diff options
| author | Silvio Rhatto <rhatto@riseup.net> | 2020-05-08 16:03:05 -0300 |
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2020-05-08 16:03:05 -0300 |
| commit | a12e2949947f4a131b9fcbdaa30f5fbff9518ce8 (patch) | |
| tree | 456ec514640730ae5be592fe61a9ec8be711b823 | |
| parent | 6f215690167ce4c23005feec574c91a8db1ae999 (diff) | |
| download | puppet-mail-a12e2949947f4a131b9fcbdaa30f5fbff9518ce8.tar.gz puppet-mail-a12e2949947f4a131b9fcbdaa30f5fbff9518ce8.tar.bz2 | |
Debian Buster changes
| -rw-r--r-- | files/amavisd/20-debian_defaults | 85 | ||||
| -rw-r--r-- | manifests/amavisd.pp | 16 | ||||
| -rw-r--r-- | manifests/virtual/web/admin.pp | 2 | ||||
| -rw-r--r-- | templates/dovecot/dovecot.conf.buster.erb | 75 |
4 files changed, 129 insertions, 49 deletions
diff --git a/files/amavisd/20-debian_defaults b/files/amavisd/20-debian_defaults index d28e02e..e1c6756 100644 --- a/files/amavisd/20-debian_defaults +++ b/files/amavisd/20-debian_defaults @@ -33,10 +33,10 @@ $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 $inet_socket_port = 10024; # default listening socket $sa_spam_subject_tag = '***SPAM*** '; -$sa_tag_level_deflt = undef; # add spam info headers if at, or above that level -$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level -$sa_kill_level_deflt = 6.31; # triggers spam evasive actions -$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent +$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level +$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level +$sa_kill_level_deflt = 6.31; # triggers spam evasive actions +$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger $sa_local_tests_only = 0; # only tests which do not require internet access? @@ -66,10 +66,12 @@ $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes # D_REJECT it (and don't D_REJECT mail coming from your forwarders!). $final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine) -$final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA -$final_spam_destiny = D_DISCARD; +$final_banned_destiny = D_DISCARD; +$final_spam_destiny = D_PASS; $final_bad_header_destiny = D_PASS; # False-positive prone (for spam) +$enable_dkim_verification = 0; #disabled to prevent warning + $virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default # Set to empty ("") to add no header @@ -107,7 +109,7 @@ $banned_filename_re = new_RE( # block certain double extensions anywhere in the base name qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, - qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Windows Class ID CLSID, strict + qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, @@ -121,6 +123,7 @@ $banned_filename_re = new_RE( # [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed # [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives +# [ qr'^application/x-zip-compressed$'i => 0], # allow any within such archives qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| @@ -163,42 +166,44 @@ $banned_filename_re = new_RE( # read_hash("/var/amavis/sender_scores_sitewide"), +# This are some examples for whitelists, since envelope senders can be forged +# they are not enabled by default. { # a hash-type lookup table (associative array) - 'nobody@cert.org' => -3.0, - 'cert-advisory@us-cert.gov' => -3.0, - 'owner-alert@iss.net' => -3.0, - 'slashdot@slashdot.org' => -3.0, - 'securityfocus.com' => -3.0, - 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, - 'security-alerts@linuxsecurity.com' => -3.0, - 'mailman-announce-admin@python.org' => -3.0, - 'amavis-user-admin@lists.sourceforge.net'=> -3.0, - 'amavis-user-bounces@lists.sourceforge.net' => -3.0, - 'spamassassin.apache.org' => -3.0, - 'notification-return@lists.sophos.com' => -3.0, - 'owner-postfix-users@postfix.org' => -3.0, - 'owner-postfix-announce@postfix.org' => -3.0, - 'owner-sendmail-announce@lists.sendmail.org' => -3.0, - 'sendmail-announce-request@lists.sendmail.org' => -3.0, - 'donotreply@sendmail.org' => -3.0, - 'ca+envelope@sendmail.org' => -3.0, - 'noreply@freshmeat.net' => -3.0, - 'owner-technews@postel.acm.org' => -3.0, - 'ietf-123-owner@loki.ietf.org' => -3.0, - 'cvs-commits-list-admin@gnome.org' => -3.0, - 'rt-users-admin@lists.fsck.com' => -3.0, - 'clp-request@comp.nus.edu.sg' => -3.0, - 'surveys-errors@lists.nua.ie' => -3.0, - 'emailnews@genomeweb.com' => -5.0, - 'yahoo-dev-null@yahoo-inc.com' => -3.0, - 'returns.groups.yahoo.com' => -3.0, - 'clusternews@linuxnetworx.com' => -3.0, - lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, - lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, + #'nobody@cert.org' => -3.0, + #'cert-advisory@us-cert.gov' => -3.0, + #'owner-alert@iss.net' => -3.0, + #'slashdot@slashdot.org' => -3.0, + #'securityfocus.com' => -3.0, + #'ntbugtraq@listserv.ntbugtraq.com' => -3.0, + #'security-alerts@linuxsecurity.com' => -3.0, + #'mailman-announce-admin@python.org' => -3.0, + #'amavis-user-admin@lists.sourceforge.net'=> -3.0, + #'amavis-user-bounces@lists.sourceforge.net' => -3.0, + #'spamassassin.apache.org' => -3.0, + #'notification-return@lists.sophos.com' => -3.0, + #'owner-postfix-users@postfix.org' => -3.0, + #'owner-postfix-announce@postfix.org' => -3.0, + #'owner-sendmail-announce@lists.sendmail.org' => -3.0, + #'sendmail-announce-request@lists.sendmail.org' => -3.0, + #'donotreply@sendmail.org' => -3.0, + #'ca+envelope@sendmail.org' => -3.0, + #'noreply@freshmeat.net' => -3.0, + #'owner-technews@postel.acm.org' => -3.0, + #'ietf-123-owner@loki.ietf.org' => -3.0, + #'cvs-commits-list-admin@gnome.org' => -3.0, + #'rt-users-admin@lists.fsck.com' => -3.0, + #'clp-request@comp.nus.edu.sg' => -3.0, + #'surveys-errors@lists.nua.ie' => -3.0, + #'emailnews@genomeweb.com' => -5.0, + #'yahoo-dev-null@yahoo-inc.com' => -3.0, + #'returns.groups.yahoo.com' => -3.0, + #'clusternews@linuxnetworx.com' => -3.0, + #lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, + #lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, # soft-blacklisting (positive score) - 'sender@example.net' => 3.0, - '.example.net' => 1.0, + #'sender@example.net' => 3.0, + #'.example.net' => 1.0, }, ], # end of site-wide tables diff --git a/manifests/amavisd.pp b/manifests/amavisd.pp index d726e00..c5d4d22 100644 --- a/manifests/amavisd.pp +++ b/manifests/amavisd.pp @@ -23,14 +23,14 @@ class mail::amavisd { notify => Service['amavis'], } - file { "/etc/amavis/conf.d/20-debian_defaults": - ensure => present, - owner => root, - group => root, - mode => '0644', - source => "puppet:///modules/mail/amavisd/20-debian_defaults", - notify => Service['amavis'], - } + #file { "/etc/amavis/conf.d/20-debian_defaults": + # ensure => present, + # owner => root, + # group => root, + # mode => '0644', + # source => "puppet:///modules/mail/amavisd/20-debian_defaults", + # notify => Service['amavis'], + #} file { "/etc/amavis/conf.d/50-user": ensure => present, diff --git a/manifests/virtual/web/admin.pp b/manifests/virtual/web/admin.pp index 76cd715..a71589d 100644 --- a/manifests/virtual/web/admin.pp +++ b/manifests/virtual/web/admin.pp @@ -9,7 +9,7 @@ class mail::virtual::web::admin( } apache::site { "postfixadmin": - docroot => '/usr/share/postfixadmin', + docroot => '/usr/share/postfixadmin/public', #docroot => "${apache::sites_folder}/postfixadmin/site", #use => [ "Site postfixadmin" ], mpm => false, diff --git a/templates/dovecot/dovecot.conf.buster.erb b/templates/dovecot/dovecot.conf.buster.erb new file mode 100644 index 0000000..94c4f09 --- /dev/null +++ b/templates/dovecot/dovecot.conf.buster.erb @@ -0,0 +1,75 @@ +# 2.1.7: /etc/dovecot/dovecot.conf +# OS: Linux 2.6.32-5-vserver-amd64 x86_64 Debian 7.3 ufs + +# See http://help.directadmin.com/item.php?id=348 +listen = * + +auth_mechanisms = plain login +log_timestamp = "%Y-%m-%d %H:%M:%S " +login_log_format_elements = user=<%%u> method=%m %c +mail_location = maildir:/var/mail/virtual/%u +mail_privileged_group = mail +passdb { + args = /etc/dovecot/dovecot-sql.conf + driver = sql +} +plugin { + sieve = ~/.dovecot.sieve + sieve_storage = ~/sieve +} +protocols = imap +service auth { + unix_listener /var/spool/postfix/private/auth { + group = postfix + mode = 0660 + user = postfix + } + unix_listener auth-master { + group = mail + mode = 0600 + user = vmail + } + user = root +} + +# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before +# dropping root privileges, so keep the key file unreadable by anyone but +# root. +ssl_cert = </etc/ssl/certs/cert.crt +ssl_key = </etc/ssl/private/cert.pem + +# SSL ciphers to use +# +# Since Dovecot started using OpenSSL 1.1, we don't have to disable +# SSLv2 anymore as it's already removed from OpenSSL. +# +# See http://www.virtualmin.com/node/25057 +# https://zmap.io/sslv3/servers.html +# https://security.stackexchange.com/questions/71872/disable-sslv3-in-dovecot-tls-handshaking-failed-no-shared-cipher +# https://bbs.archlinux.org/viewtopic.php?id=225535 +ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:SSLv3 + +# See https://wiki2.dovecot.org/Upgrading/2.3 +#ssl_protocols = !SSLv3 +ssl_min_protocol = TLSv1 +ssl_dh = </etc/dovecot/dh.pem + +userdb { + args = uid=5000 gid=5000 home=/var/mail/virtual/%u allow_all_users=yes + driver = static +} +userdb { + args = /etc/dovecot/dovecot-sql.conf + driver = sql +} +protocol pop3 { + pop3_uidl_format = %08Xu%08Xv +} +protocol lda { + auth_socket_path = /var/run/dovecot/auth-master + mail_plugins = sieve + postmaster_address = postmaster@<%= @fqdn %> +} + +# Should saving a mail to a non-existing mailbox automatically create it? +lda_mailbox_autocreate = yes |