From 1c357b55931a0d4fbd15d51d61ec4e81d4f38aa5 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 3 Jul 2014 04:26:26 +0200 Subject: Install amavisd-new on the outgoing SMTP proxy. For DKIM signing and virus checking. --- roles/IMAP/files/etc/amavis/conf.d/05-domain_id | 20 --- roles/IMAP/handlers/main.yml | 3 - roles/IMAP/tasks/amavis.yml | 56 --------- roles/IMAP/tasks/main.yml | 1 - roles/IMAP/tasks/spam.yml | 3 + .../etc/amavis/conf.d/15-content_filter_mode.j2 | 29 ----- roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 | 135 --------------------- 7 files changed, 3 insertions(+), 244 deletions(-) delete mode 100644 roles/IMAP/files/etc/amavis/conf.d/05-domain_id delete mode 100644 roles/IMAP/tasks/amavis.yml delete mode 100644 roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 delete mode 100644 roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 (limited to 'roles/IMAP') diff --git a/roles/IMAP/files/etc/amavis/conf.d/05-domain_id b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id deleted file mode 100644 index 19f10ed..0000000 --- a/roles/IMAP/files/etc/amavis/conf.d/05-domain_id +++ /dev/null @@ -1,20 +0,0 @@ -use strict; - -# $mydomain is used just for convenience in the config files and it is not -# used internally by amavisd-new except in the default X_HEADER_LINE (which -# Debian overrides by default anyway). - -$mydomain = "fripost.org"; - -# amavisd-new needs to know which email domains are to be considered local -# to the administrative domain. Only emails to "local" domains are subject -# to certain functionality, such as the addition of spam tags. -# -# Default local domains to $mydomain and all subdomains. Remember to -# override or redefine this if $mydomain is changed later in the config -# sequence. - -@local_domains_acl = ( ".$mydomain" ); -@local_domains_maps = ( ".$mydomain" ); - -1; # ensure a defined return diff --git a/roles/IMAP/handlers/main.yml b/roles/IMAP/handlers/main.yml index bda2ab9..c14468a 100644 --- a/roles/IMAP/handlers/main.yml +++ b/roles/IMAP/handlers/main.yml @@ -8,9 +8,6 @@ - name: Reload Postfix service: name=postfix state=reloaded -- name: Restart ClamAV - service: name=clamav-daemon state=restarted - - name: Compile Spamassassin rules sudo_user: debian-spamd # it might take a while... diff --git a/roles/IMAP/tasks/amavis.yml b/roles/IMAP/tasks/amavis.yml deleted file mode 100644 index 6f47328..0000000 --- a/roles/IMAP/tasks/amavis.yml +++ /dev/null @@ -1,56 +0,0 @@ -- name: Install amavis and its decoders - apt: pkg={{ item }} - with_items: - - amavisd-new - - libnet-ldap-perl - - libauthen-sasl-perl - - gzip - - bzip2 - - xz-utils - - lzop - - rpm2cpio - - pax - - binutils - - p7zip-full - - unrar-free - - arj - - nomarch - - zoo - - ripole - - cabextract - - unar - - tnef - notify: - - Restart Amavis - -- name: Add 'clamav' to the group 'amavis' - user: name=clamav groups=amavis append=yes - register: r1 - notify: - - Restart ClamAV - - Restart Amavis - -- name: Configure Amavis (1) - copy: src=etc/amavis/conf.d/05-domain_id - dest=/etc/amavis/conf.d/05-domain_id - owner=root group=root - mode=0644 - register: r2 - notify: - - Restart Amavis - -- name: Configure Amavis (2) - template: src=etc/amavis/conf.d/{{ item }}.j2 - dest=/etc/amavis/conf.d/{{ item }} - owner=root group=root - mode=0644 - register: r3 - with_items: - - 15-content_filter_mode - - 50-user - notify: - - Restart Amavis - -- name: Start Amavis - service: name=amavis state=started - when: not (r1.changed or r2.changed or r3.changed) diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml index b43f9fb..c6fbbd9 100644 --- a/roles/IMAP/tasks/main.yml +++ b/roles/IMAP/tasks/main.yml @@ -1,5 +1,4 @@ --- - include: imap.yml tags=imap,dovecot - include: mda.yml tags=mda,mail,postfix -- include: amavis.yml tags=amavis - include: spam.yml tags=spam,spamassassin diff --git a/roles/IMAP/tasks/spam.yml b/roles/IMAP/tasks/spam.yml index 51fde4b..a8fbe71 100644 --- a/roles/IMAP/tasks/spam.yml +++ b/roles/IMAP/tasks/spam.yml @@ -1,6 +1,9 @@ - name: Install spamassassin apt: pkg={{ item }} with_items: + # The following two lines are for the policy lookup (made by amavis) + - libnet-ldap-perl + - libauthen-sasl-perl - razor - spamassassin - spamc diff --git a/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 deleted file mode 100644 index cde0452..0000000 --- a/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 +++ /dev/null @@ -1,29 +0,0 @@ -use strict; - -# You can modify this file to re-enable SPAM checking through spamassassin -# and to re-enable antivirus checking. - -# -# Default antivirus checking mode -# Please note, that anti-virus checking is DISABLED by -# default. -# If You wish to enable it, please uncomment the following lines: - - -@bypass_virus_checks_maps = ( - \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); - - -# -# Default SPAM checking mode -# Please note, that anti-spam checking is DISABLED by -# default. -# If You wish to enable it, please uncomment the following lines: - - -{% if 'MDA' in group_names -%} -@bypass_spam_checks_maps = ( - \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); -{% endif %} - -1; # ensure a defined return diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 deleted file mode 100644 index b3ae7a9..0000000 --- a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 +++ /dev/null @@ -1,135 +0,0 @@ -use strict; - -# -# Place your configuration directives here. They will override those in -# earlier files. -# -# See /usr/share/doc/amavisd-new/ for documentation and examples of -# the directives you can use in this file -# - -# $max_servers: num of pre-forked children (2..30 is common). It *must* -# match the number set in /etc/postfix/master.cf "maxproc" column for -# the amavisfeed service. -$max_servers = 2; - -# list your internal networks -@mynetworks = qw( 127.0.0.0/8 172.16.0.1/32 ); - - -# Always deliver messages (force *_lovers_maps to [1]) -$final_virus_destiny = D_PASS; -$final_banned_destiny = D_PASS; -$final_unchecked_destiny = D_PASS; -$final_spam_destiny = D_PASS; -$final_bad_header_destiny = D_PASS; -$final_destiny_by_ccat{&CC_OVERSIZED} = D_PASS; - -%lovers_maps_by_ccat = ( - CC_CATCHALL, 1, -); - - -# Disable quarantine (force *_quarantine_to_maps to [1]; don't forget to -# disable setting amavisSpamQuarantineCutoffLevel and amavisVirusQuarantine*To, -# also) -$QUARANTINEDIR = undef; -%quarantine_method_by_ccat = ( - CC_CATCHALL, undef, -); -%admin_maps_by_ccat = ( - CC_CATCHALL, undef, -); - -undef $undecipherable_subject_tag; - -# Defang virus only -%defang_maps_by_ccat = ( - CC_VIRUS, 1, - CC_CATCHALL, undef, -); - -# Never BCC / DSN; don't forget to disallow setting amavisSpamDsnCutoffLevel -# and amavis*Admin, also -%always_bcc_by_ccat = ( - CC_CATCHALL, undef, -); -%dsn_bcc_by_ccat = ( - CC_CATCHALL, undef, -); - -# Never warn sender / recipient; don't forget to disallow setting -# amavisWarn*Recip, also -%warnsender_by_ccat = ( # deprecated use, except perhaps for CC_BADH - CC_CATCHALL, undef, -); -%warnrecip_maps_by_ccat = ( - CC_CATCHALL, undef, -); - -@message_size_limit_maps = (); # per-recipient limits - - -%banned_rules = ( - 'NO-MS-EXEC'=> new_RE( qr'^\.exe-ms$' ), - 'PASSALL' => new_RE( [qr'^' => 0] ), - 'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ), - 'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ), -); - - -$enable_ldap = 1; -$default_ldap = { - hostname => 'ldapi://', - sasl => 1, - sasl_mech => 'EXTERNAL', - deref => 'never', - timeout => 5, - scope => 'one', - base => 'fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org', - # XXX: ideally we would use %u in the base and the query_filter, but - # it's not supported as of amavis 2.7 (see the 'lookup_ldap' - # subroutine in /usr/sbin/amavisd-new) - query_filter => '(&(objectClass=amavisAccount)(ObjectClass=FripostVirtualUser)(fvl=%m))' -}; - - -$recipient_delimiter = '+'; -$enable_dkim_verification = 1; # enable DKIM signatures verification - - -# Per-recipient Bayes Database. -@sa_username_maps = ( - new_RE ( [ qr'^(.+@[^@]+)$'i => '$1' ] ), - 'amavis' # catch-all -); - -# http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex - -$inet_socket_port = 10041; - -$interface_policy{'10041'} = 'INBOUND'; - -{% if 'out' in group_names %} -$notify_method = 'smtp:[127.0.0.1]:{{ postfix_instance.out.port }}'; -{% else %} -$notify_method = 'smtp:[outgoing.fripost.org]:{{ postfix_instance.out.port }}'; -{% endif %} -$forward_method = 'lmtp:/var/run/dovecot/lmtp'; -$requeue_method = $forward_method; - -$sa_tag_level_deflt = undef; -$sa_tag2_level_deflt = 5; -$sa_kill_level_deflt = 5; -$sa_dsn_cutoff_level = undef; -$sa_quarantine_cutoff_level = undef; - -$policy_bank{'INBOUND'} = { - originating => 0, # indicates a remote client, allows checking - smtpd_greeting_banner => - '${helo-name} ${protocol} ${product} INBOUND service ready', - mynetworks_maps => [], # avoids loading MYNETS policy unnecessarily -}; - -#------------ Do not modify anything below this line ------------- -1; # ensure a defined return -- cgit v1.2.3