Better configuration

2023-04-04 23:17:49 +02:00
parent 45870e20ef
commit 1423fe0e6e
11 changed files with 218 additions and 22 deletions
--- a/installer.cfg
+++ b/installer.cfg
@@ -0,0 +1,131 @@
+[general]
+hostname = mail.%(domain)s
+
+[certificate]
+generate = true
+type = letsencrypt
+
+[letsencrypt]
+email = aa@aa.fr
+
+[database]
+engine = postgres
+host = 127.0.0.1
+install = true
+
+[postgres]
+user = postgres
+password = 
+
+[mysql]
+user = root
+password = DPnHqZYHZ3gegiVT
+charset = utf8
+collation = utf8_general_ci
+
+[fail2ban]
+enabled = true
+config_dir = /etc/fail2ban
+max_retry = 20
+ban_time = 3600
+find_time = 30
+
+[modoboa]
+user = modoboa
+home_dir = /srv/modoboa
+venv_path = %(home_dir)s/env
+instance_path = %(home_dir)s/instance
+timezone = Europe/Paris
+dbname = modoboa
+dbuser = modoboa
+dbpassword = Zj3PY6G2M8Hw6Gig
+extensions = modoboa-rspamd modoboa-pdfcredentials modoboa-postfix-autoreply modoboa-sievefilters modoboa-webmail modoboa-contacts modoboa-radicale
+devmode = false
+
+[automx]
+enabled = true
+user = automx
+config_dir = /etc
+home_dir = /srv/automx
+venv_path = %(home_dir)s/env
+instance_path = %(home_dir)s/instance
+
+[rspamd]
+enabled = true
+password = B7ugujmFa2LLwu93
+dnsbl = true
+dkim_keys_storage_dir = /var/lib/dkim
+keys_path_map = /var/lib/dkim/keys.path.map
+selectors_path_map = /var/lib/dkim/selectors.path.map
+greylisting = true
+
+[amavis]
+enabled = false
+user = amavis
+max_servers = 2
+dbname = amavis
+dbuser = amavis
+dbpassword = YSidxAfIqPC191Ir
+
+[clamav]
+enabled = true
+user = clamav
+
+[dovecot]
+enabled = true
+config_dir = /etc/dovecot
+user = dovecot
+home_dir = /srv/vmail
+mailboxes_owner = vmail
+extra_protocols = 
+postmaster_address = postmaster@%(domain)s
+radicale_auth_socket_path = /var/run/dovecot/auth-radicale
+
+[nginx]
+enabled = true
+config_dir = /etc/nginx
+
+[razor]
+enabled = true
+config_dir = /etc/razor
+
+[postfix]
+enabled = true
+config_dir = /etc/postfix
+message_size_limit = 11534336
+
+[postwhite]
+enabled = true
+config_dir = /etc
+
+[spamassassin]
+enabled = false
+config_dir = /etc/mail/spamassassin
+dbname = spamassassin
+dbuser = spamassassin
+dbpassword = s44EHekTTwOboebX
+
+[uwsgi]
+enabled = true
+config_dir = /etc/uwsgi
+nb_processes = 2
+
+[radicale]
+enabled = true
+user = radicale
+config_dir = /etc/radicale
+home_dir = /srv/radicale
+venv_path = %(home_dir)s/env
+
+[opendkim]
+enabled = false
+user = opendkim
+config_dir = /etc
+port = 12345
+keys_storage_dir = /var/lib/dkim
+dbuser = opendkim
+dbpassword = acTggtM3vZeVBYRn
+
+[backup]
+default_path = ./modoboa_backup/
+
--- a/modoboa_installer/config_dict_template.py
+++ b/modoboa_installer/config_dict_template.py
@@ -283,8 +283,6 @@ ConfigDictTemplate = [
            {
                "option": "dbpassword",
                "default": make_password,
-                "customizable": True,
-                "question": "Please enter amavis db password"
            },
        ],
    },
--- a/modoboa_installer/scripts/files/postfix/main.cf.tpl
+++ b/modoboa_installer/scripts/files/postfix/main.cf.tpl
@@ -124,6 +124,7 @@ strict_rfc821_envelopes = yes

 # Rspamd setup
 %{rspamd_enabled}smtpd_milters = inet:localhost:11332
+%{rspamd_enabled}non_smtpd_milters = inet:localhost:11332
 %{rspamd_enabled}milter_default_action = accept
 %{rspamd_enabled}milter_protocol = 6

@@ -160,14 +161,14 @@ smtpd_recipient_restrictions =
 %{rspamd_disabled}postscreen_dnsbl_threshold = 3
 %{rspamd_disabled}postscreen_dnsbl_action = enforce

-postscreen_greet_banner = Welcome, please wait... 
-postscreen_greet_action = enforce
+%{rspamd_disabled}postscreen_greet_banner = Welcome, please wait...
+%{rspamd_disabled}postscreen_greet_action = enforce

-postscreen_pipelining_enable = yes
-postscreen_pipelining_action = enforce
+%{rspamd_disabled}postscreen_pipelining_enable = yes
+%{rspamd_disabled}postscreen_pipelining_action = enforce

-postscreen_non_smtp_command_enable = yes
-postscreen_non_smtp_command_action = enforce
+%{rspamd_disabled}postscreen_non_smtp_command_enable = yes
+%{rspamd_disabled}postscreen_non_smtp_command_action = enforce

-postscreen_bare_newline_enable = yes
-postscreen_bare_newline_action = enforce
+%{rspamd_disabled}postscreen_bare_newline_enable = yes
+%{rspamd_disabled}postscreen_bare_newline_action = enforce
--- a/modoboa_installer/scripts/files/postfix/master.cf.tpl
+++ b/modoboa_installer/scripts/files/postfix/master.cf.tpl
@@ -9,7 +9,8 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
-smtp      inet  n       -       -       -       1       postscreen
+%{rspamd_disabled}smtp      inet  n       -       -       -       1       postscreen
+%{rspamd_enabled}smtp      inet  n       -       -       -       -       smtpd
 smtpd     pass  -       -       -       -       -       smtpd
 %{amavis_enabled}  -o smtpd_proxy_filter=inet:[127.0.0.1]:10024 
 %{amavis_enabled}  -o smtpd_proxy_options=speed_adjust
--- a/modoboa_installer/scripts/files/rspamd/local.d/antivirus.conf.tpl
+++ b/modoboa_installer/scripts/files/rspamd/local.d/antivirus.conf.tpl
@@ -1,11 +1,14 @@
 clamav {
+  scan_mime_parts = true;
+  scan_text_mime = true;
+  scan_image_mime = true;
+
  symbol = "CLAM_VIRUS";
  type = "clamav";
-  servers = "127.0.0.1:3310";
+  servers = "/var/run/clamd.amavisd/clamd.sock";
+
  patterns {
    # symbol_name = "pattern";
-    JUST_EICAR = '^Eicar-Test-Signature$';
+    JUST_EICAR = "Test.EICAR";
  }
 }
-
-
--- a/modoboa_installer/scripts/files/rspamd/local.d/greylisting.conf.tpl
+++ b/modoboa_installer/scripts/files/rspamd/local.d/greylisting.conf.tpl
@@ -1,2 +1,3 @@
+%{greylisting_disabled}enabled = false;
 servers = "127.0.0.1:6379";
 %{postwhite_enabled}whitelisted_ip = "/etc/postfix/postscreen_spf_whitelist.cidr"
--- a/modoboa_installer/scripts/files/rspamd/local.d/metrics.conf.tpl
+++ b/modoboa_installer/scripts/files/rspamd/local.d/metrics.conf.tpl
@@ -0,0 +1,20 @@
+actions {
+    reject = 15; # normal value is 15, 150 so it will never be rejected
+    add_header = 6; # set to 0.1 for testing, 6 for normal operation.
+    rewrite_subject = 8; # Default: 8
+    greylist = 4; # Default: 4
+}
+
+group "antivirus" {
+  symbol "JUST_EICAR" {
+    weight = 10;
+    description = "Eicar test signature";
+  }
+  symbol "CLAM_VIRUS_FAIL" {
+    weight = 0;
+  }
+  symbol "CLAM_VIRUS" {
+    weight = 10;
+    description = "ClamAV found a Virus";
+  }
+}
--- a/modoboa_installer/scripts/files/rspamd/local.d/milter_headers.conf.tpl
+++ b/modoboa_installer/scripts/files/rspamd/local.d/milter_headers.conf.tpl
@@ -0,0 +1,33 @@
+use = ["x-spam-status", "my-x-spam-score" ,"x-virus","authentication-results" ];
+extended_spam_headers = false;
+skip_local = false;
+skip_authenticated = false;
+
+# Write the score as a header
+custom {
+   my-x-spam-score = <<EOD
+     return function(task, common_meta)
+       local sc = common_meta['metric_score'] or task:get_metric_score()
+       -- return no error
+       return nil,
+       -- header(s) to add
+       {['X-Spam-Score'] = string.format('%.2f', sc[1])},
+       -- header(s) to remove
+       {['X-Spam-Score'] = 1},
+       -- metadata to store
+       {}
+   end
+EOD;
+}
+
+routines {
+  x-virus {
+    header = "X-Virus";
+    remove = 1;
+    symbols = ["CLAM_VIRUS", "JUST_EICAR"];
+  }
+}
+
+
+
+
--- a/modoboa_installer/scripts/files/rspamd/local.d/worker-controller.inc
+++ b/modoboa_installer/scripts/files/rspamd/local.d/worker-controller.inc
@@ -1 +0,0 @@
-enable_password = %controller_password
--- a/modoboa_installer/scripts/postfix.py
+++ b/modoboa_installer/scripts/postfix.py
@@ -61,7 +61,7 @@ class Postfix(base.Installer):
                "modoboa", "instance_path"),
            "opendkim_port": self.config.get(
                "opendkim", "port"),
-            "rspamd_disabled": "" if not self.config.get(
+            "rspamd_disabled": "" if not self.config.getboolean(
                "rspamd", "enabled") else "#"
        })
        return context
--- a/modoboa_installer/scripts/rspamd.py
+++ b/modoboa_installer/scripts/rspamd.py
@@ -24,7 +24,10 @@ class Rspamd(base.Installer):
                    "local.d/spf.conf",
                    "local.d/worker-controller.inc",
                    "local.d/worker-normal.inc",
-                    "local.d/worker-proxy.inc"]
+                    "local.d/worker-proxy.inc",
+                    "local.d/greylist.conf",
+                    "local.d/milter_headers.conf",
+                    "local.d/metrics.conf"]

    @property
    def config_dir(self):
@@ -51,11 +54,9 @@ class Rspamd(base.Installer):
    def get_config_files(self):
        """Return appropriate config files."""
        _config_files = self.config_files
-        if self.config.get("clamav", "enabled"):
+        if self.config.getboolean("clamav", "enabled"):
            _config_files.append("local.d/antivirus.conf")
-        if self.app_config["dnsbl"]:
-            _config_files.append("local.d/greylisting.conf")
-        if not self.app_config["dnsbl"]:
+        if self.app_config["dnsbl"].lower() == "true":
            _config_files.append("local.d/rbl.conf")
        return _config_files

@@ -71,8 +72,16 @@ class Rspamd(base.Installer):
            _context["controller_password"] = password
        else:
            _context["controller_password"] = controller_password
+        _context["greylisting_disabled"] = "" if not self.app_config["greylisting"] else "#"
+        if not self.app_config["greylisting"]:
+            _context["postwhite_enabled"] = "#"
        return _context

+    def post_run(self):
+        """Additional tasks."""
+        if self.config("clamav", "enabled"):
+            install("clamav", self.config, self.upgrade, self.archive_path)
+
    def custom_backup(self, path):
        """Backup custom configuration if any."""
        custom_config_dir = os.path.join(self.config_dir,