mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2024-05-26 20:06:13 +02:00

Replace SpamAssassin with Rspamd

Switching to Rspamd has some advantages:
* It is probably faster than SA[1] (C + Lua vs Perl)
* We can reduce the number of moving parts. Rspamd has built-in DKIM
  signing, greylisting, DMARC checking to name a few
* It doesn't just mark the mail as spam/not-spam, it gives every mail a
  score and depending on the score it does either: nothing, greylist it,
  mark it as spam or reject it[2] (more actions are available and it can
  be tweaked)
* Replies whitelisting[3]
* It supports ARC signing, which can be useful
* A cool looking WebUi :)
* ... and more[4]...

[1] https://rspamd.com/doc/tutorials/migrate_sa.html#why-migrate-to-rspamd
[2] https://rspamd.com/doc/faq.html#what-are-rspamd-actions
[3] https://rspamd.com/doc/modules/replies.html
[4] https://rspamd.com/comparison.html
Kristian Klausen 2020-08-02 21:51:27 +02:00 committed by Sven-Hendrik Haase
parent f853a2923a
commit bcf1c981bb
31 changed files with 55 additions and 690 deletions


@ -27,7 +27,7 @@
- { role: borg_client, tags: ["borg"] }
- { role: certbot }
- { role: nginx }
- { role: spampd, tags: ["mail"] }
- { role: rspamd, tags: ["mail"] }
- { role: unbound, tags: ["mail"] }
- { role: postfix, postfix_relayhost: "mail.archlinux.org", postfix_smtpd_public: true, postfix_patchwork_enabled: true, tags: ["mail"] }
- { role: opendkim, dkim_selector: apollo, tags: ['mail'] }


@ -26,7 +26,7 @@
- firewall
roles:
- nginx
- spampd
- rspamd
- { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
# luna is hosting mailman lists; this postfix role does not cater to this yet
# TODO: make postfix role handle mailman config?
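Review bot: This play does not apply the `postfix` role (the context comment says it "does not cater to this yet"), so the `smtpd_milters` change made elsewhere in this commit will not reach this host's Postfix configuration. Swapping `spampd` for `rspamd` here therefore risks leaving the mailman host with rspamd running but nothing handing mail to it. If the separately managed Postfix still forwards to the old spampd listener, mail would be deferred once spampd is gone. The Postfix config for this host is not visible in the diff, so this needs checking on the host. A comment next to the role would help, e.g. `# postfix here is not managed by the postfix role; the rspamd milter must be wired up separately`.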


@ -10,7 +10,7 @@
- { role: certbot }
- { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }
- { role: dovecot }
- { role: spampd, tags: ["mail"] }
- { role: rspamd, tags: ["mail"] }
- { role: unbound, tags: ["mail"] }
- { role: postfwd, tags: ['mail'] }
- { role: archusers }


@ -11,7 +11,7 @@
- { role: borg_client, tags: ['borg'] }
- { role: opendkim, dkim_selector: orion, tags: ['mail'] }
- { role: dovecot }
- { role: spampd, tags: ["mail"] }
- { role: rspamd, tags: ["mail"] }
- { role: unbound, tags: ["mail"] }
- { role: postfwd, tags: ['mail'] }
- { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }


@ -0,0 +1,5 @@
require ["mailbox", "fileinto"];
if header "X-Spam" "Yes"{
fileinto :create "Junk";
stop;
}
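Review bot: The script carries no comment saying which component sets `X-Spam`, and the filing decision depends entirely on that header. As far as I can tell it is written by rspamd's milter for the "add header" action, so a short header comment would help, e.g. `# X-Spam: Yes is added by rspamd (action "add header"); runs via sieve_before, ahead of user scripts`. It is also worth noting there that a sender can supply the header themselves, which only moves their own mail to Junk, so the header must never be used for a whitelisting decision.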


@ -3,3 +3,7 @@
- name: reload dovecot
service: name=dovecot state=restarted
- name: run sievec
command: /usr/bin/sievec /etc/dovecot/sieve/{{ item }}
loop:
- spam-to-folder.sieve


@ -18,6 +18,14 @@
- name: install PAM config
copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root
- name: create dovecot sieve dir
file: path=/etc/dovecot/sieve state=directory owner=root group=root mode=0755
- name: install spam-to-folder.sieve
copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve/ mode=0644 owner=root group=root
notify:
- run sievec
- name: install dovecot cert renewal hook
template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/dovecot owner=root group=root mode=0755


@ -44,6 +44,7 @@ plugin {
sieve_dir = ~/.sieve
sieve_global_dir = /etc/dovecot/sieve/global/
sieve_global_path = /etc/dovecot/sieve/default.sieve
sieve_before = /etc/dovecot/sieve/spam-to-folder.sieve
mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size


@ -1 +0,0 @@
/X-Spam-Status: Yes,/ REJECT Your message has been rejected by Spamassassin


@ -165,8 +165,8 @@ submission_recipient_restrictions=
permit_sasl_authenticated,
reject
smtpd_milters=unix:/var/spool/opendkim/opendkim
non_smtpd_milters=unix:/var/spool/opendkim/opendkim
smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332
non_smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332
# Pass internal mails through filters so they get signed by opendkim
# XXX: Be careful not to have filters that may reject mails!
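Review bot: Adding `inet:localhost:11332` to `non_smtpd_milters` puts a filter that can reject or greylist on the path for locally submitted mail, which is what the `XXX: Be careful not to have filters that may reject mails!` comment just below warns about (the setting that comment belongs to is outside the hunk). Consider keeping `non_smtpd_milters=unix:/var/spool/opendkim/opendkim` and attaching rspamd only to `smtpd_milters`, or confirm that rspamd treats local submissions as trusted. Nothing visible sets `milter_default_action`, and Postfix's default is to tempfail, so a stopped rspamd would defer all mail. Whether to fail open (`accept`) or closed should be an explicit choice.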


@ -14,7 +14,6 @@
# ==========================================================================
{% if postfix_smtpd_public %}
smtp inet n - n - - smtpd
-o smtpd_proxy_filter=[127.0.0.1]:10025
-o smtpd_client_connection_count_limit=20
-o smtpd_proxy_options=speed_adjust
{% else %}
@ -30,7 +29,6 @@ submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=$submission_recipient_restrictions
-o content_filter=smtp:[127.0.0.1]:10025
-o smtpd_client_connection_count_limit=10
#-o smtpd_milters=unix:/var/spool/opendkim/opendkim
{% endif %}
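Review bot: `-o smtpd_proxy_options=speed_adjust` stays on the public `smtp` service, but it only has meaning together with `smtpd_proxy_filter`, which appears to be the line the first hunk removes. The +/- markers are lost on this page, so that is inferred from the 7-to-6 line count and the spampd port. The leftover option should be dropped so the service definition does not suggest a before-queue proxy is still in place. The second hunk likewise seems to remove `content_filter=smtp:[127.0.0.1]:10025` from `submission`, so authenticated submissions now reach a filter only through the global `smtpd_milters`. The stale commented line `#-o smtpd_milters=unix:/var/spool/opendkim/opendkim` could be removed or updated to say so.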


@ -0,0 +1,6 @@
---
- name: install redis
pacman: name=redis state=present
- name: start and enable redis
service: name=redis enabled=yes state=started
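Review bot: Redis is installed and started with the packaged configuration, and nothing in this role restricts who on the host may connect. A loopback TCP listener without `requirepass` is reachable by every local account and process. The rspamd settings added in this commit point `write_servers`/`read_servers` at `127.0.0.1`, so rspamd's state would be readable and modifiable by any local user on hosts that also carry shell accounts. Suggest shipping a redis.conf that sets `requirepass` (with the matching `password` on the rspamd side, kept in the vault), or switching both ends to a unix socket whose permissions limit access to the rspamd user.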


@ -0,0 +1,2 @@
systemd = true;
type = "console";


@ -0,0 +1,3 @@
extended_spam_headers = true;
use = ["authentication-results"];
authenticated_headers = ["authentication-results"];
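Review bot: `extended_spam_headers = true` stamps the per-symbol score breakdown and the scanning server's name onto delivered messages. On hosts that forward or redistribute mail, those headers leave the organisation and tell a sender which rules fired. If the headers are wanted only for local debugging, consider limiting them to local delivery or dropping the setting and keeping just `use = ["authentication-results"]`. Separately, nothing visible here strips `Authentication-Results` headers that arrive with a message. Please confirm the routine's `remove` setting, or opendkim, takes care of forged ones claiming this host's identity.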


@ -0,0 +1,2 @@
write_servers = "127.0.0.1";
read_servers = "127.0.0.1";


@ -0,0 +1,3 @@
---
- name: reload rspamd
service: name=rspamd state=reloaded


@ -0,0 +1,3 @@
---
dependencies:
- role: redis


@ -0,0 +1,11 @@
---
- name: install rspamd
pacman: name=rspamd state=present
- name: install config
copy: src=local.d/ dest=/etc/rspamd/local.d/ owner=root group=root mode=0644
notify:
- reload rspamd
- name: start and enable rspamd
service: name=rspamd enabled=yes state=started
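Review bot: The role copies `local.d/` but ships no controller settings, so the controller and WebUI mentioned in the commit message run on package defaults. As far as I know that means a loopback listener that trusts local clients without a password. On hosts with shell users, any local account could then query message history or train the classifier, and a reverse proxy placed in front later would make every request appear local. Suggest adding a `worker-controller.inc` under `local.d/` with a hashed `password` taken from the vault and an explicit `secure_ip`. The `copy` installs every file as `mode=0644`, so a file carrying a secret would need its own task with a tighter mode.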


@ -1,9 +0,0 @@
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = spamassassin
[Action]
When = PostTransaction
Exec = /usr/bin/systemctl start sa-update.service


@ -1,6 +0,0 @@
[Unit]
Description=sa-update
[Service]
Type=oneshot
ExecStart=/usr/local/bin/sa-update.sh


@ -1,15 +0,0 @@
#!/bin/bash
set -e
/usr/bin/vendor_perl/sa-update --channelfile /etc/mail/spamassassin/update-channels --gpgkeyfile /etc/mail/spamassassin/update-gpgkeys || {
exitcode=$?
if ((exitcode == 1)); then
exit 0
else
echo "sa-update failed"
exit 1
fi
}
/usr/bin/vendor_perl/sa-compile --quiet
systemctl restart spampd


@ -1,8 +0,0 @@
[Unit]
Description=sa-update
[Timer]
OnCalendar=*-*-* 00:05:00
[Install]
WantedBy=timers.target


@ -1,5 +0,0 @@
updates.spamassassin.org
# temporarily disabled due to missing compatability with SA 3.4.2 (missing sha256/512 checksum files)
#sought.rules.yerp.org
#sa.zmi.at


@ -1,5 +0,0 @@
# sa.zmi.at
40F74481
# sought.rules.yerp.org
6C6191E3


@ -1,41 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)
mQGiBEa/l+YRBACC+uJfIThEoEWrNxdDD/1tAwb5L8v7H3gGt+LtuOwwn5ZU7XsT
s1DOok1oZVRnTQJYdlth7QlU9wqijwLEVzW1LDWnxXXKwPmlTlkcdGoBcb+cBbYI
miJ/TlAetvbprcZdROS4Ey31GjPRmWPPnVE2Xcwy+e4+RmnhqfZBmOaE7wCgo1GG
pkik2OPD1le4LGGOGHL5HiED/0TyvTiSS3NnUtoDFQAPrnezOCjxv8zMjYEnJs/I
h7uyIgHRsbB75cD2O1LWyO8Vz8r/snVuG35zcZagPf/7Tc9AJoaxVmCIk9DEmWZp
iuvqpMhwHAbNvY3jY2oKsDl1rNx0IIctoJwjXia99kvNTHK/Yz/HqhIyLModhiMB
aYYZA/wIdPOHGHaP5vjlbWBwGlRR9m0Rf4ob5sul8MjCyehOYcRVLwfOEfzX308v
0enOGnbbBKXU2QvA0Z068aBmJkJaaPhlIjZApQJDsb7pt6k8jMPj/Xpr779wAFQ8
IZC7Tw21OtqkjrUb3dZlEljrTwWNc6FVxuIidBBg7HCdP24WKLRESnVzdGluIE1h
c29uIFNpZ25pbmcgS2V5IChDb2RlIFNpZ25pbmcgT25seSkgPHNpZ25pbmdrZXlA
am1hc29uLm9yZz6IZAQTEQIAJAUCRr+X5gIbAwUJEswDAAYLCQgHAwIDFQIDAxYC
AQIeAQIXgAAKCRDchTQfbGGR4/GJAKCC6X6AF8nM+H00b/XeZl9vYihXBgCcDYuU
AtXjWWxndkneakmbnD0O4Z25BA0ERr+YdxAQAIYYUQHMzVsRAzpIRLfni0aeczrr
armwXMJ8y5p74lVLbJyQOjkQyIJWP80twrN8SjNyUFBr/52SlOPOuAbGZY1ZKpux
vkbsug2wWvkoj8xGjnexrSDahRgpNhf/otLRNTyUFZTM6mjZt0ItnYDl6xszY4kd
O5rVzjQuivNB4BsHcd8qQ7zVo9+VZ5R77iM4dtk6t5ycpXlAom5pD8qLb7ZzTVe0
SuhzOeynF51rwjS+wa3hzZisvJqZA5uJcAyYslgP1UTW+2e5wutSktSZmL/XnlEF
p86GPjAgDPL2Q0TgzVL6sPt0blNCyzOJrcBqBHrgZfraYgqtmGepLpk72q4VD23c
aV2wTqjnfJAsNR3y8jgVNwF8LpXtlbxrBByFRwEqsc/gzdMEnJ728XBDqT2IhZLY
maL/WxiDKNWD/Mae69HTyInIYgrfT7nJKDeKQA81+e5+UmqBVoi5/AICMlDm1DgR
gG6bbOXGhLVPh+gHjGG4Jdd/ZLedncUsjW9KyK261sqM3tSDSfgnF99w2/32ToFu
ChN8JOfQ6VZ7QbL1BWRtQWZ3tyauUUXmsrYDv1w1nx51MqxQdlitnmTRWaRW0GmD
b5XapJfSK+FiGXaynl3HHxHHpcUauX9zBa/LRp8oXiGPLfJEWmjWcGCyGZawASj3
pTTJUnbkYs0fUyUXAAQND/42mh8f3mTA+24I3lY4K8mxH9GSFgOkLoYwok8xL5Md
OUJAyvs34ixqvM2u560YJkegEO/xzg2abddfoqL8eNnjfvG3bI7KOCT+m+mM/5Cg
ul8XFSnHIEivuOXNtc/x/dwYSidKM8atkdpKtv++psd6hVbJQMfLlzf0S2QyiaGk
yXur/pM3A97lvkjAgvIKQt8NbJ/sITFlrN2TFxcbE8OED7LC4nBo54TJ1AxVsHlT
LB5XPKU8pBv0fABZrNKxf6a2iXx9jT9sSYdnb0y+hBjnoWZUNbhxo6jpAqt1quUy
buGWugvG8J75JvT6X+lwEEkg1lplmm+HuaFtegOqTUTKmffKduY+E00le+3Kh8gW
bLR8P1qp/xnxQxZJYcQ+mT4QsYpj6Pkcj0ON3NQO5wP6dr2UGhGcSzS2Cxv8TERN
7HSdFbFXQWPCekx+i7OjeRSY/XTUf2zYquPNP2oU0MjgnXhnkHq+6EaQPpM59fMd
MyLeOiUMOxpPOkeaAC8Ku0Oj2aZU/eyizuBDnhq1PAxBprSW5SSkxP4kz9BnA42x
tkMKMzzPohdfMIRI6zSu0chr76w2UeoViSsMtmWnR6qAXbQvzR+HHxhhB/Rzp6Gc
u9gybrv58IBkybn5ztST6NqgIgcQ/E7XIsB0Eooohfw+QiPlCdoghSxspbzwqcEZ
B4hPBBgRAgAPBQJGv5h3AhsMBQkSzAMAAAoJENyFNB9sYZHjUh0AnA3u5TNYHGLQ
DXLPP0qWHkTeOz8dAJ4wkrLBTaXz3CPCjoTdoBiQsNt3fw==
=nK43
-----END PGP PUBLIC KEY BLOCK-----


@ -1,52 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.12 (GNU/Linux)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=bBTm
-----END PGP PUBLIC KEY BLOCK-----


@ -1,7 +0,0 @@
---
- name: restart spampd
service: name=spampd state=restarted
- name: restart sa-update
service: name=sa-update state=restarted


@ -1,72 +0,0 @@
---
# make and gcc are required for sa-compile
- name: install spampd and dependencies
pacman: name=spampd,make,gcc,razor state=present
- name: install sa-update.sh
copy: src=sa-update.sh dest=/usr/local/bin/sa-update.sh owner=root group=root mode=0755
notify:
- restart sa-update
- name: install support files
copy: src={{ item }} dest=/etc/mail/spamassassin/{{ item }} owner=root group=root mode=0644
with_items:
- update-gpgkeys
- update-channels
- yerp.gpg.key
- zmi.gpg.key
- name: install systemd timers
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- sa-update.timer
- sa-update.service
notify:
- systemd daemon reload
- name: create pacman.d hooks dir
file: state=directory path="/etc/pacman.d/hooks" owner=root group=root mode=0755
- name: install pacman sa-update hook
copy: src=sa-update.hook dest=/etc/pacman.d/hooks/sa-update.hook owner=root group=root mode=0644
- name: create sa-update keyring directory
file: path=/etc/mail/spamassassin/sa-update-keys mode=700 owner=root group=root state=directory
- name: add gpg keys to SA keyring
command: /usr/bin/vendor_perl/sa-update --import "/etc/mail/spamassassin/{{ item }}"
with_items:
- yerp.gpg.key
- zmi.gpg.key
register: sa-update
changed_when: "sa-update.rc == 0"
- name: install SA configs
template: src={{ item }}.j2 dest=/etc/mail/spamassassin/{{ item }} owner=root group=root mode=0644
notify:
restart spampd
loop:
- local.cf
- rules-en.cf
- name: check SA config validity
command: /usr/bin/vendor_perl/spamassassin --lint
changed_when: false
- name: activate systemd timers
service: name={{ item }} enabled=yes state=started
with_items:
- sa-update.timer
- name: remove override directory
file: path=/etc/systemd/system/spampd.service.d/ state=absent
notify:
- restart spampd
- name: start spampd
systemd:
name: spampd
enabled: yes
state: started
daemon_reload: yes


@ -1,325 +0,0 @@
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################
dns_server 127.0.0.1
# Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****
# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1
# Set which networks or hosts are considered 'trusted' by your mail
# server (i.e. not spammers)
#
# trusted_networks 212.17.35.
# Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock
# Set the threshold at which a message is considered spam (default: 5.0)
#
required_score 5.0
# Use Bayesian classifier (default: 1)
#
# use_bayes 1
# Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1
# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status
#whitelist_to postmaster@*
# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
# them to UTF-8 before the text is given over to rules processing.
#
# normalize_charset 1
# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
# default: strongly-whitelisted mails are *really* whitelisted now, if the
# shortcircuiting plugin is active, causing early exit to save CPU load.
# Uncomment to turn this on
#
#shortcircuit USER_IN_WHITELIST ham
#shortcircuit USER_IN_WHITELIST_TO ham
# shortcircuit USER_IN_DEF_WHITELIST on
# shortcircuit USER_IN_ALL_SPAM_TO on
# shortcircuit SUBJECT_IN_WHITELIST on
# the opposite; blacklisted mails can also save CPU
#
#shortcircuit USER_IN_BLACKLIST on
#shortcircuit USER_IN_BLACKLIST_TO on
# shortcircuit SUBJECT_IN_BLACKLIST on
# if you have taken the time to correctly specify your "trusted_networks",
# this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED on
# and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99 spam
# shortcircuit BAYES_00 ham
endif # Mail::SpamAssassin::Plugin::Shortcircuit
loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES_ autolearn=_AUTOLEARN_ version=_VERSION_
# enable SPF plugin
loadplugin Mail::SpamAssassin::Plugin::SPF
# disable suspicious IADB stuff (they whitelisted some spam mails)
score __RCVD_IN_IADB 0
# reduce the positive weight of returnpath CERTIFIED/SAFE results
score RCVD_IN_RP_CERTIFIED -0.01 # default -3
score RCVD_IN_RP_SAFE -0.001 # default -2
# increase scores of some rules
score RCVD_IN_BL_SPAMCOP_NET 3.5
score RCVD_IN_SBL 3.5
score RCVD_IN_XBL 3.5
score URIBL_DBL_SPAM 3.5
score URIBL_SBL 3.5
score URIBL_BLACK 3.0
score URIBL_SBL_A 1.0
score RCVD_IN_SORBS_SPAM 3.5
score RCVD_IN_BRBL_LASTEXT 2.0
score URIBL_ABUSE_SURBL 2.0
score SPF_HELO_SOFTFAIL 0.25
score SPF_HELO_FAIL 0.5
score SPF_SOFTFAIL 0.25
score SPF_FAIL 0.5
score RDNS_NONE 3.5
score RDNS_DYNAMIC 1.6
score HELO_MISC_IP 0.25
score UNPARSEABLE_RELAY 1.0
score FREEMAIL_FORGED_REPLYTO 2.0
score BAYES_00 -1.0
score BAYES_05 -0.5
score BAYES_20 0
score BAYES_40 1.0
score BAYES_50 1.25
#score BAYES_60 3.0
#score BAYES_80 3.5
#score BAYES_90 4.0
#score BAYES_95 4.9
#score BAYES_99 5.0
score MISSING_HEADERS 1.3
score LOTS_OF_MONEY 0.5
score FREEMAIL_FROM 0.5
score DKIM_INVALID 1.0
score MONEY_FRAUD_3 0.75
score MONEY_FRAUD_5 1.0
score MONEY_FRAUD_8 1.25
score UPPERCASE_50_75 2.5
score UPPERCASE_75_100 3.0
# NIX
header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
describe RCVD_IN_NIX_SPAM Listed in NIX-SPAM DNSBL (www.dnsbl.manitu.net)
tflags RCVD_IN_NIX_SPAM net
score RCVD_IN_NIX_SPAM 3.5
# extremely long subjects
header LOCAL_LONG_SUBJECT_250 Subject =~ /^.{250,}/
describe LOCAL_LONG_SUBJECT_250 Subject field is extremely large (>250)
score LOCAL_LONG_SUBJECT_250 3.5
header LOCAL_LONG_SUBJECT_500 Subject =~ /^.{500,}/
describe LOCAL_LONG_SUBJECT_500 Subject field is extremely large (>500)
score LOCAL_LONG_SUBJECT_500 2.1
header LOCAL_SUBJECT_EXCLAMATION Subject =~ /!!!$/
score LOCAL_SUBJECT_EXCLAMATION 2
header LOCAL_EMPTY_SUBJECT Subject =~ /^\s*$/
score LOCAL_EMPTY_SUBJECT 1
body LOCAL_FAKE_OFFICE /180 Sansome Street/
score LOCAL_FAKE_OFFICE 1
# date tld
header LOCAL_DATE_TLD From =~ /\@.*?\.date/i
describe LOCAL_DATE_TLD Sender address is from a .date TLD
score LOCAL_DATE_TLD 1.0
# bitcoin
header __LOCAL_BITCOIN_SUBJ Subject =~ /\b(bitcoin)\b/i
body __LOCAL_BITCOIN_BODY /\b(bitcoin|BTC)\b/i
meta LOCAL_BITCOIN ((__LOCAL_BITCOIN_SUBJ + __LOCAL_BITCOIN_BODY) > 0)
describe LOCAL_BITCOIN Contains bitcoin keywords in body and/or subject
score LOCAL_BITCOIN 1.5
header LOCAL_VIDEO_SUBJECT Subject =~ /\.mp4\b/
score LOCAL_VIDEO_SUBJECT 0.75
meta LOCAL_VIDEO_EXTORTION ((LOCAL_VIDEO_SUBJECT && LOCAL_BITCOIN))
score LOCAL_VIDEO_EXTORTION 1.5
header __LOCAL_ARABIC_STUDENT From =~ /student.*1\./
header __LOCAL_ARABIC_STUDENT_MAILER X-Mailer =~ /^MBM 7\.9-US$/
meta LOCAL_ARABIC_STUDENT (__LOCAL_ARABIC_STUDENT && __LOCAL_ARABIC_STUDENT_MAILER)
score LOCAL_ARABIC_STUDENT 2
header LOCAL_SPAM1 Subject =~ /Reclame sus facturas impagadas/
score LOCAL_SPAM1 2.5
header LOCAL_ANON_HACKER From =~ /(anoniemehacker.club|hackeranonim.top)/
score LOCAL_ANON_HACKER 2.5
# Attachments
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader ZIP_ATTACHED Content-Type =~ /zip/i
describe ZIP_ATTACHED email contains a zip attachment
score ZIP_ATTACHED 1.0
mimeheader MSWORD_ATTACHED Content-Type =~ /ms-?word/i
describe MSWORD_ATTACHED email contains a msword attachment
score MSWORD_ATTACHED 1.0
### whitelist / negative rules for some senders ###
# whitelist abuse reports
header LOCAL_ABUSE_FROM From =~ /abuse@.*/
score LOCAL_ABUSE_FROM -2
header LOCAL_ABUSE_REPLY_TO Reply-To =~ /abuse@.*/
score LOCAL_ABUSE_REPLY_TO -2
header LOCAL_ABUSE_TO To =~ /abuse@.*/
score LOCAL_ABUSE_TO -2
##################################################
# from: https://forum.hetzner.de/thread/24022-spamassassin-filterregel/?postID=243392#post243392
add_header all BL-Results "_RBL_"
### Senderbase Reputation checks (rf.senderbase.org)
header __R_SB_FR eval:check_rbl_txt('rf.senderbase.org-lastexternal','rf.senderbase.org')
describe __R_SB_FR IP reputation of the sender at SenderBase
tflags __R_SB_FR net
reuse __R_SB_FR
header R_SB_R_NEG3 eval:check_rbl_sub('rf.senderbase.org-lastexternal', '^-[3-9]\.')
describe R_SB_R_NEG3 SenderBase Reputation is -3 to -10
score R_SB_R_NEG3 5
reuse R_SB_R_NEG3
header R_SB_R_NEU0 eval:check_rbl_sub('rf.senderbase.org-lastexternal', '^-[0-2]\.')
describe R_SB_R_NEU0 SenderBase Reputation is 0 to -2.9
score R_SB_R_NEU0 2
reuse R_SB_R_NEU0
header R_SB_R_POS1 eval:check_rbl_sub('rf.senderbase.org-lastexternal', '^[0-3]\.')
describe R_SB_R_POS1 SenderBase Reputation is 0 - 2.9
score R_SB_R_POS1 0.1
reuse R_SB_R_POS1
header R_SB_FR_POS3 eval:check_rbl_sub('rf.senderbase.org-lastexternal', '^[3-9]\.')
describe R_SB_FR_POS3 SenderBase Reputation is 3.0 - 9.9
score R_SB_FR_POS3 -0.5
reuse R_SB_FR_POS3
###################################################
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*none \s*(?:;|\z)/x
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*quarantine \s*(?:;|\z)/x
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*reject \s*(?:;|\z)/x
askdns __DMARC_ADKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* adkim\s*=\s*s \s*(?:;|\z)/x
# some common email domains that sign with the author domain
header __DMARC_SIMPLE_DKIM From:addr =~ /\@(?:gmail\.com|yahoo\.(?:com|\w\w|co\.\w\w))$/i
meta __DMARC_TESTS_FAIL !( DKIM_VALID_AU || DKIM_VALID && !__DMARC_ADKIM_S && !__DMARC_SIMPLE_DKIM || __HAS_LIST_ID && DKIM_SIGNED || SPF_PASS)
meta __DMARC_TESTS_PASS DKIM_VALID_AU && SPF_PASS
# TODO: increase scores if testing period is over and was successful
meta DMARC_FAIL_REJECT __DMARC_TESTS_FAIL && __DMARC_POLICY_REJECT
describe DMARC_FAIL_REJECT DMARC validation failed and policy is to reject
score DMARC_FAIL_REJECT 1.5
meta DMARC_FAIL_QUAR __DMARC_TESTS_FAIL && __DMARC_POLICY_QUAR
describe DMARC_FAIL_QUAR DMARC validation failed and policy is quarantine
#score DMARC_FAIL_QUAR 1.0
score DMARC_FAIL_QUAR 0.5
meta DMARC_FAIL_NONE __DMARC_TESTS_FAIL && __DMARC_POLICY_NONE
describe DMARC_FAIL_NONE DMARC validation failed and policy is none
score DMARC_FAIL_NONE 0.25
meta DMARC_PASS_REJECT __DMARC_TESTS_PASS && __DMARC_POLICY_REJECT
describe DMARC_PASS_REJECT DMARC validation passed and policy is to reject
tflags DMARC_PASS_REJECT nice
score DMARC_PASS_REJECT -1.0
meta DMARC_PASS_QUAR __DMARC_TESTS_PASS && __DMARC_POLICY_QUAR
describe DMARC_PASS_QUAR DMARC validation passed and policy is quarantine
tflags DMARC_PASS_QUAR nice
score DMARC_PASS_QUAR -0.5
meta DMARC_PASS_NONE __DMARC_TESTS_PASS && __DMARC_POLICY_NONE
describe DMARC_PASS_NONE DMARC validation passed and policy is none
tflags DMARC_PASS_NONE nice
score DMARC_PASS_NONE -0.1
meta DMARC_REJ_NO_DKIM __DMARC_POLICY_REJECT && !DKIM_SIGNED
describe DMARC_REJ_NO_DKIM DMARC policy is reject without any DKIM signatures
score DMARC_REJ_NO_DKIM 1.0
meta DMARC_QUAR_NO_DKIM __DMARC_POLICY_QUAR && !DKIM_SIGNED
describe DMARC_QUAR_NO_DKIM DMARC policy is quarantine without any DKIM signatures
score DMARC_QUAR_NO_DKIM 1.0
# some temporary informational rules
meta T_DMARC_TESTS_FAIL __DMARC_TESTS_FAIL
meta T_DMARC_TESTS_PASS __DMARC_TESTS_PASS
meta T_DMARC_POLICY_NONE __DMARC_POLICY_NONE
meta T_DMARC_POLICY_QUAR __DMARC_POLICY_QUAR
meta T_DMARC_POLICY_REJECT __DMARC_POLICY_REJECT
meta T_DMARC_ADKIM_STRICT __DMARC_ADKIM_STRICT
meta T_DMARC_SIMPLE_DKIM __DMARC_SIMPLE_DKIM
endif


@ -1,135 +0,0 @@
## English language spam rules
# cancer stuff
header __LOCAL_DISEASE_SUBJ Subject =~ /\b(cancer|ill|doctor|survive|disease|illness|admitted|hospital)\b/i
body __LOCAL_DISEASE_BODY /\b(cancer|ill|doctor|survive|disease|illness|admitted|hospital)\b/i
meta LOCAL_DISEASE ((__LOCAL_DISEASE_SUBJ + __LOCAL_DISEASE_BODY) > 0)
describe LOCAL_DISEASE Contains disease keywords in body and/or subject
score LOCAL_DISEASE 1.5
# charity stuff
header __LOCAL_CHARITY_SUBJ Subject =~ /\b(charity|donation|donate|humanity|orphan|orphanage|widow)\b/i
body __LOCAL_CHARITY_BODY /\b(charity|donation|donate|humanity|orphan|orphanage|widow)\b/i
meta LOCAL_CHARITY ((__LOCAL_CHARITY_SUBJ + __LOCAL_CHARITY_BODY) > 0)
describe LOCAL_CHARITY Contains charity or donate keywords in body and/or subject
score LOCAL_CHARITY 1.5
# fake business inquiries/agreements
header __LOCAL_FAKEBUSINESS_SUBJ Subject =~ /\b(mutual|business|agreement|offer|special|proposal|brand|affordable|marketing|services|development)\b/i
body __LOCAL_FAKEBUSINESS_BODY /\b(mutual|business|agreement|offer|special|proposal|brand|affordable|marketing|services|development)\b/i
meta LOCAL_FAKEBUSINESS ((__LOCAL_FAKEBUSINESS_SUBJ + __LOCAL_FAKEBUSINESS_BODY) > 0)
describe LOCAL_FAKEBUSINESS Contains fake business keywords in body and/or subject
score LOCAL_FAKEBUSINESS 0.5
# delivery notifications
header LOCAL_ITEM_DELIVERY Subject =~ /Item Delivery Notification/
score LOCAL_ITEM_DELIVERY 2.5
header __LOCAL_PARCEL Subject =~ /\bparcel\b/i
header __LOCAL_PACKAGE Subject =~ /\bpackage\b/i
header __LOCAL_DELIVERY Subject =~ /\bdelivery?\b/i
meta LOCAL_PARCEL_DELIVERY ((__LOCAL_PARCEL || __LOCAL_PACKAGE) && __LOCAL_DELIVERY)
describe LOCAL_PARCEL_DELIVERY Subject contains words delivery? and parcel or package
score LOCAL_PARCEL_DELIVERY 1.0
header LOCAL_PACKAGE_DELIVERY Subject =~ /Package Delivery( Notification|!!!)/
score LOCAL_PACKAGE_DELIVERY 2.5
# company documents
header LOCAL_COMPANY_DOC Subject =~ /Company Documents/
score LOCAL_COMPANY_DOC 2.5
header LOCAL_XEROX_1 Subject =~ /Scanned Image from a Xerox WorkCentre/
score LOCAL_XEROX_1 5
header LOCAL_AUDIO_TRANSCRIP Subject =~ /Audio Transcription Service Provider/
score LOCAL_AUDIO_TRANSCRIP 3
body LOCAL_SECURE_PAYMENT /Secure Online Payment/
score LOCAL_SECURE_PAYMENT 1
body LOCAL_SEO /This domain seo registration for .* search engine service optimization notification will expire/
score LOCAL_SEO 1.5
body LOCAL_MYNAME /My name is .*, please reply me\./
score LOCAL_MYNAME 2.5
header LOCAL_LOTTERY Subject =~ /\bLottery\b/i
score LOCAL_LOTTERY 0.2
header LOCAL_WINNER Subject =~ /\bWinner\b/i
score LOCAL_WINNER 0.2
meta LOCAL_LOTTERY_WINNER (LOCAL_LOTTERY && LOCAL_WINNER)
score LOCAL_LOTTERY_WINNER 1.2
body LOCAL_BANK_ALERT /\bbank(ing)? alert\b/i
score LOCAL_BANK_ALERT 2
header LOCAL_URGENT_SUBJECT Subject =~ /\burgent\b/i
score LOCAL_URGENT_SUBJECT 1
body __LOCAL_FUNDS_1 /\bfunds?\b/i
body __LOCAL_FUNDS_2 /\bconfirm(ation)?\b/i
body __LOCAL_FUNDS_3 /\bserious loan\b/i
meta LOCAL_FUNDS (__LOCAL_FUNDS_1 && (__LOCAL_FUNDS_2 || __LOCAL_FUNDS_3))
score LOCAL_FUNDS 1.5
body LOCAL_INVESTMENT_1 /,regarding my investment proposal\.\?/i
score LOCAL_INVESTMENT_1 4
header LOCAL_LOAN Subject =~ /\bloan\b/i
score LOCAL_LOAN 0.5
header LOCAL_APPLY_NOW Subject =~ /\bapply now\b/i
score LOCAL_APPLY_NOW 1
header LOCAL_APPROVED Subject =~ /^APPROVED!$/
score LOCAL_APPROVED 5
body LOCAL_BINARY_OPTIONS /Binary Options Success Network/
score LOCAL_BINARY_OPTIONS 3
body LOCAL_RIVER /Try River Team for FREE for 3 days/
score LOCAL_RIVER 3
header LOCAL_DEAR_BELOVED Subject =~ /Dear Beloved One,/
score LOCAL_DEAR_BELOVED 1.8
body LOCAL_BUSINESS_JOURNAL /got your email from a business web journal/
score LOCAL_BUSINESS_JOURNAL 3
body LOCAL_BOGUS_OFFER /We are currently expanding our global presence and portfolio by/
score LOCAL_BOGUS_OFFER 3.5
body LOCAL_MASTRUBATION /\bmasturbation\b/i
score LOCAL_MASTRUBATION 2
body LOCAL_VISIT_POLICE /You саn visit police but nobody will help you/i
score LOCAL_VISIT_POLICE 2
body LOCAL_BITCOINT_PAYMENT /waiting for your Bitcoin payment/i
score LOCAL_BITCOINT_PAYMENT 1
body LOCAL_TRY_TO_CHEAT /Do not try to cheat me/i
score LOCAL_TRY_TO_CHEAT 1.5
body LOCAL_HI_PERV /Hi perv,/
score LOCAL_HI_PERV 2
body LOCAL_CONTACT_INFO /We provide Business executive contact information/
score LOCAL_CONTACT_INFO 2
body LOCAL_CONTACT_INFO_LIST_TECH /Technology specific Lists/i
score LOCAL_CONTACT_INFO_LIST_TECH 0.5
body LOCAL_CONTACT_INFO_LIST_IND /Industry Specific Lists/i
score LOCAL_CONTACT_INFO_LIST_IND 0.5
body LOCAL_CONTACT_INFO_LIST_TITLE /Title Specific Lists/i
score LOCAL_CONTACT_INFO_LIST_TITLE 0.5
body LOCAL_CONTACT_INFO_DB_ORGA /We are a database organization/i
score LOCAL_CONTACT_INFO_DB_ORGA 0.5


@ -27,7 +27,7 @@ unit_whitelist_regexes = [
r'quassel.service',
r'security-tracker-update.service',
r'syslog-ng@.*.service',
r'spampd.service',
r'rspamd.service',
r'sshd.service',
r'svnserve.service',
r'synapse.service',
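Review bot: `redis.service` is now enabled on every host that gets the rspamd role, through the role dependency, but the visible part of `unit_whitelist_regexes` only swaps `spampd.service` for `rspamd.service`. If this list decides which running units are expected, `r'redis.service',` probably needs adding as well. The list continues outside the hunk, so it may already be there. As a smaller style point, the entries are regexes with unescaped dots, so `r'rspamd\.service'` would match only the intended unit name.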