Rev 67 | Rev 76 | ||
---|---|---|---|
1 | ******************************** |
1 | ******************************** |
2 | * SHOULD YOU USE THIS PACKAGE? * |
2 | * SHOULD YOU USE THIS PACKAGE? * |
3 | ******************************** |
3 | ******************************** |
4 | 4 | ||
5 | Since version 4.50, Exim has the content-scanning extension formerly |
5 | Since version 4.50, Exim has the content-scanning extension formerly |
6 | known as "exiscan" built-in. It has a number of advantages and |
6 | known as "exiscan" built-in. It has a number of advantages and |
7 | disadvantages compared to SA-Exim. |
7 | disadvantages compared to SA-Exim. |
8 | 8 | ||
9 | Advantages of built-in content-scanning interface: |
9 | Advantages of built-in content-scanning interface: |
10 | 10 | ||
11 | * One less configuration file to edit. |
11 | * One less configuration file to edit. |
12 | * Spam control policy integrates better with Exim's ACL system. |
12 | * Spam control policy integrates better with Exim's ACL system. |
13 | * It's possible to tell SA which user to scan for (the -u parameter of |
13 | * It's possible to tell SA which user to scan for (the -u parameter of |
14 | spamc). SA-Exim can't do that (yet). |
14 | spamc). SA-Exim can't do that (yet). |
15 | * Finer control over the mail header is possible, but not in a clean |
15 | * Finer control over the mail header is possible, but not in a clean |
16 | way (it involves putting all header fields you might possibly want |
16 | way (it involves putting all header fields you might possibly want |
17 | to add in the report template, and using rather complicated |
17 | to add in the report template, and using rather complicated |
18 | expansion expressions to extract the wanted ones from |
18 | expansion expressions to extract the wanted ones from |
19 | $spam_report). At any rate, you can choose a prefix different from |
19 | $spam_report). At any rate, you can choose a prefix different from |
20 | "X-Spam-". |
20 | "X-Spam-". |
21 | 21 | ||
22 | Advantages of SA-Exim: |
22 | Advantages of SA-Exim: |
23 | 23 | ||
24 | * It is possible to use the report_safe feature, which turns mail |
24 | * It is possible to use the report_safe feature, which turns mail |
25 | deemed to be spam into a message/rfc822 attachment of a report |
25 | deemed to be spam into a message/rfc822 attachment of a report |
26 | message. (Note however that if you do, then any X-SA-* fields added |
26 | message. (Note however that if you do, then any X-SA-* fields added |
27 | to help the greylisting module can't be removed.) |
27 | to help the greylisting module can't be removed.) |
28 | * All the add_header and rewrite_header options in |
28 | * All the add_header and rewrite_header options in |
29 | /etc/spamassassin/local.cf will be obeyed. In other words, |
29 | /etc/spamassassin/local.cf will be obeyed. In other words, |
30 | everything will be *almost* as if you filtered the mail through |
30 | everything will be *almost* as if you filtered the mail through |
31 | spamassassin on the command line. |
31 | spamassassin on the command line. |
32 | * So-called teergrubing ("tarpitting") is possible in a way that |
32 | * So-called teergrubing ("tarpitting") is possible in a way that |
33 | isn't possible with exiscan (I'm not in any way saying that it |
33 | isn't possible with exiscan (I'm not in any way saying that it |
34 | works as a counterattack against spammers). |
34 | works as a counterattack against spammers). |
35 | * You can simply add the sa-exim package to a standard exim4 |
35 | * You can simply add the sa-exim package to a standard exim4 |
36 | installation and it should, in principle, instantly work (except |
36 | installation and it should, in principle, instantly work (except |
37 | you have to uncomment one line in sa-exim.conf). |
37 | you have to uncomment one line in sa-exim.conf). |
38 | 38 | ||
39 | Both alternatives enable you to defer, greylist, reject, and blackhole |
39 | Both alternatives enable you to defer, greylist, reject, and blackhole |
40 | mail, optionally saving copies, at configurable score levels. |
40 | mail, optionally saving copies, at configurable score levels. |
41 | 41 | ||
42 | ***************** |
42 | ***************** |
43 | * CONFIGURATION * |
43 | * CONFIGURATION * |
44 | ***************** |
44 | ***************** |
45 | 45 | ||
46 | This version of the sa-exim package defaults to placing a configuration |
46 | This version of the sa-exim package defaults to placing a configuration |
47 | sniplet in /etc/exim4/conf.d/. Depending on what you have answered to the |
47 | sniplet in /etc/exim4/conf.d/. Depending on what you have answered to the |
48 | DebConf questions while configuring Exim4, the module will be loaded |
48 | DebConf questions while configuring Exim4, the module will be loaded |
49 | automatically, or human intervention is required. |
49 | automatically, or human intervention is required. |
50 | 50 | ||
51 | To find out what configuration file Exim4 is using, issue: |
51 | To find out what configuration file Exim4 is using, issue: |
52 | 52 | ||
53 | $ exim4 -bV | tail -1 |
53 | $ exim4 -bV | tail -1 |
54 | Configuration file is /path/to/configfile |
54 | Configuration file is /path/to/configfile |
55 | 55 | ||
56 | If /path/to/configfile shows: |
56 | If /path/to/configfile shows: |
57 | 57 | ||
58 | - /etc/exim4/exim4.conf |
58 | - /etc/exim4/exim4.conf |
59 | You are using the hand-crafted configuration file. |
59 | You are using the hand-crafted configuration file. |
60 | See the 'HAND-CRAFTED' section below. |
60 | See the 'HAND-CRAFTED' section below. |
61 | 61 | ||
62 | - /var/lib/exim4/config.autogenerated |
62 | - /var/lib/exim4/config.autogenerated |
63 | You are using the debianized configuration scheme - with either |
63 | You are using the debianized configuration scheme - with either |
64 | 'split' or 'unsplit' configuration file. |
64 | 'split' or 'unsplit' configuration file. |
65 | See the 'DEBIANIZED' section below. |
65 | See the 'DEBIANIZED' section below. |
66 | 66 | ||
67 | 67 | ||
68 | HAND-CRAFTED |
68 | HAND-CRAFTED |
69 | ------------ |
69 | ------------ |
70 | 70 | ||
71 | Use 'grep "local_scan_path" /etc/exim4/exim4.conf" to see if the sa-exim |
71 | Use 'grep "local_scan_path" /etc/exim4/exim4.conf" to see if the sa-exim |
72 | line is included in the configuration. If grep returns something, check |
72 | line is included in the configuration. If grep returns something, check |
73 | if it matches the following line. If grep returns nothing, you have to |
73 | if it matches the following line. If grep returns nothing, you have to |
74 | manually add the following line to the exim4.conf file and restart exim4. |
74 | manually add the following line to the exim4.conf file and restart exim4. |
75 | 75 | ||
76 | local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so |
76 | local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so |
77 | 77 | ||
78 | Change or add the line above and manually restart exim4 by issuing |
78 | Change or add the line above and manually restart exim4 by issuing |
79 | 'invoke-rc.d exim4 reload' or '/etc/init.d/exim4 reload' as root. |
79 | 'invoke-rc.d exim4 reload' or '/etc/init.d/exim4 reload' as root. |
80 | 80 | ||
81 | 81 | ||
82 | DEBIANIZED |
82 | DEBIANIZED |
83 | ---------- |
83 | ---------- |
84 | 84 | ||
85 | Use 'grep "local_scan_path" /var/lib/exim4/config.autogenerated' to |
85 | Use 'grep "local_scan_path" /var/lib/exim4/config.autogenerated' to |
86 | see if the sa-exim line is included in the configuration. If grep |
86 | see if the sa-exim line is included in the configuration. If grep |
87 | returns something, you're set and already using the sa-exim module. If |
87 | returns something, you're set and already using the sa-exim module. If |
88 | grep returns nothing, we need to figure out a few things: |
88 | grep returns nothing, we need to figure out a few things: |
89 | 89 | ||
90 | Issue: |
90 | Issue: |
91 | $ grep "use_split_config" /etc/exim4/update-exim4.conf.conf |
91 | $ grep "use_split_config" /etc/exim4/update-exim4.conf.conf |
92 | dc_use_split_config='true' |
92 | dc_use_split_config='true' |
93 | 93 | ||
94 | If your result shows 'false' where mine shows 'true', then you're |
94 | If your result shows 'false' where mine shows 'true', then you're |
95 | using the unsplit configuration, generated from |
95 | using the unsplit configuration, generated from |
96 | /etc/exim4/exim4.conf.template. If you haven't customized that file |
96 | /etc/exim4/exim4.conf.template. If you haven't customized that file |
97 | you could edit /etc/exim4/update-exim4.conf.conf by hand, change the |
97 | you could edit /etc/exim4/update-exim4.conf.conf by hand, change the |
98 | 'false' to 'true' and issue 'update-exim4.conf' as root. Then, check |
98 | 'false' to 'true' and issue 'update-exim4.conf' as root. Then, check |
99 | again if the sa-exim module line is included. It should. If it still |
99 | again if the sa-exim module line is included. It should. If it still |
100 | isn't: mail me. If it is, restart exim4 by issuing 'invoke-rc.d exim4 |
100 | isn't: mail me. If it is, restart exim4 by issuing 'invoke-rc.d exim4 |
101 | restart' or '/etc/init.d/exim4 restart' as root. If you *have* |
101 | restart' or '/etc/init.d/exim4 restart' as root. If you *have* |
102 | customized /etc/exim4/exim4.conf.template, then you'd better stick |
102 | customized /etc/exim4/exim4.conf.template, then you'd better stick |
103 | with the unsplit configuration scheme and add the local_scan_path |
103 | with the unsplit configuration scheme and add the local_scan_path |
104 | setting by hand, like with the hand-crafted configuration file. |
104 | setting by hand, like with the hand-crafted configuration file. |
105 | 105 | ||
106 | 106 | ||
107 | *************** |
107 | *************** |
108 | * GREYLISTING * |
108 | * GREYLISTING * |
109 | *************** |
109 | *************** |
110 | 110 | ||
111 | Greylisting is implemented as a SpamAssassin module. To enable it you |
111 | Greylisting is implemented as a SpamAssassin module. To enable it you |
112 | need to add the following five lines to your SpamAssassin |
112 | need to add the following five lines to your SpamAssassin |
113 | configuration: |
113 | configuration: |
114 | 114 | ||
115 | loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm |
115 | loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm |
116 | 116 | ||
117 | header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )") |
117 | header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )") |
118 | describe GREYLIST_ISWHITE The incoming server has been whitelisted for this recipient and sender |
118 | describe GREYLIST_ISWHITE The incoming server has been whitelisted for this recipient and sender |
119 | score GREYLIST_ISWHITE -1.5 |
119 | score GREYLIST_ISWHITE -1.5 |
120 | priority GREYLIST_ISWHITE 99999 |
120 | priority GREYLIST_ISWHITE 99999 |
121 | 121 | ||
122 | (It is a long-standing bug that the module is installed in the wrong |
122 | (It is a long-standing bug that the module is installed in the wrong |
123 | directory, which is why the full path has to be specified on the |
123 | directory, which is why the full path has to be specified on the |
124 | loadplugin line, but fixing it is probably not worth the disruption of |
124 | loadplugin line, but fixing it is probably not worth the disruption of |
125 | existing installations.) |
125 | existing installations.) |
126 | 126 | ||
127 | If two messages from the same /24 network (or IP address, depending on |
127 | If two messages from the same /24 IPv4 network or /64 IPv6 network (or |
128 | greylistfourthbyte), with the same sender, with the same list of |
128 | individual IP address, depending on greylistfourthbyte), with the same |
129 | recipient, and with a score below dontgreylistthreshold are seen at |
129 | sender, with the same list of recipient, and with a score below |
130 | least greylistsecs apart, the triplet will be whitelisted and the |
130 | dontgreylistthreshold are seen at least greylistsecs apart, the |
- | 131 | triplet will be whitelisted and the GREYLIST_ISWHITE rule will be |
|
131 | GREYLIST_ISWHITE rule will be considered to match thenceforth. That |
132 | considered to match thenceforth. That will signal to the local_scan |
132 | will signal to the local_scan library to raise SAtempreject to let the |
133 | library to raise SAtempreject to let the message through, in addition |
133 | message through, in addition to the negative spam score it carries. |
134 | to the negative spam score it carries. |
134 | 135 | ||
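Review bot: The reworded sentence (new lines 127-129) now covers both "/24 IPv4 network or /64 IPv6 network" and "individual IP address, depending on greylistfourthbyte", but nowhere says which value of greylistfourthbyte selects which behaviour, or what an option named after the fourth byte of an IPv4 address does for an IPv6 sender. The sample rule at line 117 sets 'greylistfourthbyte' => 0 without comment, so a reader cannot tell whether that configuration whitelists a whole /64 or a single host. Please add one sentence giving the mapping for both address families. While the paragraph is being reflowed, "the same list of recipient" should read "recipients".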
135 | Notice that messages can be permanently rejected (score above |
136 | Notice that messages can be permanently rejected (score above |
136 | SApermreject) and still get a triplet whitelisted if the score is |
137 | SApermreject) and still get a triplet whitelisted if the score is |
137 | below dontgreylistthreshold. If dontgreylistthreshold or SAtempreject |
138 | below dontgreylistthreshold. If dontgreylistthreshold or SAtempreject |
138 | + SAgreylistraisetempreject are less than SApermreject, some mail may |
139 | + SAgreylistraisetempreject are less than SApermreject, some mail may |
139 | be temporarily rejected indefinitely. |
140 | be temporarily rejected indefinitely. |
140 | 141 | ||
141 | See README.Greylisting for more details. |
142 | See README.Greylisting for more details. |
142 | 143 | ||
143 | *********************** |
144 | *********************** |
144 | * SPAMD CONFIGURATION * |
145 | * SPAMD CONFIGURATION * |
145 | *********************** |
146 | *********************** |
146 | 147 | ||
147 | By default, spamd runs as root and assumes the identity of the user it |
148 | By default, spamd runs as root and assumes the identity of the user it |
148 | is told it is scanning mail on behalf of by whoever connects to it |
149 | is told it is scanning mail on behalf of by whoever connects to it |
149 | (see README.spamd.gz in the spamassassin package for a discussion on |
150 | (see README.spamd.gz in the spamassassin package for a discussion on |
150 | security). When SA-Exim runs spamc, this user will normally be |
151 | security). When SA-Exim runs spamc, this user will normally be |
151 | Debian-exim. You can set the SAspamcUser option in sa-exim.conf to |
152 | Debian-exim. You can set the SAspamcUser option in sa-exim.conf to |
152 | override this, but since a mail can have multiple recipients and is |
153 | override this, but since a mail can have multiple recipients and is |
153 | only scanned once, per-user setups are problematic. Also, the |
154 | only scanned once, per-user setups are problematic. Also, the |
154 | greylisting module won't work unless all users can write to the |
155 | greylisting module won't work unless all users can write to the |
155 | tuplets directory. |
156 | tuplets directory. |
156 | 157 | ||
157 | Thus, when using SpamAssassin together with SA-Exim you may want to |
158 | Thus, when using SpamAssassin together with SA-Exim you may want to |
158 | run spamd under a specific system account by modifying the OPTIONS |
159 | run spamd under a specific system account by modifying the OPTIONS |
159 | variable in /etc/default/spamassassin to include a --username option. |
160 | variable in /etc/default/spamassassin to include a --username option. |
160 | However, if you ONLY use SpamAssassin with SA-Exim this is in practice |
161 | However, if you ONLY use SpamAssassin with SA-Exim this is in practice |
161 | not strictly necessary. |
162 | not strictly necessary. |
162 | 163 | ||
163 | You should NOT run spamd as the "nobody" user and/or the "nogroup" |
164 | You should NOT run spamd as the "nobody" user and/or the "nogroup" |
164 | group if you configure SpamAssassin to use sa-exim's greylisting |
165 | group if you configure SpamAssassin to use sa-exim's greylisting |
165 | module, the bayesian classifier, or any helper module that needs to |
166 | module, the bayesian classifier, or any helper module that needs to |
166 | write files, because nobody/nogroup should be completely unprivileged |
167 | write files, because nobody/nogroup should be completely unprivileged |
167 | and thus not own any files. Instead you should create a dedicated |
168 | and thus not own any files. Instead you should create a dedicated |
168 | account to run spamd under. You can then adjust the ownership of |
169 | account to run spamd under. You can then adjust the ownership of |
169 | /var/spool/sa-exim/tuplets and the username in |
170 | /var/spool/sa-exim/tuplets and the username in |
170 | /etc/cron.d/greylistclean accordingly. |
171 | /etc/cron.d/greylistclean accordingly. |
171 | 172 | ||
172 | *********************************** |
173 | *********************************** |
173 | * PROBLEMS WITH BAYES AUTO-EXPIRY * |
174 | * PROBLEMS WITH BAYES AUTO-EXPIRY * |
174 | *********************************** |
175 | *********************************** |
175 | 176 | ||
176 | When scanning mail during the SMTP dialogue there is somewhat limited |
177 | When scanning mail during the SMTP dialogue there is somewhat limited |
177 | time before the remote host gives up, even if they should wait for at |
178 | time before the remote host gives up, even if they should wait for at |
178 | least ten minutes. To avoid Exim returning a temporary error status, |
179 | least ten minutes. To avoid Exim returning a temporary error status, |
179 | or the remote host giving up prematurely and in some cases for good, |
180 | or the remote host giving up prematurely and in some cases for good, |
180 | SA-Exim overrides Exim's timeout handler and accepts the message if |
181 | SA-Exim overrides Exim's timeout handler and accepts the message if |
181 | SpamAssassin takes too long, by default 240 seconds. |
182 | SpamAssassin takes too long, by default 240 seconds. |
182 | 183 | ||
183 | Using SpamAssassin's Bayesian learning module means that it will |
184 | Using SpamAssassin's Bayesian learning module means that it will |
184 | automatically expire old tokens when its database has grown too large. |
185 | automatically expire old tokens when its database has grown too large. |
185 | That can take several minutes. If it takes too long, SA-Exim will |
186 | That can take several minutes. If it takes too long, SA-Exim will |
186 | abort it, meaning that SpamAssassin will run auto-expiry again next |
187 | abort it, meaning that SpamAssassin will run auto-expiry again next |
187 | time, and be aborted, and so on... |
188 | time, and be aborted, and so on... |
188 | 189 | ||
189 | If this happens, you have a few remedies: |
190 | If this happens, you have a few remedies: |
190 | 191 | ||
191 | 1) Set SAtimeout to a higher value in /etc/exim4/sa-exim.conf. |
192 | 1) Set SAtimeout to a higher value in /etc/exim4/sa-exim.conf. |
192 | 193 | ||
193 | 2) Run sa-learn --force-expire periodically. How you run it depends on |
194 | 2) Run sa-learn --force-expire periodically. How you run it depends on |
194 | how you've configured SpamAssassin. Running it as Debian-exim may |
195 | how you've configured SpamAssassin. Running it as Debian-exim may |
195 | be sufficient. |
196 | be sufficient. |
196 | 197 | ||
197 | 2 a) In addition, you can add |
198 | 2 a) In addition, you can add |
198 | 199 | ||
199 | bayes_auto_expire 0 |
200 | bayes_auto_expire 0 |
200 | 201 | ||
201 | to /etc/spamassassin/local.cf. This may not be a good idea if |
202 | to /etc/spamassassin/local.cf. This may not be a good idea if |
202 | SpamAssassin, for whatever reason, is also used as a more |
203 | SpamAssassin, for whatever reason, is also used as a more |
203 | traditional filter from e.g. .procmailrc, as all users will need to |
204 | traditional filter from e.g. .procmailrc, as all users will need to |
204 | run sa-learn --force-expire then. |
205 | run sa-learn --force-expire then. |
205 | 206 | ||
206 | 2 b) If you get a lot of mail, consider adding |
207 | 2 b) If you get a lot of mail, consider adding |
207 | 208 | ||
208 | bayes_learn_to_journal 1 |
209 | bayes_learn_to_journal 1 |
209 | 210 | ||
210 | to local.cf. See the Mail::SpamAssassin::Conf(3) manual page for |
211 | to local.cf. See the Mail::SpamAssassin::Conf(3) manual page for |
211 | more information. |
212 | more information. |
212 | 213 | ||
213 | ********************************** |
214 | ********************************** |
214 | * NOTICE ABOUT SPAMC CONFIG FILE * |
215 | * NOTICE ABOUT SPAMC CONFIG FILE * |
215 | ********************************** |
216 | ********************************** |
216 | 217 | ||
217 | Recent versions of spamc can read command-line parameters and switches |
218 | Recent versions of spamc can read command-line parameters and switches |
218 | from a configuration file called /etc/spamassassin/spamc.conf. If that |
219 | from a configuration file called /etc/spamassassin/spamc.conf. If that |
219 | file specifies conflicting options, it will prevent SA-Exim from |
220 | file specifies conflicting options, it will prevent SA-Exim from |
220 | working. For now, you'll have to make sure that it doesn't. |
221 | working. For now, you'll have to make sure that it doesn't. |
221 | 222 | ||
222 | -- Magnus Holmgren <holmgren@debian.org>, Sun, 18 Sep 2011 00:11:18 +0200 |
223 | -- Magnus Holmgren <holmgren@debian.org>, Fri, 22 Jul 2016 09:58:32 +0200 |