From 36aa32d1c46a92c46f7287a6c2fe8e51ec317bef Mon Sep 17 00:00:00 2001
From: Ossi Herrala
Date: Fri, 21 Feb 2014 11:17:25 +0000
Subject: [PATCH] gross: sendmail milter compatible RBL check based greylisting solution.
---
gross/manifests/init.pp | 84 ++++++++++++++
gross/templates/grossd.conf.erb | 190 ++++++++++++++++++++++++++++++++
2 files changed, 274 insertions(+)
create mode 100644 gross/manifests/init.pp
create mode 100644 gross/templates/grossd.conf.erb
diff --git a/gross/manifests/init.pp b/gross/manifests/init.pp
new file mode 100644
index 0000000..2b235ea
--- /dev/null
+++ b/gross/manifests/init.pp
@@ -0,0 +1,84 @@
+
+# Install and configure Grossd.
+#
+# $protocol:
+# Activates the server protocols grossd will support. Valid
+# protocols are 'sjsms', 'postfix' and 'milter'.
+#
+# $number_buffers:
+# The number of filters used in the ring queue raising this value
+# will cause an entry to stay in the servers' memory longer.
+#
+# $rotate_interval:
+# The number of seconds between filter rotation. Let
+# N := 'number_buffers' and I := 'rotate_interval'. An entry will stay
+# in the servers' memory for (N - 0.5) * I seconds in average.
+#
+# $grey_delay:
+# The time in seconds new triplets are kept on the greylist.
+#
+# $block_treshold:
+# The threshold after which grossd sends a permanent error to the
+# client. Every check that considers client_ip as suspicious
+# returns a value (check weight). When sum of these values gets
+# equivalent or greater than 'block_threshold', grossd sends a
+# STATUS_BLOCK response.
+#
+# $dnsbl:
+# Dns domain name of the dnsbl that 'dnsbl' check will
+# query. There are no defaults, but below is a list of dnsbls you
+# could be using you may assign different weights for the dnsbl's,
+# default weight is 1.
+# Syntax: dnsbl = [ 'bl.spamcop.net;2', 'dnsbl.sorbs.net' ]
+#
+# $dnswl:
+# Analogous to 'dnsbl'. Remember that dnswl is a *definitive*
+# check, that is grossd waits for the check to complete before
+# deciding how to respond. This may cause unwanted latency. Highly
+# recommended if you use grossd as a traditional greylister.
+#
+# $rpm:
+# Location of RPM package.
+#
+class gross(
+ $protocol = 'milter',
+ $number_buffers = '8',
+ $rotate_interval = '3600',
+ $grey_delay = '10',
+ $block_treshold = '0',
+ $dnsbl = [],
+ $dnswl = [],
+ $rpm =
+ 'https://bitbucket.org/oherrala/gross/downloads/gross-1.0.2-1.el6.x86_64.rpm'
+){
+
+ package { 'gross':
+ ensure => 'installed',
+ provider => 'rpm',
+ source => $rpm,
+ }
+
+ service { 'gross':
+ ensure => 'running',
+ enable => true,
+ require => Package['gross'],
+ }
+
+ file { '/var/db/grossd/':
+ ensure => 'directory',
+ owner => 'nobody',
+ group => 'root',
+ mode => '0750',
+ before => Service['gross'],
+ }
+
+ file { '/etc/grossd.conf':
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ content => template('gross/grossd.conf.erb'),
+ before => Service['gross'],
+ notify => Service['gross'],
+ }
+}
diff --git a/gross/templates/grossd.conf.erb b/gross/templates/grossd.conf.erb
new file mode 100644
index 0000000..3cbeb29
--- /dev/null
+++ b/gross/templates/grossd.conf.erb
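Review bot: The package resource installs `$rpm` straight from a remote URL (`provider => 'rpm'`, `source => $rpm`) with nothing in the class verifying what was downloaded; as far as I recall rpm only enforces a signature when the signing key is already in its database, and no key import or checksum check precedes `Package['gross']`. I'd add a comment on `$rpm` such as `# No integrity check is done on this download; import the vendor signing key (or serve the RPM from a trusted local repository) before relying on it` and, if the key is available, a resource importing it with `before => Package['gross']`. Separately, the parameter `$block_treshold` misspells the grossd option `block_threshold`, and that spelling becomes the class's public interface; if it can still be renamed, `$block_threshold = '0'` here and `@block_threshold` in the template would spare callers reproducing the typo. Lastly, on `File['/etc/grossd.conf']` the `before => Service['gross']` is redundant next to `notify => Service['gross']`, since notify already implies the ordering.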
@@ -0,0 +1,190 @@
+#
+# This is a sample configuration for grossd
+#
+# This file includes all valid configuration parameters, with their
+# default values. All the default values are commented out, so any
+# all lines not commented out change the default settings.
+#
+# syntax is
+#
+# name = value [; param]...
+#
+# you can also add comments after a line # this is a comment
+
+
+# 'host' is the address the server should listen for queries
+# DEFAULT: host = localhost
+
+# 'port' is the port the server should listen for queries
+# DEFAULT: port = 5525
+
+# 'protocol' activates the server protocols grossd will support
+# Valid protocols are 'sjsms', 'postfix' and 'milter'
+# protocol = sjsms
+# protocol = postfix
+protocol = <%= @protocol %>
+
+# 'stat_type' is the name of the requested statistic. There can be multiple
+# 'stat_type' options in the configuration file (Using both none and full is
+# undefined). Default is none. Valid options are currently:
+# full: grossd sends all possible statistics
+# none: no statistics at all
+# status: basic statistics set
+# since_startup: basic set since the startup
+# delay: processing delay statistics
+# EXAMPLE: stat_type = status
+# EXAMPLE: stat_type = delay
+
+# 'stat_interval' is the number of seconds between status log entries
+# DEFAULT: stat_interval = 3600
+
+# 'filter_bits' is the size of the bloom filter. Size will be 2^filter_bits
+# lowering this value will increase the probability of false matches
+# in each individual bloom filter
+# DEFAULT: filter_bits = 24
+
+# 'number_buffers' is the number of filters used in the ring queue
+# raising this value will cause an entry to stay in the servers' memory longer
+# DEFAULT: number_buffers = 8
+number_buffers = <%= @number_buffers %>
+
+# 'rotate_interval' is the number of seconds between filter rotation.
+# Let N := 'number_buffers' and I := 'rotate_interval'. An entry will
+# stay in the servers' memory for (N - 0.5) * I seconds in average.
+# DEFAULT: rotate_interval = 3600
+rotate_interval = <%= @rotate_interval %>
+
+# 'sync_listen' is the address to listen for communication with the peer
+# defaults to 'host' option
+# sync_listen =
+
+# 'sync_peer' is the address of the peer used in clustered mode
+# sync_peer =
+
+# 'sync_port' is the port number to listen to and connect to in
+# communication with the peer.
+# DEFAULT: sync_port = 5524
+
+# 'status_host' is the address grossd listens for status queries
+# DEFAULT: status_host = localhost
+
+# 'status_port' is the port number grossd listens for status queries
+# DEFAULT: status_port = 5522
+
+# 'statefile' is the full path of the file that the server will use to
+# store the state information.
+# statefile = /var/db/grossd.state
+statefile = /var/db/grossd/grossd.state
+
+# 'pidfile' is the full path of the file grossd writes its pid into.
+# You can set parameter 'check', if you want to keep grossd
+# from starting if pidfile already exists.
+# pidfile = /var/run/grossd.pid;check
+
+# 'log_method' is used to list all the possible logging facilities.
+# currently only syslog is implemented
+# DEFAULT: log_method = syslog
+
+# 'log_level' Possible log levels are 'debug', 'info', 'notice'
+# 'warning' and 'error'.
+# DEFAULT: log_level = info
+
+# 'syslog_facility' is the facility syslog sends log messages with.
+# DEFAULT: syslog_facility = mail
+
+# 'update' is the way server updates the database. Valid options are
+# 'grey' and 'always'. If 'update = grey' grossd will update the database
+# only if response is STATUS_GREY
+# DEFAULT: update = grey
+
+# 'grey_mask' is the mask for grossd to use when matching client_ip
+# against the database. Default is 24, so grossd treats addresses
+# like a.b.c.d as a.b.c.0. Setting this to 32 makes grossd to
+# require that consecutive attempts are made from the same ip address.
+# DEFAULT: grey_mask = 24
+
+# 'grey_delay' is the time in seconds new triplets are kept on the greylist.
+# DEFAULT: grey_delay = 10
+grey_delay = <%= @grey_delay %>
+
+# 'query_timelimit' is the query timeout in milliseconds.
+# DEFAULT: query_timelimit = 5000
+
+# 'pool_maxthreads' is the maximum threadcount per pool. You may have
+# to raise the limit from the default if you get more than 100
+# queries per second and/or have slow dns servers. Rule of thumb would be
+# decide how many queries you want grossd to be able to handle per second,
+# and multiply that with query_timelimit (in seconds, of course).
+# DEFAULT: pool_maxthreads = 100
+
+# 'block_threshold' is the threshold after which grossd sends
+# a permanent error to the client. Every check that considers client_ip
+# as suspicious returns a value (check weight). When sum of these
+# values gets equivalent or greater than 'block_threshold', grossd
+# sends a STATUS_BLOCK response. Default is 0, which disables
+# this functionality.
+# DEFAULT: block_threshold = 0
+block_threshold = <%= @block_treshold %>
+
+# 'block_reason' is the reason given when client is too suspicious,
+# see block_threshold
+# DEFAULT: block_reason = Bad reputation
+
+# 'grey_threshold' is analogous to 'block_threshold', except at the
+# threshold grossd sends a STATUS_GREY response.
+# DEFAULT: grey_threshold = 1
+
+# 'check' lists all the checks grossd will do to judge if client_ip is
+# suspicious or not.
+#check = dnsbl
+#check = rhsbl
+#check = dnswl
+
+# 'dnsbl' is a dns domain name of the dnsbl that 'dnsbl' check will query
+# There are no defaults, but below is a list of dnsbls you could be using
+# you may assign different weights for the dnsbl's, default weight is 1
+# dnsbl = rbl-plus.mail-abuse.net # this is not free
+# dnsbl = bl.spamcop.net;2
+# dnsbl = combined.njabl.org
+# dnsbl = cbl.abuseat.org
+# dnsbl = dnsbl.sorbs.net
+
+<% if @dnsbl.size > 0 -%>
+check = dnsbl
+<% end -%>
+
+<% @dnsbl.each do |val| -%>
+dnsbl = <%= val %>
+<% end -%>
+
+# 'rhsbl' is analogous to 'dnsbl'
+#rhsbl = rhsbl.sorbs.net
+
+# 'dnswl' is analogous to 'dnsbl'. Remember that dnswl is a *definitive*
+# check, that is grossd waits for the check to complete before deciding
+# how to respond. This may cause unwanted latency. Highly recommended if
+# you use grossd as a traditional greylister.
+#dnswl = query.bondedsender.org
+
+<% if @dnswl.size > 0 -%>
+check = dnswl
+<% end -%>
+
+<% @dnswl.each do |val| -%>
+dnswl = <%= val %>
+<% end -%>
+
+# 'blocker_host' is the host name of the Sophos blocker server.
+# blocker_host =
+
+# 'blocker_port' is the tcp port of the Sophos blocker service.
+# DEFAULT: blocker_port = 4466
+
+# 'blocker_weight' is the weight of the blocker check. (See description of 'dnsbl')
+# DEFAULT: blocker_weight = 1
+
+# 'milter_listen' is the socket for milter service.
+# EXAMPLE: milter_listen = inet:5523@localhost
+<% if protocol == 'milter' %>
+milter_listen = inet:5523@localhost
+<% end %>
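Review bot: The closing conditional `<% if protocol == 'milter' %>` reads the bare name `protocol`, while every other reference in this template uses the instance-variable form (`<%= @protocol %>`, `@dnsbl`, `@dnswl`); bare variable lookup in Puppet templates was deprecated and, as far as I recall, is not available in later Puppet releases, so the `milter_listen` line would either warn on every run or make the template fail to render. Change it to `<% if @protocol == 'milter' -%>` with a matching `<% end -%>`, which also trims the stray blank lines the way the dnsbl/dnswl blocks above already do. The `@dnsbl.size > 0` and `@dnswl.size > 0` guards also assume array parameters: a caller passing a single string would get `check = dnsbl` emitted and then fail on `.each`, which is worth stating in the class documentation if no type check is added.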