diff --git a/amavis/conf/amavisd.conf b/amavis/conf/amavisd.conf
deleted file mode 100644
index 295389f9..00000000
--- a/amavis/conf/amavisd.conf
+++ /dev/null
@@ -1,166 +0,0 @@
-use strict;
-use Socket;
-
-###############
-# General
-###############
-
-$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
-$max_servers = 2;
-$daemon_user = 'amavis';
-$daemon_group = 'amavis';
-$mydomain = $ENV{DOMAIN};
-$myhostname = $ENV{HOSTNAME};
-
-$MYHOME = '/var/amavis';
-$TEMPBASE = "$MYHOME/tmp";
-$ENV{TMPDIR} = $TEMPBASE;
-$QUARANTINEDIR = '/var/amavis/quarantine';
-
-$log_level = 1;
-$do_syslog = 1;
-
-$enable_db = 1;
-$nanny_details_level = 2;
-$enable_dkim_verification = 1;
-
-@local_domains_maps = ( ["."] );
-@local_domains_acl = ( "." );
-
-@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
- 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
-@inet_acl = @mynetworks;
-
-$unix_socketname = "$MYHOME/amavisd.sock";
-$inet_socket_port = 2525;
-$inet_socket_bind = undef;
-$forward_method = 'lmtp:imap:2525';
-
-###############
-# Policies
-###############
-
-$interface_policy{'2525'} = 'EXT';
-
-$policy_bank{'EXT'} = {
-};
-
-###############
-# Notifications
-###############
-$virus_admin = "$ENV{POSTMASTER}\@$mydomain";
-$mailfrom_notify_admin = "$ENV{POSTMASTER}\@$mydomain";
-$mailfrom_notify_recip = "$ENV{POSTMASTER}\@$mydomain";
-$mailfrom_notify_spamadmin = "$ENV{POSTMASTER}\@$mydomain";
-$mailfrom_to_quarantine = '';
-
-@addr_extension_virus_maps = ('virus');
-@addr_extension_banned_maps = ('banned');
-@addr_extension_spam_maps = ('spam');
-@addr_extension_bad_header_maps = ('badh');
-$recipient_delimiter = '+';
-
-###############
-# Antispam
-###############
-
-$sa_tag_level_deflt = -9999; # add spam info headers if at, or above that level
-$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level
-$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)
-$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
-$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
-$penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database)
-$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam
-$bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces
-$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
-$sa_local_tests_only = 0; # only tests which do not require internet access?
-$sa_spam_subject_tag = '';
-
-###############
-# Antivirus
-###############
-
-$MAXLEVELS = 14;
-$MAXFILES = 3000;
-$MIN_EXPANSION_QUOTA = 100*1024;
-$MAX_EXPANSION_QUOTA = 500*1024*1024;
-
-$defang_virus = 1; # MIME-wrap passed infected mail
-$defang_banned = 1; # MIME-wrap passed mail containing banned name
-$defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header
-$defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters
-$defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error
-
-@av_scanners = (
- ['ClamAV-clamd',
- \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.sock"],
- qr/\bOK$/m, qr/\bFOUND$/m,
- qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
-);
-
-@av_scanners_backup = ();
-
-###############
-# Maps and fine-tuning
-###############
-
-@score_sender_maps = ({ '.' => [], });
-
-@keep_decoded_original_maps = (new_RE(
- qr'^MAIL$', # let virus scanner see full original message
- qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
- qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
-));
-
-$banned_filename_re = new_RE(
- # BLOCKED ANYWHERE
- qr'^\.(exe|lha|cab|dll)$',
- qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,
-
- # BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
- [ qr'^\.(gz|bz2)$' => 0 ],
- [ qr'^\.(rpm|cpio|tar)$' => 0 ],
- qr'.\.(pif|scr)$'i,
-
- # BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
- [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],
- qr'^application/x-msdownload$'i,
- qr'^application/x-msdos-program$'i,
- qr'^application/hta$'i,
-
- # Block certain double extensions in filenames
- qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
-);
-
-@decoders = (
- ['mail', \&do_mime_decode],
- ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
- ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
- ['gz', \&do_uncompress, 'gzip -d'],
- ['gz', \&do_gunzip],
- ['bz2', \&do_uncompress, 'bzip2 -d'],
- ['xz', \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
- ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma',
- 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
- ['lrz', \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
- ['lzo', \&do_uncompress, 'lzop -d'],
- ['lz4', \&do_uncompress, ['lz4c -d'] ],
- [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
- ['deb', \&do_ar, 'ar'],
- ['rar', \&do_unrar, ['unrar', 'rar'] ],
- ['arj', \&do_unarj, ['unarj', 'arj'] ],
- ['arc', \&do_arc, ['nomarch', 'arc'] ],
- ['zoo', \&do_zoo, ['zoo', 'unzoo'] ],
- ['doc', \&do_ole, 'ripole'],
- ['cab', \&do_cabextract, 'cabextract'],
- ['tnef', \&do_tnef_ext, 'tnef'],
- ['tnef', \&do_tnef],
- [['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
- [['zip','kmz'], \&do_unzip],
- ['7z', \&do_7zip, ['7zr', '7za', '7z'] ],
- [[qw(gz bz2 Z tar)], \&do_7zip, ['7za', '7z'] ],
- [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&do_7zip, '7z' ],
- ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
-);
-
-1; # insure a 
defined return value diff --git a/amavis/start.sh b/amavis/start.sh deleted file mode 100755 index 4763abcf..00000000 --- a/amavis/start.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh - -# Prepare the databases -sa-update - -# Update the AV database -freshclam - -# Actually run Amavis -rm -f /var/run/rsyslogd.pid -/usr/sbin/clamd -/usr/sbin/amavisd -rsyslogd -n diff --git a/clamav/Dockerfile b/clamav/Dockerfile new file mode 100644 index 00000000..e2b41a91 --- /dev/null +++ b/clamav/Dockerfile @@ -0,0 +1,13 @@ +FROM alpine + +RUN apk add --update \ + clamav \ + rsyslog \ + wget \ + && rm -rf /var/cache/apk/* + + +COPY conf /etc/clamav + + +CMD ["/usr/sbin/clamd"] diff --git a/amavis/conf/clamav/clamd.conf b/clamav/conf/clamd.conf similarity index 93% rename from amavis/conf/clamav/clamd.conf rename to clamav/conf/clamd.conf index ee872624..563cbc05 100644 --- a/amavis/conf/clamav/clamd.conf +++ b/clamav/conf/clamd.conf @@ -3,10 +3,11 @@ ############### DatabaseDirectory /data -LogSyslog yes LogTime yes -PidFile /run/clamav/clamd.pid +PidFile /run/clamd.pid LocalSocket /tmp/clamd.sock +TCPSocket 3310 +Foreground yes ############### # Results diff --git a/amavis/conf/clamav/freshclam.conf b/clamav/conf/freshclam.conf similarity index 100% rename from amavis/conf/clamav/freshclam.conf rename to clamav/conf/freshclam.conf diff --git a/amavis/Dockerfile b/rmilter/Dockerfile similarity index 52% rename from amavis/Dockerfile rename to rmilter/Dockerfile index a8d43d1f..41999852 100644 --- a/amavis/Dockerfile +++ b/rmilter/Dockerfile 
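Review bot: The new `clamav/Dockerfile` starts `clamd` directly in `CMD`, and nothing in it runs `freshclam`, which the deleted `amavis/start.sh` ran before launching the daemon. Unless `/data` is populated and refreshed by something outside this diff, the scanner will run with stale or missing signatures. `FROM alpine` is also unpinned, so pinning a release tag or digest (`FROM alpine:<release-tag>`, placeholder) would make rebuilds reproducible. `rsyslog` and `wget` appear unused in the lines shown now that `LogSyslog yes` is dropped, and removing them would shrink the image.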
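Review bot: `TCPSocket 3310` is added in `clamav/conf/clamd.conf` without a `TCPAddr`, so clamd listens on every interface of the container, and the clamd protocol has no authentication. Any host that can reach the port can submit data for scanning or send control commands, so the port should be reachable only from the rmilter container and never published. I would document that next to the setting, e.g. `# TCPSocket is unauthenticated: internal network only, do not publish`, and add `TCPAddr` if a fixed address is available. `LocalSocket /tmp/clamd.sock` is kept although the only client visible in this commit connects over TCP (`servers = antivirus:3310`), so dropping it would leave a single listener to reason about.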
@@ -1,19 +1,13 @@ -FROM alpine +FROM alpine:edge RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \ && apk add --update \ - perl-socket6 \ - perl-io-socket-inet6@testing \ - amavisd-new \ - spamassassin \ - clamav \ - rsyslog \ - wget \ + rmilter@testing rsyslog \ && rm -rf /var/cache/apk/* - -COPY conf /etc/ + +COPY rmilter.conf /etc/rmilter.conf COPY rsyslog.conf /etc/rsyslog.conf COPY start.sh /start.sh -CMD ["/start.sh"] +CMD ["/start.sh"] \ No newline at end of file diff --git a/rmilter/rmilter.conf b/rmilter/rmilter.conf new file mode 100644 index 00000000..7ed30df1 --- /dev/null +++ b/rmilter/rmilter.conf 
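Review bot: The base image moves to the rolling `alpine:edge` tag and `rmilter` is installed from the `@testing` repository over plain `http://`, so every rebuild can pull different and less-vetted packages for a component that sits in the mail path. apk verifies package signatures, but pinning the base image by digest and switching the repository line to an `https://` mirror would make the build reproducible and stop relying on signature checks alone. The new `CMD ["/start.sh"]` line also drops the file's trailing newline.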
@@ -0,0 +1,119 @@
+# pidfile - path to pid file
+pidfile = /run/rmilter.pid;
+
+# bind_socket - socket credits for local bind:
+bind_socket = inet:9900
+
+# tempdir - path to directory that contains temporary files
+tempdir = /tmp;
+
+# tempfiles_mode - set permission for temp files
+tempfiles_mode = 00600;
+
+# max_size - maximum size of scanned mail with clamav and dcc
+max_size = 10M;
+
+# strict_auth - strict checks for mails from authenticated senders
+strict_auth = no;
+
+# use_dcc - whether use or not dcc system
+use_dcc = no;
+use_redis = yes;
+
+clamav {
+ # servers - clamav socket definitions in format:
+ servers = antivirus:3310;
+ # connect_timeout - timeout in miliseconds for connecting to clamav
+ connect_timeout = 1s;
+ # port_timeout - timeout in miliseconds for waiting for clamav port response
+ port_timeout = 4s;
+ # results_timeout - timeout in miliseconds for waiting for clamav response
+ results_timeout = 20s;
+ # error_time - time in seconds during which we are counting errors
+ error_time = 10;
+ # dead_time - time in seconds during which we are thinking that server is down
+ dead_time = 300;
+ # maxerrors - maximum number of errors that can occur during error_time to make us thinking that
+ # Default: 10
+ maxerrors = 10;
+};
+
+spamd {
+ # servers - spamd socket definitions in format:
+ servers = r:antispam:11333;
+ # connect_timeout - timeout in milliseconds for connecting to spamd
+ connect_timeout = 1s;
+ # results_timeout - timeout in milliseconds for waiting for spamd response
+ results_timeout = 20s;
+ # error_time - time in seconds during which we are counting errors
+ error_time = 10;
+ # dead_time - time in seconds during which we are thinking that server is down
+ dead_time = 300;
+ # maxerrors - maximum number of errors that can occur during error_time to make us thinking that
+ maxerrors = 10;
+ # reject_message - reject message for spam
+ reject_message = "Spam message rejected; If this is not spam contact abuse";
+ # whitelist - list of ips or nets that should be not checked with spamd
+ whitelist = 127.0.0.1/32, [::1]/128;
+ # rspamd_metric - metric for using with rspamd
+ rspamd_metric = "default";
+ # Do not reject, add header
+ spamd_never_reject = yes;
+};
+
+redis {
+ # servers_grey - redis servers for greylisting in format:
+ servers_grey = redis:6379;
+ # servers_white - redis servers for whitelisting in format similar to that is used
+ servers_white = redis:6379;
+ # servers_limits - redis servers used for limits storing, can not be mirrored
+ servers_limits = redis:6379;
+ # servers_id - redis servers used for message id storing, can not be mirrored
+ servers_id = redis:6379;
+ # id_prefix - prefix for extracting message ids from redis
+ id_prefix = "message_id.";
+ # grey_prefix - prefix for extracting greylisted records from redis
+ grey_prefix = "grey.";
+ # id_prefix - prefix for extracting whitelisted records from redis
+ white_prefix = "white.";
+ # connect_timeout - timeout in miliseconds for waiting for redis
+ connect_timeout = 1s;
+ # error_time - time in seconds during which we are counting errors
+ error_time = 10;
+ # dead_time - time in seconds during which we are thinking that server is down
+ dead_time = 300;
+ # maxerrors - maximum number of errors that can occur during error_time to make us thinking that
+ maxerrors = 10;
+};
+
+# limits section
+limits {
+ # Whitelisted ip or networks
+ limit_whitelist = 127.0.0.1/32, [::1]/128;
+ # Whitelisted recipients
+ limit_whitelist_rcpt = postmaster, mailer-daemon;
+ # Addrs for bounce checks
+ limit_bounce_addrs = postmaster, mailer-daemon, symantec_antivirus_for_smtp_gateways, <>, null, fetchmail-daemon;
+ # Limit for bounce mail
+ limit_bounce_to = 5:0.000277778;
+ # Limit for bounce mail per one source ip
+ limit_bounce_to_ip = 5:0.000277778;
+ # Limit for all mail per recipient
+ limit_to = 20:0.016666667;
+ # Limit for all mail per one source ip
+ limit_to_ip = 30:0.025;
+ # Limit for all mail per one source ip and from address
+ limit_to_ip_from = 100:0.033333333;
+};
+
+
+greylisting {
+ timeout = 300s;
+ expire = 3d;
+ whitelist = 127.0.0.1, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, [::1]/128;
+ awl_enable = yes;
+ awl_pool = 10M;
+ awl_hits = 10;
+ awl_ttl = 3600s;
+};
+
diff --git a/amavis/rsyslog.conf b/rmilter/rsyslog.conf
similarity index 100%
rename from amavis/rsyslog.conf
rename to rmilter/rsyslog.conf
diff --git a/rmilter/start.sh b/rmilter/start.sh
new file mode 100755
index 00000000..2521ea98
--- /dev/null
+++ b/rmilter/start.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+rm -f /var/run/rsyslogd.pid
+rmilter -c /etc/rmilter.conf
+rsyslogd -n
diff --git a/rspamd/Dockerfile b/rspamd/Dockerfile
new file mode 100644
index 00000000..068404d7
--- /dev/null
+++ b/rspamd/Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine:edge
+
+RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
+ && apk add --update \
+ rspamd@testing rsyslog \
+ && rm -rf /var/cache/apk/*
+
+RUN mkdir /run/rspamd
+
+CMD ["rspamd", "-f", "-i"]
\ No newline at end of file
diff --git a/rspamd/rsyslog.conf b/rspamd/rsyslog.conf
new file mode 100644
index 00000000..13353b80
--- /dev/null
+++ b/rspamd/rsyslog.conf
@@ -0,0 +1,4 @@
+$ModLoad imuxsock
+$template noTimestampFormat,"%syslogtag%%msg%\n"
+$ActionFileDefaultTemplate noTimestampFormat
+*.*;auth,authpriv.none /dev/stdout
diff --git a/rspamd/start.sh b/rspamd/start.sh
new file mode 100755
index 00000000..12b32f8a
--- /dev/null
+++ b/rspamd/start.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rspamd -i
+rsyslogd -n
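Review bot: `bind_socket = inet:9900` in `rmilter/rmilter.conf` is the only assignment in the file without a terminating `;`, which may make the parser swallow the following `tempdir` setting; it should read `bind_socket = inet:9900;`. With no host part the milter socket presumably listens on all interfaces, and the milter protocol is unauthenticated, so the port should be reachable only from the MTA container. The greylisting `whitelist` exempts all of `10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16`, which is broader than the `127.0.0.1/32, [::1]/128` used for `spamd` and `limits`; a comment stating why internal ranges skip greylisting would help. Several comments say timeouts are in "miliseconds" while the values are written as `1s`, `4s` and `20s`, and the comment above `white_prefix` still reads `id_prefix`.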
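Review bot: `CMD ["rspamd", "-f", "-i"]` in `rspamd/Dockerfile` passes `-i` (`--insecure`), which lets rspamd run its workers as a privileged user, so the process that parses untrusted mail runs as root in the container. I would drop `-i` and run under a dedicated account, e.g. `CMD ["rspamd", "-f", "-u", "rspamd", "-g", "rspamd"]` with `/run/rspamd` chowned to it (the account name is an assumption; confirm what the Alpine package creates). The same `-i` appears in `rspamd/start.sh`, and neither that script nor `rspamd/rsyslog.conf` is copied into the image by this Dockerfile, so both look unused. The base is again `alpine:edge` with an `http://` `@testing` repository, so pinning the image by digest would make rebuilds reproducible.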