authorSilvio Rhatto <rhatto@riseup.net>2020-05-08 16:03:05 -0300
committerSilvio Rhatto <rhatto@riseup.net>2020-05-08 16:03:05 -0300
commita12e2949947f4a131b9fcbdaa30f5fbff9518ce8 (patch)
tree456ec514640730ae5be592fe61a9ec8be711b823
parent6f215690167ce4c23005feec574c91a8db1ae999 (diff)
Debian Buster changes
-rw-r--r--files/amavisd/20-debian_defaults85
-rw-r--r--manifests/amavisd.pp16
-rw-r--r--manifests/virtual/web/admin.pp2
-rw-r--r--templates/dovecot/dovecot.conf.buster.erb75
4 files changed, 129 insertions, 49 deletions
diff --git a/files/amavisd/20-debian_defaults b/files/amavisd/20-debian_defaults
index d28e02e..e1c6756 100644
--- a/files/amavisd/20-debian_defaults
+++ b/files/amavisd/20-debian_defaults
@@ -33,10 +33,10 @@ $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
$inet_socket_port = 10024; # default listening socket
$sa_spam_subject_tag = '***SPAM*** ';
-$sa_tag_level_deflt = undef; # add spam info headers if at, or above that level
-$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
-$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
-$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
+$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
+$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
+$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
@@ -66,10 +66,12 @@ $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes
# D_REJECT it (and don't D_REJECT mail coming from your forwarders!).
$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
-$final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA
-$final_spam_destiny = D_DISCARD;
+$final_banned_destiny = D_DISCARD;
+$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
+$enable_dkim_verification = 0; #disabled to prevent warning
+
$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
# Set to empty ("") to add no header
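Review bot: `$final_spam_destiny = D_PASS` now hands mail scoring at or above `$sa_kill_level_deflt` (6.31) to the recipient, so the only thing separating it from legitimate mail is the subject tag and spam headers, and any downstream sieve or client rule becomes the sole line of defense; if that is intended, a comment such as `# deliver tagged spam; filtering happens in the user's sieve rules` next to the setting would keep the next maintainer from reverting it. `$enable_dkim_verification = 0; #disabled to prevent warning` turns off amavis's own DKIM signature verification without saying which warning it silences; record the actual message (`# disabled: amavis logged "<warning text here>" on buster`) so the check can be re-enabled once the cause is addressed. The `# due to D_DISCARD default` comment on `$virus_admin` still matches the virus policy but no longer reflects that banned mail is also discarded now.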
@@ -107,7 +109,7 @@ $banned_filename_re = new_RE(
# block certain double extensions anywhere in the base name
qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
- qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Windows Class ID CLSID, strict
+ qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
@@ -121,6 +123,7 @@ $banned_filename_re = new_RE(
# [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed
# [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives
+# [ qr'^application/x-zip-compressed$'i => 0], # allow any within such archives
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
@@ -163,42 +166,44 @@ $banned_filename_re = new_RE(
# read_hash("/var/amavis/sender_scores_sitewide"),
+# This are some examples for whitelists, since envelope senders can be forged
+# they are not enabled by default.
{ # a hash-type lookup table (associative array)
- 'nobody@cert.org' => -3.0,
- 'cert-advisory@us-cert.gov' => -3.0,
- 'owner-alert@iss.net' => -3.0,
- 'slashdot@slashdot.org' => -3.0,
- 'securityfocus.com' => -3.0,
- 'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
- 'security-alerts@linuxsecurity.com' => -3.0,
- 'mailman-announce-admin@python.org' => -3.0,
- 'amavis-user-admin@lists.sourceforge.net'=> -3.0,
- 'amavis-user-bounces@lists.sourceforge.net' => -3.0,
- 'spamassassin.apache.org' => -3.0,
- 'notification-return@lists.sophos.com' => -3.0,
- 'owner-postfix-users@postfix.org' => -3.0,
- 'owner-postfix-announce@postfix.org' => -3.0,
- 'owner-sendmail-announce@lists.sendmail.org' => -3.0,
- 'sendmail-announce-request@lists.sendmail.org' => -3.0,
- 'donotreply@sendmail.org' => -3.0,
- 'ca+envelope@sendmail.org' => -3.0,
- 'noreply@freshmeat.net' => -3.0,
- 'owner-technews@postel.acm.org' => -3.0,
- 'ietf-123-owner@loki.ietf.org' => -3.0,
- 'cvs-commits-list-admin@gnome.org' => -3.0,
- 'rt-users-admin@lists.fsck.com' => -3.0,
- 'clp-request@comp.nus.edu.sg' => -3.0,
- 'surveys-errors@lists.nua.ie' => -3.0,
- 'emailnews@genomeweb.com' => -5.0,
- 'yahoo-dev-null@yahoo-inc.com' => -3.0,
- 'returns.groups.yahoo.com' => -3.0,
- 'clusternews@linuxnetworx.com' => -3.0,
- lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
- lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
+ #'nobody@cert.org' => -3.0,
+ #'cert-advisory@us-cert.gov' => -3.0,
+ #'owner-alert@iss.net' => -3.0,
+ #'slashdot@slashdot.org' => -3.0,
+ #'securityfocus.com' => -3.0,
+ #'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
+ #'security-alerts@linuxsecurity.com' => -3.0,
+ #'mailman-announce-admin@python.org' => -3.0,
+ #'amavis-user-admin@lists.sourceforge.net'=> -3.0,
+ #'amavis-user-bounces@lists.sourceforge.net' => -3.0,
+ #'spamassassin.apache.org' => -3.0,
+ #'notification-return@lists.sophos.com' => -3.0,
+ #'owner-postfix-users@postfix.org' => -3.0,
+ #'owner-postfix-announce@postfix.org' => -3.0,
+ #'owner-sendmail-announce@lists.sendmail.org' => -3.0,
+ #'sendmail-announce-request@lists.sendmail.org' => -3.0,
+ #'donotreply@sendmail.org' => -3.0,
+ #'ca+envelope@sendmail.org' => -3.0,
+ #'noreply@freshmeat.net' => -3.0,
+ #'owner-technews@postel.acm.org' => -3.0,
+ #'ietf-123-owner@loki.ietf.org' => -3.0,
+ #'cvs-commits-list-admin@gnome.org' => -3.0,
+ #'rt-users-admin@lists.fsck.com' => -3.0,
+ #'clp-request@comp.nus.edu.sg' => -3.0,
+ #'surveys-errors@lists.nua.ie' => -3.0,
+ #'emailnews@genomeweb.com' => -5.0,
+ #'yahoo-dev-null@yahoo-inc.com' => -3.0,
+ #'returns.groups.yahoo.com' => -3.0,
+ #'clusternews@linuxnetworx.com' => -3.0,
+ #lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
+ #lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
# soft-blacklisting (positive score)
- 'sender@example.net' => 3.0,
- '.example.net' => 1.0,
+ #'sender@example.net' => 3.0,
+ #'.example.net' => 1.0,
},
], # end of site-wide tables
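Review bot: The new explanatory comment reads `# This are some examples for whitelists, since envelope senders can be forged`; suggest `# These are example whitelist entries; since envelope senders can be forged, they are not enabled by default.` With every entry commented out the hash is now empty, which is harmless, but some thirty lines of dead config remain — keeping two or three entries as the worked example would convey the same thing. The enclosing site-wide table list starts before this hunk.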
diff --git a/manifests/amavisd.pp b/manifests/amavisd.pp
index d726e00..c5d4d22 100644
--- a/manifests/amavisd.pp
+++ b/manifests/amavisd.pp
@@ -23,14 +23,14 @@ class mail::amavisd {
notify => Service['amavis'],
}
- file { "/etc/amavis/conf.d/20-debian_defaults":
- ensure => present,
- owner => root,
- group => root,
- mode => '0644',
- source => "puppet:///modules/mail/amavisd/20-debian_defaults",
- notify => Service['amavis'],
- }
+ #file { "/etc/amavis/conf.d/20-debian_defaults":
+ # ensure => present,
+ # owner => root,
+ # group => root,
+ # mode => '0644',
+ # source => "puppet:///modules/mail/amavisd/20-debian_defaults",
+ # notify => Service['amavis'],
+ #}
file { "/etc/amavis/conf.d/50-user":
ensure => present,
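Review bot: Commenting out the `file { "/etc/amavis/conf.d/20-debian_defaults": ... }` resource leaves that path unmanaged on hosts that already received it from Puppet — the old copy stays in place but is no longer enforced — while this same commit's edits to `files/amavisd/20-debian_defaults` are now never shipped. If the intent is to let the amavisd-new package own that file on buster, say so in a comment instead of leaving the dead resource, e.g. `# 20-debian_defaults is left to the Debian package on buster; site overrides live in 50-user`, and move any setting that still matters into the managed `50-user` file below. The `mail::amavisd` class continues outside this hunk.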
diff --git a/manifests/virtual/web/admin.pp b/manifests/virtual/web/admin.pp
index 76cd715..a71589d 100644
--- a/manifests/virtual/web/admin.pp
+++ b/manifests/virtual/web/admin.pp
@@ -9,7 +9,7 @@ class mail::virtual::web::admin(
}
apache::site { "postfixadmin":
- docroot => '/usr/share/postfixadmin',
+ docroot => '/usr/share/postfixadmin/public',
#docroot => "${apache::sites_folder}/postfixadmin/site",
#use => [ "Site postfixadmin" ],
mpm => false,
diff --git a/templates/dovecot/dovecot.conf.buster.erb b/templates/dovecot/dovecot.conf.buster.erb
new file mode 100644
index 0000000..94c4f09
--- /dev/null
+++ b/templates/dovecot/dovecot.conf.buster.erb
@@ -0,0 +1,75 @@
+# 2.1.7: /etc/dovecot/dovecot.conf
+# OS: Linux 2.6.32-5-vserver-amd64 x86_64 Debian 7.3 ufs
+
+# See http://help.directadmin.com/item.php?id=348
+listen = *
+
+auth_mechanisms = plain login
+log_timestamp = "%Y-%m-%d %H:%M:%S "
+login_log_format_elements = user=<%%u> method=%m %c
+mail_location = maildir:/var/mail/virtual/%u
+mail_privileged_group = mail
+passdb {
+ args = /etc/dovecot/dovecot-sql.conf
+ driver = sql
+}
+plugin {
+ sieve = ~/.dovecot.sieve
+ sieve_storage = ~/sieve
+}
+protocols = imap
+service auth {
+ unix_listener /var/spool/postfix/private/auth {
+ group = postfix
+ mode = 0660
+ user = postfix
+ }
+ unix_listener auth-master {
+ group = mail
+ mode = 0600
+ user = vmail
+ }
+ user = root
+}
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root.
+ssl_cert = </etc/ssl/certs/cert.crt
+ssl_key = </etc/ssl/private/cert.pem
+
+# SSL ciphers to use
+#
+# Since Dovecot started using OpenSSL 1.1, we don't have to disable
+# SSLv2 anymore as it's already removed from OpenSSL.
+#
+# See http://www.virtualmin.com/node/25057
+# https://zmap.io/sslv3/servers.html
+# https://security.stackexchange.com/questions/71872/disable-sslv3-in-dovecot-tls-handshaking-failed-no-shared-cipher
+# https://bbs.archlinux.org/viewtopic.php?id=225535
+ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:SSLv3
+
+# See https://wiki2.dovecot.org/Upgrading/2.3
+#ssl_protocols = !SSLv3
+ssl_min_protocol = TLSv1
+ssl_dh = </etc/dovecot/dh.pem
+
+userdb {
+ args = uid=5000 gid=5000 home=/var/mail/virtual/%u allow_all_users=yes
+ driver = static
+}
+userdb {
+ args = /etc/dovecot/dovecot-sql.conf
+ driver = sql
+}
+protocol pop3 {
+ pop3_uidl_format = %08Xu%08Xv
+}
+protocol lda {
+ auth_socket_path = /var/run/dovecot/auth-master
+ mail_plugins = sieve
+ postmaster_address = postmaster@<%= @fqdn %>
+}
+
+# Should saving a mail to a non-existing mailbox automatically create it?
+lda_mailbox_autocreate = yes
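Review bot: `ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:SSLv3` lists `SSLv3` without a leading `!`, so the final token re-includes the SSLv3-era cipher suites rather than excluding them as the comments and links above it suggest; `!SSLv3` was presumably intended, although with `ssl_min_protocol = TLSv1` the SSLv3 protocol itself is already off. `MEDIUM` together with a TLS 1.0 floor still admits 3DES suites and TLS 1.0/1.1; unless known legacy clients require them, `ssl_min_protocol = TLSv1.2` plus `ssl_prefer_server_ciphers = yes` and dropping the stray `SSLv3` token would be the safer starting point for a buster template. The header comments (`# 2.1.7: /etc/dovecot/dovecot.conf`, `Debian 7.3`) describe the file this was copied from, not the buster target, and should be updated or removed so they do not mislead.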