Rev 46 | Rev 67 | ||
---|---|---|---|
Line 101... | Line 101... | ||
101 | restart' or '/etc/init.d/exim4 restart' as root. If you *have* |
101 | restart' or '/etc/init.d/exim4 restart' as root. If you *have* |
102 | customized /etc/exim4/exim4.conf.template, then you'd better stick |
102 | customized /etc/exim4/exim4.conf.template, then you'd better stick |
103 | with the unsplit configuration scheme and add the local_scan_path |
103 | with the unsplit configuration scheme and add the local_scan_path |
104 | setting by hand, like with the hand-crafted configuration file. |
104 | setting by hand, like with the hand-crafted configuration file. |
105 | 105 | ||
106 | Next, read all about greylisting and sa-exim: |
- | |
107 | 106 | ||
108 | *************** |
107 | *************** |
109 | * GREYLISTING * |
108 | * GREYLISTING * |
110 | *************** |
109 | *************** |
111 | Notes on greylisting with sa-exim. |
- | |
112 | 110 | ||
113 | If you use SpamAssassin 3.0 or better, you do not need to patch it, you |
111 | Greylisting is implemented as a SpamAssassin module. To enable it you |
114 | can just use the Greylisting module shipped with sa-exim. |
112 | need to add the following five lines to your SpamAssassin |
- | 113 | configuration: |
|
- | 114 | ||
- | 115 | loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm |
|
- | 116 | ||
115 | The only thing you need to do to enable it, is to copy the 4 lines below |
117 | header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )") |
- | 118 | describe GREYLIST_ISWHITE The incoming server has been whitelisted for this recipient and sender |
|
- | 119 | score GREYLIST_ISWHITE -1.5 |
|
- | 120 | priority GREYLIST_ISWHITE 99999 |
|
- | 121 | ||
- | 122 | (It is a long-standing bug that the module is installed in the wrong |
|
- | 123 | directory, which is why the full path has to be specified on the |
|
116 | loadplugin in the greylisting README, and adjust the score if you wish (see |
124 | loadplugin line, but fixing it is probably not worth the disruption of |
- | 125 | existing installations.) |
|
- | 126 | ||
- | 127 | If two messages from the same /24 network (or IP address, depending on |
|
- | 128 | greylistfourthbyte), with the same sender, with the same list of |
|
- | 129 | recipient, and with a score below dontgreylistthreshold are seen at |
|
- | 130 | least greylistsecs apart, the triplet will be whitelisted and the |
|
- | 131 | GREYLIST_ISWHITE rule will be considered to match thenceforth. That |
|
- | 132 | will signal to the local_scan library to raise SAtempreject to let the |
|
- | 133 | message through, in addition to the negative spam score it carries. |
|
- | 134 | ||
- | 135 | Notice that messages can be permanently rejected (score above |
|
- | 136 | SApermreject) and still get a triplet whitelisted if the score is |
|
- | 137 | below dontgreylistthreshold. If dontgreylistthreshold or SAtempreject |
|
- | 138 | + SAgreylistraisetempreject are less than SApermreject, some mail may |
|
- | 139 | be temporarily rejected indefinitely. |
|
- | 140 | ||
117 | README.Greylisting for details). |
141 | See README.Greylisting for more details. |
- | 142 | ||
- | 143 | *********************** |
|
- | 144 | * SPAMD CONFIGURATION * |
|
- | 145 | *********************** |
|
- | 146 | ||
- | 147 | By default, spamd runs as root and assumes the identity of the user it |
|
- | 148 | is told it is scanning mail on behalf of by whoever connects to it |
|
- | 149 | (see README.spamd.gz in the spamassassin package for a discussion on |
|
- | 150 | security). When SA-Exim runs spamc, this user will normally be |
|
- | 151 | Debian-exim. You can set the SAspamcUser option in sa-exim.conf to |
|
- | 152 | override this, but since a mail can have multiple recipients and is |
|
- | 153 | only scanned once, per-user setups are problematic. Also, the |
|
- | 154 | greylisting module won't work unless all users can write to the |
|
- | 155 | tuplets directory. |
|
- | 156 | ||
- | 157 | Thus, when using SpamAssassin together with SA-Exim you may want to |
|
- | 158 | run spamd under a specific system account by modifying the OPTIONS |
|
- | 159 | variable in /etc/default/spamassassin to include a --username option. |
|
- | 160 | However, if you ONLY use SpamAssassin with SA-Exim this is in practice |
|
- | 161 | not strictly necessary. |
|
- | 162 | ||
- | 163 | You should NOT run spamd as the "nobody" user and/or the "nogroup" |
|
- | 164 | group if you configure SpamAssassin to use sa-exim's greylisting |
|
- | 165 | module, the bayesian classifier, or any helper module that needs to |
|
- | 166 | write files, because nobody/nogroup should be completely unprivileged |
|
- | 167 | and thus not own any files. Instead you should create a dedicated |
|
- | 168 | account to run spamd under. You can then adjust the ownership of |
|
- | 169 | /var/spool/sa-exim/tuplets and the username in |
|
- | 170 | /etc/cron.d/greylistclean accordingly. |
|
118 | 171 | ||
119 | *********************************** |
172 | *********************************** |
120 | * PROBLEMS WITH BAYES AUTO-EXPIRY * |
173 | * PROBLEMS WITH BAYES AUTO-EXPIRY * |
121 | *********************************** |
174 | *********************************** |
122 | 175 | ||
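Review bot: In the new SPAMD CONFIGURATION section (new lines 157-161), the advice to run spamd under a dedicated account is immediately weakened by "if you ONLY use SpamAssassin with SA-Exim this is in practice not strictly necessary", with no reason given, even though lines 147-148 state that spamd runs as root by default and assumes the identity of whatever user the connecting client names. Say why the exception is acceptable (lines 150-151 suggest it is because SA-Exim's spamc normally names Debian-exim) or drop the caveat, and state which account owns /var/spool/sa-exim/tuplets as shipped, so that "adjust the ownership ... accordingly" at lines 168-170 can be followed without guessing. Minor: "the same list of recipient" at lines 128-129 should read "recipients".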
Line 164... | Line 217... | ||
164 | Recent versions of spamc can read command-line parameters and switches |
217 | Recent versions of spamc can read command-line parameters and switches |
165 | from a configuration file called /etc/spamassassin/spamc.conf. If that |
218 | from a configuration file called /etc/spamassassin/spamc.conf. If that |
166 | file specifies conflicting options, it will prevent SA-Exim from |
219 | file specifies conflicting options, it will prevent SA-Exim from |
167 | working. For now, you'll have to make sure that it doesn't. |
220 | working. For now, you'll have to make sure that it doesn't. |
168 | 221 | ||
169 | -- Magnus Holmgren <holmgren@debian.org>, Tue, 24 Jun 2008 14:27:59 +0200 |
222 | -- Magnus Holmgren <holmgren@debian.org>, Sun, 18 Sep 2011 00:11:18 +0200 |
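Review bot: The only change in this hunk is the signature date (2008 to 2011), which also re-dates the unchanged spamc.conf paragraph at lines 217-220; its "Recent versions of spamc" and "For now, you'll have to make sure that it doesn't" are relative to the old date, and the paragraph never names which options conflict. Either list the settings in /etc/spamassassin/spamc.conf that prevent SA-Exim from working, or reword the paragraph so it does not depend on when it was written.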