From 4db1b34d386456fcc3c2ac562cfe5330b61af847 Mon Sep 17 00:00:00 2001 From: Jon Lockwood Date: Mon, 14 Feb 2022 09:49:31 +0930 Subject: [PATCH] feat(amavis): added amavis and configured spam Spamassassin added as spam filter. MR !1 --- dockerfile | 16 ++- include/docker-entrypoint.sh | 14 +++ .../etc/amavis/conf.d/15-content_filter_mode | 27 ++++ include/etc/amavis/conf.d/50-user | 39 ++++++ include/etc/default/spamassassin | 2 + include/etc/spamassassin/local.cf | 119 ++++++++++++++++++ .../etc/supervisor/conf.d/supervisord.conf | 21 ++++ 7 files changed, 237 insertions(+), 1 deletion(-) create mode 100644 include/etc/amavis/conf.d/15-content_filter_mode create mode 100644 include/etc/amavis/conf.d/50-user create mode 100644 include/etc/default/spamassassin create mode 100644 include/etc/spamassassin/local.cf diff --git a/dockerfile b/dockerfile index 3662615..a81ccdc 100644 --- a/dockerfile +++ b/dockerfile @@ -32,6 +32,17 @@ RUN apt update && DEBIAN_FRONTEND=noninteractive apt -y --no-install-recommends postfix-ldap=3.5.6-1+b1 \ libsasl2-modules \ sasl2-bin \ + # Amavis + amavisd-new=1:2.11.1-5 \ + spamassassin=3.4.6-1 \ + spamc=3.4.6-1 \ + # Amavis decoders + arj bzip2 cabextract cpio file gzip nomarch pax unzip zip xzdec lrzip lzop rpm2cpio unrar-free p7zip-full lz4 \ +# clamav=0.103.5+dfsg-0+deb11u1 \ +# clamav-daemon=0.103.5+dfsg-0+deb11u1 \ + libmailtools-perl=2.21-1 \ + fam=2.7.0-17.3 \ + libnet-dns-perl=1.29-1 \ # Cleanup, remove cron jobs not required RUN rm -f /etc/cron.d/e2scrub_all \ && rm -f /etc/cron.daily/apt-compat \ @@ -68,9 +79,12 @@ RUN chmod +x /docker-entrypoint.sh \ && mkdir -p /var/spool/postfix/private/dovecot \ && chown postfix:postfix /var/spool/postfix/private/dovecot \ && chown vmail:vmail /var/lib/dovecot \ + # Spammassassin related Commands + && mkdir -p /var/spool/spamassassin \ + && chmod 777 /var/spool/spamassassin \ # Setup data volumes -VOLUME /srv/mail /ssl /var/log +VOLUME /srv/mail /ssl /var/spool/spamassassin /var/log # Configure postfix RUN postconf -e "maillog_file=/var/log/postfix.log" \ diff --git a/include/docker-entrypoint.sh b/include/docker-entrypoint.sh index 4506ec6..72a7914 100644 --- a/include/docker-entrypoint.sh +++ b/include/docker-entrypoint.sh @@ -8,6 +8,20 @@ if [ "0$POST_MASTER_EMAIL" != "0" ]; then export MAILTO="$POST_MASTER_EMAIL"; fi printenv | grep -v "no_proxy" > /etc/environment +if [ -f "/var/run/amavis/amavisd.pid" ]; then rm /var/run/amavis/amavisd.pid; fi + + +if [ "$1" == "" ]; then + + echo "Setup server type ($SERVERTYPE)" + + echo "[Information] starting supervisor daemon" + /usr/bin/supervisord -c /etc/supervisor/supervisord.conf + + bash + +fi + # compile sieve scripts for file in /etc/dovecot/sieve/*.sieve ; do diff --git a/include/etc/amavis/conf.d/15-content_filter_mode b/include/etc/amavis/conf.d/15-content_filter_mode new file mode 100644 index 0000000..1d5ffab --- /dev/null +++ b/include/etc/amavis/conf.d/15-content_filter_mode @@ -0,0 +1,27 @@ +use strict; + +# You can modify this file to re-enable SPAM checking through spamassassin +# and to re-enable antivirus checking. + +# +# Default antivirus checking mode +# Please note, that anti-virus checking is DISABLED by +# default. +# If You wish to enable it, please uncomment the following lines: + + +#@bypass_virus_checks_maps = ( +# \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); + + +# +# Default SPAM checking mode +# Please note, that anti-spam checking is DISABLED by +# default. +# If You wish to enable it, please uncomment the following lines: + + +@bypass_spam_checks_maps = ( + \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); + +1; # ensure a defined return diff --git a/include/etc/amavis/conf.d/50-user b/include/etc/amavis/conf.d/50-user new file mode 100644 index 0000000..3e008c0 --- /dev/null +++ b/include/etc/amavis/conf.d/50-user @@ -0,0 +1,39 @@ +use strict; + +# +# Place your configuration directives here. They will override those in +# earlier files. +# +# See /usr/share/doc/amavisd-new/ for documentation and examples of +# the directives you can use in this file +# + +# Higher log level to get expected messages at startup +$log_level = 2; + +$X_HEADER_LINE = "Virus Scanning product"; + +$virus_admin = "postmaster"; +$banned_admin = "postmaster"; + +$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine) +$final_banned_destiny = D_DISCARD; +$final_spam_destiny = D_PASS; +$final_bad_header_destiny = D_PASS; + +$sa_spam_subject_tag = ''; +$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level +$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level +$sa_kill_level_deflt = 6.31; # triggers spam evasive actions +$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent + +$spam_quarantine_to = undef; + +# disable the "Received" headers to be added to the mail header +$allowed_added_header_fields{lc('Received')} = 0; + + +#------------ Do not modify anything below this line ------------- +1; # ensure a defined return + + diff --git a/include/etc/default/spamassassin b/include/etc/default/spamassassin new file mode 100644 index 0000000..f648bf4 --- /dev/null +++ b/include/etc/default/spamassassin @@ -0,0 +1,2 @@ +OPTIONS="--create-prefs --max-children 5 --username debian-spamd --helper-home-dir /home/spamd/ -s /var/log/spamd.log" +CRON=1 diff --git a/include/etc/spamassassin/local.cf b/include/etc/spamassassin/local.cf new file mode 100644 index 0000000..c712a48 --- /dev/null +++ b/include/etc/spamassassin/local.cf @@ -0,0 +1,119 @@ +# This is the right place to customize your installation of SpamAssassin. +# +# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be +# tweaked. +# +# Only a small subset of options are listed below +# +########################################################################### + +# A 'contact address' users should contact for more info. (replaces +# _CONTACTADDRESS_ in the report template) +# report_contact youremailaddress@domain.tld + + +# Add *****SPAM***** to the Subject header of spam e-mails +# +# rewrite_header Subject *****SPAM***** + + +# Save spam messages as a message/rfc822 MIME attachment instead of +# modifying the original message (0: off, 2: use text/plain instead) +# +report_safe 2 + + +# Set which networks or hosts are considered 'trusted' by your mail +# server (i.e. not spammers) +# +# trusted_networks 212.17.35. + + +# Set file-locking method (flock is not safe over NFS, but is faster) +# +# lock_method flock + + +# Set the threshold at which a message is considered spam (default: 5.0) +# +required_score 5.0 + + +# Use Bayesian classifier (default: 1) +# +use_bayes 1 + + +# Bayesian classifier auto-learning (default: 1) +# +bayes_auto_learn 1 + +bayes_path /var/spool/spamassassin/bayes + +bayes_file_mode 775 + + + +# Set headers which may provide inappropriate cues to the Bayesian +# classifier +# +# bayes_ignore_header X-Bogosity +# bayes_ignore_header X-Spam-Flag +# bayes_ignore_header X-Spam-Status + + +# Whether to decode non- UTF-8 and non-ASCII textual parts and recode +# them to UTF-8 before the text is given over to rules processing. +# +# normalize_charset 1 + +# Textual body scan limit (default: 50000) +# +# Amount of data per email text/* mimepart, that will be run through body +# rules. This enables safer and faster scanning of large messages, +# perhaps having very large textual attachments. There should be no need +# to change this well tested default. +# +# body_part_scan_size 50000 + +# Textual rawbody data scan limit (default: 500000) +# +# Amount of data per email text/* mimepart, that will be run through +# rawbody rules. +# +# rawbody_part_scan_size 500000 + +# Some shortcircuiting, if the plugin is enabled +# +ifplugin Mail::SpamAssassin::Plugin::Shortcircuit +# +# default: strongly-whitelisted mails are *really* whitelisted now, if the +# shortcircuiting plugin is active, causing early exit to save CPU load. +# Uncomment to turn this on +# +# SpamAssassin tries hard not to launch DNS queries before priority -100. +# If you want to shortcircuit without launching unneeded queries, make +# sure such rule priority is below -100. These examples are already: +# +# shortcircuit USER_IN_WHITELIST on +# shortcircuit USER_IN_DEF_WHITELIST on +# shortcircuit USER_IN_ALL_SPAM_TO on +# shortcircuit SUBJECT_IN_WHITELIST on + +# the opposite; blacklisted mails can also save CPU +# +# shortcircuit USER_IN_BLACKLIST on +# shortcircuit USER_IN_BLACKLIST_TO on +# shortcircuit SUBJECT_IN_BLACKLIST on + +# if you have taken the time to correctly specify your "trusted_networks", +# this is another good way to save CPU +# +# shortcircuit ALL_TRUSTED on + +# and a well-trained bayes DB can save running rules, too +# +# shortcircuit BAYES_99 spam +# shortcircuit BAYES_00 ham + +endif # Mail::SpamAssassin::Plugin::Shortcircuit diff --git a/include/etc/supervisor/conf.d/supervisord.conf b/include/etc/supervisor/conf.d/supervisord.conf index a3fab40..65a3373 100644 --- a/include/etc/supervisor/conf.d/supervisord.conf +++ b/include/etc/supervisor/conf.d/supervisord.conf @@ -31,6 +31,15 @@ stderr_logfile=/var/log/supervisor/%(program_name)s.log command=/usr/sbin/cron -f +[program:amavis] +startsecs=0 +stopwaitsecs=55 +autostart=true +autorestart=true +stdout_logfile=/var/log/supervisor/%(program_name)s.log +stderr_logfile=/var/log/supervisor/%(program_name)s.log +command=/usr/sbin/amavisd-new foreground + [program:dovecot] startsecs=0 @@ -54,3 +63,15 @@ autostart=false stdout_logfile=/var/log/supervisor/%(program_name)s.log stderr_logfile=/var/log/supervisor/%(program_name)s.log + + + + +[program:spamassassin] +#directory=/etc/dovecot +command=spamd --username debian-spamd --nouser-config --syslog stderr --pidfile /var/run/spamd.pid --helper-home-dir /var/lib/spamassassin --ip-address --allowed-ips 0.0.0.0/0 +autorestart=false +autostart=false +stdout_logfile=/var/log/supervisor/%(program_name)s.log +stderr_logfile=/var/log/supervisor/%(program_name)s.log +