From 042c1982d19630f8afd6a49a1c4aea08dc44660f Mon Sep 17 00:00:00 2001
From: Someone
Date: Fri, 4 Oct 2024 13:42:40 +0200
Subject: [PATCH] [roles/server/mail/spamassassin] setup spamassassing milter
---
.../mail/spamassassin/files/default/local.cf | 82 +++++++++++++++++++
.../files/default/spamassassin-expire.cron | 12 +++
.../spamassassin/files/default/spamd.defaults | 30 +++++++
.../mail/spamassassin/handlers/main.yml | 13 +++
roles/server/mail/spamassassin/tasks/main.yml | 67 +++++++++++++++
5 files changed, 204 insertions(+)
create mode 100644 roles/server/mail/spamassassin/files/default/local.cf
create mode 100644 roles/server/mail/spamassassin/files/default/spamassassin-expire.cron
create mode 100644 roles/server/mail/spamassassin/files/default/spamd.defaults
create mode 100644 roles/server/mail/spamassassin/handlers/main.yml
create mode 100644 roles/server/mail/spamassassin/tasks/main.yml
diff --git a/roles/server/mail/spamassassin/files/default/local.cf b/roles/server/mail/spamassassin/files/default/local.cf
new file mode 100644
index 0000000..cdcb1ab
--- /dev/null
+++ b/roles/server/mail/spamassassin/files/default/local.cf
@@ -0,0 +1,82 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+# also see /etc/default/spamassassin
+time_limit 1800
+dns_available yes
+
+
+use_bayes 1
+bayes_store_module Mail::SpamAssassin::BayesStore::SDBM
+bayes_path /var/lib/spamassassin/bayes
+bayes_file_mode 0660
+bayes_auto_learn 1
+#bayes_learn_to_journal 1
+#bayes_journal_max_size 102400
+
+# use periodic cronjob + lru cleanup instead.
+bayes_auto_expire 0
+#bayes_expiry_max_db_size 5000000
+# not settable here - need to hardcode in default settings:
+# /usr/share/perl5/Mail/SpamAssassin/Conf.pm
+# $self->{bayes_expiry_max_exponent} = ...;
+
+# debug which file is learning by adding:
+# /usr/share/perl5/Mail/SpamAssassin/ArchiveIterator.pm:368
+# dbg("archive-iterator: processing: $where");
+
+
+report_safe 0
+fold_headers 0
+clear_headers
+add_header all Flag _YESNOCAPS_
+add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=[_TESTSSCORES_] autolearn=_AUTOLEARN_ _TOKENSUMMARY_
+add_header all Spammy _SPAMMYTOKENS(5,long)_
+add_header all Hammy _HAMMYTOKENS(5,long)_
+
+bayes_ignore_header X-Cyrus-Session-Id
+bayes_ignore_header X-Sieve
+bayes_ignore_header X-Spam-Flag
+bayes_ignore_header X-Spam-Status
+bayes_ignore_header X-Spam-Spammy
+bayes_ignore_header X-Spam-Hammy
+
+bayes_ignore_header Authentication-Results
+
+# ignored AND removed by postfix later.
+bayes_ignore_header X-Spam-Checker-Version
+bayes_ignore_header X-Spam
+bayes_ignore_header X-Spamd-Bar
+bayes_ignore_header X-Spamd-Result
+bayes_ignore_header X-Rspamd-Action
+bayes_ignore_header X-Rspamd-Queue-Id
+bayes_ignore_header X-Rspamd-Server
+
+bayes_ignore_header X-Greylist
+bayes_ignore_header X-Virus-Scanned
+
+
+loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
+bayes_auto_learn_threshold_nonspam -1.0
+bayes_auto_learn_threshold_spam 7.0
+
+
+score BAYES_00 -2.9
+score BAYES_05 -1.2
+score BAYES_20 -0.5
+score BAYES_40 -0.1
+score BAYES_50 1.0
+score BAYES_60 1.9
+score BAYES_80 2.6
+score BAYES_95 3.4
+score BAYES_99 3.9
+score BAYES_999 1.4
+
+
+# allows too much spam over mailinglists
+score RCVD_IN_DNSWL_MED 0 -0.3 0 -0.3
diff --git a/roles/server/mail/spamassassin/files/default/spamassassin-expire.cron b/roles/server/mail/spamassassin/files/default/spamassassin-expire.cron
new file mode 100644
index 0000000..ac1d6c5
--- /dev/null
+++ b/roles/server/mail/spamassassin/files/default/spamassassin-expire.cron
@@ -0,0 +1,12 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+#MAILTO=root
+
+# TODO
+# 0 13 * * 0 debian-spamd (cd /var/lib/spamassassin; sa-learn -L --sync; cp -a bayes_seen bayes_somexpire.seen; sa-learn -L --backup | grep -v "^s" | tee bayes_somexpire.data.old | grep "^v" > bayes_somexpire.data.new && grep "^t" bayes_somexpire.data.old | sort -k4 -r -n | head -n 9000000 >> bayes_somexpire.data.new && wc -l bayes_somexpire.data.* | grep bayes_somexpire.data && sa-learn -L --dbpath bayes_somexpire --restore bayes_somexpire.data.new && mv bayes_somexpire_toks bayes_toks && mv bayes_somexpire.seen bayes_seen; rm bayes_somexpire*)
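Review bot: In local.cf, `bayes_file_mode 0660` leaves out the execute bits that the SpamAssassin documentation asks for on this setting, because the same mode is reused whenever the Bayes code has to create a directory; created files still end up without x bits since the umask strips them. `bayes_file_mode 0770` keeps the same owner/group-only access without that trap. Separately, `score BAYES_99 3.9` and `score BAYES_999 1.4` add up to 5.3, so if `required_score` stays at its default of 5.0 (it is not set in this file) the Bayes verdict alone marks a message as spam; with `bayes_auto_learn 1` enabled, a comment stating that this is intended would help the next maintainer.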
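Review bot: In spamassassin-expire.cron the job under `# TODO` opens with `cd /var/lib/spamassassin;`, so if the directory change fails, the rest of the subshell, including the final `rm bayes_somexpire*`, runs in whatever directory cron started it in. Before the line is uncommented this should become `cd /var/lib/spamassassin || exit 1`. The line also swaps `bayes_toks` and `bayes_seen` with `mv` while spamd may still be auto-learning, so tokens learned between `--backup` and the `mv` appear to be discarded; a comment saying whether that loss is accepted, or that spamd is stopped for the swap, belongs next to the entry.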
diff --git a/roles/server/mail/spamassassin/files/default/spamd.defaults b/roles/server/mail/spamassassin/files/default/spamd.defaults
new file mode 100644
index 0000000..3634abf
--- /dev/null
+++ b/roles/server/mail/spamassassin/files/default/spamd.defaults
@@ -0,0 +1,30 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# /etc/default/spamassassin
+# Duncan Findlay
+
+# WARNING: please read README.spamd before using.
+# There may be security risks.
+
+# Options
+# See man spamd for possible options. The -d option is automatically added.
+
+# SpamAssassin uses a preforking model, so be careful! You need to
+# make sure --max-children is not set to anything higher than 5,
+# unless you know what you're doing.
+
+OPTIONS="--create-prefs --max-children 2 --timeout-child 1800 --helper-home-dir -u debian-spamd"
+
+# Pid file
+# Where should spamd write its PID to file? If you use the -u or
+# --username option above, this needs to be writable by that user.
+# Note that this setting is not used when spamd is managed by systemd
+PIDFILE="/run/spamd.pid"
+
+# Set nice level of spamd
+#NICE="--nicelevel 15"
diff --git a/roles/server/mail/spamassassin/handlers/main.yml b/roles/server/mail/spamassassin/handlers/main.yml
new file mode 100644
index 0000000..5be6a11
--- /dev/null
+++ b/roles/server/mail/spamassassin/handlers/main.yml
@@ -0,0 +1,13 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: restart spamd.service
+ systemd:
+ name: spamd.service
+ daemon_reload: yes
+ state: restarted
+ ignore_errors: yes
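Review bot: In spamd.defaults, `--max-children 2` together with `--timeout-child 1800` (and `time_limit 1800` in local.cf) lets two slow-to-scan messages occupy every scanner for up to 30 minutes, so anyone able to send mail that scans slowly can stall filtering for all other mail. What the MTA does while spamd is busy is not visible in this patch, so a comment should state whether mail is then deferred or accepted unscanned, and a timeout nearer spamd's 300-second default is worth considering. The header comment also still reads `# /etc/default/spamassassin` although tasks/main.yml installs this file as `/etc/default/spamd`; local.cf carries the same stale path in `# also see /etc/default/spamassassin`.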
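Review bot: `ignore_errors: yes` on the `restart spamd.service` handler in handlers/main.yml hides a failed restart, for example after a local.cf with a syntax error has just been copied, so the play reports success while spamd is down and mail is no longer scanned. Dropping that line makes the run fail visibly; if it is kept on purpose, the reason should be written as a comment beside it. Running `spamassassin --lint` before the restart would catch a broken config while the old daemon is still serving.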
diff --git a/roles/server/mail/spamassassin/tasks/main.yml b/roles/server/mail/spamassassin/tasks/main.yml
new file mode 100644
index 0000000..d505a1b
--- /dev/null
+++ b/roles/server/mail/spamassassin/tasks/main.yml
@@ -0,0 +1,67 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: install spamassassin
+ apt:
+ pkg:
+ - sa-compile
+ - spamassassin
+ - spamc
+ - spamd
+ state: present
+ policy_rc_d: 101
+ tags: "online"
+
+
+- name: copy spamd defaults
+ copy:
+ src: "{{item}}"
+ dest: "/etc/default/spamd"
+ owner: "root"
+ group: "root"
+ mode: 0644
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/spamd.defaults"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/spamd.defaults"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/spamd.defaults"
+ - "default/spamd.defaults"
+ notify: restart spamd.service
+
+
+- name: copy spamassassin config
+ copy:
+ src: "{{item}}"
+ dest: "/etc/spamassassin/local.cf"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/local.cf"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/local.cf"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/local.cf"
+ - "default/local.cf"
+ notify: restart spamd.service
+
+
+- name: copy spamassassin-expire cronjob
+ copy:
+ src: "{{item}}"
+ dest: "/etc/cron.d/spamassassin-expire"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/spamassassin-expire.cron"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/spamassassin-expire.cron"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/spamassassin-expire.cron"
+ - "default/spamassassin-expire.cron"
+
+
+- name: enable and start spamd.service
+ include_role: name="base/systemd/enable-and-start"
+ vars:
+ service_name: spamd.service
-- 2.43.0
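Review bot: All three `copy` tasks in tasks/main.yml build their first `with_first_found` candidates from `lookup('env','PWD')`, that is, from whatever directory the operator started the run in, and the chosen file is installed root-owned as `/etc/default/spamd`, `/etc/spamassassin/local.cf` or `/etc/cron.d/spamassassin-expire`. Started from another directory, the host and group overrides are silently skipped in favour of the defaults, or a `host_files/` tree that happens to exist there supplies the cron file that ends up on the target. Anchoring the candidates to the repository, e.g. `"{{playbook_dir}}/host_files/{{inventory_hostname}}/{{role_name}}/local.cf"` if the override trees live next to the playbook, removes the dependency on the caller's working directory. Writing the modes as `mode: "0644"` would also follow Ansible's recommendation to quote octal modes.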