Filter messages sent over authenticated SMTP with Spamassassin

This should mitigate to some extent the effect of compromised accounts, in the time between compromise and when the account is blocked.

Filter messages sent over authenticated SMTP with Spamassassin
9504f2b0 · ale · 26bf9cc7 · 9504f2b0 · 9504f2b0 · 9504f2b0
Commit 9504f2b0 authored 4 years ago by ale
--- a/roles/mail/tasks/backend.yml
+++ b/roles/mail/tasks/backend.yml
@@ -204,7 +204,7 @@
    owner: root
    group: debian-spamd
    mode: 0750
-  with_filetree: "templates/spamassassin/"
+  with_filetree: "templates/spamassassin/backend/"
  when: item.state == 'directory'
 - name: Install Spamassassin config (files)
@@ -214,12 +214,12 @@
    owner: root
    group: debian-spamd
    mode: 0640
-  with_filetree: "templates/spamassassin/"
+  with_filetree: "templates/spamassassin/backend/"
  when: item.state == 'file'
  notify: "reload spamassassin"
 - copy:
-    src: spamassassin.default
+    src: spamassassin.backend.default
    dest: /etc/default/spamassassin
  notify: "reload spamassassin"
@@ -236,9 +236,12 @@
    src: spamassassin-cleanup-txrep.cron
    dest: /etc/cron.d/spamassassin-cleanup-txrep
- copy:
+- name: Configure spamass-milter
-    src: spamass-milter.default
+  template:
+    src: spamass-milter.default.j2
    dest: /etc/default/spamass-milter
+  vars:
+    postfix_instance: "postfix-delivery"
  notify: "reload spamass-milter"
 - name: Create Spamassassin MySQL user

--- a/roles/mail/tasks/frontend.yml
+++ b/roles/mail/tasks/frontend.yml
@@ -11,6 +11,9 @@
      - opendkim
      - libpam-authclient
      - auth-sasl-server
+      - spamassassin
+      - spamass-milter
+      - sa-compile
 - name: Add postfix user to the opendkim and sasl groups
  user:
@@ -71,17 +74,6 @@
    dest: /etc/postfix-policyd-spf-python/policyd-spf.conf
  notify: "reload postfix-in"
-# Install opendkim
- template:
-    src: opendkim.conf.j2
-    dest: /etc/opendkim.conf
-  notify: "reload opendkim"
- file:
-    path: /etc/opendkim
-    state: directory
 # Set up policyd-rate-limit for the postfix-smtp-auth instance.
 - include_tasks: policyd_rate_limit.yml
  vars:
@@ -94,6 +86,17 @@
    src: mtail/postfix-ratelimit.mtail
    dest: "/etc/mtail/postfix-ratelimit.mtail"
+# Install opendkim
+- template:
+    src: opendkim.conf.j2
+    dest: /etc/opendkim.conf
+  notify: "reload opendkim"
+- file:
+    path: /etc/opendkim
+    state: directory
 # In testing, we install a random RSA key, while in production we
 # expect to find the key in credentials_dir (externally managed, will
 # not be autogenerated in that case).
@@ -135,6 +138,46 @@
    state: touch
  changed_when: false
+# Spamassassin setup
+- name: Install Spamassassin config (dirs)
+  file:
+    path: "/etc/spamassassin/{{ item.path }}"
+    state: directory
+    owner: root
+    group: debian-spamd
+    mode: 0750
+  with_filetree: "templates/spamassassin/frontend/"
+  when: item.state == 'directory'
+- name: Install Spamassassin config (files)
+  template:
+    src: "{{ item.src }}"
+    dest: "/etc/spamassassin/{{ item.path }}"
+    owner: root
+    group: debian-spamd
+    mode: 0640
+  with_filetree: "templates/spamassassin/frontend/"
+  when: item.state == 'file'
+  notify: "reload spamassassin"
+- copy:
+    src: spamassassin.frontend.default
+    dest: /etc/default/spamassassin
+  notify: "reload spamassassin"
+- template:
+    src: spamassassin-openphish.cron.j2
+    dest: /etc/cron.d/spamassassin-openphish
+- name: Configure spamass-milter
+  template:
+    src: spamass-milter.default.j2
+    dest: /etc/default/spamass-milter
+  vars:
+    postfix_instance: "postfix-smtp-auth"
+  notify: "reload spamass-milter"
 # Generate self-signed public certificates. This is only so Postfix
 # can start, certificates will be eventually replaced by ACME managed
 # ones.

--- a/roles/mail/templates/postfix-smtp-auth/main.cf
+++ b/roles/mail/templates/postfix-smtp-auth/main.cf
@@ -31,6 +31,11 @@ relay_transport = $default_transport
 virtual_transport = $default_transport
 transport_maps =
+# Run antispam milters before delivery.
+smtpd_milters = unix:spamass/spamass.sock
+milter_connect_macros = j {daemon_name} v {if_name} _
+milter_default_action = tempfail
 # Pass original client log information through the filter.
 smtp_send_xforward_command = yes

--- a/roles/mail/files/spamass-milter.default
+++ b/roles/mail/files/spamass-milter.default
 OPTIONS="-u __GLOBAL__ -e localhost -m"
-SOCKET="/var/spool/postfix-delivery/spamass/spamass.sock"
+SOCKET="/var/spool/{{ postfix_instance }}/spamass/spamass.sock"
--- a/roles/mail/templates/spamassassin/init.pre
+++ b/roles/mail/templates/spamassassin/init.pre
--- a/roles/mail/templates/spamassassin/local.cf
+++ b/roles/mail/templates/spamassassin/local.cf
--- a/roles/mail/templates/spamassassin/schema.sql
+++ b/roles/mail/templates/spamassassin/schema.sql
--- a/roles/mail/templates/spamassassin/v310.pre
+++ b/roles/mail/templates/spamassassin/v310.pre
--- a/roles/mail/templates/spamassassin/v320.pre
+++ b/roles/mail/templates/spamassassin/v320.pre
--- a/roles/mail/templates/spamassassin/v341.pre
+++ b/roles/mail/templates/spamassassin/v341.pre
--- a/roles/mail/templates/spamassassin/v342.pre
+++ b/roles/mail/templates/spamassassin/v342.pre
--- a/roles/mail/templates/spamassassin/frontend/init.pre
+++ b/roles/mail/templates/spamassassin/frontend/init.pre
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# This file will be loaded before *all other* configuration files, including
+# the system configuration.  As such, it's a good place to set things that
+# will affect how those files are parsed, like which plugins are loaded
+# etc.
+#
+###########################################################################
+# RelayCountry - add metadata for Bayes learning, marking the countries
+# a message was relayed through
+#
+# loadplugin Mail::SpamAssassin::Plugin::RelayCountry
+# DCC
+#
+#loadplugin Mail::SpamAssassin::Plugin::DCC
+# URIDNSBL - look up URLs found in the message against several DNS
+# blocklists.
+#
+loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
+# Hashcash - perform hashcash verification.
+#
+loadplugin Mail::SpamAssassin::Plugin::Hashcash
+# SPF - perform SPF verification.
+#
+#loadplugin Mail::SpamAssassin::Plugin::SPF
+# DKIM verification
+#
+#loadplugin Mail::SpamAssassin::Plugin::DKIM
+# language guesser
+loadplugin Mail::SpamAssassin::Plugin::TextCat
--- a/roles/mail/templates/spamassassin/frontend/local.cf
+++ b/roles/mail/templates/spamassassin/frontend/local.cf
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+###########################################################################
+#
+# rewrite_header Subject *****SPAM*****
+# report_safe 1
+# Trust only localhost (we're scanning outbound emails).
+trusted_networks 127.0.0.1
+internal_networks 127.0.0.1
+lock_method flock
+report_safe 0
+ok_locales all
+# Use a "service-like" hostname for headers. Does not need to exist.
+report_hostname spamassassin.investici.org
+envelope_sender_header X-Envelope-From
+required_hits 3
+use_txrep 0
+use_bayes 0
+# I check RBL li fa gia' Postfix.
+skip_rbl_checks 1
+use_pyzor 1
+#   Some shortcircuiting, if the plugin is enabled
+# 
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+#   default: strongly-whitelisted mails are *really* whitelisted now, if the
+#   shortcircuiting plugin is active, causing early exit to save CPU load.
+#   Uncomment to turn this on
+#
+shortcircuit USER_IN_WHITELIST       on
+shortcircuit USER_IN_DEF_WHITELIST   on
+shortcircuit USER_IN_ALL_SPAM_TO     on
+shortcircuit SUBJECT_IN_WHITELIST    on
+#   the opposite; blacklisted mails can also save CPU
+#
+shortcircuit USER_IN_BLACKLIST       on
+shortcircuit USER_IN_BLACKLIST_TO    on
+shortcircuit SUBJECT_IN_BLACKLIST    on
+#   if you have taken the time to correctly specify your "trusted_networks",
+#   this is another good way to save CPU
+#
+shortcircuit ALL_TRUSTED             on
+#   and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99                spam
+# shortcircuit BAYES_00                ham
+endif # Mail::SpamAssassin::Plugin::Shortcircuit
+# Score URIBL failures.
+score URIBL_BLACK	5.7
+score URIBL_DBL_SPAM	5.0
+score URIBL_JP_SURBL	5.0
+score URIBL_RHS_DOB	2.5
+score URIBL_SC_SURBL	5.0
+score URIBL_WS_SURBL	5.0
+score URIBL_PH_SURBL    3.5
+### Rule customization and tuning.
+# Skip spam checking on list bounces
+whitelist_to *-bounces@*
+# bug di questa regola assegna 3.4 punti di spam ai messaggi con data 2010-2099
+score FH_DATE_PAST_20XX 0.0
+# questo becca come spam da viagra frasi come "via gramsci"
+score FR_ALMOST_VIAG2 0.0
+# questo avrebbe 1.8 come punteggio e non si capisce bene cosa faccia, lo caliamo un po'.
+score HTML_COMMENT_SAVED_URL 0.5
+# punteggio di 2.9 che pero' si attiva spesso sui msg firmati con GPG
+score TVD_SPACE_RATIO 0.5
+# email.it ad esempio fa questa cosa dell'helo numerico
+score RCVD_NUMERIC_HELO  0.5
+# freemail non ci piace, score aumentato per via del fatto
+# che stiamo analizzando posta in uscita.
+score FREEMAIL_REPLYTO 0.5
+score FREEMAIL_FORGED_FROMDOMAIN 7.0
+# Message has X-MSMail-Priority, but no X-MimeOLE  (1.9 mi pare troppo)
+score MISSING_MIMEOLE 0.5
+# Define a rule that triggers in case of from name spoofing.
+ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
+    header	__PLUGIN_FROMNAME_SPOOF		eval:check_fromname_spoof()
+    header	__PLUGIN_FROMNAME_EQUALS_TO	eval:check_fromname_equals_to()
+    meta	FROMNAME_SPOOF_EQUALS_TO	(__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
+    describe	FROMNAME_SPOOF_EQUALS_TO	From:name is spoofed to look like To: address
+    score	FROMNAME_SPOOF_EQUALS_TO	1.2
+endif
+# Rule that matches OpenPhish/PhishTank URLs.
+ifplugin Mail::SpamAssassin::Plugin::Phishing
+    phishing_openphish_feed /var/lib/spamassassin/openphish-feed.txt
+{% if phishtank_url is defined %}
+    phishing_phishtank_feed /var/lib/spamassassin/phishtank-feed.csv
+{% endif %}
+    body     URI_PHISHING      eval:check_phishing()
+    describe URI_PHISHING      Phishing URL found
+    score    URI_PHISHING      8
+endif
+{% if rbl_domain_name != 'zen.spamhaus.org' %}
+{% set bare_rbl_domain_name = rbl_domain_name.split('=')[0] %}
+# Override the RBL lookup domain, even though we should be using the RBL data
+# tagged by postscreen in the first place.
+#
+# Most of the default definitions are what we want, we only need to override
+# lines where the zone is listed so we can use our local copy
+header __RCVD_IN_ZEN eval:check_rbl('zen','{{ bare_rbl_domain_name }}.')
+# RCVD_IN_SBL default rule references above so doesn't need to be changed
+header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', '{{ bare_rbl_domain_name }}.','127.0.0.[45678]')
+header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', '{{ bare_rbl_domain_name }}.', '127.0.0.1[01]')
+uridnssub URIBL_SBL       {{ bare_rbl_domain_name }}. A 127.0.0.2
+urirhssub URIBL_DBL_SPAM  {{ dbl_domain_name }}. A 127.0.1.2
+urirhssub URIBL_DBL_REDIR {{ dbl_domain_name }}. A 127.0.1.3
+urirhssub URIBL_DBL_ERROR {{ dbl_domain_name }}. A 127.0.1.255
+{% endif %}
+{% if uribl_domain_name != 'uribl.com' %}
+# Override URIBL lookups with a custom zone.
+urirhssub       URIBL_BLACK     multi.{{ uribl_domain_name }}.        A   2
+urirhssub       URIBL_GREY      multi.{{ uribl_domain_name }}.        A   4
+urirhssub       URIBL_RED       multi.{{ uribl_domain_name }}.        A   8
+urirhssub       URIBL_BLOCKED   multi.{{ uribl_domain_name }}.        A   1
+# The feeds include a GOLD zone too.
+urirhssub       URIBL_GOLD      multi.{{ uribl_domain_name }}.        A   16
+body            URIBL_GOLD      eval:check_uridnsbl('URIBL_GOLD')
+describe        URIBL_GOLD      Contains an URL listed in the URIBL redlist
+tflags          URIBL_GOLD      net
+score           URIBL_GOLD      0 1.5 0 1.5
+{% endif %}
--- a/roles/mail/templates/spamassassin/frontend/v310.pre
+++ b/roles/mail/templates/spamassassin/frontend/v310.pre
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# This file was installed during the installation of SpamAssassin 3.1.0,
+# and contains plugin loading commands for the new plugins added in that
+# release.  It will not be overwritten during future SpamAssassin installs,
+# so you can modify it to enable some disabled-by-default plugins below,
+# if you so wish.
+#
+# There are now multiple files read to enable plugins in the
+# /etc/mail/spamassassin directory; previously only one, "init.pre" was
+# read.  Now both "init.pre", "v310.pre", and any other files ending in
+# ".pre" will be read.  As future releases are made, new plugins will be
+# added to new files, named according to the release they're added in.
+###########################################################################
+# DCC - perform DCC message checks.
+#
+# DCC is disabled here because it is not open source.  See the DCC
+# license for more details.
+#
+#loadplugin Mail::SpamAssassin::Plugin::DCC
+# Pyzor - perform Pyzor message checks.
+#
+loadplugin Mail::SpamAssassin::Plugin::Pyzor
+# Razor2 - perform Razor2 message checks.
+#
+#loadplugin Mail::SpamAssassin::Plugin::Razor2
+# SpamCop - perform SpamCop message reporting
+#
+#loadplugin Mail::SpamAssassin::Plugin::SpamCop
+# AntiVirus - some simple anti-virus checks, this is not a replacement
+# for an anti-virus filter like Clam AntiVirus
+#
+#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
+# AWL - do auto-whitelist checks
+#
+#loadplugin Mail::SpamAssassin::Plugin::AWL
+# AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning
+#
+#loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
+# TextCat - language guesser
+#
+#loadplugin Mail::SpamAssassin::Plugin::TextCat
+# AccessDB - lookup from-addresses in access database
+#
+#loadplugin Mail::SpamAssassin::Plugin::AccessDB
+# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions
+#
+loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
+###########################################################################
+# experimental plugins
+# DomainKeys - perform DomainKeys verification
+#
+# This plugin has been removed as of v3.3.0.  Use the DKIM plugin instead,
+# which supports both Domain Keys and DKIM.
+# MIMEHeader - apply regexp rules against MIME headers in the message
+#
+loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
+# ReplaceTags
+#
+loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
--- a/roles/mail/templates/spamassassin/frontend/v320.pre
+++ b/roles/mail/templates/spamassassin/frontend/v320.pre
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# This file was installed during the installation of SpamAssassin 3.2.0,
+# and contains plugin loading commands for the new plugins added in that
+# release.  It will not be overwritten during future SpamAssassin installs,
+# so you can modify it to enable some disabled-by-default plugins below,
+# if you so wish.
+#
+# There are now multiple files read to enable plugins in the
+# /etc/mail/spamassassin directory; previously only one, "init.pre" was
+# read.  Now both "init.pre", "v310.pre", and any other files ending in
+# ".pre" will be read.  As future releases are made, new plugins will be
+# added to new files, named according to the release they're added in.
+###########################################################################
+# Check - Provides main check functionality
+#
+loadplugin Mail::SpamAssassin::Plugin::Check
+# HTTPSMismatch - find URI mismatches between href and anchor text
+#
+loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
+# URIDetail - test URIs using detailed URI information
+#
+loadplugin Mail::SpamAssassin::Plugin::URIDetail
+# Shortcircuit - stop evaluation early if high-accuracy rules fire
+# 
+loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
+# Plugins which used to be EvalTests.pm
+# broken out into separate plugins
+loadplugin Mail::SpamAssassin::Plugin::Bayes
+loadplugin Mail::SpamAssassin::Plugin::BodyEval
+loadplugin Mail::SpamAssassin::Plugin::DNSEval
+loadplugin Mail::SpamAssassin::Plugin::HTMLEval
+loadplugin Mail::SpamAssassin::Plugin::HeaderEval
+loadplugin Mail::SpamAssassin::Plugin::MIMEEval
+loadplugin Mail::SpamAssassin::Plugin::RelayEval
+loadplugin Mail::SpamAssassin::Plugin::URIEval
+loadplugin Mail::SpamAssassin::Plugin::WLBLEval
+# VBounce - anti-bounce-message rules, see rules/20_vbounce.cf
+#
+loadplugin Mail::SpamAssassin::Plugin::VBounce
+# Rule2XSBody - speedup by compilation of ruleset to native code
+#
+loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
+# ASN - Look up the Autonomous System Number of the connecting IP
+# and create a header containing ASN data for bayes tokenization.
+# See plugin's POD docs for usage info.
+#
+# loadplugin Mail::SpamAssassin::Plugin::ASN
+# ImageInfo - rules to match metadata of image attachments
+#
+loadplugin Mail::SpamAssassin::Plugin::ImageInfo
--- a/roles/mail/templates/spamassassin/frontend/v341.pre
+++ b/roles/mail/templates/spamassassin/frontend/v341.pre
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# This file was installed during the installation of SpamAssassin 3.4.1,
+# and contains plugin loading commands for the new plugins added in that
+# release.  It will not be overwritten during future SpamAssassin installs,
+# so you can modify it to enable some disabled-by-default plugins below,
+# if you so wish.
+#
+# There are now multiple files read to enable plugins in the
+# /etc/mail/spamassassin directory; previously only one, "init.pre" was
+# read.  Now both "init.pre", "v310.pre", and any other files ending in
+# ".pre" will be read.  As future releases are made, new plugins will be
+# added to new files, named according to the release they're added in.
+###########################################################################
+# TxRep - Reputation database that replaces AWL
+# loadplugin Mail::SpamAssassin::Plugin::TxRep
+# URILocalBL - Provides ISP and Country code based filtering as well as
+# quick IP based blocks without a full RBL implementation - Bug 7060
+# loadplugin Mail::SpamAssassin::Plugin::URILocalBL
+# PDFInfo - Use several methods to detect a PDF file's ham/spam traits
+# loadplugin Mail::SpamAssassin::Plugin::PDFInfo
--- a/roles/mail/templates/spamassassin/frontend/v342.pre
+++ b/roles/mail/templates/spamassassin/frontend/v342.pre
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# This file was installed during the installation of SpamAssassin 3.4.1,
+# and contains plugin loading commands for the new plugins added in that
+# release.  It will not be overwritten during future SpamAssassin installs,
+# so you can modify it to enable some disabled-by-default plugins below,
+# if you so wish.
+#
+# There are now multiple files read to enable plugins in the
+# /etc/mail/spamassassin directory; previously only one, "init.pre" was
+# read.  Now both "init.pre", "v310.pre", and any other files ending in
+# ".pre" will be read.  As future releases are made, new plugins will be
+# added to new files, named according to the release they're added in.
+###########################################################################
+# HashBL - Use EBL email blocklist
+# loadplugin Mail::SpamAssassin::Plugin::HashBL
+# ResourceLimits - assure your spamd child processes
+# do not exceed specified CPU or memory limit
+# loadplugin Mail::SpamAssassin::Plugin::ResourceLimits
+# FromNameSpoof - help stop spam that tries to spoof other domains using 
+# the from name
+loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
+# Phishing - finds uris used in phishing campaigns detected by
+# OpenPhish or PhishTank feeds.
+loadplugin Mail::SpamAssassin::Plugin::Phishing