✨: add postgrey, treat spamd as milter

2024-07-05 11:53:49 +02:00
parent 66fc316071
commit 6eb1f4e470
9 changed files with 86 additions and 4 deletions
--- a/mail.yml
+++ b/mail.yml
@@ -8,5 +8,6 @@
    - dovecot
    - opendkim
    - opendmarc
+    - postgrey
    - spamassassin
    - mailman
--- a/roles/postfix/files/main.cf
+++ b/roles/postfix/files/main.cf
@@ -1,4 +1,5 @@
 ## Configuration de postfix
+## 22/02/2024	mortal	Ajout de postgrey
 ## 26/02/2023	mortal	Ajout des futures adresses IPv4/v6 pour Free
 ## 27/01/2022	mortal	Ajout de nouveaux paramètres pour mailman3
 ## 05/08/2018	mortal	Suppression de mailbox_command au profit de mailbox_transport : c'est toujours dovecot qui fait la livraison mais à travers une socket plutôt qu'un programme lancé par postfix
@@ -53,6 +54,10 @@ smtpd_tls_protocols =  !SSLv2,!SSLv3
 smtpd_tls_auth_only = yes
 smtpd_tls_session_cache_timeout = 10s
 smtpd_tls_loglevel = 1
+smtpd_recipient_restrictions = permit_sasl_authenticated,
+           permit_mynetworks,
+           reject_unauth_destination,
+           check_policy_service inet:127.0.0.1:10023
 # client SMTP
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_cert_file = /etc/x509/smtp.libertus.eu/fullchain.cer
@@ -72,7 +77,6 @@ smtpd_sasl_path = inet:localhost:26
 # DKIM
 milter_default_action = accept
 milter_protocol = 2
-smtpd_milters = inet:localhost:8891,inet:localhost:8892
+smtpd_milters = inet:localhost:8891,inet:localhost:8892,unix:/var/spool/postfix/spamass/spamass.sock

 compatibility_level = 2
-
--- a/roles/postfix/files/master.cf
+++ b/roles/postfix/files/master.cf
@@ -8,7 +8,7 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
-smtp      inet  n       -       -       -       -       smtpd -o content_filter=spamassassin
+smtp      inet  n       -       -       -       -       smtpd
 submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
--- a/roles/postgrey/files/postgrey
+++ b/roles/postgrey/files/postgrey
@@ -0,0 +1,12 @@
+# postgrey startup options, created for Debian
+
+# you may want to set
+#   --delay=N   how long to greylist, seconds (default: 300)
+#   --max-age=N delete old entries after N days (default: 35)
+# see also the postgrey(8) manpage
+
+POSTGREY_OPTS="--inet=10023 --delay=300 --max-age=365"
+
+# the --greylist-text commandline argument can not be easily passed through
+# POSTGREY_OPTS when it contains spaces.  So, insert your text here:
+#POSTGREY_TEXT="Your customized rejection message here"
--- a/roles/postgrey/handlers/main.yml
+++ b/roles/postgrey/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Restart postgrey
+  ansible.builtin.service:
+    name: postgrey
+    state: restarted
--- a/roles/postgrey/tasks/main.yml
+++ b/roles/postgrey/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Install postgrey
+  ansible.builtin.package:
+    name: postgrey
+    state: present
+
+- name: Put main configuration files
+  ansible.builtin.copy:
+    src: files/postgrey
+    dest: /etc/default/postgrey
+    mode: 0644
+  notify:
+    - Restart postgrey
--- a/roles/spamassassin/files/spamass-milter
+++ b/roles/spamassassin/files/spamass-milter
@@ -0,0 +1,28 @@
+# spamass-milt startup defaults
+
+# OPTIONS are passed directly to spamass-milter.
+# man spamass-milter for details
+
+# Non-standard configuration notes:
+# See README.Debian if you use the -x option with sendmail
+# You should not pass the -d option in OPTIONS; use SOCKET for that.
+
+# Default, use the spamass-milter user as the default user, ignore
+# messages from localhost
+OPTIONS="-u spamass-milter -i 127.0.0.1"
+
+# Reject emails with spamassassin scores > 15.
+OPTIONS="${OPTIONS} -r 15"
+
+# Do not modify Subject:, Content-Type: or body.
+#OPTIONS="${OPTIONS} -m"
+
+######################################
+# If /usr/sbin/postfix is executable, the following are set by
+# default. You can override them by uncommenting and changing them
+# here.
+######################################
+# SOCKET="/var/spool/postfix/spamass/spamass.sock"
+# SOCKETOWNER="postfix:postfix"
+# SOCKETMODE="0660"
+######################################
--- a/roles/spamassassin/handlers/main.yml
+++ b/roles/spamassassin/handlers/main.yml
@@ -4,3 +4,8 @@
  ansible.builtin.service:
    name: spamd
    state: restarted
+
+- name: Restart spamass-milter
+  ansible.builtin.service:
+    name: spamass-milter
+    state: restarted
--- a/roles/spamassassin/tasks/main.yml
+++ b/roles/spamassassin/tasks/main.yml
@@ -6,10 +6,11 @@
    state: present
  loop:
    - spamassassin
+    - spamass-milter
    - libmail-dkim-perl
    - libmail-spf-perl

- name: Put configuration files
+- name: Put configuration files for spamassassin
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
@@ -17,5 +18,16 @@
  loop:
    - {src: "./files/local.cf", dest: "/etc/spamassassin/local.cf"}
    - {src: "./files/spamassassin", dest: "/etc/default/spamassassin"}
+    - {src: "./files/spamass-milter", dest: "/etc/default/spamass-milter"}
  notify:
    - Restart spamassassin
+    - Restart spamass-milter
+
+- name: Ensure that spam services are up
+  ansible.builtin.service:
+    name: "{{ item }}"
+    enabled: true
+    state: started
+  loop:
+    - spamass-milter
+    - spamd