2 files changed, 25 insertions, 21 deletions

diff --git a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2 b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
index 3595331..ae2031b 100644
--- a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
+++ b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
@@ -1,81 +1,83 @@
 use strict;
 # {{ ansible_managed }}
 # Do NOT edit this file directly!
 
 #
 # Place your configuration directives here.  They will override those in
 # earlier files.
 #
 # See /usr/share/doc/amavisd-new/ for documentation and examples of
 # the directives you can use in this file
 #
 
 # $max_servers: num of pre-forked children (2..30 is common). It *must*
 # match the number set in /etc/postfix/master.cf "maxproc" column for
 # the amavisfeed service.
 $max_servers = 5;
 $recipient_delimiter = '+';
 
 $mydomain = 'fripost.org';
 $X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
-undef $undecipherable_subject_tag;
 
 @mynetworks_maps = ();
 @remove_existing_spam_headers_maps = ();
 @bypass_virus_checks_maps = (); # load virus checking code
 
 
 $enable_dkim_verification = 1; # load DKIM signing/verifying code
 {% if 'out' not in group_names %}
 undef $enable_dkim_signing;
 @bypass_spam_checks_maps = (); # load spam checking code
 {% else %}
 $enable_dkim_signing = 1;
 # Sign *all* outgoing mails with *our* key (yes, amavis complains, but this is
 # safe as we force our domain with the 'd' tag).
 dkim_key(qr/./, '20140703', '/var/lib/dkim/20140703.'.$mydomain.'.key');
 @dkim_signature_options_bysender_maps = (
     { '.' => { d => $mydomain
              , a => 'rsa-sha256'
              , ttl => 21*24*3600
              , c => 'relaxed/simple' } } );
 # Conform to RFC 4871 and don't sign Received: headers.
 $signed_header_fields{received} = 0;
 {% endif %}
 
 
 
-# Defang viruses only
-%defang_maps_by_ccat = ( CC_VIRUS, 1
-                       , CC_CATCHALL, undef
+# Defang viruses and nothing else
+%defang_maps_by_ccat = ( &CC_VIRUS    => 1
+                       , &CC_CATCHALL => undef
                        );
 
+# Don't change the subject for unchecked messages (not by-recip)
+delete $subject_tag_maps_by_ccat{+CC_UNCHECKED};
+
 # Never BCC / DSN; don't forget to disallow setting amavisSpamDsnCutoffLevel
 # and amavis*Admin, also
-%always_bcc_by_ccat = ( CC_CATCHALL, undef );
-%dsn_bcc_by_ccat    = ( CC_CATCHALL, undef );
+%always_bcc_by_ccat = ( &CC_CATCHALL => undef );
+%dsn_bcc_by_ccat    = ( &CC_CATCHALL => undef );
 
 # Never warn sender or recipient; don't forget to disallow setting
 # amavisWarn*Recip, also
-%warnsender_by_ccat     = ( CC_CATCHALL, undef );
-%warnrecip_maps_by_ccat = ( CC_CATCHALL, undef );
+%warnsender_by_ccat     = ( &CC_CATCHALL => undef );
+%warnrecip_maps_by_ccat = ( &CC_CATCHALL => undef );
 
 
 # A couple of common banned rules one might can refer by their name
 %banned_rules = (
   'NO-MS-EXEC'=> new_RE( qr/^\.exe-ms$/ ),
   'PASSALL'   => new_RE( [qr/^/ => 0] ),
   'ALLOW_EXE' => new_RE( qr/.\.(vbs|pif|scr|bat)$/i, [qr/^\.exe$/ => 0] ),
   'ALLOW_VBS' => new_RE( [qr/.\.vbs$/ => 0] ),
 );
 
 
 {% if 'MDA' in group_names %}
 $enable_ldap  = 1; # Load Net::LDAP
 $default_ldap = {
     hostname      => 'ldapi://',
     sasl          => 1,
     sasl_mech     => 'EXTERNAL',
     deref         => 'never',
     timeout       => 5,
     scope         => 'one',
@@ -131,55 +133,56 @@ $sa_quarantine_cutoff_level = undef;
 
 
 # Mandatory DKIM signing and virus checking only
 $policy_bank{'OUTGOING'} = {
   originating              => 1,
   enable_dkim_verification => 0,
   smtpd_greeting_banner    => '${helo-name} ${protocol} ${product} OUTGOING service ready',
   forward_method           => $forward_method,
 
   # No black or white lists
   message_size_limit_maps => [],
   whitelist_sender_maps   => [],
   blacklist_sender_maps   => [],
 
   # Check for viruses (regardless of the recipient), but bypass all other checks
   bypass_virus_checks_maps  => undef,
   bypass_banned_checks_maps => 1,
   bypass_header_checks_maps => 1,
   bypass_spam_checks_maps   => 1,
 
-  # If found, notify postmaster, quarantine, then discard
-  quarantine_to_maps_by_ccat => { CC_VIRUS, [$virus_quarantine_to],     CC_CATCHALL, undef  },
-  quarantine_method_by_ccat  => { CC_VIRUS, [$virus_quarantine_method], CC_CATCHALL, undef  },
-  admin_maps_by_ccat         => { CC_VIRUS, ["postmaster\@$mydomain"],  CC_CATCHALL, undef  },
-  addr_extension_maps_by_ccat=> {                                       CC_CATCHALL, undef  },
-  lovers_maps_by_ccat        => { CC_VIRUS, undef,                      CC_CATCHALL, 1      }, 
-  final_destiny_by_ccat      => { CC_VIRUS, D_DISCARD,                  CC_CATCHALL, D_PASS },
+  # If a virus is found, notify postmaster, quarantine, then discard.
+  # Treat unchecked mails (eg, encrypted) as clean.
+  quarantine_to_maps_by_ccat => { &CC_VIRUS => [$virus_quarantine_to],     &CC_UNCHECKED => undef, &CC_CLEAN => undef       },
+  quarantine_method_by_ccat  => { &CC_VIRUS => [$virus_quarantine_method], &CC_UNCHECKED => undef, &CC_CLEAN => undef       },
+  admin_maps_by_ccat         => { &CC_VIRUS => ["postmaster\@$mydomain"],  &CC_UNCHECKED => undef                           },
+  lovers_maps_by_ccat        => { &CC_VIRUS => undef,                      &CC_UNCHECKED => 1                               },
+  final_destiny_by_ccat      => { &CC_VIRUS => D_DISCARD,                  &CC_UNCHECKED => D_PASS, &CC_OVERSIZED => D_PASS },
 };
 
 $policy_bank{'INCOMING'} = {
   originating              => 0,
   enable_dkim_verification => 1,
   smtpd_greeting_banner    => '${helo-name} ${protocol} ${product} INCOMING service ready',
   forward_method           => $forward_method,
   message_size_limit_maps  => [],
 
   # Per-recipient Bayes Database
   sa_username_maps => [ new_RE ( [ qr/^(.+\@.+)$/ => '$1' ] )
                       , 'amavis' # catch-all
                       ],
 
-  # Never quarantine
+  # Never quarantine, and never notify.
   # (Remember to disallow setting amavisSpamQuarantineCutoffLevel and
   # amavisVirusQuarantine*To in the LDAP schema.)
-  quarantine_method_by_ccat => { CC_CATCHALL, undef },
-  admin_maps_by_ccat        => { CC_CATCHALL, undef },
+  # XXX: users might want to quarantine messages and get a notification instead
+  quarantine_method_by_ccat => { map {$_ => undef} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_BADH, CC_CLEAN) },
+  admin_maps_by_ccat        => { map {$_ => undef} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_BADH          ) },
 
   # Always deliver messages
-  final_destiny_by_ccat => { CC_CATCHALL, D_PASS },
-  lovers_maps_by_ccat   => { CC_CATCHALL, 1      },
+  final_destiny_by_ccat  => { map {$_ => D_PASS} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM,            CC_BADH) },
+  lovers_maps_by_ccat    => { map {$_ => 1     } (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_SPAMMY, CC_BADH) },
 };
 
 #------------ Do not modify anything below this line -------------
 1;  # ensure a defined return
 # vim: set filetype=perl :
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
index 0e33094..1a1ff21 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
@@ -23,21 +23,22 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/cleanup\[[[:digit:]]+\]: [[:xdigit:]]{10}: replace: header\s
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: [[:xdigit:]]{10}: client=[^[:space:]]+, sasl_method=[-[:alnum:]]+, sasl_username=[-_.@[:alnum:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: improper command pipelining after EHLO from [._[:alnum:]-]+\[[[:digit:].]{7,15}\]:\s
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: warning: hostname [._[:alnum:]-]+ does not resolve to address [[:xdigit:].:]{3,39}: Name or service not known$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: timeout after [-[:upper:]]+( \([[:digit:]]+ bytes\))? from [^[:space:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-((msa|mx)/smtpd|out/smtp)\[[[:digit:]]+\]: warning: (tls_text_name: [-._[:alnum:]]+\[[.[:digit:]]+\]: )?peer certificate has no (subject CN|issuer Organization)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mda/lmtp\[[[:digit:]]+\]: [[:xdigit:]]{10}: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=[._[:alnum:]-]+\[private/dovecot-lmtpd\],( conn_use=[[:digit:]]+,)? delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(2[[:digit:]][[:digit:]] .+\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/(error|n?qmgr|smtp)\[[[:digit:]]+\]: [[:alnum:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=(none|[^[:space:]]+\[[[:digit:].]{7,15}\]:(25|587)),( conn_use=[[:digit:]]+,)? delay=[[:digit:].]+,( delays=[[:digit:]./]+,)?( dsn=[45]\.[[:digit:]]\.[[:digit:]],)? status=(deferred|undeliverable) \((delivery temporarily suspended: )?((lost connection with [^[:space:]]+|conversation with [^[:space:]]+ timed out) while (sending [[:alnum:]]+( [[:alnum:]]+)?|performing the (HELO|EHLO) handshake|receiving the initial server greeting|sending [[:alnum:]]+( [/[:alnum:]]+)?|sending end of data -- message may be sent more than once)|connect to [^[:space:]]+: (Connection timed out|read timeout|Connection refused)|Host or domain name not found. Name service errorfor name=[^[:space:]]+ type=MX: Host not found, try again|User unknown in virtual alias table)\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: connect to [^[:space:]]+: (read timeout|Connection (refused|timed out)|Network is unreachable|No route to host)( \(port [[:digit:]]+\))?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/[ls]mtp\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>, relay=[._[:alnum:]-]+\[[[:digit:].]{7,15}\](:[[:digit:]]{1,5})?, (conn_use=[[:digit:]]+, )?delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=[45](\.[[:digit:]]+){2})?, status=(deferred|bounced|undeliverable) \(host [._[:alnum:]-]+\[[[:digit:].]{7,15}\] said: [45][[:digit:]][[:digit:]] .+ \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [[:upper:][:digit:]]+: host [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\] said: [45][[:digit:]][[:digit:]][- ]+.* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|(end of )?DATA) command\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mda|out)/smtpd\[[[:digit:]]+\]: [[:xdigit:]]{10}: client=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\], orig_queue_id=[[:xdigit:]]{10}, orig_client=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [A-Z[:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,) relay=[^[:space:]]+, delay=[[:digit:]]+, status=deferred \(host [^[:space:]]+ said: [45][[:digit:]]{2} <[^[:space:]]*>: Recipient address rejected: Greylisted for [[:digit:]]+ (seconds|minutes)(\(see http://isg.ee.ethz.ch/tools/postgrey/help/[.[:alnum:]-]+.html\))? \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|DATA|end of DATA) command\)\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [[:alnum:]]+: to=<.*>,( orig_to=<[^[:space:]]+>,)? relay=[^[:space:]]+\](:[[:digit:]]+)?,( conn_use=[[:digit:]]+,)? delay=[[:digit:].]+,( delays=[[:digit:]./]+,)?( dsn=4\.[[:digit:]]\.[[:digit:]],)? status=deferred \(host [^[:space:]]+\] said: .*$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mda|out)/smtpd?\[[[:digit:]]+\]: warning: numeric domain name in resource data of MX record for [._[:alnum:]-]+: [[:xdigit:].:]{3,39}$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|out)/smtpd\[[[:digit:]]+\]: SSL_accept error from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: lost connection$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/bounce\[[[:digit:]]+\]: [[:xdigit:]]+: sender (delay|non-delivery|delivery status) notification: [[:xdigit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [[:upper:][:digit:]]+: enabling PIX <CRLF>\.<CRLF> workaround for [._[:alnum:]-]+\[[[:digit:].]{7,15}\](:[[:digit:]]{1,5})?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [[:upper:][:digit:]]+: enabling PIX workarounds:( (disable_esmtp|delay_dotcrlf))+ for [._[:alnum:]-]+\[[[:digit:].]{7,15}\](:[[:digit:]]{1,5})?$
 #
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed CLEAN {RelayedOutbound}, OUTGOING LOCAL \[(IPv6:)?[[:xdigit:].:]{3,39}\]:[[:digit:]]+( \[[[:xdigit:].:]{3,39}\])? <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Queue-ID: [[:xdigit:]]+,)?( Message-ID: <[^>]+>,)? mail_id: [_-+[:alnum:]]+, Hits: -, size: [[:digit:]]+, queued_as: [[:xdigit:]]+, dkim_new=[-.:[:alnum:]]+, [[:digit:]]+ ms$
+# Amavis
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|UNCHECKED) {RelayedOutbound}, OUTGOING LOCAL \[(IPv6:)?[[:xdigit:].:]{3,39}\]:[[:digit:]]+( \[[[:xdigit:].:]{3,39}\])? <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Queue-ID: [[:xdigit:]]+,)?( Message-ID: <[^>]+>,)? mail_id: [_-+[:alnum:]]+, Hits: -, size: [[:digit:]]+, queued_as: [[:xdigit:]]+, dkim_new=[-.:[:alnum:]]+, [[:digit:]]+ ms$