From 7c089f71667a1a14cc508772ca289d4d1d2edd27 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 9 Dec 2013 08:11:16 +0100 Subject: Configure the content filter. Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay) --- roles/IMAP/files/etc/amavis/conf.d/05-domain_id | 20 ++++ .../virtual/transport_content_filter_maps.cf | 4 +- roles/IMAP/files/etc/spamassassin/local.cf | 118 +++++++++++++++++++++ roles/IMAP/files/etc/spamassassin/v310.pre | 78 ++++++++++++++ roles/IMAP/files/tmp/spamassassin.sql | 57 ++++++++++ 5 files changed, 275 insertions(+), 2 deletions(-) create mode 100644 roles/IMAP/files/etc/amavis/conf.d/05-domain_id create mode 100644 roles/IMAP/files/etc/spamassassin/local.cf create mode 100644 roles/IMAP/files/etc/spamassassin/v310.pre create mode 100644 roles/IMAP/files/tmp/spamassassin.sql (limited to 'roles/IMAP/files') diff --git a/roles/IMAP/files/etc/amavis/conf.d/05-domain_id b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id new file mode 100644 index 0000000..19f10ed --- /dev/null +++ b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id @@ -0,0 +1,20 @@ +use strict; + +# $mydomain is used just for convenience in the config files and it is not +# used internally by amavisd-new except in the default X_HEADER_LINE (which +# Debian overrides by default anyway). + +$mydomain = "fripost.org"; + +# amavisd-new needs to know which email domains are to be considered local +# to the administrative domain. Only emails to "local" domains are subject +# to certain functionality, such as the addition of spam tags. +# +# Default local domains to $mydomain and all subdomains. Remember to +# override or redefine this if $mydomain is changed later in the config +# sequence. + +@local_domains_acl = ( ".$mydomain" ); +@local_domains_maps = ( ".$mydomain" ); + +1; # ensure a defined return diff --git a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf index 6ea944f..3a97841 100644 --- a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf +++ b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf @@ -3,6 +3,6 @@ version = 3 search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org scope = base bind = none -query_filter = (&(ObjectClass=AmavisAccount)(fvl=%u)) +query_filter = (&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fvl=%u)) result_attribute = fvl -result_format = amavisfeed:unix:public/amavisfeed-contentfilter +result_format = amavisfeed:[127.0.0.1]:10041 diff --git a/roles/IMAP/files/etc/spamassassin/local.cf b/roles/IMAP/files/etc/spamassassin/local.cf new file mode 100644 index 0000000..8ae4a4b --- /dev/null +++ b/roles/IMAP/files/etc/spamassassin/local.cf @@ -0,0 +1,118 @@ +# This is the right place to customize your installation of SpamAssassin. +# +# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be +# tweaked. +# +# Only a small subset of options are listed below +# +########################################################################### + +# Add *****SPAM***** to the Subject header of spam e-mails +# +rewrite_header Subject [*****SPAM*****] + + +# Save spam messages as a message/rfc822 MIME attachment instead of +# modifying the original message (0: off, 2: use text/plain instead) +# +report_safe 0 + + +# Set which networks or hosts are considered 'trusted' by your mail +# server (i.e. not spammers) +# +# TODO: Unclear how to do with IPSec and dynamic IPs. +clear_trusted_networks +trusted_networks 192.168.122.2 192.168.122.3 + +clear_internal_networks +internal_networks 192.168.122.2 192.168.122.3 + + +# Set file-locking method (flock is not safe over NFS, but is faster) +# +lock_method flock + + +# Set the threshold at which a message is considered spam (default: 5.0) +# +required_score 5.0 + + +# Use Bayesian classifier (default: 1) +# +use_bayes 1 + + +# Bayesian classifier auto-learning (default: 1) +# +bayes_auto_learn 1 +bayes_auto_expire 0 + + +# Enable or disable network checks +# +# http://en.linuxreviews.org/Spam_blacklists +# The best bets are zen.spamhaus.org and bl.spamcop.net . +skip_rbl_checks 0 +use_razor2 1 +use_pyzor 0 +use_auto_whitelist 1 + +# http://www.spamtips.org/2011/01/disable-dnsfromahblrhsbl.html +score DNS_FROM_AHBL_RHSBL 0 +# http://www.spamtips.org/2011/01/disable-rfc-ignorantorg-rules.html +score __RFC_IGNORANT_ENVFROM 0 +score DNS_FROM_RFC_DSN 0 +score DNS_FROM_RFC_BOGUSMX 0 +score __DNS_FROM_RFC_POST 0 +score __DNS_FROM_RFC_ABUSE 0 +score __DNS_FROM_RFC_WHOIS 0 + +# Set headers which may provide inappropriate cues to the Bayesian +# classifier +# +# bayes_ignore_header X-Bogosity +# bayes_ignore_header X-Spam-Flag +# bayes_ignore_header X-Spam-Status + + +# Some shortcircuiting, if the plugin is enabled +# +ifplugin Mail::SpamAssassin::Plugin::Shortcircuit +# +# default: strongly-whitelisted mails are *really* whitelisted now, if the +# shortcircuiting plugin is active, causing early exit to save CPU load. +# Uncomment to turn this on +# +# shortcircuit USER_IN_WHITELIST on +# shortcircuit USER_IN_DEF_WHITELIST on +# shortcircuit USER_IN_ALL_SPAM_TO on +# shortcircuit SUBJECT_IN_WHITELIST on + +# the opposite; blacklisted mails can also save CPU +# +# shortcircuit USER_IN_BLACKLIST on +# shortcircuit USER_IN_BLACKLIST_TO on +# shortcircuit SUBJECT_IN_BLACKLIST on + +# if you have taken the time to correctly specify your "trusted_networks", +# this is another good way to save CPU +# +# shortcircuit ALL_TRUSTED on + +# and a well-trained bayes DB can save running rules, too +# +# shortcircuit BAYES_99 spam +# shortcircuit BAYES_00 ham + +endif # Mail::SpamAssassin::Plugin::Shortcircuit + + +bayes_store_module Mail::SpamAssassin::BayesStore::MySQL +bayes_sql_dsn DBI:mysql:spamassassin +bayes_sql_username amavis + +auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList +user_awl_dsn DBI:mysql:spamassassin +user_awl_sql_username amavis diff --git a/roles/IMAP/files/etc/spamassassin/v310.pre b/roles/IMAP/files/etc/spamassassin/v310.pre new file mode 100644 index 0000000..bff0bbf --- /dev/null +++ b/roles/IMAP/files/etc/spamassassin/v310.pre @@ -0,0 +1,78 @@ +# This is the right place to customize your installation of SpamAssassin. +# +# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be +# tweaked. +# +# This file was installed during the installation of SpamAssassin 3.1.0, +# and contains plugin loading commands for the new plugins added in that +# release. It will not be overwritten during future SpamAssassin installs, +# so you can modify it to enable some disabled-by-default plugins below, +# if you so wish. +# +# There are now multiple files read to enable plugins in the +# /etc/mail/spamassassin directory; previously only one, "init.pre" was +# read. Now both "init.pre", "v310.pre", and any other files ending in +# ".pre" will be read. As future releases are made, new plugins will be +# added to new files, named according to the release they're added in. +########################################################################### + +# DCC - perform DCC message checks. +# +# DCC is disabled here because it is not open source. See the DCC +# license for more details. +# +#loadplugin Mail::SpamAssassin::Plugin::DCC + +# Pyzor - perform Pyzor message checks. +# +loadplugin Mail::SpamAssassin::Plugin::Pyzor + +# Razor2 - perform Razor2 message checks. +# +loadplugin Mail::SpamAssassin::Plugin::Razor2 + +# SpamCop - perform SpamCop message reporting +# +loadplugin Mail::SpamAssassin::Plugin::SpamCop + +# AntiVirus - some simple anti-virus checks, this is not a replacement +# for an anti-virus filter like Clam AntiVirus +# +#loadplugin Mail::SpamAssassin::Plugin::AntiVirus + +# AWL - do auto-whitelist checks +# +loadplugin Mail::SpamAssassin::Plugin::AWL + +# AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning +# +loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold + +# TextCat - language guesser +# +#loadplugin Mail::SpamAssassin::Plugin::TextCat + +# AccessDB - lookup from-addresses in access database +# +#loadplugin Mail::SpamAssassin::Plugin::AccessDB + +# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions +# +loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject + +########################################################################### +# experimental plugins + +# DomainKeys - perform DomainKeys verification +# +# This plugin has been removed as of v3.3.0. Use the DKIM plugin instead, +# which supports both Domain Keys and DKIM. + +# MIMEHeader - apply regexp rules against MIME headers in the message +# +loadplugin Mail::SpamAssassin::Plugin::MIMEHeader + +# ReplaceTags +# +loadplugin Mail::SpamAssassin::Plugin::ReplaceTags + diff --git a/roles/IMAP/files/tmp/spamassassin.sql b/roles/IMAP/files/tmp/spamassassin.sql new file mode 100644 index 0000000..ed2e641 --- /dev/null +++ b/roles/IMAP/files/tmp/spamassassin.sql @@ -0,0 +1,57 @@ +-- Sources: https://svn.apache.org/repos/asf/spamassassin/trunk/sql/awl_mysql.sql +-- https://svn.apache.org/repos/asf/spamassassin/trunk/sql/bayes_mysql.sql + +CREATE TABLE awl ( + username VARCHAR(100) NOT NULL DEFAULT '', + email VARBINARY(255) NOT NULL DEFAULT '', + ip VARCHAR(40) NOT NULL DEFAULT '', + count INT(11) NOT NULL DEFAULT 0, + totscore FLOAT NOT NULL DEFAULT 0, + signedby VARCHAR(255) NOT NULL DEFAULT '', + PRIMARY KEY (username,email,signedby,ip) +) ENGINE=InnoDB; + +CREATE TABLE bayes_expire ( + id INT(11) NOT NULL DEFAULT 0, + runtime INT(11) NOT NULL DEFAULT 0, + KEY bayes_expire_idx1 (id) +) ENGINE=InnoDB; + +CREATE TABLE bayes_global_vars ( + variable VARCHAR(30) NOT NULL default '', + value VARCHAR(200) NOT NULL default '', + PRIMARY KEY (variable) +) ENGINE=InnoDB; +INSERT INTO bayes_global_vars VALUES ('VERSION','3'); + +CREATE TABLE bayes_seen ( + id INT(11) NOT NULL DEFAULT 0, + msgid VARCHAR(200) BINARY NOT NULL DEFAULT '', + flag CHAR(1) NOT NULL DEFAULT '', + PRIMARY KEY (id,msgid) +) ENGINE=InnoDB; + +CREATE TABLE bayes_token ( + id INT(11) NOT NULL DEFAULT 0, + token BINARY(5) NOT NULL DEFAULT '', + spam_count INT(11) NOT NULL DEFAULT 0, + ham_count INT(11) NOT NULL DEFAULT 0, + atime INT(11) NOT NULL DEFAULT 0, + PRIMARY KEY (id, token), + INDEX bayes_token_idx1 (id, atime) +) ENGINE=InnoDB; + +CREATE TABLE bayes_vars ( + id INT(11) NOT NULL AUTO_INCREMENT, + username VARCHAR(200) NOT NULL DEFAULT '', + spam_count INT(11) NOT NULL DEFAULT 0, + ham_count INT(11) NOT NULL DEFAULT 0, + token_count INT(11) NOT NULL DEFAULT 0, + last_expire INT(11) NOT NULL DEFAULT 0, + last_atime_delta INT(11) NOT NULL DEFAULT 0, + last_expire_reduce INT(11) NOT NULL DEFAULT 0, + oldest_token_age INT(11) NOT NULL DEFAULT 2147483647, + newest_token_age INT(11) NOT NULL DEFAULT 0, + PRIMARY KEY (id), + UNIQUE bayes_vars_idx1 (username) +) ENGINE=InnoDB; -- cgit v1.2.3