Commit 9504f2b0 authored by ale's avatar ale
Browse files

Filter messages sent over authenticated SMTP with Spamassassin

This should mitigate to some extent the effect of compromised
accounts, in the time between compromise and when the account is
blocked.
parent 26bf9cc7
Pipeline #13367 passed with stage
in 23 seconds
......@@ -204,7 +204,7 @@
owner: root
group: debian-spamd
mode: 0750
with_filetree: "templates/spamassassin/"
with_filetree: "templates/spamassassin/backend/"
when: item.state == 'directory'
- name: Install Spamassassin config (files)
......@@ -214,12 +214,12 @@
owner: root
group: debian-spamd
mode: 0640
with_filetree: "templates/spamassassin/"
with_filetree: "templates/spamassassin/backend/"
when: item.state == 'file'
notify: "reload spamassassin"
- copy:
src: spamassassin.default
src: spamassassin.backend.default
dest: /etc/default/spamassassin
notify: "reload spamassassin"
......@@ -236,9 +236,12 @@
src: spamassassin-cleanup-txrep.cron
dest: /etc/cron.d/spamassassin-cleanup-txrep
- copy:
src: spamass-milter.default
- name: Configure spamass-milter
template:
src: spamass-milter.default.j2
dest: /etc/default/spamass-milter
vars:
postfix_instance: "postfix-delivery"
notify: "reload spamass-milter"
- name: Create Spamassassin MySQL user
......
......@@ -11,6 +11,9 @@
- opendkim
- libpam-authclient
- auth-sasl-server
- spamassassin
- spamass-milter
- sa-compile
- name: Add postfix user to the opendkim and sasl groups
user:
......@@ -71,17 +74,6 @@
dest: /etc/postfix-policyd-spf-python/policyd-spf.conf
notify: "reload postfix-in"
# Install opendkim
- template:
src: opendkim.conf.j2
dest: /etc/opendkim.conf
notify: "reload opendkim"
- file:
path: /etc/opendkim
state: directory
# Set up policyd-rate-limit for the postfix-smtp-auth instance.
- include_tasks: policyd_rate_limit.yml
vars:
......@@ -94,6 +86,17 @@
src: mtail/postfix-ratelimit.mtail
dest: "/etc/mtail/postfix-ratelimit.mtail"
# Install opendkim
- template:
src: opendkim.conf.j2
dest: /etc/opendkim.conf
notify: "reload opendkim"
- file:
path: /etc/opendkim
state: directory
# In testing, we install a random RSA key, while in production we
# expect to find the key in credentials_dir (externally managed, will
# not be autogenerated in that case).
......@@ -135,6 +138,46 @@
state: touch
changed_when: false
# Spamassassin setup
- name: Install Spamassassin config (dirs)
file:
path: "/etc/spamassassin/{{ item.path }}"
state: directory
owner: root
group: debian-spamd
mode: 0750
with_filetree: "templates/spamassassin/frontend/"
when: item.state == 'directory'
- name: Install Spamassassin config (files)
template:
src: "{{ item.src }}"
dest: "/etc/spamassassin/{{ item.path }}"
owner: root
group: debian-spamd
mode: 0640
with_filetree: "templates/spamassassin/frontend/"
when: item.state == 'file'
notify: "reload spamassassin"
- copy:
src: spamassassin.frontend.default
dest: /etc/default/spamassassin
notify: "reload spamassassin"
- template:
src: spamassassin-openphish.cron.j2
dest: /etc/cron.d/spamassassin-openphish
- name: Configure spamass-milter
template:
src: spamass-milter.default.j2
dest: /etc/default/spamass-milter
vars:
postfix_instance: "postfix-smtp-auth"
notify: "reload spamass-milter"
# Generate self-signed public certificates. This is only so Postfix
# can start, certificates will be eventually replaced by ACME managed
# ones.
......
......@@ -31,6 +31,11 @@ relay_transport = $default_transport
virtual_transport = $default_transport
transport_maps =
# Run antispam milters before delivery.
smtpd_milters = unix:spamass/spamass.sock
milter_connect_macros = j {daemon_name} v {if_name} _
milter_default_action = tempfail
# Pass original client log information through the filter.
smtp_send_xforward_command = yes
......
OPTIONS="-u __GLOBAL__ -e localhost -m"
SOCKET="/var/spool/postfix-delivery/spamass/spamass.sock"
SOCKET="/var/spool/{{ postfix_instance }}/spamass/spamass.sock"
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# This file will be loaded before *all other* configuration files, including
# the system configuration. As such, it's a good place to set things that
# will affect how those files are parsed, like which plugins are loaded
# etc.
#
###########################################################################
# RelayCountry - add metadata for Bayes learning, marking the countries
# a message was relayed through
#
# loadplugin Mail::SpamAssassin::Plugin::RelayCountry
# DCC
#
#loadplugin Mail::SpamAssassin::Plugin::DCC
# URIDNSBL - look up URLs found in the message against several DNS
# blocklists.
#
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
# Hashcash - perform hashcash verification.
#
loadplugin Mail::SpamAssassin::Plugin::Hashcash
# SPF - perform SPF verification.
#
#loadplugin Mail::SpamAssassin::Plugin::SPF
# DKIM verification
#
#loadplugin Mail::SpamAssassin::Plugin::DKIM
# language guesser
loadplugin Mail::SpamAssassin::Plugin::TextCat
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
# rewrite_header Subject *****SPAM*****
# report_safe 1
# Trust only localhost (we're scanning outbound emails).
trusted_networks 127.0.0.1
internal_networks 127.0.0.1
lock_method flock
report_safe 0
ok_locales all
# Use a "service-like" hostname for headers. Does not need to exist.
report_hostname spamassassin.investici.org
envelope_sender_header X-Envelope-From
required_hits 3
use_txrep 0
use_bayes 0
# I check RBL li fa gia' Postfix.
skip_rbl_checks 1
use_pyzor 1
# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
# default: strongly-whitelisted mails are *really* whitelisted now, if the
# shortcircuiting plugin is active, causing early exit to save CPU load.
# Uncomment to turn this on
#
shortcircuit USER_IN_WHITELIST on
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_ALL_SPAM_TO on
shortcircuit SUBJECT_IN_WHITELIST on
# the opposite; blacklisted mails can also save CPU
#
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_BLACKLIST_TO on
shortcircuit SUBJECT_IN_BLACKLIST on
# if you have taken the time to correctly specify your "trusted_networks",
# this is another good way to save CPU
#
shortcircuit ALL_TRUSTED on
# and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99 spam
# shortcircuit BAYES_00 ham
endif # Mail::SpamAssassin::Plugin::Shortcircuit
# Score URIBL failures.
score URIBL_BLACK 5.7
score URIBL_DBL_SPAM 5.0
score URIBL_JP_SURBL 5.0
score URIBL_RHS_DOB 2.5
score URIBL_SC_SURBL 5.0
score URIBL_WS_SURBL 5.0
score URIBL_PH_SURBL 3.5
### Rule customization and tuning.
# Skip spam checking on list bounces
whitelist_to *-bounces@*
# bug di questa regola assegna 3.4 punti di spam ai messaggi con data 2010-2099
score FH_DATE_PAST_20XX 0.0
# questo becca come spam da viagra frasi come "via gramsci"
score FR_ALMOST_VIAG2 0.0
# questo avrebbe 1.8 come punteggio e non si capisce bene cosa faccia, lo caliamo un po'.
score HTML_COMMENT_SAVED_URL 0.5
# punteggio di 2.9 che pero' si attiva spesso sui msg firmati con GPG
score TVD_SPACE_RATIO 0.5
# email.it ad esempio fa questa cosa dell'helo numerico
score RCVD_NUMERIC_HELO 0.5
# freemail non ci piace, score aumentato per via del fatto
# che stiamo analizzando posta in uscita.
score FREEMAIL_REPLYTO 0.5
score FREEMAIL_FORGED_FROMDOMAIN 7.0
# Message has X-MSMail-Priority, but no X-MimeOLE (1.9 mi pare troppo)
score MISSING_MIMEOLE 0.5
# Define a rule that triggers in case of from name spoofing.
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
meta FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
describe FROMNAME_SPOOF_EQUALS_TO From:name is spoofed to look like To: address
score FROMNAME_SPOOF_EQUALS_TO 1.2
endif
# Rule that matches OpenPhish/PhishTank URLs.
ifplugin Mail::SpamAssassin::Plugin::Phishing
phishing_openphish_feed /var/lib/spamassassin/openphish-feed.txt
{% if phishtank_url is defined %}
phishing_phishtank_feed /var/lib/spamassassin/phishtank-feed.csv
{% endif %}
body URI_PHISHING eval:check_phishing()
describe URI_PHISHING Phishing URL found
score URI_PHISHING 8
endif
{% if rbl_domain_name != 'zen.spamhaus.org' %}
{% set bare_rbl_domain_name = rbl_domain_name.split('=')[0] %}
# Override the RBL lookup domain, even though we should be using the RBL data
# tagged by postscreen in the first place.
#
# Most of the default definitions are what we want, we only need to override
# lines where the zone is listed so we can use our local copy
header __RCVD_IN_ZEN eval:check_rbl('zen','{{ bare_rbl_domain_name }}.')
# RCVD_IN_SBL default rule references above so doesn't need to be changed
header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', '{{ bare_rbl_domain_name }}.','127.0.0.[45678]')
header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', '{{ bare_rbl_domain_name }}.', '127.0.0.1[01]')
uridnssub URIBL_SBL {{ bare_rbl_domain_name }}. A 127.0.0.2
urirhssub URIBL_DBL_SPAM {{ dbl_domain_name }}. A 127.0.1.2
urirhssub URIBL_DBL_REDIR {{ dbl_domain_name }}. A 127.0.1.3
urirhssub URIBL_DBL_ERROR {{ dbl_domain_name }}. A 127.0.1.255
{% endif %}
{% if uribl_domain_name != 'uribl.com' %}
# Override URIBL lookups with a custom zone.
urirhssub URIBL_BLACK multi.{{ uribl_domain_name }}. A 2
urirhssub URIBL_GREY multi.{{ uribl_domain_name }}. A 4
urirhssub URIBL_RED multi.{{ uribl_domain_name }}. A 8
urirhssub URIBL_BLOCKED multi.{{ uribl_domain_name }}. A 1
# The feeds include a GOLD zone too.
urirhssub URIBL_GOLD multi.{{ uribl_domain_name }}. A 16
body URIBL_GOLD eval:check_uridnsbl('URIBL_GOLD')
describe URIBL_GOLD Contains an URL listed in the URIBL redlist
tflags URIBL_GOLD net
score URIBL_GOLD 0 1.5 0 1.5
{% endif %}
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# This file was installed during the installation of SpamAssassin 3.1.0,
# and contains plugin loading commands for the new plugins added in that
# release. It will not be overwritten during future SpamAssassin installs,
# so you can modify it to enable some disabled-by-default plugins below,
# if you so wish.
#
# There are now multiple files read to enable plugins in the
# /etc/mail/spamassassin directory; previously only one, "init.pre" was
# read. Now both "init.pre", "v310.pre", and any other files ending in
# ".pre" will be read. As future releases are made, new plugins will be
# added to new files, named according to the release they're added in.
###########################################################################
# DCC - perform DCC message checks.
#
# DCC is disabled here because it is not open source. See the DCC
# license for more details.
#
#loadplugin Mail::SpamAssassin::Plugin::DCC
# Pyzor - perform Pyzor message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Pyzor
# Razor2 - perform Razor2 message checks.
#
#loadplugin Mail::SpamAssassin::Plugin::Razor2
# SpamCop - perform SpamCop message reporting
#
#loadplugin Mail::SpamAssassin::Plugin::SpamCop
# AntiVirus - some simple anti-virus checks, this is not a replacement
# for an anti-virus filter like Clam AntiVirus
#
#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
# AWL - do auto-whitelist checks
#
#loadplugin Mail::SpamAssassin::Plugin::AWL
# AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning
#
#loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
# TextCat - language guesser
#
#loadplugin Mail::SpamAssassin::Plugin::TextCat
# AccessDB - lookup from-addresses in access database
#
#loadplugin Mail::SpamAssassin::Plugin::AccessDB
# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions
#
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
###########################################################################
# experimental plugins
# DomainKeys - perform DomainKeys verification
#
# This plugin has been removed as of v3.3.0. Use the DKIM plugin instead,
# which supports both Domain Keys and DKIM.
# MIMEHeader - apply regexp rules against MIME headers in the message
#
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
# ReplaceTags
#
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# This file was installed during the installation of SpamAssassin 3.2.0,
# and contains plugin loading commands for the new plugins added in that
# release. It will not be overwritten during future SpamAssassin installs,
# so you can modify it to enable some disabled-by-default plugins below,
# if you so wish.
#
# There are now multiple files read to enable plugins in the
# /etc/mail/spamassassin directory; previously only one, "init.pre" was
# read. Now both "init.pre", "v310.pre", and any other files ending in
# ".pre" will be read. As future releases are made, new plugins will be
# added to new files, named according to the release they're added in.
###########################################################################
# Check - Provides main check functionality
#
loadplugin Mail::SpamAssassin::Plugin::Check
# HTTPSMismatch - find URI mismatches between href and anchor text
#
loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
# URIDetail - test URIs using detailed URI information
#
loadplugin Mail::SpamAssassin::Plugin::URIDetail
# Shortcircuit - stop evaluation early if high-accuracy rules fire
#
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
# Plugins which used to be EvalTests.pm
# broken out into separate plugins
loadplugin Mail::SpamAssassin::Plugin::Bayes
loadplugin Mail::SpamAssassin::Plugin::BodyEval
loadplugin Mail::SpamAssassin::Plugin::DNSEval
loadplugin Mail::SpamAssassin::Plugin::HTMLEval
loadplugin Mail::SpamAssassin::Plugin::HeaderEval
loadplugin Mail::SpamAssassin::Plugin::MIMEEval
loadplugin Mail::SpamAssassin::Plugin::RelayEval
loadplugin Mail::SpamAssassin::Plugin::URIEval
loadplugin Mail::SpamAssassin::Plugin::WLBLEval
# VBounce - anti-bounce-message rules, see rules/20_vbounce.cf
#
loadplugin Mail::SpamAssassin::Plugin::VBounce
# Rule2XSBody - speedup by compilation of ruleset to native code
#
loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
# ASN - Look up the Autonomous System Number of the connecting IP
# and create a header containing ASN data for bayes tokenization.
# See plugin's POD docs for usage info.
#
# loadplugin Mail::SpamAssassin::Plugin::ASN
# ImageInfo - rules to match metadata of image attachments
#
loadplugin Mail::SpamAssassin::Plugin::ImageInfo
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# This file was installed during the installation of SpamAssassin 3.4.1,
# and contains plugin loading commands for the new plugins added in that
# release. It will not be overwritten during future SpamAssassin installs,
# so you can modify it to enable some disabled-by-default plugins below,
# if you so wish.
#
# There are now multiple files read to enable plugins in the
# /etc/mail/spamassassin directory; previously only one, "init.pre" was
# read. Now both "init.pre", "v310.pre", and any other files ending in
# ".pre" will be read. As future releases are made, new plugins will be
# added to new files, named according to the release they're added in.
###########################################################################
# TxRep - Reputation database that replaces AWL
# loadplugin Mail::SpamAssassin::Plugin::TxRep
# URILocalBL - Provides ISP and Country code based filtering as well as
# quick IP based blocks without a full RBL implementation - Bug 7060
# loadplugin Mail::SpamAssassin::Plugin::URILocalBL
# PDFInfo - Use several methods to detect a PDF file's ham/spam traits
# loadplugin Mail::SpamAssassin::Plugin::PDFInfo
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# This file was installed during the installation of SpamAssassin 3.4.1,
# and contains plugin loading commands for the new plugins added in that
# release. It will not be overwritten during future SpamAssassin installs,
# so you can modify it to enable some disabled-by-default plugins below,
# if you so wish.
#
# There are now multiple files read to enable plugins in the
# /etc/mail/spamassassin directory; previously only one, "init.pre" was
# read. Now both "init.pre", "v310.pre", and any other files ending in
# ".pre" will be read. As future releases are made, new plugins will be
# added to new files, named according to the release they're added in.
###########################################################################
# HashBL - Use EBL email blocklist
# loadplugin Mail::SpamAssassin::Plugin::HashBL
# ResourceLimits - assure your spamd child processes
# do not exceed specified CPU or memory limit
# loadplugin Mail::SpamAssassin::Plugin::ResourceLimits
# FromNameSpoof - help stop spam that tries to spoof other domains using
# the from name
loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
# Phishing - finds uris used in phishing campaigns detected by
# OpenPhish or PhishTank feeds.
loadplugin Mail::SpamAssassin::Plugin::Phishing
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment