From 6eb1f4e4705e86006f275cd86a97ced00a0201e3 Mon Sep 17 00:00:00 2001
From: VC
Date: Fri, 5 Jul 2024 11:53:49 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8:=20add=20postgrey,=20treat=20spamd=20?= =?UTF-8?q?as=20milter?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
mail.yml | 1 +
roles/postfix/files/main.cf | 8 +++++--
roles/postfix/files/master.cf | 2 +-
roles/postgrey/files/postgrey | 12 +++++++++++
roles/postgrey/handlers/main.yml | 6 ++++++
roles/postgrey/tasks/main.yml | 14 +++++++++++++
roles/spamassassin/files/spamass-milter | 28 +++++++++++++++++++++++++
roles/spamassassin/handlers/main.yml | 5 +++++
roles/spamassassin/tasks/main.yml | 14 ++++++++++++-
9 files changed, 86 insertions(+), 4 deletions(-)
create mode 100644 roles/postgrey/files/postgrey
create mode 100644 roles/postgrey/handlers/main.yml
create mode 100644 roles/postgrey/tasks/main.yml
create mode 100644 roles/spamassassin/files/spamass-milter
diff --git a/mail.yml b/mail.yml
index 454a777..a8ea0b4 100644
--- a/mail.yml
+++ b/mail.yml
@@ -8,5 +8,6 @@
 - dovecot
 - opendkim
 - opendmarc
+ - postgrey
 - spamassassin
 - mailman
diff --git a/roles/postfix/files/main.cf b/roles/postfix/files/main.cf
index a099801..c3ec5a1 100644
--- a/roles/postfix/files/main.cf
+++ b/roles/postfix/files/main.cf
@@ -1,4 +1,5 @@
 ## Configuration de postfix
+## 22/02/2024 mortal Ajout de postgrey
 ## 26/02/2023 mortal Ajout des futures adresses IPv4/v6 pour Free
 ## 27/01/2022 mortal Ajout de nouveaux paramètres pour mailman3
 ## 05/08/2018 mortal Suppression de mailbox_command au profit de mailbox_transport : c'est toujours dovecot qui fait la livraison mais à travers une socket plutôt qu'un programme lancé par postfix
@@ -53,6 +54,10 @@ smtpd_tls_protocols = !SSLv2,!SSLv3 smtpd_tls_auth_only = yes smtpd_tls_session_cache_timeout = 10s smtpd_tls_loglevel = 1 +smtpd_recipient_restrictions = permit_sasl_authenticated, + permit_mynetworks, + reject_unauth_destination, + check_policy_service inet:127.0.0.1:10023 # client SMTP smtp_tls_CApath = /etc/ssl/certs smtp_tls_cert_file = /etc/x509/smtp.libertus.eu/fullchain.cer @@ -72,7 +77,6 @@ smtpd_sasl_path = inet:localhost:26 # DKIM milter_default_action = accept milter_protocol = 2 -smtpd_milters = inet:localhost:8891,inet:localhost:8892 +smtpd_milters = inet:localhost:8891,inet:localhost:8892,unix:/var/spool/postfix/spamass/spamass.sock compatibility_level = 2 - diff --git a/roles/postfix/files/master.cf b/roles/postfix/files/master.cf index b1416f9..12dd304 100644 --- a/roles/postfix/files/master.cf +++ b/roles/postfix/files/master.cf @@ -8,7 +8,7 @@ # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== -smtp inet n - - - - smtpd -o content_filter=spamassassin +smtp inet n - - - - smtpd submission inet n - - - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes diff --git a/roles/postgrey/files/postgrey b/roles/postgrey/files/postgrey new file mode 100644 index 0000000..cc3624e --- /dev/null +++ b/roles/postgrey/files/postgrey @@ -0,0 +1,12 @@ +# postgrey startup options, created for Debian + +# you may want to set +# --delay=N how long to greylist, seconds (default: 300) +# --max-age=N delete old entries after N days (default: 35) +# see also the postgrey(8) manpage + +POSTGREY_OPTS="--inet=10023 --delay=300 --max-age=365" + +# the --greylist-text commandline argument can not be easily passed through +# POSTGREY_OPTS when it contains spaces. So, insert your text here: +#POSTGREY_TEXT="Your customized rejection message here" 
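Review bot: With `milter_default_action = accept` (a context line of the `smtpd_milters` hunk) the new spamass entry fails open: whenever the socket at /var/spool/postfix/spamass/spamass.sock is missing or the milter is restarting, mail is accepted unscanned. The same commit drops `-o content_filter=spamassassin` from master.cf, so no second scanning path remains. If that is not intended, Postfix 3.0 and later accept a per-milter override, e.g. `smtpd_milters = inet:localhost:8891, inet:localhost:8892, { unix:/var/spool/postfix/spamass/spamass.sock, default_action=tempfail }`, which leaves the two inet milters as they are and defers mail while the spam milter is down. Either way, a comment such as `# spamass-milter: mail is accepted unscanned if this socket is unavailable` above the line would record the choice.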
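Review bot: `--inet=10023` in the new roles/postgrey/files/postgrey names no host, so the listening address is left to postgrey's default (localhost, per postgrey(8)), while main.cf in this commit connects to the literal `127.0.0.1:10023`. On a host where localhost resolves to ::1 first the two may not meet; that is an assumption to check on the target system. Spelling the address out, `POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=300 --max-age=365"`, pins the listener to loopback and matches the Postfix side. The header comment still gives 35 days as the default max-age, so a one-line comment saying why 365 was chosen would help the next reader.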
diff --git a/roles/postgrey/handlers/main.yml b/roles/postgrey/handlers/main.yml
new file mode 100644
index 0000000..19c8520
--- /dev/null
+++ b/roles/postgrey/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Restart postgrey
+ ansible.builtin.service:
+ name: postgrey
+ state: restarted
diff --git a/roles/postgrey/tasks/main.yml b/roles/postgrey/tasks/main.yml
new file mode 100644
index 0000000..2ebace6
--- /dev/null
+++ b/roles/postgrey/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Install postgrey
+ ansible.builtin.package:
+ name: postgrey
+ state: present
+
+- name: Put main configuration files
+ ansible.builtin.copy:
+ src: files/postgrey
+ dest: /etc/default/postgrey
+ mode: 0644
+ notify:
+ - Restart postgrey
diff --git a/roles/spamassassin/files/spamass-milter b/roles/spamassassin/files/spamass-milter
new file mode 100644
index 0000000..5d9125c
--- /dev/null
+++ b/roles/spamassassin/files/spamass-milter
@@ -0,0 +1,28 @@
+# spamass-milt startup defaults
+
+# OPTIONS are passed directly to spamass-milter.
+# man spamass-milter for details
+
+# Non-standard configuration notes:
+# See README.Debian if you use the -x option with sendmail
+# You should not pass the -d option in OPTIONS; use SOCKET for that.
+
+# Default, use the spamass-milter user as the default user, ignore
+# messages from localhost
+OPTIONS="-u spamass-milter -i 127.0.0.1"
+
+# Reject emails with spamassassin scores > 15.
+OPTIONS="${OPTIONS} -r 15"
+
+# Do not modify Subject:, Content-Type: or body.
+#OPTIONS="${OPTIONS} -m"
+
+######################################
+# If /usr/sbin/postfix is executable, the following are set by
+# default. You can override them by uncommenting and changing them
+# here.
+######################################
+# SOCKET="/var/spool/postfix/spamass/spamass.sock"
+# SOCKETOWNER="postfix:postfix"
+# SOCKETMODE="0660"
+######################################
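Review bot: Nothing in the new roles/postgrey/tasks/main.yml ensures that postgrey is enabled and running, although main.cf in this commit routes every recipient that is neither authenticated nor in mynetworks through `check_policy_service inet:127.0.0.1:10023`. When a policy service cannot be reached, Postfix answers those recipients with a temporary error, so a stopped or disabled postgrey would defer inbound mail. The spamassassin role gains an "Ensure that spam services are up" task in this same commit; the equivalent task is missing here and is proposed below. Separately, `mode: 0644` is better written as the quoted string `mode: "0644"` so that it cannot be read as a number.

```yaml
# … unchanged: "Install postgrey" and "Put main configuration files" tasks …

- name: Ensure that postgrey is up
  ansible.builtin.service:
    name: postgrey
    enabled: true
    state: started
```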
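Review bot: The three SOCKET lines at the end of the new roles/spamassassin/files/spamass-milter stay commented out, so the socket path, owner and mode depend on the packaged start script detecting /usr/sbin/postfix, as the file's own comment says. main.cf in this commit hard-codes `unix:/var/spool/postfix/spamass/spamass.sock`, so the two sides match only while that default holds. Uncommenting `SOCKET="/var/spool/postfix/spamass/spamass.sock"`, `SOCKETOWNER="postfix:postfix"` and `SOCKETMODE="0660"` makes the path explicit and keeps the socket restricted to the postfix user and group, independent of the package default.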
diff --git a/roles/spamassassin/handlers/main.yml b/roles/spamassassin/handlers/main.yml index 8057cc3..f183161 100644 --- a/roles/spamassassin/handlers/main.yml +++ b/roles/spamassassin/handlers/main.yml @@ -4,3 +4,8 @@ ansible.builtin.service: name: spamd state: restarted + +- name: Restart spamass-milter + ansible.builtin.service: + name: spamass-milter + state: restarted diff --git a/roles/spamassassin/tasks/main.yml b/roles/spamassassin/tasks/main.yml index 925a68e..1bc50a1 100644 --- a/roles/spamassassin/tasks/main.yml +++ b/roles/spamassassin/tasks/main.yml @@ -6,10 +6,11 @@ state: present loop: - spamassassin + - spamass-milter - libmail-dkim-perl - libmail-spf-perl -- name: Put configuration files +- name: Put configuration files for spamassassin ansible.builtin.copy: src: "{{ item.src }}" dest: "{{ item.dest }}" @@ -17,5 +18,16 @@ loop: - {src: "./files/local.cf", dest: "/etc/spamassassin/local.cf"} - {src: "./files/spamassassin", dest: "/etc/default/spamassassin"} + - {src: "./files/spamass-milter", dest: "/etc/default/spamass-milter"} notify: - Restart spamassassin + - Restart spamass-milter + +- name: Ensure that spam services are up + ansible.builtin.service: + name: "{{ item }}" + enabled: true + state: started + loop: + - spamass-milter + - spamd