Replace amavis with rmilter plus clamav and rspamd
parent
82ec86afd8
commit
ccb37addf1
@ -1,166 +0,0 @@
|
|||||||
use strict;
|
|
||||||
use Socket;
|
|
||||||
|
|
||||||
###############
|
|
||||||
# General
|
|
||||||
###############
|
|
||||||
|
|
||||||
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
|
|
||||||
$max_servers = 2;
|
|
||||||
$daemon_user = 'amavis';
|
|
||||||
$daemon_group = 'amavis';
|
|
||||||
$mydomain = $ENV{DOMAIN};
|
|
||||||
$myhostname = $ENV{HOSTNAME};
|
|
||||||
|
|
||||||
$MYHOME = '/var/amavis';
|
|
||||||
$TEMPBASE = "$MYHOME/tmp";
|
|
||||||
$ENV{TMPDIR} = $TEMPBASE;
|
|
||||||
$QUARANTINEDIR = '/var/amavis/quarantine';
|
|
||||||
|
|
||||||
$log_level = 1;
|
|
||||||
$do_syslog = 1;
|
|
||||||
|
|
||||||
$enable_db = 1;
|
|
||||||
$nanny_details_level = 2;
|
|
||||||
$enable_dkim_verification = 1;
|
|
||||||
|
|
||||||
@local_domains_maps = ( ["."] );
|
|
||||||
@local_domains_acl = ( "." );
|
|
||||||
|
|
||||||
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
|
|
||||||
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
|
|
||||||
@inet_acl = @mynetworks;
|
|
||||||
|
|
||||||
$unix_socketname = "$MYHOME/amavisd.sock";
|
|
||||||
$inet_socket_port = 2525;
|
|
||||||
$inet_socket_bind = undef;
|
|
||||||
$forward_method = 'lmtp:imap:2525';
|
|
||||||
|
|
||||||
###############
|
|
||||||
# Policies
|
|
||||||
###############
|
|
||||||
|
|
||||||
$interface_policy{'2525'} = 'EXT';
|
|
||||||
|
|
||||||
$policy_bank{'EXT'} = {
|
|
||||||
};
|
|
||||||
|
|
||||||
###############
|
|
||||||
# Notifications
|
|
||||||
###############
|
|
||||||
$virus_admin = "$ENV{POSTMASTER}\@$mydomain";
|
|
||||||
$mailfrom_notify_admin = "$ENV{POSTMASTER}\@$mydomain";
|
|
||||||
$mailfrom_notify_recip = "$ENV{POSTMASTER}\@$mydomain";
|
|
||||||
$mailfrom_notify_spamadmin = "$ENV{POSTMASTER}\@$mydomain";
|
|
||||||
$mailfrom_to_quarantine = '';
|
|
||||||
|
|
||||||
@addr_extension_virus_maps = ('virus');
|
|
||||||
@addr_extension_banned_maps = ('banned');
|
|
||||||
@addr_extension_spam_maps = ('spam');
|
|
||||||
@addr_extension_bad_header_maps = ('badh');
|
|
||||||
$recipient_delimiter = '+';
|
|
||||||
|
|
||||||
###############
|
|
||||||
# Antispam
|
|
||||||
###############
|
|
||||||
|
|
||||||
$sa_tag_level_deflt = -9999; # add spam info headers if at, or above that level
|
|
||||||
$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level
|
|
||||||
$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)
|
|
||||||
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
|
|
||||||
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
|
|
||||||
$penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database)
|
|
||||||
$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam
|
|
||||||
$bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces
|
|
||||||
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
|
|
||||||
$sa_local_tests_only = 0; # only tests which do not require internet access?
|
|
||||||
$sa_spam_subject_tag = '';
|
|
||||||
|
|
||||||
###############
|
|
||||||
# Antivirus
|
|
||||||
###############
|
|
||||||
|
|
||||||
$MAXLEVELS = 14;
|
|
||||||
$MAXFILES = 3000;
|
|
||||||
$MIN_EXPANSION_QUOTA = 100*1024;
|
|
||||||
$MAX_EXPANSION_QUOTA = 500*1024*1024;
|
|
||||||
|
|
||||||
$defang_virus = 1; # MIME-wrap passed infected mail
|
|
||||||
$defang_banned = 1; # MIME-wrap passed mail containing banned name
|
|
||||||
$defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header
|
|
||||||
$defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters
|
|
||||||
$defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error
|
|
||||||
|
|
||||||
@av_scanners = (
|
|
||||||
['ClamAV-clamd',
|
|
||||||
\&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.sock"],
|
|
||||||
qr/\bOK$/m, qr/\bFOUND$/m,
|
|
||||||
qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
|
|
||||||
);
|
|
||||||
|
|
||||||
@av_scanners_backup = ();
|
|
||||||
|
|
||||||
###############
|
|
||||||
# Maps and fine-tuning
|
|
||||||
###############
|
|
||||||
|
|
||||||
@score_sender_maps = ({ '.' => [], });
|
|
||||||
|
|
||||||
@keep_decoded_original_maps = (new_RE(
|
|
||||||
qr'^MAIL$', # let virus scanner see full original message
|
|
||||||
qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
|
|
||||||
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
|
|
||||||
));
|
|
||||||
|
|
||||||
$banned_filename_re = new_RE(
|
|
||||||
# BLOCKED ANYWHERE
|
|
||||||
qr'^\.(exe|lha|cab|dll)$',
|
|
||||||
qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,
|
|
||||||
|
|
||||||
# BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
|
|
||||||
[ qr'^\.(gz|bz2)$' => 0 ],
|
|
||||||
[ qr'^\.(rpm|cpio|tar)$' => 0 ],
|
|
||||||
qr'.\.(pif|scr)$'i,
|
|
||||||
|
|
||||||
# BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
|
|
||||||
[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],
|
|
||||||
qr'^application/x-msdownload$'i,
|
|
||||||
qr'^application/x-msdos-program$'i,
|
|
||||||
qr'^application/hta$'i,
|
|
||||||
|
|
||||||
# Block certain double extensions in filenames
|
|
||||||
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
|
|
||||||
);
|
|
||||||
|
|
||||||
@decoders = (
|
|
||||||
['mail', \&do_mime_decode],
|
|
||||||
['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
|
|
||||||
['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
|
|
||||||
['gz', \&do_uncompress, 'gzip -d'],
|
|
||||||
['gz', \&do_gunzip],
|
|
||||||
['bz2', \&do_uncompress, 'bzip2 -d'],
|
|
||||||
['xz', \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
|
|
||||||
['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma',
|
|
||||||
'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
|
|
||||||
['lrz', \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
|
|
||||||
['lzo', \&do_uncompress, 'lzop -d'],
|
|
||||||
['lz4', \&do_uncompress, ['lz4c -d'] ],
|
|
||||||
[['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
|
|
||||||
['deb', \&do_ar, 'ar'],
|
|
||||||
['rar', \&do_unrar, ['unrar', 'rar'] ],
|
|
||||||
['arj', \&do_unarj, ['unarj', 'arj'] ],
|
|
||||||
['arc', \&do_arc, ['nomarch', 'arc'] ],
|
|
||||||
['zoo', \&do_zoo, ['zoo', 'unzoo'] ],
|
|
||||||
['doc', \&do_ole, 'ripole'],
|
|
||||||
['cab', \&do_cabextract, 'cabextract'],
|
|
||||||
['tnef', \&do_tnef_ext, 'tnef'],
|
|
||||||
['tnef', \&do_tnef],
|
|
||||||
[['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
|
|
||||||
[['zip','kmz'], \&do_unzip],
|
|
||||||
['7z', \&do_7zip, ['7zr', '7za', '7z'] ],
|
|
||||||
[[qw(gz bz2 Z tar)], \&do_7zip, ['7za', '7z'] ],
|
|
||||||
[[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&do_7zip, '7z' ],
|
|
||||||
['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
|
|
||||||
);
|
|
||||||
|
|
||||||
1; # insure a defined return value
|
|
@ -1,13 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
# Prepare the databases
|
|
||||||
sa-update
|
|
||||||
|
|
||||||
# Update the AV database
|
|
||||||
freshclam
|
|
||||||
|
|
||||||
# Actually run Amavis
|
|
||||||
rm -f /var/run/rsyslogd.pid
|
|
||||||
/usr/sbin/clamd
|
|
||||||
/usr/sbin/amavisd
|
|
||||||
rsyslogd -n
|
|
@ -0,0 +1,13 @@
|
|||||||
|
FROM alpine
|
||||||
|
|
||||||
|
RUN apk add --update \
|
||||||
|
clamav \
|
||||||
|
rsyslog \
|
||||||
|
wget \
|
||||||
|
&& rm -rf /var/cache/apk/*
|
||||||
|
|
||||||
|
|
||||||
|
COPY conf /etc/clamav
|
||||||
|
|
||||||
|
|
||||||
|
CMD ["/usr/sbin/clamd"]
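Review bot: Nothing in this new image fetches or refreshes virus signatures: the deleted start script ran `freshclam` before `clamd`, while this Dockerfile only installs the package and starts the daemon. Unless the copied `conf` directory or a mounted volume supplies a database (neither is visible here), clamd will either fail to start or scan against definitions frozen at build time. One option is `CMD ["/bin/sh", "-c", "freshclam && freshclam -d && exec /usr/sbin/clamd"]`, which assumes the copied clamd.conf keeps clamd in the foreground. `wget` is installed but not used by anything shown in this section.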
|
@ -1,19 +1,13 @@
|
|||||||
FROM alpine
|
FROM alpine:edge
|
||||||
|
|
||||||
RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
|
RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
|
||||||
&& apk add --update \
|
&& apk add --update \
|
||||||
perl-socket6 \
|
rmilter@testing rsyslog \
|
||||||
perl-io-socket-inet6@testing \
|
|
||||||
amavisd-new \
|
|
||||||
spamassassin \
|
|
||||||
clamav \
|
|
||||||
rsyslog \
|
|
||||||
wget \
|
|
||||||
&& rm -rf /var/cache/apk/*
|
&& rm -rf /var/cache/apk/*
|
||||||
|
|
||||||
COPY conf /etc/
|
COPY rmilter.conf /etc/rmilter.conf
|
||||||
COPY rsyslog.conf /etc/rsyslog.conf
|
COPY rsyslog.conf /etc/rsyslog.conf
|
||||||
|
|
||||||
COPY start.sh /start.sh
|
COPY start.sh /start.sh
|
||||||
|
|
||||||
CMD ["/start.sh"]
|
CMD ["/start.sh"]
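Review bot: `FROM alpine:edge` combined with `rmilter@testing` ties the mail-filter image to a rolling branch and an unstable repository, so two builds of the same commit can ship different binaries, with no record of which one is deployed. Pin the base by digest, for example `FROM alpine:edge@sha256:<digest>` (placeholder), and record the package version that was tested. The repository line also uses plain `http://`. apk still verifies package signatures, but an `https://` mirror would stop an on-path party from withholding or delaying updates. The rspamd Dockerfile further down repeats the same two lines.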
|
@ -0,0 +1,119 @@
|
|||||||
|
# pidfile - path to pid file
|
||||||
|
pidfile = /run/rmilter.pid;
|
||||||
|
|
||||||
|
# bind_socket - socket credits for local bind:
|
||||||
|
bind_socket = inet:9900
|
||||||
|
|
||||||
|
# tempdir - path to directory that contains temporary files
|
||||||
|
tempdir = /tmp;
|
||||||
|
|
||||||
|
# tempfiles_mode - set permission for temp files
|
||||||
|
tempfiles_mode = 00600;
|
||||||
|
|
||||||
|
# max_size - maximum size of scanned mail with clamav and dcc
|
||||||
|
max_size = 10M;
|
||||||
|
|
||||||
|
# strict_auth - strict checks for mails from authenticated senders
|
||||||
|
strict_auth = no;
|
||||||
|
|
||||||
|
# use_dcc - whether use or not dcc system
|
||||||
|
use_dcc = no;
|
||||||
|
use_redis = yes;
|
||||||
|
|
||||||
|
clamav {
|
||||||
|
# servers - clamav socket definitions in format:
|
||||||
|
servers = antivirus:3310;
|
||||||
|
# connect_timeout - timeout in miliseconds for connecting to clamav
|
||||||
|
connect_timeout = 1s;
|
||||||
|
# port_timeout - timeout in miliseconds for waiting for clamav port response
|
||||||
|
port_timeout = 4s;
|
||||||
|
# results_timeout - timeout in miliseconds for waiting for clamav response
|
||||||
|
results_timeout = 20s;
|
||||||
|
# error_time - time in seconds during which we are counting errors
|
||||||
|
error_time = 10;
|
||||||
|
# dead_time - time in seconds during which we are thinking that server is down
|
||||||
|
dead_time = 300;
|
||||||
|
# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
|
||||||
|
# Default: 10
|
||||||
|
maxerrors = 10;
|
||||||
|
};
|
||||||
|
|
||||||
|
spamd {
|
||||||
|
# servers - spamd socket definitions in format:
|
||||||
|
servers = r:antispam:11333;
|
||||||
|
# connect_timeout - timeout in milliseconds for connecting to spamd
|
||||||
|
connect_timeout = 1s;
|
||||||
|
# results_timeout - timeout in milliseconds for waiting for spamd response
|
||||||
|
results_timeout = 20s;
|
||||||
|
# error_time - time in seconds during which we are counting errors
|
||||||
|
error_time = 10;
|
||||||
|
# dead_time - time in seconds during which we are thinking that server is down
|
||||||
|
dead_time = 300;
|
||||||
|
# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
|
||||||
|
maxerrors = 10;
|
||||||
|
# reject_message - reject message for spam
|
||||||
|
reject_message = "Spam message rejected; If this is not spam contact abuse";
|
||||||
|
# whitelist - list of ips or nets that should be not checked with spamd
|
||||||
|
whitelist = 127.0.0.1/32, [::1]/128;
|
||||||
|
# rspamd_metric - metric for using with rspamd
|
||||||
|
rspamd_metric = "default";
|
||||||
|
# Do not reject, add header
|
||||||
|
spamd_never_reject = yes;
|
||||||
|
};
|
||||||
|
|
||||||
|
redis {
|
||||||
|
# servers_grey - redis servers for greylisting in format:
|
||||||
|
servers_grey = redis:6379;
|
||||||
|
# servers_white - redis servers for whitelisting in format similar to that is used
|
||||||
|
servers_white = redis:6379;
|
||||||
|
# servers_limits - redis servers used for limits storing, can not be mirrored
|
||||||
|
servers_limits = redis:6379;
|
||||||
|
# servers_id - redis servers used for message id storing, can not be mirrored
|
||||||
|
servers_id = redis:6379;
|
||||||
|
# id_prefix - prefix for extracting message ids from redis
|
||||||
|
id_prefix = "message_id.";
|
||||||
|
# grey_prefix - prefix for extracting greylisted records from redis
|
||||||
|
grey_prefix = "grey.";
|
||||||
|
# id_prefix - prefix for extracting whitelisted records from redis
|
||||||
|
white_prefix = "white.";
|
||||||
|
# connect_timeout - timeout in miliseconds for waiting for redis
|
||||||
|
connect_timeout = 1s;
|
||||||
|
# error_time - time in seconds during which we are counting errors
|
||||||
|
error_time = 10;
|
||||||
|
# dead_time - time in seconds during which we are thinking that server is down
|
||||||
|
dead_time = 300;
|
||||||
|
# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
|
||||||
|
maxerrors = 10;
|
||||||
|
};
|
||||||
|
|
||||||
|
# limits section
|
||||||
|
limits {
|
||||||
|
# Whitelisted ip or networks
|
||||||
|
limit_whitelist = 127.0.0.1/32, [::1]/128;
|
||||||
|
# Whitelisted recipients
|
||||||
|
limit_whitelist_rcpt = postmaster, mailer-daemon;
|
||||||
|
# Addrs for bounce checks
|
||||||
|
limit_bounce_addrs = postmaster, mailer-daemon, symantec_antivirus_for_smtp_gateways, <>, null, fetchmail-daemon;
|
||||||
|
# Limit for bounce mail
|
||||||
|
limit_bounce_to = 5:0.000277778;
|
||||||
|
# Limit for bounce mail per one source ip
|
||||||
|
limit_bounce_to_ip = 5:0.000277778;
|
||||||
|
# Limit for all mail per recipient
|
||||||
|
limit_to = 20:0.016666667;
|
||||||
|
# Limit for all mail per one source ip
|
||||||
|
limit_to_ip = 30:0.025;
|
||||||
|
# Limit for all mail per one source ip and from address
|
||||||
|
limit_to_ip_from = 100:0.033333333;
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
greylisting {
|
||||||
|
timeout = 300s;
|
||||||
|
expire = 3d;
|
||||||
|
whitelist = 127.0.0.1, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, [::1]/128;
|
||||||
|
awl_enable = yes;
|
||||||
|
awl_pool = 10M;
|
||||||
|
awl_hits = 10;
|
||||||
|
awl_ttl = 3600s;
|
||||||
|
};
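Review bot: `bind_socket = inet:9900` is the only setting in this file without a terminating `;`. If the parser requires it, as the rest of the file suggests, rmilter will not start, and whether mail is then delivered unscanned depends on the MTA's milter failure policy, which is not visible here; write it as `bind_socket = inet:9900;`. Separately, the `greylisting` whitelist covers all RFC 1918 ranges, so if the container runtime rewrites source addresses to a bridge IP in 172.16.0.0/12, every external sender would skip greylisting. Confirm what client address rmilter actually sees before keeping those ranges. Several comments say "timeout in miliseconds" although the values use an `s` suffix, and the comment above `white_prefix` still reads `id_prefix`.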
|
||||||
|
|
@ -0,0 +1,5 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
rm -f /var/run/rsyslogd.pid
|
||||||
|
rmilter -c /etc/rmilter.conf
|
||||||
|
rsyslogd -n
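Review bot: The script ignores the exit status of `rmilter -c /etc/rmilter.conf`, so a failed start (bad config, port in use) still reaches `rsyslogd -n` and the container looks healthy with no milter listening. A supervisor will never restart it, and mail may pass unfiltered depending on how the MTA treats an unreachable milter. Fail fast with `rmilter -c /etc/rmilter.conf || exit 1` and hand over PID 1 with `exec rsyslogd -n`. The rspamd start script at the end of this commit has the same shape.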
|
@ -0,0 +1,10 @@
|
|||||||
|
FROM alpine:edge
|
||||||
|
|
||||||
|
RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
|
||||||
|
&& apk add --update \
|
||||||
|
rspamd@testing rsyslog \
|
||||||
|
&& rm -rf /var/cache/apk/*
|
||||||
|
|
||||||
|
RUN mkdir /run/rspamd
|
||||||
|
|
||||||
|
CMD ["rspamd", "-f", "-i"]
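Review bot: `CMD ["rspamd", "-f", "-i"]` passes `-i` (`--insecure`), which tells rspamd to accept running its workers as a privileged user, so the process that parses untrusted mail content runs as root inside the container. Prefer dropping privileges: `RUN mkdir /run/rspamd && chown rspamd:rspamd /run/rspamd` and `CMD ["rspamd", "-f", "-u", "rspamd", "-g", "rspamd"]`, assuming the Alpine package creates an `rspamd` account (verify this in the built image). The start script added at the end of the commit also uses `rspamd -i`. Nothing visible in this Dockerfile copies that script or the rsyslog configuration, so they may be unused.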
|
@ -0,0 +1,4 @@
|
|||||||
|
$ModLoad imuxsock
|
||||||
|
$template noTimestampFormat,"%syslogtag%%msg%\n"
|
||||||
|
$ActionFileDefaultTemplate noTimestampFormat
|
||||||
|
*.*;auth,authpriv.none /dev/stdout
|
@ -0,0 +1,4 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
rspamd -i
|
||||||
|
rsyslogd -n
|