Update to 2021-12-01 19:13

roles/pmg/templates/dehydrated_deploy_hook.j2

@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+{% if pmg_letsencrypt_cert is defined %}
+if [ $1 == "{{ pmg_letsencrypt_cert }}" ]; then
+  cat /var/lib/dehydrated/certificates/certs/{{ pmg_letsencrypt_cert }}/privkey.pem > /etc/pmg/pmg-tls.pem
+  cat /var/lib/dehydrated/certificates/certs/{{ pmg_letsencrypt_cert }}/fullchain.pem >> /etc/pmg/pmg-tls.pem
+  chown root:root /etc/pmg/pmg-tls.pem
+  chmod 600 /etc/pmg/pmg-tls.pem
+  /bin/systemctl reload postfix
+fi
+{% endif %}

roles/pmg/templates/filebeat.yml.j2

@@ -0,0 +1,8 @@
+- type: log
+  enabled: True
+  paths:
+    - /var/log/postgresql/postgresql-11-main.log
+    - /var/log/pmgproxy/*.log
+  exclude_files:
+    - '\.[gx]z$'
+    - '\d+$'

roles/pmg/templates/imap-sa-learn.j2

@@ -0,0 +1,15 @@
+{% if pmg_bayes_imap_server is defined %}
+IMAP_SA_LEARN_SERVER={{ pmg_bayes_imap_server }}
+{% endif %}
+{% if pmg_bayes_imap_user is defined %}
+IMAP_SA_LEARN_USER={{ pmg_bayes_imap_user }}
+{% endif %}
+{% if pmg_bayes_imap_pass is defined %}
+IMAP_SA_LEARN_PASSWORD={{ pmg_bayes_imap_pass | quote }}
+{% endif %}
+IMAP_SA_LEARN_SPAMDIR={{ pmg_bayes_imap_spam }}
+IMAP_SA_LEARN_HAMDIR={{ pmg_bayes_imap_ham }}
+IMAP_SA_LEARN_SECURITY={{ pmg_bayes_imap_security }}
+{% if pmg_bays_imap_attachment %}
+IMAP_SA_LEARN_ATTACHMENT=1
+{% endif %}

roles/pmg/templates/imap-sa-learn.service.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=Train spamassassin beayes from an IMAP account
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/default/imap-sa-learn
+ExecStart=/usr/local/bin/imap-sa-learn
+TimeoutSec=7200

roles/pmg/templates/imap-sa-learn.timer.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=Train spamassassin beayes from an IMAP account
+
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target

roles/pmg/templates/keytable.j2

@@ -0,0 +1,3 @@
+{% for domain in pmg_dkim_sign %}
+{{ (domain.domain == '*') | ternary('default',domain.domain) }} {{ (domain.domain == '*') | ternary('%',domain.domain) }}:{{ domain.selector | default('default') }}:/etc/opendkim/keys/{{ (domain.domain == '*') | ternary('default',domain.domain) }}/{{ domain.selector | default('default') }}.private
+{% endfor %}

roles/pmg/templates/logrotate.d/rsyslog.j2

@@ -0,0 +1,37 @@
+/var/log/syslog
+{
+        rotate 24
+        monthly
+        missingok
+        notifempty
+        delaycompress
+        compress
+        postrotate
+                /usr/lib/rsyslog/rsyslog-rotate
+        endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+        rotate 52
+        weekly
+        missingok
+        notifempty
+        compress
+        delaycompress
+        sharedscripts
+        postrotate
+                /usr/lib/rsyslog/rsyslog-rotate
+        endscript
+}

roles/pmg/templates/master.cf.in.j2

@@ -0,0 +1,154 @@
+#
+# Postfix master process configuration file.  Each logical line
+# describes how a Postfix daemon program should be run.
+#
+# A logical line starts with non-whitespace, non-comment text.
+# Empty lines and whitespace-only lines are ignored, as are comment
+# lines whose first non-whitespace character is a `#'.
+# A line that starts with whitespace continues a logical line.
+#
+# The fields that make up each line are described below. A "-" field
+# value requests that a default value be used for that field.
+#
+# Service: any name that is valid for the specified transport type
+# (the next field).  With INET transports, a service is specified as
+# host:port.  The host part (and colon) may be omitted. Either host
+# or port may be given in symbolic form or in numeric form. Examples
+# for the SMTP server:  localhost:smtp receives mail via the loopback
+# interface only; 10025 receives mail on port 10025.
+#
+# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
+# sockets, "fifo" for named pipes.
+#
+# Private: whether or not access is restricted to the mail system.
+# Default is private service.  Internet (inet) sockets can't be private.
+#
+# Unprivileged: whether the service runs with root privileges or as
+# the owner of the Postfix system (the owner name is controlled by the
+# mail_owner configuration variable in the main.cf file). Only the
+# pipe, virtual and local delivery daemons require privileges.
+#
+# Chroot: whether or not the service runs chrooted to the mail queue
+# directory (pathname is controlled by the queue_directory configuration
+# variable in the main.cf file). Presently, all Postfix daemons can run
+# chrooted, except for the pipe, virtual and local delivery daemons.
+# The proxymap server can run chrooted, but doing so defeats most of
+# the purpose of having that service in the first place.
+# The files in the examples/chroot-setup subdirectory describe how
+# to set up a Postfix chroot environment for your type of machine.
+#
+# Wakeup time: automatically wake up the named service after the
+# specified number of seconds. A ? at the end of the wakeup time
+# field requests that wake up events be sent only to services that
+# are actually being used.  Specify 0 for no wakeup. Presently, only
+# the pickup, queue manager and flush daemons need a wakeup timer.
+#
+# Max procs: the maximum number of processes that may execute this
+# service simultaneously. Default is to use a globally configurable
+# limit (the default_process_limit configuration parameter in main.cf).
+# Specify 0 for no process count limit.
+#
+# Command + args: the command to be executed. The command name is
+# relative to the Postfix program directory (pathname is controlled by
+# the daemon_directory configuration variable). Adding one or more
+# -v options turns on verbose logging for that service; adding a -D
+# option enables symbolic debugging (see the debugger_command variable
+# in the main.cf configuration file). See individual command man pages
+# for specific command-line options, if any.
+#
+# In order to use the "uucp" message transport below, set up entries
+# in the transport table.
+#
+# In order to use the "cyrus" message transport below, configure it
+# in main.cf as the mailbox_transport.
+#
+# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
+# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
+#
+# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+
+[% IF ! pmg.mail.before_queue_filtering -%]
+scan      unix  -       -       n       -       [% pmg.mail.max_filters %]      lmtp
+  -o lmtp_send_xforward_command=yes
+  -o lmtp_connection_cache_on_demand=no
+  -o disable_dns_lookups=yes
+[% END -%]
+
+[% pmg.mail.int_port %]       inet  n -       -       -       [% pmg.mail.max_smtpd_out %]      smtpd
+[% IF pmg.mail.before_queue_filtering -%]
+  -o smtpd_proxy_filter=127.0.0.1:10023
+  -o smtpd_proxy_options=speed_adjust
+  -o smtpd_client_connection_count_limit=[% pmg.mail.conn_count_limit div 5 %]
+[%- ELSE -%]
+  -o content_filter=scan:127.0.0.1:10023
+[%- END %]
+  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
+  -o smtpd_helo_restrictions=
+  -o smtpd_client_restrictions=
+  -o smtpd_sender_restrictions=
+  -o smtpd_milters={{ pmg_smtpd_milters_int | join(',') }}
+
+[% pmg.mail.ext_port %]       inet  n -       -       -       1 postscreen
+
+smtpd       pass  - -       -       -       [% pmg.mail.max_smtpd_in %]      smtpd
+[% IF pmg.mail.before_queue_filtering -%]
+  -o smtpd_proxy_filter=127.0.0.1:10024
+  -o smtpd_proxy_options=speed_adjust
+  -o smtpd_client_connection_count_limit=[% pmg.mail.conn_count_limit div 5 %]
+[%- ELSE -%]
+  -o content_filter=scan:127.0.0.1:10024
+[%- END %]
+  -o receive_override_options=no_address_mappings
+  -o smtpd_discard_ehlo_keywords=silent-discard,dsn
+  -o mynetworks=127.0.0.0/8,[% postfix.int_ip %]
+
+127.0.0.1:10025 inet  n       -       n       -       -      smtpd
+  -o content_filter=
+  -o local_recipient_maps=
+  -o relay_recipient_maps=
+  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
+  -o smtpd_helo_restrictions=
+  -o smtpd_client_restrictions=
+  -o smtpd_restriction_classes=
+  -o smtpd_sender_restrictions=
+  -o smtpd_recipient_restrictions=permit_mynetworks,reject
+  -o mynetworks=127.0.0.0/8
+  -o smtpd_error_sleep_time=0
+  -o smtpd_client_connection_count_limit=0
+  -o smtpd_client_connection_rate_limit=0
+  -o smtpd_tls_security_level=none
+  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+  -o message_size_limit=[% (pmg.mail.maxsize*2) %]
+
+pickup    fifo  n       -       -       60      1       pickup
+cleanup   unix  n       -       -       -       0       cleanup
+  -o message_size_limit=[% (pmg.mail.maxsize*2) %]
+
+qmgr      fifo  n       -       -       300     1       qmgr
+rewrite   unix  -       -       -       -       -       trivial-rewrite
+bounce    unix  -       -       -       -       0       bounce
+defer     unix  -       -       -       -       0       bounce
+flush     unix  n       -       -       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+smtp      unix  -       -       -       -       -       smtp
+relay     unix  -       -       -       -       -       smtp
+showq     unix  n       -       -       -       -       showq
+error     unix  -       -       -       -       -       error
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+verify    unix  -       -       -       -       1       verify
+trace     unix  -       -       n       -       0       bounce
+tlsmgr    unix  -       -       -       1000?   1       tlsmgr
+anvil     unix  -       -       -       -       1       anvil
+scache    unix  -       -       -       -       1       scache
+discard   unix  -       -       -       -       -       discard
+retry     unix  -       -       -       -       -       error
+dnsblog   unix  -       -       -       -       0       dnsblog
+tlsproxy  unix  -       -       -       -       0       tlsproxy
+

roles/pmg/templates/opendkim.conf.j2

@@ -0,0 +1,23 @@
+Syslog yes
+LogResults yes
+LogWhy yes
+SyslogSuccess yes
+UMask 007
+{% if item == 'signer' %}
+KeyTable /etc/opendkim/keytable
+SigningTable /etc/opendkim/signingtable
+Mode s
+InternalHosts 0.0.0.0/0
+{% else %}
+Mode v
+AllowSHA1Only yes
+AlwaysAddARHeader yes
+{% endif %}
+Socket local:/var/run/opendkim/{{ item }}.sock
+PidFile /var/run/opendkim/{{ item }}.pid
+TrustAnchorFile /usr/share/dns/root.key
+UserID opendkim
+Background no
+{% if pmg_dkim_nameservers is defined and pmg_dkim_nameservers | length > 0 %}
+Nameservers {{ pmg_dkim_nameservers | join(',') }}
+{% endif %}

roles/pmg/templates/opendkim.service.j2

@@ -0,0 +1,23 @@
+[Unit]
+Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter - {{ item }}
+Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
+After=network.target nss-lookup.target
+
+[Service]
+Type=simple
+UMask=0007
+ExecStart=/usr/sbin/opendkim -x /etc/opendkim/{{ item }}.conf
+User=opendkim
+Group=opendkim
+MemoryLimit=50M
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+Restart=on-failure
+ExecReload=/bin/kill -USR1 $MAINPID
+
+[Install]
+WantedBy=multi-user.target
+

roles/pmg/templates/pmg_post_backup.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+find /home/lbkp/pmg/ -type f -mtime +7 -exec rm -f "{}" \;

roles/pmg/templates/pmg_pre_backup.sh.j2

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eo pipefail
+
+/usr/bin/systemd-cat /usr/bin/pmgbackup backup
+cp -a /etc/opendkim/keys /home/lbkp/pmg/

roles/pmg/templates/saslauthd.conf.j2

@@ -0,0 +1,10 @@
+ldap_servers: {{ pmg_ldap_servers | join(' ') }}
+ldap_start_tls: {{ pmg_ldap_starttls | ternary('yes','no') }}
+ldap_tls_check_peer: yes
+ldap_tls_cacert_file: /etc/ssl/certs/ca-certificates.crt
+ldap_search_base: {{ pmg_ldap_search_base }}
+ldap_filter: {{ pmg_ldap_filter }}
+{% if pmg_ldap_bind_dn is defined and pmg_ldap_bind_pass is defined %}
+ldap_bind_dn: {{ pmg_ldap_bind_dn }}
+ldap_password: {{ pmg_ldap_bind_pass }}
+{% endif %}

roles/pmg/templates/saslauthd.j2

@@ -0,0 +1,6 @@
+START=yes
+DESC="SASL Authentication Daemon"
+NAME="saslauthd"
+MECHANISMS="ldap"
+MECH_OPTIONS=""
+OPTIONS="-c -m /var/run/saslauthd"

roles/pmg/templates/signingtable.j2

@@ -0,0 +1,3 @@
+{% for domain in pmg_dkim_sign | sort(attribute='priority') %}
+{{ domain.domain }} {{ (domain.domain == '*') | ternary('default',domain.domain) }}
+{% endfor %}

roles/pmg/templates/smtpd.conf.j2

@@ -0,0 +1,2 @@
+pwcheck_method: saslauthd
+mech_list: plain login

roles/pmg/templates/spamassassin/bayes_auto_learn.cf.j2

@@ -0,0 +1,2 @@
+# Bayes autolearn never gave any interesting results
+bayes_auto_learn 0

roles/pmg/templates/spamassassin/fromnamespoof.cf.j2

@@ -0,0 +1,36 @@
+# skip messages with one or more of these headers
+fns_ignore_headers List-Id List-Post Mailing-List X-Forwarded-For
+
+# Does the From:name look like an email address
+header   __PLUGIN_FROMNAME_EMAIL eval:check_fromname_contains_email()
+
+# Is the From:name differen to the from header
+header   __PLUGIN_FROMNAME_DIFFERENT eval:check_fromname_different()
+
+# From:name owners differ
+header   __PLUGIN_FROMNAME_OWNERS_DIFFER eval:check_fromname_owners_differ()
+
+# From:name domain differs to from header
+header   __PLUGIN_FROMNAME_DOMAIN_DIFFER eval:check_fromname_domain_differ()
+
+# From:name and From:address don't match and owners differ
+header   __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
+
+# From:name address matches To:address
+header   __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
+
+meta     FROMNAME_SPOOF  (__PLUGIN_FROMNAME_SPOOF)
+describe FROMNAME_SPOOF From:name doesn't match From:address
+score    FROMNAME_SPOOF 1
+
+meta     FROMNAME_SPOOF_EQUALS_TO  (FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
+describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
+score    FROMNAME_SPOOF_EQUALS_TO 1
+
+meta     FROMNAME_EQUALS_TO (!FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
+describe FROMNAME_EQUALS_TO From:name matches To: address
+score    FROMNAME_EQUALS_TO 0.01
+
+meta     FROMNAME_SPOOF_FREEMAIL (FREEMAIL_FROM && FROMNAME_SPOOF)
+describe FROMNAME_SPOOF_FREEMAIL From:name spoof and Freemail From:address
+score    FROMNAME_SPOOF_FREEMAIL 2.0

roles/pmg/templates/spamassassin/fromnamespoof.pre.j2

@@ -0,0 +1 @@
+loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

roles/pmg/templates/spamassassin/hashbl.cf.j2

@@ -0,0 +1,3 @@
+header   HASHBL_EMAIL       eval:check_hashbl_emails('ebl.msbl.org')
+describe HASHBL_EMAIL       Message contains email address found on EBL
+score    HASHBL_EMAIL       2.5

roles/pmg/templates/spamassassin/hashbl.pre.j2

@@ -0,0 +1 @@
+loadplugin Mail::SpamAssassin::Plugin::HashBL

roles/pmg/templates/spamassassin/phishing.cf.j2

@@ -0,0 +1,7 @@
+{% if pmg_use_openphish %}
+phishing_openphish_feed /etc/mail/spamassassin/openphish.txt
+{% endif %}
+phishing_phishtank_feed /var/lib/spamassassin/phishtank.txt
+body     URI_PHISHING      eval:check_phishing()
+describe URI_PHISHING      Url match phishing in feed
+score    URI_PHISHING      3

roles/pmg/templates/spamassassin/phishing.pre.j2

@@ -0,0 +1 @@
+loadplugin Mail::SpamAssassin::Plugin::Phishing

roles/pmg/templates/update-phishing-feeds.j2

@@ -0,0 +1,34 @@
+#!/bin/bash -e
+
+NEED_RELOAD=0
+
+TEMP=$(mktemp -u)
+wget https://data.phishtank.com/data/online-valid.csv -O $TEMP
+OLD_SHA1=""
+if [ -e /var/lib/spamassassin/phishtank-feed.csv ]; then
+  OLD_SHA1=$(sha1sum /var/lib/spamassassin/phishtank.txt)
+fi
+NEW_SHA1=$(sha1sum $TEMP)
+
+if [ "$OLD_SHA1" != "$NEW_SHA1" ]; then
+  mv -f $TEMP /var/lib/spamassassin/phishtank.txt
+  NEED_RELOAD=1
+fi
+
+{% if pmg_use_openphish %}
+wget https://openphish.com/feed.txt -O $TEMP
+OLD_SHA1=""
+if [ -e /var/lib/spamassassin/openphish.txt ]; then
+  OLD_SHA1=$(sha1sum /var/lib/spamassassin/openphish.txt)
+fi
+NEW_SHA1=$(sha1sum $TEMP)
+
+if [ "$OLD_SHA1" != "$NEW_SHA1" ]; then
+  mv -f $TEMP /var/lib/spamassassin/openphish.txt
+  NEED_RELOAD=1
+fi
+{% endif %}
+
+if [ "$NEED_RELOAD" == "1" ]; then
+  systemctl reload pmg-smtp-filter
+fi