Fix the ssl setup on both spamd and spamc (milter). Add pyzor setup.

2020-04-14 19:03:57 +02:00 · 2020-04-14 19:03:57 +02:00 · bfba891bb7
parent 1b1716508e
commit bfba891bb7
5 changed files with 33 additions and 22 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -12,18 +12,24 @@ spamassassin_home: /etc/mail/spamassassin
 spamassassin_rh_packages:
  - spamassassin
  - spamassassin-iXhash2
-  - pyzor
+  - python2-pip

 spamassassin_sql_rh_packages:
  - perl-DBD-Pg
  - perl-DBI

+spamassassin_pyzor_pip_packages:
+  - pip
+  - pyzor
+
+spamassassin_listen_ip: '127.0.0.1'
+spamassassin_authorized_ip_addresses: '127.0.0.1'
 spamassassin_spamd_port: 783
 spamassassin_conf_dir: '{{ spamassassin_home }}'
 spamassassin_sysconfig_file: '/etc/sysconfig/spamassassin'
 # Only postgresql support for the time being
 spamassassin_db_user_config: True
-spamassassin_spamd_sql_opts: '-q -x '
+spamassassin_spamd_sql_opts: '-q -x -u {{ spamassassin_user }} -g {{ spamassassin_group }}'
 spamassassin_db_name: 'spamassassin'
 spamassassin_db_user: 'spamassassin_u'
 # spamassassin_db_pwd: 'use a vault file'
@ -35,15 +41,20 @@ spamassassin_db_allowed_hosts:
  - '127.0.0.1'
  - '{{ ansible_fqdn }}'

+spamassassin_enable_pyzor: True
 spamassassin_use_bayes: False
 spamassassin_bayes_sql_db: '{{ spamassassin_db_user_config }}'
 spamassassin_use_bayes_autolearn: '0'
 spamassassin_use_bayes_auto_expire: '1'
 spamassassin_auto_whitelist: False
 spamassassin_auto_whitelist_sql_db: '{{ spamassassin_db_user_config }}'
+spamassassin_disable_rbls: False
+spamassassin_disabled_rbls_list: []
+#  - bldomain
+#  - sorbs.net

 spamassassin_spamd_ssl_enabled: True
-spamassassin_spamd_ssl_opts: '-u {{ spamassassin_user }} -g {{ spamassassin_group }} --ssl --server-key {{ spamassassin_home }}/client-key.pem --server-cert {{ spamassassin_home }}/client-cert.pem'
+spamassassin_spamd_ssl_opts: '--ssl --server-key {{ spamassassin_home }}/client-key.pem --server-cert {{ spamassassin_home }}/client-cert.pem'

 psql_db_data:
  - { name: '{{ spamassassin_db_name }}', encoding: 'UTF8', user: '{{ spamassassin_db_user }}', roles: 'NOCREATEDB,NOSUPERUSER', pwd: '{{ spamassassin_db_pwd }}', managedb: True, allowed_hosts: '{{ spamassassin_db_allowed_hosts }}', extensions: [ '' ], schema_file: '/srv/spamassassin.sql' }
@ -60,18 +71,14 @@ spamassassin_milter_pref_default_user: 'root'
 spamassassin_milter_reject_code: '5.7.1'
 spamassassin_milter_reject_message: 'Blocked by SpamAssassin'
 spamassassin_milter_connect_to_external_spamd: False
-spamassassin_milter_external_spamd_host: '127.0.0.1'
+# separate with a comma if more than one
+spamassassin_milter_external_spamd_hosts: '127.0.0.1'
+spamassassin_milter_external_round_robin_hosts: True
 spamassassin_milter_external_spamd_port: '{{ spamassassin_spamd_port }}'
 spamassassin_milter_exclude_whitelisted_networks: False
 # Separate with commas
 spamassassin_milter_whitelisted_networks: '127.0.0.1/8'
 spamassassin_milter_reject_limit: 15
 spamassassin_milter_change_headers: True
-
-spamassassin_disable_rbls: False
-spamassassin_disabled_rbls_list: []
-#  - bldomain
-#  - sorbs.net
-
-spamassassin_enable_pyzor: True
+spamassassin_milter_ssl_enabled: '{{ spamassassin_spamd_ssl_enabled }}'

--- a/tasks/spamassassin.yml
+++ b/tasks/spamassassin.yml
@ -1,5 +1,5 @@
 ---
- name: Create the spamassasin user and install the Spamassassin packages
+- name: Create the spamassassin user and install the Spamassassin packages on RH based systems
  block:
    - name: Create the spamassassin user
      user: name={{ spamassassin_user }} home={{ spamassassin_home }} comment="Spamassassin Service Account" createhome=no shell=/usr/sbin/nologin system=yes
@ -20,6 +20,17 @@
  when: ansible_distribution_file_variety == "RedHat"
  tags: [ 'spamassassin' ]

+- name: Install pyzor from pip
+  block:
+    - name: Install the pyzor pip packages
+      pip: name={{ spamassassin_pyzor_pip_packages }} state=latest
+
+    - name: Create the pyzor home
+      file: dest={{ spamassassin_conf_dir }}/pyzor state=directory owner={{ spamassassin_user }} mode=0750
+
+  when: spamassassin_enable_pyzor | bool
+  tags: [ 'spamassassin', 'pyzor', 'spamassassin_conf' ]
+
 - name: Manage the letsencrypt configuration
  block:
  - name: Check if the letsencrypt certificates are in place
@ -57,13 +68,6 @@
      template: src=spamassassin_sysconfig.j2 dest=/etc/sysconfig/spamassassin owner=root group=root mode=0444
      notify: Reload spamassassin

-    - name: Configure pyzor if enabled
-      command: pyzor --homedir {{ spamassassin_conf_dir }} discover
-      args:
-        creates: '{{ spamassassin_conf_dir }}/servers'
-      when: spamassassin_enable_pyzor | bool
-      notify: Reload spamassassin
-
  tags: [ 'spamassassin', 'spamassassin_conf' ]
  
 - name: Install the Spamassassin DB configuration
--- a/templates/spamass-milter_sysconfig.j2
+++ b/templates/spamass-milter_sysconfig.j2
@ -5,4 +5,4 @@
 ### spamass-milter-root.service instead of spamass-milter.service if you
 ### wish to do this but otherwise it's best to run as the unprivileged user
 ### sa-milt by using the normal spamass-milter.service
-EXTRA_FLAGS="{% if not spamassassin_milter_change_headers %}-m {% endif %}{% if spamassassin_milter_set_pref_dom_and_user %}-e {{ spamassassin_milter_pref_default_domain }} -u {{ spamassassin_milter_pref_default_user }}{% endif %} -r {{ spamassassin_milter_reject_limit }} -C {{ spamassassin_milter_reject_code }} -R '{{ spamassassin_milter_reject_message }}' {% if spamassassin_milter_exclude_whitelisted_networks %}-i {{ spamassassin_milter_whitelisted_networks }}{% endif %} {% if spamassassin_milter_connect_to_external_spamd %}-- -d {{ spamassassin_milter_external_spamd_host }}:{{ spamassassin_milter_external_spamd_port }}{% endif %}"
+EXTRA_FLAGS="{% if not spamassassin_milter_change_headers %}-m {% endif %}{% if spamassassin_milter_set_pref_dom_and_user %}-e {{ spamassassin_milter_pref_default_domain }} -u {{ spamassassin_milter_pref_default_user }}{% endif %} -r {{ spamassassin_milter_reject_limit }} -C {{ spamassassin_milter_reject_code }} -R '{{ spamassassin_milter_reject_message }}' {% if spamassassin_milter_exclude_whitelisted_networks %}-i {{ spamassassin_milter_whitelisted_networks }}{% endif %} {% if spamassassin_milter_connect_to_external_spamd %}-- -d {{ spamassassin_milter_external_spamd_hosts }} -p {{ spamassassin_milter_external_spamd_port }}{% if spamassassin_milter_external_round_robin_hosts %} -H{% endif %}{%if spamassassin_milter_ssl_enabled %} -S{% endif %}{% endif %}"
--- a/templates/spamassassin-local.cf.j2
+++ b/templates/spamassassin-local.cf.j2
@ -24,5 +24,5 @@ skip_rbl_checks 1
 dns_query_restriction deny {{ rbl }}
 {% endfor %}
 {% if spamassassin_enable_pyzor %}
-pyzor_options --homedir {{ spamassassin_conf_dir }}
+pyzor_options --homedir {{ spamassassin_conf_dir }}/pyzor
 {% endif %}
--- a/templates/spamassassin_sysconfig.j2
+++ b/templates/spamassassin_sysconfig.j2
@ -1,2 +1,2 @@
 # Options to spamd
-SPAMDOPTIONS="-d -m5 -H {% if spamassassin_db_user_config %}{{ spamassassin_spamd_sql_opts }}{% else %} -c{% endif %} {% if spamassassin_spamd_ssl_enabled %}{{ spamassassin_spamd_ssl_opts }}{% endif %}"
+SPAMDOPTIONS="-d -m5 -i {{ spamassassin_listen_ip }}:{{ spamassassin_spamd_port }} -H {% if spamassassin_db_user_config %}{{ spamassassin_spamd_sql_opts }}{% else %} -c{% endif %} {% if spamassassin_spamd_ssl_enabled %}{{ spamassassin_spamd_ssl_opts }}{% endif %} -A {{ spamassassin_authorized_ip_addresses }}"