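policy_module(milter, 1.2.1)

########################################
#
# Declarations
#

# Attributes common to all milters. milter_template() (defined in the
# module's interface file, not shown here) is expected to place each
# <name>_milter_t domain and <name>_milter_data_t type on these attributes so
# that MTA-side interfaces can be written once for every milter.
attribute milter_domains;
attribute milter_data_type;

# support for dkim-milter - DomainKeys Identified Mail sender authentication sendmail milter
milter_template(dkim)

# Type for the private signing key of dkim-milter. Keeping the key in its
# own type (rather than in dkim_milter_data_t) lets this module grant the
# milter read-only access to it; see the dkim local policy section below,
# which is the only place this type is used.
type dkim_milter_private_key_t;
files_type(dkim_milter_private_key_t)

# currently-supported milters are milter-greylist, milter-regex and spamass-milter
milter_template(greylist)
milter_template(regex)
milter_template(spamass)

# Type for the spamass-milter home directory, under which spamassassin will
# store system-wide preferences, bayes databases etc. if not configured to
# use per-user configuration.
# The milter domain itself is only given search access to this directory
# below; writes are presumably done by the spamassassin/spamc domain after
# the transition in the spamass local policy section — confirm against the
# spamassassin module.
type spamass_milter_state_t;
files_type(spamass_milter_state_t)

#######################################
#
# dkim-milter local policy
#

# setgid/setuid: presumably used to drop privileges after startup, as the
# other milters in this module do. The kill capability is not explained in
# this file — NOTE(review): confirm it is still required (e.g. signalling a
# previous instance) before keeping it.
allow dkim_milter_t self:capability { kill setgid setuid };
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;

# Read-only access to the private signing key. No write, create or rename
# permission on the key type is granted anywhere in this module, so a
# compromised milter cannot replace or overwrite the key.
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)

# Name-service lookups (users/groups for privilege dropping, etc.).
auth_use_nsswitch(dkim_milter_t)

# DNS is needed to fetch DKIM public keys for verification.
# NOTE(review): depending on the refpolicy release, auth_use_nsswitch() may
# already include DNS name resolution; check whether this line is redundant.
sysnet_dns_name_resolve(dkim_milter_t)

# Config lives with the rest of the MTA configuration.
mta_read_config(dkim_milter_t)

########################################
#
# milter-greylist local policy
#	ensure smtp clients retry mail like real MTAs and not spamware
#	http://hcpnet.free.fr/milter-greylist/
#

# It removes any existing socket (not owned by root) whilst running as root,
# fixes permissions, renices itself and then calls setgid() and setuid() to
# drop privileges
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
allow greylist_milter_t self:process { setsched getsched };

# It creates a pid file /var/run/milter-greylist.pid
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)

kernel_read_kernel_sysctls(greylist_milter_t)

# Allow the milter to read a GeoIP database in /usr/share
files_read_usr_files(greylist_milter_t)

# The milter runs from /var/lib/milter-greylist and maintains files there
files_search_var_lib(greylist_milter_t)

# Look up username for dropping privs
auth_use_nsswitch(greylist_milter_t)

# Config is in /etc/mail/greylist.conf
mta_read_config(greylist_milter_t)

########################################
#
# milter-regex local policy
#	filter emails using regular expressions
#	http://www.benzedrine.cx/milter-regex.html
#

# It removes any existing socket (not owned by root) whilst running as root
# and then calls setgid() and setuid() to drop privileges
allow regex_milter_t self:capability { setuid setgid dac_override };

# The milter's socket directory lives under /var/spool
files_search_spool(regex_milter_t)

# Look up username for dropping privs
auth_use_nsswitch(regex_milter_t)

# Config is in /etc/mail/milter-regex.conf
mta_read_config(regex_milter_t)

########################################
#
# spamass-milter local policy
#	pipe emails through SpamAssassin
#	http://savannah.nongnu.org/projects/spamass-milt/
#

# The milter runs from /var/lib/spamass-milter (search only; see the note on
# spamass_milter_state_t in the declarations section)
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
files_search_var_lib(spamass_milter_t)

kernel_read_system_state(spamass_milter_t)

# When used with -b or -B options, the milter invokes sendmail to send mail
# to a spamtrap address, using popen().
# corecmd_exec_shell() runs the shell in spamass_milter_t itself (no domain
# transition), so the shell gains no permissions beyond those granted in
# this module; the sendmail invocation is covered by mta_send_mail() below.
corecmd_exec_shell(spamass_milter_t)
corecmd_read_bin_symlinks(spamass_milter_t)
corecmd_search_bin(spamass_milter_t)

mta_send_mail(spamass_milter_t)

# The main job of the milter is to pipe spam through spamc and act on the result.
# The transition to the spamc client domain is only available when the
# spamassassin module is loaded, hence optional_policy().
optional_policy(`
	spamassassin_domtrans_client(spamass_milter_t)
')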