Replace amavis with rmilter plus clamav and rspamd

amavis/conf/amavisd.conf

@@ -1,166 +0,0 @@
-use strict;
-use Socket;
-
-###############
-# General
-###############
-
-$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
-$max_servers = 2;
-$daemon_user  = 'amavis';
-$daemon_group  = 'amavis';
-$mydomain = $ENV{DOMAIN};
-$myhostname = $ENV{HOSTNAME};
-
-$MYHOME = '/var/amavis';
-$TEMPBASE = "$MYHOME/tmp";
-$ENV{TMPDIR} = $TEMPBASE;
-$QUARANTINEDIR = '/var/amavis/quarantine';
-
-$log_level = 1;
-$do_syslog = 1;
-
-$enable_db = 1;
-$nanny_details_level = 2;
-$enable_dkim_verification = 1;
-
-@local_domains_maps = ( ["."] );
-@local_domains_acl = ( "." );
-
-@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
-                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
-@inet_acl = @mynetworks;
-
-$unix_socketname = "$MYHOME/amavisd.sock";
-$inet_socket_port = 2525;
-$inet_socket_bind = undef;
-$forward_method = 'lmtp:imap:2525';
-
-###############
-# Policies
-###############
-
-$interface_policy{'2525'} = 'EXT';
-
-$policy_bank{'EXT'} = {
-};
-
-###############
-# Notifications
-###############
-$virus_admin               = "$ENV{POSTMASTER}\@$mydomain";
-$mailfrom_notify_admin     = "$ENV{POSTMASTER}\@$mydomain";
-$mailfrom_notify_recip     = "$ENV{POSTMASTER}\@$mydomain";
-$mailfrom_notify_spamadmin = "$ENV{POSTMASTER}\@$mydomain";
-$mailfrom_to_quarantine = '';
-
-@addr_extension_virus_maps      = ('virus');
-@addr_extension_banned_maps     = ('banned');
-@addr_extension_spam_maps       = ('spam');
-@addr_extension_bad_header_maps = ('badh');
-$recipient_delimiter = '+';
-
-###############
-# Antispam
-###############
-
-$sa_tag_level_deflt  = -9999;  # add spam info headers if at, or above that level
-$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
-$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)
-$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
-$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
-$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
-$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
-$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces
-$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
-$sa_local_tests_only = 0;    # only tests which do not require internet access?
-$sa_spam_subject_tag = '';
-
-###############
-# Antivirus
-###############
-
-$MAXLEVELS = 14;
-$MAXFILES = 3000;
-$MIN_EXPANSION_QUOTA =      100*1024;
-$MAX_EXPANSION_QUOTA = 500*1024*1024;
-
-$defang_virus  = 1;  # MIME-wrap passed infected mail
-$defang_banned = 1;  # MIME-wrap passed mail containing banned name
-$defang_by_ccat{CC_BADH.",3"} = 1;  # NUL or CR character in header
-$defang_by_ccat{CC_BADH.",5"} = 1;  # header line longer than 998 characters
-$defang_by_ccat{CC_BADH.",6"} = 1;  # header field syntax error
-
-@av_scanners = (
- ['ClamAV-clamd',
-   \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.sock"],
-   qr/\bOK$/m, qr/\bFOUND$/m,
-   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
-);
-
-@av_scanners_backup = ();
-
-###############
-# Maps and fine-tuning
-###############
-
-@score_sender_maps = ({ '.' => [], });
-
-@keep_decoded_original_maps = (new_RE(
-  qr'^MAIL$',                # let virus scanner see full original message
-  qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
-  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
-));
-
-$banned_filename_re = new_RE(
-  # BLOCKED ANYWHERE
-  qr'^\.(exe|lha|cab|dll)$',
-  qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,
-
-  # BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
-  [ qr'^\.(gz|bz2)$'             => 0 ],
-  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],
-  qr'.\.(pif|scr)$'i,
-
-  # BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
-  [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],
-  qr'^application/x-msdownload$'i,
-  qr'^application/x-msdos-program$'i,
-  qr'^application/hta$'i,
-
-  # Block certain double extensions in filenames
-  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
-);
-
-@decoders = (
- ['mail', \&do_mime_decode],
- ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
- ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
- ['gz',   \&do_uncompress, 'gzip -d'],
- ['gz',   \&do_gunzip],
- ['bz2',  \&do_uncompress, 'bzip2 -d'],
- ['xz',   \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
- ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma',
-                            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
- ['lrz',  \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
- ['lzo',  \&do_uncompress, 'lzop -d'],
- ['lz4',  \&do_uncompress, ['lz4c -d'] ],
- [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
- ['deb',  \&do_ar, 'ar'],
- ['rar',  \&do_unrar, ['unrar', 'rar'] ],
- ['arj',  \&do_unarj, ['unarj', 'arj'] ],
- ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
- ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
- ['doc',  \&do_ole,   'ripole'],
- ['cab',  \&do_cabextract, 'cabextract'],
- ['tnef', \&do_tnef_ext, 'tnef'],
- ['tnef', \&do_tnef],
- [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
- [['zip','kmz'], \&do_unzip],
- ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
- [[qw(gz bz2 Z tar)], \&do_7zip,  ['7za', '7z'] ],
- [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&do_7zip,  '7z' ],
- ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
-);
-
-1;  # insure a defined return value

amavis/start.sh

@@ -1,13 +0,0 @@
-#!/bin/sh
-
-# Prepare the databases
-sa-update
-
-# Update the AV database
-freshclam
-
-# Actually run Amavis
-rm -f /var/run/rsyslogd.pid
-/usr/sbin/clamd
-/usr/sbin/amavisd
-rsyslogd -n

clamav/Dockerfile

@@ -0,0 +1,13 @@
+FROM alpine
+
+RUN apk add --update \
+      clamav \
+      rsyslog \
+      wget \
+ && rm -rf /var/cache/apk/*
+
+
+COPY conf /etc/clamav
+
+
+CMD ["/usr/sbin/clamd"]

clamav/conf/clamd.conf

@@ -3,10 +3,11 @@
 ###############
 
 DatabaseDirectory /data
-LogSyslog yes
 LogTime yes
-PidFile /run/clamav/clamd.pid
+PidFile /run/clamd.pid
 LocalSocket /tmp/clamd.sock
+TCPSocket 3310
+Foreground yes
 
 ###############
 # Results

rmilter/Dockerfile

@@ -1,17 +1,11 @@
-FROM alpine
+FROM alpine:edge
 
 RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
  && apk add --update \
-      perl-socket6 \
-      perl-io-socket-inet6@testing \
-      amavisd-new \
-      spamassassin \
-      clamav \
-      rsyslog \
-      wget \
+     rmilter@testing rsyslog \
  && rm -rf /var/cache/apk/*
  
-COPY conf /etc/
+COPY rmilter.conf /etc/rmilter.conf
 COPY rsyslog.conf /etc/rsyslog.conf
 
 COPY start.sh /start.sh

rmilter/rmilter.conf

@@ -0,0 +1,119 @@
+# pidfile - path to pid file
+pidfile = /run/rmilter.pid;
+
+# bind_socket - socket credits for local bind:
+bind_socket = inet:9900
+
+# tempdir - path to directory that contains temporary files
+tempdir = /tmp;
+
+# tempfiles_mode - set permission for temp files
+tempfiles_mode = 00600;
+
+# max_size - maximum size of scanned mail with clamav and dcc
+max_size = 10M;
+
+# strict_auth - strict checks for mails from authenticated senders
+strict_auth = no;
+
+# use_dcc - whether use or not dcc system
+use_dcc = no;
+use_redis = yes;
+
+clamav {
+	# servers - clamav socket definitions in format:
+	servers = antivirus:3310;
+	# connect_timeout - timeout in miliseconds for connecting to clamav
+	connect_timeout = 1s;
+	# port_timeout - timeout in miliseconds for waiting for clamav port response
+	port_timeout = 4s;
+	# results_timeout - timeout in miliseconds for waiting for clamav response
+	results_timeout = 20s;
+	# error_time - time in seconds during which we are counting errors
+	error_time = 10;
+	# dead_time - time in seconds during which we are thinking that server is down
+	dead_time = 300;
+	# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
+	# Default: 10
+	maxerrors = 10;
+};
+
+spamd {
+	# servers - spamd socket definitions in format:
+	servers = r:antispam:11333;
+	# connect_timeout - timeout in milliseconds for connecting to spamd
+	connect_timeout = 1s;
+	# results_timeout - timeout in milliseconds for waiting for spamd response
+	results_timeout = 20s;
+	# error_time - time in seconds during which we are counting errors
+	error_time = 10;
+	# dead_time - time in seconds during which we are thinking that server is down
+	dead_time = 300;
+	# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
+	maxerrors = 10;
+	# reject_message - reject message for spam
+	reject_message = "Spam message rejected; If this is not spam contact abuse";
+	# whitelist - list of ips or nets that should be not checked with spamd
+	whitelist = 127.0.0.1/32, [::1]/128;
+	# rspamd_metric - metric for using with rspamd
+	rspamd_metric = "default";
+    # Do not reject, add header
+    spamd_never_reject = yes;
+};
+
+redis {
+	# servers_grey - redis servers for greylisting in format:
+	servers_grey = redis:6379;
+	# servers_white - redis servers for whitelisting in format similar to that is used
+	servers_white = redis:6379;
+	# servers_limits - redis servers used for limits storing, can not be mirrored
+	servers_limits = redis:6379;
+	# servers_id - redis servers used for message id storing, can not be mirrored
+	servers_id = redis:6379;
+	# id_prefix - prefix for extracting message ids from redis
+	id_prefix = "message_id.";
+	# grey_prefix - prefix for extracting greylisted records from redis
+	grey_prefix = "grey.";
+	# id_prefix - prefix for extracting whitelisted records from redis
+	white_prefix = "white.";
+	# connect_timeout - timeout in miliseconds for waiting for redis
+	connect_timeout = 1s;
+	# error_time - time in seconds during which we are counting errors
+	error_time = 10;
+	# dead_time - time in seconds during which we are thinking that server is down
+	dead_time = 300;
+	# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
+	maxerrors = 10;
+};
+
+# limits section
+limits {
+	# Whitelisted ip or networks
+	limit_whitelist = 127.0.0.1/32, [::1]/128;
+	# Whitelisted recipients
+	limit_whitelist_rcpt =  postmaster, mailer-daemon;
+	# Addrs for bounce checks
+	limit_bounce_addrs = postmaster, mailer-daemon, symantec_antivirus_for_smtp_gateways, <>, null, fetchmail-daemon;
+	# Limit for bounce mail
+	limit_bounce_to = 5:0.000277778;
+	# Limit for bounce mail per one source ip
+	limit_bounce_to_ip = 5:0.000277778;
+	# Limit for all mail per recipient
+	limit_to = 20:0.016666667;
+	# Limit for all mail per one source ip
+	limit_to_ip = 30:0.025;
+	# Limit for all mail per one source ip and from address
+	limit_to_ip_from = 100:0.033333333;
+};
+
+
+greylisting {
+	timeout = 300s;
+	expire = 3d;
+	whitelist = 127.0.0.1, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, [::1]/128;
+	awl_enable = yes;
+	awl_pool = 10M;
+	awl_hits = 10;
+	awl_ttl = 3600s;
+};
+

rmilter/start.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+rm -f /var/run/rsyslogd.pid
+rmilter -c /etc/rmilter.conf
+rsyslogd -n

rspamd/Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine:edge
+
+RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
+ && apk add --update \
+     rspamd@testing rsyslog \
+ && rm -rf /var/cache/apk/*
+ 
+RUN mkdir /run/rspamd
+
+CMD ["rspamd", "-f", "-i"]

rspamd/rsyslog.conf

@@ -0,0 +1,4 @@
+$ModLoad imuxsock
+$template noTimestampFormat,"%syslogtag%%msg%\n"
+$ActionFileDefaultTemplate noTimestampFormat
+*.*;auth,authpriv.none /dev/stdout

rspamd/start.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rspamd -i
+rsyslogd -n