Set up SpamAssassin

Scan incoming and outgoing email for spam. Use a local Unbound for DNS, so we don't run into blocks for RBL queries.
2023-12-06 12:12:00 +01:00
parent 05ccbcc58f
commit b3f2ca415e
40 changed files with 2145 additions and 4 deletions
--- a/site-cookbooks/kosmos_email/recipes/default.rb
+++ b/site-cookbooks/kosmos_email/recipes/default.rb
@@ -21,6 +21,8 @@ firewall_rule "private network access" do
  source   "10.1.1.0/24"
 end

+include_recipe 'unbound'
 include_recipe 'kosmos_email::opendkim'
+include_recipe 'kosmos_email::spamassassin'
 include_recipe 'kosmos_email::postfix'
 include_recipe 'kosmos_email::dovecot'
--- a/site-cookbooks/kosmos_email/recipes/postfix.rb
+++ b/site-cookbooks/kosmos_email/recipes/postfix.rb
@@ -36,9 +36,10 @@ node.normal['postfix']['main']['virtual_transport'] = "lmtp:unix:private/dovecot
 node.normal['postfix']['main']['smtputf8_enable'] = "no"
 node.normal['postfix']['main']['recipient_delimiter'] = "+"
 node.normal['postfix']['main']['alias_maps'] = "hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf"
-node.normal['postfix']['main']['milter_protocol'] = "2"
+node.normal['postfix']['main']['smtpd_sender_login_maps'] = "ldap:/etc/postfix/ldap-username-aliases.cf"
+node.normal['postfix']['main']['milter_protocol'] = "6"
 node.normal['postfix']['main']['milter_default_action'] = "accept"
-node.normal['postfix']['main']['smtpd_milters'] = "inet:localhost:12301"
+node.normal['postfix']['main']['smtpd_milters'] = "inet:localhost:12301 local:spamass/spamass.sock"
 node.normal['postfix']['main']['non_smtpd_milters'] = "inet:localhost:12301"

 node.normal['postfix']['master'] = {
--- a/site-cookbooks/kosmos_email/recipes/spamassassin.rb
+++ b/site-cookbooks/kosmos_email/recipes/spamassassin.rb
@@ -0,0 +1,34 @@
+#
+# Cookbook:: kosmos_email
+# Recipe:: spamassassin
+#
+
+%w[
+  spamassassin
+  spamc
+  spamass-milter
+].each do |pkg|
+  apt_package pkg
+end
+
+domain         = node["email"]["domain"]
+report_contact = node["email"]["report_contact"]
+
+template "/etc/default/spamassassin" do
+  source    "spamassassin_default.erb"
+  mode      0644
+  variables options: "-u debian-spamd --nouser-config --max-children 10"
+  notifies :restart, "service[spamassassin]", :delayed
+end
+
+template "/etc/spamassassin/local.cf" do
+  source    "spamassassin_local.cf.erb"
+  mode      0644
+  variables whitelist_auth: "*@#{domain}",
+            report_contact: report_contact
+  notifies :restart, "service[spamassassin]", :delayed
+end
+
+service "spamassassin" do
+  action [:enable, :start]
+end