gross: sendmail milter compatible RBL check based greylisting solution.

2014-02-21 11:17:25 +00:00 · 2014-02-21 11:17:25 +00:00 · 36aa32d1c4
commit 36aa32d1c4
parent 1ee9bf0105
2 changed files with 274 additions and 0 deletions
--- a/gross/manifests/init.pp
+++ b/gross/manifests/init.pp
@ -0,0 +1,84 @@
+
+# Install and configure Grossd.
+#
+#   $protocol:
+#     Activates the server protocols grossd will support. Valid
+#     protocols are 'sjsms', 'postfix' and 'milter'.
+#
+#   $number_buffers:
+#     The number of filters used in the ring queue raising this value
+#     will cause an entry to stay in the servers' memory longer.
+#
+#   $rotate_interval:
+#     The number of seconds between filter rotation. Let
+#     N := 'number_buffers' and I := 'rotate_interval'. An entry will stay
+#     in the servers' memory for (N - 0.5) * I seconds in average.
+#
+#   $grey_delay:
+#     The time in seconds new triplets are kept on the greylist.
+#
+#   $block_treshold:
+#     The threshold after which grossd sends a permanent error to the
+#     client. Every check that considers client_ip as suspicious
+#     returns a value (check weight). When sum of these values gets
+#     equivalent or greater than 'block_threshold', grossd sends a
+#     STATUS_BLOCK response.
+#
+#   $dnsbl:
+#     Dns domain name of the dnsbl that 'dnsbl' check will
+#     query. There are no defaults, but below is a list of dnsbls you
+#     could be using you may assign different weights for the dnsbl's,
+#     default weight is 1.
+#     Syntax: dnsbl = [ 'bl.spamcop.net;2', 'dnsbl.sorbs.net' ]
+#
+#   $dnswl:
+#    Analogous to 'dnsbl'. Remember that dnswl is a *definitive*
+#    check, that is grossd waits for the check to complete before
+#    deciding how to respond. This may cause unwanted latency. Highly
+#    recommended if you use grossd as a traditional greylister.
+#
+#  $rpm:
+#    Location of RPM package.
+#
+class gross(
+  $protocol        = 'milter',
+  $number_buffers  = '8',
+  $rotate_interval = '3600',
+  $grey_delay      = '10',
+  $block_treshold  = '0',
+  $dnsbl           = [],
+  $dnswl           = [],
+  $rpm             =
+  'https://bitbucket.org/oherrala/gross/downloads/gross-1.0.2-1.el6.x86_64.rpm'
+){
+
+  package { 'gross':
+    ensure   => 'installed',
+    provider => 'rpm',
+    source   => $rpm,
+  }
+
+  service { 'gross':
+    ensure  => 'running',
+    enable  => true,
+    require => Package['gross'],
+  }
+
+  file { '/var/db/grossd/':
+    ensure => 'directory',
+    owner  => 'nobody',
+    group  => 'root',
+    mode   => '0750',
+    before => Service['gross'],
+  }
+
+  file { '/etc/grossd.conf':
+    ensure  => 'present',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0444',
+    content => template('gross/grossd.conf.erb'),
+    before  => Service['gross'],
+    notify  => Service['gross'],
+  }
+}
--- a/gross/templates/grossd.conf.erb
+++ b/gross/templates/grossd.conf.erb
@ -0,0 +1,190 @@
+#
+# This is a sample configuration for grossd
+#
+# This file includes all valid configuration parameters, with their
+# default values. All the default values are commented out, so any
+# all lines not commented out change the default settings.
+#
+# syntax is
+#
+# name = value [; param]...
+#
+# you can also add comments after a line 	# this is a comment
+
+
+# 'host' is the address the server should listen for queries
+# DEFAULT: host = localhost
+
+# 'port' is the port the server should listen for queries
+# DEFAULT: port = 5525
+
+# 'protocol' activates the server protocols grossd will support
+# Valid protocols are 'sjsms', 'postfix' and 'milter'
+# protocol = sjsms
+# protocol = postfix
+protocol = <%= @protocol %>
+
+# 'stat_type' is the name of the requested statistic. There can be multiple
+# 'stat_type' options in the configuration file (Using both none and full is
+# undefined). Default is none. Valid options are currently:
+# full: grossd sends all possible statistics
+# none: no statistics at all
+# status: basic statistics set
+# since_startup: basic set since the startup
+# delay: processing delay statistics
+# EXAMPLE: stat_type = status
+# EXAMPLE: stat_type = delay
+
+# 'stat_interval' is the number of seconds between status log entries
+# DEFAULT: stat_interval = 3600
+
+# 'filter_bits' is the size of the bloom filter. Size will be 2^filter_bits
+# lowering this value will increase the probability of false matches
+# in each individual bloom filter
+# DEFAULT: filter_bits = 24
+
+# 'number_buffers' is the number of filters used in the ring queue
+# raising this value will cause an entry to stay in the servers' memory longer
+# DEFAULT: number_buffers = 8
+number_buffers = <%= @number_buffers %>
+
+# 'rotate_interval' is the number of seconds between filter rotation.
+# Let N := 'number_buffers' and I := 'rotate_interval'. An entry will
+# stay in the servers' memory for (N - 0.5) * I seconds in average.
+# DEFAULT: rotate_interval = 3600
+rotate_interval = <%= @rotate_interval %>
+
+# 'sync_listen' is the address to listen for communication with the peer
+# defaults to 'host' option
+# sync_listen =
+
+# 'sync_peer' is the address of the peer used in clustered mode
+# sync_peer =
+
+# 'sync_port' is the port number to listen to and connect to in
+# communication with the peer.
+# DEFAULT: sync_port = 5524
+
+# 'status_host' is the address grossd listens for status queries
+# DEFAULT: status_host = localhost
+
+# 'status_port' is the port number grossd listens for status queries
+# DEFAULT: status_port = 5522
+
+# 'statefile' is the full path of the file that the server will use to
+# store the state information.
+# statefile = /var/db/grossd.state
+statefile = /var/db/grossd/grossd.state
+
+# 'pidfile' is the full path of the file grossd writes its pid into.
+# You can set parameter 'check', if you want to keep grossd
+# from starting if pidfile already exists.
+# pidfile = /var/run/grossd.pid;check
+
+# 'log_method' is used to list all the possible logging facilities.
+# currently only syslog is implemented
+# DEFAULT: log_method = syslog
+
+# 'log_level' Possible log levels are 'debug', 'info', 'notice'
+# 'warning' and 'error'.
+# DEFAULT: log_level = info
+
+# 'syslog_facility' is the facility syslog sends log messages with.
+# DEFAULT: syslog_facility = mail
+
+# 'update' is the way server updates the database. Valid options are
+# 'grey' and 'always'. If 'update = grey' grossd will update the database
+# only if response is STATUS_GREY
+# DEFAULT: update = grey
+
+# 'grey_mask' is the mask for grossd to use when matching client_ip
+# against the database. Default is 24, so grossd treats addresses
+# like a.b.c.d as a.b.c.0. Setting this to 32 makes grossd to
+# require that consecutive attempts are made from the same ip address.
+# DEFAULT: grey_mask = 24
+
+# 'grey_delay' is the time in seconds new triplets are kept on the greylist.
+# DEFAULT: grey_delay = 10
+grey_delay = <%= @grey_delay %>
+
+# 'query_timelimit' is the query timeout in milliseconds.
+# DEFAULT: query_timelimit = 5000
+
+# 'pool_maxthreads' is the maximum threadcount per pool. You may have
+# to raise the limit from the default if you get more than 100
+# queries per second and/or have slow dns servers. Rule of thumb would be
+# decide how many queries you want grossd to be able to handle per second,
+# and multiply that with query_timelimit (in seconds, of course).
+# DEFAULT: pool_maxthreads = 100
+
+# 'block_threshold' is the threshold after which grossd sends
+# a permanent error to the client. Every check that considers client_ip
+# as suspicious returns a value (check weight). When sum of these
+# values gets equivalent or greater than 'block_threshold', grossd
+# sends a STATUS_BLOCK response. Default is 0, which disables
+# this functionality.
+# DEFAULT: block_threshold = 0
+block_threshold = <%= @block_treshold %>
+
+# 'block_reason' is the reason given when client is too suspicious,
+# see block_threshold
+# DEFAULT: block_reason = Bad reputation
+
+# 'grey_threshold' is analogous to 'block_threshold', except at the
+# threshold grossd sends a STATUS_GREY response.
+# DEFAULT: grey_threshold = 1
+
+# 'check' lists all the checks grossd will do to judge if client_ip is
+# suspicious or not.
+#check = dnsbl
+#check = rhsbl
+#check = dnswl
+
+# 'dnsbl' is a dns domain name of the dnsbl that 'dnsbl' check will query
+# There are no defaults, but below is a list of dnsbls you could be using
+# you may assign different weights for the dnsbl's, default weight is 1
+# dnsbl = rbl-plus.mail-abuse.net # this is not free
+# dnsbl = bl.spamcop.net;2
+# dnsbl = combined.njabl.org
+# dnsbl = cbl.abuseat.org
+# dnsbl = dnsbl.sorbs.net
+
+<% if @dnsbl.size > 0 -%>
+check = dnsbl
+<% end -%>
+
+<% @dnsbl.each do |val| -%>
+dnsbl = <%= val %>
+<% end -%>
+
+# 'rhsbl' is analogous to 'dnsbl'
+#rhsbl = rhsbl.sorbs.net
+
+# 'dnswl' is analogous to 'dnsbl'. Remember that dnswl is a *definitive*
+# check, that is grossd waits for the check to complete before deciding
+# how to respond. This may cause unwanted latency. Highly recommended if
+# you use grossd as a traditional greylister.
+#dnswl = query.bondedsender.org
+
+<% if @dnswl.size > 0 -%>
+check = dnswl
+<% end -%>
+
+<% @dnswl.each do |val| -%>
+dnswl = <%= val %>
+<% end -%>
+
+# 'blocker_host' is the host name of the Sophos blocker server.
+# blocker_host =
+
+# 'blocker_port' is the tcp port of the Sophos blocker service.
+# DEFAULT: blocker_port = 4466
+
+# 'blocker_weight' is the weight of the blocker check. (See description of 'dnsbl')
+# DEFAULT: blocker_weight = 1
+
+# 'milter_listen' is the socket for milter service.
+# EXAMPLE: milter_listen = inet:5523@localhost
+<% if protocol == 'milter' %>
+milter_listen = inet:5523@localhost
+<% end %>