Fix the ssl setup on both spamd and spamc (milter). Add pyzor setup.

defaults/main.yml

@@ -12,18 +12,24 @@ spamassassin_home: /etc/mail/spamassassin
 spamassassin_rh_packages:
   - spamassassin
   - spamassassin-iXhash2
-  - pyzor
+  - python2-pip
 
 spamassassin_sql_rh_packages:
   - perl-DBD-Pg
   - perl-DBI
 
+spamassassin_pyzor_pip_packages:
+  - pip
+  - pyzor
+
+spamassassin_listen_ip: '127.0.0.1'
+spamassassin_authorized_ip_addresses: '127.0.0.1'
 spamassassin_spamd_port: 783
 spamassassin_conf_dir: '{{ spamassassin_home }}'
 spamassassin_sysconfig_file: '/etc/sysconfig/spamassassin'
 # Only postgresql support for the time being
 spamassassin_db_user_config: True
-spamassassin_spamd_sql_opts: '-q -x '
+spamassassin_spamd_sql_opts: '-q -x -u {{ spamassassin_user }} -g {{ spamassassin_group }}'
 spamassassin_db_name: 'spamassassin'
 spamassassin_db_user: 'spamassassin_u'
 # spamassassin_db_pwd: 'use a vault file'
@@ -35,15 +41,20 @@ spamassassin_db_allowed_hosts:
   - '127.0.0.1'
   - '{{ ansible_fqdn }}'
 
+spamassassin_enable_pyzor: True
 spamassassin_use_bayes: False
 spamassassin_bayes_sql_db: '{{ spamassassin_db_user_config }}'
 spamassassin_use_bayes_autolearn: '0'
 spamassassin_use_bayes_auto_expire: '1'
 spamassassin_auto_whitelist: False
 spamassassin_auto_whitelist_sql_db: '{{ spamassassin_db_user_config }}'
+spamassassin_disable_rbls: False
+spamassassin_disabled_rbls_list: []
+#  - bldomain
+#  - sorbs.net
 
 spamassassin_spamd_ssl_enabled: True
-spamassassin_spamd_ssl_opts: '-u {{ spamassassin_user }} -g {{ spamassassin_group }} --ssl --server-key {{ spamassassin_home }}/client-key.pem --server-cert {{ spamassassin_home }}/client-cert.pem'
+spamassassin_spamd_ssl_opts: '--ssl --server-key {{ spamassassin_home }}/client-key.pem --server-cert {{ spamassassin_home }}/client-cert.pem'
 
 psql_db_data:
   - { name: '{{ spamassassin_db_name }}', encoding: 'UTF8', user: '{{ spamassassin_db_user }}', roles: 'NOCREATEDB,NOSUPERUSER', pwd: '{{ spamassassin_db_pwd }}', managedb: True, allowed_hosts: '{{ spamassassin_db_allowed_hosts }}', extensions: [ '' ], schema_file: '/srv/spamassassin.sql' }
@@ -60,18 +71,14 @@ spamassassin_milter_pref_default_user: 'root'
 spamassassin_milter_reject_code: '5.7.1'
 spamassassin_milter_reject_message: 'Blocked by SpamAssassin'
 spamassassin_milter_connect_to_external_spamd: False
-spamassassin_milter_external_spamd_host: '127.0.0.1'
+# separate with a comma if more than one
+spamassassin_milter_external_spamd_hosts: '127.0.0.1'
+spamassassin_milter_external_round_robin_hosts: True
 spamassassin_milter_external_spamd_port: '{{ spamassassin_spamd_port }}'
 spamassassin_milter_exclude_whitelisted_networks: False
 # Separate with commas
 spamassassin_milter_whitelisted_networks: '127.0.0.1/8'
 spamassassin_milter_reject_limit: 15
 spamassassin_milter_change_headers: True
-
-spamassassin_disable_rbls: False
-spamassassin_disabled_rbls_list: []
-#  - bldomain
-#  - sorbs.net
-
-spamassassin_enable_pyzor: True
+spamassassin_milter_ssl_enabled: '{{ spamassassin_spamd_ssl_enabled }}'
 

tasks/spamassassin.yml

@@ -1,5 +1,5 @@
 ---
-- name: Create the spamassasin user and install the Spamassassin packages
+- name: Create the spamassassin user and install the Spamassassin packages on RH based systems
   block:
     - name: Create the spamassassin user
       user: name={{ spamassassin_user }} home={{ spamassassin_home }} comment="Spamassassin Service Account" createhome=no shell=/usr/sbin/nologin system=yes
@@ -20,6 +20,17 @@
   when: ansible_distribution_file_variety == "RedHat"
   tags: [ 'spamassassin' ]
 
+- name: Install pyzor from pip
+  block:
+    - name: Install the pyzor pip packages
+      pip: name={{ spamassassin_pyzor_pip_packages }} state=latest
+
+    - name: Create the pyzor home
+      file: dest={{ spamassassin_conf_dir }}/pyzor state=directory owner={{ spamassassin_user }} mode=0750
+
+  when: spamassassin_enable_pyzor | bool
+  tags: [ 'spamassassin', 'pyzor', 'spamassassin_conf' ]
+
 - name: Manage the letsencrypt configuration
   block:
   - name: Check if the letsencrypt certificates are in place
@@ -57,13 +68,6 @@
       template: src=spamassassin_sysconfig.j2 dest=/etc/sysconfig/spamassassin owner=root group=root mode=0444
       notify: Reload spamassassin
 
-    - name: Configure pyzor if enabled
-      command: pyzor --homedir {{ spamassassin_conf_dir }} discover
-      args:
-        creates: '{{ spamassassin_conf_dir }}/servers'
-      when: spamassassin_enable_pyzor | bool
-      notify: Reload spamassassin
-
   tags: [ 'spamassassin', 'spamassassin_conf' ]
   
 - name: Install the Spamassassin DB configuration

templates/spamass-milter_sysconfig.j2

@@ -5,4 +5,4 @@
 ### spamass-milter-root.service instead of spamass-milter.service if you
 ### wish to do this but otherwise it's best to run as the unprivileged user
 ### sa-milt by using the normal spamass-milter.service
-EXTRA_FLAGS="{% if not spamassassin_milter_change_headers %}-m {% endif %}{% if spamassassin_milter_set_pref_dom_and_user %}-e {{ spamassassin_milter_pref_default_domain }} -u {{ spamassassin_milter_pref_default_user }}{% endif %} -r {{ spamassassin_milter_reject_limit }} -C {{ spamassassin_milter_reject_code }} -R '{{ spamassassin_milter_reject_message }}' {% if spamassassin_milter_exclude_whitelisted_networks %}-i {{ spamassassin_milter_whitelisted_networks }}{% endif %} {% if spamassassin_milter_connect_to_external_spamd %}-- -d {{ spamassassin_milter_external_spamd_host }}:{{ spamassassin_milter_external_spamd_port }}{% endif %}"
+EXTRA_FLAGS="{% if not spamassassin_milter_change_headers %}-m {% endif %}{% if spamassassin_milter_set_pref_dom_and_user %}-e {{ spamassassin_milter_pref_default_domain }} -u {{ spamassassin_milter_pref_default_user }}{% endif %} -r {{ spamassassin_milter_reject_limit }} -C {{ spamassassin_milter_reject_code }} -R '{{ spamassassin_milter_reject_message }}' {% if spamassassin_milter_exclude_whitelisted_networks %}-i {{ spamassassin_milter_whitelisted_networks }}{% endif %} {% if spamassassin_milter_connect_to_external_spamd %}-- -d {{ spamassassin_milter_external_spamd_hosts }} -p {{ spamassassin_milter_external_spamd_port }}{% if spamassassin_milter_external_round_robin_hosts %} -H{% endif %}{%if spamassassin_milter_ssl_enabled %} -S{% endif %}{% endif %}"

templates/spamassassin-local.cf.j2

@@ -24,5 +24,5 @@ skip_rbl_checks 1
 dns_query_restriction deny {{ rbl }}
 {% endfor %}
 {% if spamassassin_enable_pyzor %}
-pyzor_options --homedir {{ spamassassin_conf_dir }}
+pyzor_options --homedir {{ spamassassin_conf_dir }}/pyzor
 {% endif %}

templates/spamassassin_sysconfig.j2

@@ -1,2 +1,2 @@
 # Options to spamd
-SPAMDOPTIONS="-d -m5 -H {% if spamassassin_db_user_config %}{{ spamassassin_spamd_sql_opts }}{% else %} -c{% endif %} {% if spamassassin_spamd_ssl_enabled %}{{ spamassassin_spamd_ssl_opts }}{% endif %}"
+SPAMDOPTIONS="-d -m5 -i {{ spamassassin_listen_ip }}:{{ spamassassin_spamd_port }} -H {% if spamassassin_db_user_config %}{{ spamassassin_spamd_sql_opts }}{% else %} -c{% endif %} {% if spamassassin_spamd_ssl_enabled %}{{ spamassassin_spamd_ssl_opts }}{% endif %} -A {{ spamassassin_authorized_ip_addresses }}"