Merge branch 'sme9'

createlinks

@@ -61,6 +61,9 @@ service_link_enhanced("ipmi", "K74", "6");
 # Autofs
 service_link_enhanced("autofs", "S28", "7");
 service_link_enhanced("autofs", "K72", "6");
+# Netfs
+service_link_enhanced("netfs", "S25", "7");
+service_link_enhanced("netfs", "K75", "6");
 
 # Panels
 panel_link('userinfo','manager');

ipasserelle-base.spec

@@ -1,12 +1,13 @@
-%define version 0.2.48
+%define version 0.2.64
 %define release 1
 %define name ipasserelle-base
 
 
 Summary: Meta-Package to turn a SME Server into an iPasserelle
-Name: %{name}
-Version: %{version}
-Release: %{release}%{?dist}
+Name: ipasserelle-base
+Version: 0.2.64
+Release: 1%{?dist}
+Epoch: 9
 License: GPL
 Group: Networking/Daemons
 Source: %{name}-%{version}.tar.gz
@@ -25,6 +26,7 @@ Requires: smeserver-shared-folders
 Requires: smeserver-qos
 Requires: smeserver-fetchmail
 Requires: smeserver-webapps-common
+Requires: smeserver-expire-accounts
 Requires: bash-completion
 Requires: ipasserelle-repo
 Requires: qmail-notify
@@ -36,7 +38,7 @@ Requires: perl(Net::LDAP)
 Requires: perl(Proc::ProcessTable)
 Requires: perl(Proc::ProcessTable::Process)
 Requires: pbzip2
-Requires: yum-downloadonly
+Requires: yum >= 3.2.29-69
 Requires: smeserver-fail2ban
 Obsoletes: smeserver-denyhosts
 Obsoletes: smeserver-mailstats
@@ -47,44 +49,98 @@ Based on SMEServer, iPasserelle is a specially configured
 SME Server, with some additionnal modules
 
 %changelog
-* Wed Dec 2 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.48-1
-- Fix ownership of /var/clamav
+* Wed Jul 19 2017 Daniel Berteaud <daniel@firewall-services.com> 0.2.64-1
+- Reduce spamassassin's BL score to 1.0 each
 
-* Fri Nov 27 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.47-1
+* Thu Jun 8 2017 Daniel Berteaud <daniel@firewall-services.com> 0.2.63-1
+- Set admins member full privileges on public mailboxes
+  If smeserver-dovecot-extras >= 0.1.3
+
+* Thu Jun 8 2017 Daniel Berteaud <daniel@firewall-services.com> 0.2.62-1
+- Slightly reduce spamassassin BL scores
+
+* Mon Jun 5 2017 Daniel Berteaud <daniel@firewall-services.com> 0.2.61-1
+- Add some blacklists to spamassassin
+
+* Thu Apr 6 2017 Daniel Berteaud <daniel@firewall-services.com> 0.2.60-1
+- Add support for separated __VILLE__ __RUE__ and __CODE_POSTAL__ tags
+  for email signature
+
+* Wed Mar 8 2017 Daniel Berteaud <daniel@firewall-services.com> 0.2.59-1
+- Make sure bayes auto learn is disabled when not enabled
+- Adjust default bayes auto learn threshold
+
+* Wed Nov 9 2016 Daniel Berteaud <daniel@firewall-services.com> 0.2.58-1
+- Enable access to /server-status for localhost
+
+* Wed May 18 2016 Daniel Berteaud <daniel@firewall-services.com> 0.2.57-1
+- Remove MailSpike BL
+
+* Fri May 13 2016 Daniel Berteaud <daniel@firewall-services.com> 0.2.56-1
+- Fix a syntax error in spamassassin conf template
+
+* Wed Apr 13 2016 Daniel Berteaud <daniel@firewall-services.com> 0.2.55-1
+- Remove S-A custom scores
+- Add MailSpike BL
+- Requires smeserver-expire-accounts
+- Add spamassassin autolearn param
+
+* Wed Dec 23 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.54-1
+- Fix home RecycleBin purge by using mtime instead of atime
+
+* Fri Dec 4 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.53-1
+- Define netfs service in the DB
+
+* Wed Dec 2 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.52-1
+- Fix /var/clamav ownership
+
+* Fri Nov 27 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.51-1
 - Ignore winnow.spam.ts.brokenspam.1 virus
 
-* Mon Jul 6 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.46-1
+* Fri Aug 7 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.50-1
+- Requires recent enough yum instead of yum-downloadonly
+
+* Mon Jul 6 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.49-1
 - Remove hardcoded value for open_files_limit
 - Set the default open_files_limit to 8192
 
-* Mon Feb 9 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.45-1
-- Add a new EmailPrimaryDomain prop to user account
+* Mon Feb 9 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.48-1
+- Add a EmailPrimaryDomain prop to user account
 
-* Fri Jan 30 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.44-1
+* Fri Jan 30 2015 Daniel Berteaud <daniel@firewall-services.com> 0.2.47-1
 - Download updates even when a dependencie issue would prevent the
   transaction
 
-* Fri Mar 21 2014 Daniel Berteaud <daniel@firewall-services.com> 0.2.43-1
+* Mon Jun 30 2014 Daniel Berteaud <daniel@firewall-services.com> 0.2.46-1
+- Replace header_access directive with request_header_access
+
+* Mon Jun 23 2014 Daniel Berteaud <daniel@firewall-services.com> 0.2.45-1
+- Replace syslog templates-custom with rsyslog fragment
+
+* Fri Mar 21 2014 Daniel Berteaud <daniel@firewall-services.com> 0.2.44-1
 - Fix AllowedRemoteIP (SPF Whitelist)
 
-* Wed Mar 12 2014 Daniel Berteaud <daniel@firewall-services.com> 0.2.42-1
+* Wed Mar 12 2014 Daniel Berteaud <daniel@firewall-services.com> 0.2.43-1
 - Add SPF support (qpsmtpd and tinydns)
 
-* Fri Jan 24 2014 Daniel Berteaud <daniel@firewall-services.com> 0.2.41-1
-- Add a simple audit page in the userinfo panel
+* Fri Jan 24 2014 Daniel Berteaud <daniel@firewall-services.com> 0.2.42-1
+- Add a simple audit page in userinfo panel
 
-* Mon Jan 20 2014 Daniel Berteaud <daniel@firewall-services.com> 0.2.40-1
+* Mon Jan 20 2014 Daniel Berteaud <daniel@firewall-services.com> 0.2.41-1
 - Update email address in LDAP if the first one in the list has changed
 
-* Wed Dec 11 2013 Daniel Berteaud <daniel@firewall-services.com> 0.2.39-1
-- remove the non templated qmail-notify cron file
+* Wed Dec 11 2013 Daniel Berteaud <daniel@firewall-services.com> 0.2.40-1
+- Remove the non templated qmail-notify cron file
 
-* Wed Dec 11 2013 Daniel Berteaud <daniel@firewall-services.com> 0.2.38-1
+* Wed Dec 11 2013 Daniel Berteaud <daniel@firewall-services.com> 0.2.39-1
 - Really fix qmail-notify cron
 
-* Wed Dec 11 2013 Daniel Berteaud <daniel@firewall-services.com> 0.2.37-1
+* Wed Dec 11 2013 Daniel Berteaud <daniel@firewall-services.com> 0.2.38-1
 - Fix qmail-notify cron
 
+* Tue Nov 12 2013 Daniel Berteaud <daniel@firewall-services.com> 0.2.37-1
+- New branch for SME9
+
 * Fri Nov 8 2013 Daniel Berteaud <daniel@firewall-services.com> 0.2.36-1
 - Allow placeholders in signatures templates to be removed if the
   corresponding value is empty

root/etc/cron.daily/purge-homes-recycle

@@ -46,8 +46,8 @@ foreach my $user ($a->get_all_by_prop(type=>'user')){
 sub remove{
     # Remove files with last modification older than $retention
     if ( -f ){
-        my $atime = stat($_)->atime;
-        (time() - $atime > $retention) && unlink($_);
+        my $mtime = stat($_)->mtime;
+        (time() - $mtime > $retention) && unlink($_);
     }
     # Remove empty directories
     elsif ( -d ){

root/etc/e-smith/db/configuration/defaults/netfs/status

@@ -0,0 +1 @@
+disabled

root/etc/e-smith/db/configuration/defaults/netfs/type

@@ -0,0 +1 @@
+service

root/etc/e-smith/events/actions/generate-email-sign

@@ -121,6 +121,9 @@ foreach my $user (@users){
         $src =~ s/__START_FONCTION3__.*__END_FONCTION3__//smg if ($func3 eq '');
         $src =~ s/__START_FONCTION4__.*__END_FONCTION4__//smg if ($func4 eq '');
         $src =~ s/__START_ENTREPRISE__.*__END_ENTREPRISE__//smg if ($comp eq '');
+        $src =~ s/__START_CODE_POSTAL__.*__END_CODE_POSTAL__//smg if ($postalcode eq '');
+        $src =~ s/__START_RUE__.*__END_RUE__//smg if ($street eq '');
+        $src =~ s/__START_VILLE__.*__END_VILLE__//smg if ($city eq '');
         $src =~ s/__START_ADRESSE__.*__END_ADRESSE__//smg if ($addr eq '');
         $src =~ s/__START_URL__.*__END_URL__//smg if ($url eq '');
 
@@ -137,6 +140,9 @@ foreach my $user (@users){
         $src =~ s/__SERVICE__/$dep/g;
         $src =~ s/__ENTREPRISE__/$comp/g;
         $src =~ s/__ADRESSE__/$addr/g;
+        $src =~ s/__CODE_POSTAL__/$postalcode/g;
+        $src =~ s/__RUE__/$street/g;
+        $src =~ s/__VILLE__/$city/g;
         $src =~ s/__URL__/$url/g;
 
         # Now remove any remaining __START_ and __END_ tags

root/etc/e-smith/templates-custom/etc/syslog.conf/local5

@@ -1,2 +0,0 @@
-local5.=notice					-/var/log/smb_audit.log
-local5.*;local5.!=notice			-{ "${messages}" }

root/etc/e-smith/templates-custom/etc/syslog.conf/local5.notice

@@ -1 +0,0 @@
-# Disable default samba logging, we log into /var/log/smb_audit.log

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/99Status

@@ -0,0 +1,7 @@
+<Location /server-status>
+    SetHandler server-status
+    Order deny,allow
+    deny from all
+    allow from 127.0.0.1
+</Location>
+ExtendedStatus On

root/etc/e-smith/templates/etc/mail/spamassassin/local.cf/10BayesAutoLearn

@@ -0,0 +1,16 @@
+{
+  if (($spamassassin{UseBayes} || '0') =~ m/^1|on|yes|enabled$/ && ($spamassassin{BayesAutoLearn} || 'no') =~ m/^1|on|yes|enabled$/){
+    my $ham_thres  = $spamassassin{BayesHamThreshold} || '-1.0';
+    my $spam_thres = $spamassassin{BayesSpamThreshold} || '6';
+    $OUT .=<<"_EOF";
+bayes_auto_learn 1 
+bayes_auto_learn_threshold_nonspam $ham_thres
+bayes_auto_learn_threshold_spam $spam_thres
+_EOF
+  }
+  else{
+    $OUT .=<<"_EOF";
+bayes_auto_learn 0
+_EOF
+  }
+}

root/etc/e-smith/templates/etc/mail/spamassassin/local.cf/91Scores

@@ -1,36 +0,0 @@
-# Ajustement de scores divers
-score HTML_MESSAGE 0.2
-score DKIM_VALID 0.1
-score DKIM_SIGNED 0.1
-score SPF_PASS -0.001
-score RP_MATCHES_RCVD -0.001
-score DKIM_VALID_AU 0.1
-score T_KHOP_FOREIGN_CLICK 0.4
-score HTML_IMAGE_RATIO_02 1
-score URIBL_BLACK 2.0
-score SPF_FAIL 2
-score SPF_SOFTFAIL 1.0
-score MIME_QP_LONG_LINE 0.2
-score FREEMAIL_FROM 0.3
-score HTML_IMAGE_RATIO_06 0.4
-score HTML_IMAGE_RATIO_04 0.4
-score SPF_HELO_FAIL 0.6
-score HTML_IMAGE_RATIO_08 0.4
-score RAZOR2_CHECK 1.0
-score LOTS_OF_MONEY 0.8
-score SUBJECT_NEEDS_ENCODING 0.5
-score HTML_MIME_NO_HTML_TAG 0.5
-score HTML_FONT_SIZE_LARGE 0.4
-score MSGID_FROM_MTA_HEADER 0.5
-score T_DKIM_INVALID 0.8
-score FILL_THIS_FORM 1.0
-score MPART_ALT_DIFF 1.5
-score URIBL_JP_SURBL 2.0
-score RCVD_IN_BRBL_LASTEXT 1.5
-score T_REMOTE_IMAGE 0.5
-score HTML_FONT_SIZE_LARGE 0.3
-score MISSING_MID 0.5
-score T_FILL_THIS_FORM_SHORT 1.0
-score BAYES_50 1.5
-score KHOP_BIG_TO_CC 1.5
-score FSL_HELO_FIREWALL 0.5

root/etc/e-smith/templates/etc/mail/spamassassin/local.cf/95Blacklists

@@ -0,0 +1,129 @@
+# Check someblacklists
+
+header      RCVD_IN_GBUDB               eval:check_rbl('gbudb', 'truncate.gbudb.net.', '127.0.0.2')
+describe    RCVD_IN_GBUDB               Listed in truncate.gbudb.net
+tflags      RCVD_IN_GBUDB               net
+score       RCVD_IN_GBUDB               1.0
+
+header      RCVD_IN_IMP_SPAMLIST        eval:check_rbl('spamrbl-lastexternal','spamrbl.imp.ch.','127.0.1.5')
+describe    RCVD_IN_IMP_SPAMLIST        Listed in spamrbl.imp.ch
+tflags      RCVD_IN_IMP_SPAMLIST        net
+score       RCVD_IN_IMP_SPAMLIST        1.0
+
+header      RCVD_IN_INPS                eval:check_rbl('inps-de-lastexternal','dnsbl.inps.de.')
+describe    RCVD_IN_INPS                Received via a relay in inps.de DNSBL
+tflags      RCVD_IN_INPS                net
+score       RCVD_IN_INPS                1.0
+
+header      RCVD_IN_JMF_BL              eval:check_rbl_sub('JMF-lastexternal','hostkarma.junkemailfilter.com','127.0.0.2')
+describe    RCVD_IN_JMF_BL              Sender listed in JMF-BLACK
+tflags      RCVD_IN_JMF_BL              net
+score       RCVD_IN_JMF_BL              1.0
+
+header      RCVD_IN_NIX_SPAM            eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
+describe    RCVD_IN_NIX_SPAM            Listed in NIX-SPAM DNSBL (heise.de)
+tflags      RCVD_IN_NIX_SPAM            net
+score       RCVD_IN_NIX_SPAM            1.0
+
+header      RCVD_IN_SORBS               eval:check_rbl('sorbscombined','dnsbl.sorbs.net.')
+describe    RCVD_IN_SORBS               Sender listed at http://www.sorbs.net
+tflags      RCVD_IN_SORBS               net
+score       RCVD_IN_SORBS               1.0
+
+header      RCVD_IN_SEM_BLACK           eval:check_rbl('semblack-lastexternal','bl.spameatingmonkey.net')
+tflags      RCVD_IN_SEM_BLACK           net
+describe    RCVD_IN_SEM_BLACK           Received from an IP listed by SEM-BLACK
+score       RCVD_IN_SEM_BLACK           1.0
+
+header      RCVD_IN_SEMNETBLACK         eval:check_rbl('semnetblack-lastexternal', 'netbl.spameatingmonkey.net')
+tflags      RCVD_IN_SEMNETBLACK         net
+describe    RCVD_IN_SEMNETBLACK         Received from an IP listed by SEM-NETBLACK
+score       RCVD_IN_SEMNETBLACK         1.0
+
+urirhssub   SEM_URIRED                  urired.spameatingmonkey.net. A 2
+body        SEM_URIRED                  eval:check_uridnsbl('SEM_URIRED')
+describe    SEM_URIRED                  Contains a URI listed by SEM-URIRED
+tflags      SEM_URIRED                  net
+score       SEM_URIRED                  1.0
+
+urirhssub   SEM_FRESH                   fresh.spameatingmonkey.net. A 2
+body        SEM_FRESH                   eval:check_uridnsbl('SEM_FRESH')
+describe    SEM_FRESH                   Contains a domain registered less than 5 days ago
+tflags      SEM_FRESH                   net
+score       SEM_FRESH                   1.0
+
+header      RCVD_IN_SPAMRATS_DYNA       eval:check_rbl('spamratsdyna-lastexternal','dyna.spamrats.com.')
+describe    RCVD_IN_SPAMRATS_DYNA       Sender listed in spamratsdyna
+tflags      RCVD_IN_SPAMRATS_DYNA       net
+score       RCVD_IN_SPAMRATS_DYNA       1.0
+
+header      RCVD_IN_SPAMRATS_NOPTR      eval:check_rbl('spamratsnoptr-lastexternal','noptr.spamrats.com.')
+describe    RCVD_IN_SPAMRATS_NOPTR      Sender listed in spamratsnoptr
+tflags      RCVD_IN_SPAMRATS_NOPTR      net
+score       RCVD_IN_SPAMRATS_NOPTR      1.0
+
+urirhsbl    URIBL_SC_SWINOG             uribl.swinog.ch.   A
+body        URIBL_SC_SWINOG             eval:check_uridnsbl('URIBL_SC_SWINOG')
+describe    URIBL_SC_SWINOG             URI's listed in uribl.swinog.ch.
+tflags      URIBL_SC_SWINOG             net
+score       URIBL_SC_SWINOG             1.0
+
+header      RCVD_IN_UCEPROTECT1         eval:check_rbl_txt('uceprotect1-lastexternal','dnsbl-1.uceprotect.net.')
+describe    RCVD_IN_UCEPROTECT1         Listed in dnsbl-1.uceprotect.net (open relay/proxy/dialup)
+tflags      RCVD_IN_UCEPROTECT1         net
+score       RCVD_IN_UCEPROTECT1         1.0
+
+header      RCVD_IN_UNSUBSCORE          eval:check_rbl('unsubscore-lastexternal','ubl.unsubscore.com.')
+describe    RCVD_IN_UNSUBSCORE          Listed in Lashback unsubscore.com
+tflags      RCVD_IN_UNSUBSCORE          net
+score       RCVD_IN_UNSUBSCORE          1.0
+
+header      RCVD_IN_WPBL                eval:check_rbl('wpbl-lastexternal','db.wpbl.info.','127.0.0.2')
+describe    RCVD_IN_WPBL                Listed in wpbl
+tflags      RCVD_IN_WPBL                net
+score       RCVD_IN_WPBL                1.0
+
+header      RCVD_IN_S5HBL               eval:check_rbl_txt('s5hbl', 'all.s5h.net')
+describe    RCVD_IN_S5HBL               Listed in all.s5h.net
+tflags      RCVD_IN_S5HBL               net
+score       RCVD_IN_S5HBL               1.0
+
+header      RCVD_IN_SPAMCANNIBAL        eval:check_rbl('spamcannibal', 'bl.spamcannibal.org')
+describe    RCVD_IN_SPAMCANNIBAL        Listed in bl.spamcannibal.org
+tflags      RCVD_IN_SPAMCANNIBAL        net
+score       RCVD_IN_SPAMCANNIBAL        1.0
+
+header      RCVD_IN_BACKSCATTERER       eval:check_rbl('backscatterer', 'ips.backscatterer.org')
+describe    RCVD_IN_BACKSCATTERER       Listed in ips.backscatterer.org
+tflags      RCVD_IN_BACKSCATTERER       net
+score       RCVD_IN_BACKSCATTERER       1.0
+
+header      RCVD_IN_FABEL               eval:check_rbl('fabel', 'spamsources.fabel.dk.')
+describe    RCVD_IN_FABEL               Received via a relay in spamsources.fabel.dk
+tflags      RCVD_IN_FABEL               net
+score       RCVD_IN_FABEL               1.0
+
+header      RCVD_IN_DRONEBL             eval:check_rbl('dronebl', 'dnsbl.dronebl.org')
+describe    RCVD_IN_DRONEBL             Listed in dnsbl.dronebl.org
+tflags      RCVD_IN_DRONEBL             net
+score       RCVD_IN_DRONEBL             1.0
+
+header      RCVD_IN_MANITU              eval:check_rbl('manitu', 'ix.dnsbl.manitu.net')
+describe    RCVD_IN_MANITU              Listed in ix.dnsbl.manitu.net
+tflags      RCVD_IN_MANITU              net
+score       RCVD_IN_MANITU              1.0
+
+header      RCVD_IN_SINGULAR            eval:check_rbl('singular', 'singular.ttk.pte.hu')
+describe    RCVD_IN_SINGULAR            Listed in singular.ttk.pte.hu
+tflags      RCVD_IN_SINGULAR            net
+score       RCVD_IN_SINGULAR            1.0
+
+header      RCVD_IN_SPAMBOT_DIGIBASE    eval:check_rbl('spambot-digibase', 'spambot.bls.digibase.ca')
+describe    RCVD_IN_SPAMBOT_DIGIBASE    Listed in spambot.bls.digibase.ca
+tflags      RCVD_IN_SPAMBOT_DIGIBASE    net
+score       RCVD_IN_SPAMBOT_DIGIBASE    1.0
+
+header      RCVD_IN_OPENPROXY_DIGIBASE  eval:check_rbl('openproxy-digibase', 'openproxy.bls.digibase.ca')
+describe    RCVD_IN_OPENPROXY_DIGIBASE  Listed in openproxy.bls.digibase.ca
+tflags      RCVD_IN_OPENPROXY_DIGIBASE  net
+score       RCVD_IN_OPENPROXY_DIGIBASE  1.0

root/etc/e-smith/templates/etc/rsyslog.conf/45smbAudit

@@ -0,0 +1,3 @@
+local5.notice						/var/log/smb_audit.log
+local5.notice ~
+

root/etc/e-smith/templates/etc/squid/squid.conf/96xForwardedFor

@@ -6,7 +6,7 @@ unless ($fwd =~ m/^yes|enabled|on|1$/i){
     $OUT .=<<"EOF";
 
 forwarded_for off
-header_access X-Forwarded-For deny all
+request_header_access X-Forwarded-For deny all
 
 EOF
 }

root/etc/e-smith/templates/home/e-smith/files/public/dovecot-acl/20Admins

@@ -0,0 +1 @@
+group=admins lrswtipekxa