|
Chris PeBenito |
bbc40b5 |
policy_module(milter, 1.4.0)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# Declarations
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# attributes common to all milters
|
|
|
1ec3d1a |
attribute milter_domains;
|
|
|
1ec3d1a |
attribute milter_data_type;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
|
|
|
1ec3d1a |
milter_template(dkim)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# type for the private key of dkim-milter
|
|
|
1ec3d1a |
type dkim_milter_private_key_t;
|
|
|
1ec3d1a |
files_type(dkim_milter_private_key_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# currently-supported milters are milter-greylist, milter-regex and spamass-milter
|
|
|
1ec3d1a |
milter_template(greylist)
|
|
|
1ec3d1a |
milter_template(regex)
|
|
|
1ec3d1a |
milter_template(spamass)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# Type for the spamass-milter home directory, under which spamassassin will
|
|
|
1ec3d1a |
# store system-wide preferences, bayes databases etc. if not configured to
|
|
|
1ec3d1a |
# use per-user configuration
|
|
|
1ec3d1a |
type spamass_milter_state_t;
|
|
|
1ec3d1a |
files_type(spamass_milter_state_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#######################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# dkim-milter local policy
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow dkim_milter_t self:capability { kill setgid setuid };
|
|
|
1ec3d1a |
allow dkim_milter_t self:process signal;
|
|
|
d0cf722 |
allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
|
|
|
1ec3d1a |
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
|
|
|
1ec3d1a |
|
|
|
ceec3a3 |
kernel_read_kernel_sysctls(dkim_milter_t)
|
|
|
ceec3a3 |
|
|
|
1ec3d1a |
auth_use_nsswitch(dkim_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
sysnet_dns_name_resolve(dkim_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
mta_read_config(dkim_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# milter-greylist local policy
|
|
Chris PeBenito |
9401ae1 |
# ensure smtp clients retry mail like real MTAs and not spamware
|
|
Chris PeBenito |
9401ae1 |
# http://hcpnet.free.fr/milter-greylist/
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# It removes any existing socket (not owned by root) whilst running as root,
|
|
|
1ec3d1a |
# fixes permissions, renices itself and then calls setgid() and setuid() to
|
|
|
1ec3d1a |
# drop privileges
|
|
|
1ec3d1a |
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
|
|
|
1ec3d1a |
allow greylist_milter_t self:process { setsched getsched };
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# It creates a pid file /var/run/milter-greylist.pid
|
|
|
1ec3d1a |
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
kernel_read_kernel_sysctls(greylist_milter_t)
|
|
|
1ec3d1a |
|
|
|
1d046a4 |
dev_read_rand(greylist_milter_t)
|
|
|
1d046a4 |
dev_read_urand(greylist_milter_t)
|
|
|
1d046a4 |
|
|
|
1ec3d1a |
corecmd_exec_bin(greylist_milter_t)
|
|
|
1ec3d1a |
corecmd_exec_shell(greylist_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
|
|
|
1ec3d1a |
corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
|
|
|
d79c718 |
corenet_tcp_bind_rtsclient_port(greylist_milter_t)
|
|
|
1ec3d1a |
|
|
|
1d046a4 |
# perl getgroups() reads a bunch of files in /etc
|
|
|
1ec3d1a |
# Allow the milter to read a GeoIP database in /usr/share
|
|
|
1ec3d1a |
# The milter runs from /var/lib/milter-greylist and maintains files there
|
|
|
1ec3d1a |
files_search_var_lib(greylist_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# Look up username for dropping privs
|
|
|
1ec3d1a |
auth_use_nsswitch(greylist_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# Config is in /etc/mail/greylist.conf
|
|
|
1ec3d1a |
mta_read_config(greylist_milter_t)
|
|
|
1ec3d1a |
|
|
|
1d046a4 |
|
|
|
1d046a4 |
sysnet_read_config(greylist_milter_t)
|
|
|
1d046a4 |
|
|
|
1d046a4 |
|
|
|
1d046a4 |
optional_policy(`
|
|
|
304b8b6 |
mysql_stream_connect(greylist_milter_t)
|
|
|
1d046a4 |
')
|
|
|
1d046a4 |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# milter-regex local policy
|
|
Chris PeBenito |
9401ae1 |
# filter emails using regular expressions
|
|
Chris PeBenito |
9401ae1 |
# http://www.benzedrine.cx/milter-regex.html
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# It removes any existing socket (not owned by root) whilst running as root
|
|
|
1ec3d1a |
# and then calls setgid() and setuid() to drop privileges
|
|
|
1ec3d1a |
allow regex_milter_t self:capability { setuid setgid dac_override };
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# The milter's socket directory lives under /var/spool
|
|
|
1ec3d1a |
files_search_spool(regex_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# Look up username for dropping privs
|
|
|
1ec3d1a |
auth_use_nsswitch(regex_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# Config is in /etc/mail/milter-regex.conf
|
|
|
1ec3d1a |
mta_read_config(regex_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# spamass-milter local policy
|
|
Chris PeBenito |
9401ae1 |
# pipe emails through SpamAssassin
|
|
Chris PeBenito |
9401ae1 |
# http://savannah.nongnu.org/projects/spamass-milt/
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# The milter runs from /var/lib/spamass-milter
|
|
|
1ec3d1a |
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
|
|
|
1ec3d1a |
files_search_var_lib(spamass_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
kernel_read_system_state(spamass_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# When used with -b or -B options, the milter invokes sendmail to send mail
|
|
|
1ec3d1a |
# to a spamtrap address, using popen()
|
|
|
1ec3d1a |
corecmd_exec_shell(spamass_milter_t)
|
|
|
1ec3d1a |
corecmd_read_bin_symlinks(spamass_milter_t)
|
|
|
1ec3d1a |
corecmd_search_bin(spamass_milter_t)
|
|
|
1ec3d1a |
|
|
|
63c36f6 |
auth_use_nsswitch(spamass_milter_t)
|
|
|
63c36f6 |
|
|
|
1ec3d1a |
mta_send_mail(spamass_milter_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# The main job of the milter is to pipe spam through spamc and act on the result
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
spamassassin_domtrans_client(spamass_milter_t)
|
|
|
1ec3d1a |
')
|