COPYRIGHTS
----------
SA-Exim was written by Marc MERLIN <marc_soft@merlins.org>
You can find the latest version here:
http://sa-exim.sf.net/
or here:
http://marc.merlins.org/linux/exim/sa.html

greylisting was written by and is copyright Mark Lawrence <nomad@null.net>


INSTALL
-------
See the file named INSTALL for installation instructions (either compiled
in exim, or as a stand-alone shared library)

If you got sa-exim prepackaged (like on debian), you have to make sure that
your exim supports a dynamically loadable local_scan (which is true on debian
and probably on other distros too if they shipped sa-exim as a package), and
that your exim4.conf file contains the following:
local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so
If you are using the split configuration file on debian with the sa-exim deb
package, you'll be fine. If you're using the monolithic file, you are on your
own until/unless the sa-exim packages try to do an in-place edit (i.e. you have
to add the above configuration line yourself)


UPGRADING
---------
Deleting greylisting tuplets pre-4.2.1:
If you are installing this package yourself, and ever installed the old
greylistclean.cron which contained the complicated shell commands to clean
old tuplets, you should stop using those commands and upgrade to greylistclean.
Upgrading Greylisting.pm should also create safer tuplets without whitespace,
but it's better to get rid of the old shell cron jobs either way.


PRIVACY WARNING
---------------
SA-Exim can add a header with the list of recipients in an Email (including
Bcced folks).
X-SA-Exim-Rcpt-To is used to allow you to see who a spam went to easily (i.e.
without scanning the exim logs), and to write SpamAssassin rules on the envelope
To (like adding a score if there were too many recipients or a recipient who you
know only receives spam).
X-SA-Exim-Rcpt-To is not added anymore by default; you need to enable it by
setting SAmaxrcptlistlength to a value up to 8000, but if you do add it,
you should consider removing it in exim's system_filter or in a transport.
If SARewriteBody is true you should also consider setting
SAaddSAEheaderBeforeSA to false (see the config), as all the recipients
will be visible in the attached spam. Note that this disables the
ability to write SpamAssassin rules based on X-SA-Exim-Rcpt-From/To.
In real life, who a spam was sent to isn't really a problem, but it could be if
a private message is mis-categorized as spam.
Note however that if you disable X-SA-Exim-Rcpt-To by setting
SAmaxrcptlistlength to 0, you will not be able to use greylisting, which
depends on this header (however you'd still be welcome to remove the header in
system_filter).


CONFIGURATION
-------------
You should read sa-exim.conf; all the options there should be well
documented.

Note that the code will not act on any mail before it is flagged as SPAM by SA.

Having SA flag the mail however doesn't mean the code rejects it or throws
the alleged spam away; you control what you want to do depending on the score.
The only restriction is that things happen in this order (for increasing SA
scores):

- Save in SAnotspamsave if enabled
- Save in SAspamacceptsave if enabled
- Temporarily reject and optionally save if enabled
- Permanently reject and optionally save if enabled
- Accept, drop the mail, and optionally save if enabled
- Teergrube (i.e. stall) the sender to waste his resources (and yours)

Note that you cannot set a teergrube threshold of 12, and a permreject
threshold of 20 (not that it would make much sense anyway).
Threshold scores should decrease as you apply the highest to the lowest penalty
(i.e. the rules are run in this order: teergrube, devnull, permreject,
tempreject).

Now, as of SA-Exim 4.2, things get slightly more complicated as scores are
actually full exim conditions, and therefore you could have:
SAteergrube: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{127.0.0.2}} } {25}{1048576}}
This means that if your condition succeeds, the teergrube score is set to 25,
and if the condition fails, the teergrube score is set to 2^20, which for all
intents and purposes, disables teergrubing.
Regardless of what your scores end up being after the conditions are evaluated,
sa-exim still tests them in this order: teergrube, devnull, permreject,
tempreject.
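
As an added illustration (this is not SA-Exim code and not part of
sa-exim.conf), here is a small Python model of that test order: it evaluates
conditional scores the way the SAteergrube example above does, flags threshold
sets that break the "scores should decrease" rule (the 12/20 case), and picks
the action for a given SA score. The function names, the >= comparison and the
use of a Python callable to stand in for an exim ${if ...} condition are
assumptions of this example.

```python
# Added example, not SA-Exim's own code: a model of the action order that the
# CONFIGURATION section describes. Action names and the 2^20 "disabled" value
# are from the README; the function names, the >= comparison and the callable
# used in place of an exim condition are assumptions made for this model.
from typing import Callable, Dict, List, Optional, Union

# sa-exim tests the thresholds in this order, highest penalty first; the first
# threshold the score reaches wins.
ACTION_ORDER: List[str] = ["teergrube", "devnull", "permreject", "tempreject"]

# 2^20, the value the README's SAteergrube example falls back to in order to
# disable an action when its exim condition fails.
DISABLED = 1048576

# A configured score is either a plain number or, as of SA-Exim 4.2, a
# condition that yields a number. Exim's ${if ...}{25}{1048576} is modelled
# here as a Python callable taking the expansion variables.
ScoreSpec = Union[int, Callable[[Dict[str, str]], int]]


def resolve_thresholds(config: Dict[str, ScoreSpec],
                       expansion_vars: Dict[str, str]) -> Dict[str, int]:
    """Evaluate conditional scores for one message, like exim expanding the
    SA* options before sa-exim compares them."""
    resolved = {}
    for name in ACTION_ORDER:
        spec = config.get(name, DISABLED)
        resolved[name] = spec(expansion_vars) if callable(spec) else spec
    return resolved


def check_threshold_order(thresholds: Dict[str, int]) -> List[str]:
    """Report thresholds that break the 'scores should decrease' rule, e.g.
    teergrube 12 with permreject 20: anything scoring 20 already matched
    teergrube at 12, so permreject can never fire. Disabled actions are
    skipped because an action that never fires cannot shadow a later one."""
    problems = []
    prev_name, prev_score = None, None
    for name in ACTION_ORDER:
        score = thresholds.get(name, DISABLED)
        if score >= DISABLED:
            continue
        if prev_score is not None and score >= prev_score:
            problems.append(
                f"{name} threshold {score} is not below {prev_name} threshold "
                f"{prev_score}: {name} can never fire"
            )
        prev_name, prev_score = name, score
    return problems


def decide_action(sa_score: float, thresholds: Dict[str, int]) -> Optional[str]:
    """Return the action sa-exim would take for a message SA scored sa_score,
    or None when no threshold is reached (the mail is accepted, and saved in
    SAnotspamsave/SAspamacceptsave if those are enabled)."""
    for name in ACTION_ORDER:
        if sa_score >= thresholds.get(name, DISABLED):
            return name
    return None


# The README's SAteergrube example rewritten as a callable: teergrube at 25
# unless the sender is 127.0.0.1 or 127.0.0.2, in which case it is disabled.
# The other three thresholds are constructed values for this example.
EXAMPLE_CONFIG: Dict[str, ScoreSpec] = {
    "teergrube": lambda v: 25 if v.get("sender_host_address")
    not in ("127.0.0.1", "127.0.0.2") else DISABLED,
    "devnull": 20,
    "permreject": 15,
    "tempreject": 10,
}

if __name__ == "__main__":
    for sender in ("203.0.113.7", "127.0.0.1"):
        t = resolve_thresholds(EXAMPLE_CONFIG, {"sender_host_address": sender})
        print(sender, decide_action(30.0, t), check_threshold_order(t))
    # The misconfiguration the README warns about:
    print(check_threshold_order({"teergrube": 12, "permreject": 20}))
```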


CONFIGURING SPAMASSASSIN
------------------------
A good example of spamassassin configuration would be:

report_safe 0
use_terse_report 1 # for SA < 3.x

This will put a non-verbose SPAM-report in the headers, but leave the
message itself intact for easy analyzing and for easy feeding to
sa-learn when mis-flagged as spam or ham. The only way to see the
message is spam is by looking in the headers.

If you have an older version of SpamAssassin (<= 2.50), you'd probably
want to add 'report_header 1' to that list. But this is default and
un-needed in new versions of SA.

If you set 'report_safe' to a true value, you might also want to set
use_terse_report to a false value, in which case you'll get the long header,
which might be friendlier to your users.

For SA before 3.x, add 'always_add_report 1' to always have a spamcheck report
put in the message. This might be useful to test rules.
For SA 3.x onward, the syntax you'd want is:
add_header all Report _REPORT_

Since SA is usually configured to pass messages on that are beyond the SA
spam threshold, it can make sense to rewrite the subject line.
To achieve this, you would use this for SA 2.x:
rewrite_subject 1
subject_tag SPAM: _HITS_:

For SA 3.x, the syntax is:
rewrite_header Subject SPAM: _HITS_:


If you are using SA 2.50 or better, by default, you should probably set:
report_safe 0

Now, if you are willing to take a small speed and I/O hit, you can have
sa-exim read the body back from SA, and replace the original mail with
the new body.

You would use this if you want to set SA's report_safe to 1 or 2 (in
which case you also have to set SARewriteBody: 1 in SA-Exim's config).

Note that if you do so, unfortunately archived messages will have the
body modified by SA. This is not trivial to fix, so if you archive
anything, you may not want to use SARewriteBody.


Important:

You want to run spamd as such (you have to create the spamd user
yourself):

/usr/sbin/spamd -d -u spamd -H /var/spool/spamassassin/

It may not work if you run spamd with -c (debian default).
(You shouldn't run spamassassin as root for this purpose anyway; there
is no reason to, so why take the risk?)

You can edit this in /etc/default/spamassassin (debian) and probably
/etc/sysconfig/spamassassin (redhat)

With SA 3.x, the updated syntax would look like this:
/usr/sbin/spamd --max-children 50 --daemonize --username=spamd --nouser-config --helper-home-dir=/var/spool/spamassassin/



CONFIGURING EXIM4.CONF
----------------------
This code works without anything in the exim conf, but you probably want to use
some knobs to disable scanning for some users (like setting X-SA-Do-Not-Rej
or X-SA-Do-Not-Run in the rcpt ACL and removing those headers in the right
places).

See http://marc.merlins.org/linux/exim/#conf and more specifically
http://marc.merlins.org/linux/exim/exim4-conf/exim4.conf

Note that obviously if you set those headers, spammers can set them too, so
if you are concerned about this, you can either change the header name, or set
it to something other than 'Yes' and check for that value in sa-exim.conf
(or as a 3rd option, you can use exim ACL variables to pass values to SA-Exim
without generating headers; see the section contributed by Chirik, lower in
this file).



EXIM4 INTEGRATION / NOT SCANNING YOUR OWN MAILS
-----------------------------------------------
For a very complete exim4 config, including settings for SA, you should
look at sa-exim.conf and play with:

SAEximRunCond: ${if and{ \
                   {def:sender_host_address} \
                   {!eq {$sender_host_address}{127.0.0.1}} \
                   {!eq {$h_X-SA-Do-Not-Run:}{Yes}} \
                   } \
               {1}{0} \
               }

PLEASE NOTE: This conditional statement must be on one line. SA-Exim's
configfile parser does not support \-line continuation!!

You may also want to look at my exim4.conf config if you haven't done so yet:
http://marc.merlins.org/linux/exim/#conf

The check_rcpt ACL has:
  warn message = X-SA-Do-Not-Rej: Yes
       local_parts = +nosarej:postmaster:abuse

  warn message = X-SA-Do-Not-Run: Yes
       hosts = +relay_from_hosts

  warn message = X-SA-Do-Not-Run: Yes
       authenticated = *

Then, you'll want to strip SA headers for messages that aren't local.
This means you should strip them at least in the remote_smtp transport
with this configuration snippet:

# This is generally set on messages originating from local users and it tells
# SA-Exim not to scan the message or that the message was scanned.
# Let's remove these headers if the message is sent remotely
headers_remove = "X-SA-Do-Not-Run:X-SA-Exim-Scanned:X-SA-Exim-Mail-From:X-SA-Exim-Rcpt-To:X-SA-Exim-Connect-IP"


You can also use another option, which can't be spoofed by a spammer, but
won't show you why a mail didn't get scanned if it was sent to multiple
people (which is why I personally prefer the above, even if it's spoofable).

Contributed by Chirik <chirik@castlefur.com>:
----------------------------------------------------------------------------
I have the following:

SAEximRunCond: ${if !eq {$acl_m0}{do-not-scan} {1} {0}}
SAEximRejCond: ${if !eq {$acl_m0}{do-not-reject} {1} {0}}

Then, in my recipient ACL, I have:

  ##### Checks for postmaster or abuse - we'll scan, still, but not reject
  ##### Don't reject for certain users
  warn local_parts = postmaster : abuse
       set acl_m0 = do-not-reject

  ##### Check for situations we don't even scan (local mail)
  ##### Don't scan if hosts we relay for (probably dumb MUAs),
  warn hosts = +relay_from_hosts:127.0.0.1/8
       set acl_m0 = do-not-scan

  ##### Don't scan non-smtp connections (empty host list)
  warn hosts = :
       set acl_m0 = do-not-scan

  ##### Don't scan if authenticated
  warn authenticated = *
       set acl_m0 = do-not-scan
----------------------------------------------------------------------------



TEERGRUBING: SAteergrube
------------------------
The idea is for mail that you know for sure is spam (I use a threshold of 25),
you can stall the spammer for as long as possible by sending a continuation
line every 10 seconds:
451- wait for more output
451- wait for more output
451- wait for more output
(...)

You can go there for details:
http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html

What should you know?
1) This is obviously going to use up some of your resources
2) You should not teergrube SMTP servers that relay mail for you; be
   courteous (set a condition in SAteergrube like in the example
   provided). Besides, they are real mail relays, so they will diligently
   try to send you the spam over and over for days.
   (note that you should probably not teergrube mailing lists you subscribed
   to either, or you risk getting unsubscribed)
   See a sample in sa-exim.conf for example syntax.
3) Because of limitations in the current exim code, teergrubing will not work
   over TLS.
   This shouldn't be a problem since real spammers should not be using TLS,
   and you shouldn't teergrube relays that do TLS with you.
   If you do teergrube a TLS connection, it will break the connection and you
   will see this in your logs:
   18640m-0000Vb-00 SSL_write error 5
   TLS error (SSL_write): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
   This is not ideal, but in real life, that's ok.



GREYLISTING
-----------
See README.greylisting



READING ARCHIVED SPAMS
----------------------
Spams are optionally saved in individual files in a 'new' subdirectory
of some place like /var/spool/sa-exim/SAteergrube.

There are two ways to read them:
1) cat new/* > /tmp/mailbox, and use the resulting file as a standard
   mbox file with any mail client (if SAPrependArchiveWithFrom is true)
2) Use a maildir capable mail client, like mutt, and run something like
   'mutt -f /var/spool/sa-exim/SAteergrube'. This will read the messages in
   place, since what sa-exim creates looks like a valid Maildir spool.

If you configured SA-Exim to set X-SA-Exim-Rcpt-To, you can even resend
archived refused messages to the users they were meant for.

Note that sa-exim runs with the same uid/gid as the exim daemon (something
like mail, exim, or Debian-Exim), so /var/spool/sa-exim/SAteergrube must exist
and be writeable by exim.
SA-Exim will then create (sub-)directories with the permissions 0770 as
needed (those permissions aren't a configuration option, but you can change
them after the fact or pre-create the directories with the permissions of your
choice).
Files are created with 0664 permissions so that anyone who has directory access
can read (and maybe write) the files.
If you chgrp the parent 'new' directory to a group of your choice, and give it
permissions 2770 or 2775, the files will be created with that group instead of
the default exim group.



LOG AND SMTP OUTPUT
-------------------
As of SA-Exim 3.0, SMTP output does not contain the spam score anymore,
and you can change the messages or re-add the score by changing the
runtime SAmsg* variables.

All SA-Exim log lines now look like this:
- "SA: PANIC: " -> severe errors
- "SA: Warning: " -> config file parsing errors
- "SA: Notice: " -> misc info on what SA-Exim is doing or not doing
- "SA: Action: " -> what action SA-Exim took on a mail after scanning
- "SA: Debug[X]: " -> misc debug info if enabled
343 | Marin Balvers has written a nice log parser here: |
343 | Marin Balvers has written a nice log parser here: |
344 | http://nossie.addicts.nl/projects/sa-exim-stats/ |
344 | http://nossie.addicts.nl/projects/sa-exim-stats/ |
345 | 345 | ||
346 | 346 | ||
347 | 347 | ||
FAQ
---
Why do I get this in my exim logs?

2004-05-15 12:43:57 1BP54T-0002gV-Nu TLS send error on connection from internalmx1.company.tld (internalmx.company.tld) [192.168.1.1]:51552: Error in the push function.
2004-05-15 12:43:57 TLS recv error on connection from internalmx1.company.tld (internalmx.company.tld)
[192.168.1.1]:51552: The specified session has been invalidated for some reason.

This is because you are teergrubing a host that is doing TLS. Teergrubing does
not work with TLS, and people doing TLS with you are probably known relays which
you should exclude from your teergrube list (SAteergrubecond).