dave
/
ansible-playbooks
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
๐Ÿ“— Ansible playbooks and roles for building an idempotent, interconnected and scalable infrastructure
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
2 Branches
0 Tags
425 KiB
Tag: Branch: Tree: 6155f074c8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6155f074c8'
${ noResults }
ansible-playbooks/roles/rspamd/defaults/main.yml

310 lines
6.3 KiB
Raw Normal View History Unescape

init
2 years ago
rspamd_user: rspamd
rspamd_group: rspamd
rspamd_conf_dir: /etc/rspamd
rspamd_local_dir: "{{ rspamd_conf_dir }}/local.d"
rspamd_local_map_dir: "{{ rspamd_local_dir }}/maps.d"
rspamd_override_dir: "{{ rspamd_conf_dir }}/override.d"
rspamd_dkim_rsa2048_key: "{{ rspamd_local_dir }}/dkim-rsa2048.key"
rspamd_dkim_ed25519_key: "{{ rspamd_local_dir }}/dkim-ed25519.key"
rspamd_redis_socket: /run/redis/redis.sock
rspamd_controller_port: 11334
rspamd_default_config:
actions:
reject: 1000
add_header: 8
greylist: 12
grow_factor: 1.1
logging:
type: syslog
facility: mail
level: notice
log_re_cache: no
log_severity: yes
options:
local_addrs:
- "{{ int_net }}"
- "fe80::/10"
max_message: 100Mb
monitoring_watch_interval: 600s
dns:
nameserver:
- "{{ hostvars[services.recursive_ns.hostname]['ansible_host'] }}:53"
timeout: 2s
settings:
authenticated:
priority: high
authenticated: yes
apply:
groups_disabled:
- rbl
- spf
- headers
- excessb64
- arc
worker-controller:
bind_socket: "*:{{ rspamd_controller_port }}"
password: "{{ rspamd_controller_password }}"
enable_password: "{{ rspamd_controller_password }}"
secure_ip: []
worker-normal:
enabled: no
worker-proxy:
milter: yes
timeout: 40s
bind_socket: "*:{{ mail_server.rspamd_port }}"
reject_message: "Message rejected"
upstream:
local:
default: yes
hosts: localhost
self_scan: yes
worker-fuzzy:
expire: 30d
backend: redis
antivirus:
enabled: no
arc:
enabled: yes
domain:
__tld__:
selector: rsa2048
path: "{{ rspamd_dkim_rsa2048_key }}"
use_domain: recipient
allow_envfrom_empty: yes
allow_hdrfrom_mismatch: yes
allow_hdrfrom_multiple: no
allow_username_mismatch: yes
sign_authenticated: no
sign_inbound: yes
sign_local: no
try_fallback: no
use_redis: no
use_esld: yes
sign_headers: "(o)From:(o)Sender:(o)Reply-To:(o)Subject:(o)To:(o)Cc:(o)In-Reply-To:(o)References:(o)Message-ID:BIMI-Selector:DKIM-Signature"
sign_networks: []
chartable:
threshold: 0.3
classifier-bayes:
backend: redis
new_schema: yes
expire: 8640000
min_learns: 50
autolearn:
spam_threshold: 7.5
ham_threshold: -0.01
check_balance: yes
min_balance: 0.9
dkim:
time_jitter: 6h
trusted_only: no
dkim_signing:
enabled: yes
domain:
__tld__:
selectors:
- selector: ed25519
path: "{{ rspamd_dkim_ed25519_key }}"
- selector: rsa2048
path: "{{ rspamd_dkim_rsa2048_key }}"
use_domain: header
allow_envfrom_empty: yes
allow_hdrfrom_mismatch: yes
allow_hdrfrom_multiple: yes
allow_username_mismatch: yes
sign_authenticated: yes
sign_local: yes
try_fallback: no
use_redis: no
use_esld: yes
sign_headers: "(o)From:(x)Sender:(o)Reply-To:(o)Subject:(o)To:(o)Cc:(x)In-Reply-To:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:References:Message-ID:BIMI-Selector"
sign_networks: []
dmarc:
actions:
quarantine: add_header
reject: add_header
greylist:
whitelisted_ip: "$LOCAL_CONFDIR/local.d/maps.d/local_ip_ranges.inc"
whitelisted_domains_url: "$LOCAL_CONFDIR/local.d/maps.d/local_domains.inc"
expire: 3d
timeout: 10min
greylist_min_score: 12
ipv4_mask: 32
ipv6_mask: 64
message: "Your message has been temporarily greylisted. Try again later"
action: "soft reject"
history_redis:
servers: "{{ rspamd_redis_socket }}"
key_prefix: rs_history
compress: yes
milter_headers:
use:
- remove-headers
- spam-header
- x-spamd-bar
- x-spam-level
- fuzzy-hashes
- authentication-results
authenticated_headers:
- authentication-results
extended_spam_headers: no
skip_local: yes
skip_authenticated: yes
routines:
remove-headers:
headers:
X-Spamd-Bar: 1
X-Spam-Level: 1
X-Spam-Score: 1
X-Spam-Status: 1
X-Spam-Flag: 1
spam-header:
header: X-Spam-Flag
value: "YES"
remove: 1
fuzzy-hashes:
header: X-Spam-Fuzzy
authentication-results:
header: Authentication-Results
remove: 1
spf_symbols:
pass: R_SPF_ALLOW
fail: R_SPF_FAIL
softfail: R_SPF_SOFTFAIL
neutral: R_SPF_NEUTRAL
temperror: R_SPF_DNSFAIL
none: R_SPF_NA
permerror: R_SPF_PERMFAIL
dkim_symbols:
pass: R_DKIM_ALLOW
fail: R_DKIM_REJECT
temperror: R_DKIM_TEMPFAIL
none: R_DKIM_NA
permerror: R_DKIM_PERMFAIL
dmarc_symbols:
pass: DMARC_POLICY_ALLOW
permerror: DMARC_BAD_POLICY
temperror: DMARC_DNSFAIL
none: DMARC_NA
reject: DMARC_POLICY_REJECT
softfail: DMARC_POLICY_SOFTFAIL
quarantine: DMARC_POLICY_QUARANTINE
mime_types:
application/pdf: "-0.5"
application/gzip: "-0.25"
multimap:
FILENAME_BLACKLISTED:
type: filename
filter: extension
map: '${LOCAL_CONFDIR}/local.d/maps.d/bad_filenames.map'
symbol: FILENAME_BLACKLISTED
score: 100
action: reject
message: "Your mail has been rejected because a potentially malicious file has been found in its attachments"
mx_check:
enabled: yes
timeout: 5
neural:
enabled: yes
symbols:
NEURAL_SPAM:
weight: "3.0"
description: "Neural network spam"
NEURAL_HAM:
weight: "-3.0"
description: "Neural network ham"
phishing:
enabled: yes
openphish_enabled: yes
openphish_map: "https://www.openphish.com/feed.txt"
redis:
servers: "{{ rspamd_redis_socket }}"
replies:
action: "no action"
rspamd_bad_filenames:
- ade
- adp
- apk
- appx
- appxbundle
- bat
- cab
- chm
- cmd
- com
- cpl
- dll
- dmg
- ex
- ex_
- exe
- hta
- ins
- isp
- iso
- jar
- js
- jse
- lib
- lnk
- mde
- msc
- msi
- msix
- msixbundle
- msp
- mst
- nsh
- pif
- ps1
- scr
- sct
- shb
- sys
- vb
- vbe
- vbs
- vxd
- wsc
- wsf
- wsh