actually calculate day when it is given

[pmg-api.git] / PMG / Config.pm

diff --git a/PMG/Config.pm b/PMG/Config.pm
index 62f5f2e6be202b2d39e6070bdb96ba5258f3d8f9..107cea50d3819bc1e84f4b87b389b433b783a556 100755 (executable)
--- a/PMG/Config.pm
+++ b/PMG/Config.pm
@@ -2,6 +2,7 @@ package PMG::Config::Base;
 
 use strict;
 use warnings;
+use URI;
 use Data::Dumper;
 
 use PVE::Tools;
@@ -60,6 +61,11 @@ sub type {
 
 sub properties {
     return {
+       advfilter => {
+           description => "Use advanced filters for statistic.",
+           type => 'boolean',
+           default => 1,
+       },
        dailyreport => {
            description => "Send daily reports.",
            type => 'boolean',
@@ -81,37 +87,34 @@ sub properties {
            type => 'string', format => 'email',
            default => 'admin@domain.tld',
        },
-       proxyport => {
-           description => "HTTP proxy port.",
-           type => 'integer',
-           minimum => 1,
-           default => 8080,
-       },
-       proxyserver => {
-           description => "HTTP proxy server address.",
+       http_proxy => {
+           description => "Specify external http proxy which is used for downloads (example: 'http://username:password\@host:port/')",
            type => 'string',
+           pattern => "http://.*",
        },
-       proxyuser => {
-           description => "HTTP proxy user name.",
-           type => 'string',
+       avast => {
+           description => "Use Avast Virus Scanner (/bin/scan). You need to buy and install 'Avast Core Security' before you can enable this feature.",
+           type => 'boolean',
+           default => 0,
        },
-       proxypassword => {
-           description => "HTTP proxy password.",
-           type => 'string',
+       clamav => {
+           description => "Use ClamAV Virus Scanner. This is the default virus scanner and is enabled by default.",
+           type => 'boolean',
+           default => 1,
        },
     };
 }
 
 sub options {
     return {
+       advfilter => { optional => 1 },
+       avast => { optional => 1 },
+       clamav => { optional => 1 },
        statlifetime => { optional => 1 },
        dailyreport => { optional => 1 },
        demo => { optional => 1 },
        email => { optional => 1 },
-       proxyport => { optional => 1 },
-       proxyserver => { optional => 1 },
-       proxyuser => { optional => 1 },
-       proxypassword => { optional => 1 },
+       http_proxy => { optional => 1 },
     };
 }
 
@@ -153,6 +156,13 @@ sub properties {
            description => "Whitelist legitimate bounce relays.",
            type => 'string',
        },
+       clamav_heuristic_score => {
+           description => "Score for ClamaAV heuristics (Google Safe Browsing database, PhishingScanURLs, ...).",
+           type => 'integer',
+           minimum => 0,
+           maximum => 1000,
+           default => 3,
+       },
        bounce_score => {
            description => "Additional score for bounce mails.",
            type => 'integer',
@@ -169,7 +179,7 @@ sub properties {
            description => "Maximum size of spam messages in bytes.",
            type => 'integer',
            minimum => 64,
-           default => 200*1024,
+           default => 256*1024,
        },
     };
 }
@@ -181,6 +191,7 @@ sub options {
        wl_bounce_relays => { optional => 1 },
        languages => { optional => 1 },
        use_bayes => { optional => 1 },
+       clamav_heuristic_score => { optional => 1 },
        bounce_score => { optional => 1 },
        rbl_checks => { optional => 1 },
        maxspamsize => { optional => 1 },
@@ -229,9 +240,22 @@ sub properties {
            default => 1,
        },
        hostname => {
-           description => "Quarantine Host. Usefule if you run a Cluster and want users to connect to a specific host.",
+           description => "Quarantine Host. Useful if you run a Cluster and want users to connect to a specific host.",
            type => 'string', format => 'address',
        },
+       port => {
+           description => "Quarantine Port. Useful if you have a reverse proxy or port forwarding for the webinterface. Only used for the generated Spam report.",
+           type => 'integer',
+           minimum => 1,
+           maximum => 65535,
+           default => 8006,
+       },
+       protocol => {
+           description => "Quarantine Webinterface Protocol. Useful if you have a reverse proxy for the webinterface. Only used for the generated Spam report.",
+           type => 'string',
+           enum => [qw(http https)],
+           default => 'https',
+       },
        mailfrom => {
            description => "Text for 'From' header in daily spam report mails.",
            type => 'string',
@@ -248,6 +272,8 @@ sub options {
        reportstyle => { optional => 1 },
        viewimages => { optional => 1 },
        allowhrefs => { optional => 1 },
+       port => { optional => 1 },
+       protocol => { optional => 1 },
     };
 }
 
@@ -412,14 +438,14 @@ sub properties {
            type => 'integer',
            minimum => 1,
            maximum => 65535,
-           default => 25,
+           default => 26,
        },
        ext_port => {
            description => "SMTP port number for incoming mail (untrusted). This must be a different number than 'int_port'.",
            type => 'integer',
            minimum => 1,
            maximum => 65535,
-           default => 26,
+           default => 25,
        },
        relay => {
            description => "The default mail delivery transport (incoming mails).",
@@ -510,11 +536,6 @@ sub properties {
            minimum => 0,
            default => 4,
        },
-       use_rbl => {
-           description => "Use Realtime Blacklists.",
-           type => 'boolean',
-           default => 1,
-       },
        tls => {
            description => "Enable TLS.",
            type => 'boolean',
@@ -562,7 +583,13 @@ sub properties {
        },
        dnsbl_sites => {
            description => "Optional list of DNS white/blacklist domains (see postscreen_dnsbl_sites parameter).",
-           type => 'string',
+           type => 'string', format => 'dnsbl-entry-list',
+       },
+       dnsbl_threshold => {
+           description => "The inclusive lower bound for blocking a remote SMTP client, based on its combined DNSBL score (see postscreen_dnsbl_threshold parameter).",
+           type => 'integer',
+           minimum => 0,
+           default => 1
        },
     };
 }
@@ -580,7 +607,6 @@ sub options {
        max_smtpd_out => { optional => 1 },
        greylist => { optional => 1 },
        helotests => { optional => 1 },
-       use_rbl => { optional => 1 },
        tls => { optional => 1 },
        tlslog => { optional => 1 },
        tlsheader => { optional => 1 },
@@ -597,8 +623,10 @@ sub options {
        message_rate_limit => { optional => 1 },
        verifyreceivers => { optional => 1 },
        dnsbl_sites => { optional => 1 },
+       dnsbl_threshold => { optional => 1 },
     };
 }
+
 package PMG::Config;
 
 use strict;
@@ -612,6 +640,8 @@ use PVE::Tools qw($IPV4RE $IPV6RE);
 use PVE::INotify;
 use PVE::JSONSchema;
 
+use PMG::Cluster;
+
 PMG::Config::Admin->register();
 PMG::Config::Mail->register();
 PMG::Config::SpamQuarantine->register();
@@ -624,6 +654,7 @@ PMG::Config::Base->init();
 
 PVE::JSONSchema::register_format(
     'transport-domain', \&pmg_verify_transport_domain);
+
 sub pmg_verify_transport_domain {
     my ($name, $noerr) = @_;
 
@@ -637,6 +668,43 @@ sub pmg_verify_transport_domain {
     return $name;
 }
 
+PVE::JSONSchema::register_format(
+    'transport-domain-or-email', \&pmg_verify_transport_domain_or_email);
+
+sub pmg_verify_transport_domain_or_email {
+    my ($name, $noerr) = @_;
+
+    my $namere = "([a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)";
+
+    # email address
+    if ($name =~ m/^(?:[^\s\/\@]+\@)(${namere}\.)*${namere}$/) {
+       return $name;
+    }
+
+    # like dns-name, but can contain leading dot
+    if ($name !~ /^\.?(${namere}\.)*${namere}$/) {
+          return undef if $noerr;
+          die "value does not look like a valid transport domain or email address\n";
+    }
+    return $name;
+}
+
+PVE::JSONSchema::register_format(
+    'dnsbl-entry', \&pmg_verify_dnsbl_entry);
+
+sub pmg_verify_dnsbl_entry {
+    my ($name, $noerr) = @_;
+
+    # like dns-name, but can contain trailing weight: 'domain*<WEIGHT>'
+    my $namere = "([a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)";
+
+    if ($name !~ /^(${namere}\.)*${namere}(\*\-?\d+)?$/) {
+          return undef if $noerr;
+          die "value '$name' does not look like a valid dnsbl entry\n";
+    }
+    return $name;
+}
+
 sub new {
     my ($type) = @_;
 
@@ -688,7 +756,7 @@ sub set {
 
 # get section value or default
 sub get {
-    my ($self, $section, $key) = @_;
+    my ($self, $section, $key, $nodefault) = @_;
 
     my $pdata = PMG::Config::Base->private();
     my $pdesc = $pdata->{propertyList}->{$key};
@@ -701,6 +769,8 @@ sub get {
        return $value;
     }
 
+    return undef if $nodefault;
+
     return $pdesc->{default};
 }
 
@@ -823,10 +893,6 @@ PVE::INotify::register_file('domains', $domainsfilename,
 
 my $mynetworks_filename = "/etc/pmg/mynetworks";
 
-sub postmap_pmg_mynetworks {
-    PMG::Utils::run_postmap($mynetworks_filename);
-}
-
 sub read_pmg_mynetworks {
     my ($filename, $fh) = @_;
 
@@ -870,6 +936,12 @@ PVE::INotify::register_file('mynetworks', $mynetworks_filename,
                            \&write_pmg_mynetworks,
                            undef, always_call_parser => 1);
 
+my $tls_policy_map_filename = "/etc/pmg/tls_policy";
+
+sub postmap_tls_policy {
+    PMG::Utils::run_postmap($tls_policy_map_filename);
+}
+
 my $transport_map_filename = "/etc/pmg/transport";
 
 sub postmap_pmg_transport {
@@ -902,7 +974,7 @@ sub read_transport_map {
        if ($line =~ m/^(\S+)\s+smtp:(\S+):(\d+)\s*$/) {
            my ($domain, $host, $port) = ($1, $2, $3);
 
-           eval { pmg_verify_transport_domain($domain); };
+           eval { pmg_verify_transport_domain_or_email($domain); };
            if (my $err = $@) {
                $parse_error->($err);
                next;
@@ -975,31 +1047,51 @@ sub get_template_vars {
 
     my $nodename = PVE::INotify::nodename();
     my $int_ip = PMG::Cluster::remote_node_ip($nodename);
-    my $int_net_cidr = PMG::Utils::find_local_network_for_ip($int_ip);
     $vars->{ipconfig}->{int_ip} = $int_ip;
-    # $vars->{ipconfig}->{int_net_cidr} = $int_net_cidr;
 
     my $transportnets = [];
 
-    my $tmap = PVE::INotify::read_file('transport');
-    foreach my $domain (sort keys %$tmap) {
-       my $data = $tmap->{$domain};
-       my $host = $data->{host};
-       if ($host =~ m/^$IPV4RE$/) {
-           push @$transportnets, "$host/32";
-       } elsif ($host =~ m/^$IPV6RE$/) {
-           push @$transportnets, "[$host]/128";
+    if (my $tmap = PVE::INotify::read_file('transport')) {
+       foreach my $domain (sort keys %$tmap) {
+           my $data = $tmap->{$domain};
+           my $host = $data->{host};
+           if ($host =~ m/^$IPV4RE$/) {
+               push @$transportnets, "$host/32";
+           } elsif ($host =~ m/^$IPV6RE$/) {
+               push @$transportnets, "[$host]/128";
+           }
        }
     }
 
     $vars->{postfix}->{transportnets} = join(' ', @$transportnets);
 
     my $mynetworks = [ '127.0.0.0/8', '[::1]/128' ];
-    push @$mynetworks, @$transportnets;
-    push @$mynetworks, $int_net_cidr;
-    push @$mynetworks, 'hash:/etc/pmg/mynetworks';
+
+    if (my $int_net_cidr = PMG::Utils::find_local_network_for_ip($int_ip, 1)) {
+       if ($int_net_cidr =~ m/^($IPV6RE)\/(\d+)$/) {
+           push @$mynetworks, "[$1]/$2";
+       } else {
+           push @$mynetworks, $int_net_cidr;
+       }
+    } else {
+       if ($int_ip =~ m/^$IPV6RE$/) {
+           push @$mynetworks, "[$int_ip]/128";
+       } else {
+           push @$mynetworks, "$int_ip/32";
+       }
+    }
 
     my $netlist = PVE::INotify::read_file('mynetworks');
+    foreach my $cidr (keys %$netlist) {
+       if ($cidr =~ m/^($IPV6RE)\/(\d+)$/) {
+           push @$mynetworks, "[$1]/$2";
+       } else {
+           push @$mynetworks, $cidr;
+       }
+    }
+
+    push @$mynetworks, @$transportnets;
+
     # add default relay to mynetworks
     if (my $relay = $self->get('mail', 'relay')) {
        if ($relay =~ m/^$IPV4RE$/) {
@@ -1013,14 +1105,54 @@ sub get_template_vars {
 
     $vars->{postfix}->{mynetworks} = join(' ', @$mynetworks);
 
+    # normalize dnsbl_sites
+    my @dnsbl_sites = PVE::Tools::split_list($vars->{pmg}->{mail}->{dnsbl_sites});
+    if (scalar(@dnsbl_sites)) {
+       $vars->{postfix}->{dnsbl_sites} = join(',', @dnsbl_sites);
+    }
+
+    $vars->{postfix}->{dnsbl_threshold} = $self->get('mail', 'dnsbl_threshold');
+
     my $usepolicy = 0;
     $usepolicy = 1 if $self->get('mail', 'greylist') ||
-       $self->get('mail', 'spf') ||  $self->get('mail', 'use_rbl');
+       $self->get('mail', 'spf');
     $vars->{postfix}->{usepolicy} = $usepolicy;
 
+    if ($int_ip =~ m/^$IPV6RE$/) {
+        $vars->{postfix}->{int_ip} = "[$int_ip]";
+    } else {
+        $vars->{postfix}->{int_ip} = $int_ip;
+    }
+
     my $resolv = PVE::INotify::read_file('resolvconf');
     $vars->{dns}->{hostname} = $nodename;
-    $vars->{dns}->{domain} = $resolv->{search};
+
+    my $domain = $resolv->{search} // 'localdomain';
+    $vars->{dns}->{domain} = $domain;
+
+    my $wlbr = "$nodename.$domain";
+    foreach my $r (PVE::Tools::split_list($vars->{pmg}->{spam}->{wl_bounce_relays})) {
+       $wlbr .= " $r"
+    }
+    $vars->{composed}->{wl_bounce_relays} = $wlbr;
+
+    if (my $proxy = $vars->{pmg}->{admin}->{http_proxy}) {
+       eval {
+           my $uri = URI->new($proxy);
+           my $host = $uri->host;
+           my $port = $uri->port // 8080;
+           if ($host) {
+               my $data = { host => $host, port => $port };
+               if (my $ui = $uri->userinfo) {
+                   my ($username, $pw) = split(/:/, $ui, 2);
+                   $data->{username} = $username;
+                   $data->{password} = $pw if defined($pw);
+               }
+               $vars->{proxy} = $data;
+           }
+       };
+       warn "parse http_proxy failed - $@" if $@;
+    }
 
     return $vars;
 }
@@ -1053,10 +1185,7 @@ sub rewrite_config_file {
 
     my ($perm, $uid, $gid);
 
-    if ($dstfn eq '/etc/fetchmailrc') {
-       (undef, undef, $uid, $gid) = getpwnam('fetchmail');
-       $perm = 0600;
-    } elsif ($dstfn eq '/etc/clamav/freshclam.conf') {
+    if ($dstfn eq '/etc/clamav/freshclam.conf') {
        # needed if file contains a HTTPProxyPasswort
 
        $uid = getpwnam('clamav');
@@ -1219,7 +1348,7 @@ my $write_smtp_whitelist = sub {
     return 1;
 };
 
-my $rewrite_config_whitelist = sub {
+sub rewrite_postfix_whitelist {
     my ($rulecache) = @_;
 
     # see man page for regexp_table for postfix regex table format
@@ -1275,10 +1404,6 @@ sub rewrite_config_postfix {
     my ($self, $rulecache) = @_;
 
     # make sure we have required files (else postfix start fails)
-    postmap_pmg_domains();
-    postmap_pmg_transport();
-    postmap_pmg_mynetworks();
-
     IO::File->new($transport_map_filename, 'a', 0644);
 
     my $changes = 0;
@@ -1296,9 +1421,13 @@ sub rewrite_config_postfix {
     $changes = 1 if $self->rewrite_config_file(
        'master.cf.in', '/etc/postfix/master.cf');
 
-    $rewrite_config_whitelist->($rulecache);
+    # make sure we have required files (else postfix start fails)
+    # Note: postmap need a valid /etc/postfix/main.cf configuration
+    postmap_pmg_domains();
+    postmap_pmg_transport();
+    postmap_tls_policy();
 
-    # fixme: rewrite_config_tls_policy ($class);
+    rewrite_postfix_whitelist($rulecache) if $rulecache;
 
     # make sure aliases.db is up to date
     system('/usr/bin/newaliases');