diff --git a/amavis/defaults/main.yml b/amavis/defaults/main.yml
new file mode 100644
index 00000000..5c727eff
--- /dev/null
+++ b/amavis/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+amavis_is_active: True
diff --git a/amavis/files/spam.sh b/amavis/files/spam.sh
new file mode 100644
index 00000000..10d5e62a
--- /dev/null
+++ b/amavis/files/spam.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#set -x
+
+umask 022
+
+tmp_file=$(mktemp)
+
+tmp=$(mktemp -d)
+
+if [ -f $tmp_file ] ;
+ then rm $tmp_file ;
+fi
+
+sleep $[ $RANDOM / 1024 ]
+
+# Postfix
+cd $tmp
+
+wget -q -t 3 http://antispam00.evolix.org/spam/client.access -O $tmp_file
+cp $tmp_file /etc/postfix/client.access
+rm $tmp_file
+
+wget -q -t 3 http://antispam00.evolix.org/spam/sender.access -O $tmp_file
+cp $tmp_file /etc/postfix/sender.access
+rm $tmp_file
+
+wget -q -t 3 http://antispam00.evolix.org/spam/recipient.access -O $tmp_file
+cp $tmp_file /etc/postfix/recipient.access
+rm $tmp_file
+
+wget -q -t 3 http://antispam00.evolix.org/spam/header_kill -O $tmp_file
+cp $tmp_file /etc/postfix/header_kill
+rm $tmp_file
+
+wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access -O sa-blacklist.access
+wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access.md5 -O $tmp_file
+if md5sum -c $tmp_file > /dev/null && [ -s sa-blacklist.access ] ; then
+ cp sa-blacklist.access /etc/postfix/sa-blacklist.access
+fi
+rm sa-blacklist.access
+rm $tmp_file
+
+/usr/sbin/postmap hash:/etc/postfix/client.access
+/usr/sbin/postmap hash:/etc/postfix/sender.access
+/usr/sbin/postmap hash:/etc/postfix/recipient.access
+/usr/sbin/postmap -r hash:/etc/postfix/sa-blacklist.access
+
+wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr -O spamd.cidr
+wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr.md5 -O $tmp_file
+if md5sum -c $tmp_file > /dev/null && [ -s spamd.cidr ] ; then
+ cp spamd.cidr /etc/postfix/spamd.cidr
+fi
+rm spamd.cidr
+rm $tmp_file
+
+
+# SpamAssassin
+cd $tmp
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf -O evolix_rules.cf
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf.md5 -O $tmp_file
+if md5sum -c $tmp_file > /dev/null && [ -s evolix_rules.cf ] ; then
+ dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp evolix_rules.cf /etc/spamassassin
+ dpkg -l spamassassin 2>&1 |
grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/spamassassin reload > /dev/null
+ if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
+ run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
+ fi
+fi
+
+# ClamAV
+cd $tmp
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb -O evolix.ndb
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb.md5 -O $tmp_file
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.ndb
+if md5sum -c $tmp_file > /dev/null && [ -s evolix.ndb ] ; then
+ dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.ndb /var/lib/clamav/
+fi
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb -O evolix.hsb
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb.md5 -O $tmp_file
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.hsb
+if md5sum -c $tmp_file > /dev/null && [ -s evolix.hsb ] ; then
+ dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.hsb /var/lib/clamav/
+fi
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/clamav-daemon reload-database > /dev/null
+rm $tmp_file
+
+rm -rf $tmp
diff --git a/amavis/handlers/main.yml b/amavis/handlers/main.yml
new file mode 100644
index 00000000..62049999
--- /dev/null
+++ b/amavis/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart amavis
+ service:
+ name: amavis
+ state: restarted
diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml
new file mode 100644
index 00000000..880c3a66
--- /dev/null
+++ b/amavis/tasks/main.yml
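Review bot: Every list in `spam.sh` is fetched over plain `http://` and installed as root, and the `.md5` files come from the same host over the same channel, so `md5sum -c` catches a truncated download but says nothing about who produced the content. `client.access`, `sender.access`, `recipient.access` and `header_kill` get no check at all: when `wget` fails, `-O $tmp_file` still leaves an empty file and the following `cp` overwrites the live Postfix map with it. I would fetch over HTTPS if the host serves it (or verify a detached signature against a key shipped with the role) and guard each copy the way the later blocks do, e.g. `wget -q -t 3 "$url" -O "$tmp_file" && [ -s "$tmp_file" ] && cp "$tmp_file" /etc/postfix/client.access`. Quoting `$tmp`/`$tmp_file` and using `cd "$tmp" || exit 1` would also keep the relative-path downloads and the final `rm -rf $tmp` from operating in an unexpected directory.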
@@ -0,0 +1,43 @@
+---
+- name: install Amavis
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - postgrey
+ - amavisd-new
+ tags:
+ - amavis
+
+- name: configure Amavis
+ template:
+ src: amavis.conf.j2
+ dest: /etc/amavis/conf.d/49-evolinux-defaults.conf
+ mode: "0644"
+ notify: restart amavis
+ tags:
+ - amavis
+
+- name: copy spam.sh script
+ copy:
+ src: spam.sh
+ dest: /usr/share/scripts/spam.sh
+ mode: "0700"
+ tags:
+ - amavis
+
+- name: enable spam.sh cron
+ lineinfile:
+ dest: /etc/cron.d/spam
+ line: "42 * * * * /usr/share/scripts/spam.sh"
+ create: yes
+ state: present
+ mode: "0640"
+ tags:
+ - amavis
+
+- name: update antispam list
+ command: /usr/share/scripts/spam.sh
+ changed_when: false
+ tags:
+ - amavis
diff --git a/amavis/templates/amavis.conf.j2 b/amavis/templates/amavis.conf.j2
new file mode 100644
index 00000000..cbe597a2
--- /dev/null
+++ b/amavis/templates/amavis.conf.j2
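Review bot: The line written to `/etc/cron.d/spam` has no user field, and files under `/etc/cron.d` use the system crontab format in which the sixth column is the account to run as, so cron will read `/usr/share/scripts/spam.sh` as a user name and the hourly update will not run. It should be `line: "42 * * * * root /usr/share/scripts/spam.sh"`; the `enable sa-update.sh cron` task in `spamassasin/tasks/main.yml` has the same omission. The `copy spam.sh script` task also assumes `/usr/share/scripts` already exists, which nothing in this hunk creates, so a preceding `file: state=directory` task (or a comment naming the role that provides it) would make the dependency explicit.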
@@ -0,0 +1,57 @@
+use strict;
+
+## Liste des domaines considérés comme locaux
+#@local_domains_acl = qw(.);
+@local_domains_acl = (".example.net","example.com");
+
+# On customise la ligne ajoutée dans les entêtes
+$X_HEADER_LINE = "by Amavis at $mydomain";
+
+# On precise les FROM pour etre (bugs dans certaines version d'Amavis)
+$mailfrom_notify_admin = "postmaster\@$mydomain";
+$mailfrom_notify_recip = "postmaster\@$mydomain";
+$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
+
+# Notifications de fichiers bannis / virus
+$virus_admin = "postmaster\@$mydomain";
+# Ne pas recevoir des notifications pour les mails UNCHECKED
+delete $admin_maps_by_ccat{&CC_UNCHECKED};
+
+# Que faire avec les messages détectés
+$final_virus_destiny = D_DISCARD;
+$final_banned_destiny = D_BOUNCE;
+$final_spam_destiny = D_BOUNCE;
+$final_bad_header_destiny = D_PASS;
+
+# Pour recevoir des bounces (mails originals) des fichiers bloqués / virus
+#$banned_quarantine_to = "banned\@$mydomain";
+#$virus_quarantine_to = "virus\@$mydomain";
+
+# Note tueuse
+$sa_tag2_level_deflt = 6.31;
+# Pour un comportement "normal" de SA
+$sa_tag_level_deflt = -1999;
+$sa_kill_level_deflt = 1999;
+$sa_dsn_cutoff_level = -99;
+$sa_spam_subject_tag = '[SPAM]';
+
+# log
+$log_level = 2;
+
+# En fonction besoin/ressources, on a juste le nbre de process
+$max_servers = 2;
+
+$enable_ldap = 1;
+$default_ldap = {
+ hostname => '127.0.0.1', tls => 0,
+ base => '{{ ldap_suffix }}', scope => 'sub',
+ query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
+};
+
+# Activer l'antivirus et antivirus
+@bypass_virus_checks_maps = (
+ \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+@bypass_spam_checks_maps = (
+ \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+
+1; # ensure a defined return
diff --git a/clamav/handlers/main.yml b/clamav/handlers/main.yml
new file mode 100644
index 00000000..e053f01a
--- /dev/null
+++ b/clamav/handlers/main.yml
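Review bot: `@local_domains_acl` is hard-coded to `.example.net` and `example.com` in a template that already renders `{{ ldap_suffix }}` from a variable, so every deployed host ships placeholder domains until someone edits the file by hand, and amavis will presumably treat the site's real recipients as non-local. Rendering the list from a role variable would fix that, and the comment above it could name the variable. Separately, `$final_banned_destiny = D_BOUNCE` sends a non-delivery notice to the envelope sender, which is usually forged on malicious mail; `D_DISCARD` together with the commented-out `$banned_quarantine_to` would avoid that backscatter. `$final_spam_destiny = D_BOUNCE` looks inert only because `$sa_kill_level_deflt` is 1999, which deserves a one-line comment so the kill level is not lowered later without revisiting the destiny.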
@@ -0,0 +1,5 @@
+---
+- name: restart clamav
+ service:
+ name: clamav-daemon
+ state: restarted
diff --git a/clamav/meta/main.yml b/clamav/meta/main.yml
new file mode 100644
index 00000000..510b6855
--- /dev/null
+++ b/clamav/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: amavis }
diff --git a/clamav/tasks/main.yml b/clamav/tasks/main.yml
new file mode 100644
index 00000000..c6cd16a4
--- /dev/null
+++ b/clamav/tasks/main.yml
@@ -0,0 +1,111 @@
+---
+- name: install ClamAV
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - clamav-daemon
+ - clamav
+ - clamdscan
+ - clamav-freshclam
+ - arc
+ - arj
+ - zoo
+ - pax
+ - bzip2
+ - cabextract
+ - rpm
+ - lzop
+ - razor
+ tags:
+ - clamav
+
+- name: add clamav user to amavis group
+ user:
+ name: clamav
+ groups: amavis
+ append: True
+ tags:
+ - clamav
+
+- name: allow supplementary groups
+ replace:
+ dest: /etc/clamav/clamd.conf
+ regexp: 'AllowSupplementaryGroups false'
+ replace: 'AllowSupplementaryGroups true'
+ notify: restart clamav
+ tags:
+ - clamav
+
+- name: configure clamav-daemon
+ debconf:
+ name: clamav-daemon
+ question: "{{ item.key }}"
+ value: "{{ item.value }}"
+ vtype: "{{ item.type }}"
+ with_items:
+ - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
+ - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
+ - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
+ - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
+ - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
+ - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
+ - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
+ - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
+ - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
+ - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
+ - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
+ - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
+ - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
+ - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
+ - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
+ - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
+ - { key:
'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
+ - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
+ - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
+ - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
+ - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
+ - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
+ - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
+ - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
+ - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
+ - { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
+ - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
+ - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
+ - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
+ - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
+ - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
+ - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
+ - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
+ - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
+ - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
+ - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
+ - { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
+ - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
+ - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
+ - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
+ - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
+ - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
+ tags:
+ - clamav
+
+- name: configure clamav-freshclam
+ debconf:
+ name:
clamav-freshclam + question: "{{ item.key }}" + value: "{{ item.value }}" + vtype: "{{ item.type }}" + with_items: + - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' } + - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' } + - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' } + - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' } + - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' } + - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' } + - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' } + - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' } + tags: + - clamav diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml index f9138046..9b144692 100644 --- a/packmail/meta/main.yml +++ b/packmail/meta/main.yml @@ -2,6 +2,9 @@ dependencies: - { role: ldap, ldap_schema: 'cn4evolix.ldif' } - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True } + - { role: amavis } + - { role: spamassasin } + - { role: clamav } - { role: dovecot } - { role: apache } - { role: php, php_apache_enable: True } diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 99111a23..bc4f2240 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -57,8 +57,8 @@ default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" - name: deploy packmail master.cf - copy: - src: packmail_master.cf + template: + src: packmail_master.cf.j2 dest: /etc/postfix/master.cf mode: "0644" when: postfix_packmail == True 
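Review bot: `clamav-daemon/LocalSocketMode` is set to `666`, which lets every local account talk to clamd on `/var/run/clamav/clamd.ctl`, although the only client visible in this change is amavis. The hunk already sets `LocalSocketGroup`, so a group-restricted socket is the tighter default: `value: '660'`, with amavis added to the socket's group (the `user` task above adds clamav to the amavis group, not the reverse). `clamav-daemon/TCPAddr` set to `any` is harmless while `TcpOrLocal` is `UNIX`, but it turns into a listener on all interfaces as soon as someone flips that select, so `127.0.0.1` is the safer stored answer. These debconf answers are also written after the `apt` task has installed the packages, so they presumably take effect only on a later reconfigure; a comment saying so would help.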
diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index a81a991b..86a03768 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -413,3 +413,7 @@ slow_destination_concurrency_failed_cohort_limit = 100 slow_destination_recipient_limit = 25 transport_maps = hash:$config_directory/transport {% endif %} + +{% if amavis_is_active is defined and amavis_is_active == True %} +content_filter = smtp-amavis:[127.0.0.1]:10024 +{% endif %} diff --git a/postfix/files/packmail_master.cf b/postfix/templates/packmail_master.cf.j2 similarity index 83% rename from postfix/files/packmail_master.cf rename to postfix/templates/packmail_master.cf.j2 index 2043f488..69964605 100644 --- a/postfix/files/packmail_master.cf +++ b/postfix/templates/packmail_master.cf.j2 
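Review bot: The `amavis_is_active is defined and amavis_is_active == True` test fails open: if the variable is not visible when the postfix role renders this template, or arrives as the string `"True"` (for example from `-e`), the `content_filter` line is silently left out and mail is delivered unscanned with no error. `{% if amavis_is_active | default(False) | bool %}` handles the string case; the same condition guards the amavis services added to `packmail_master.cf.j2`, and the two must always evaluate alike or Postfix will reference a transport that is not defined. Because `amavis_is_active` is declared in the amavis role's defaults while the postfix role is listed before amavis in `packmail/meta/main.yml`, it is worth confirming the value is in scope here or giving the postfix role its own default.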
@@ -130,3 +130,40 @@ localhost:10026 inet n - y - 10 smtpd -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 + +{% if amavis_is_active is defined and amavis_is_active == True %} +smtp-amavis unix - - y - 2 lmtp + -o lmtp_data_done_timeout=1200 + -o lmtp_send_xforward_command=yes + +127.0.0.1:10025 inet n - y - - smtpd + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o smtpd_restriction_classes= + -o smtpd_delay_reject=no + -o smtpd_client_restrictions=permit_mynetworks,reject + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_data_restrictions=reject_unauth_pipelining + -o smtpd_end_of_data_restrictions= + -o mynetworks=127.0.0.0/8 + -o strict_rfc821_envelopes=yes + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o smtpd_client_connection_count_limit=0 + -o smtpd_client_connection_rate_limit=0 + -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks + +pre-cleanup unix n - n - 0 cleanup + -o virtual_alias_maps= + -o canonical_maps= + -o sender_canonical_maps= + -o recipient_canonical_maps= + -o masquerade_domains= + -o always_bcc= + -o sender_bcc_maps= + -o recipient_bcc_maps= +{% endif %} diff --git a/spamassasin/files/sa-update.sh b/spamassasin/files/sa-update.sh new file mode 100644 index 00000000..b138c285 --- /dev/null +++ b/spamassasin/files/sa-update.sh 
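Review bot: The `pre-cleanup` service is declared but nothing in this hunk routes mail through it; it normally needs `-o cleanup_service_name=pre-cleanup` on the inbound `smtpd`/`pickup` entries, which lie outside the hunk. If neither that override nor a `no_address_mappings` setting in `main.cf` is present, alias expansion and `always_bcc` would run both before filtering and again after reinjection on `127.0.0.1:10025`, because that listener's `receive_override_options` lists only `no_header_body_checks,no_unknown_recipient_checks`. I would either wire `pre-cleanup` in or drop it, and add a comment above the block saying which of the two schemes is intended. The reinjection listener itself is confined as expected by `mynetworks=127.0.0.0/8` and `permit_mynetworks,reject`.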
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# Evolix sa-update, based on:
+# Duncan Findlay
+# duncf@debian.org
+
+mail=$(grep EVOMAINTMAIL /etc/evomaintenance.cf | cut -d'=' -f2)
+test -x /usr/bin/sa-update || exit 0
+test -x /etc/init.d/spamassassin || exit 0
+
+# If there's a problem with the ruleset or configs, print the output
+# of spamassassin --lint (which will typically get emailed to root)
+# and abort.
+die_with_lint() {
+ su debian-spamd -c "spamassassin --lint -D 2>&1"
+ exit 1
+}
+
+do_compile() {
+# Compile, if rules have previously been compiled, and it's possible
+ if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \
+ -a -d /var/lib/spamassassin/compiled ]; then
+ su debian-spamd -c "sa-compile --quiet"
+ # Fixup perms -- group and other should be able to
+ # read and execute, but never write. Works around
+ # sa-compile's failure to obey umask.
+ chmod -R go-w,go+rX /var/lib/spamassassin/compiled
+ fi
+}
+
+# Tell a running spamd to reload its configs and rules.
+reload() {
+ # Reload
+ if which invoke-rc.d >/dev/null 2>&1; then
+ invoke-rc.d spamassassin reload > /dev/null
+ else
+ /etc/init.d/spamassassin reload > /dev/null
+ fi
+ if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
+ run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
+ fi
+}
+
+# Update
+umask 022
+su debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"
+
+case $? in
+ 0)
+ # got updates!
+ su debian-spamd -c "spamassassin --lint" || die_with_lint
+ do_compile
+ reload
+ echo -e "Les règles SpamAsassin ont été mises à jour. Merci de reporter toute anomalie." | \
+ mail -s "SpamAsassin's rules updated." $mail
+ ;;
+ 1)
+ # no updates
+ exit 0
+ ;;
+ 2)
+ # lint failed!
+ die_with_lint
+ ;;
+ *)
+ echo "sa-update failed for unknown reasons" 1>&2
+ ;;
+esac
diff --git a/spamassasin/files/spamassassin.cf b/spamassasin/files/spamassassin.cf
new file mode 100644
index 00000000..821f51d4
--- /dev/null
+++ b/spamassasin/files/spamassassin.cf
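Review bot: The script runs under `#!/bin/sh` but the notification uses `echo -e`, which is not POSIX; under Debian's default `dash` the mail body will begin with a literal `-e`. The message contains no escapes, so a plain `echo "..."` or `printf '%s\n' "..."` is enough. `$mail` is also used unquoted and unchecked: if `/etc/evomaintenance.cf` is missing or has no `EVOMAINTMAIL` line, `mail -s` is called without a recipient, so `mail -s "SpamAsassin's rules updated." "${mail:-root}"` is safer. Finally, the `*)` branch prints an error but leaves the exit status at 0, so neither cron nor the Ansible `command` task can tell an sa-update failure from success; add `exit 1` after the `echo`.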
@@ -0,0 +1,117 @@
+#required_score 5 -> assure par Amavis
+report_safe 0
+#rewrite_header Subject [SPAM] -> assure par Amavis
+add_header all Report _REPORT_
+
+# filtre bayesien
+# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/
+use_bayes 1
+bayes_auto_learn 1
+bayes_path /var/spool/spam/bayes
+bayes_file_mode 0777
+
+# AWL : AutoWhitelist
+# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/
+loadplugin Mail::SpamAssassin::Plugin::AWL
+use_auto_whitelist 1
+auto_whitelist_path /var/spool/spam/auto_whitelist
+auto_whitelist_file_mode 0666
+
+# LANG TESTS
+loadplugin Mail::SpamAssassin::Plugin::TextCat
+ok_languages en fr es it
+ok_locales en fr es it
+
+score BODY_8BITS 1.500
+score CHARSET_FARAWAY 3.200
+score CHARSET_FARAWAY_HEADER 3.200
+score HTML_CHARSET_FARAWAY 0.500
+score MIME_CHARSET_FARAWAY 2.450
+score UNWANTED_LANGUAGE_BODY 2.800
+
+# DCC
+# use_dcc 1 => un plugin maintenant...
+score DCC_CHECK 2.9
+
+# RAZOR : http://razor.sourceforge.net
+use_razor2 1
+score RAZOR2_CHECK 2.9
+score RAZOR2_CF_RANGE_51_100 1.3
+
+# pyzor : http://pyzor.sourceforge.net/
+use_pyzor 0
+
+# RBL (Realtime Blackhole List)
+skip_rbl_checks 0
+score RCVD_IN_BL_SPAMCOP_NET 3
+
+# misc
+score HELO_DYNAMIC_IPADDR 0.3
+score BIZ_TLD 0.1
+score PRIORITY_NO_NAME 0.2
+
+# disable HTML tests
+
+score HTML_MESSAGE 0
+score HTML_00_10 0
+score HTML_10_20 0
+score HTML_20_30 0
+score HTML_30_40 0
+score HTML_40_50 0
+score HTML_50_60 0
+score HTML_60_70 0
+score HTML_70_80 0
+score HTML_80_90 0
+score HTML_90_100 0
+#score HTML_COMMENT_8BITS 0
+score UPPERCASE_25_50 0
+score UPPERCASE_50_75 0
+score UPPERCASE_75_100 0
+score MIME_HTML_ONLY 0.1
+# From http://maxime.ritter.eu.org/Spam/user_prefs
+# Trop de faux negatifs avec BAYES_(0|1|2|3|4)*
+score BAYES_00 0 0 -0.01 -0.01
+score BAYES_01 0 0 -0.01 -0.01
+score BAYES_10 0 0 -0.01 -0.01
+score BAYES_20 0 0 -0.01 -0.01
+score BAYES_30 0 0 -0.01 -0.01
+score BAYES_40 0 0 -0.01 -0.01
+score BAYES_44 0 0 -0.01 -0.01
+score BAYES_50 0 0 0.1 0.1
+score BAYES_56 0 0 0.5 0.5
+score BAYES_60 0 0 1.0 1.0
+score BAYES_70 0 0 2.5 2.5
+score BAYES_80 0 0 3.5 3.5
+score BAYES_90 0 0 4.5 4.5
+score BAYES_99 0 0 8.0 8.0
+
+score RCVD_IN_SORBS_DUL 0.3
+score SUBJ_ILLEGAL_CHARS 0
+score RCVD_IN_NJABL_DUL 0.3
+
+score ADDRESS_IN_SUBJECT 0.1
+
+score HELO_LH_HOME 1.0
+
+#internal_networks 192.168.XXX/24
+trusted_networks 62.212.111.216 88.179.18.233 85.118.59.50 31.170.8.0/21
+#score ALL_TRUSTED 0.3
+score HELO_DYNAMIC_IPADDR 0.3
+
+score FORGED_MUA_OUTLOOK 0.5
+
+# Eudora sucks
+score EXTRA_MPART_TYPE 0.1
+score MIME_BOUND_EQ_REL 0.1
+score MIME_QP_LONG_LINE 0.1
+
+# SMTP senders *have* dynamic IP addresses
+# A.B.C.D.dnsbl.sorbs.net -> 127.0.0.10
+score RCVD_IN_DYNABLOCK 0
+score HELO_DYNAMIC_IPADDR 0.3
+score RCVD_IN_SORBS 0.1
+score RCVD_IN_PBL 0.1
+score RCVD_IN_SORBS_DUL 0
+
+# old bug...
+score FH_DATE_PAST_20XX 0.0
diff --git a/spamassasin/handlers/main.yml b/spamassasin/handlers/main.yml
new file mode 100644
index 00000000..7479d736
--- /dev/null
+++ b/spamassasin/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart spamassassin
+ service:
+ name: spamassassin
+ state: restarted
diff --git a/spamassasin/meta/main.yml b/spamassasin/meta/main.yml
new file mode 100644
index 00000000..510b6855
--- /dev/null
+++ b/spamassasin/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: amavis }
diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml
new file mode 100644
index 00000000..ba6d7c3c
--- /dev/null
+++ b/spamassasin/tasks/main.yml
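Review bot: `bayes_file_mode 0777` and `auto_whitelist_file_mode 0666` make the Bayes and auto-whitelist databases under `/var/spool/spam/` writable by every local account, so any user on the host can skew scoring. The comments in this file say the directory is owned by amavis, so owner-only modes such as `bayes_file_mode 0700` and `auto_whitelist_file_mode 0600` should be enough, or `0770`/`0660` with a dedicated group if a second daemon account also writes there. `trusted_networks` also hard-codes four public addresses in a file that the role copies unchanged to every host; relays in that list are treated as trusted, so it belongs in a per-site variable with the file deployed through `template` instead of `copy`.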
@@ -0,0 +1,51 @@
+---
+- name: install SpamAssasin
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - spamassassin
+ tags:
+ - spamassassin
+
+- name: configure SpamAssasin
+ copy:
+ src: spamassassin.cf
+ dest: /etc/spamassassin/local_evolix.cf
+ mode: "0644"
+ notify: restart spamassassin
+ tags:
+ - spamassassin
+
+- name: enable SpamAssasin
+ replace:
+ dest: /etc/default/spamassassin
+ regexp: 'ENABLED=0'
+ replace: 'ENABLED=1'
+ notify: restart spamassassin
+ tags:
+ - spamassassin
+
+- name: copy sa-update.sh script
+ copy:
+ src: sa-update.sh
+ dest: /usr/share/scripts/sa-update.sh
+ mode: "0750"
+ tags:
+ - spamassassin
+
+- name: enable sa-update.sh cron
+ lineinfile:
+ dest: /etc/cron.d/sa-update
+ line: "42 6 5 1,4,7,10 * /usr/share/scripts/sa-update.sh"
+ create: yes
+ state: present
+ mode: "0640"
+ tags:
+ - spamassassin
+
+- name: update SpamAssasin's rules
+ command: /usr/share/scripts/sa-update.sh
+ changed_when: false
+ tags:
+ - spamassassin