From 7c089f71667a1a14cc508772ca289d4d1d2edd27 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 9 Dec 2013 08:11:16 +0100 Subject: Configure the content filter. Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay) --- .../etc/amavis/conf.d/15-content_filter_mode.j2 | 29 +++++ roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 | 135 +++++++++++++++++++++ 2 files changed, 164 insertions(+) create mode 100644 roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 create mode 100644 roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 (limited to 'roles/IMAP/templates/etc/amavis') diff --git a/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 new file mode 100644 index 0000000..cde0452 --- /dev/null +++ b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 @@ -0,0 +1,29 @@ +use strict; + +# You can modify this file to re-enable SPAM checking through spamassassin +# and to re-enable antivirus checking. + +# +# Default antivirus checking mode +# Please note, that anti-virus checking is DISABLED by +# default. +# If You wish to enable it, please uncomment the following lines: + + +@bypass_virus_checks_maps = ( + \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); + + +# +# Default SPAM checking mode +# Please note, that anti-spam checking is DISABLED by +# default. +# If You wish to enable it, please uncomment the following lines: + + +{% if 'MDA' in group_names -%} +@bypass_spam_checks_maps = ( + \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); +{% endif %} + +1; # ensure a defined return diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 new file mode 100644 index 0000000..7d412f8 --- /dev/null +++ b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 @@ -0,0 +1,135 @@ +use strict; + +# +# Place your configuration directives here. They will override those in +# earlier files. +# +# See /usr/share/doc/amavisd-new/ for documentation and examples of +# the directives you can use in this file +# + +# $max_servers: num of pre-forked children (2..30 is common). It *must* +# match the number set in /etc/postfix/master.cf "maxproc" column for +# the amavisfeed service. +$max_servers = 2; + +# list your internal networks +@mynetworks = qw( 127.0.0.0/8 172.16.0.1/32 ); + + +# Always deliver messages (force *_lovers_maps to [1]) +$final_virus_destiny = D_PASS; +$final_banned_destiny = D_PASS; +$final_unchecked_destiny = D_PASS; +$final_spam_destiny = D_PASS; +$final_bad_header_destiny = D_PASS; +$final_destiny_by_ccat{&CC_OVERSIZED} = D_PASS; + +%lovers_maps_by_ccat = ( + CC_CATCHALL, 1, +); + + +# Disable quarantine (force *_quarantine_to_maps to [1]; don't forget to +# disable setting amavisSpamQuarantineCutoffLevel and amavisVirusQuarantine*To, +# also) +$QUARANTINEDIR = undef; +%quarantine_method_by_ccat = ( + CC_CATCHALL, undef, +); +%admin_maps_by_ccat = ( + CC_CATCHALL, undef, +); + +undef $undecipherable_subject_tag; + +# Defang virus only +%defang_maps_by_ccat = ( + CC_VIRUS, 1, + CC_CATCHALL, undef, +); + +# Never BCC / DSN; don't forget to disallow setting amavisSpamDsnCutoffLevel +# and amavis*Admin, also +%always_bcc_by_ccat = ( + CC_CATCHALL, undef, +); +%dsn_bcc_by_ccat = ( + CC_CATCHALL, undef, +); + +# Never warn sender / recipient; don't forget to disallow setting +# amavisWarn*Recip, also +%warnsender_by_ccat = ( # deprecated use, except perhaps for CC_BADH + CC_CATCHALL, undef, +); +%warnrecip_maps_by_ccat = ( + CC_CATCHALL, undef, +); + +@message_size_limit_maps = (); # per-recipient limits + + +%banned_rules = ( + 'NO-MS-EXEC'=> new_RE( qr'^\.exe-ms$' ), + 'PASSALL' => new_RE( [qr'^' => 0] ), + 'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ), + 'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ), +); + + +$enable_ldap = 1; +$default_ldap = { + hostname => 'ldapi://', + sasl => 1, + sasl_mech => 'EXTERNAL', + deref => 'never', + timeout => 5, + scope => 'one', + base => 'fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org', + # XXX: ideally we would use %u in the base and the query_filter, but + # it's not supported as of amavis 2.7 (see the 'lookup_ldap' + # subroutine in /usr/sbin/amavisd-new) + query_filter => '(&(objectClass=amavisAccount)(ObjectClass=FripostVirtualUser)(fvl=%m))' +}; + + +$recipient_delimiter = '+'; +$enable_dkim_verification = 1; # enable DKIM signatures verification + + +# Per-recipient Bayes Database. +@sa_username_maps = ( + new_RE ( [ qr'^(.+@[^@]+)$'i => '$1' ] ), + 'amavis' # catch-all +); + +# http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex + +$inet_socket_port = 10041; + +$interface_policy{'10041'} = 'INBOUND'; + +{% if 'MTA-out' in group_names %} +$notify_method = 'smtp:[127.0.0.1]:{{ MTA_out.port }}'; +{% else %} +$notify_method = 'smtp:[{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}'; +{% endif %} +$forward_method = 'lmtp:/var/run/dovecot/lmtp'; +$requeue_method = $forward_method; + +$sa_tag_level_deflt = undef; +$sa_tag2_level_deflt = 5; +$sa_kill_level_deflt = 5; +$sa_dsn_cutoff_level = undef; +$sa_quarantine_cutoff_level = undef; + +$policy_bank{'INBOUND'} = { + originating => 0, # indicates a remote client, allows checking + smtpd_greeting_banner => + '${helo-name} ${protocol} ${product} INBOUND service ready', + mynetworks_maps => [], # avoids loading MYNETS policy unnecessarily +}; + +#------------ Do not modify anything below this line ------------- +1; # ensure a defined return -- cgit v1.2.3