COPYRIGHTS
----------
SA-Exim was written by Marc MERLIN <marc_soft@merlins.org>
You can find the latest version here:
http://sa-exim.sf.net/
or here:
http://marc.merlins.org/linux/exim/sa.html

greylisting was written by and is copyright Mark Lawrence <nomad@null.net>

INSTALL
-------
See the file named INSTALL for installation instructions (either compiled
in exim, or as a stand-alone shared library)

If you got sa-exim prepackaged (like on debian), you have to make sure that
your exim supports a dynamically loadable local_scan (which is true on debian
and probably on other distros too if they shipped sa-exim as a package), and
that your exim4.conf file contains the following:
local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so

If you are using the split configuration file on debian with the sa-exim deb
package, you'll be fine. If you're using the monolithic file, you are on your
own until/unless the sa-exim packages try to do an in place edit (i.e. you have
to add the above configuration line yourself)

UPGRADING
---------
Deleting greylisting tuplets pre-4.2.1:
If you are installing this package yourself, and ever installed the old
greylistclean.cron which contained the complicated shell commands to clean
old tuplets, you should stop using those commands and upgrade to greylistclean.
Upgrading Greylisting.pm should also create safer tuplets without whitespace,
but it's better to get rid of the old shell cron jobs either way

PRIVACY WARNING
---------------
SA-Exim can add a header with the list of recipients in an Email (including
Bcc'ed folks).
X-SA-Exim-Rcpt-To is used to allow you to see who a spam went to easily (i.e.
without scanning the exim logs), and to write SpamAssassin rules on the envelope
To (like adding a score if there were too many recipients or a recipient who you
know only receives spam)

X-SA-Exim-Rcpt-To is not added anymore by default, you need to enable it by
setting SAmaxrcptlistlength to a value up to 8000, but if you do add it,
you should consider removing it in exim's system_filter or in a transport.
If SARewriteBody is true you should also consider setting
SAaddSAEheaderBeforeSA to false (see the config) as all the recipients
will be visible in the attached spam; note that this disables the
ability to write SpamAssassin rules based on X-SA-Exim-Rcpt-From/To.

In real life, who a spam was sent to isn't really a problem, but it could be if
a private message is mis-categorized as spam

Note however that if you disable X-SA-Exim-Rcpt-To by setting
SAmaxrcptlistlength to 0, you will not be able to use greylisting, which
depends on this header (however you'd still be welcome to remove the header in
system_filter)

CONFIGURATION
-------------
You should read sa-exim.conf, all the options there should be well
documented.

Note that the code will not act on any mail before it is flagged as SPAM by SA.
Having SA flag the mail however doesn't mean the code rejects it or throws
the alleged spam away, you control what you want to do depending on the score.

The only restriction is that things happen in this order (for increasing SA
scores):
- Save in SAnotspamsave if enabled
- Save in SAspamacceptsave if enabled
- Temporarily reject and optionally save if enabled
- Permanently reject and optionally save if enabled
- Accept, drop the mail, and optionally save if enabled
- Teergrube (i.e. stall) the sender to waste his resources (and yours)

Note that you cannot set a teergrube threshold of 12, and a permreject
threshold of 20 (not that it would make much sense anyway): the teergrube
rule is tested first, so a message scoring 20 would be teergrubed before
permreject is ever considered.
Threshold scores should decrease as you apply the highest to the lowest penalty
(i.e. the rules are run in this order: teergrube, devnull, permreject,
tempreject)

Now, as of SA-Exim 4.2, things get slightly more complicated as scores are
actually full exim conditions, and therefore you could have:
SAteergrube: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{127.0.0.2}} } {25}{1048576}}

This means that if your condition succeeds, the teergrube score is set to 25,
and if the condition fails, the teergrube score is set to 2^20, which for all
intents and purposes, disables teergrubing.

Regardless of what your scores end up being after the conditions are evaluated,
sa-exim still tests them in this order: teergrube, devnull, permreject,
tempreject.

CONFIGURING SPAMASSASSIN
------------------------
A good example of spamassassin configuration would be:
report_safe 0
use_terse_report 1 # for SA < 3.x

This will put a non-verbose SPAM-report in the headers, but leave the
message itself intact for easy analyzing and for easy feeding to
sa-learn when mis-flagged as spam or ham. The only way to see the
message is spam, is by looking in the headers.

If you have an older version of SpamAssassin (<= 2.50), you'd probably
want to add 'report_header 1' to that list. (This is default and
un-needed in new versions of SA.)

If you set 'report_safe' to a true value, you might also want to set
use_terse_report to a false value, in which case you'll get the long header
which might be friendlier to your users.

For SA before 3.x, add 'always_add_report 1' to always have a spamcheck report
put in the message.
This might be useful to test rules.

For SA 3.x onward, the syntax you'd want is:
add_header all Report _REPORT_

Since SA is usually configured to pass messages on that are beyond the SA
spam threshold, it can make sense to rewrite the subject line.
To achieve this, you would use this for SA 2.x:
rewrite_subject 1
subject_tag SPAM: _HITS_:

For SA 3.x, the syntax is:
rewrite_header Subject SPAM: _HITS_:

If you are using SA 2.50 or better, by default, you should probably set:
report_safe 0

Now, if you are willing to take a small speed and I/O hit, you can have
sa-exim read the body back from SA, and replace the original mail with
the new body.
You would use this if you want to set SA's report_safe to 1 or 2 (in
which case you also have to set SARewriteBody: 1 in SA-Exim's config)

Note that if you do so, unfortunately archived messages will have the
body modified by SA. This is not very trivial to fix, so if you archive
anything, you may not want to use SARewriteBody

Important:
You want to run spamd as such:
/usr/sbin/spamd -d -u nobody -H /var/spool/spamassassin/

It may not work if you run spamd with -c (debian default).
(You shouldn't run spamassassin as root for this purpose anyway; there
is no reason to, so why take the risk.)
You can edit this in /etc/default/spamassassin (debian) and probably
/etc/sysconfig/spamassassin (redhat)

With SA 3.x or better, the updated syntax would look like this:
/usr/sbin/spamd --max-children 50 --daemonize --username=nobody --nouser-config --helper-home-dir=/var/spool/spamassassin/

CONFIGURING EXIM4.CONF
----------------------
This code works without anything in the exim conf, but you probably want to use
some knobs to disable scanning for some users (like setting X-SA-Do-Not-Rej
or X-SA-Do-Not-Run in the rcpt ACL and removing those headers in the right
places)
See http://marc.merlins.org/linux/exim/#conf and more specifically
http://marc.merlins.org/linux/exim/exim4-conf/exim4.conf

Note that obviously if you set those headers, spammers can set them too, so
if you are concerned about this, you can either change the header name, or set
it to something else than 'Yes' and check for that value in sa-exim.conf
(or as a 3rd option, you can use exim ACL variables to pass values to SA-Exim
without generating headers; see the section contributed by Chirik, lower in
this file)

EXIM4 INTEGRATION / NOT SCANNING YOUR OWN MAILS
-----------------------------------------------
For a very complete exim4 config, including settings for SA, you should
look at sa-exim.conf and play with:
SAEximRunCond: ${if and{ \
   {def:sender_host_address} \
   {!eq {$sender_host_address}{127.0.0.1}} \
   {!eq {$h_X-SA-Do-Not-Run:}{Yes}} \
   } \
   {1}{0} \
   }
PLEASE NOTE: This conditional statement must be on one line. SA-Exim's
configfile parser does not support \-line continuation!!

You may also want to look at my exim4.conf config if you haven't done so yet:
http://marc.merlins.org/linux/exim/#conf

The check_rcpt ACL has:
warn message = X-SA-Do-Not-Rej: Yes
     local_parts = +nosarej:postmaster:abuse
warn message = X-SA-Do-Not-Run: Yes
     hosts = +relay_from_hosts
warn message = X-SA-Do-Not-Run: Yes
     authenticated = *

Then, you'll want to strip SA headers for messages that aren't local.
This means you should strip them at least in the remote_smtp transport
with this configuration snippet:
# This is generally set on messages originating from local users and it tells
# SA-Exim not to scan the message or that the message was scanned.
# Let's remove these headers if the message is sent remotely
headers_remove = "X-SA-Do-Not-Run:X-SA-Exim-Scanned:X-SA-Exim-Mail-From:X-SA-Exim-Rcpt-To:X-SA-Exim-Connect-IP"

You can also use another option, which can't be spoofed by a spammer, but
won't show you why a mail didn't get scanned if it was sent to multiple
people (which is why I personally prefer the above, even if it's spoofable)

Contributed by Chirik <chirik@castlefur.com>:
----------------------------------------------------------------------------
I have the following:
SAEximRunCond: ${if !eq {$acl_m0}{do-not-scan} {1} {0}}
SAEximRejCond: ${if !eq {$acl_m0}{do-not-reject} {1} {0}}

Then, in my recipient ACL, I have:
##### Checks for postmaster or abuse - we'll scan, still, but not reject
##### Don't reject for certain users
warn local_parts = postmaster : abuse
     set acl_m0 = do-not-reject

##### Check for situations we don't even scan (local mail)
##### Don't scan if hosts we relay for (probably dumb MUAs),
warn hosts = +relay_from_hosts:127.0.0.1/8
     set acl_m0 = do-not-scan

##### Don't scan non-smtp connections (empty host list)
warn hosts = :
     set acl_m0 = do-not-scan

##### Don't scan if authenticated
warn authenticated = *
     set acl_m0 = do-not-scan
----------------------------------------------------------------------------

TEERGRUBING: SAteergrube
------------------------
The idea is for mail that you know for sure is spam (I use a threshold of 25),
you can stall the spammer for as long as possible by sending a continuation
line every 10 seconds:
451- wait for more output
451- wait for more output
451- wait for more output
(...)

You can go there for details:
http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html

What should you know?
1) This is obviously going to use up some of your resources
2) You should not teergrube SMTP servers that relay mail for you, be
courteous (set a condition in SAteergrube like in the example
provided).
Besides, they are real mail relays, so they will diligently
try to send you the spam over and over for days.
(Note that you should probably not teergrube mailing lists you subscribed
to either, or you risk getting unsubscribed.)
See a sample in sa-exim.conf for example syntax.
3) Because of limitations in the current exim code, teergrubing will not work
over TLS.
This shouldn't be a problem since real spammers should not be using TLS,
and you shouldn't teergrube relays that do TLS with you.
If you do teergrube a TLS connection, it will break the connection and you
will see this in your logs:
18640m-0000Vb-00 SSL_write error 5
TLS error (SSL_write): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
This is not ideal, but in real life, that's ok.

GREYLISTING
-----------
See README.greylisting

READING ARCHIVED SPAMS
----------------------
Spams are optionally saved in individual files in a 'new' subdirectory
of some place like /var/spool/sa-exim/SAteergrube.
There are two ways to read them:
1) cat new/* > /tmp/mailbox, and use the resulting file as a standard
mbox file with any mail client (if SAPrependArchiveWithFrom is true)
2) Use a maildir capable mail client, like mutt, and run something like
'mutt -f /var/spool/sa-exim/SAteergrube'. This will read the messages in
place, since what sa-exim creates looks like a valid Maildir spool.

If you configured SA-Exim to set X-SA-Exim-Rcpt-To, you can even resend
archived refused messages to the users they were meant for

Note that sa-exim runs with the same uid/gid as the exim daemon (something
like mail, exim, or Debian-Exim), so /var/spool/sa-exim/SAteergrube must exist
and be writeable by exim.
SA-Exim will then create (sub-)directories with the permissions 0770 as
needed (those permissions aren't a configuration option, but you can change
them after the fact or pre-create the directories with the permissions of your
choice)
Files are created with 0664 permissions so that anyone who has directory access
can read (and maybe write) the files.
If you chgrp the parent 'new' directory to a group of your choice, and give it
permissions 2770 or 2775, the files will be created with that group instead of
the default exim group

LOG AND SMTP OUTPUT
-------------------
As of SA-Exim 3.0, SMTP output does not contain the spam score anymore,
and you can change the messages or re-add the score by changing the
runtime SAmsg* variables

All SA-Exim log output now looks like this:
- "SA: PANIC: " -> severe errors
- "SA: Warning: " -> config file parsing errors
- "SA: Notice: " -> misc info on what SA-Exim is doing or not doing
- "SA: Action: " -> what action SA-Exim took on a mail after scanning
- "SA: Debug[X]: " -> misc debug info if enabled

Marin Balvers has written a nice log parser here:
http://nossie.addicts.nl/projects/sa-exim-stats/

FAQ
---
Why do I get this in my exim logs?
2004-05-15 12:43:57 1BP54T-0002gV-Nu TLS send error on connection from internalmx1.company.tld (internalmx.company.tld) [192.168.1.1]:51552: Error in the push function.
2004-05-15 12:43:57 TLS recv error on connection from internalmx1.company.tld (internalmx.company.tld)[192.168.1.1]:51552: The specified session has been invalidated for some reason.

This is because you are teergrubing a host that is doing TLS. Teergrubing does
not work with TLS, and people doing TLS with you are probably known relays which
you should exclude from your teergrube list (SAteergrubecond)
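As an added example (not part of SA-Exim or of Marin Balvers' parser), a small Python script that sorts mainlog lines by the five "SA:" prefixes listed under LOG AND SMTP OUTPUT, picks out the TLS "push function" error from the FAQ above, and turns the offending peers into a one-line SAteergrube condition in the style shown under CONFIGURATION. The two TLS lines in the sample are the FAQ's; the message text after the "SA:" prefixes is constructed for this example and is not real sa-exim output.

```python
import re
from collections import Counter

# Constructed sample mainlog: the two "TLS ... error" lines are quoted from the
# FAQ, the "SA: ..." lines only reuse the documented prefixes (text is made up).
SAMPLE_LOG = """\
2004-05-15 12:40:01 1BP50A-0001aB-Cd SA: Action: scanned but message isn't spam: score=1.3
2004-05-15 12:41:10 1BP51B-0002cD-Ef SA: Action: permanently rejected message: score=21.0
2004-05-15 12:42:33 1BP52C-0003eF-Gh SA: Notice: message not scanned: X-SA-Do-Not-Run set
2004-05-15 12:43:57 1BP54T-0002gV-Nu TLS send error on connection from internalmx1.company.tld (internalmx.company.tld) [192.168.1.1]:51552: Error in the push function.
2004-05-15 12:43:57 TLS recv error on connection from internalmx1.company.tld (internalmx.company.tld)[192.168.1.1]:51552: The specified session has been invalidated for some reason.
2004-05-15 12:45:02 SA: Warning: unknown option in config file
2004-05-15 12:46:44 SA: PANIC: unable to connect to spamd
2004-05-15 12:47:00 SA: Debug[1]: SAEximRunCond expanded to 1
"""

# The five log prefixes documented under LOG AND SMTP OUTPUT.
SA_PREFIX = re.compile(r"\bSA: (PANIC|Warning|Notice|Action|Debug)(\[\d+\])?: ")
# The FAQ symptom of teergrubing a peer that talks TLS with us.
TLS_PUSH = re.compile(
    r"TLS send error on connection from (\S+) .*\[([\d.]+)\]:\d+: "
    r"Error in the push function")

def classify(log_text):
    """Count SA-Exim log lines per severity prefix (Debug[X] folded into Debug)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SA_PREFIX.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def teergrubed_tls_peers(log_text):
    """Map IP -> hostname of peers whose TLS session a teergrube stall broke."""
    peers = {}
    for line in log_text.splitlines():
        m = TLS_PUSH.search(line)
        if m:
            peers[m.group(2)] = m.group(1)
    return peers

def teergrube_condition(exclude_ips, score=25, disabled=1048576):
    """One-line SAteergrube value as shown under CONFIGURATION: the real
    threshold for everyone except the listed hosts, 2^20 (disabled) for them."""
    tests = " ".join("{!eq {$sender_host_address}{%s}}" % ip
                     for ip in sorted(exclude_ips))
    return "${if and { %s } {%d}{%d}}" % (tests, score, disabled)
```

The generated condition is deliberately a single line, since the SA-Exim config parser does not accept backslash continuation.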