Set up SpamAssassin

Scan incoming and outgoing email for spam. Use a local Unbound for DNS,
so we don't run into blocks for RBL queries.

site-cookbooks/kosmos_email/attributes/default.rb

@@ -1,4 +1,3 @@
 node.default["email"]["domain"] = "example.com"
 node.default["email"]["hostname"] = "mail.example.com"
-# node.default["email"]["user"] = "ray"
-# node.default["email"]["group"] = "email"
+node.default["email"]["report_contact"] = "abuse@example.com"

site-cookbooks/kosmos_email/metadata.rb

@@ -7,4 +7,5 @@ version '0.1.0'
 chef_version '>= 18.0'
 
 depends "hostname"
+depends "unbound"
 depends "postfix"

site-cookbooks/kosmos_email/recipes/default.rb

@@ -21,6 +21,8 @@ firewall_rule "private network access" do
   source   "10.1.1.0/24"
 end
 
+include_recipe 'unbound'
 include_recipe 'kosmos_email::opendkim'
+include_recipe 'kosmos_email::spamassassin'
 include_recipe 'kosmos_email::postfix'
 include_recipe 'kosmos_email::dovecot'

site-cookbooks/kosmos_email/recipes/postfix.rb

@@ -36,9 +36,10 @@ node.normal['postfix']['main']['virtual_transport'] = "lmtp:unix:private/dovecot
 node.normal['postfix']['main']['smtputf8_enable'] = "no"
 node.normal['postfix']['main']['recipient_delimiter'] = "+"
 node.normal['postfix']['main']['alias_maps'] = "hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf"
-node.normal['postfix']['main']['milter_protocol'] = "2"
+node.normal['postfix']['main']['smtpd_sender_login_maps'] = "ldap:/etc/postfix/ldap-username-aliases.cf"
+node.normal['postfix']['main']['milter_protocol'] = "6"
 node.normal['postfix']['main']['milter_default_action'] = "accept"
-node.normal['postfix']['main']['smtpd_milters'] = "inet:localhost:12301"
+node.normal['postfix']['main']['smtpd_milters'] = "inet:localhost:12301 local:spamass/spamass.sock"
 node.normal['postfix']['main']['non_smtpd_milters'] = "inet:localhost:12301"
 
 node.normal['postfix']['master'] = {

site-cookbooks/kosmos_email/recipes/spamassassin.rb

@@ -0,0 +1,34 @@
+#
+# Cookbook:: kosmos_email
+# Recipe:: spamassassin
+#
+
+%w[
+  spamassassin
+  spamc
+  spamass-milter
+].each do |pkg|
+  apt_package pkg
+end
+
+domain         = node["email"]["domain"]
+report_contact = node["email"]["report_contact"]
+
+template "/etc/default/spamassassin" do
+  source    "spamassassin_default.erb"
+  mode      0644
+  variables options: "-u debian-spamd --nouser-config --max-children 10"
+  notifies :restart, "service[spamassassin]", :delayed
+end
+
+template "/etc/spamassassin/local.cf" do
+  source    "spamassassin_local.cf.erb"
+  mode      0644
+  variables whitelist_auth: "*@#{domain}",
+            report_contact: report_contact
+  notifies :restart, "service[spamassassin]", :delayed
+end
+
+service "spamassassin" do
+  action [:enable, :start]
+end

site-cookbooks/kosmos_email/templates/spamass-milter.erb

@@ -0,0 +1,28 @@
+# spamass-milt startup defaults
+
+# OPTIONS are passed directly to spamass-milter.
+# man spamass-milter for details
+
+# Non-standard configuration notes:
+# See README.Debian if you use the -x option with sendmail
+# You should not pass the -d option in OPTIONS; use SOCKET for that.
+
+# Default, use the spamass-milter user as the default user, ignore
+# messages from localhost
+OPTIONS="-u spamass-milter -i 127.0.0.1"
+
+# Reject emails with spamassassin scores > 15.
+#OPTIONS="${OPTIONS} -r 15"
+
+# Do not modify Subject:, Content-Type: or body.
+#OPTIONS="${OPTIONS} -m"
+
+######################################
+# If /usr/sbin/postfix is executable, the following are set by
+# default. You can override them by uncommenting and changing them
+# here.
+######################################
+# SOCKET="/var/spool/postfix/spamass/spamass.sock"
+# SOCKETOWNER="postfix:postfix"
+# SOCKETMODE="0660"
+######################################

site-cookbooks/kosmos_email/templates/spamassassin_default.erb

@@ -0,0 +1,33 @@
+# /etc/default/spamassassin
+# Duncan Findlay
+
+# WARNING: please read README.spamd before using.
+# There may be security risks.
+
+# Prior to version 3.4.2-1, spamd could be enabled by setting
+# ENABLED=1 in this file. This is no longer supported. Instead, please
+# use the update-rc.d command, invoked for example as "update-rc.d
+# spamassassin enable", to enable the spamd service.
+
+# Options
+# See man spamd for possible options. The -d option is automatically added.
+
+# SpamAssassin uses a preforking model, so be careful! You need to
+# make sure --max-children is not set to anything higher than 5,
+# unless you know what you're doing.
+
+OPTIONS="<%= @options %>"
+
+# Pid file
+# Where should spamd write its PID to file? If you use the -u or
+# --username option above, this needs to be writable by that user.
+# Otherwise, the init script will not be able to shut spamd down.
+PIDFILE="/var/run/spamd.pid"
+
+# Set nice level of spamd
+#NICE="--nicelevel 15"
+
+# Cronjob
+# Set to anything but 0 to enable the cron job to automatically update
+# spamassassin's rules on a nightly basis
+CRON=0

site-cookbooks/kosmos_email/templates/spamassassin_local.cf.erb

@@ -0,0 +1,119 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# Only a small subset of options are listed below
+#
+###########################################################################
+
+dns_available yes
+dns_server 127.0.0.1
+
+whitelist_auth <%= @whitelist_auth %>
+
+#    A 'contact address' users should contact for more info. (replaces
+#    _CONTACTADDRESS_ in the report template)
+report_contact <%= @report_contact %>
+
+
+#   Add *****SPAM***** to the Subject header of spam e-mails
+#
+# rewrite_header Subject *****SPAM*****
+
+
+#   Save spam messages as a message/rfc822 MIME attachment instead of
+#   modifying the original message (0: off, 2: use text/plain instead)
+#
+# report_safe 1
+
+
+#   Set which networks or hosts are considered 'trusted' by your mail
+#   server (i.e. not spammers)
+#
+# trusted_networks 212.17.35.
+
+
+#   Set file-locking method (flock is not safe over NFS, but is faster)
+#
+# lock_method flock
+
+
+#   Set the threshold at which a message is considered spam (default: 5.0)
+#
+# required_score 5.0
+
+
+#   Use Bayesian classifier (default: 1)
+#
+# use_bayes 1
+
+
+#   Bayesian classifier auto-learning (default: 1)
+#
+# bayes_auto_learn 1
+
+
+#   Set headers which may provide inappropriate cues to the Bayesian
+#   classifier
+#
+# bayes_ignore_header X-Bogosity
+# bayes_ignore_header X-Spam-Flag
+# bayes_ignore_header X-Spam-Status
+
+
+#   Whether to decode non- UTF-8 and non-ASCII textual parts and recode
+#   them to UTF-8 before the text is given over to rules processing.
+#
+# normalize_charset 1
+
+#   Textual body scan limit    (default: 50000)
+#
+#   Amount of data per email text/* mimepart, that will be run through body
+#   rules.  This enables safer and faster scanning of large messages,
+#   perhaps having very large textual attachments.  There should be no need
+#   to change this well tested default.
+#
+# body_part_scan_size 50000
+
+#   Textual rawbody data scan limit    (default: 500000)
+#
+#   Amount of data per email text/* mimepart, that will be run through
+#   rawbody rules.
+#
+# rawbody_part_scan_size 500000
+
+#   Some shortcircuiting, if the plugin is enabled
+# 
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+#   default: strongly-whitelisted mails are *really* whitelisted now, if the
+#   shortcircuiting plugin is active, causing early exit to save CPU load.
+#   Uncomment to turn this on
+#
+#   SpamAssassin tries hard not to launch DNS queries before priority -100. 
+#   If you want to shortcircuit without launching unneeded queries, make
+#   sure such rule priority is below -100. These examples are already:
+#
+# shortcircuit USER_IN_WHITELIST       on
+# shortcircuit USER_IN_DEF_WHITELIST   on
+# shortcircuit USER_IN_ALL_SPAM_TO     on
+# shortcircuit SUBJECT_IN_WHITELIST    on
+
+#   the opposite; blacklisted mails can also save CPU
+#
+# shortcircuit USER_IN_BLACKLIST       on
+# shortcircuit USER_IN_BLACKLIST_TO    on
+# shortcircuit SUBJECT_IN_BLACKLIST    on
+
+#   if you have taken the time to correctly specify your "trusted_networks",
+#   this is another good way to save CPU
+#
+# shortcircuit ALL_TRUSTED             on
+
+#   and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99                spam
+# shortcircuit BAYES_00                ham
+
+endif # Mail::SpamAssassin::Plugin::Shortcircuit