state=present
+            encoding=latin1 collation=latin1_general_ci
+  notify:
+    - Copy SQL tables for spamassassin
+    - Create SQL tables for spamassassin
+
+- meta: flush_handlers
+
+- name: Copy SpamAssassin's configuration
+  copy: src=etc/{{ item }}
+        dest=/etc/{{ item }}
+        owner=root group=root
+        mode=0644
+  with_items:
+    - spamassassin/local.cf
+    - spamassassin/v310.pre
+  notify:
+    - Restart Amavis
+
+- name: Ensure SpamAssassin is not auto-started at boot time
+  lineinfile: dest=/etc/default/spamassassin
+              regexp='^(\s*#)?\s*ENABLED='
+              line='ENABLED=0'
+              owner=root group=root
+              mode=0644
+
+- name: Create a 'amavis' SQL user
+  # This *must* be the user we run spamd as
+  # See https://svn.apache.org/repos/asf/spamassassin/trunk/sql/README.bayes
+  mysql_user: >
+      name=amavis auth_plugin=auth_socket
+      priv="spamassassin.awl:               SELECT,INSERT,UPDATE,DELETE
+           /spamassassin.bayes_seen:        SELECT,INSERT,       DELETE
+           /spamassassin.bayes_token:       SELECT,INSERT,UPDATE,DELETE
+           /spamassassin.bayes_global_vars: SELECT
+           /spamassassin.bayes_vars:        SELECT,INSERT,UPDATE,DELETE
+           /spamassassin.bayes_expire:      SELECT,INSERT,       DELETE"
+      state=present
+  notify:
+    - Restart Amavis
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2
new file mode 100644
index 0000000..cde0452
--- /dev/null
+++ b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2
@@ -0,0 +1,29 @@
+use strict;
+
+# You can modify this file to re-enable SPAM checking through spamassassin
+# and to re-enable antivirus checking.
+
+#
+# Default antivirus checking mode
+# Please note, that anti-virus checking is DISABLED by 
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+
+#
+# Default SPAM checking mode
+# Please note, that anti-spam checking is DISABLED by 
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+{% if 'MDA' in group_names -%}
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+{% endif %}
+
+1;  # ensure a defined return
diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
new file mode 100644
index 0000000..7d412f8
--- /dev/null
+++ b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2
@@ -0,0 +1,135 @@
+use strict;
+
+#
+# Place your configuration directives here.  They will override those in
+# earlier files.
+#
+# See /usr/share/doc/amavisd-new/ for documentation and examples of
+# the directives you can use in this file
+#
+
+# $max_servers: num of pre-forked children (2..30 is common). It *must*
+# match the number set in /etc/postfix/master.cf "maxproc" column for
+# the amavisfeed service.
+$max_servers = 2;
+
+# list your internal networks
+@mynetworks = qw( 127.0.0.0/8 172.16.0.1/32 );
+
+
+# Always deliver messages (force *_lovers_maps to [1])
+$final_virus_destiny                  = D_PASS;
+$final_banned_destiny                 = D_PASS;
+$final_unchecked_destiny              = D_PASS;
+$final_spam_destiny                   = D_PASS;
+$final_bad_header_destiny             = D_PASS;
+$final_destiny_by_ccat{&CC_OVERSIZED} = D_PASS;
+
+%lovers_maps_by_ccat = (
+  CC_CATCHALL, 1,
+);
+
+
+# Disable quarantine (force *_quarantine_to_maps to [1]; don't forget to
+# disable setting amavisSpamQuarantineCutoffLevel and amavisVirusQuarantine*To,
+# also)
+$QUARANTINEDIR = undef;
+%quarantine_method_by_ccat = (
+  CC_CATCHALL, undef,
+);
+%admin_maps_by_ccat = (
+  CC_CATCHALL, undef,
+);
+
+undef $undecipherable_subject_tag;
+
+# Defang virus only
+%defang_maps_by_ccat = (
+  CC_VIRUS,    1,
+  CC_CATCHALL, undef,
+);
+
+# Never BCC / DSN; don't forget to disallow setting amavisSpamDsnCutoffLevel
+# and amavis*Admin, also
+%always_bcc_by_ccat = (
+  CC_CATCHALL, undef,
+);
+%dsn_bcc_by_ccat = (
+  CC_CATCHALL, undef,
+);
+
+# Never warn sender / recipient; don't forget to disallow setting
+# amavisWarn*Recip, also
+%warnsender_by_ccat = (  # deprecated use, except perhaps for CC_BADH
+  CC_CATCHALL, undef,
+);
+%warnrecip_maps_by_ccat = (
+  CC_CATCHALL, undef,
+);
+
+@message_size_limit_maps = (); # per-recipient limits
+
+
+%banned_rules = (
+  'NO-MS-EXEC'=> new_RE( qr'^\.exe-ms$' ),
+  'PASSALL'   => new_RE( [qr'^' => 0] ),
+  'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
+  'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ),
+);
+
+
+$enable_ldap  = 1;
+$default_ldap = {
+    hostname      => 'ldapi://',
+    sasl          => 1,
+    sasl_mech     => 'EXTERNAL',
+    deref         => 'never',
+    timeout       => 5,
+    scope         => 'one',
+    base          => 'fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org',
+    # XXX: ideally we would use %u in the base and the query_filter, but
+    # it's not supported as of amavis 2.7 (see the 'lookup_ldap'
+    # subroutine in /usr/sbin/amavisd-new)
+    query_filter  => '(&(objectClass=amavisAccount)(ObjectClass=FripostVirtualUser)(fvl=%m))'
+};
+
+
+$recipient_delimiter = '+';
+$enable_dkim_verification = 1;    # enable DKIM signatures verification
+
+
+# Per-recipient Bayes Database.
+@sa_username_maps = (
+  new_RE ( [ qr'^(.+@[^@]+)$'i => '$1' ] ),
+  'amavis' # catch-all
+);
+
+# http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex
+
+$inet_socket_port = 10041;
+
+$interface_policy{'10041'} = 'INBOUND';
+
+{% if 'MTA-out' in group_names %}
+$notify_method  = 'smtp:[127.0.0.1]:{{ MTA_out.port }}';
+{% else %}
+$notify_method  = 'smtp:[{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}';
+{% endif %}
+$forward_method = 'lmtp:/var/run/dovecot/lmtp';
+$requeue_method = $forward_method;
+
+$sa_tag_level_deflt         = undef;
+$sa_tag2_level_deflt        = 5;
+$sa_kill_level_deflt        = 5;
+$sa_dsn_cutoff_level        = undef;
+$sa_quarantine_cutoff_level = undef;
+
+$policy_bank{'INBOUND'} = {
+  originating           => 0,  # indicates a remote client, allows checking
+  smtpd_greeting_banner =>
+    '${helo-name} ${protocol} ${product} INBOUND service ready',
+  mynetworks_maps       => [],  # avoids loading MYNETS policy unnecessarily
+};
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index 1fb2fcc..2ccbe6a 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -50,9 +50,10 @@ default_transport = error:5.1.1 Transport unavailable
 
 # Virtual transport (the alias resolution is already done by the MX:es)
 virtual_transport       = lmtp:unix:private/dovecot-lmtpd
+lmtp_bind_address       = 127.0.0.1
 virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
 virtual_mailbox_maps    = ldap:$config_directory/virtual/mailbox_maps.cf
-mailbox_transport_maps  = ldap:$config_directory/virtual/transport_content_filter_maps.cf
+transport_maps          = ldap:$config_directory/virtual/transport_content_filter_maps.cf
 
 # Don't rewrite remote headers
 local_header_rewrite_clients =
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 06eb692..5c993fc 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -53,19 +53,32 @@
             owner=root group=root
             mode=0600
 
-- name: Copy fripost schema
-  copy: src=etc/ldap/schema/fripost.ldif
-        dest=/etc/ldap/schema/fripost.ldif
+- name: Copy fripost & amavis' schema
+  copy: src=etc/ldap/schema/{{ item }}
+        dest=/etc/ldap/schema/{{ item }}
         owner=root group=root
         mode=0644
+  # It'd certainly be nicer if we didn't have to deploy amavis' schema
+  # everywhere, but we need the 'objectClass' in our replicates, hence
+  # they need to be aware of the 'amavisAccount' class.
+  with_items:
+    - fripost.ldif
+    - amavis.schema
+  tags:
+    - amavis
 
 - name: Load fripost's schema and configure the database
   openldap: target=/etc/ldap/{{ item }} state=present
   with_items:
     - schema/fripost.ldif
-    # TODO load other required schemas *before* loading the database
     - fripost/database.ldif
 
+- name: Load amavis' schema
+  openldap: target=/etc/ldap/schema/amavis.schema state=present
+            format=slapd.conf name=amavis
+  tags:
+    - ldap
+
 - name: Start slapd
   service: name=slapd state=started
   when: not (r1.changed or r2.changed)
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index cf12f10..f76eb78 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -73,7 +73,13 @@ olcDbIndex: entryCSN,entryUUID eq
 # - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
 # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
 #
-{% if 'LDAP-provider' not in group_names %}
+{% if 'LDAP-provider' in group_names %}
+olcLimits: dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
+  time.soft=unlimited
+  time.hard=unlimited
+  size.soft=unlimited
+  size.hard=unlimited
+{% elif 'MX' in group_names %}
 olcSyncrepl: rid=000
   provider=ldap://{{ LDAP_provider }}
   type=refreshAndPersist
@@ -129,6 +135,20 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
     by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
     by users =0 break
 #
+# The following is required for the content filter
+{% if 'MDA' in group_names %}
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+        attrs=entry
+        filter=(&(objectClass=FripostVirtualDomain)(fripostIsStatusActive=TRUE))
+    by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =s
+    by users =0 break
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+        attrs=entry,objectClass,fvl,@AmavisAccount
+        filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
+    by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =rsd
+    by users =0 break
+{% endif %}
+#
 # Anonymous can authenticate into the services. (But not read or write the password.)
 olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org"
         attrs=userPassword