mailgw: big upgrade from ASSP to Rspamd

mailgw/00-eth0.network

@@ -19,4 +19,4 @@ DNS=192.168.1.3
 DNS=fdb5:78b:64cc:0:f8c0::3
 NTP=192.168.1.4
 NTP=fdb5:78b:64cc:0:f8c0::4
-Domains=privacyidea.de
+Domains=unitas-network.de

mailgw/Makefile

@@ -1,4 +1,18 @@
+OT_VER ?= 0.54.2
+OT_SUBVER ?= b
+OT_TARBALL = oletools-$(OT_VER).tar.gz
+OT_URL = https://github.com/decalage2/oletools/releases/download/v$(OT_VER)$(OT_SUBVER)/$(OT_TARBALL)
+
+OF_COMMIT ?= 7929bd927eaa93d1d67a0cfa6da7bed2be57ca15
+OF_TARBALL = $(OF_COMMIT).tar.gz
+OF_URL = https://github.com/HeinleinSupport/olefy/archive/$(OF_TARBALL)
+
 preinstall:
+	# hardcoded users and groups
+	$(inroot) useradd --system --comment="created from appliance building - zabbix user" --home-dir="/var/lib/zabbix/home" --shell="/sbin/nologin" --no-create-home --uid 600 --user-group zabbix
+	$(inroot) useradd --system --comment="created from appliance building - clamav user" --home-dir="/dev/null" --shell="/sbin/nologin" --no-create-home --uid 601 --user-group clamav
+	$(inroot) useradd --system --comment="created from appliance building - rspamd user" --home-dir="/var/lib/rspamd" --shell="/sbin/nologin" --no-create-home --uid 602 --user-group rspamd
+	$(inroot) useradd --system --comment="created from appliance building - olefy user" --home-dir="/dev/null" --shell="/sbin/nologin" --no-create-home --uid 603 --user-group olefy
 	# switch to hardened, build hardened toolchain, rebuild everything
 	mkdir -p $(CHROOT)/etc/portage/profile
 	echo "-hardened" >> $(CHROOT)/etc/portage/profile/use.mask
@@ -7,9 +21,6 @@ preinstall:
 	-$(gcc_config)
 	$(inroot) $(EMERGE) $(USEPKG) --emptytree @world
 	$(inroot) bash -c 'yes YES | etc-update --automode -9'
-	# ASSP: Perl wurde auf ithreads umgestellt -> Module neu bauen
-	$(inroot) $(EMERGE) $(USEPKG) --oneshot dev-lang/perl
-	$(inroot) perl-cleaner --reallyall
 
 	# Unitas-Portage-Overlay einbinden
 	$(inroot) $(EMERGE) -n $(USEPKG) app-portage/layman
@@ -17,6 +28,16 @@ preinstall:
 	wget -P $(CHROOT)/etc/layman/overlays http://dev.unitas-network.de/raw/Gentoo/Unitas.git/master/unitas-overlays.xml
 	$(inroot) layman -l | grep -q unitas || $(inroot) layman -La unitas
 
+install_oletools:
+	$(inroot) test -f /usr/portage/distfiles/$(OT_TARBALL) || \
+		$(inroot) wget -P /usr/portage/distfiles $(OT_URL)
+	$(inroot) sh -c 'tar xf /usr/portage/distfiles/$(OT_TARBALL) -C /tmp && cd /tmp/oletools-$(OT_VER) && python setup.py install'
+
+install_olefy:
+	$(inroot) test -f /usr/portage/distfiles/$(OF_TARBALL) || \
+		$(inroot) wget -P /usr/portage/distfiles $(OF_URL)
+	$(inroot) sh -c 'tar xf /usr/portage/distfiles/$(OF_TARBALL) -C /tmp && cd /tmp/olefy-$(OF_COMMIT) && cp olefy.py /usr/bin && cp olefy.conf /etc && cp olefy.service /etc/systemd/system'
+
 postinstall: timesyncd.conf firstboot.start
 	# Konfigurationen anpassen
 	cp timesyncd.conf $(CHROOT)/etc/systemd/timesyncd.conf
@@ -26,7 +47,7 @@ postinstall: timesyncd.conf firstboot.start
 	sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/' $(CHROOT)/etc/sudoers
 	$(inroot) useradd -m -G users,wheel -s /bin/bash admin
 	$(inroot) passwd -d admin; $(inroot) passwd -e admin
-	$(inroot) systemctl enable screen@adm.service
+	$(inroot) systemctl enable tmux@root.service
 
 	# Beispiel feste IP-Adresse
 	cp 00-eth0.network $(CHROOT)/00-eth0.network.example
@@ -38,14 +59,10 @@ postinstall: timesyncd.conf firstboot.start
 	rm -rf $(CHROOT)/var/lib/mysql/*
 	$(inroot) bash -c 'yes gentoo | emerge --config dev-db/mariadb'
 
-	# ASSP
-	$(inroot) usermod -aG clamav assp
-	cp system/50-assp-ulimit.conf $(CHROOT)/etc/security/limits.d/
-	sed -i 's/smtp      inet  n       -       n       -       -       smtpd/127.0.0.1:125 inet  n       -       n       -       -       smtpd/' $(CHROOT)/etc/postfix/master.cf
-	$(inroot) systemctl enable assp.service
-	$(inroot) systemctl enable freshclamd.service
-	$(inroot) systemctl enable clamd.service
-	$(inroot) systemctl enable postfix.service
-	$(inroot) systemctl enable pdns-recursor.service
+	# oletools zur Office-Macro-Erkennung in rspamd
+	$(MAKE) install_oletools
+	$(MAKE) install_olefy
 
+	# Anpassungen
+	$(inroot) usermod -a -G clamav rspamd
 clean:

mailgw/firstboot.start

@@ -34,29 +34,4 @@ if ! mount | grep /$LABEL > /dev/null; then
     exit 1
 fi
 
-if [ ! -d "/$LABEL/var/lib/mysql/assp" ]; then
-    echo 'Initialize MariaDB...'
-    systemctl stop mariadb
-    mkdir -p /$LABEL/var/lib/mysql
-    rm -rf /$LABEL/var/lib/mysql/*
-    cp -a /var/lib/mysql/. /$LABEL/var/lib/mysql
-    sed -i "s:^datadir.*:datadir = /$LABEL/var/lib/mysql:" /etc/mysql/my.cnf
-    systemctl start mariadb
-
-    echo 'Create ASSP database...'
-    mysql -u root -e "CREATE USER 'assp'@'localhost' IDENTIFIED BY '$DATABASE_PASS'"
-    mysql -u root -e "CREATE DATABASE assp;"
-    mysql -u root -e "GRANT ALL PRIVILEGES ON assp.* TO 'assp'@'localhost' IDENTIFIED by '$DATABASE_PASS';"
-    mysql -u root -e "FLUSH PRIVILEGES;"
-else
-    echo 'Start MariaDB...'
-    sed -i "s:^datadir.*:datadir = /$LABEL/var/lib/mysql:" /etc/mysql/my.cnf
-    systemctl start mariadb
-fi
-echo 'Enable database...'
-systemctl enable mariadb
-
-# Perl (und damit ASSP) darf auch Ports unter 1024 öffnen
-setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/perl
-
 rm /firstboot

mailgw/make.conf

@@ -1,6 +1,6 @@
 CFLAGS="-O2 -pipe"
 CXXFLAGS="-O2 -pipe"
-USE="hardened justify pie ssp urandom xattr xtpax -fortran -jit -orc -pch -pic -prelink -profile -tcc"
+USE="hardened justify pie ssp urandom xattr xtpax -fortran -pch -pic -prelink -profile -tcc"
 MAKEOPTS="-j5"
 ACCEPT_LICENSE="*"
 PYTHON_TARGETS="python3_6"

mailgw/package.keywords

@@ -2,20 +2,8 @@
 app-emulation/open-vm-tools ~amd64 ~x86
 sys-auth/pam_ssh_agent_auth ~amd64 ~x86
 
-# ASSP
-dev-perl/Archive-Extract
-dev-perl/Email-Address-XS
-dev-perl/Email-MIME
-dev-perl/Email-MIME-ContentType
-dev-perl/Email-Simple
-dev-perl/File-Scan-ClamAV
-dev-perl/HTML-Strip
-dev-perl/Unicode-LineBreak
-dev-perl/Crypt-SMIME
-sys-libs/db:6.0
-virtual/perl-Encode
-dev-perl/Email-LocalDelivery
-dev-perl/Email-FolderType
+# rspamd
+mail-filter/rspamd
 
 # ClamAV Zusatz-Signaturen
 app-antivirus/clamav-unofficial-sigs
@@ -25,11 +13,11 @@ gnustep-base/gnustep-make
 gnustep-libs/sope
 gnustep-apps/sogo
 
-# LetsEncrypt
-app-crypt/acme
-app-crypt/certbot
-app-crypt/certbot-apache
-dev-python/zope-component
-dev-python/parsedatetime
-dev-python/pyrfc3339
-dev-python/python-augeas
+### LetsEncrypt
+##app-crypt/acme
+##app-crypt/certbot
+##app-crypt/certbot-apache
+##dev-python/zope-component
+##dev-python/parsedatetime
+##dev-python/pyrfc3339
+##dev-python/python-augeas

mailgw/package.use

@@ -20,21 +20,21 @@ sys-kernel/gentoo-sources symlink
 # Monitoring
 net-analyzer/zabbix agent
 
-# ASSP
-app-text/ghostscript-gpl cups
-app-text/tesseract tiff
-dev-lang/perl ithreads
-media-libs/leptonica tiff
-x11-libs/cairo X
-mail-filter/assp arc berkdb clamav dcc fakemx ldap ocr mysql razor sasl snmp spf srs ssl syslog
+# rspamd
+dev-db/redis jemalloc
+mail-filter/rspamd gd jemalloc pcre2
+media-libs/gd jpeg
+
+# Mail
 mail-mta/postfix cdb dovecot-sasl ldap mysql vda
 net-mail/dovecot ldap lucene managesieve mysql sieve suid
 net-nds/openldap overlays perl sasl
 
-# Apache
-www-servers/apache apache2_modules_proxy apache2_modules_proxy_ajp apache2_modules_proxy_connect apache2_modules_proxy_http apache2_modules_proxy_wstunnel
-
 # SOGo
 sys-devel/gcc objc
+x11-libs/cairo X
 gnustep-libs/sope ldap mysql
 gnustep-apps/sogo activesync
+
+# Apache
+www-servers/apache apache2_modules_proxy apache2_modules_proxy_ajp apache2_modules_proxy_connect apache2_modules_proxy_http apache2_modules_proxy_wstunnel

mailgw/system/50-assp-ulimit.conf

@@ -1,2 +0,0 @@
-*               hard    nofile          65536
-*               soft    nofile          32768

mailgw/world

@@ -2,17 +2,21 @@ app-admin/logrotate
 app-admin/sudo
 app-emulation/open-vm-tools
 app-misc/mc
-app-misc/screenservice
+app-misc/tmuxservice
 net-analyzer/zabbix
 sys-auth/pam_ssh_agent_auth
 sys-fs/mdadm
 sys-power/acpid
 app-antivirus/clamav
 app-antivirus/clamav-unofficial-sigs
-app-arch/libarchive
 app-crypt/certbot-apache
+dev-db/mariadb
+dev-db/redis
+dev-python/pyzor
 gnustep-apps/sogo
-mail-filter/assp
+mail-filter/dcc
+mail-filter/razor
+mail-filter/rspamd
 mail-mta/postfix
 net-dns/pdns-recursor
 net-mail/dovecot
@@ -20,3 +24,6 @@ net-mail/imapsync
 net-misc/netkit-telnetd
 net-nds/openldap
 www-servers/apache
+dev-python/python-magic
+dev-python/pyparsing
+dev-python/olefile

mailgw/world.README.md

@@ -0,0 +1,6 @@
+für https://github.com/HeinleinSupport/olefy:
+dev-python/python-magic
+
+für https://github.com/decalage2/oletools:
+dev-python/pyparsing
+dev-python/olefile