mailgw: big upgrade from ASSP to Rspamd

This commit is contained in:
Joerg Deckert 2019-07-07 14:03:26 +02:00
parent 11b724dad4
commit dc9b5939dd
10 changed files with 809 additions and 787 deletions


@ -19,4 +19,4 @@ DNS=192.168.1.3
DNS=fdb5:78b:64cc:0:f8c0::3 DNS=fdb5:78b:64cc:0:f8c0::3
NTP=192.168.1.4 NTP=192.168.1.4
NTP=fdb5:78b:64cc:0:f8c0::4 NTP=fdb5:78b:64cc:0:f8c0::4
Domains=privacyidea.de Domains=unitas-network.de


@ -1,4 +1,18 @@
OT_VER ?= 0.54.2
OT_SUBVER ?= b
OT_TARBALL = oletools-$(OT_VER).tar.gz
OT_URL = https://github.com/decalage2/oletools/releases/download/v$(OT_VER)$(OT_SUBVER)/$(OT_TARBALL)
OF_COMMIT ?= 7929bd927eaa93d1d67a0cfa6da7bed2be57ca15
OF_TARBALL = $(OF_COMMIT).tar.gz
OF_URL = https://github.com/HeinleinSupport/olefy/archive/$(OF_TARBALL)
preinstall: preinstall:
# hardcoded users and groups
$(inroot) useradd --system --comment="created from appliance building - zabbix user" --home-dir="/var/lib/zabbix/home" --shell="/sbin/nologin" --no-create-home --uid 600 --user-group zabbix
$(inroot) useradd --system --comment="created from appliance building - clamav user" --home-dir="/dev/null" --shell="/sbin/nologin" --no-create-home --uid 601 --user-group clamav
$(inroot) useradd --system --comment="created from appliance building - rspamd user" --home-dir="/var/lib/rspamd" --shell="/sbin/nologin" --no-create-home --uid 602 --user-group rspamd
$(inroot) useradd --system --comment="created from appliance building - olefy user" --home-dir="/dev/null" --shell="/sbin/nologin" --no-create-home --uid 603 --user-group olefy
# switch to hardened, build hardened toolchain, rebuild everything # switch to hardened, build hardened toolchain, rebuild everything
mkdir -p $(CHROOT)/etc/portage/profile mkdir -p $(CHROOT)/etc/portage/profile
echo "-hardened" >> $(CHROOT)/etc/portage/profile/use.mask echo "-hardened" >> $(CHROOT)/etc/portage/profile/use.mask
@ -7,9 +21,6 @@ preinstall:
-$(gcc_config) -$(gcc_config)
$(inroot) $(EMERGE) $(USEPKG) --emptytree @world $(inroot) $(EMERGE) $(USEPKG) --emptytree @world
$(inroot) bash -c 'yes YES | etc-update --automode -9' $(inroot) bash -c 'yes YES | etc-update --automode -9'
# ASSP: Perl wurde auf ithreads umgestellt -> Module neu bauen
$(inroot) $(EMERGE) $(USEPKG) --oneshot dev-lang/perl
$(inroot) perl-cleaner --reallyall
# Unitas-Portage-Overlay einbinden # Unitas-Portage-Overlay einbinden
$(inroot) $(EMERGE) -n $(USEPKG) app-portage/layman $(inroot) $(EMERGE) -n $(USEPKG) app-portage/layman
@ -17,6 +28,16 @@ preinstall:
wget -P $(CHROOT)/etc/layman/overlays http://dev.unitas-network.de/raw/Gentoo/Unitas.git/master/unitas-overlays.xml wget -P $(CHROOT)/etc/layman/overlays http://dev.unitas-network.de/raw/Gentoo/Unitas.git/master/unitas-overlays.xml
$(inroot) layman -l | grep -q unitas || $(inroot) layman -La unitas $(inroot) layman -l | grep -q unitas || $(inroot) layman -La unitas
install_oletools:
$(inroot) test -f /usr/portage/distfiles/$(OT_TARBALL) || \
$(inroot) wget -P /usr/portage/distfiles $(OT_URL)
$(inroot) sh -c 'tar xf /usr/portage/distfiles/$(OT_TARBALL) -C /tmp && cd /tmp/oletools-$(OT_VER) && python setup.py install'
install_olefy:
$(inroot) test -f /usr/portage/distfiles/$(OF_TARBALL) || \
$(inroot) wget -P /usr/portage/distfiles $(OF_URL)
$(inroot) sh -c 'tar xf /usr/portage/distfiles/$(OF_TARBALL) -C /tmp && cd /tmp/olefy-$(OF_COMMIT) && cp olefy.py /usr/bin && cp olefy.conf /etc && cp olefy.service /etc/systemd/system'
postinstall: timesyncd.conf firstboot.start postinstall: timesyncd.conf firstboot.start
# Konfigurationen anpassen # Konfigurationen anpassen
cp timesyncd.conf $(CHROOT)/etc/systemd/timesyncd.conf cp timesyncd.conf $(CHROOT)/etc/systemd/timesyncd.conf
@ -26,7 +47,7 @@ postinstall: timesyncd.conf firstboot.start
sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/' $(CHROOT)/etc/sudoers sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/' $(CHROOT)/etc/sudoers
$(inroot) useradd -m -G users,wheel -s /bin/bash admin $(inroot) useradd -m -G users,wheel -s /bin/bash admin
$(inroot) passwd -d admin; $(inroot) passwd -e admin $(inroot) passwd -d admin; $(inroot) passwd -e admin
$(inroot) systemctl enable screen@adm.service $(inroot) systemctl enable tmux@root.service
# Beispiel feste IP-Adresse # Beispiel feste IP-Adresse
cp 00-eth0.network $(CHROOT)/00-eth0.network.example cp 00-eth0.network $(CHROOT)/00-eth0.network.example
@ -38,14 +59,10 @@ postinstall: timesyncd.conf firstboot.start
rm -rf $(CHROOT)/var/lib/mysql/* rm -rf $(CHROOT)/var/lib/mysql/*
$(inroot) bash -c 'yes gentoo | emerge --config dev-db/mariadb' $(inroot) bash -c 'yes gentoo | emerge --config dev-db/mariadb'
# ASSP # oletools zur Office-Macro-Erkennung in rspamd
$(inroot) usermod -aG clamav assp $(MAKE) install_oletools
cp system/50-assp-ulimit.conf $(CHROOT)/etc/security/limits.d/ $(MAKE) install_olefy
sed -i 's/smtp inet n - n - - smtpd/127.0.0.1:125 inet n - n - - smtpd/' $(CHROOT)/etc/postfix/master.cf
$(inroot) systemctl enable assp.service
$(inroot) systemctl enable freshclamd.service
$(inroot) systemctl enable clamd.service
$(inroot) systemctl enable postfix.service
$(inroot) systemctl enable pdns-recursor.service
# Anpassungen
$(inroot) usermod -a -G clamav rspamd
clean: clean:
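Review bot: The new `install_oletools` and `install_olefy` targets fetch a tarball over the network and run `python setup.py install` / copy `olefy.py` into `/usr/bin` as root with no integrity check on what was downloaded; the GitHub release tag behind `OT_URL` is mutable and even the commit-pinned `OF_URL` archive is trusted purely on its filename, so a pinned SHA-256 verified with `sha256sum -c` before the extract step is the minimum for this build. The `test -f … || wget` guard also accepts a truncated file left by an interrupted download, which the digest check would catch. Extracting into a fixed `/tmp/oletools-$(OT_VER)` path and installing from there is presumably fine inside the chroot, but `mktemp -d` would avoid depending on that. The recipes below assume `OT_SHA256`/`OF_SHA256` are filled in from a verified download.
```make
# Pinned SHA-256 digests of the two tarballs; fill in from a verified download.
# The install targets refuse to run when the file on disk does not match.
OT_SHA256 ?=
OF_SHA256 ?=
# … unchanged: OT_VER / OT_URL / OF_COMMIT / OF_URL …

install_oletools:
	$(inroot) test -f /usr/portage/distfiles/$(OT_TARBALL) || \
	$(inroot) wget -P /usr/portage/distfiles $(OT_URL)
	$(inroot) sh -c 'echo "$(OT_SHA256)  /usr/portage/distfiles/$(OT_TARBALL)" | sha256sum -c -'
	# … unchanged: tar xf … && python setup.py install …

install_olefy:
	$(inroot) test -f /usr/portage/distfiles/$(OF_TARBALL) || \
	$(inroot) wget -P /usr/portage/distfiles $(OF_URL)
	$(inroot) sh -c 'echo "$(OF_SHA256)  /usr/portage/distfiles/$(OF_TARBALL)" | sha256sum -c -'
	# … unchanged: tar xf … && cp olefy.py / olefy.conf / olefy.service …
```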


@ -34,29 +34,4 @@ if ! mount | grep /$LABEL > /dev/null; then
exit 1 exit 1
fi fi
if [ ! -d "/$LABEL/var/lib/mysql/assp" ]; then
echo 'Initialize MariaDB...'
systemctl stop mariadb
mkdir -p /$LABEL/var/lib/mysql
rm -rf /$LABEL/var/lib/mysql/*
cp -a /var/lib/mysql/. /$LABEL/var/lib/mysql
sed -i "s:^datadir.*:datadir = /$LABEL/var/lib/mysql:" /etc/mysql/my.cnf
systemctl start mariadb
echo 'Create ASSP database...'
mysql -u root -e "CREATE USER 'assp'@'localhost' IDENTIFIED BY '$DATABASE_PASS'"
mysql -u root -e "CREATE DATABASE assp;"
mysql -u root -e "GRANT ALL PRIVILEGES ON assp.* TO 'assp'@'localhost' IDENTIFIED by '$DATABASE_PASS';"
mysql -u root -e "FLUSH PRIVILEGES;"
else
echo 'Start MariaDB...'
sed -i "s:^datadir.*:datadir = /$LABEL/var/lib/mysql:" /etc/mysql/my.cnf
systemctl start mariadb
fi
echo 'Enable database...'
systemctl enable mariadb
# Perl (und damit ASSP) darf auch Ports unter 1024 öffnen
setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/perl
rm /firstboot rm /firstboot



@ -1,6 +1,6 @@
CFLAGS="-O2 -pipe" CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe" CXXFLAGS="-O2 -pipe"
USE="hardened justify pie ssp urandom xattr xtpax -fortran -jit -orc -pch -pic -prelink -profile -tcc" USE="hardened justify pie ssp urandom xattr xtpax -fortran -pch -pic -prelink -profile -tcc"
MAKEOPTS="-j5" MAKEOPTS="-j5"
ACCEPT_LICENSE="*" ACCEPT_LICENSE="*"
PYTHON_TARGETS="python3_6" PYTHON_TARGETS="python3_6"
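Review bot: Dropping `-jit` from `USE` on a profile that also sets `hardened` and `xtpax` re-enables JIT compilation in every package that offers it, which on this appliance presumably includes `pcre2` that `mail-filter/rspamd` is built against in the updated package.use; JIT needs writable-and-executable memory, so under PaX MPROTECT the affected binaries either need paxmarks or the JIT silently fails at runtime. A one-line comment recording why the flag was removed and what was checked would help, e.g. `# -jit dropped for rspamd/pcre2; verify paxmark/MPROTECT behaviour on the hardened profile`. If JIT was not actually wanted, keep `-jit` and enable it per-package in package.use instead.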


@ -2,20 +2,8 @@
app-emulation/open-vm-tools ~amd64 ~x86 app-emulation/open-vm-tools ~amd64 ~x86
sys-auth/pam_ssh_agent_auth ~amd64 ~x86 sys-auth/pam_ssh_agent_auth ~amd64 ~x86
# ASSP # rspamd
dev-perl/Archive-Extract mail-filter/rspamd
dev-perl/Email-Address-XS
dev-perl/Email-MIME
dev-perl/Email-MIME-ContentType
dev-perl/Email-Simple
dev-perl/File-Scan-ClamAV
dev-perl/HTML-Strip
dev-perl/Unicode-LineBreak
dev-perl/Crypt-SMIME
sys-libs/db:6.0
virtual/perl-Encode
dev-perl/Email-LocalDelivery
dev-perl/Email-FolderType
# ClamAV Zusatz-Signaturen # ClamAV Zusatz-Signaturen
app-antivirus/clamav-unofficial-sigs app-antivirus/clamav-unofficial-sigs
@ -25,11 +13,11 @@ gnustep-base/gnustep-make
gnustep-libs/sope gnustep-libs/sope
gnustep-apps/sogo gnustep-apps/sogo
# LetsEncrypt ### LetsEncrypt
app-crypt/acme ##app-crypt/acme
app-crypt/certbot ##app-crypt/certbot
app-crypt/certbot-apache ##app-crypt/certbot-apache
dev-python/zope-component ##dev-python/zope-component
dev-python/parsedatetime ##dev-python/parsedatetime
dev-python/pyrfc3339 ##dev-python/pyrfc3339
dev-python/python-augeas ##dev-python/python-augeas
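Review bot: The LetsEncrypt keyword entries are only commented out with `##` while `app-crypt/certbot-apache` is still listed in the world file changed by this same commit, so the intent is unclear: if stable certbot is now keyworded on the profile the lines are dead config and should be deleted, and if it is not, the `@world` emerge in the Makefile will stop on a masked package. Whichever applies, replace the `##` lines with a single comment stating the reason the `~amd64` keywords were dropped, rather than leaving commented-out entries that look like they might be re-enabled.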


@ -20,21 +20,21 @@ sys-kernel/gentoo-sources symlink
# Monitoring # Monitoring
net-analyzer/zabbix agent net-analyzer/zabbix agent
# ASSP # rspamd
app-text/ghostscript-gpl cups dev-db/redis jemalloc
app-text/tesseract tiff mail-filter/rspamd gd jemalloc pcre2
dev-lang/perl ithreads media-libs/gd jpeg
media-libs/leptonica tiff
x11-libs/cairo X # Mail
mail-filter/assp arc berkdb clamav dcc fakemx ldap ocr mysql razor sasl snmp spf srs ssl syslog
mail-mta/postfix cdb dovecot-sasl ldap mysql vda mail-mta/postfix cdb dovecot-sasl ldap mysql vda
net-mail/dovecot ldap lucene managesieve mysql sieve suid net-mail/dovecot ldap lucene managesieve mysql sieve suid
net-nds/openldap overlays perl sasl net-nds/openldap overlays perl sasl
# Apache
www-servers/apache apache2_modules_proxy apache2_modules_proxy_ajp apache2_modules_proxy_connect apache2_modules_proxy_http apache2_modules_proxy_wstunnel
# SOGo # SOGo
sys-devel/gcc objc sys-devel/gcc objc
x11-libs/cairo X
gnustep-libs/sope ldap mysql gnustep-libs/sope ldap mysql
gnustep-apps/sogo activesync gnustep-apps/sogo activesync
# Apache
www-servers/apache apache2_modules_proxy apache2_modules_proxy_ajp apache2_modules_proxy_connect apache2_modules_proxy_http apache2_modules_proxy_wstunnel


@ -1,2 +0,0 @@
* hard nofile 65536
* soft nofile 32768


@ -2,17 +2,21 @@ app-admin/logrotate
app-admin/sudo app-admin/sudo
app-emulation/open-vm-tools app-emulation/open-vm-tools
app-misc/mc app-misc/mc
app-misc/screenservice app-misc/tmuxservice
net-analyzer/zabbix net-analyzer/zabbix
sys-auth/pam_ssh_agent_auth sys-auth/pam_ssh_agent_auth
sys-fs/mdadm sys-fs/mdadm
sys-power/acpid sys-power/acpid
app-antivirus/clamav app-antivirus/clamav
app-antivirus/clamav-unofficial-sigs app-antivirus/clamav-unofficial-sigs
app-arch/libarchive
app-crypt/certbot-apache app-crypt/certbot-apache
dev-db/mariadb
dev-db/redis
dev-python/pyzor
gnustep-apps/sogo gnustep-apps/sogo
mail-filter/assp mail-filter/dcc
mail-filter/razor
mail-filter/rspamd
mail-mta/postfix mail-mta/postfix
net-dns/pdns-recursor net-dns/pdns-recursor
net-mail/dovecot net-mail/dovecot
@ -20,3 +24,6 @@ net-mail/imapsync
net-misc/netkit-telnetd net-misc/netkit-telnetd
net-nds/openldap net-nds/openldap
www-servers/apache www-servers/apache
dev-python/python-magic
dev-python/pyparsing
dev-python/olefile

6
mailgw/world.README.md Normal file

@ -0,0 +1,6 @@
für https://github.com/HeinleinSupport/olefy:
dev-python/python-magic
für https://github.com/decalage2/oletools:
dev-python/pyparsing
dev-python/olefile