From aed4b4fadfbc812ac2c84513d158c9319ef2761f Mon Sep 17 00:00:00 2001
From: Benjamin Graillot
Date: Sun, 17 May 2020 19:51:29 +0200
Subject: [PATCH] [sqlgrey] Deploy sqlgrey on redisdead
---
 postfix.yml | 4 +
 roles/sqlgrey/tasks/main.yml | 19 ++
 .../sqlgrey/clients_fqdn_whitelist.local.j2 | 4 +
 .../sqlgrey/clients_ip_whitelist.local.j2 | 4 +
 .../sqlgrey/templates/sqlgrey/sqlgrey.conf.j2 | 189 ++++++++++++++++++
 5 files changed, 220 insertions(+)
 create mode 100644 roles/sqlgrey/tasks/main.yml
 create mode 100644 roles/sqlgrey/templates/sqlgrey/clients_fqdn_whitelist.local.j2
 create mode 100644 roles/sqlgrey/templates/sqlgrey/clients_ip_whitelist.local.j2
 create mode 100644 roles/sqlgrey/templates/sqlgrey/sqlgrey.conf.j2
diff --git a/postfix.yml b/postfix.yml
index 3487bc2d..e4fd36ff 100755
--- a/postfix.yml
+++ b/postfix.yml
@@ -17,3 +17,7 @@
 - certbot
 - postfix
 - opendkim
+
+- hosts: redisdead.adm.crans.org
+ roles:
+ - sqlgrey
diff --git a/roles/sqlgrey/tasks/main.yml b/roles/sqlgrey/tasks/main.yml
new file mode 100644
index 00000000..04fb5e75
--- /dev/null
+++ b/roles/sqlgrey/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Install sqlgrey
+ apt:
+ update_cache: true
+ name:
+ - sqlgrey
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Deploy sqlgrey configuration
+ template:
+ src: sqlgrey/{{ item }}.j2
+ dest: /etc/sqlgrey/{{ item }}
+ mode: 0644
+ loop:
+ - sqlgrey.conf
+ - clients_fqdn_whitelist.local
+ - clients_ip_whitelist.local
diff --git a/roles/sqlgrey/templates/sqlgrey/clients_fqdn_whitelist.local.j2 b/roles/sqlgrey/templates/sqlgrey/clients_fqdn_whitelist.local.j2
new file mode 100644
index 00000000..b0fc5b1d
--- /dev/null
+++ b/roles/sqlgrey/templates/sqlgrey/clients_fqdn_whitelist.local.j2
@@ -0,0 +1,4 @@
+{{ ansible_header | comment }}
+
+# Gandi
+*.mail.gandi.net
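Review bot: In the roles/sqlgrey/tasks/main.yml hunk, the `Deploy sqlgrey configuration` task has no `notify`, and nothing in the role ensures the `sqlgrey` service is enabled and started, so on first run the daemon may never come up and on later runs a changed `sqlgrey.conf` is written to disk but not picked up by the running process (the shipped config's log categories mention whitelist reloads and "reloading configuration files", but whether `sqlgrey.conf` itself is re-read without a restart should be confirmed against the sqlgrey man page). Add `notify: Restart sqlgrey` to the template task, a matching handler in `handlers/main.yml` (not part of this commit), and a `service` task. The `mode: 0644` is acceptable only while `db_pass` stays unset in the template; if a database password is ever added, the mode must be tightened in the same change so the file is not world-readable.
```yaml
# … unchanged: Install sqlgrey task …

- name: Deploy sqlgrey configuration
  template:
    src: sqlgrey/{{ item }}.j2
    dest: /etc/sqlgrey/{{ item }}
    mode: 0644
  loop:
    - sqlgrey.conf
    - clients_fqdn_whitelist.local
    - clients_ip_whitelist.local
  notify: Restart sqlgrey

- name: Ensure sqlgrey is enabled and running
  service:
    name: sqlgrey
    state: started
    enabled: true
```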
diff --git a/roles/sqlgrey/templates/sqlgrey/clients_ip_whitelist.local.j2 b/roles/sqlgrey/templates/sqlgrey/clients_ip_whitelist.local.j2
new file mode 100644
index 00000000..3a5fd979
--- /dev/null
+++ b/roles/sqlgrey/templates/sqlgrey/clients_ip_whitelist.local.j2
@@ -0,0 +1,4 @@
+{{ ansible_header | comment }}
+
+# Bouygues Télécom... les MX ne rententent pas la délivrance des mails.
+62.201.140
diff --git a/roles/sqlgrey/templates/sqlgrey/sqlgrey.conf.j2 b/roles/sqlgrey/templates/sqlgrey/sqlgrey.conf.j2
new file mode 100644
index 00000000..173f149a
--- /dev/null
+++ b/roles/sqlgrey/templates/sqlgrey/sqlgrey.conf.j2
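Review bot: The entry `62.201.140` on the last line of the clients_ip_whitelist hunk permanently exempts an entire /24 from greylisting, but the only justification is an undated French comment, so nobody can later tell whether the exception is still warranted. Replace the comment with an English one carrying the reason and a date, e.g. `# Bouygues Télécom: their MX servers do not retry delivery after a temporary reject (observed 2020-05), so the whole 62.201.140.0/24 is exempted from greylisting.` The bare three-octet prefix is presumably meant as a class-C match as sqlgrey's whitelist files allow; confirm against the package's shipped clients_ip_whitelist before relying on it.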
@@ -0,0 +1,189 @@
+{{ ansible_header | comment }}
+
+#########################
+## SQLgrey config file ##
+#########################
+
+# Notes:
+# - Unless specified otherwise commented settings are SQLgrey's defaults
+# - SQLgrey uses a specific config file when called with -f
+
+## Configuration files
+# conf_dir = /etc/sqlgrey
+
+## Log level
+# Uncomment to change the log level (default is normal: 2)
+# nothing: O, errors only: 0, warnings: 1, normal: 2, verbose: 3, debug: 4
+loglevel = 2
+
+## log categories can be fine-tuned,
+# here are the log messages sorted by types and levels,
+# (anything over the loglevel is discarded):
+#
+# grey : (0) internal errors,
+# (2) initial connections, early reconnections,
+# awl matches, successful reconnections, AWL additions,
+# (3) smart decision process debug,
+# whitelist: (2) whitelisted connections,
+# (3) actual whitelist hit,
+# (4) whitelists reloads,
+# optin: (3) optin/optout global result
+# (4) optin/optout SQL query results
+# spam : (2) attempts never retried,
+# mail : (1) error sending mails,
+# (4) rate-limiter debug,
+# dbaccess : (0) DB errors,
+# (1) DB upgrade,
+# (2) DB upgrade details,
+# martians : (2) invalid e-mail addresses,
+# perf : (2) cleanup time,
+# system : (0) error forking,
+# (3) forked children PIDs, children exits,
+# conf : (0) errors in config files, missing required file,
+# (1) warnings in config files,
+# missing optional configuration files,
+# (2) reloading configuration files,
+# other : (4) Startup cleanup
+# you can set a level to O (capital o) to disable logs completely,
+# but be aware that then SQLgrey can come back to haunt you...
+
+# Provide a coma-separated "logtype:loglevel" string
+# For example if you set the loglevel to 3 (verbose) but want SQLgrey to be:
+# . quiet for whitelists
+# . normal for greylisting
+# uncomment the following line.
+# log_override = whitelist:1,grey:2
+# By default, log_override is empty
+
+## Log identification
+# by default this is the process name. If you define the following variable
+# SQLgrey will use whatever you set it to
+# log_ident =
+
+## username and groupname the daemon runs as
+user = sqlgrey
+group = nogroup
+
+## Socket
+# On which socket do SQLgrey wait for queries
+# use the following if you need to bind on a public IP address
+# inet = :port
+# default :
+# inet = 2501 # bind to localhost:2501
+
+## PID
+# where to store the process PID
+# pidfile = /var/run/sqlgrey.pid
+
+## Config directory
+# where to look for other configuration files (whitelists)
+# confdir = /etc/sqlgrey
+
+## Greylisting delays
+# If you want to be really strict (RFC-wise) use these
+# This is *not* recommended, you'll have false positives
+# reconnect_delay = 15 # don't allow a reconnection before 15 minutes
+# max_connect_age = 2 # don't allow a reconnection after 2 hours
+
+# default: (based on real-life experience)
+reconnect_delay = 6
+max_connect_age = 24
+
+## Throttling too many new entries from new host
+# Setting this optional parameter will refuse an excessive number of
+# new entries in the connect table from the same host, in the following
+# manner:
+# - If there are already "connect_src_throttle" entries in the connect
+# table from the same host (e-mails which have not been retried yet)
+# - And there is NO entry for this host in domain_awl
+# - And there are LESS than "connect_src_throttle" entries in the
+# from_awl table for this host
+# THEN further incoming connections from this host will be (temporarily)
+# refused without new entries being created in the connect table (until
+# some already waiting entries have been successfully retried).
+# This feature may prevent the connect table from growing too big and
+# being polluted by spambots, viruses, zombie machines and the like.
+# If set to "0" (default), this feature won't be used.
+connect_src_throttle = 5
+
+
+## Auto whitelists settings
+# default is tailored for small sites
+# awl_age = 60
+# group_domain_level = 2
+
+# For bigger sites you may want
+# a smaller awl_age and a bigger group_domain_level
+# AWL must be renewed at least once a month
+# 32 > 31 (max delay between monthly newsletters)
+awl_age = 33
+# wait for 10 validated adresses to add a whole
+# domain in AWL
+group_domain_level = 10
+
+## Database settings
+# instead of Pg below use "mysql" for MySQL, "SQLite" for SQLite
+# any DBD driver is allowed, but only the previous 3 have been tested
+db_type = Pg
+db_name = sqlgrey
+# Note: the following are not used with SQLite
+# On laisse pgsql meme pour ovh, sqlgrey sait detecter s'il perd le
+# lien avec la base.
+db_host = pgsql.adm.crans.org
+
+db_user = sqlgrey
+# db_pass = spaces_are_not_supported
+# db_cleandelay = 1800 # in seconds, how much time between database cleanups
+# clean_method = sync # sync : cleanup is done in the main process,
+ # delaying other operations
+ # async: cleanup is done in a forked process,
+ # it won't delay mail processing
+ # BEWARE: lockups have been reported
+ # and are still investigated
+
+## X-Greylist header added?
+# This adds delay, whitelist and autowhitelist information in the headers
+prepend = 1
+
+## Greylisting method:
+# - full : greylist by IP address
+# - classc : greylist by class C network. eg:
+# 2.3.4.6 connection accepted if 2.3.4.145 did connect earlier
+# - smart : greylist by class C network unless there is no reverse lookup
+# or it looks like a home-user address
+# Default is smart
+greymethod = smart
+
+## Optin/Optout (see README.OPTINOUT for details)
+# - none : everyone is greylisted (default)
+# - optin : one must optin to have its (incoming) messages being greylisted
+# - optout : one must optout to not have its messages being greylisted
+optmethod = optout
+
+## SQLgrey return value.
+# SQLgrey can tell Postfix to:
+# - immediately reject a message with a temporary reject code
+# - only do so if following rules would allow the message to pass
+# The first choice will prevent Postfix from spending time evaluating
+# potentially expensive rules.
+# In some cases you may want following rules to be aware of the connection
+# this.
+#
+# We can specify a different rejection strategy for the first connection
+# attempt, and for early reconnections. 'immed' chooses immediate rejection
+# 'delay' choose delayed rejection
+#
+# By default we use delay on first attempt
+# reject_first_attempt = delay
+# Default for early reconnection is the value affected to reject_first_attempt
+# reject_early_reconnect = delay
+
+## Update server
+# where to get updates for whitelists
+# whitelists_host = sqlgrey.bouton.name
+
+## Postmaster address
+# who gets urgent notifications (DB is down for example)
+# default or empty: don't send mail notifications
+admin_mail = roots@crans.org
+
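Review bot: `db_pass` stays commented out in the Database settings block while `db_host = pgsql.adm.crans.org` and `db_user = sqlgrey` are set, so the daemon authenticates to a remote PostgreSQL server with no credential in this file; that only works if pg_hba on the database host trusts the connection (or a `.pgpass` exists for the sqlgrey user), neither of which is in this commit, so the dependency should be written down next to the key, e.g. `# db_pass intentionally unset: access for user sqlgrey is granted by pg_hba.conf on pgsql.adm.crans.org.` If a password is ever added here, the template is currently deployed world-readable by the role (mode 0644), so the file mode has to be tightened in the same change. The Socket block keeps the default `# inet = 2501` (localhost only) while the play in postfix.yml installs sqlgrey on redisdead.adm.crans.org separately from the postfix role, so unless Postfix also runs on redisdead the policy service is unreachable; if it has to bind a routable address via `inet = :2501`, restrict port 2501 to the mail hosts with a firewall, since the Postfix policy protocol carries no authentication. The French comment above `db_host` (`# On laisse pgsql meme pour ovh...`) should be in English like the rest of the file, e.g. `# Keep PostgreSQL even for the OVH host: sqlgrey detects a lost database connection itself.`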