Subversion Repositories


Rev 46 Rev 67
Line 101... Line 101...
101
restart' or '/etc/init.d/exim4 restart' as root. If you *have*
101
restart' or '/etc/init.d/exim4 restart' as root. If you *have*
102
customized /etc/exim4/exim4.conf.template, then you'd better stick
102
customized /etc/exim4/exim4.conf.template, then you'd better stick
103
with the unsplit configuration scheme and add the local_scan_path
103
with the unsplit configuration scheme and add the local_scan_path
104
setting by hand, like with the hand-crafted configuration file.
104
setting by hand, like with the hand-crafted configuration file.
105
105
106
Next, read all about greylisting and sa-exim:
-
 
107
106
108
***************
107
***************
109
* GREYLISTING *
108
* GREYLISTING *
110
***************
109
***************
111
Notes on greylisting with sa-exim.
-
 
112
110
113
If you use SpamAssassin 3.0 or better, you do not need to patch it, you
111
Greylisting is implemented as a SpamAssassin module. To enable it you
114
can just use the Greylisting module shipped with sa-exim. 
112
need to add the following five lines to your SpamAssassin
-
 
113
configuration:
-
 
114
-
 
115
loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm
-
 
116
115
The only thing you need to do to enable it, is to copy the 4 lines below
117
header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )")
-
 
118
describe GREYLIST_ISWHITE The incoming server has been whitelisted for this recipient and sender
-
 
119
score GREYLIST_ISWHITE  -1.5
-
 
120
priority GREYLIST_ISWHITE 99999
-
 
121
-
 
122
(It is a long-standing bug that the module is installed in the wrong
-
 
123
directory, which is why the full path has to be specified on the
116
loadplugin in the greylisting README, and adjust the score if you wish (see
124
loadplugin line, but fixing it is probably not worth the disruption of
-
 
125
existing installations.)
-
 
126
-
 
127
If two messages from the same /24 network (or IP address, depending on
-
 
128
greylistfourthbyte), with the same sender, with the same list of
-
 
129
recipient, and with a score below dontgreylistthreshold are seen at
-
 
130
least greylistsecs apart, the triplet will be whitelisted and the
-
 
131
GREYLIST_ISWHITE rule will be considered to match thenceforth. That
-
 
132
will signal to the local_scan library to raise SAtempreject to let the
-
 
133
message through, in addition to the negative spam score it carries.
-
 
134
-
 
135
Notice that messages can be permanently rejected (score above
-
 
136
SApermreject) and still get a triplet whitelisted if the score is
-
 
137
below dontgreylistthreshold. If dontgreylistthreshold or SAtempreject
-
 
138
+ SAgreylistraisetempreject are less than SApermreject, some mail may
-
 
139
be temporarily rejected indefinitely.
-
 
140
117
README.Greylisting for details).
141
See README.Greylisting for more details.
-
 
142
-
 
143
***********************
-
 
144
* SPAMD CONFIGURATION *
-
 
145
***********************
-
 
146
-
 
147
By default, spamd runs as root and assumes the identity of the user it
-
 
148
is told it is scanning mail on behalf of by whoever connects to it
-
 
149
(see README.spamd.gz in the spamassassin package for a discussion on
-
 
150
security). When SA-Exim runs spamc, this user will normally be
-
 
151
Debian-exim. You can set the SAspamcUser option in sa-exim.conf to
-
 
152
override this, but since a mail can have multiple recipients and is
-
 
153
only scanned once, per-user setups are problematic. Also, the
-
 
154
greylisting module won't work unless all users can write to the
-
 
155
tuplets directory.
-
 
156
-
 
157
Thus, when using SpamAssassin together with SA-Exim you may want to
-
 
158
run spamd under a specific system account by modifying the OPTIONS
-
 
159
variable in /etc/default/spamassassin to include a --username option.
-
 
160
However, if you ONLY use SpamAssassin with SA-Exim this is in practice
-
 
161
not strictly necessary.
-
 
162
-
 
163
You should NOT run spamd as the "nobody" user and/or the "nogroup"
-
 
164
group if you configure SpamAssassin to use sa-exim's greylisting
-
 
165
module, the bayesian classifier, or any helper module that needs to
-
 
166
write files, because nobody/nogroup should be completely unprivileged
-
 
167
and thus not own any files. Instead you should create a dedicated
-
 
168
account to run spamd under. You can then adjust the ownership of
-
 
169
/var/spool/sa-exim/tuplets and the username in
-
 
170
/etc/cron.d/greylistclean accordingly.
118
171
119
***********************************
172
***********************************
120
* PROBLEMS WITH BAYES AUTO-EXPIRY *
173
* PROBLEMS WITH BAYES AUTO-EXPIRY *
121
***********************************
174
***********************************
122
175
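Review bot: The SPAMD CONFIGURATION paragraph at new lines 153-155 says the greylisting module "won't work unless all users can write to the tuplets directory" but never states what owner and mode /var/spool/sa-exim/tuplets is expected to have, and the remedy at new lines 167-170 ("adjust the ownership ... accordingly") is just as unspecific. Because the same section describes spamd as running as root by default and assuming the identity of whichever user it is told about, a reader can satisfy that sentence by making the directory world-writable. I would state explicitly that the dedicated spamd account should be the owner of the directory, together with the matching username in /etc/cron.d/greylistclean. Two smaller points in the same hunk: "the same list of recipient" (new lines 128-129) should read "recipients", and the condition at new lines 137-138 ("If dontgreylistthreshold or SAtempreject + SAgreylistraisetempreject are less than SApermreject") does not make clear whether either value or both must be lower.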
Line 164... Line 217...
164
Recent versions of spamc can read command-line parameters and switches
217
Recent versions of spamc can read command-line parameters and switches
165
from a configuration file called /etc/spamassassin/spamc.conf. If that
218
from a configuration file called /etc/spamassassin/spamc.conf. If that
166
file specifies conflicting options, it will prevent SA-Exim from 
219
file specifies conflicting options, it will prevent SA-Exim from 
167
working. For now, you'll have to make sure that it doesn't.
220
working. For now, you'll have to make sure that it doesn't.
168
221
169
 -- Magnus Holmgren <holmgren@debian.org>, Tue, 24 Jun 2008 14:27:59 +0200
222
 -- Magnus Holmgren <holmgren@debian.org>, Sun, 18 Sep 2011 00:11:18 +0200
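Review bot: The signature date at new line 222 moves from 2008 to 2011, yet the spamc.conf paragraph above it (new lines 217-220) is carried over unchanged and still says "Recent versions" and "For now" without naming which options in /etc/spamassassin/spamc.conf conflict with SA-Exim. Listing the conflicting options, or saying how to check for them, would make the warning actionable.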