Revision baae2ab9

IDbaae2ab9996ec7e6747c9c3714bff5e6245f0641
Parent 3caf716f
Child 0cbb4780

Added by Marc Dequènes 11 months ago

add policyd-weight


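--- a/ansible/playbooks/tenants/duckcorp/mail.yml
+++ b/ansible/playbooks/tenants/duckcorp/mail.yml
@@ -1,5 +1,12 @@
 ---
 
+- hosts: mx1_servers,mx2_servers
+  tasks:
+    - name: Install DNSBL Checker
+      import_role:
+        name: dc-policyd-weight
+  tags: antispam_dnsbl
+
 - hosts: mx_servers
   tasks:
     - name: Install MTA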
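--- a/ansible/roles/dc-policyd-weight/README.md
+++ b/ansible/roles/dc-policyd-weight/README.md
@@ -0,0 +1,10 @@
+# Ansible role to manage policyd-weight
+
+## Introduction
+
+[policyd-weight](http://www.policyd-weight.org/) is a to check the mail envelope/HELO and query DNSBL and give it a score.
+
+This role install policyd-weight and setup the configuration to use DNSBL only, as other checks have prouved unreliable.
+
+Parameters are hardcoded for DuckCorp's needs.
+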
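--- a/ansible/roles/dc-policyd-weight/files/policyd-weight.conf
+++ b/ansible/roles/dc-policyd-weight/files/policyd-weight.conf
@@ -0,0 +1,107 @@
+
+# DNSBL doc:
+#   - http://www.sdsc.edu/~jeff/spam/cbc.html
+#   - http://www.spamcannibal.org/dnsbl_compare.shtml
+#   - http://spamlinks.net/filter-dnsbl-lists.htm#spamsource
+
+# Duck: HELO checks SUX!!!
+$dnsbl_checks_only = 1;
+
+   $REJECTLEVEL  = 3;               # Mails with scores which exceed this
+                                    # REJECTLEVEL will be rejected
+
+#   $DEFER_LEVEL  = 5;               # DEFER mail only up to this level
+                                    # scores greater than DEFER_LEVEL will be
+                                    # rejected
+                                    # DEFAULT: 5
+#@dnsbl_checks_only_regexps = (
+#	qr/yahoo.com$/
+#);
+
+## DNSBL settings
+#   @dnsbl_score = (
+##    HOST,                    HIT SCORE,  MISS SCORE,  LOG NAME
+#    'pbl.spamhaus.org',       3.25,          0,        'DYN_PBL_SPAMHAUS',
+#    'sbl-xbl.spamhaus.org',   4.35,       -1.5,        'SBL_XBL_SPAMHAUS',
+#    'bl.spamcop.net',         2.75,       -0.5,        'SPAMCOP',
+#    'dnsbl.njabl.org',        4.25,       -1.5,        'BL_NJABL',
+#    'ix.dnsbl.manitu.net',    4.35,          0,        'IX_MANITU',
+#    'rbl.ipv6-world.net',     4.25,          0,        'IPv6_RBL'
+#);
+   @dnsbl_score = (
+#    HOST,                    HIT SCORE,  MISS SCORE,  LOG NAME
+#   'list.dnswl.org',          -10,          0,        'DNSWL_PASS',
+    'b.barracudacentral.org', 5.00,          0,        'BARRACUDA',
+    'zen.spamhaus.org',       5.00,          0,        'ZEN_SPAMHAUS',
+    'psbl.surriel.com',       4.25,          0,        'PSBL_SURRIEL',
+    'l2.apews.org',           4.00,          0,        'APEWS_L2',
+    'bl.mailspike.net',       3.25,          0,        'MAILSPIKE',
+    'cbl.abuseat.org',        3.25,          0,        'ABUSEAT',
+    'virus.rbl.jp',           3.00,          0,        'VIRUS_JP',
+    'ix.dnsbl.manitu.net',    3.00,          0,        'IX_MANITU',
+    'bl.spamcop.net',         2.50,          0,        'SPAMCOP',
+    'dnsbl-2.uceprotect.net', 2.00,          0,        'UCEPROTECT_2',
+    'dyna.spamrats.com',      2.00,          0,        'SPAMRATS_DYNA',
+    'bl.spameatingmonkey.net',2.00,          0,        'SEM_BL',
+);
+
+
+   $MAXDNSBLHITS  = 2;  # If Client IP is listed in MORE
+#   $MAXDNSBLHITS  = 4;  # If Client IP is listed in MORE
+                        # DNSBLS than this var, it gets
+                        # REJECTed immediately
+
+   $MAXDNSBLSCORE = 7;  # alternatively, if the score of
+#   $MAXDNSBLSCORE = 9;  # alternatively, if the score of
+                        # DNSBLs is ABOVE this
+                        # level, reject immediately
+
+## RHSBL settings
+   @rhsbl_score = (
+    'multi.surbl.org',             4,        0,        'SURBL',
+#    'dsn.rfc-ignorant.org',        1,        0,        'DSN_RFCI',
+#    'postmaster.rfc-ignorant.org', 0.1,      0,        'PM_RFCI',
+#    'abuse.rfc-ignorant.org',      0.1,      0,        'ABUSE_RFCI'
+);
+
+
+# scores for checks, WARNING: they may manipulate eachother
+# or be factors for other scores.
+#                                       HIT score, MISS Score
+#   @client_ip_eq_helo_score          = (1.5,       -1.25 );
+#   @helo_score                       = (1.5,       -2    );
+    @helo_from_mx_eq_ip_score         = (0,         -1.5  );
+#   @helo_numeric_score               = (2.5,        0    );
+    @from_match_regex_verified_helo   = (0.1,       -2    );
+    @from_match_regex_unverified_helo = (0.2,       -1.5  );
+#   @from_match_regex_failed_helo     = (2.5,        0    );
+#   @helo_seems_dialup                = (1.5,        0    );
+#   @failed_helo_seems_dialup         = (2,          0    );
+#   @helo_ip_in_client_subnet         = (0,         -1.2  );
+#   @helo_ip_in_cl16_subnet           = (0,         -0.41 );
+#   @client_seems_dialup_score        = (3.75,       0    );
+    @from_multiparted                 = (0,          0    );
+#   @from_anon                        = (1.17,       0    );
+#   @bogus_mx_score                   = (2.1,        0    );
+#   @random_sender_score              = (0.25,       0    );
+    @rhsbl_penalty_score              = (1  ,        0    );
+#   @enforce_dyndns_score             = (3,          0    );
+
+
+#   $VERBOSE = 0;
+
+#
+# Process Options
+#
+
+#   $MAX_PROC        = 50;          # Upper limit if child processes
+#   $MIN_PROC        = 3;           # keep that minimum processes alive
+
+#   $SOMAXCONN       = 1024;        # Maximum of client connections
+                                   # policyd-weight accepts
+                                   # Default: 1024
+
+
+#   $CHILDIDLE       = 240;         # how many seconds a child may be idle before
+                                   # it dies.
+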
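Review bot: With `$REJECTLEVEL = 3` and `$dnsbl_checks_only = 1`, six of the twelve active `@dnsbl_score` entries (HIT 3.25 to 5.00) exceed the reject level on their own, so one listing on one third-party zone is enough to refuse a message, and the `list.dnswl.org` entry that could offset a false positive is commented out. That leaves `$MAXDNSBLHITS` and `$MAXDNSBLSCORE` with little to decide and ties inbound delivery to each of those zones staying accurate and staying in service; a zone that is retired and begins answering every query would, as far as this file shows, reject every sender. If two independent listings are meant to be required, keep each single HIT score at or below the reject level and state the rule above the table, for example `# invariant: no single HIT score may exceed $REJECTLEVEL; rejection needs two lists`. A `# list set last reviewed: <date>` line next to the "DNSBL doc" links would also tell the next maintainer when the zones were last checked.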
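--- a/ansible/roles/dc-policyd-weight/handlers/main.yml
+++ b/ansible/roles/dc-policyd-weight/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Restart policyd-weight
+  service:
+    name: policyd-weight
+    state: restarted
+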
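--- a/ansible/roles/dc-policyd-weight/meta/main.yml
+++ b/ansible/roles/dc-policyd-weight/meta/main.yml
@@ -0,0 +1,14 @@
+---
+galaxy_info:
+  author: Marc Dequènes (Duck)
+  description: Ansible role to manage policyd-weight
+  license: gplv3
+  min_ansible_version: 2.5
+  platforms:
+  - name: Debian
+    versions:
+    - 9
+  categories:
+  - antispam
+  - dnsbl
+dependencies: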
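Review bot: `dependencies:` on the last line of meta/main.yml has no value, so it loads as null rather than an empty list; write `dependencies: []` to state that the role has none. `min_ansible_version: 2.5` is read as a float, and quoting it as `min_ansible_version: "2.5"` keeps a later value such as 2.10 from collapsing to 2.1.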
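--- a/ansible/roles/dc-policyd-weight/tasks/main.yml
+++ b/ansible/roles/dc-policyd-weight/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+
+- name: Install policyd-weight
+  package:
+    name: policyd-weight
+    state: present
+
+- name: Copy policyd-weight configuration
+  copy:
+    src: policyd-weight.conf
+    dest: /etc/
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart policyd-weight
+
+- name: Start policyd-weight Service
+  service:
+    name: policyd-weight
+    enabled: yes
+    state: started
+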
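Review bot: `mode: 0644` in the "Copy policyd-weight configuration" task is an unquoted number, so the resulting permissions depend on the YAML loader treating the leading zero as octal; a quoted string, `mode: "0644"`, removes that dependency and is the form the Ansible documentation recommends. In the same task `dest: /etc/` relies on the trailing slash to keep the source file name, and `dest: /etc/policyd-weight.conf` would make the target explicit. The "Start policyd-weight Service" task uses `enabled: yes`, which is better written `enabled: true`.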
