use strict;
# {{ ansible_managed }}
# Do NOT edit this file directly!

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
# This file is rendered by Ansible from a Jinja2 template; several sections
# below are only emitted depending on the host's group membership ('out'
# and/or 'MDA').
#

# $max_servers: num of pre-forked children (2..30 is common). It *must*
# match the number set in /etc/postfix/master.cf "maxproc" column for
# the amavisfeed service.
$max_servers = 5;
# Address-extension delimiter (presumably the same as Postfix's
# recipient_delimiter, so that user+ext@domain is recognised as local).
$recipient_delimiter = '+';

$mydomain = 'fripost.org';
# Text of the header line amavis adds to scanned mail.  It names the
# product, which is a (minor) information disclosure to every recipient.
$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";

# No IP-based notion of "our" networks: whether a message is treated as
# originating is decided by the policy bank of the port it arrived on
# (see the OUTGOING/INCOMING policy banks below), not by client address.
@mynetworks_maps = ();
# NOTE(review): with this map empty, pre-existing X-Spam-* headers on
# incoming mail look like they are kept rather than stripped; downstream
# filters should trust only the headers amavis adds itself -- confirm intent.
@remove_existing_spam_headers_maps = ();
@bypass_virus_checks_maps = (); # load virus checking code


$enable_dkim_verification = 1; # load DKIM signing/verifying code
{% if 'out' not in group_names %}
# Not an outgoing host: verify only, never sign, and keep spam checking on.
undef $enable_dkim_signing;
@bypass_spam_checks_maps = (); # load spam checking code
{% else %}
$enable_dkim_signing = 1;
# Sign *all* outgoing mails with *our* key (yes, amavis complains, but this is
# safe as we force our domain with the 'd' tag).
# One dkim_key() call per entry of dkim_keys[<this host>]: the entry's key is
# the domain ("~" stands for the catch-all and is rendered as qr/./), its
# value gives the selector 's' and the signing domain 'd'.  The third
# argument is the private key file, /etc/amavis/dkim/<selector>:<domain>.pem,
# which must be readable by the amavis user only.  Inventory values are
# interpolated into Perl string literals unescaped, so a domain or selector
# containing a quote or backslash would break this file at load time.
{% for x,k in dkim_keys[inventory_hostname_short] | default({}) | dictsort() -%}
dkim_key({{ (x == "~") | ternary('qr/./', "'"+x+"'") }}, '{{ k.s }}', '/etc/amavis/dkim/{{ k.s }}:{{ k.d }}.pem');
{% endfor -%}
# Signature options per sender domain ('.' is the catch-all entry): always
# the configured 'd' tag, rsa-sha256, relaxed/simple canonicalisation and a
# 21-day signature expiry.
@dkim_signature_options_bysender_maps = (
{% for x,k in dkim_keys[inventory_hostname_short] | default({}) | dictsort() %}
    { '{{ (x == "~") | ternary('.', x) }}' => {
        d => '{{ k.d }}'
      , a => 'rsa-sha256'
      , ttl => 21*24*3600
      , c => 'relaxed/simple' }
    }{% if not loop.last %},
{% endif %}
{% endfor %}
);
# Conform to RFC 4871 and don't sign Received: headers.
$signed_header_fields{received} = 0;
{% endif %}



# Defang viruses and nothing else
# (&CC_VIRUS calls the constant; a bare CC_VIRUS in front of '=>' would be
# auto-quoted to the string "CC_VIRUS".)
%defang_maps_by_ccat = ( &CC_VIRUS    => 1
                       , &CC_CATCHALL => undef
                       );

# Don't change the subject for unchecked messages (not by-recip)
# The unary '+' makes the subscript the constant's value, not a string key.
delete $subject_tag_maps_by_ccat{+CC_UNCHECKED};

# Never BCC / DSN; don't forget to disallow setting amavisSpamDsnCutoffLevel
# and amavis*Admin, also
%always_bcc_by_ccat = ( &CC_CATCHALL => undef );
%dsn_bcc_by_ccat    = ( &CC_CATCHALL => undef );

# Never warn sender or recipient; don't forget to disallow setting
# amavisWarn*Recip, also
%warnsender_by_ccat     = ( &CC_CATCHALL => undef );
%warnrecip_maps_by_ccat = ( &CC_CATCHALL => undef );


# A couple of common banned rules one can refer to by their name
# (presumably from per-recipient settings).  A [regex => 0] pair matches
# but yields false, i.e. "not banned"; PASSALL therefore allows everything.
%banned_rules = (
  'NO-MS-EXEC'=> new_RE( qr/^\.exe-ms$/ ),
  'PASSALL'   => new_RE( [qr/^/ => 0] ),
  'ALLOW_EXE' => new_RE( qr/.\.(vbs|pif|scr|bat)$/i, [qr/^\.exe$/ => 0] ),
  'ALLOW_VBS' => new_RE( [qr/.\.vbs$/ => 0] ),
);


{% if 'MDA' in group_names %}
$enable_ldap  = 1; # Load Net::LDAP
# Per-recipient settings come from LDAP over the local ldapi:// socket,
# authenticated with SASL EXTERNAL (typically the peer credentials of the
# amavis process), so no bind password has to be stored in this file.
# %d and %m are substituted by amavis from the recipient address, which is
# chosen by the remote sender.  NOTE(review): confirm that the amavis
# version in use escapes DN-special characters in %d and filter-special
# characters in %m before substitution.
$default_ldap = {
    hostname      => 'ldapi://',
    sasl          => 1,
    sasl_mech     => 'EXTERNAL',
    deref         => 'never',
    timeout       => 5,
    scope         => 'one',
    base          => 'fvd=%d,ou=virtual,dc=fripost,dc=org',
    # XXX: ideally we would use %u in the base and the query_filter, but
    # it's not supported as of amavis 2.7 (see the 'lookup_ldap'
    # subroutine in /usr/sbin/amavisd-new)
    query_filter  => '(&(objectClass=amavisAccount)(ObjectClass=FripostVirtualUser)(fvl=%m))'
};
{% endif %}


# http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex

# Mail is handed over with LMTP on loopback only, one port per role.  The
# port selects the policy bank via %interface_policy, so it is the *port*
# (not the client address) that decides whether a message is treated as
# originating: any process able to reach 127.0.0.1:10040 gets OUTGOING
# treatment, which is acceptable only while the host has no untrusted
# local processes.
$protocol = 'LMTP';
$inet_socket_bind = ['127.0.0.1'];
$inet_socket_port = [];

{% if 'out' in group_names %}
push @$inet_socket_port, 10040;
$interface_policy{'10040'} = 'OUTGOING';
{% endif %}
{% if 'MDA' in group_names %}
push @$inet_socket_port, 10041;
$interface_policy{'10041'} = 'INCOMING';
{% endif %}

$QUARANTINEDIR  = "$MYHOME/virusmails";
$notify_method  = 'smtp:[127.0.0.1]:16132'; # notifications
$forward_method = 'smtp:[127.0.0.1]:10025'; # reinject
$requeue_method = $notify_method;           # requeue after quarantine

# some defaults for spam checking
# Per the amavisd.conf documentation: an undef tag level adds the X-Spam
# headers regardless of score, tag2/kill at 5 mark and act on spam from
# that score, and the undef cutoffs mean no spam DSN and no spam
# quarantine (consistent with the never-BCC/DSN settings above).  Where
# LDAP is enabled, per-recipient attributes may override these defaults.
$sa_tag_level_deflt         = undef;
$sa_tag2_level_deflt        = 5;
$sa_kill_level_deflt        = 5;
$sa_dsn_cutoff_level        = undef;
$sa_quarantine_cutoff_level = undef;


# Here is an overall picture (sequence of events) of how pieces fit together
#
#   bypass_virus_checks set for all recipients? ==> PASS
#   no viruses?   ==> PASS
#   log virus     if $log_templ is nonempty
#   quarantine    if $virus_quarantine_to is nonempty
#   notify admin  if $virus_admin (lookup) nonempty
#   notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
#   add address extensions for local recipients (when enabled)
#   send (non-)delivery notifications
#      to sender if DSN needed (BOUNCE or ($warnvirussender and D_PASS))
#   virus_lovers or final_destiny==D_PASS  ==> PASS
#   DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)


# Mandatory DKIM signing and virus checking only
# Bank for mail submitted by our own users (port 10040).  originating => 1
# is what lets amavis DKIM-sign (per its docs it only signs originating
# mail); verifying signatures on our own outgoing mail is pointless.
$policy_bank{'OUTGOING'} = {
  originating              => 1,
  enable_dkim_verification => 0,
  protocol                 => 'LMTP',
  smtpd_greeting_banner    => '${helo-name} ${protocol} ${product} OUTGOING service ready',
  forward_method           => $forward_method,

  # No black or white lists
  message_size_limit_maps => [],
  whitelist_sender_maps   => [],
  blacklist_sender_maps   => [],

  # Check for viruses (regardless of the recipient), but bypass all other checks
  bypass_virus_checks_maps  => undef,
  bypass_banned_checks_maps => 1,
  bypass_header_checks_maps => 1,
  bypass_spam_checks_maps   => 1,

  # If a virus is found, notify postmaster, quarantine, then discard.
  # Treat unchecked mails (eg, encrypted) as clean.
  # ("\@" keeps the double-quoted string from interpolating an array.)
  quarantine_to_maps_by_ccat => { &CC_VIRUS => [$virus_quarantine_to],     &CC_UNCHECKED => undef, &CC_CLEAN => undef       },
  quarantine_method_by_ccat  => { &CC_VIRUS => [$virus_quarantine_method], &CC_UNCHECKED => undef, &CC_CLEAN => undef       },
  admin_maps_by_ccat         => { &CC_VIRUS => ["postmaster\@$mydomain"],  &CC_UNCHECKED => undef                           },
  lovers_maps_by_ccat        => { &CC_VIRUS => undef,                      &CC_UNCHECKED => 1                               },
  final_destiny_maps_by_ccat => { &CC_VIRUS => D_DISCARD,                  &CC_UNCHECKED => D_PASS, &CC_OVERSIZED => D_PASS },
};

# Bank for mail addressed to our users (port 10041): verify DKIM and run
# every check, but never reject, discard, quarantine or notify -- the
# verdict is only recorded in headers (presumably acted on at delivery
# time).  Note that the spam kill level above therefore never causes a
# message to be dropped in this bank.
$policy_bank{'INCOMING'} = {
  originating              => 0,
  enable_dkim_verification => 1,
  protocol                 => 'LMTP',
  smtpd_greeting_banner    => '${helo-name} ${protocol} ${product} INCOMING service ready',
  forward_method           => $forward_method,
  message_size_limit_maps  => [],

  # Per-recipient Bayes Database
  # The SpamAssassin username is the full recipient address (amavis expands
  # the '$1'), falling back to 'amavis'.  NOTE(review): that address is
  # chosen by the remote sender; keep SpamAssassin's per-user lookup in a
  # backend that treats the name as opaque data (e.g. SQL) rather than as
  # part of a filesystem path.
  sa_username_maps => [ new_RE ( [ qr/^(.+\@.+)$/ => '$1' ] )
                      , 'amavis' # catch-all
                      ],

  # Never quarantine, and never notify.
  # (Remember to disallow setting amavisSpamQuarantineCutoffLevel and
  # amavisVirusQuarantine*To in the LDAP schema.)
  # XXX: users might want to quarantine messages and get a notification instead
  quarantine_method_by_ccat  => { map {$_ => undef} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_BADH, CC_CLEAN) },
  admin_maps_by_ccat         => { map {$_ => undef} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_BADH          ) },

  # Always deliver messages
  final_destiny_maps_by_ccat => { map {$_ => D_PASS} (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM,            CC_BADH) },
  lovers_maps_by_ccat        => { map {$_ => 1     } (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_SPAMMY, CC_BADH) },
};

#------------ Do not modify anything below this line -------------
1;  # ensure a defined return
# vim: set filetype=perl :