From b536632f32d81dceb11f2b7ebf2ec1a284498901 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 22 May 2016 17:57:38 +0200
Subject: spamassassin: list our IPSec subnet in trusted_networks.
---
roles/IMAP/files/etc/spamassassin/local.cf | 118 ---------------------
roles/IMAP/tasks/main.yml | 6 +-
roles/IMAP/tasks/spam.yml | 25 ++++-
roles/IMAP/templates/etc/spamassassin/local.cf.j2 | 120 ++++++++++++++++++++++
4 files changed, 145 insertions(+), 124 deletions(-)
delete mode 100644 roles/IMAP/files/etc/spamassassin/local.cf
create mode 100644 roles/IMAP/templates/etc/spamassassin/local.cf.j2
(limited to 'roles/IMAP')
diff --git a/roles/IMAP/files/etc/spamassassin/local.cf b/roles/IMAP/files/etc/spamassassin/local.cf
deleted file mode 100644
index 8ae4a4b..0000000
--- a/roles/IMAP/files/etc/spamassassin/local.cf
+++ /dev/null
@@ -1,118 +0,0 @@
-# This is the right place to customize your installation of SpamAssassin.
-#
-# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
-# tweaked.
-#
-# Only a small subset of options are listed below
-#
-###########################################################################
-
-# Add *****SPAM***** to the Subject header of spam e-mails
-#
-rewrite_header Subject [*****SPAM*****]
-
-
-# Save spam messages as a message/rfc822 MIME attachment instead of
-# modifying the original message (0: off, 2: use text/plain instead)
-#
-report_safe 0
-
-
-# Set which networks or hosts are considered 'trusted' by your mail
-# server (i.e. not spammers)
-#
-# TODO: Unclear how to do with IPSec and dynamic IPs.
-clear_trusted_networks
-trusted_networks 192.168.122.2 192.168.122.3
-
-clear_internal_networks
-internal_networks 192.168.122.2 192.168.122.3
-
-
-# Set file-locking method (flock is not safe over NFS, but is faster)
-#
-lock_method flock
-
-
-# Set the threshold at which a message is considered spam (default: 5.0)
-#
-required_score 5.0
-
-
-# Use Bayesian classifier (default: 1)
-#
-use_bayes 1
-
-
-# Bayesian classifier auto-learning (default: 1)
-#
-bayes_auto_learn 1
-bayes_auto_expire 0
-
-
-# Enable or disable network checks
-#
-# http://en.linuxreviews.org/Spam_blacklists
-# The best bets are zen.spamhaus.org and bl.spamcop.net .
-skip_rbl_checks 0
-use_razor2 1
-use_pyzor 0
-use_auto_whitelist 1
-
-# http://www.spamtips.org/2011/01/disable-dnsfromahblrhsbl.html
-score DNS_FROM_AHBL_RHSBL 0
-# http://www.spamtips.org/2011/01/disable-rfc-ignorantorg-rules.html
-score __RFC_IGNORANT_ENVFROM 0
-score DNS_FROM_RFC_DSN 0
-score DNS_FROM_RFC_BOGUSMX 0
-score __DNS_FROM_RFC_POST 0
-score __DNS_FROM_RFC_ABUSE 0
-score __DNS_FROM_RFC_WHOIS 0
-
-# Set headers which may provide inappropriate cues to the Bayesian
-# classifier
-#
-# bayes_ignore_header X-Bogosity
-# bayes_ignore_header X-Spam-Flag
-# bayes_ignore_header X-Spam-Status
-
-
-# Some shortcircuiting, if the plugin is enabled
-#
-ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
-#
-# default: strongly-whitelisted mails are *really* whitelisted now, if the
-# shortcircuiting plugin is active, causing early exit to save CPU load.
-# Uncomment to turn this on
-#
-# shortcircuit USER_IN_WHITELIST on
-# shortcircuit USER_IN_DEF_WHITELIST on
-# shortcircuit USER_IN_ALL_SPAM_TO on
-# shortcircuit SUBJECT_IN_WHITELIST on
-
-# the opposite; blacklisted mails can also save CPU
-#
-# shortcircuit USER_IN_BLACKLIST on
-# shortcircuit USER_IN_BLACKLIST_TO on
-# shortcircuit SUBJECT_IN_BLACKLIST on
-
-# if you have taken the time to correctly specify your "trusted_networks",
-# this is another good way to save CPU
-#
-# shortcircuit ALL_TRUSTED on
-
-# and a well-trained bayes DB can save running rules, too
-#
-# shortcircuit BAYES_99 spam
-# shortcircuit BAYES_00 ham
-
-endif # Mail::SpamAssassin::Plugin::Shortcircuit
-
-
-bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
-bayes_sql_dsn DBI:mysql:spamassassin
-bayes_sql_username amavis
-
-auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
-user_awl_dsn DBI:mysql:spamassassin
-user_awl_sql_username amavis
diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml
index f9b25d1..b26cb10 100644
--- a/roles/IMAP/tasks/main.yml
+++ b/roles/IMAP/tasks/main.yml
@@ -8,9 +8,9 @@ - mda - mail - postfix -# TODO spam filter +## TODO spam filter #- include: spam.yml -# tags +# tags: # - spam +# - amavis # - spamassassin -# diff --git a/roles/IMAP/tasks/spam.yml b/roles/IMAP/tasks/spam.yml index 06624dd..3091b85 100644 --- a/roles/IMAP/tasks/spam.yml +++ b/roles/IMAP/tasks/spam.yml @@ -25,22 +25,34 @@ - meta: flush_handlers + - name: Copy SpamAssassin's configuration copy: src=etc/{{ item }} dest=/etc/{{ item }} owner=root group=root mode=0644 with_items: - - spamassassin/local.cf - spamassassin/v310.pre - spamassassin/v320.pre + register: r1 + notify: + - Restart Amavis + +- name: Copy SpamAssassin's configuration (2) + template: src=etc/{{ item }}.j2 + dest=/etc/{{ item }} + owner=root group=root + mode=0644 + with_items: + - spamassassin/local.cf + register: r2 notify: - Restart Amavis - name: Provision /etc/default/spamassassin lineinfile: dest=/etc/default/spamassassin - regexp='^(\s*#)?\s*{{ item.var }}=' - "line={{ item.var }}={{ item.value }}" + regexp='^(\\s*#)?\\s*{{ item.var }}\\s*=' + line='{{ item.var }}={{ item.value }}' owner=root group=root mode=0644 with_items: @@ -59,5 +71,12 @@ /spamassassin.bayes_vars: SELECT,INSERT,UPDATE,DELETE /spamassassin.bayes_expire: SELECT,INSERT, DELETE" state=present + register: r3 notify: - Restart Amavis + +- name: Start Amavis + service: name=amavis state=started + when: not (r1.changed or r2.changed or r3.changed) + +- meta: flush_handlers diff --git a/roles/IMAP/templates/etc/spamassassin/local.cf.j2 b/roles/IMAP/templates/etc/spamassassin/local.cf.j2 new file mode 100644 index 0000000..edef554 --- /dev/null +++ b/roles/IMAP/templates/etc/spamassassin/local.cf.j2 
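Review bot: The doubled backslashes in `regexp='^(\\s*#)?\\s*{{ item.var }}\\s*='` depend on how the key=value argument string is unescaped before it reaches lineinfile, which is easy to get wrong in either direction and gives the next reader no way to tell what the regex engine actually sees. Writing the module arguments in YAML mapping form (`regexp: '^(\s*#)?\s*{{ item.var }}\s*='`, `line: '{{ item.var }}={{ item.value }}'`) makes the pattern explicit and removes the second layer of quoting. The task name `Copy SpamAssassin's configuration (2)` hides that it templates rather than copies; `Template SpamAssassin's local.cf` would say what it does. The task list this hunk edits begins before the hunk.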
@@ -0,0 +1,120 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# Only a small subset of options are listed below
+#
+###########################################################################
+
+# Add *****SPAM***** to the Subject header of spam e-mails
+#
+rewrite_header Subject [*****SPAM*****]
+
+
+# Save spam messages as a message/rfc822 MIME attachment instead of
+# modifying the original message (0: off, 2: use text/plain instead)
+#
+report_safe 0
+
+
+# Set which networks or hosts are considered 'trusted' by your mail
+# server (i.e. not spammers)
+#
+clear_trusted_networks
+trusted_networks 127.0.0.1/8 {{ ipsec_subnet }} {{ groups.MX | join(' ') }}
+
+# MXes and internal relays should be listed in bouth trusted_networks
+# and clear_internal_networks, cf.
+# https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html
+clear_internal_networks
+internal_networks {{ groups.MX | join(' ') }}
+
+
+# Set file-locking method (flock is not safe over NFS, but is faster)
+#
+lock_method flock
+
+
+# Set the threshold at which a message is considered spam (default: 5.0)
+#
+required_score 5.0
+
+
+# Use Bayesian classifier (default: 1)
+#
+use_bayes 1
+
+
+# Bayesian classifier auto-learning (default: 1)
+#
+bayes_auto_learn 1
+bayes_auto_expire 0
+
+
+# Enable or disable network checks
+#
+# http://en.linuxreviews.org/Spam_blacklists
+# The best bets are zen.spamhaus.org and bl.spamcop.net .
+skip_rbl_checks 0
+use_razor2 1
+use_pyzor 0
+use_auto_whitelist 1
+
+# http://www.spamtips.org/2011/01/disable-dnsfromahblrhsbl.html
+score DNS_FROM_AHBL_RHSBL 0
+# http://www.spamtips.org/2011/01/disable-rfc-ignorantorg-rules.html
+score __RFC_IGNORANT_ENVFROM 0
+score DNS_FROM_RFC_DSN 0
+score DNS_FROM_RFC_BOGUSMX 0
+score __DNS_FROM_RFC_POST 0
+score __DNS_FROM_RFC_ABUSE 0
+score __DNS_FROM_RFC_WHOIS 0
+
+# Set headers which may provide inappropriate cues to the Bayesian
+# classifier
+#
+# bayes_ignore_header X-Bogosity
+# bayes_ignore_header X-Spam-Flag
+# bayes_ignore_header X-Spam-Status
+
+
+# Some shortcircuiting, if the plugin is enabled
+#
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+# default: strongly-whitelisted mails are *really* whitelisted now, if the
+# shortcircuiting plugin is active, causing early exit to save CPU load.
+# Uncomment to turn this on
+#
+# shortcircuit USER_IN_WHITELIST on
+# shortcircuit USER_IN_DEF_WHITELIST on
+# shortcircuit USER_IN_ALL_SPAM_TO on
+# shortcircuit SUBJECT_IN_WHITELIST on
+
+# the opposite; blacklisted mails can also save CPU
+#
+# shortcircuit USER_IN_BLACKLIST on
+# shortcircuit USER_IN_BLACKLIST_TO on
+# shortcircuit SUBJECT_IN_BLACKLIST on
+
+# if you have taken the time to correctly specify your "trusted_networks",
+# this is another good way to save CPU
+#
+# shortcircuit ALL_TRUSTED on
+
+# and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99 spam
+# shortcircuit BAYES_00 ham
+
+endif # Mail::SpamAssassin::Plugin::Shortcircuit
+
+
+bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
+bayes_sql_dsn DBI:mysql:spamassassin
+bayes_sql_username amavis
+
+auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
+user_awl_dsn DBI:mysql:spamassassin
+user_awl_sql_username amavis
-- cgit v1.2.3
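Review bot: `{{ groups.MX | join(' ') }}` on the trusted_networks and internal_networks lines expands to the MX hosts' inventory names, while the Conf documentation the comment links to describes these options as taking `IPaddress[/masklen]` entries; unless the inventory names are literal addresses, the template should render an address per MX host (from hostvars, for example), which is worth confirming against the inventory before this goes live, since a non-parsing entry would leave the MX relay untrusted. The explicit `127.0.0.1/8` is harmless but redundant: the same documentation states that 127/8 and ::1 are always part of trusted_networks. The comment above clear_internal_networks has two slips, `bouth` for `both` and naming `clear_internal_networks` where the option both lists must share is `internal_networks`; suggest `# MXes and internal relays should be listed in both trusted_networks` followed by `# and internal_networks, cf.`.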