Rev 3 | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log | RSS feed
Rev 3 | Rev 29 | ||
---|---|---|---|
1 | GREYLISTING with SA-Exim |
1 | GREYLISTING with SA-Exim |
2 | ------------------------ |
2 | ------------------------ |
3 | 3 | ||
4 | 4 | ||
5 | INTRODUCTION |
5 | INTRODUCTION |
6 | ------------ |
6 | ------------ |
7 | SA-Exim allows for intelligent greylisting by combining the idea of greylisting |
7 | SA-Exim allows for intelligent greylisting by combining the idea of greylisting |
8 | with Spam scores from SpamAssassin |
8 | with Spam scores from SpamAssassin |
9 | 9 | ||
10 | If you don't know what greylisting is, you should probably go read up there: |
10 | If you don't know what greylisting is, you should probably go read up there: |
11 | http://projects.puremagic.com/greylisting/ |
11 | http://projects.puremagic.com/greylisting/ |
12 | (note that this implementation works differently than the one described there) |
12 | (note that this implementation works differently than the one described there) |
13 | 13 | ||
14 | So, SA-Exim isn't just yet another greylisting implementation. By tying it |
14 | So, SA-Exim isn't just yet another greylisting implementation. By tying it |
15 | into SA-Exim, and especially by running SA at SMTP time, you can do the |
15 | into SA-Exim, and especially by running SA at SMTP time, you can do the |
16 | following things: |
16 | following things: |
17 | - do not bother greylisting people who send messages detected as spam by SA |
17 | - do not bother greylisting people who send messages detected as spam by SA |
18 | (indeed, regular greylisting will accept mail from a spammer if he retries |
18 | (indeed, regular greylisting will accept mail from a spammer if he retries |
19 | or sends it from an open relay) |
19 | or sends it from an open relay) |
20 | SA-Exim will never greylist, or whitelist a sender based on a mail clearly |
20 | SA-Exim will never greylist, or whitelist a sender based on a mail clearly |
21 | marked as spam by SA. |
21 | marked as spam by SA. |
22 | 22 | ||
23 | - do not delay mail from people who aren't spamming you (this one is the most |
23 | - do not delay mail from people who aren't spamming you (this one is the most |
24 | important feature of SA-Exim greylisting, as it removes the biggest |
24 | important feature of SA-Exim greylisting, as it removes the biggest |
25 | disadvantage linkes to greylisting) |
25 | disadvantage linkes to greylisting) |
26 | 26 | ||
27 | - only greylist (and maybe later whitelist) hosts that send you mail with |
27 | - only greylist (and maybe later whitelist) hosts that send you mail with |
28 | a certain SA score. |
28 | a certain SA score. |
29 | 29 | ||
30 | 30 | ||
31 | IMPLEMENTATION |
31 | IMPLEMENTATION |
32 | -------------- |
32 | -------------- |
33 | So how does this all work? |
33 | So how does this all work? |
34 | SA comes with a patch for SA 2.x (and a module for SA 3.x) that does the |
34 | SA comes with a patch for SA 2.x (and a module for SA 3.x) that does the |
35 | following things: |
35 | following things: |
36 | - add a greylisting rule which gets run at the very end, and where if |
36 | - add a greylisting rule which gets run at the very end, and where if |
37 | the score is already higher than a configured value, we do not bother |
37 | the score is already higher than a configured value, we do not bother |
38 | greylisting the host. We just return a rule failure, which doesn't |
38 | greylisting the host. We just return a rule failure, which doesn't |
39 | change the score and lets SA-Exim reject the mail as usual |
39 | change the score and lets SA-Exim reject the mail as usual |
40 | - if the score is lower than the "surely spam" threshold (shown as 11 in the |
40 | - if the score is lower than the "surely spam" threshold (shown as 11 in the |
41 | example below), check for a file in |
41 | example below), check for a file in |
42 | /var/spool/sa-exim/messageids/co/nn/ect/ip/envfrom/envto |
42 | /var/spool/sa-exim/messageids/co/nn/ect/ip/envfrom/envto |
43 | - if it's there, check if it was written more than x seconds ago (1800s/30mn |
43 | - if it's there, check if it was written more than x seconds ago (1800s/30mn |
44 | in the example below) |
44 | in the example below) |
45 | - if so, change the status to whitelisted and return true so that SA applies |
45 | - if so, change the status to whitelisted and return true so that SA applies |
46 | the whitelist negative score |
46 | the whitelist negative score |
47 | - if not, simply increase counters, host is still greylisted |
47 | - if not, simply increase counters, host is still greylisted |
48 | - if the file is not there, create it |
48 | - if the file is not there, create it |
49 | - every x time (like 4 hours or two days), remove all greylist entries that |
49 | - every x time (like 4 hours or two days), remove all greylist entries that |
50 | only saw one mail (i.e. still greylisted, not whitelisted yet). |
50 | only saw one mail (i.e. still greylisted, not whitelisted yet). |
51 | This is done with a find cron job |
51 | This is done with a find cron job |
52 | - every y time (like 1 week), remove whitelisted entries so that your filesystem |
52 | - every y time (like 1 week), remove whitelisted entries so that your filesystem |
53 | doesn't clutter up with hosts you're not going to hear from again in a while |
53 | doesn't clutter up with hosts you're not going to hear from again in a while |
54 | 54 | ||
55 | 55 | ||
56 | Then, you call the greylisting rule with this (in SA's local.cf) |
56 | Then, you call the greylisting rule with this (in SA's local.cf) |
57 | # reseval is a special eval which only runs after you have the result from |
57 | # reseval is a special eval which only runs after you have the result from |
58 | # everything else (lets us not greylist a host that is sending spam, otherwise |
58 | # everything else (lets us not greylist a host that is sending spam, otherwise |
59 | # this rule might set a sufficiently negative score that the next spam would |
59 | # this rule might set a sufficiently negative score that the next spam would |
60 | # be allowed in) |
60 | # be allowed in) |
61 | # Note the 'key' -> 'value'; syntax. It's a special hack to go through SA's |
61 | # Note the 'key' -> 'value'; syntax. It's a special hack to go through SA's |
62 | # config parser. You need to keep that exact syntax |
62 | # config parser. You need to keep that exact syntax |
63 | # greylistsecs: how long you greylist a tuplet because whitelisting it |
63 | # greylistsecs: how long you greylist a tuplet because whitelisting it |
64 | # greylistnullfrom: set to 1 to also greylist mail with a null env from |
64 | # greylistnullfrom: set to 1 to also greylist mail with a null env from |
65 | # greylistfourthbyte: keep the 4 bytes of the connecting host instead of 3 |
65 | # greylistfourthbyte: keep the 4 bytes of the connecting host instead of 3 |
66 | header GREYLIST_ISWHITE reseval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 0; 'greylistfourthbyte' => 0 )") |
66 | header GREYLIST_ISWHITE reseval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 0; 'greylistfourthbyte' => 0 )") |
67 | describe GREYLIST_ISWHITE The incoming server has been whitelisted for this rece |
67 | describe GREYLIST_ISWHITE The incoming server has been whitelisted for this rece |
68 | ipient and sender |
68 | ipient and sender |
69 | score GREYLIST_ISWHITE -1.5 |
69 | score GREYLIST_ISWHITE -1.5 |
70 | 70 | ||
71 | Note that SA greylisting depends on X-SA-Exim-Rcpt-To, so you have to ensure |
71 | Note that SA greylisting depends on X-SA-Exim-Rcpt-To, so you have to ensure |
72 | that SAmaxrcptlistlength is set to a reasonably high value (up to 8000) instead |
72 | that SAmaxrcptlistlength is set to a reasonably high value (up to 8000) instead |
73 | of the current default of 0 (you can remove the header in exim's system_filter |
73 | of the current default of 0 (you can remove the header in exim's system_filter |
74 | or a transport if you don't want it to show in user's mails, see "privacy |
74 | or a transport if you don't want it to show in user's mails, see "privacy |
75 | warning" in README) |
75 | warning" in README) |
76 | 76 | ||
77 | 77 | ||
78 | Now, in case you aren't confused yet, you get even more knobs to play with :) |
78 | Now, in case you aren't confused yet, you get even more knobs to play with :) |
79 | If a spammer resends you a spam until it gets whitelisted (or typically, it |
79 | If a spammer resends you a spam until it gets whitelisted (or typically, it |
80 | gets sent to a relay that resends it to you), even if you are setup to |
80 | gets sent to a relay that resends it to you), even if you are setup to |
81 | accept the spam at the point, you don't want to lower the SA score too much |
81 | accept the spam at the point, you don't want to lower the SA score too much |
82 | just because the mail was resent to you several times (i.e. a rather negative |
82 | just because the mail was resent to you several times (i.e. a rather negative |
83 | score for GREYLIST_ISWHITE). So, you can actually configure SA-Exim to temp |
83 | score for GREYLIST_ISWHITE). So, you can actually configure SA-Exim to temp |
84 | reject messages on a much higher score than usual, if they don't have the |
84 | reject messages on a much higher score than usual, if they don't have the |
85 | GREYLIST_ISWHITE tag. |
85 | GREYLIST_ISWHITE tag. |
86 | 86 | ||
87 | In other words, let's say you have this in sa-exim.conf: |
87 | In other words, let's say you have this in sa-exim.conf: |
88 | SApermreject: 11.0 |
88 | SApermreject: 11.0 |
89 | SAtempreject: 3.0 |
89 | SAtempreject: 3.0 |
90 | SAgreylistraisetempreject: 6.5 |
90 | SAgreylistraisetempreject: 6.5 |
91 | 91 | ||
92 | If a mail comes in at less than 3.0, the SA patch/module remembers the sending |
92 | If a mail comes in at less than 3.0, the SA patch/module remembers the sending |
93 | server's connecting IP, the env from, and the rcpt to(s), and whitelists those. |
93 | server's connecting IP, the env from, and the rcpt to(s), and whitelists those. |
94 | (those will be referred to as tuplets, one for each rcpt to) |
94 | (those will be referred to as tuplets, one for each rcpt to) |
95 | 95 | ||
96 | If the score is between 3.0 and 11.0, |
96 | If the score is between 3.0 and 11.0, |
97 | - if at least one of the tuplets is already whitelisted, SA applies the -1.5 |
97 | - if at least one of the tuplets is already whitelisted, SA applies the -1.5 |
98 | score and yields an end score below 9.5, Now, at the same time, SAtempreject |
98 | score and yields an end score below 9.5, Now, at the same time, SAtempreject |
99 | is temporarily raised by 6.5, so everything under 9.5 is accepted, which |
99 | is temporarily raised by 6.5, so everything under 9.5 is accepted, which |
100 | basically means that the mail goes through. |
100 | basically means that the mail goes through. |
101 | - if none of the tuplets are whitelisted, they get greylisted |
101 | - if none of the tuplets are whitelisted, they get greylisted |
102 | - if they are greylisted, they can get upgraded to whitelisted status if the |
102 | - if they are greylisted, they can get upgraded to whitelisted status if the |
103 | sending server has been trying for long enough (1800secs in the example given |
103 | sending server has been trying for long enough (1800secs in the example given |
104 | above). At this point the same thing happens as in case #1 and the mail is |
104 | above). At this point the same thing happens as in case #1 and the mail is |
105 | accepted |
105 | accepted |
106 | 106 | ||
107 | If a tuplet that is going to be whitelisted or greylisted, already is, SA |
107 | If a tuplet that is going to be whitelisted or greylisted, already is, SA |
108 | updates counters to let you run reports and anything else you want, like |
108 | updates counters to let you run reports and anything else you want, like |
109 | deciding if or when you'd like to expire the entry |
109 | deciding if or when you'd like to expire the entry |
110 | 110 | ||
111 | If by now you wonder why you would want to both decrease the SA score and |
111 | If by now you wonder why you would want to both decrease the SA score and |
112 | increase the maximum score you'll accept mails on, the reason is as follows: |
112 | increase the maximum score you'll accept mails on, the reason is as follows: |
113 | You probably don't want to lower the SA score by 8 just because the tuplet |
113 | You probably don't want to lower the SA score by 8 just because the tuplet |
114 | is whitelisted (not only does it mess with the SA scoring of messages that used |
114 | is whitelisted (not only does it mess with the SA scoring of messages that used |
115 | to be flagged as spam, but a spam with a score of 13.5 would then be lowered |
115 | to be flagged as spam, but a spam with a score of 13.5 would then be lowered |
116 | to 5.5, be temprejected, and be close to the accept range). |
116 | to 5.5, be temprejected, and be close to the accept range). |
117 | Instead, giving an SA score of -1.5, a message with 13.5 becomes 12.0 and still |
117 | Instead, giving an SA score of -1.5, a message with 13.5 becomes 12.0 and still |
118 | gets rejected right away. You also do not overly (and artifically) lower the |
118 | gets rejected right away. You also do not overly (and artifically) lower the |
119 | score of a message, just for SA-Exim's sake |
119 | score of a message, just for SA-Exim's sake |
120 | 120 | ||
121 | If you so wish, you can also give the SA rule a score of -0.1, and only |
121 | If you so wish, you can also give the SA rule a score of -0.1, and only |
122 | dynamically raise the tempreject score for messages that are whitelisted. |
122 | dynamically raise the tempreject score for messages that are whitelisted. |
123 | 123 | ||
124 | 124 | ||
125 | SCORE SETUP |
125 | SCORE SETUP |
126 | ----------- |
126 | ----------- |
127 | It makes little sense to have |
127 | It makes little sense to have |
128 | SAtempreject + SAgreylistraisetempreject + SA GREYLIST_ISWHITE > SApermreject |
128 | SAtempreject + SAgreylistraisetempreject + SA GREYLIST_ISWHITE > SApermreject |
129 | as there is little point to raise SAtempreject if the message that's |
129 | as there is little point to raise SAtempreject if the message that's |
130 | whitelisted still gets refused by the SApermreject score |
130 | whitelisted still gets refused by the SApermreject score |
131 | 131 | ||
132 | As to whether you want to put more points into SA GREYLIST_ISWHITE or |
132 | As to whether you want to put more points into SA GREYLIST_ISWHITE or |
133 | SAgreylistraisetempreject, this is your call, but as a general rule, you only |
133 | SAgreylistraisetempreject, this is your call, but as a general rule, you only |
134 | want to change the SA score in a way that makes sense for spam scoring, |
134 | want to change the SA score in a way that makes sense for spam scoring, |
135 | as it similarly affects the score of all messages, whether SA-Exim sees them |
135 | as it similarly affects the score of all messages, whether SA-Exim sees them |
136 | in the non spam range, tempreject range, or "this is spam that I would never |
136 | in the non spam range, tempreject range, or "this is spam that I would never |
137 | let in" range. |
137 | let in" range. |
138 | 138 | ||
139 | 139 | ||
140 | FILE SETUP |
140 | FILE SETUP |
141 | ---------- |
141 | ---------- |
142 | Make very sure that uid nobody can traverse /var/spool/sa-exim and |
142 | Make very sure that uid nobody can traverse /var/spool/sa-exim and |
143 | create tuplets writeable by nobody (or whoever you run SA as) |
143 | create tuplets writeable by nobody (or whoever you run SA as) |
144 | 144 | ||
145 | Then, setup a cron job to delete tuplets that are older than 14 days for |
145 | Then, setup a cron job to delete tuplets that are older than 14 days for |
146 | whitelisted entries, and 2 days for greylisted entries (or whatever |
146 | whitelisted entries, and 2 days for greylisted entries (or whatever |
147 | values you fancy). |
147 | values you fancy). |
148 | Note that because this implementation does not systematically force the senders to resend you mail, unless they sent something that looks too much like spam, |
148 | Note that because this implementation does not systematically force the senders to resend you mail, unless they sent something that looks too much like spam, |
149 | you will typically see few whitelisted entries, and those will either be |
149 | you will typically see few whitelisted entries, and those will either be |
150 | potential spam that was actually resent to you at least 30mn after the |
150 | potential spam that was actually resent to you at least 30mn after the |
151 | initial copy (or whatever value you setup in "header GREYLIST_ISWHITE"), or |
151 | initial copy (or whatever value you setup in "header GREYLIST_ISWHITE"), or |
152 | people who sent you several Emails (where the second Email will just happen to |
152 | people who sent you several Emails (where the second Email will just happen to |
153 | trigger a whitelisting). |
153 | trigger a whitelisting). |
154 | 154 | ||
155 | 155 | ||
156 | FILE SETUP |
156 | FILE SETUP |
157 | ---------- |
157 | ---------- |
158 | You should install greylistclean.cron in /etc/cron.d/ on your system to |
158 | You should install greylistclean.cron in /etc/cron.d/ on your system to |
159 | call greylistclean and clean up greylisted entries and whitelisted entries |
159 | call greylistclean and clean up greylisted entries and whitelisted entries |
160 | that haven't been used in a while. |
160 | that haven't been used in a while. |
161 | You can optionally modify it to tweak the cleanup times. |
161 | You can optionally modify it to tweak the cleanup times. |
162 | Note that you need to tweak greylistclean.cron to match the user spamd runs |
162 | Note that you need to tweak greylistclean.cron to match the user spamd runs |
163 | as if you aren't using the recommended --username=nobody |
163 | as if you aren't using the recommended --username=nobody |
164 | 164 | ||
165 | 165 | ||
166 | SA PATCH (SA 2.x) |
166 | SA PATCH (SA 2.x) |
167 | ----------------- |
167 | ----------------- |
168 | For all this to work, you also need to patch SA with SA-greylist.diff |
168 | For all this to work, you also need to patch SA with SA-greylist.diff |
169 | from the source tar (or /usr/share/doc/sa-exim*/ for a precompiled package). |
169 | from the source tar (or /usr/share/doc/sa-exim*/ for a precompiled package). |
170 | This patch never made it to the main SA 2.x branch as the developers had mostly |
170 | This patch never made it to the main SA 2.x branch as the developers had mostly |
171 | switched to 3.x where you can use plugins. |
171 | switched to 3.x where you can use plugins. |
172 | If you still use SA 3.x, you can go to /usr/share/perl5/Mail (or wherever |
172 | If you still use SA 3.x, you can go to /usr/share/perl5/Mail (or wherever |
173 | appropriate on your system), and run |
173 | appropriate on your system), and run |
174 | patch -p0 -s < /path/to/sa-exim/SA-greylisting.diff |
174 | patch -p0 -s < /path/to/sa-exim/SA-greylisting.diff |
175 | Note that while the patch works, it will not be maintained anymore since |
175 | Note that while the patch works, it will not be maintained anymore since |
176 | it is deprecated for the SA 3.x plugin |
176 | it is deprecated for the SA 3.x plugin |
177 | 177 | ||
178 | 178 | ||
179 | SA PLUGIN (SA 3.x) |
179 | SA PLUGIN (SA 3.x) |
180 | ------------------ |
180 | ------------------ |
181 | Newer versions of SpamAssassin support plugins, so there is no need to |
181 | Newer versions of SpamAssassin support plugins, so there is no need to |
182 | patch SA anymore, you can just install the Greylisting.pm module on your |
182 | patch SA anymore, you can just install the Greylisting.pm module on your |
183 | system and get SA to use it |
183 | system and get SA to use it |
184 | This is how you call the module in SA 3.x (i.e. put this in your |
184 | This is how you call the module in SA 3.x (i.e. put this in your |
185 | /etc/spamassassin/local.cf) |
185 | /etc/spamassassin/local.cf) |
186 | 186 | ||
187 | # Note the 'key' -> 'value'; syntax. It's a special hack to go through SA's |
187 | # Note the 'key' -> 'value'; syntax. It's a special hack to go through SA's |
188 | # config parser. You need to keep that exact syntax |
188 | # config parser. You need to keep that exact syntax |
189 | # greylistsecs: how long you greylist a tuplet because whitelisting it |
189 | # greylistsecs: how long you greylist a tuplet because whitelisting it |
190 | # greylistnullfrom: set to 1 to also greylist mail with a null env from |
190 | # greylistnullfrom: set to 1 to also greylist mail with a null env from |
191 | # greylistfourthbyte: keep the 4 bytes of the connecting host instead of 3 |
191 | # greylistfourthbyte: keep the 4 bytes of the connecting host instead of 3 |
192 | loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm |
192 | loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm |
193 | header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )") |
193 | header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )") |
194 | describe GREYLIST_ISWHITE The incoming server has been whitelisted for this recipient and sender |
194 | describe GREYLIST_ISWHITE The incoming server has been whitelisted for this recipient and sender |
195 | score GREYLIST_ISWHITE -1.5 |
195 | score GREYLIST_ISWHITE -1.5 |
196 | # Run SpamAssassin last, after all other rules. |
196 | # Run SpamAssassin last, after all other rules. |
197 | # (lets us not greylist a host that is sending spam, otherwise this rule might |
197 | # (lets us not greylist a host that is sending spam, otherwise this rule might |
198 | # set a sufficiently negative score that the next spam would be allowed in) |
198 | # set a sufficiently negative score that the next spam would be allowed in) |
199 | priority GREYLIST_ISWHITE 99999 |
199 | priority GREYLIST_ISWHITE 99999 |
200 | 200 | ||
201 | 201 | ||
202 | SA-EXIM NEW BEHAVIOR CONCERNS |
202 | SA-EXIM NEW BEHAVIOR CONCERNS |
203 | ----------------------------- |
203 | ----------------------------- |
204 | What greylisting changes as far as spam accepting or rejection is concerned: |
204 | What greylisting changes as far as spam accepting or rejection is concerned: |
205 | Once a tuplet has been whitelisted, spam from that host is more likely |
205 | Once a tuplet has been whitelisted, spam from that host is more likely |
206 | to be accepted until the tuplet expires. In the case of a mailing list, |
206 | to be accepted until the tuplet expires. In the case of a mailing list, |
207 | unless you run a find / rm based on the creation time and not the last |
207 | unless you run a find / rm based on the creation time and not the last |
208 | modified time, you will then be a bit more likely to accept spam from |
208 | modified time, you will then be a bit more likely to accept spam from |
209 | that list. |
209 | that list. |
210 | If this turns out to not be acceptable in your case, there isn't a whole |
210 | If this turns out to not be acceptable in your case, there isn't a whole |
211 | lot you can do about this, except deleting greylist entries for the host |
211 | lot you can do about this, except deleting greylist entries for the host |
212 | from cron before they get promoted to whitelist. |
212 | from cron before they get promoted to whitelist. |
213 | 213 | ||
214 | What you can do on top of the existing greylisting code: |
214 | What you can do on top of the existing greylisting code: |
215 | Parse the SA-Exim logs and if you get spam from an IP, you can decide |
215 | Parse the SA-Exim logs and if you get spam from an IP, you can decide |
216 | to delete greylist entries in /var/spool/sa-exim/tuplets/IP or just |
216 | to delete greylist entries in /var/spool/sa-exim/tuplets/IP or just |
217 | /var/spool/sa-exim/tuplets/IP/envfrom |
217 | /var/spool/sa-exim/tuplets/IP/envfrom |
218 | This may not may not be a good thing if you receive the occasional spam |
218 | This may not may not be a good thing if you receive the occasional spam |
219 | from a mailing list as you'll then re-delay mail for that list, but then |
219 | from a mailing list as you'll then re-delay mail for that list, but then |
220 | again, it will also remove whitelisting for a host that spammed you once |
220 | again, it will also remove whitelisting for a host that spammed you once |
221 | with an Email that managed to get under the SA scoring radar |
221 | with an Email that managed to get under the SA scoring radar |
222 | 222 | ||
223 | 223 | ||
224 | GREYLISTING AND MXES |
224 | GREYLISTING AND MXES |
225 | -------------------- |
225 | -------------------- |
226 | Depending on your configuration, you may have realized that SA-Exim doesn't |
226 | Depending on your configuration, you may have realized that SA-Exim doesn't |
227 | play very well with secondary MXes for your domain if they don't run SA-Exim |
227 | play very well with secondary MXes for your domain if they don't run SA-Exim |
228 | too (for instance, you'd send a tempreject on spam and clog up your |
228 | too (for instance, you'd send a tempreject on spam and clog up your |
229 | secondary, or maybe even teergrube it if you forgot to add your MX's IP |
229 | secondary, or maybe even teergrube it if you forgot to add your MX's IP |
230 | in the do not teergrube list. |
230 | in the do not teergrube list. |
231 | For greylisting, it's even more simple: |
231 | For greylisting, it's even more simple: |
232 | If your secondary MXes aren't running SA-Exim with greylisting, then |
232 | If your secondary MXes aren't running SA-Exim with greylisting, then |
233 | greylisting's efficiency will be greatly reduced as most spammers will send |
233 | greylisting's efficiency will be greatly reduced as most spammers will send |
234 | their spams to your secondary MXes which will accept the mail for you, |
234 | their spams to your secondary MXes which will accept the mail for you, |
235 | even if it's sent only once, and then your MXes will resend the spam to you |
235 | even if it's sent only once, and then your MXes will resend the spam to you |
236 | until you accept it (rendering greylisting useless) |
236 | until you accept it (rendering greylisting useless) |
237 | 237 | ||
238 | Now, if your secondaries are running greylisting too, most mail will flow |
238 | Now, if your secondaries are running greylisting too, most mail will flow |
239 | through with no delay whatsoever. However, in the worst case scenario, a mail |
239 | through with no delay whatsoever. However, in the worst case scenario, a mail |
240 | that isn't spam, but triggers greylisting because its score is high enough to |
240 | that isn't spam, but triggers greylisting because its score is high enough to |
241 | generate a tempreject, could be delayed up to twice the whitelisting time |
241 | generate a tempreject, could be delayed up to twice the whitelisting time |
242 | if it were to go to your secondary MX first (assuming your primary is |
242 | if it were to go to your secondary MX first (assuming your primary is |
243 | unreachable or temporarily overloaded), and then be resent to your primary |
243 | unreachable or temporarily overloaded), and then be resent to your primary |
244 | MX, which would trigger a second greylisting delay |
244 | MX, which would trigger a second greylisting delay |
245 | FIXME: implement a whitelist of sending IPs so that greylisting returns |
245 | FIXME: implement a whitelist of sending IPs so that greylisting returns |
246 | whitelisted right away |
246 | whitelisted right away |
247 | 247 | ||
248 | 248 | ||
249 | SECURITY |
249 | SECURITY |
250 | -------- |
250 | -------- |
251 | The greylisting function works around the SA parser by sending all the options |
251 | The greylisting function works around the SA parser by sending all the options |
252 | as a hash inside a string. In turn, greylisting evals the said string. |
252 | as a hash inside a string. In turn, greylisting evals the said string. |
253 | This is a security problem if you allow your users to run custom rules and it |
253 | This is a security problem if you allow your users to run custom rules and it |
254 | gives them access to run spamassassin as a user different from their own, or |
254 | gives them access to run spamassassin as a user different from their own, or |
255 | in a way that they otherwise wouldn't be able to. |
255 | in a way that they otherwise wouldn't be able to. |
256 | Do not run greylisting if this a problem for you (in the default SA/SA-Exim |
256 | Do not run greylisting if this a problem for you (in the default SA/SA-Exim |
257 | setup, this shouldn't be a concern since it doesn't even parse users' config |
257 | setup, this shouldn't be a concern since it doesn't even parse users' config |
258 | files) |
258 | files) |