Configuration for running SpamAssassin, including milter, on Debian Stretch (meant for use in conjunction with Postfix, but Postfix configuration not included)
From 14d01236fdd0f7869096db4376ed6c4f2fd95199 Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <[email protected]>
Date: Mon, 10 Jul 2017 00:26:34 +0200
Subject: [PATCH] Add SpamAssassin configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Debian ships services for SpamAssassin, but they’re so weak (short unit
file for spamassassin, unmigrated SysV service for spamass-milter) that
I’d rather start over with my own unit files.
The sandbox is copied from dehydrated.service (with the ReadWritePaths
tweaked), and so it still contains settings that aren’t necessary for a
non-root service, but don’t hurt to have either.
The spamass-milter setup differs slightly from the Ars article [1]:
instead of chmoding and chowning the socket after spamass-milter
launches (which the init script does), we add postfix to the
spamass-milter group and make the socket group-accessible by tweaking
the umask. This is analogous to the opendkim and opendmarc setup, down
to the umask trick (which for those services is found in their
respective configuration files). (You can also do the chmod+chown in
ExecStartPost, but then you can’t use PrivateUsers=yes, since that hides
the postfix group even from commands prefixed with ‘+’.)
[1]: https://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/
---
systemd/system/spamass-milter.service | 37 +++++++++++++++++++++++++++++++++++
systemd/system/spamassassin.service | 33 +++++++++++++++++++++++++++++++
sysusers.d/spamassassin.conf | 5 +++++
tmpfiles.d/spamassassin.conf | 4 ++++
4 files changed, 79 insertions(+)
create mode 100644 systemd/system/spamass-milter.service
create mode 100644 systemd/system/spamassassin.service
create mode 100644 sysusers.d/spamassassin.conf
create mode 100644 tmpfiles.d/spamassassin.conf
diff --git a/systemd/system/spamass-milter.service b/systemd/system/spamass-milter.service
new file mode 100644
index 0000000..e32be8f
--- /dev/null
+++ b/systemd/system/spamass-milter.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=SpamAssassin mail filter
+Documentation=man:spamass-milter(1)
+Wants=spamassassin.service
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/spamass-milter -f -p /var/spool/postfix/spamass/spamass.sock -P /run/spamass-milter/spamass-milter.pid -u spamass-milter -i 127.0.0.1 -I -m -- --socket=/var/spool/postfix/spamassassin/spamd.sock
+PIDFile=/run/spamass-milter/spamass-milter.pid
+# directory for spamass-milter to place the PIDFile in
+RuntimeDirectory=spamass-milter
+User=spamass-milter
+# /etc/init.d/spamass-milter stop sends signal 3, which is SIGQUIT according to kill -l
+KillSignal=SIGQUIT
+# make sure the socket spamass-milter creates (/var/spool/postfix/spamass/spamass.sock) is also accessible to postfix (member of spamass-milter group) via g+rwx
+UMask=0007
+
+CapabilityBoundingSet=
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProtectSystem=strict
+ReadWritePaths=/run/spamass-milter/ /var/spool/postfix/spamass/
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+MountFlags=slave
+NoNewPrivileges=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @privileged @raw-io @resources
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+
+[Install]
+WantedBy=multi-user.target
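Review bot: `Wants=spamassassin.service` in `[Unit]` has no matching `After=spamassassin.service`, so the milter can start taking connections from Postfix before spamd has created `/var/spool/postfix/spamassassin/spamd.sock`; add `After=spamassassin.service` so early mail is not handed to spamc with no spamd to talk to. Also, `-u spamass-milter` in ExecStart duplicates `User=spamass-milter`: the process already runs as that user, and with `CapabilityBoundingSet=` empty it could not switch to any other one anyway, so dropping the flag keeps the privilege model in the unit alone.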
diff --git a/systemd/system/spamassassin.service b/systemd/system/spamassassin.service
new file mode 100644
index 0000000..83e7ea7
--- /dev/null
+++ b/systemd/system/spamassassin.service
@@ -0,0 +1,33 @@
+[Unit]
+Description=SpamAssassin spam filter daemon
+Documentation=man:spamd(8p) man:spamassassin(1p)
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/spamd --daemonize --pidfile /run/spamassassin/spamassassin.pid --nouser-config --max-children 5 --helper-home-dir /var/lib/spamassassin --siteconfigpath /etc/spamassassin --listen /var/spool/postfix/spamassassin/spamd.sock --socketmode 0660
+ExecReload=/bin/kill -HUP $MAINPID
+# directory for spamassassin to place the PIDFile in
+RuntimeDirectory=spamassassin
+PIDFile=/run/spamassassin/spamassassin.pid
+User=spamd
+
+CapabilityBoundingSet=
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProtectSystem=strict
+ReadWritePaths=/run/spamassassin/ /var/spool/postfix/spamassassin/ /var/lib/spamassassin/.spamassassin/
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+MountFlags=slave
+NoNewPrivileges=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @privileged @raw-io @resources
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+
+[Install]
+WantedBy=multi-user.target
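Review bot: `ReadWritePaths=` opens only `/var/lib/spamassassin/.spamassassin/`, yet the tmpfiles.d file in this same patch also creates `/var/lib/spamassassin/.razor` and `/var/lib/spamassassin/.pyzor` for the spamd user; under `ProtectSystem=strict` those two stay read-only, so the Razor and Pyzor helpers cannot update their state and will fail quietly. Either add both directories to `ReadWritePaths=` or drop the two tmpfiles lines if those plugins are not in use.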
diff --git a/sysusers.d/spamassassin.conf b/sysusers.d/spamassassin.conf
new file mode 100644
index 0000000..8362624
--- /dev/null
+++ b/sysusers.d/spamassassin.conf
@@ -0,0 +1,5 @@
+u spamass-milter - "SpamAssassin mail filter user"
+u spamd - "SpamAssassin daemon"
+m spamass-milter spamd
+# add postfix to spamass-milter group so it can write to /var/spool/postfix/spamass/spamass.sock
+m postfix spamass-milter
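Review bot: `m spamass-milter spamd` carries no comment, unlike the postfix line right below it; state why it is there (the spamc run by spamass-milter needs group access to spamd's `--socketmode 0660` socket in `/var/spool/postfix/spamassassin/`) so the membership is not removed later as unused. The `u spamd` line also omits a home directory; since spamassassin.service points `--helper-home-dir` at `/var/lib/spamassassin`, giving the user that home here (`u spamd - "SpamAssassin daemon" /var/lib/spamassassin`) keeps the account and the unit in sync.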
diff --git a/tmpfiles.d/spamassassin.conf b/tmpfiles.d/spamassassin.conf
new file mode 100644
index 0000000..c457fe7
--- /dev/null
+++ b/tmpfiles.d/spamassassin.conf
@@ -0,0 +1,4 @@
+d /var/spool/postfix/spamassassin - spamd root -
+d /var/lib/spamassassin/.spamassassin - spamd spamd -
+d /var/lib/spamassassin/.razor - spamd spamd -
+d /var/lib/spamassassin/.pyzor - spamd spamd -
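Review bot: the directory for the milter's own socket, `/var/spool/postfix/spamass/`, is referenced by spamass-milter.service (the `-p` path and `ReadWritePaths=`) but is not created anywhere in this patch; unless the package is known to ship it, add a line such as `d /var/spool/postfix/spamass 0755 spamass-milter spamass-milter -` so the socket directory exists at boot and is writable by the service user. A short comment on the first line would also help, since its `-` mode silently means 0755, which is exactly what lets the spamass-milter user traverse to spamd's 0660 socket.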
--
2.11.0