summaryrefslogtreecommitdiffstats
path: root/roles/amavis
diff options
context:
space:
mode:
Diffstat (limited to 'roles/amavis')
-rw-r--r--roles/amavis/handlers/main.yml4
-rw-r--r--roles/amavis/tasks/main.yml43
-rw-r--r--roles/amavis/templates/etc/amavis/conf.d/50-user.j222
3 files changed, 44 insertions, 25 deletions
diff --git a/roles/amavis/handlers/main.yml b/roles/amavis/handlers/main.yml
index 62cc6fc..684be0f 100644
--- a/roles/amavis/handlers/main.yml
+++ b/roles/amavis/handlers/main.yml
@@ -1,13 +1,9 @@
---
- name: Restart ClamAV
service: name=clamav-daemon state=restarted
-- name: Publish the public key to the DNS zone
- # See the output of 'genkeypair.sh dkim --privkey=/path/to/key'
- fail: "msg={{ dkim.stdout }}"
-
- name: Restart Amavis
service: name=amavis state=restarted
- name: Restart munin-node
service: name=munin-node state=restarted
diff --git a/roles/amavis/tasks/main.yml b/roles/amavis/tasks/main.yml
index 4009c05..7fc44c7 100644
--- a/roles/amavis/tasks/main.yml
+++ b/roles/amavis/tasks/main.yml
@@ -1,79 +1,90 @@
- name: Install amavis and its decoders
- apt: pkg={{ item }}
- with_items:
+ apt: pkg={{ packages }}
+ vars:
+ packages:
- amavisd-new
- libnet-ldap-perl
# Mail::DKIM
- libmail-dkim-perl
- gzip
- bzip2
- xz-utils
- lzop
- rpm2cpio
- pax
- binutils
- p7zip-full
- unrar-free
- arj
- nomarch
- - zoo
- - ripole
- cabextract
- unar
- tnef
notify:
- Restart Amavis
- name: Add 'clamav' to the group 'amavis'
user: name=clamav groups=amavis append=yes
notify:
- Restart ClamAV
- Restart Amavis
-- name: Set AllowSupplementaryGroups=true
- lineinfile: "dest=/etc/clamav/clamd.conf
- regexp='^AllowSupplementaryGroups\\s'
- line='AllowSupplementaryGroups true'"
- notify:
- - Restart ClamAV
+- name: Add an 'amavis' alias
+ lineinfile: dest=/etc/aliases create=yes
+ regexp="^amavis{{':'}} "
+ line="amavis{{':'}} root"
-- name: Create directory /var/lib/dkim
- file: path=/var/lib/dkim
+- name: Compile the static local Postfix database
+ postmap: cmd=postalias src=/etc/aliases db=lmdb
+ owner=root group=root
+ mode=0644
+
+- name: Create directory /etc/amavis/dkim
+ file: path=/etc/amavis/dkim
state=directory
owner=root group=root
mode=0755
when: "'out' in group_names"
tags:
- genkey
+ - dkim
- name: Generate a private key for DKIM signing
- command: genkeypair.sh dkim --privkey=/var/lib/dkim/20140703.fripost.org.key -t rsa -b 1024
+ command: genkeypair.sh dkim --owner=amavis --group=root --privkey="/etc/amavis/dkim/{{ item.s }}:{{ item.d }}.pem" -t rsa -b 2048
+ with_items: "{{ (dkim_keys[inventory_hostname_short] | default({})).values() | list }}"
register: dkim
changed_when: dkim.rc == 0
failed_when: dkim.rc > 1
when: "'out' in group_names"
- notify:
- - Restart Amavis
- - Publish the public key to the DNS zone
tags:
- genkey
+ - dkim
+
+- name: Fetch DKIM keys
+ fetch_cmd: cmd="openssl pkey -pubout -outform PEM"
+ stdin="/etc/amavis/dkim/{{ item.s }}:{{ item.d }}.pem"
+ dest="certs/dkim/{{ item.s }}:{{ item.d }}.pub"
+ with_items: "{{ (dkim_keys[inventory_hostname_short] | default({})).values() | list }}"
+ tags:
+ - genkey
+ - dkim
- name: Configure Amavis
template: src=etc/amavis/conf.d/50-user.j2
dest=/etc/amavis/conf.d/50-user
owner=root group=root
mode=0644
register: r3
notify:
- Restart Amavis
- meta: flush_handlers
- name: Start Amavis
service: name=amavis state=started
- name: Install 'amavis' Munin plugin
file: src=/usr/share/munin/plugins/amavis
dest=/etc/munin/plugins/amavis
owner=root group=root
diff --git a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2 b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
index 92805b8..8563a8c 100644
--- a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
+++ b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
@@ -15,46 +15,55 @@ use strict;
# the amavisfeed service.
$max_servers = 5;
$recipient_delimiter = '+';
$mydomain = 'fripost.org';
$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
@mynetworks_maps = ();
@remove_existing_spam_headers_maps = ();
@bypass_virus_checks_maps = (); # load virus checking code
$enable_dkim_verification = 1; # load DKIM signing/verifying code
{% if 'out' not in group_names %}
undef $enable_dkim_signing;
@bypass_spam_checks_maps = (); # load spam checking code
{% else %}
$enable_dkim_signing = 1;
# Sign *all* outgoing mails with *our* key (yes, amavis complains, but this is
# safe as we force our domain with the 'd' tag).
-dkim_key(qr/./, '20140703', '/var/lib/dkim/20140703.'.$mydomain.'.key');
+{% for x,k in dkim_keys[inventory_hostname_short] | default({}) | dictsort() -%}
+dkim_key({{ (x == "~") | ternary('qr/./', "'"+(x | regex_replace('^.*@',''))+"'") }}, '{{ k.s }}', '/etc/amavis/dkim/{{ k.s }}:{{ k.d }}.pem');
+{% endfor -%}
@dkim_signature_options_bysender_maps = (
- { '.' => { d => $mydomain
- , a => 'rsa-sha256'
- , ttl => 21*24*3600
- , c => 'relaxed/simple' } } );
+{% for x,k in dkim_keys[inventory_hostname_short] | default({}) | dictsort() %}
+ { '{{ (x == "~") | ternary('.', x) }}' => {
+ d => '{{ k.d }}'
+ , s => '{{ k.s }}'
+ , a => 'rsa-sha256'
+ , ttl => 21*24*3600
+ , c => 'relaxed/simple' }
+ }{% if not loop.last %},
+{% endif %}
+{% endfor %}
+);
# Conform to RFC 4871 and don't sign Received: headers.
$signed_header_fields{received} = 0;
{% endif %}
# Defang viruses and nothing else
%defang_maps_by_ccat = ( &CC_VIRUS => 1
, &CC_CATCHALL => undef
);
# Don't change the subject for unchecked messages (not by-recip)
delete $subject_tag_maps_by_ccat{+CC_UNCHECKED};
# Never BCC / DSN; don't forget to disallow setting amavisSpamDsnCutoffLevel
# and amavis*Admin, also
%always_bcc_by_ccat = ( &CC_CATCHALL => undef );
%dsn_bcc_by_ccat = ( &CC_CATCHALL => undef );
# Never warn sender or recipient; don't forget to disallow setting
@@ -76,40 +85,41 @@ delete $subject_tag_maps_by_ccat{+CC_UNCHECKED};
$enable_ldap = 1; # Load Net::LDAP
$default_ldap = {
hostname => 'ldapi://',
sasl => 1,
sasl_mech => 'EXTERNAL',
deref => 'never',
timeout => 5,
scope => 'one',
base => 'fvd=%d,ou=virtual,dc=fripost,dc=org',
# XXX: ideally we would use %u in the base and the query_filter, but
# it's not supported as of amavis 2.7 (see the 'lookup_ldap'
# subroutine in /usr/sbin/amavisd-new)
query_filter => '(&(objectClass=amavisAccount)(ObjectClass=FripostVirtualUser)(fvl=%m))'
};
{% endif %}
# http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex
$protocol = 'LMTP';
+$inet_socket_bind = ['127.0.0.1'];
$inet_socket_port = [];
{% if 'out' in group_names %}
push @$inet_socket_port, 10040;
$interface_policy{'10040'} = 'OUTGOING';
{% endif %}
{% if 'MDA' in group_names %}
push @$inet_socket_port, 10041;
$interface_policy{'10041'} = 'INCOMING';
{% endif %}
$QUARANTINEDIR = "$MYHOME/virusmails";
$notify_method = 'smtp:[127.0.0.1]:16132'; # notifications
$forward_method = 'smtp:[127.0.0.1]:10025'; # reinject
$requeue_method = $notify_method; # requeue after quarantine
# some defaults for spam checking
$sa_tag_level_deflt = undef;
$sa_tag2_level_deflt = 5;
$sa_kill_level_deflt = 5;
@@ -119,66 +129,68 @@ $sa_quarantine_cutoff_level = undef;
# Here is an overall picture (sequence of events) of how pieces fit together
#
# bypass_virus_checks set for all recipients? ==> PASS
# no viruses? ==> PASS
# log virus if $log_templ is nonempty
# quarantine if $virus_quarantine_to is nonempty
# notify admin if $virus_admin (lookup) nonempty
# notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
# add address extensions for local recipients (when enabled)
# send (non-)delivery notifications
# to sender if DSN needed (BOUNCE or ($warnvirussender and D_PASS))
# virus_lovers or final_destiny==D_PASS ==> PASS
# DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
# Mandatory DKIM signing and virus checking only
$policy_bank{'OUTGOING'} = {
originating => 1,
enable_dkim_verification => 0,
+ protocol => 'LMTP',
smtpd_greeting_banner => '${helo-name} ${protocol} ${product} OUTGOING service ready',
forward_method => $forward_method,
# No black or white lists
message_size_limit_maps => [],
whitelist_sender_maps => [],
blacklist_sender_maps => [],
# Check for viruses (regardless of the recipient), but bypass all other checks
bypass_virus_checks_maps => undef,
bypass_banned_checks_maps => 1,
bypass_header_checks_maps => 1,
bypass_spam_checks_maps => 1,
# If a virus is found, notify postmaster, quarantine, then discard.
# Treat unchecked mails (eg, encrypted) as clean.
quarantine_to_maps_by_ccat => { &CC_VIRUS => [$virus_quarantine_to], &CC_UNCHECKED => undef, &CC_CLEAN => undef },
quarantine_method_by_ccat => { &CC_VIRUS => [$virus_quarantine_method], &CC_UNCHECKED => undef, &CC_CLEAN => undef },
admin_maps_by_ccat => { &CC_VIRUS => ["postmaster\@$mydomain"], &CC_UNCHECKED => undef },
lovers_maps_by_ccat => { &CC_VIRUS => undef, &CC_UNCHECKED => 1 },
final_destiny_maps_by_ccat => { &CC_VIRUS => D_DISCARD, &CC_UNCHECKED => D_PASS, &CC_OVERSIZED => D_PASS },
};
$policy_bank{'INCOMING'} = {
originating => 0,
enable_dkim_verification => 1,
+ protocol => 'LMTP',
smtpd_greeting_banner => '${helo-name} ${protocol} ${product} INCOMING service ready',
forward_method => $forward_method,
message_size_limit_maps => [],
# Per-recipient Bayes Database
sa_username_maps => [ new_RE ( [ qr/^(.+\@.+)$/ => '$1' ] )
, 'amavis' # catch-all
],
# Never quarantine, and never notify.
# (Remember to disallow setting amavisSpamQuarantineCutoffLevel and
# amavisVirusQuarantine*To in the LDAP schema.)
# XXX: users might want to quarantine messages and get a notification instead
quarantine_method_by_ccat => { map {$_ => undef} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_BADH, CC_CLEAN) },
admin_maps_by_ccat => { map {$_ => undef} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_BADH ) },
# Always deliver messages
final_destiny_maps_by_ccat => { map {$_ => D_PASS} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_BADH) },
lovers_maps_by_ccat => { map {$_ => 1 } (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_SPAMMY, CC_BADH) },
};
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-29 15:52:36 +0000