Explorar el Código

Partially working Rspamd replacement for dspam

Alex Payne hace 9 años
padre
commit
ecaa4c2330

+ 3
- 3
README.md Ver fichero

@@ -26,10 +26,10 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
26 26
 -   An RSS Reader via [Selfoss](http://selfoss.aditu.de/).
27 27
 -   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
28 28
 -   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
29
--   Spam fighting via [DSPAM](http://dspam.sourceforge.net/) and [Postgrey](http://postgrey.schweikert.ch/).
30
--   Mail server verification via [OpenDKIM](http://www.opendkim.org/), so folks know you’re legit.
29
+-   Spam fighting via [Rspamd](https://www.rspamd.com/) and [Postgrey](http://postgrey.schweikert.ch/).
30
+-   Mail server verification via [OpenDKIM](http://www.opendkim.org/) and [OpenDMARC](http://www.trusteddomain.org/opendmarc/) so the Internet knows your mailserver is legit.
31 31
 -   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [ownCloud](http://owncloud.org/).
32
--   Your own private [Dropbox](https://www.dropbox.com/), also via [ownCloud](http://owncloud.org/).
32
+-   Your own private storage cloud via [ownCloud](http://owncloud.org/).
33 33
 -   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).
34 34
 -   An IRC bouncer via [ZNC](http://wiki.znc.in/ZNC).
35 35
 -   [Monit](http://mmonit.com/monit/) to keep everything running smoothly (and alert you when it’s not).

+ 0
- 13
roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf Ver fichero

@@ -7,19 +7,6 @@
7 7
 # their configuration. Note that %variable expansion is done for all values.
8 8
 
9 9
 plugin {
10
-  # Antispam (DSPAM)
11
-  antispam_backend = dspam
12
-  antispam_allow_append_to_spam = YES
13
-  antispam_spam = Spam;Junk
14
-  antispam_trash = trash;Trash
15
-  antispam_signature = X-DSPAM-Signature
16
-  antispam_signature_missing = error
17
-  antispam_dspam_binary = /usr/bin/dspam
18
-  antispam_dspam_args = --user;%u;--deliver=;--source=error
19
-  antispam_dspam_spam = --class=spam
20
-  antispam_dspam_notspam = --class=innocent
21
-  antispam_dspam_result_header = X-DSPAM-Result
22
-
23 10
   # FTS (full text search with Solr)
24 11
   fts = solr
25 12
   fts_solr = break-imap-search url=http://localhost:8080/solr/

+ 0
- 43
roles/mailserver/files/etc_dspam_default.prefs Ver fichero

@@ -1,43 +0,0 @@
1
-# $Id: default.prefs,v 1.2 2011/04/19 07:17:03 sbajic Exp $
2
-# default.prefs v3.2
3
-# Default preferences for DSPAM
4
-
5
-# This file serves two purposes. First, it sets the default preferences each
6
-# user will see when using the preferences section of the DSPAM Control
7
-# Center. Second, it may be symbolically linked (or copied) into DSPAM_HOME to
8
-# set the system-wide default preferences, overriding any commandline or
9
-# dspam.conf parameters. If symlinked, an administrator can edit these options 
10
-# in the DSPAM Administrative Suite.
11
-
12
-# Training Mode: TEFT, TOE, TUM, NOTRAIN
13
-trainingMode=TEFT
14
-
15
-# Spam Action: quarantine, tag, deliver
16
-spamAction=deliver         # { quarantine | tag | deliver } -> default:quarantine
17
-
18
-# Spam Subject: the text to be prepended onto the subject line of tagged spams
19
-spamSubject=[SPAM]
20
-
21
-# Bayesian Noise Reduction: on/off
22
-enableBNR=on
23
-
24
-# Automatic Whitelisting: on/off
25
-enableWhitelist=on
26
-
27
-# Statistical Sedation: 0-10
28
-statisticalSedation=5
29
-
30
-# Signature Location: message, headers, attachment
31
-signatureLocation=headers
32
-
33
-# Whitelist Threshold: the minimum number of innocent hits from a recipient to
34
-# be automatically whitelisted. Do not set this value too low!
35
-whitelistThreshold=10
36
-
37
-# showFactors: when set to on, the determining factors for each message will
38
-# be added to a X-DSPAM-Factors message header.
39
-showFactors=on
40
-
41
-# optIn/optOut: Depending on the opt mode set, you can also use one of these.
42
-#optIn=on
43
-#optOut=off

+ 0
- 699
roles/mailserver/files/etc_dspam_dspam.conf Ver fichero

@@ -1,699 +0,0 @@
1
-## $Id: dspam.conf.in,v 1.100 2011/07/09 00:00:52 sbajic Exp $
2
-## dspam.conf -- DSPAM configuration file
3
-##
4
-
5
-#
6
-# DSPAM Home: Specifies the base directory to be used for DSPAM storage
7
-#
8
-Home /decrypted/dspam
9
-
10
-#
11
-# StorageDriver: Specifies the storage driver backend (library) to use.
12
-# You'll only need to set this if you are using dynamic storage driver plugins
13
-# from a binary distribution. The default build statically links the storage
14
-# driver (when only one is specified at configure time), overriding this
15
-# setting, which only comes into play if multiple storage drivers are specified
16
-# at configure time. When using dynamic linking, be sure to include the path
17
-# to the library if necessary, and some systems may use an extension other
18
-# than .so (e.g. OSX uses .dylib).
19
-#
20
-# Options include:
21
-#
22
-#   libmysql_drv.so     libpgsql_drv.so
23
-#   libsqlite3_drv.so   libhash_drv.so
24
-#
25
-# IMPORTANT: Switching storage drivers requires more than merely changing
26
-# this option. If you do not wish to lose all of your data, you will need to
27
-# migrate it to the new backend before making this change.
28
-#
29
-StorageDriver /usr/lib/x86_64-linux-gnu/dspam/libhash_drv.so
30
-
31
-#
32
-# Trusted Delivery Agent: Specifies the local delivery agent DSPAM should call
33
-# when delivering mail as a trusted user. Use %u to specify the user DSPAM is
34
-# processing mail for. It is generally a good idea to allow the MTA to specify
35
-# the pass-through arguments at run-time, but they may also be specified here.
36
-#
37
-# Most operating system defaults:
38
-#TrustedDeliveryAgent "/usr/bin/procmail"       # Linux
39
-#TrustedDeliveryAgent "/usr/bin/mail"           # Solaris
40
-#TrustedDeliveryAgent "/usr/libexec/mail.local" # FreeBSD
41
-#TrustedDeliveryAgent "/usr/bin/procmail"       # Cygwin
42
-#
43
-# Other popular configurations:
44
-#TrustedDeliveryAgent "/usr/cyrus/bin/deliver"	# Cyrus
45
-#TrustedDeliveryAgent "/bin/maildrop"		# Maildrop
46
-#TrustedDeliveryAgent "/usr/local/sbin/exim -oMr spam-scanned -oi" # Exim
47
-#
48
-TrustedDeliveryAgent "/usr/sbin/sendmail"
49
-
50
-#
51
-# Untrusted Delivery Agent: Specifies the local delivery agent and arguments
52
-# DSPAM should use when delivering mail and running in untrusted user mode.
53
-# Because DSPAM will not allow pass-through arguments to be specified to
54
-# untrusted users, all arguments should be specified here. Use %u to specify
55
-# the user DSPAM is processing mail for. This configuration parameter is only
56
-# necessary if you plan on allowing untrusted processing.
57
-#
58
-UntrustedDeliveryAgent "/usr/lib/dovecot/deliver -d %u"
59
-
60
-#
61
-# SMTP or LMTP Delivery: Alternatively, you may wish to use SMTP or LMTP
62
-# delivery to deliver your message to the mail server instead of using a
63
-# delivery agent. You will need to configure with --enable-daemon to use host
64
-# delivery, however you do not need to operate in daemon mode. Specify an IP
65
-# address or UNIX path to a domain socket below as a host.
66
-#
67
-# If you would like to set up DeliveryHost's on a per-domain basis, use
68
-# the syntax: DeliveryHost.domain.com 1.2.3.4
69
-#
70
-#DeliveryHost		127.0.0.1
71
-#DeliveryPort		2424
72
-#DeliveryIdent		localhost
73
-#DeliveryProto		LMTP
74
-
75
-#
76
-# FallbackDomains: If you want to specify certain domains as fallback domains,
77
-# enable this option. For example, you could create a user @domain.com, and
78
-# if bob@domain.com does not resolve to a known user on the system, the user
79
-# could default to your @domain.com user. NOTE: This also requires designating
80
-# fallbackDomain for the domain name;
81
-# e.g. dspam_admin ch pref domain.com fallbackDomain on
82
-#
83
-#FallbackDomains on
84
-
85
-#
86
-# Quarantine Agent: DSPAM's default behavior is to quarantine all mail it
87
-# thinks is spam. If you wish to override this behavior, you may specify
88
-# a quarantine agent which will be called with all messages DSPAM thinks is
89
-# spam. Use %u to specify the user DSPAM is processing mail for.
90
-#
91
-#QuarantineAgent	"/usr/bin/procmail -d spam"
92
-
93
-#
94
-# DSPAM can optionally process "plused users" (addresses in the user+detail
95
-# form) by truncating the username just before the "+", so all internal
96
-# processing occurs for "user", but delivery will be performed for
97
-# "user+detail". This is only useful if the LDA can handle "plused users"
98
-# (for example Cyrus IMAP) and when configured for LMTP delivery above
99
-#
100
-#EnablePlusedDetail	on
101
-
102
-#
103
-# Character to use as seperator between user names and address extensions.
104
-# If you change this value then please adjust QuarantineMailbox to use the
105
-# new specified character. The default is '+'.
106
-#
107
-#PlusedCharacter	+
108
-
109
-#
110
-# Turn this feature on if you want to force DSPAM to lowercase the "plused
111
-# users" username.
112
-#
113
-#PlusedUserLowercase	on
114
-
115
-#
116
-# Quarantine Mailbox: DSPAM's LMTP code can send spam mail using LMTP to a
117
-# "plused" mailbox (such as user+quarantine) leaving quarantine processing
118
-# for retraining or deletion to be performed by the LDA and the mail client.
119
-# "plused" mailboxes are supported by Cyrus IMAP and possibly other LDAs. If
120
-# you don't set/change PlusedCharacter then the mailbox name must have the +
121
-# since the + is the default used character.
122
-#
123
-#QuarantineMailbox	+quarantine
124
-
125
-#
126
-# OnFail: What to do if local delivery or quarantine should fail. If set
127
-# to "unlearn", DSPAM will unlearn the message prior to exiting with an
128
-# un successful return code. The default option, "error" will not unlearn
129
-# the message but return the appropriate error code. The unlearn option
130
-# is use-ful on some systems where local delivery failures will cause the
131
-# message to be requeued for delivery, and could result in the message
132
-# being processed multiple times. During a very large failure, however,
133
-# this could cause a significant load increase.
134
-#
135
-OnFail error
136
-
137
-#
138
-# Trusted Users: Only the users specified below will be allowed to perform
139
-# administrative functions in DSPAM such as setting the active user and
140
-# accessing tools. All other users attempting to run DSPAM will be restricted;
141
-# their uids will be forced to match the active username and they will not be
142
-# able to specify delivery agent privileges or use tools.
143
-#
144
-Trust root
145
-Trust dspam
146
-Trust www-data
147
-Trust mail
148
-Trust daemon
149
-Trust amavis
150
-Trust vmail
151
-#Trust nobody
152
-#Trust majordomo
153
-
154
-#
155
-# Debugging: Enables debugging for some or all users. IMPORTANT: DSPAM must
156
-# be compiled with debug support in order to use this option. DSPAM should
157
-# never be running in production with debug active unless you are
158
-# troubleshooting problems.
159
-#
160
-# DebugOpt: One or more of: process, classify, spam, fp, inoculation, corpus
161
-#   process     standard message processing
162
-#   classify    message classification using --classify
163
-#   spam        error correction of missed spam
164
-#   fp          error correction of false positives
165
-#   inoculation message inoculations (source=inoculation)
166
-#   corpus      corpusfed messages (source=corpus)
167
-#
168
-#Debug *
169
-#Debug bob bill
170
-#
171
-#DebugOpt process spam fp
172
-
173
-#
174
-# ClassAlias: Alias a particular class to spam/nonspam. This is useful if
175
-# classifying things other than spam.
176
-#
177
-#ClassAliasSpam badstuff
178
-#ClassAliasNonspam goodstuff
179
-
180
-#
181
-# Training Mode: The default training mode to use for all operations, when
182
-# one has not been specified on the commandline or in the user's preferences.
183
-# Acceptable values are:
184
-#     toe     Train on Error (Only)
185
-#     teft    Train Everything (Trains on every message)
186
-#     tum     Train Until Mature (Train only tokens without enough data)
187
-#     notrain Do not train or store signatures (large ISP systems, post-train)
188
-#
189
-TrainingMode teft
190
-
191
-#
192
-# TestConditionalTraining: By default, dspam will retrain certain errors
193
-# until the condition is no longer met. This usually accelerates learning.
194
-# Some people argue that this can increase the risk of errors, however.
195
-#
196
-TestConditionalTraining on
197
-
198
-#
199
-# Features: Specify features to activate by default; can also be specified
200
-# on the commandline. See the documentation for a list of available features.
201
-# If _any_ features are specified on the commandline, these are ignored.
202
-#
203
-#Feature noise
204
-Feature whitelist
205
-
206
-# Training Buffer: The training buffer waters down statistics during training.
207
-# It is designed to prevent false positives, but can also dramatically reduce
208
-# dspam's catch rate during initial training. This can be a number from 0
209
-# (no buffering) to 10 (maximum buffering). If you are paranoid about false
210
-# positives, you should probably enable this option.
211
-#
212
-#Feature tb=5
213
-
214
-#
215
-# Algorithms: Specify the statistical algorithms to use, overriding any
216
-# defaults configured in the build. The options are:
217
-#    naive       Naive-Bayesian (All Tokens)
218
-#    graham      Graham-Bayesian ("A Plan for Spam")
219
-#    burton      Burton-Bayesian (SpamProbe)
220
-#    robinson    Robinson's Geometric Mean Test (Obsolete)
221
-#    chi-square  Fisher-Robinson's Chi-Square Algorithm
222
-#
223
-# You may have multiple algorithms active simultaneously, but it is strongly
224
-# recommended that you group Bayesian algorithms with other Bayesian
225
-# algorithms, and any use of Chi-Square remain exclusive.
226
-#
227
-# NOTE: For standard "CRM114" Markovian weighting, use 'naive', or consider
228
-#       using 'burton' for slightly better accuracy
229
-#
230
-# Don't mess with this unless you know what you're doing
231
-#
232
-#Algorithm chi-square
233
-#Algorithm naive
234
-Algorithm graham burton
235
-
236
-#
237
-# Tokenizer: Specify the tokenizer to use. The tokenizer is the piece
238
-# responsible for parsing the message into individual tokens. Depending on
239
-# how many resources you are willing to trade off vs. accuracy, you may
240
-# choose to use a less or more detailed tokenizer:
241
-#   word    uniGram (single word) tokenizer
242
-#           Tokenizes message into single individual words/tokens
243
-#           example: "free" and "viagra"
244
-#   chain   biGram (chained tokens) tokenizer (default)
245
-#           Single words + chains adjacent tokens together
246
-#           example: "free" and "viagra" and "free viagra"
247
-#   sbph    Sparse Binary Polynomial Hashing tokenizer
248
-#           Creates sparse token patterns across sliding window of 5-tokens
249
-#           example: "the quick * fox jumped" and "the * * fox jumped"
250
-#   osb     Orthogonal Sparse biGram tokenizer
251
-#           Similar to SBPH, but only uses the biGrams
252
-#           example: "the * * fox" and "the * * * jumped"
253
-#
254
-# In general the reccomendation is to use 'osb' for new installations.
255
-# The default value of 'chain' remains here as not to surprise anyone upgrading
256
-# that has not changed from the default value.
257
-#
258
-Tokenizer chain
259
-
260
-#
261
-# PValue: Specify the technique used for calculating Probability Values,
262
-# overriding any defaults configured in the build. These options are:
263
-#    bcr         Bayesian Chain Rule (Graham's Technique - "A Plan for Spam")
264
-#    robinson    Robinson's Technique (used in Chi-Square)
265
-#    markov      Markovian Weighted Technique (for Markovian discrimination)
266
-#
267
-# Unlike the "Algorithms" property, you may only have one of these defined.
268
-# Use of the chi-square algorithm automatically changes this to robinson.
269
-#
270
-# Don't mess with this unless you know what you're doing.
271
-#
272
-#PValue robinson
273
-#PValue markov
274
-PValue bcr
275
-
276
-#
277
-# WebStats: Enable this if you are using the CGI, which writes .stats files
278
-WebStats on
279
-
280
-#
281
-# ImprobabilityDrive: Calculate odds-ratios for ham/spam, and add to
282
-# X-DSPAM-Improbability headers
283
-#
284
-#ImprobabilityDrive on
285
-
286
-#
287
-# Preferences: Specify any preferences to set by default, unless otherwise
288
-# overridden by the user (see next section) or a default.prefs file.
289
-# If user or default.prefs are found, the user's preferences will override any
290
-# defaults.
291
-#
292
-Preference "trainingMode=TEFT"		# { TOE | TUM | TEFT | NOTRAIN } -> default:teft
293
-Preference "spamAction=tag"		# { quarantine | tag | deliver } -> default:quarantine
294
-Preference "spamSubject=[SPAM]"		# { string } -> default:[SPAM]
295
-Preference "statisticalSedation=5"	# { 0 - 10 } -> default:0
296
-Preference "enableBNR=on"		# { on | off } -> default:off
297
-Preference "enableWhitelist=on"		# { on | off } -> default:on
298
-Preference "signatureLocation=headers"	# { message | headers } -> default:message
299
-Preference "tagSpam=off"		# { on | off }
300
-Preference "tagNonspam=off"		# { on | off }
301
-Preference "showFactors=off"		# { on | off } -> default:off
302
-Preference "optIn=off"			# { on | off }
303
-Preference "optOut=off"			# { on | off }
304
-Preference "whitelistThreshold=10"	# { Integer } -> default:10
305
-Preference "makeCorpus=off"		# { on | off } -> default:off
306
-Preference "storeFragments=off"		# { on | off } -> default:off
307
-Preference "localStore="		# { on | off } -> default:username
308
-Preference "processorBias=on"		# { on | off } -> default:on
309
-Preference "fallbackDomain=off"		# { on | off } -> default:off
310
-Preference "trainPristine=off"		# { on | off } -> default:off
311
-Preference "optOutClamAV=off"		# { on | off } -> default:off
312
-Preference "ignoreRBLLookups=off"	# { on | off } -> default:off
313
-Preference "RBLInoculate=off"		# { on | off } -> default:off
314
-Preference "notifications=off"		# { on | off } -> default:off
315
-
316
-#
317
-# Overrides: Specifies the user preferences which may override configuration
318
-# and commandline defaults. Any other preferences supplied by an untrusted user
319
-# will be ignored.
320
-#
321
-AllowOverride enableBNR
322
-AllowOverride enableWhitelist
323
-AllowOverride fallbackDomain
324
-AllowOverride ignoreGroups
325
-AllowOverride ignoreRBLLookups
326
-AllowOverride localStore
327
-AllowOverride makeCorpus
328
-AllowOverride optIn
329
-AllowOverride optOut
330
-AllowOverride optOutClamAV
331
-AllowOverride processorBias
332
-AllowOverride RBLInoculate
333
-AllowOverride showFactors
334
-AllowOverride signatureLocation
335
-AllowOverride spamAction
336
-AllowOverride spamSubject
337
-AllowOverride statisticalSedation
338
-AllowOverride storeFragments
339
-AllowOverride tagNonspam
340
-AllowOverride tagSpam
341
-AllowOverride trainPristine
342
-AllowOverride trainingMode
343
-AllowOverride whitelistThreshold
344
-AllowOverride dailyQuarantineSummary
345
-AllowOverride notifications
346
-
347
-# --- Profiles ---
348
-
349
-#
350
-# You can specify multiple storage profiles, and specify the server to
351
-# use on the commandline with --profile. For example:
352
-#
353
-#Profile DECAlpha
354
-#MySQLServer.DECAlpha	10.0.0.1
355
-#MySQLPort.DECAlpha	3306
356
-#MySQLUser.DECAlpha	dspam
357
-#MySQLPass.DECAlpha	changeme
358
-#MySQLDb.DECAlpha	dspam
359
-#MySQLCompress.DECAlpha	true
360
-#MySQLReconnect.DECAlpha	true
361
-#
362
-#Profile Sun420R
363
-#MySQLServer.Sun420R	10.0.0.2
364
-#MySQLPort.Sun420R	3306
365
-#MySQLUser.Sun420R	dspam
366
-#MySQLPass.Sun420R	changeme
367
-#MySQLDb.Sun420R	dspam
368
-#MySQLCompress.Sun420R	false
369
-#MySQLReconnect.Sun420R	true
370
-#
371
-#DefaultProfile	DECAlpha
372
-
373
-#
374
-# If you're using storage profiles, you can set failovers for each profile.
375
-# Of course, if you'll be failing over to another database, that database
376
-# must have the same information as the first. If you're using a global
377
-# database with no training, this should be relatively simple. If you're
378
-# configuring per-user data, however, you'll need to set up some type of
379
-# replication between databases.
380
-#
381
-#Failover.DECAlpha	SUN420R
382
-#Failover.Sun420R	DECAlpha
383
-
384
-# If the storage fails, the agent will follow each profile's failover up to
385
-# a maximum number of failover attempts. This should be set to a maximum of
386
-# the number of profiles you have, otherwise the agent could loop and try
387
-# the same profile multiple times (unless this is your desired behavior).
388
-#
389
-#FailoverAttempts	1
390
-
391
-#
392
-# Ignored headers: If DSPAM is behind other tools which may add a header to
393
-# incoming emails, it may be beneficial to ignore these headers - especially
394
-# if they are coming from another spam filter. If you are _not_ using one of
395
-# these tools, however, leaving the appropriate headers commented out will
396
-# allow DSPAM to use them as telltale signs of forged email.
397
-#
398
-#IgnoreHeader X-Spam-Status
399
-#IgnoreHeader X-Spam-Scanned
400
-#IgnoreHeader X-Virus-Scanner-Result
401
-
402
-#
403
-# Lookup: Perform lookups on streamlined blackhole list servers (see
404
-# http://www.nuclearelephant.com/projects/sbl/). The streamlined blacklist
405
-# server is machine-automated, unsupervised blacklisting system designed to
406
-# provide real-time and highly accurate blacklisting based on network spread.
407
-# When performing a lookup, DSPAM will automatically learn the inbound message
408
-# as spam if the source IP is listed. Until an official public RABL server is
409
-# available, this feature is only useful if you are running your own
410
-# streamlined blackhole list server for internal reporting among multiple mail
411
-# servers. Provide the name of the lookup zone below to use.
412
-#
413
-# This function performs standard reverse-octet.domain lookups, and while it
414
-# will function with many RBLs, it's strongly discouraged to use those
415
-# maintained by humans as they're often inaccurate and could hurt filter
416
-# learning and accuracy.
417
-#
418
-#Lookup		"sbl.yourdomain.com"
419
-
420
-#
421
-# RBLInoculate: If you want to inoculate the user from RBL'd messages it would
422
-# have otherwise missed, set this to on.
423
-#
424
-#RBLInoculate	off
425
-
426
-#
427
-# Notifications: Enable the sending of notification emails to users (first
428
-# message, quarantine full, etc.)
429
-#
430
-Notifications	off
431
-
432
-#
433
-# QuarantineWarnSize: You may specify a size when DSPAM should send a "Quarantine
434
-# Full" message to each user. This is only working if you enable notifications
435
-# (see above). Value is in bytes. Default is 2097152 -> 2MB.
436
-#
437
-#QuarantineWarnSize 2097152
438
-
439
-#
440
-# Purge configuration: Set dspam_clean purge default options, if not otherwise
441
-# specified on the commandline
442
-#
443
-PurgeSignatures 14	# Stale signatures
444
-PurgeNeutral	90	# Tokens with neutralish probabilities
445
-PurgeUnused	90	# Unused tokens
446
-PurgeHapaxes	30	# Tokens with less than 5 hits (hapaxes)
447
-PurgeHits1S	15	# Tokens with only 1 spam hit
448
-PurgeHits1I	15	# Tokens with only 1 innocent hit
449
-
450
-#
451
-# Purge configuration for SQL-based installations using purge.sql
452
-#
453
-#PurgeSignature	off	# Specified in purge.sql
454
-#PurgeNeutral	90
455
-#PurgeUnused	off	# Specified in purge.sql
456
-#PurgeHapaxes	off	# Specified in purge.sql
457
-#PurgeHits1S	off	# Specified in purge.sql
458
-#PurgeHits1I	off	# Specified in purge.sql
459
-
460
-#
461
-# Local Mail Exchangers: Used for source address tracking, tells DSPAM which
462
-# mail exchangers are local and therefore should be ignored in the Received:
463
-# header when tracking the source of an email. Note: you should use the address
464
-# of the host as appears between brackets [ ] in the Received header.
465
-# By default DSPAM is considering the following IPs always as LocalMX:
466
-#	10.0.0.0/8	- Private IP addresses (RFC 1918)
467
-#	127.0.0.0/8	- Localhost Loopback Address (RFC 1700)
468
-#	169.254.0.0/16	- Zeroconf / APIPA (RFC 3330)
469
-#	172.16.0.0/12	- Private IP addresses (RFC 1918)
470
-#	192.168.0.0/16	- Private IP addresses (RFC 1918)
471
-#
472
-LocalMX 127.0.0.1
473
-
474
-#
475
-# Logging: Disabling logging for users will make usage graphs unavailable to
476
-# them. Disabling system logging will make admin graphs unavailable.
477
-#
478
-SystemLog	on
479
-UserLog		on
480
-
481
-#
482
-# TrainPristine: for systems where the original message remains server side
483
-# and can therefore be presented in pristine format for retraining. This option
484
-# will cause DSPAM to cease all writing of signatures and DSPAM headers to the
485
-# message, and deliver the message in as pristine format as possible. This mode
486
-# REQUIRES that the original message in its pristine format (as of delivery)
487
-# be presented for retraining, as in the case of webmail, imap, or other
488
-# applications where the message is actually kept server-side during reading,
489
-# and is preserved. DO NOT use this switch unless the original message can be
490
-# presented for retraining with the ORIGINAL HEADERS and NO MODIFICATIONS.
491
-#
492
-# NOTE: You can't use this setting with dspam_trian; if you're going to use it,
493
-#       wait until after you train any corpora.
494
-#
495
-#TrainPristine on
496
-
497
-#
498
-# Opt: in or out; determines DSPAM's default filtering behavior. If this value
499
-# is set to in, users must opt-in to filtering by dropping a .dspam file in
500
-# /var/dspam/opt-in/user.dspam (or if you have homedirs configured, a .dspam
501
-# folder in their home directory).  The default is opt-out, which means all
502
-# users will be filtered unless a .nodspam file is dropped in
503
-# /var/dspam/opt-out/user.nodspam
504
-#
505
-Opt out
506
-
507
-#
508
-# TrackSources: specify which (if any) source addresses to track and report
509
-# them to syslog (mail.info). This is useful if you're running a firewall or
510
-# blacklist and would like to use this information. Spam reporting also drops
511
-# RABL blacklist files (see http://www.nuclearelephant.com/projects/rabl/).
512
-#
513
-#TrackSources spam nonspam virus
514
-
515
-#
516
-# ParseToHeaders: In lieu of setting up individual aliases for each user,
517
-# DSPAM can be configured to automatically parse the To: address for spam and
518
-# false positive forwards. From there, it can be configured to either set the
519
-# DSPAM user based on the username specified in the header and/or change the
520
-# training class and source accordingly. The options below can be used to
521
-# customize most common types of header parsing behavior to avoid the need for
522
-# multiple aliases, or if using LMTP, aliases entirely..
523
-#
524
-# ParseToHeader: Parse the To: headers of an incoming message. This must be
525
-#                set to 'on' to use either of the following features.
526
-#
527
-# ChangeModeOnParse: Automatically change the class (to spam or innocent)
528
-#   depending on whether spam- or notspam- was specified, and change the source
529
-#   to 'error'. This is convenient if you're not using aliases at all, but
530
-#   are delivering via LMTP.
531
-#
532
-# ChangeUserOnParse: Automatically change the username to match that specified
533
-#   in the To: header. For example, spam-bob@domain.tld will set the username
534
-#   to bob, ignoring any --user passed in. This may not always be desirable if
535
-#   you are using virtual email addresses as usernames. Options:
536
-#     on or user	take the portion before the @ sign only
537
-#     full		take everything after the initial {spam,notspam}-.
538
-#
539
-#ParseToHeaders on
540
-#ChangeModeOnParse on
541
-#ChangeUserOnParse on
542
-
543
-#
544
-# Broken MTA Options: Some MTAs don't support the proper functionality
545
-# necessary. In these cases you can activate certain features in DSPAM to
546
-# compensate. 'returnCodes' causes DSPAM to return an exit code of 99 if
547
-# the message is spam, 0 if not, or a negative code if an error has occured.
548
-# Specifying 'case' causes DSPAM to force the input usernames to lowercase.
549
-# Specifying 'lineStripping' causes DSPAM to strip ^M's from messages passed
550
-# in.
551
-#
552
-#Broken returnCodes
553
-#Broken case
554
-#Broken lineStripping
555
-
556
-#
557
-# MaxMessageSize: You may specify a maximum message size for DSPAM to process.
558
-# If the message is larger than the maximum size, it will be delivered
559
-# without processing. Value is in bytes.
560
-#
561
-#MaxMessageSize 4194304
562
-
563
-# --- ClamAV ---
564
-
565
-#
566
-# Virus Checking: If you are running clamd, DSPAM can perform stream-based
567
-# virus checking using TCP. Uncomment the values below to enable virus
568
-# checking.
569
-#
570
-# ClamAVResponse: reject (reject or drop the message with a permanent failure)
571
-#                 accept (accept the message and quietly drop the message)
572
-#                 spam   (treat as spam and quarantine/tag/whatever)
573
-#
574
-#ClamAVPort		3310
575
-#ClamAVHost		127.0.0.1
576
-#ClamAVResponse		accept
577
-
578
-# --- CLIENT / SERVER ---
579
-
580
-#
581
-# Daemonized Server: If you are running DSPAM as a daemonized server using
582
-# --daemon, the following parameters will override the default. Use the
583
-# ServerPass option to set up accounts for each client machine. The DSPAM
584
-# server will process and deliver the message based on the parameters
585
-# specified. If you want the client machine to perform delivery, use
586
-# the --stdout option in conjunction with a local setup.
587
-#
588
-# ServerHost: Not enabling ServerHost will bind DSPAM server to all available
589
-# interfaces.
590
-#
591
-# ServerPort: Default upstream configuration is to run dspam daemon on port
592
-# 24. On Debian, dspam being run as a unprivileged user, default port is
593
-# set to 2424.
594
-#
595
-#ServerHost		127.0.0.1
596
-#ServerPort		2424
597
-#ServerQueueSize	32
598
-#ServerPID		/var/run/dspam/dspam.pid
599
-
600
-#
601
-# ServerMode specifies the type of LMTP server to start. This can be one of:
602
-#     dspam: DSPAM-proprietary DLMTP server, for communicating with dspamc
603
-#  standard: Standard LMTP server, for communicating with Postfix or other MTA
604
-#      auto: Speak both DLMTP and LMTP; auto-detect by ServerPass.IDENT
605
-#
606
-#ServerMode dspam
607
-
608
-# If supporting DLMTP (dspam) mode, dspam clients will require authentication
609
-# as they will be passing in parameters. The idents below will be used to
610
-# determine which clients will be speaking DLMTP, so if you will be using
611
-# both LMTP and DLMTP from the same host, be sure to use something other
612
-# than the server's hostname below (which will be sent by the MTA during a
613
-# standard LMTP LHLO).
614
-#
615
-#ServerPass.Relay1	"secret"
616
-#ServerPass.Relay2	"password"
617
-
618
-# If supporting standard LMTP mode, server parameters will need to be specified
619
-# here, as they will not be passed in by the mail server. The ServerIdent
620
-# specifies the 250 response code ident sent back to connecting clients and
621
-# should be set to the hostname of your server, or an alias.
622
-#
623
-# NOTE: If you specify --user in ServerParameters, the RCPT TO will be
624
-#       used only for delivery, and not set as the active user for processing.
625
-#
626
-#ServerParameters	"--deliver=innocent -d %u"
627
-#ServerIdent		"localhost.localdomain"
628
-
629
-# If you wish to use a local domain socket instead of a TCP socket, uncomment
630
-# the following. It is strongly recommended you use local domain sockets if
631
-# you are running the client and server on the same machine, as it eliminates
632
-# much of the bandwidth overhead.
633
-#
634
-ServerDomainSocketPath	"/var/run/dspam/dspam.sock"
635
-
636
-#
637
-# Client Mode: If you are running DSPAM in client/server mode, uncomment and
638
-# set these variables. A ClientHost beginning with a / will be treated as
639
-# a domain socket.
640
-#
641
-#ClientHost	/var/run/dspam/dspam.sock
642
-#ClientIdent	"secret@Relay1"
643
-#
644
-#ClientHost	127.0.0.1
645
-#ClientPort	2424
646
-#ClientIdent	"secret@Relay1"
647
-
648
-# --- RABL ---
649
-
650
-# RABLQueue: Touch files in the RABL queue
651
-# If you are a reporting streamlined blackhole list participant, you can
652
-# touch ip addresses within the directory the rabl_client process is watching.
653
-#
654
-#RABLQueue	/var/spool/rabl
655
-
656
-# ---  ---
657
-
658
-# DataSource: If you are using any type of data source that does not include
659
-# email-like headers (such as documents), uncomment the line below. This
660
-# will cause the entire input to be treated like a message "body"
661
-#
662
-#DataSource document
663
-
664
-# ProcessorWordFrequency: By default, words are only counted once per message.
665
-# If you are classifying large documents, however, you may wish to count once
666
-# per occurrence instead.
667
-#
668
-#ProcessorWordFrequency occurrence
669
-
670
-# ProcessorURLContext: By default, a URL context is generated for URLs, which
671
-# records their tokens as separate from words found in documents. To use
672
-# URL tokens in the same context as words, turn this feature off.
673
-#
674
-ProcessorURLContext on
675
-
676
-# ProcessorBias: Bias causes the filter to lean more toward 'innocent', and
677
-# usually greatly reduces false positives. It is the default behavior of
678
-# most Bayesian filters (including dspam).
679
-#
680
-# NOTE: You probably DONT want this if you're using Markovian Weighting, unless
681
-# you are paranoid about false positives.
682
-#
683
-ProcessorBias on
684
-
685
-# StripRcptDomain: Cut the domain (including the at sign) from recipients.
686
-# This is particularly useful if the recipient name is equal to real user
687
-# accounts as recipients with domains tend to cause permission issues with
688
-# dspam-web.
689
-#
690
-StripRcptDomain off
691
-
692
-# --- Split Configuration File Support ---
693
-
694
-# Include a directory with configuration items.
695
-Include /etc/dspam/dspam.d/
696
-
697
-# ---  ---
698
-
699
-## EOF

+ 0
- 1
roles/mailserver/files/etc_postfix_dspam_filter_access Ver fichero

@@ -1 +0,0 @@
1
-/./   FILTER dspam:dspam

+ 0
- 3
roles/mailserver/files/etc_postfix_master.cf Ver fichero

@@ -113,8 +113,5 @@ scalemail-backend unix	-	n	n	-	2	pipe
113 113
 mailman   unix  -       n       n       -       -       pipe
114 114
   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
115 115
   ${nexthop} ${user}
116
-# spam protection
117
-dspam     unix  -       n       n       -       10      pipe
118
-  flags=Ru user=dspam argv=/usr/bin/dspam --deliver=innocent,spam --user ${user}@${domain} -i -f $sender -- $recipient
119 116
 dovecot   unix  -       n       n       -       -       pipe
120 117
   flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/lmtp -f ${sender} -d ${user}@${nexthop}

+ 3
- 0
roles/mailserver/handlers/main.yml Ver fichero

@@ -16,3 +16,6 @@
16 16
 
17 17
 - name: restart opendmarc
18 18
   service: name=opendmarc state=restarted
19
+
20
+- name: restart rspamd
21
+  service: name=rspamd.socket state=restarted

+ 0
- 44
roles/mailserver/tasks/dspam.yml Ver fichero

@@ -1,44 +0,0 @@
1
-- name: Install dspam and related packages on wheezy
2
-  apt: pkg={{ item }} state=installed default_release=wheezy-backports
3
-  with_items:
4
-    - dovecot-antispam
5
-    - dovecot-sieve
6
-    - dspam
7
-    - postfix-pcre
8
-  when: ansible_distribution_release == 'wheezy'
9
-  tags:
10
-    - dependencies
11
-
12
-- name: Install dspam and related packages on distributions other than wheezy
13
-  apt: pkg={{ item }} state=installed
14
-  with_items:
15
-    - dovecot-antispam
16
-    - dovecot-sieve
17
-    - dspam
18
-    - postfix-pcre
19
-  when: ansible_distribution_release != 'wheezy'
20
-  tags:
21
-    - dependencies
22
-
23
-- name: Create dspam directory
24
-  file: state=directory path=/decrypted/dspam group=dspam owner=dspam
25
-
26
-- name: Put dspam configuration files in place
27
-  copy: src=etc_dspam_{{ item }} dest=/etc/dspam/{{ item }} owner=dspam group=dspam
28
-  with_items:
29
-    - default.prefs
30
-    - dspam.conf
31
-  notify:
32
-    - restart postfix
33
-    - restart dovecot
34
-
35
-- name: Put dspam postfix configuration in place
36
-  copy: src=etc_postfix_dspam_filter_access dest=/etc/postfix/dspam_filter_access owner=root group=root
37
-  notify: restart postfix
38
-
39
-- name: Put dspam dovecot configuration in place
40
-  copy: src=etc_dovecot_conf.d_{{ item }} dest=/etc/dovecot/conf.d/{{ item }} owner=vmail group=dovecot
41
-  with_items:
42
-    - 20-imap.conf
43
-    - 90-plugin.conf
44
-  notify: restart dovecot

+ 1
- 1
roles/mailserver/tasks/main.yml Ver fichero

@@ -2,7 +2,7 @@
2 2
 - include: dovecot.yml tags=dovecot
3 3
 - include: opendkim.yml tags=opendkim
4 4
 - include: dmarc.yml tags=dmarc
5
-- include: dspam.yml tags=dspam
5
+- include: rspamd.yml tags=rspamd
6 6
 - include: solr.yml tags=solr
7 7
 - include: checkrbl.yml tags=checkrbl
8 8
 - include: z-push.yml tags=zpush

+ 35
- 0
roles/mailserver/tasks/rspamd.yml Ver fichero

@@ -0,0 +1,35 @@
1
+---
2
+# Installs and configures the Rspamd spam filtering system.
3
+
4
+- name: Ensure repository key for Rspamd is in place for Debian Jessie
5
+  apt_key: url=http://download.opensuse.org/repositories/home:cebka/Debian_8.0/Release.key state=present
6
+  tags:
7
+    - dependencies
8
+  when: ansible_distribution_release == 'jessie'
9
+
10
+- name: Ensure repository key for Rspamd is in place for Ubuntu Trusty
11
+  apt_key: url=http://download.opensuse.org/repositories/home:cebka/xUbuntu_14.10/Release.key state=present
12
+  tags:
13
+    - dependencies
14
+  when: ansible_distribution_release == 'trusty'
15
+
16
+- name: Add Rspamd repository for Debian Jesse
17
+  apt_repository: repo="deb http://download.opensuse.org/repositories/home:/cebka/Debian_8.0/ /"
18
+  tags:
19
+    - dependencies
20
+  when: ansible_distribution_release == 'jessie'
21
+
22
+- name: Add Rspamd repository for Ubuntu Trusty
23
+  apt_repository: repo="deb http://download.opensuse.org/repositories/home:/cebka/xUbuntu_14.10/ /"
24
+  tags:
25
+    - dependencies
26
+  when: ansible_distribution_release == 'jessie'
27
+
28
+- name: Install Rspamd and Rmilter
29
+  apt: pkg={{ item }} state=installed update_cache=yes
30
+  with_items:
31
+    - rspamd
32
+    - rmilter
33
+  tags:
34
+    - dependencies
35
+

+ 5
- 7
roles/mailserver/templates/etc_postfix_main.cf.j2 Ver fichero

@@ -100,16 +100,14 @@ virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
100 100
 virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
101 101
 local_recipient_maps = $virtual_mailbox_maps
102 102
 
103
-# OpenDKIM and OpenDMARC
104
-smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321
103
+# Milters: OpenDKIM, OpenDMARC, Rspamd
104
+smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321,unix:/var/run/rmilter/rmilter.sock
105 105
 non_smtpd_milters = $smtpd_milters
106
+milter_protocol = 6
107
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
106 108
 milter_default_action = accept
107 109
 
108
-# new settings for dspam: only scan one mail at a time, localhost doesn't get scanned, everything else does
109
-dspam_destination_recipient_limit = 1
110
-smtpd_client_restrictions =
111
-  permit_sasl_authenticated
112
-  check_client_access pcre:/etc/postfix/dspam_filter_access
110
+smtpd_client_restrictions = permit_sasl_authenticated
113 111
 
114 112
 # Postscreen
115 113
 postscreen_access_list = permit_mynetworks

+ 2
- 6
roles/webmail/files/etc_roundcube_global.sieve Ver fichero

@@ -1,11 +1,7 @@
1 1
 require ["regex", "fileinto", "imap4flags"];
2
-# Catch mail tagged as Spam, except Spam retrained and delivered to the mailbox
3
-if allof (header :regex "X-DSPAM-Result" "^(Spam|Virus|Bl[ao]cklisted)$",
4
-          not header :contains "X-DSPAM-Reclassified" "Innocent") {
5
-  # Mark as read
2
+
3
+if header :is "X-Spam-Action" "reject" {
6 4
   setflag "\\Seen";
7
-  # Move into the Junk folder
8 5
   fileinto "Spam";
9
-  # Stop processing here
10 6
   stop;
11 7
 }

+ 1
- 6
tests.py Ver fichero

@@ -318,7 +318,7 @@ class MailTests(unittest.TestCase):
318 318
         m.logout()
319 319
 
320 320
     def test_smtp_headers(self):
321
-        """Email sent from an MTA via SMTP+TLS has X-DSPAM and TLS headers"""
321
+        """Email sent from an MTA via SMTP+TLS has TLS headers"""
322 322
         import smtplib
323 323
         import imaplib
324 324
 
@@ -339,11 +339,6 @@ class MailTests(unittest.TestCase):
339 339
         _, data = m.fetch(res[0], '(RFC822)')
340 340
 
341 341
         self.assertIn(
342
-            'X-DSPAM-Result: ',
343
-            data[0][1]
344
-        )
345
-
346
-        self.assertIn(
347 342
             'ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)',
348 343
             data[0][1]
349 344
         )

Loading…
Cancelar
Guardar