
Add amavis, clamav and spamassasin roles

evolinux-users
Victor Laborie 2 years ago
parent
commit
10ff2747e2
17 changed files with 603 additions and 2 deletions
  1. +2
    -0
      amavis/defaults/main.yml
  2. +87
    -0
      amavis/files/spam.sh
  3. +5
    -0
      amavis/handlers/main.yml
  4. +43
    -0
      amavis/tasks/main.yml
  5. +57
    -0
      amavis/templates/amavis.conf.j2
  6. +5
    -0
      clamav/handlers/main.yml
  7. +3
    -0
      clamav/meta/main.yml
  8. +111
    -0
      clamav/tasks/main.yml
  9. +3
    -0
      packmail/meta/main.yml
  10. +2
    -2
      postfix/tasks/main.yml
  11. +4
    -0
      postfix/templates/packmail_main.cf.j2
  12. +37
    -0
      postfix/templates/packmail_master.cf.j2
  13. +68
    -0
      spamassasin/files/sa-update.sh
  14. +117
    -0
      spamassasin/files/spamassassin.cf
  15. +5
    -0
      spamassasin/handlers/main.yml
  16. +3
    -0
      spamassasin/meta/main.yml
  17. +51
    -0
      spamassasin/tasks/main.yml

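--- a/amavis/defaults/main.yml
+++ b/amavis/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+amavis_is_active: True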
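Review bot: `amavis_is_active: True` uses the capitalised YAML 1.1 boolean; `amavis_is_active: true` is the canonical form and reads the same under every loader. None of the tasks in amavis/tasks/main.yml in this commit read the variable, so presumably a later role or playbook consumes it — worth confirming, or leaving it out until something does.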

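--- a/amavis/files/spam.sh
+++ b/amavis/files/spam.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#set -x
+
+umask 022
+
+tmp_file=$(mktemp)
+
+tmp=$(mktemp -d)
+
+if [ -f $tmp_file ] ;
+then rm $tmp_file ;
+fi
+
+sleep $[ $RANDOM / 1024 ]
+
+# Postfix
+cd $tmp
+
+wget -q -t 3 http://antispam00.evolix.org/spam/client.access -O $tmp_file
+cp $tmp_file /etc/postfix/client.access
+rm $tmp_file
+
+wget -q -t 3 http://antispam00.evolix.org/spam/sender.access -O $tmp_file
+cp $tmp_file /etc/postfix/sender.access
+rm $tmp_file
+
+wget -q -t 3 http://antispam00.evolix.org/spam/recipient.access -O $tmp_file
+cp $tmp_file /etc/postfix/recipient.access
+rm $tmp_file
+
+wget -q -t 3 http://antispam00.evolix.org/spam/header_kill -O $tmp_file
+cp $tmp_file /etc/postfix/header_kill
+rm $tmp_file
+
+wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access -O sa-blacklist.access
+wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access.md5 -O $tmp_file
+if md5sum -c $tmp_file > /dev/null && [ -s sa-blacklist.access ] ; then
+cp sa-blacklist.access /etc/postfix/sa-blacklist.access
+fi
+rm sa-blacklist.access
+rm $tmp_file
+
+/usr/sbin/postmap hash:/etc/postfix/client.access
+/usr/sbin/postmap hash:/etc/postfix/sender.access
+/usr/sbin/postmap hash:/etc/postfix/recipient.access
+/usr/sbin/postmap -r hash:/etc/postfix/sa-blacklist.access
+
+wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr -O spamd.cidr
+wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr.md5 -O $tmp_file
+if md5sum -c $tmp_file > /dev/null && [ -s spamd.cidr ] ; then
+cp spamd.cidr /etc/postfix/spamd.cidr
+fi
+rm spamd.cidr
+rm $tmp_file
+
+
+# SpamAssassin
+cd $tmp
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf -O evolix_rules.cf
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf.md5 -O $tmp_file
+if md5sum -c $tmp_file > /dev/null && [ -s evolix_rules.cf ] ; then
+dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp evolix_rules.cf /etc/spamassassin
+dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/spamassassin reload > /dev/null
+if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
+run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
+fi
+fi
+
+# ClamAV
+cd $tmp
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb -O evolix.ndb
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb.md5 -O $tmp_file
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.ndb
+if md5sum -c $tmp_file > /dev/null && [ -s evolix.ndb ] ; then
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.ndb /var/lib/clamav/
+fi
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb -O evolix.hsb
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb.md5 -O $tmp_file
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.hsb
+if md5sum -c $tmp_file > /dev/null && [ -s evolix.hsb ] ; then
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.hsb /var/lib/clamav/
+fi
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/clamav-daemon reload-database > /dev/null
+rm $tmp_file
+
+rm -rf $tmp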
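Review bot: The four unverified Postfix downloads (client.access, sender.access, recipient.access, header_kill) copy `$tmp_file` into /etc/postfix even when wget fails, and because `wget -O` leaves an empty file behind on failure, one transient network error replaces a live access map with an empty one, which the unconditional `postmap` calls further down then publish; only the md5-checked downloads carry the `[ -s … ]` guard. The helper below keeps the existing map unless the fetch succeeded and produced a non-empty file, and quotes `$tmp_file`, which is unquoted throughout the script. The `.md5` files arrive over the same plain-HTTP channel as the payloads, so they detect truncation or corruption, not substitution — since this runs as root from cron and writes into /etc/postfix and /var/lib/clamav, fetching over HTTPS (if the server offers it) would be the actual integrity control, and a comment saying the md5 is a transport check only would keep readers from assuming more. `sleep $[ $RANDOM / 1024 ]` uses the deprecated `$[ ]` arithmetic form; `sleep $(( RANDOM / 1024 ))` is the portable spelling.

```shell
fetch_into_postfix() {
    # $1 = remote file name, $2 = destination path; keeps the existing file on any failure
    local name="$1" dest="$2"
    if wget -q -t 3 "http://antispam00.evolix.org/spam/${name}" -O "$tmp_file" && [ -s "$tmp_file" ]; then
        cp "$tmp_file" "$dest"
    fi
    rm -f "$tmp_file"
}

fetch_into_postfix client.access    /etc/postfix/client.access
fetch_into_postfix sender.access    /etc/postfix/sender.access
fetch_into_postfix recipient.access /etc/postfix/recipient.access
fetch_into_postfix header_kill      /etc/postfix/header_kill
# … unchanged: md5-checked sa-blacklist.access / spamd.cidr downloads, postmap calls, SpamAssassin and ClamAV sections …
```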

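--- a/amavis/handlers/main.yml
+++ b/amavis/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart amavis
+service:
+name: amavis
+state: restarted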

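--- a/amavis/tasks/main.yml
+++ b/amavis/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+- name: install Amavis
+apt:
+name: "{{ item }}"
+state: present
+with_items:
+- postgrey
+- amavisd-new
+tags:
+- amavis
+
+- name: configure Amavis
+template:
+src: amavis.conf.j2
+dest: /etc/amavis/conf.d/49-evolinux-defaults.conf
+mode: "0644"
+notify: restart amavis
+tags:
+- amavis
+
+- name: copy spam.sh script
+copy:
+src: spam.sh
+dest: /usr/share/scripts/spam.sh
+mode: "0700"
+tags:
+- amavis
+
+- name: enable spam.sh cron
+lineinfile:
+dest: /etc/cron.d/spam
+line: "42 * * * * /usr/share/scripts/spam.sh"
+create: yes
+state: present
+mode: "0640"
+tags:
+- amavis
+
+- name: update antispam list
+command: /usr/share/scripts/spam.sh
+changed_when: false
+tags:
+- amavis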
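Review bot: The cron line written to /etc/cron.d/spam by the `enable spam.sh cron` task has no user field, and entries under /etc/cron.d use the system-crontab format, so cron will reject or misparse it as written; it should read `line: "42 * * * * root /usr/share/scripts/spam.sh"`. The `copy spam.sh script` task assumes /usr/share/scripts already exists, since the copy module does not create parent directories — presumably another role creates it, worth confirming or adding a `file: state=directory` task before it. `create: yes` would be clearer as `create: true`, in line with the quoted `mode:` values the file already uses.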

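--- a/amavis/templates/amavis.conf.j2
+++ b/amavis/templates/amavis.conf.j2
@@ -0,0 +1,57 @@
+use strict;
+
+## Liste des domaines considérés comme locaux
+#@local_domains_acl = qw(.);
+@local_domains_acl = (".example.net","example.com");
+
+# On customise la ligne ajoutée dans les entêtes
+$X_HEADER_LINE = "by Amavis at $mydomain";
+
+# On precise les FROM pour etre (bugs dans certaines version d'Amavis)
+$mailfrom_notify_admin = "postmaster\@$mydomain";
+$mailfrom_notify_recip = "postmaster\@$mydomain";
+$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
+
+# Notifications de fichiers bannis / virus
+$virus_admin = "postmaster\@$mydomain";
+# Ne pas recevoir des notifications pour les mails UNCHECKED
+delete $admin_maps_by_ccat{&CC_UNCHECKED};
+
+# Que faire avec les messages détectés
+$final_virus_destiny = D_DISCARD;
+$final_banned_destiny = D_BOUNCE;
+$final_spam_destiny = D_BOUNCE;
+$final_bad_header_destiny = D_PASS;
+
+# Pour recevoir des bounces (mails originals) des fichiers bloqués / virus
+#$banned_quarantine_to = "banned\@$mydomain";
+#$virus_quarantine_to = "virus\@$mydomain";
+
+# Note tueuse
+$sa_tag2_level_deflt = 6.31;
+# Pour un comportement "normal" de SA
+$sa_tag_level_deflt = -1999;
+$sa_kill_level_deflt = 1999;
+$sa_dsn_cutoff_level = -99;
+$sa_spam_subject_tag = '[SPAM]';
+
+# log
+$log_level = 2;
+
+# En fonction besoin/ressources, on a juste le nbre de process
+$max_servers = 2;
+
+$enable_ldap = 1;
+$default_ldap = {
+hostname => '127.0.0.1', tls => 0,
+base => '{{ ldap_suffix }}', scope => 'sub',
+query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
+};
+
+# Activer l'antivirus et antivirus
+@bypass_virus_checks_maps = (
+\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+@bypass_spam_checks_maps = (
+\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+
+1; # ensure a defined return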
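Review bot: `@local_domains_acl = (".example.net","example.com");` ships the placeholder domains unchanged to every host, while the LDAP `base` a few lines lower is already rendered from `ldap_suffix`; the local-domain list should come from a role variable the same way (a constructed name such as `amavis_local_domains`, rendered as a quoted Perl list), otherwise Amavis treats mail for the real domains as non-local. `$final_spam_destiny = D_BOUNCE;` and `$final_banned_destiny = D_BOUNCE;` send notifications back to the envelope sender of detected spam, which is typically forged; as I read it, `$sa_dsn_cutoff_level = -99;` is meant to suppress those DSNs for spam, but that intent is not stated anywhere, so a comment on that line (or `D_DISCARD`, which makes it explicit) would help the next maintainer. The `tls => 0` LDAP connection is only acceptable because the host is `127.0.0.1`; a comment noting that the two settings go together would stop someone changing the hostname without revisiting it.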

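--- a/clamav/handlers/main.yml
+++ b/clamav/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart clamav
+service:
+name: clamav-daemon
+state: restarted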

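--- a/clamav/meta/main.yml
+++ b/clamav/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- { role: amavis }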

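--- a/clamav/tasks/main.yml
+++ b/clamav/tasks/main.yml
@@ -0,0 +1,111 @@
+---
+- name: install ClamAV
+apt:
+name: "{{ item }}"
+state: present
+with_items:
+- clamav-daemon
+- clamav
+- clamdscan
+- clamav-freshclam
+- arc
+- arj
+- zoo
+- pax
+- bzip2
+- cabextract
+- rpm
+- lzop
+- razor
+tags:
+- clamav
+
+- name: add clamav user to amavis group
+user:
+name: clamav
+groups: amavis
+append: True
+tags:
+- clamav
+
+- name: allow supplementary groups
+replace:
+dest: /etc/clamav/clamd.conf
+regexp: 'AllowSupplementaryGroups false'
+replace: 'AllowSupplementaryGroups true'
+notify: restart clamav
+tags:
+- clamav
+
+- name: configure clamav-daemon
+debconf:
+name: clamav-daemon
+question: "{{ item.key }}"
+value: "{{ item.value }}"
+vtype: "{{ item.type }}"
+with_items:
+- { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
+- { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
+- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
+- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
+- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
+- { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
+- { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
+- { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
+- { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
+- { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
+- { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
+- { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
+- { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
+- { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
+- { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
+- { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
+- { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
+- { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
+- { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
+- { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
+- { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
+- { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
+- { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
+- { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
+- { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
+- { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
+tags:
+- clamav
+
+- name: configure clamav-freshclam
+debconf:
+name: clamav-freshclam
+question: "{{ item.key }}"
+value: "{{ item.value }}"
+vtype: "{{ item.type }}"
+with_items:
+- { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
+- { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
+- { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
+- { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
+- { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
+- { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
+- { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
+- { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
+- { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
+- { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
+- { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
+tags:
+- clamav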
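Review bot: The `configure clamav-daemon` and `configure clamav-freshclam` tasks write their answers into the debconf database only after the packages are already installed by `install ClamAV`, and the debconf module does not reconfigure a package, so /etc/clamav/clamd.conf and freshclam.conf keep their install-time values until `dpkg-reconfigure -f noninteractive clamav-daemon` (and the freshclam equivalent) is run — a handler doing that, notified by both tasks, would close the gap. Two of the answers deserve a second look: `LocalSocketMode: '666'` makes the clamd control socket world-writable, where `'660'` plus membership of the connecting user in the `clamav` group would grant the same access (the `add clamav user to amavis group` task goes in the other direction, so worth checking which side actually needs which), and `TCPAddr: 'any'` alongside `TCPSocket: '3310'` would expose clamd on every interface should `TcpOrLocal` ever be switched away from `UNIX`. `append: True` is more conventionally written `append: true`.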

+ 3
- 0
packmail/meta/main.yml View File

@@ -2,6 +2,9 @@
dependencies:
- { role: ldap, ldap_schema: 'cn4evolix.ldif' }
- { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True }
- { role: amavis }
- { role: spamassasin }
- { role: clamav }
- { role: dovecot }
- { role: apache }
- { role: php, php_apache_enable: True }
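Review bot: The dependency is spelled `spamassasin` here, matching the new `spamassasin/` role directory, but both misspell SpamAssassin (the package name used in spam.sh is `spamassassin`); since a dependency entry must match the directory name, renaming later touches every reference across the commit, so it is cheapest to fix before it spreads. The ordering — amavis before spamassasin and clamav, with clamav/meta also depending on amavis — is consistent.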

+ 2
- 2
postfix/tasks/main.yml View File