From ebbd5c78516c490a2852525ce9358ef5d6c336d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Thu, 12 May 2016 10:02:43 +0000
Subject: [PATCH] Improve the SpamAssassin config
---
 roles/spamassassin/files/local.cf | 55 ++++++++++++++++++++++++++++
 roles/spamassassin/files/sa-update | 9 +++++
 roles/spamassassin/files/sysconfig | 2 +-
 roles/spamassassin/handlers/main.yml | 3 ++
 roles/spamassassin/tasks/main.yml | 21 ++++++++++-
 5 files changed, 88 insertions(+), 2 deletions(-)
 create mode 100644 roles/spamassassin/files/local.cf
 create mode 100644 roles/spamassassin/files/sa-update
 create mode 100644 roles/spamassassin/handlers/main.yml
diff --git a/roles/spamassassin/files/local.cf b/roles/spamassassin/files/local.cf
new file mode 100644
index 0000000000..8854b42f3c
--- /dev/null
+++ b/roles/spamassassin/files/local.cf
@@ -0,0 +1,55 @@
+# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
+# (see spamassassin(1) for details)
+
+# These should be safe assumptions and allow for simple visual sifting
+# without risking lost emails.
+
+required_hits 5
+report_safe 0
+bayes_auto_learn_threshold_nonspam -4
+
+# disable certain kinds of blacklists since their dns checks were timing out
+score RCVD_IN_BL_SPAMCOP_NET 0
+score RCVD_IN_RP_RNBL 0
+score RCVD_IN_RP_CERTIFIED 0
+score RCVD_IN_RP_SAFE 0
+
+# Red Hat's private PSBL zone mirror
+header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.redhat.com.')
+
+# Red Hat's private spamhaus mirror
+header __RCVD_IN_ZEN eval:check_rbl('zen', 'sh-zen.redhat.com.')
+header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'sh-zen.redhat.com.', '127.0.0.[45678]')
+header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'sh-zen.redhat.com.', '127.0.0.1[01]')
+header RCVD_IN_CSS eval:check_rbl_sub('zen', 'sh-zen.redhat.com.', '127.0.0.3')
+uridnsbl URIBL_SBL sh-sbl.redhat.com. TXT
+
+# Red Hat's private anubis mirror
+header __RCVD_IN_ANBREP eval:check_rbl('anubisrep-lastexternal', 'anb-rep.redhat.com.')
+tflags __RCVD_IN_ANBREP net
+
+header RCVD_IN_ANBREP_Z eval:check_rbl_sub('anubisrep-lastexternal', '^127.0.0.2$')
+describe RCVD_IN_ANBREP_Z Spam wave participant
+tflags RCVD_IN_ANBREP_Z net
+header RCVD_IN_ANBREP_L5 eval:check_rbl_sub('anubisrep-lastexternal', '^127.0.0.10$')
+describe RCVD_IN_ANBREP_L5 Very bad reputation (-5)
+tflags RCVD_IN_ANBREP_L5 net
+header RCVD_IN_ANBREP_L4 eval:check_rbl_sub('anubisrep-lastexternal', '^127.0.0.11$')
+describe RCVD_IN_ANBREP_L4 Bad reputation (-4)
+tflags RCVD_IN_ANBREP_L4 net
+header RCVD_IN_ANBREP_L3 eval:check_rbl_sub('anubisrep-lastexternal', '^127.0.0.12$')
+describe RCVD_IN_ANBREP_L3 Low reputation (-3)
+tflags RCVD_IN_ANBREP_L3 net
+header RCVD_IN_ANBREP_L2 eval:check_rbl_sub('anubisrep-lastexternal', '^127.0.0.13$')
+describe RCVD_IN_ANBREP_L2 Suspicious sender (-2)
+tflags RCVD_IN_ANBREP_L2 net
+score RCVD_IN_ANBREP_Z 0.5
+score RCVD_IN_ANBREP_L5 0.9
+score RCVD_IN_ANBREP_L4 0.7
+score RCVD_IN_ANBREP_L3 0.6
+score RCVD_IN_ANBREP_L2 0.5
+
+# disable razor2
+score RAZOR2_CF_RANGE_51_100 0
+score RAZOR2_CF_RANGE_E8_51_100 0
+score RAZOR2_CHECK 0
diff --git a/roles/spamassassin/files/sa-update b/roles/spamassassin/files/sa-update
new file mode 100644
index 0000000000..fe49cc4150
--- /dev/null
+++ b/roles/spamassassin/files/sa-update
@@ -0,0 +1,9 @@
+### OPTIONAL: Spamassassin Rules Updates ###
+#
+# http://wiki.apache.org/spamassassin/RuleUpdates
+# Highly recommended that you read the documentation before using this.
+# ENABLE UPDATES AT YOUR OWN RISK.
+#
+# /var/log/sa-update.log contains a history log of sa-update runs
+
+10 4 * * * root /usr/share/spamassassin/sa-update.cron 2>&1 | tee -a /var/log/sa-update.log
diff --git a/roles/spamassassin/files/sysconfig b/roles/spamassassin/files/sysconfig
index 22a7158176..5773f2faa3 100644
--- a/roles/spamassassin/files/sysconfig
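Review bot: In roles/spamassassin/files/local.cf, `RCVD_IN_CSS` passes three arguments to `check_rbl_sub`, but as far as I know that eval takes only a set name and a sub-test (the zone comes from the `check_rbl` rule that defines the set, as the anubis rules in this same hunk do), so 'sh-zen.redhat.com.' would be read as the sub-test and the rule would presumably never match; the line should read `header RCVD_IN_CSS eval:check_rbl_sub('zen', '127.0.0.3')`. The `RCVD_IN_XBL` and `RCVD_IN_PBL` sub-tests are also unanchored with unescaped dots, unlike the `^…$` patterns further down; `'^127\.0\.0\.[45678]$'` and `'^127\.0\.0\.1[01]$'` state the intended return codes exactly. A mis-written sub-test fails silently, so mail from listed relays is delivered without the score being applied, which is worth a test message against a known-listed address after deployment.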
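Review bot: The header of roles/spamassassin/files/sa-update still calls the updates optional and says to enable them at your own risk, while the job line below it is active, so this role switches on a nightly rule download that runs as root on every host it configures. A comment recording that decision would help the next reader, e.g. `# Enabled on purpose by this role: rule updates are fetched nightly as root.` The pipeline uses `tee`, so the output goes to the log and also into cron's mail to root, and nothing in this commit rotates /var/log/sa-update.log; `>> /var/log/sa-update.log 2>&1` plus a logrotate entry would keep the history without the daily mail.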
+++ b/roles/spamassassin/files/sysconfig
@@ -1,2 +1,2 @@
 # Options to spamd
-SPAMDOPTIONS="-d -c -m5 -H -u spammy -g spammy"
+SPAMDOPTIONS="-d -c -m10 -H -u spammy -g spammy"
diff --git a/roles/spamassassin/handlers/main.yml b/roles/spamassassin/handlers/main.yml
new file mode 100644
index 0000000000..5abb3ffb75
--- /dev/null
+++ b/roles/spamassassin/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: restart spamassassin
+ action: service name=spamassassin state=restarted
+
diff --git a/roles/spamassassin/tasks/main.yml b/roles/spamassassin/tasks/main.yml
index d60f40d66c..91557b63d5 100644
--- a/roles/spamassassin/tasks/main.yml
+++ b/roles/spamassassin/tasks/main.yml
@@ -2,7 +2,10 @@ # tasklist for setting up a SpamAssassin server - name: install the package - yum: pkg=spamassassin state=present + yum: pkg={{ item }} state=present + with_items: + - spamassassin + - perl-Razor-Agent tags: - packages
@@ -18,8 +21,24 @@ - name: setup the sysconfig file copy: src=sysconfig dest=/etc/sysconfig/spamassassin + notify: + - restart spamassassin + tags: + - config + +- name: setup the config file + copy: src=local.cf dest=/etc/mail/spamassassin/local.cf + notify: + - restart spamassassin + tags: + - config + +- name: setup the cron job + copy: src=sa-update dest=/etc/cron.d/sa-update tags: - config - name: set the service running/enabled service: name=spamassassin enabled=true state=running + tags: + - service
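Review bot: The first hunk of roles/spamassassin/tasks/main.yml installs `perl-Razor-Agent`, yet the local.cf added in this same commit sets `RAZOR2_CHECK` and both `RAZOR2_CF_RANGE_*` scores to 0 under "# disable razor2", so the package appears to be installed without being used. If Razor is meant to stay off, dropping `- perl-Razor-Agent` keeps an unused network client off the mail host. If it is needed for another reason, a comment above `with_items:` such as `# perl-Razor-Agent is installed because <reason>; its rules are scored 0 in local.cf` would record that.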
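Review bot: The `copy:` tasks added in the second hunk of roles/spamassassin/tasks/main.yml set no owner, group or mode, so the permissions of /etc/cron.d/sa-update and /etc/mail/spamassassin/local.cf depend on the umask of the Ansible run. The cron file matters most because its job runs as root, and cron daemons typically skip a file under /etc/cron.d that is not root-owned or is writable by others, which would silently stop the rule updates. `copy: src=sa-update dest=/etc/cron.d/sa-update owner=root group=root mode=0644` pins it, and the same three arguments fit the local.cf task and the existing sysconfig task.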