Add amavis, clamav and spamassasin roles

This commit is contained in:
Victor LABORIE 2017-10-24 15:09:14 +02:00
parent dee2e2296c
commit 10ff2747e2
17 changed files with 603 additions and 2 deletions

2
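--- a/amavis/defaults/main.yml
+++ b/amavis/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+amavis_is_active: True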
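Review bot: `amavis_is_active: True` is the Python spelling of a boolean; the canonical YAML form is `amavis_is_active: true`. The two Postfix templates that consume this variable compare it with `== True`, which only matches a real boolean and not a string supplied from the command line or a quoted inventory value, so keeping the default lowercase and filtering with `| bool` on the consuming side keeps the two in step.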

87
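--- a/amavis/files/spam.sh
+++ b/amavis/files/spam.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+#set -x
+umask 022
+tmp_file=$(mktemp)
+tmp=$(mktemp -d)
+if [ -f $tmp_file ] ;
+then rm $tmp_file ;
+fi
+sleep $[ $RANDOM / 1024 ]
+# Postfix
+cd $tmp
+wget -q -t 3 http://antispam00.evolix.org/spam/client.access -O $tmp_file
+cp $tmp_file /etc/postfix/client.access
+rm $tmp_file
+wget -q -t 3 http://antispam00.evolix.org/spam/sender.access -O $tmp_file
+cp $tmp_file /etc/postfix/sender.access
+rm $tmp_file
+wget -q -t 3 http://antispam00.evolix.org/spam/recipient.access -O $tmp_file
+cp $tmp_file /etc/postfix/recipient.access
+rm $tmp_file
+wget -q -t 3 http://antispam00.evolix.org/spam/header_kill -O $tmp_file
+cp $tmp_file /etc/postfix/header_kill
+rm $tmp_file
+wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access -O sa-blacklist.access
+wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access.md5 -O $tmp_file
+if md5sum -c $tmp_file > /dev/null && [ -s sa-blacklist.access ] ; then
+cp sa-blacklist.access /etc/postfix/sa-blacklist.access
+fi
+rm sa-blacklist.access
+rm $tmp_file
+/usr/sbin/postmap hash:/etc/postfix/client.access
+/usr/sbin/postmap hash:/etc/postfix/sender.access
+/usr/sbin/postmap hash:/etc/postfix/recipient.access
+/usr/sbin/postmap -r hash:/etc/postfix/sa-blacklist.access
+wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr -O spamd.cidr
+wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr.md5 -O $tmp_file
+if md5sum -c $tmp_file > /dev/null && [ -s spamd.cidr ] ; then
+cp spamd.cidr /etc/postfix/spamd.cidr
+fi
+rm spamd.cidr
+rm $tmp_file
+# SpamAssassin
+cd $tmp
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf -O evolix_rules.cf
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf.md5 -O $tmp_file
+if md5sum -c $tmp_file > /dev/null && [ -s evolix_rules.cf ] ; then
+dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp evolix_rules.cf /etc/spamassassin
+dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/spamassassin reload > /dev/null
+if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
+run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
+fi
+fi
+# ClamAV
+cd $tmp
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb -O evolix.ndb
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb.md5 -O $tmp_file
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.ndb
+if md5sum -c $tmp_file > /dev/null && [ -s evolix.ndb ] ; then
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.ndb /var/lib/clamav/
+fi
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb -O evolix.hsb
+wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb.md5 -O $tmp_file
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.hsb
+if md5sum -c $tmp_file > /dev/null && [ -s evolix.hsb ] ; then
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.hsb /var/lib/clamav/
+fi
+dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/clamav-daemon reload-database > /dev/null
+rm $tmp_file
+rm -rf $tmp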
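Review bot: A failed download silently blanks the live Postfix maps: for client.access, sender.access, recipient.access and header_kill the script copies `$tmp_file` into /etc/postfix and then runs postmap without checking wget's exit status or that the file is non-empty, and `wget -O` leaves an empty file behind when the fetch fails, so one outage of antispam00.evolix.org empties the access maps on every client at the next cron run. Only the later lists get the `md5sum -c … && [ -s … ]` guard, and that MD5 travels over the same plain-HTTP channel as the payload, so it detects truncation but not tampering; if the server offers HTTPS, switching the URLs (or adding a signature check) is what gives authenticity, which matters most for evolix.ndb and evolix.hsb since they are dropped straight into ClamAV's database directory. Variables are unquoted throughout (`$tmp_file`, `$tmp`), and a failed `mktemp` is not checked before the temp paths are used. A small helper that only replaces a map when the fetch succeeded and the result is non-empty fixes the first point for all four files:

```shell
tmp_file=$(mktemp) || exit 1
tmp=$(mktemp -d) || exit 1

# Replace the live map $2 with $1 only when wget succeeded and the result is
# non-empty, so a failed download never overwrites a working map with an empty one.
fetch_map() {
    if wget -q -t 3 "$1" -O "$tmp_file" && [ -s "$tmp_file" ]; then
        cp "$tmp_file" "$2"
    fi
    rm -f "$tmp_file"
}

fetch_map http://antispam00.evolix.org/spam/client.access /etc/postfix/client.access
fetch_map http://antispam00.evolix.org/spam/sender.access /etc/postfix/sender.access
fetch_map http://antispam00.evolix.org/spam/recipient.access /etc/postfix/recipient.access
fetch_map http://antispam00.evolix.org/spam/header_kill /etc/postfix/header_kill
# … unchanged: md5-checked lists, postmap calls, SpamAssassin and ClamAV sections …
```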

5
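--- a/amavis/handlers/main.yml
+++ b/amavis/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart amavis
+service:
+name: amavis
+state: restarted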

43
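--- a/amavis/tasks/main.yml
+++ b/amavis/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+- name: install Amavis
+apt:
+name: "{{ item }}"
+state: present
+with_items:
+- postgrey
+- amavisd-new
+tags:
+- amavis
+- name: configure Amavis
+template:
+src: amavis.conf.j2
+dest: /etc/amavis/conf.d/49-evolinux-defaults.conf
+mode: "0644"
+notify: restart amavis
+tags:
+- amavis
+- name: copy spam.sh script
+copy:
+src: spam.sh
+dest: /usr/share/scripts/spam.sh
+mode: "0700"
+tags:
+- amavis
+- name: enable spam.sh cron
+lineinfile:
+dest: /etc/cron.d/spam
+line: "42 * * * * /usr/share/scripts/spam.sh"
+create: yes
+state: present
+mode: "0640"
+tags:
+- amavis
+- name: update antispam list
+command: /usr/share/scripts/spam.sh
+changed_when: false
+tags:
+- amavis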
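Review bot: The cron line `42 * * * * /usr/share/scripts/spam.sh` written to /etc/cron.d/spam is missing the user field that /etc/cron.d entries require (minute hour dom month dow user command), so cron reads the script path as the user name and the job never runs; it should be `line: "42 * * * * root /usr/share/scripts/spam.sh"`. The sa-update cron entry in the SpamAssassin role's tasks file has the same gap. `create: yes` is a YAML 1.1 truthy; `create: true` is the canonical form. Since the `update antispam list` task rewrites files under /etc/postfix and /var/lib/clamav on every run, a short comment such as `# runs spam.sh once now; the cron entry above keeps the lists current afterwards` would explain why `changed_when: false` is deliberate.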


@ -0,0 +1,57 @@
use strict;
## Liste des domaines considérés comme locaux
#@local_domains_acl = qw(.);
@local_domains_acl = (".example.net","example.com");
# On customise la ligne ajoutée dans les entêtes
$X_HEADER_LINE = "by Amavis at $mydomain";
# On precise les FROM pour etre (bugs dans certaines version d'Amavis)
$mailfrom_notify_admin = "postmaster\@$mydomain";
$mailfrom_notify_recip = "postmaster\@$mydomain";
$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
# Notifications de fichiers bannis / virus
$virus_admin = "postmaster\@$mydomain";
# Ne pas recevoir des notifications pour les mails UNCHECKED
delete $admin_maps_by_ccat{&CC_UNCHECKED};
# Que faire avec les messages détectés
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_BOUNCE;
$final_bad_header_destiny = D_PASS;
# Pour recevoir des bounces (mails originals) des fichiers bloqués / virus
#$banned_quarantine_to = "banned\@$mydomain";
#$virus_quarantine_to = "virus\@$mydomain";
# Note tueuse
$sa_tag2_level_deflt = 6.31;
# Pour un comportement "normal" de SA
$sa_tag_level_deflt = -1999;
$sa_kill_level_deflt = 1999;
$sa_dsn_cutoff_level = -99;
$sa_spam_subject_tag = '[SPAM]';
# log
$log_level = 2;
# En fonction besoin/ressources, on a juste le nbre de process
$max_servers = 2;
$enable_ldap = 1;
$default_ldap = {
hostname => '127.0.0.1', tls => 0,
base => '{{ ldap_suffix }}', scope => 'sub',
query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
};
# Activer l'antivirus et antivirus
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1; # ensure a defined return
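Review bot: `$final_spam_destiny = D_BOUNCE;` makes Amavis bounce detected spam to the envelope sender, which for spam is almost always forged, so this host becomes a backscatter source and is likely to end up on blocklists for it; `D_DISCARD` for spam (and usually for banned files as well) is the conventional choice, with D_BOUNCE reserved for senders that are local or authenticated. `@local_domains_acl = (".example.net","example.com");` ships placeholder domains in a template that is otherwise parameterised (`{{ ldap_suffix }}`); presumably this is meant to come from a variable, since with the placeholder values mail for the real domains is treated as non-local. The comments are in French; an English header such as `# Evolinux Amavis defaults: local domains, notification addresses, per-category actions, SA thresholds, LDAP lookup` would help other maintainers find their way in this file.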

5
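--- a/clamav/handlers/main.yml
+++ b/clamav/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart clamav
+service:
+name: clamav-daemon
+state: restarted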

3
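--- a/clamav/meta/main.yml
+++ b/clamav/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- { role: amavis }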

111
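--- a/clamav/tasks/main.yml
+++ b/clamav/tasks/main.yml
@@ -0,0 +1,111 @@
+---
+- name: install ClamAV
+apt:
+name: "{{ item }}"
+state: present
+with_items:
+- clamav-daemon
+- clamav
+- clamdscan
+- clamav-freshclam
+- arc
+- arj
+- zoo
+- pax
+- bzip2
+- cabextract
+- rpm
+- lzop
+- razor
+tags:
+- clamav
+- name: add clamav user to amavis group
+user:
+name: clamav
+groups: amavis
+append: True
+tags:
+- clamav
+- name: allow supplementary groups
+replace:
+dest: /etc/clamav/clamd.conf
+regexp: 'AllowSupplementaryGroups false'
+replace: 'AllowSupplementaryGroups true'
+notify: restart clamav
+tags:
+- clamav
+- name: configure clamav-daemon
+debconf:
+name: clamav-daemon
+question: "{{ item.key }}"
+value: "{{ item.value }}"
+vtype: "{{ item.type }}"
+with_items:
+- { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
+- { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
+- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
+- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
+- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
+- { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
+- { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
+- { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
+- { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
+- { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
+- { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
+- { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
+- { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
+- { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
+- { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
+- { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
+- { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
+- { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
+- { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
+- { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
+- { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
+- { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
+- { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
+- { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
+- { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
+- { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
+- { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
+- { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
+tags:
+- clamav
+- name: configure clamav-freshclam
+debconf:
+name: clamav-freshclam
+question: "{{ item.key }}"
+value: "{{ item.value }}"
+vtype: "{{ item.type }}"
+with_items:
+- { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
+- { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
+- { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
+- { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
+- { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
+- { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
+- { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
+- { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
+- { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
+- { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
+- { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
+tags:
+- clamav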
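Review bot: `clamav-daemon/LocalSocketMode` set to `'666'` makes /var/run/clamav/clamd.ctl writable by every local account, so any user on the box can drive clamd's control commands, not just submit scans. Since the clamav user is added to the amavis group a few tasks earlier, `LocalSocketGroup` `amavis` with mode `'660'` would let Amavis reach the socket while keeping other users out; confirm no other local client (e.g. clamdscan run by people) depends on the open mode. `TCPAddr` `any` alongside `TCPSocket` `3310` is inert while `TcpOrLocal` is `UNIX`, but it means a later flip of that selector exposes clamd on every interface, so `127.0.0.1` is the safer stored value. The `debconf` module only seeds the debconf database; as both tasks run after `install ClamAV`, the values presumably do not reach clamd.conf/freshclam.conf until the package is reconfigured, and neither task notifies `restart clamav` — worth confirming on a fresh host. `append: True` is the Python spelling; `append: true` is canonical YAML.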


@ -2,6 +2,9 @@
dependencies:
- { role: ldap, ldap_schema: 'cn4evolix.ldif' }
- { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True }
- { role: amavis }
- { role: spamassasin }
- { role: clamav }
- { role: dovecot }
- { role: apache }
- { role: php, php_apache_enable: True }
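Review bot: The new dependency is spelled `spamassasin` while the tags, the apt package and the handler in the SpamAssassin role all use `spamassassin`; Ansible resolves `role:` against the role directory name, so if that directory is `spamassassin` this entry fails to resolve. The directory name is not visible in this diff, so please check it and align the spelling one way or the other. Ordering amavis before the two scanner roles here matches both new meta/main.yml files, which declare amavis as their own dependency, so the three entries could be reduced to `clamav` and the SpamAssassin role if that transitive pull-in is intended.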


@ -57,8 +57,8 @@
default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -"
- name: deploy packmail master.cf
copy:
src: packmail_master.cf
template:
src: packmail_master.cf.j2
dest: /etc/postfix/master.cf
mode: "0644"
when: postfix_packmail == True


@ -413,3 +413,7 @@ slow_destination_concurrency_failed_cohort_limit = 100
slow_destination_recipient_limit = 25
transport_maps = hash:$config_directory/transport
{% endif %}
{% if amavis_is_active is defined and amavis_is_active == True %}
content_filter = smtp-amavis:[127.0.0.1]:10024
{% endif %}
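Review bot: `amavis_is_active == True` is a strict comparison against the Python boolean, so a value supplied as a string (`-e amavis_is_active=true`, or a quoted inventory value) evaluates false and the `content_filter` line is silently left out while Amavis is installed and listening on 10024 — mail then bypasses the scanner with no error anywhere. `{% if amavis_is_active | default(false) | bool %}` covers both the undefined and the string cases in one expression; the same condition guards the Amavis block in master.cf.j2 and should change together with this one.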


@ -130,3 +130,40 @@ localhost:10026 inet n - y - 10 smtpd
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
{% if amavis_is_active is defined and amavis_is_active == True %}
smtp-amavis unix - - y - 2 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
127.0.0.1:10025 inet n - y - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
pre-cleanup unix n - n - 0 cleanup
-o virtual_alias_maps=
-o canonical_maps=
-o sender_canonical_maps=
-o recipient_canonical_maps=
-o masquerade_domains=
-o always_bcc=
-o sender_bcc_maps=
-o recipient_bcc_maps=
{% endif %}
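Review bot: The 127.0.0.1:10025 re-injection listener does not set `-o smtpd_authorized_xforward_hosts=127.0.0.0/8`, although the smtp-amavis transport is told to send XFORWARD (`lmtp_send_xforward_command=yes`); without it Postfix ignores the forwarded client attributes, so logs and any checks that run after re-injection see 127.0.0.1 rather than the original client. `pre-cleanup` is defined but nothing in this hunk references it via `-o cleanup_service_name=pre-cleanup`; the inbound smtpd entries are outside the hunk, so confirm one of them does, otherwise the service is dead configuration. A comment above the block such as `# Amavis content filter: hand-off through smtp-amavis, re-injection on 127.0.0.1:10025` would make the pair easier to locate in an already long master.cf.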


@ -0,0 +1,68 @@
#!/bin/sh
# Evolix sa-update, based on:
# Duncan Findlay
# duncf@debian.org
mail=$(grep EVOMAINTMAIL /etc/evomaintenance.cf | cut -d'=' -f2)
test -x /usr/bin/sa-update || exit 0
test -x /etc/init.d/spamassassin || exit 0
# If there's a problem with the ruleset or configs, print the output
# of spamassassin --lint (which will typically get emailed to root)
# and abort.
die_with_lint() {
su debian-spamd -c "spamassassin --lint -D 2>&1"
exit 1
}
do_compile() {
# Compile, if rules have previously been compiled, and it's possible
if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \
-a -d /var/lib/spamassassin/compiled ]; then
su debian-spamd -c "sa-compile --quiet"
# Fixup perms -- group and other should be able to
# read and execute, but never write. Works around
# sa-compile's failure to obey umask.
chmod -R go-w,go+rX /var/lib/spamassassin/compiled
fi
}
# Tell a running spamd to reload its configs and rules.
reload() {
# Reload
if which invoke-rc.d >/dev/null 2>&1; then
invoke-rc.d spamassassin reload > /dev/null
else
/etc/init.d/spamassassin reload > /dev/null
fi
if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
fi
}
# Update
umask 022
su debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"
case $? in
0)
# got updates!
su debian-spamd -c "spamassassin --lint" || die_with_lint
do_compile
reload
echo -e "Les règles SpamAsassin ont été mises à jour. Merci de reporter toute anomalie." | \
mail -s "SpamAsassin's rules updated." $mail
;;
1)
# no updates
exit 0
;;
2)
# lint failed!
die_with_lint
;;
*)
echo "sa-update failed for unknown reasons" 1>&2
;;
esac
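Review bot: `echo -e` under `#!/bin/sh` is not portable: on Debian /bin/sh is dash, whose builtin echo treats `-e` as ordinary text, so the notification mail body starts with a literal `-e `; `printf '%s\n' "Les règles SpamAsassin ont été mises à jour. Merci de reporter toute anomalie." | mail -s "SpamAsassin's rules updated." "$mail"` avoids that and also quotes `$mail`, which is empty when /etc/evomaintenance.cf has no EVOMAINTMAIL line and would then leave `mail` without a recipient. The `*)` branch prints an error but falls through to exit status 0, so cron (and the Ansible task that invokes the script) report success on an unknown sa-update failure; add `exit 1` after the echo. A short header comment stating that the script runs as root from cron and drops to debian-spamd for sa-update, lint and sa-compile would help the next reader.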


@ -0,0 +1,117 @@
#required_score 5 -> assure par Amavis
report_safe 0
#rewrite_header Subject [SPAM] -> assure par Amavis
add_header all Report _REPORT_
# filtre bayesien
# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/
use_bayes 1
bayes_auto_learn 1
bayes_path /var/spool/spam/bayes
bayes_file_mode 0777
# AWL : AutoWhitelist
# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/
loadplugin Mail::SpamAssassin::Plugin::AWL
use_auto_whitelist 1
auto_whitelist_path /var/spool/spam/auto_whitelist
auto_whitelist_file_mode 0666
# LANG TESTS
loadplugin Mail::SpamAssassin::Plugin::TextCat
ok_languages en fr es it
ok_locales en fr es it
score BODY_8BITS 1.500
score CHARSET_FARAWAY 3.200
score CHARSET_FARAWAY_HEADER 3.200
score HTML_CHARSET_FARAWAY 0.500
score MIME_CHARSET_FARAWAY 2.450
score UNWANTED_LANGUAGE_BODY 2.800
# DCC
# use_dcc 1 => un plugin maintenant...
score DCC_CHECK 2.9
# RAZOR : http://razor.sourceforge.net
use_razor2 1
score RAZOR2_CHECK 2.9
score RAZOR2_CF_RANGE_51_100 1.3
# pyzor : http://pyzor.sourceforge.net/
use_pyzor 0
# RBL (Realtime Blackhole List)
skip_rbl_checks 0
score RCVD_IN_BL_SPAMCOP_NET 3
# misc
score HELO_DYNAMIC_IPADDR 0.3
score BIZ_TLD 0.1
score PRIORITY_NO_NAME 0.2
# disable HTML tests
score HTML_MESSAGE 0
score HTML_00_10 0
score HTML_10_20 0
score HTML_20_30 0
score HTML_30_40 0
score HTML_40_50 0
score HTML_50_60 0
score HTML_60_70 0
score HTML_70_80 0
score HTML_80_90 0
score HTML_90_100 0
#score HTML_COMMENT_8BITS 0
score UPPERCASE_25_50 0
score UPPERCASE_50_75 0
score UPPERCASE_75_100 0
score MIME_HTML_ONLY 0.1
# From http://maxime.ritter.eu.org/Spam/user_prefs
# Trop de faux negatifs avec BAYES_(0|1|2|3|4)*
score BAYES_00 0 0 -0.01 -0.01
score BAYES_01 0 0 -0.01 -0.01
score BAYES_10 0 0 -0.01 -0.01
score BAYES_20 0 0 -0.01 -0.01
score BAYES_30 0 0 -0.01 -0.01
score BAYES_40 0 0 -0.01 -0.01
score BAYES_44 0 0 -0.01 -0.01
score BAYES_50 0 0 0.1 0.1
score BAYES_56 0 0 0.5 0.5
score BAYES_60 0 0 1.0 1.0
score BAYES_70 0 0 2.5 2.5
score BAYES_80 0 0 3.5 3.5
score BAYES_90 0 0 4.5 4.5
score BAYES_99 0 0 8.0 8.0
score RCVD_IN_SORBS_DUL 0.3
score SUBJ_ILLEGAL_CHARS 0
score RCVD_IN_NJABL_DUL 0.3
score ADDRESS_IN_SUBJECT 0.1
score HELO_LH_HOME 1.0
#internal_networks 192.168.XXX/24
trusted_networks 62.212.111.216 88.179.18.233 85.118.59.50 31.170.8.0/21
#score ALL_TRUSTED 0.3
score HELO_DYNAMIC_IPADDR 0.3
score FORGED_MUA_OUTLOOK 0.5
# Eudora sucks
score EXTRA_MPART_TYPE 0.1
score MIME_BOUND_EQ_REL 0.1
score MIME_QP_LONG_LINE 0.1
# SMTP senders *have* dynamic IP addresses
# A.B.C.D.dnsbl.sorbs.net -> 127.0.0.10
score RCVD_IN_DYNABLOCK 0
score HELO_DYNAMIC_IPADDR 0.3
score RCVD_IN_SORBS 0.1
score RCVD_IN_PBL 0.1
score RCVD_IN_SORBS_DUL 0
# old bug...
score FH_DATE_PAST_20XX 0.0
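Review bot: Several scores are set more than once and only the last definition takes effect: `RCVD_IN_SORBS_DUL` is given 0.3 and later 0, and `score HELO_DYNAMIC_IPADDR 0.3` appears three times, so the earlier lines are dead and the intended SORBS_DUL weight is ambiguous — keep one line per rule. `bayes_file_mode 0777` and `auto_whitelist_file_mode 0666` make the Bayes database and the auto-whitelist world-writable, so any local account can poison the classifier or whitelist arbitrary senders; if the amavis user (which the comments say owns /var/spool/spam) is the only process touching them, `0700` and `0600` suffice — confirm whether spamd running as debian-spamd also needs access before tightening. `trusted_networks` hard-codes four public addresses into a role-wide file; presumably these are site-specific and belong in a variable, but that is outside what this diff shows.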


@ -0,0 +1,5 @@
---
- name: restart spamassassin
service:
name: spamassassin
state: restarted


@ -0,0 +1,3 @@
---
dependencies:
- { role: amavis }


@ -0,0 +1,51 @@
---
- name: install SpamAssasin
apt:
name: "{{ item }}"
state: present
with_items:
- spamassassin
tags:
- spamassassin
- name: configure SpamAssasin
copy:
src: spamassassin.cf
dest: /etc/spamassassin/local_evolix.cf
mode: "0644"
notify: restart spamassassin
tags:
- spamassassin
- name: enable SpamAssasin
replace:
dest: /etc/default/spamassassin
regexp: 'ENABLED=0'
replace: 'ENABLED=1'
notify: restart spamassassin
tags:
- spamassassin
- name: copy sa-update.sh script
copy:
src: sa-update.sh
dest: /usr/share/scripts/sa-update.sh
mode: "0750"
tags:
- spamassassin
- name: enable sa-update.sh cron
lineinfile:
dest: /etc/cron.d/sa-update
line: "42 6 5 1,4,7,10 * /usr/share/scripts/sa-update.sh"
create: yes
state: present
mode: "0640"
tags:
- spamassassin
- name: update SpamAssasin's rules
command: /usr/share/scripts/sa-update.sh
changed_when: false
tags:
- spamassassin
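Review bot: `create: yes` on the cron task is a YAML 1.1 truthy; `create: true` is the canonical form. The `update SpamAssasin's rules` task runs sa-update.sh immediately, and that script reloads spamassassin through invoke-rc.d whenever new rules arrive, while the `restart spamassassin` handler queued by `enable SpamAssasin` only fires at the end of the play — on a first run the daemon may not be up when the reload is attempted; presumably harmless, but a `meta: flush_handlers` before the update task would make the sequence deterministic. The task names spell the product `SpamAssasin`; `SpamAssassin` is the correct name and keeps play output consistent with the `spamassassin` tags.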