Add SpamAssassin KAM (#2418)

Dockerfile

@@ -133,7 +133,11 @@ COPY \
 # hadolint ignore=SC2016
 RUN \
   sedfile -i -r 's/^(CRON)=0/\1=1/g' /etc/default/spamassassin && \
-  sedfile -i -r 's/^\$INIT restart/supervisorctl restart amavis/g' /etc/spamassassin/sa-update-hooks.d/amavisd-new
+  sedfile -i -r 's/^\$INIT restart/supervisorctl restart amavis/g' \
+    /etc/spamassassin/sa-update-hooks.d/amavisd-new && \
+  mkdir -p /etc/spamassassin/kam/ && \
+  curl -sSfLo /etc/spamassassin/kam/kam.sa-channels.mcgrail.com.key \
+    https://mcgrail.com/downloads/kam.sa-channels.mcgrail.com.key
 
 # -----------------------------------------------
 # --- PostSRSD, Postgrey & Amavis ---------------

docs/content/config/environment.md

@@ -345,16 +345,24 @@ Finally the logrotate interval **may** affect the period for generated reports.
 
 ##### SPAMASSASSIN_SPAM_TO_INBOX
 
-- **1** => Spam messages will be delivered to the inbox and tagged as spam using `SA_SPAM_SUBJECT`.
 - 0 => Spam messages will be bounced (_rejected_) without any notification (_dangerous_).
+- **1** => Spam messages will be delivered to the inbox and tagged as spam using `SA_SPAM_SUBJECT`.
+
+##### ENABLE_SPAMASSASSIN_KAM
+
+[KAM](https://mcgrail.com/template/projects#KAM1) is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation. If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
+
+- **0** => KAM disabled
+- 1 => KAM enabled
 
 ##### MOVE_SPAM_TO_JUNK
 
-- **1** => Spam messages will be delivered in the `Junk` folder.
-- 0 => Spam messages will be delivered in the mailbox.
-
+Spam messages can be moved in the Junk folder.
 Note: this setting needs `SPAMASSASSIN_SPAM_TO_INBOX=1`
 
+- 0 => Spam messages will be delivered in the mailbox.
+- **1** => Spam messages will be delivered in the `Junk` folder.
+
 ##### SA_TAG
 
 - **2.0** => add spam info headers if at, or above that level

mailserver.env

@@ -260,7 +260,15 @@ ENABLE_SPAMASSASSIN=0
 # deliver spam messages in the inbox (eventually tagged using SA_SPAM_SUBJECT)
 SPAMASSASSIN_SPAM_TO_INBOX=1
 
-# spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required)
+# KAM is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation.
+# If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
+# - **0** => KAM disabled
+# - 1 => KAM enabled
+#
+# Note: only has an effect if `ENABLE_SPAMASSASSIN=1`
+ENABLE_SPAMASSASSIN_KAM=0
+
+# this setting needs `SPAMASSASSIN_SPAM_TO_INBOX=1`
 MOVE_SPAM_TO_JUNK=1
 
 # add spam info headers if at, or above that level:

target/scripts/start-mailserver.sh

@@ -34,6 +34,7 @@ VARS[ENABLE_POSTGREY]="${ENABLE_POSTGREY:=0}"
 VARS[ENABLE_QUOTAS]="${ENABLE_QUOTAS:=1}"
 VARS[ENABLE_SASLAUTHD]="${ENABLE_SASLAUTHD:=0}"
 VARS[ENABLE_SPAMASSASSIN]="${ENABLE_SPAMASSASSIN:=0}"
+VARS[ENABLE_SPAMASSASSIN_KAM]="${ENABLE_SPAMASSASSIN_KAM:=0}"
 VARS[ENABLE_SRS]="${ENABLE_SRS:=0}"
 VARS[ENABLE_UPDATE_CHECK]="${ENABLE_UPDATE_CHECK:=1}"
 VARS[FAIL2BAN_BLOCKTYPE]="${FAIL2BAN_BLOCKTYPE:=drop}"

target/scripts/startup/setup-stack.sh

@@ -960,6 +960,23 @@ function _setup_security_stack
       sed -i "s|\$final_spam_destiny.*=.*$|\$final_spam_destiny = D_BOUNCE;|g" /etc/amavis/conf.d/49-docker-mailserver
       sed -i "s|\$final_bad_header_destiny.*=.*$|\$final_bad_header_destiny = D_BOUNCE;|g" /etc/amavis/conf.d/49-docker-mailserver
     fi
+
+    if [[ ${ENABLE_SPAMASSASSIN_KAM} -eq 1 ]]
+    then
+      _notify 'inf' 'Configuring Spamassassin KAM'
+      local SPAMASSASSIN_KAM_CRON_FILE=/etc/cron.daily/spamassassin_kam
+
+      sa-update --import /etc/spamassassin/kam/kam.sa-channels.mcgrail.com.key
+      cat >"${SPAMASSASSIN_KAM_CRON_FILE}" <<"EOM"
+#! /bin/bash
+
+sa-update --gpgkey 24C063D8 --channel kam.sa-channels.mcgrail.com && \
+/etc/init.d/spamassassin reload
+
+EOM
+
+      chmod +x "${SPAMASSASSIN_KAM_CRON_FILE}"
+    fi
   fi
 
   # Clamav