 
 
ansible-playbooks/roles/rspamd/defaults/main.yml


# System account rspamd runs as and that owns the rendered config files.
rspamd_user: rspamd
rspamd_group: rspamd
# Base config directory; local.d/ holds additions, override.d/ hard overrides.
rspamd_conf_dir: /etc/rspamd
rspamd_local_dir: "{{ rspamd_conf_dir }}/local.d"
rspamd_local_map_dir: "{{ rspamd_local_dir }}/maps.d"
rspamd_override_dir: "{{ rspamd_conf_dir }}/override.d"
# DKIM/ARC private keys, referenced by the dkim_signing and arc sections of
# rspamd_default_config. They live inside the config tree, so the role is
# expected to restrict their mode/owner to rspamd_user — confirm in the tasks.
rspamd_dkim_rsa2048_key: "{{ rspamd_local_dir }}/dkim-rsa2048.key"
rspamd_dkim_ed25519_key: "{{ rspamd_local_dir }}/dkim-ed25519.key"
# Unix socket used for history, bayes and fuzzy storage (no TCP exposure).
rspamd_redis_socket: /run/redis/redis.sock
# TCP port of the controller worker (web UI / HTTP API); see worker-controller.
rspamd_controller_port: 11334
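# Default rspamd configuration, rendered by the role into local.d/*.conf.
# Booleans are written as true/false (Ansible's YAML 1.1 loader reads yes/no
# the same way, but true/false is unambiguous across parsers and yamllint).
rspamd_default_config:
  # Score thresholds at which each action triggers.
  actions:
    reject: 1000
    add_header: 8
    greylist: 12
    grow_factor: 1.1
  logging:
    type: syslog
    facility: mail
    level: notice
    log_re_cache: false
    log_severity: true
  options:
    # Networks treated as "local": mail from them skips the checks that
    # honour locality (e.g. milter_headers.skip_local, arc.sign_local).
    local_addrs:
      - "{{ int_net }}"
      - "fe80::/10"
    max_message: 100Mb
    monitoring_watch_interval: 600s
    dns:
      nameserver:
        - "{{ hostvars[services.recursive_ns.hostname]['ansible_host'] }}:53"
      timeout: 2s
  settings:
    # Authenticated (submission) senders get a reduced rule set. Note that a
    # client using stolen credentials is also exempt from these groups, so
    # outbound abuse detection has to come from elsewhere (e.g. rate limits).
    authenticated:
      priority: high
      authenticated: true
      apply:
        groups_disabled:
          - rbl
          - spf
          - headers
          - excessb64
          - arc
  worker-controller:
    # Listens on every interface; the password is the only gate, so the port
    # is expected to be firewalled to the admin network. rspamd also accepts
    # the hashed form produced by `rspamadm pw` here — presumably the vaulted
    # variable already holds that; confirm.
    bind_socket: "*:{{ rspamd_controller_port }}"
    password: "{{ rspamd_controller_password }}"
    # Same secret as `password`: read-only and privileged (learn/maps)
    # controller access are not separated.
    enable_password: "{{ rspamd_controller_password }}"
    # Empty: no source IP gets password-less controller access.
    secure_ip: []
  worker-normal:
    enabled: false
  worker-proxy:
    # Milter endpoint used by the MTA; scans locally (self_scan).
    milter: true
    timeout: 40s
    bind_socket: "*:{{ mail_server.rspamd_port }}"
    reject_message: "Message rejected"
    upstream:
      local:
        default: true
        hosts: localhost
        self_scan: true
  worker-fuzzy:
    expire: 30d
    backend: redis
  antivirus:
    enabled: false
  arc:
    enabled: true
    domain:
      __tld__:
        selector: rsa2048
        path: "{{ rspamd_dkim_rsa2048_key }}"
    use_domain: recipient
    allow_envfrom_empty: true
    allow_hdrfrom_mismatch: true
    allow_hdrfrom_multiple: false
    allow_username_mismatch: true
    sign_authenticated: false
    sign_inbound: true
    sign_local: false
    try_fallback: false
    use_redis: false
    use_esld: true
    sign_headers: "(o)From:(o)Sender:(o)Reply-To:(o)Subject:(o)To:(o)Cc:(o)In-Reply-To:(o)References:(o)Message-ID:BIMI-Selector:DKIM-Signature"
    sign_networks: []
  chartable:
    threshold: 0.3
  classifier-bayes:
    backend: redis
    new_schema: true
    expire: 8640000
    min_learns: 50
    autolearn:
      spam_threshold: 7.5
      ham_threshold: -0.01
      check_balance: true
      min_balance: 0.9
  dkim:
    time_jitter: 6h
    trusted_only: false
  dkim_signing:
    enabled: true
    domain:
      __tld__:
        # Both selectors are published; ed25519 first, rsa2048 as the
        # widely-verifiable fallback.
        selectors:
          - selector: ed25519
            path: "{{ rspamd_dkim_ed25519_key }}"
          - selector: rsa2048
            path: "{{ rspamd_dkim_rsa2048_key }}"
    use_domain: header
    allow_envfrom_empty: true
    allow_hdrfrom_mismatch: true
    allow_hdrfrom_multiple: true
    allow_username_mismatch: true
    sign_authenticated: true
    sign_local: true
    try_fallback: false
    use_redis: false
    use_esld: true
    sign_headers: "(o)From:(x)Sender:(o)Reply-To:(o)Subject:(o)To:(o)Cc:(x)In-Reply-To:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:References:Message-ID:BIMI-Selector"
    sign_networks: []
  dmarc:
    # A sender's DMARC reject/quarantine policy is downgraded to a header;
    # final disposition is left to the score-based actions above.
    actions:
      quarantine: add_header
      reject: add_header
  greylist:
    # NOTE(review): confirm these two key names against the rspamd greylist
    # module docs before relying on the whitelists being honoured; an
    # unknown key is silently ignored by rspamd, not rejected.
    whitelisted_ip: "$LOCAL_CONFDIR/local.d/maps.d/local_ip_ranges.inc"
    whitelisted_domains_url: "$LOCAL_CONFDIR/local.d/maps.d/local_domains.inc"
    expire: 3d
    timeout: 10min
    greylist_min_score: 12
    ipv4_mask: 32
    ipv6_mask: 64
    message: "Your message has been temporarily greylisted. Try again later"
    action: "soft reject"
  history_redis:
    servers: "{{ rspamd_redis_socket }}"
    key_prefix: rs_history
    compress: true
  milter_headers:
    use:
      - remove-headers
      - spam-header
      - x-spamd-bar
      - x-spam-level
      - fuzzy-hashes
      - authentication-results
    authenticated_headers:
      - authentication-results
    extended_spam_headers: false
    skip_local: true
    skip_authenticated: true
    routines:
      # Strip any pre-existing spam headers first so an inbound sender cannot
      # pre-set X-Spam-Flag/Score on a message that we then deliver.
      remove-headers:
        headers:
          X-Spamd-Bar: 1
          X-Spam-Level: 1
          X-Spam-Score: 1
          X-Spam-Status: 1
          X-Spam-Flag: 1
      spam-header:
        header: X-Spam-Flag
        value: "YES"
        remove: 1
      fuzzy-hashes:
        header: X-Spam-Fuzzy
      authentication-results:
        header: Authentication-Results
        remove: 1
        spf_symbols:
          pass: R_SPF_ALLOW
          fail: R_SPF_FAIL
          softfail: R_SPF_SOFTFAIL
          neutral: R_SPF_NEUTRAL
          temperror: R_SPF_DNSFAIL
          none: R_SPF_NA
          permerror: R_SPF_PERMFAIL
        dkim_symbols:
          pass: R_DKIM_ALLOW
          fail: R_DKIM_REJECT
          temperror: R_DKIM_TEMPFAIL
          none: R_DKIM_NA
          permerror: R_DKIM_PERMFAIL
        dmarc_symbols:
          pass: DMARC_POLICY_ALLOW
          permerror: DMARC_BAD_POLICY
          temperror: DMARC_DNSFAIL
          none: DMARC_NA
          reject: DMARC_POLICY_REJECT
          softfail: DMARC_POLICY_SOFTFAIL
          quarantine: DMARC_POLICY_QUARANTINE
  # Score adjustments per MIME type; quoted so "-0.5" stays a string until
  # rspamd parses it rather than becoming a YAML float.
  mime_types:
    application/pdf: "-0.5"
    application/gzip: "-0.25"
  multimap:
    # Hard reject on attachment extension, fed from rspamd_bad_filenames.
    # `filter: extension` looks only at the file name's extension; content
    # inside archives is not inspected by this rule.
    FILENAME_BLACKLISTED:
      type: filename
      filter: extension
      map: '${LOCAL_CONFDIR}/local.d/maps.d/bad_filenames.map'
      symbol: FILENAME_BLACKLISTED
      score: 100
      action: reject
      message: "Your mail has been rejected because a potentially malicious file has been found in its attachments"
  mx_check:
    enabled: true
    timeout: 5
  neural:
    enabled: true
    symbols:
      NEURAL_SPAM:
        weight: "3.0"
        description: "Neural network spam"
      NEURAL_HAM:
        weight: "-3.0"
        description: "Neural network ham"
  phishing:
    enabled: true
    # Remote feed fetched by rspamd at runtime; its content influences
    # scoring, so the host needs outbound HTTPS to this origin and the feed
    # is trusted as-is.
    openphish_enabled: true
    openphish_map: "https://www.openphish.com/feed.txt"
  redis:
    servers: "{{ rspamd_redis_socket }}"
  replies:
    action: "no action"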
rspamd_bad_filenames:
- ade
- adp
- apk
- appx
- appxbundle
- bat
- cab
- chm
- cmd
- com
- cpl
- dll
- dmg
- ex
- ex_
- exe
- hta
- ins
- isp
- iso
- jar
- js
- jse
- lib
- lnk
- mde
- msc
- msi
- msix
- msixbundle
- msp
- mst
- nsh
- pif
- ps1
- scr
- sct
- shb
- sys
- vb
- vbe
- vbs
- vxd
- wsc
- wsf
- wsh