policy_module(milter, 1.0.2) ######################################## # # Declarations # # attributes common to all milters attribute milter_domains; attribute milter_data_type; # currently-supported milters are milter-greylist, milter-regex and spamass-milter milter_template(greylist) milter_template(regex) milter_template(spamass) # Type for the spamass-milter home directory, under which spamassassin will # store system-wide preferences, bayes databases etc. if not configured to # use per-user configuration type spamass_milter_state_t; files_type(spamass_milter_state_t) ######################################## # # milter-greylist local policy # ensure smtp clients retry mail like real MTAs and not spamware # http://hcpnet.free.fr/milter-greylist/ # # It removes any existing socket (not owned by root) whilst running as root, # fixes permissions, renices itself and then calls setgid() and setuid() to # drop privileges allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; allow greylist_milter_t self:process { setsched getsched }; # It creates a pid file /var/run/milter-greylist.pid files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) kernel_read_kernel_sysctls(greylist_milter_t) # Allow the milter to read a GeoIP database in /usr/share files_read_usr_files(greylist_milter_t) # The milter runs from /var/lib/milter-greylist and maintains files there files_search_var_lib(greylist_milter_t); # Look up username for dropping privs auth_use_nsswitch(greylist_milter_t) # Config is in /etc/mail/greylist.conf mta_read_config(greylist_milter_t) ######################################## # # milter-regex local policy # filter emails using regular expressions # http://www.benzedrine.cx/milter-regex.html # # It removes any existing socket (not owned by root) whilst running as root # and then calls setgid() and setuid() to drop privileges allow regex_milter_t self:capability { setuid setgid dac_override }; # The milter's socket directory lives under /var/spool files_search_spool(regex_milter_t) # Look up username for dropping privs auth_use_nsswitch(regex_milter_t) # Config is in /etc/mail/milter-regex.conf mta_read_config(regex_milter_t) ######################################## # # spamass-milter local policy # pipe emails through SpamAssassin # http://savannah.nongnu.org/projects/spamass-milt/ # # The milter runs from /var/lib/spamass-milter allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; files_search_var_lib(spamass_milter_t) kernel_read_system_state(spamass_milter_t) # When used with -b or -B options, the milter invokes sendmail to send mail # to a spamtrap address, using popen() corecmd_exec_shell(spamass_milter_t) corecmd_read_bin_symlinks(spamass_milter_t) corecmd_search_bin(spamass_milter_t) mta_send_mail(spamass_milter_t) # The main job of the milter is to pipe spam through spamc and act on the result spamassassin_domtrans_client(spamass_milter_t)