Subversion Repositories

# Options for spamassassin running in exim's local_scan (SA Exim)

# By Marc MERLIN <marc_soft@merlins.org> - Initial version: April 2002

# Sander Smeenk <ssmeenk@freshdot.net> - Improvements: March 2004

#

# Sample file version 1.16 for SA-Exim 4.1 - 2005/01/10

#

# The parse routine is minimalistic. It expects "option: value" (exactly

# one space after the colon, and none before). You should put long lines

# on one line. The parser isn't capable of parsing multiline values.

#

# SA threshold values are parsed as floats and other numerical options

# are ints. String options have to be set. To unset them, comment out the

# variable, don't set it to nothing.

#

# READ THIS:

# ---------

# Watch your logs, you will get errors and your messages will get

# temporarily bounced if expansions fail. Watch your logs!

#

# If you are afraid that spammers might use a header that is used here

# as a default, have exim set it to another value than 'Yes' and check

# here for that other value.

#

# For every expansion, anything that doesn't expand to "" or "0"

# (without quotes) will be considered true. If you set the string to 1,

# it will be true without going through exim's condition evaluator (and

# if you leave it unset, it will default to 0)

#

# You should not put double quotes around expressions!

# --- snip ---

# Enable basic verbose output by default. Watch your logs!

SAEximDebug: 1

# Default path is /usr/bin/spamc, but you can change it here

SAspamcpath: /usr/bin/spamc

# Which characters are retained from a Message-Id header (for safety, we

# remove characters that might cause problems with shell parsing)

# Change the default at your own risk (you also have to change this in

# the SA greylisting patch if you use that)

#SAsafemesgidchars: !#%( )*+,-.0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~

# If SAspamcSockPath is set spamc uses socket to connect to spamd,

# use --socketpath pathname as argument to spamd (new in SA 2.60).

# Leave it unset if you want spamc to connect(AF_INET) to spamd at

# 127.0.0.1 (this is the default shown in the options below), but if

# you set it, it will override the two TCP connect options below

#SAspamcSockPath: /var/run/spamd.sock

# SAspamcHost / SAspamcPort: TCP socket where your spamd is listening

# Shown below are the defaults:

SAspamcHost: 127.0.0.1

SAspamcPort: 783

# SAspamcUser: The username passed to spamc. Some tricks are needed to

# decide on one user when there are many recipients. This string is of

# course expanded. If unset or empty, spamc will use the user Exim

# runs as. We suggest that you decide what username to use in the ACLs

# and set an ACL variable.

#SAspamcUser: $acl_m2

# Exim configuration string to run before running SA against the message

# This decides whether SA gets run against the message or not.  This

# default will not reject messages if the message had SA headers but

# they weren't added by us.

SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{::1}}}}

# If you want more detailed control over when to run SA, it's recommended

# that you set an ACL variable indicating this from the acl section of

# your Exim configuration file. The current maintainer sets acl_m0 to

# "noscan" if the sending host is localhost or has authenticated.

#SAEximRunCond: ${if !eq{$acl_m0}{noscan}}

# (This means exactly the same as ${if !eq{$acl_m0}{noscan} {true}{}},

# where the empty string is considered false.)

#----------------------------------------------------------------------

# Remove or comment out the following line to enable sa-exim

SAEximRunCond: 0

#----------------------------------------------------------------------

# If and only if SAEximRunCond was true, and we did run SA, this

# expression decides whether we actually consider acting upon SAdevnull,

# SApermreject, and SAtempreject if you have them set.

#

# Use this to tag messages that you shouldn't reject (messages sent to

# abuse or postmaster for instance).

#

# As an example, set acl_m0 to "canreject" if a recipient other than

# postmaster or abuse is encountered (and the sender isn't local). That

# way, spammers can't circumvent blocking by sending to postmaster and

# 99 other recipients. (If acl_m0 is taken, you'll of course have to use

# a different variable.

#SAEximRejCond: ${if eq{$acl_m0}{canreject}}

# How much of the body we feed to spamassassin (in bytes)

# Default is 250KB

SAmaxbody: 256000

# Do you want to feed SAmaxbody's worth of the message body if it is too big?

# Either, you skip messages that are too big and not scan them, or you can

# truncate the body and feed that to SA.

# Note that SA will sometimes raise the spam score if it can't parse

# the message correctly (since the end is missing, decoding will fail)

# Default is 0: do not scan messages that are too big

# (note that this is parsed as a condition)

SATruncBodyCond: 0

# If you want SA to report_safe you need sa-exim to rewrite the body of

# the message since SA encapsulates the spam as a mime attachment.

# You probably want SATruncBodyCond to be 0 or else you'll end up with a

# partial message if it's larger than SAmaxbody and it's spam

#

# Also note that if you enable this option, any saved message will be saved

# after the body has been modified by SA.

# (this is not a condition as SA's report_safe is not conditional)

SARewriteBody: 0

# Prepend saved messages with an fake From-header to make the file look like a

# valid mbox file

SAPrependArchiveWithFrom: 1

# If you are archiving messages that are rejected, how much do you want

# to archive? Default is 20MB.

SAmaxarchivebody: 20971520

# On errors, if you are saving messages, you probably want the entire message

# Default size saved (if you are saving errors) is 1GB

SAerrmaxarchivebody: 1073741824

# You can have SA-Exim add a X-SA-Exim-Rcpt-To header, which will list all

# the recipients for the Email, unless the list gets bigger than

# SAmaxrcptlistlength bytes.

# The default value of 0 disables the header for privacy reasons (the header

# exposes Bcced recipients)

# Any value bigger than 8000 will be ignored because there is a limit on the

# size of headers that you can have and exim's string_sprintf

# Note that if you are planning to use greylisting, you should set this

# value to 8000 since SA's greylisting code needs the recipients.

SAmaxrcptlistlength: 0

# Add X-SA-Exim-Rcpt-To and X-SA-Exim-Mail-From headers before SA scans

# the message.

# If this option is enabled, SARewiteBody is true, and safe_mode is

# enabled in SA, you end up with the X-SA-Exim-Rcpt-To/X-SA-Exim-Mail-From in

# the attatched message as well without the ability to remove them later in an

# exim transport (think privacy).

# In real life this is usually not a problem because the message is spam anyway,

# and if you turn this off, you lose the option to use those headers to score

# the message with SA.

SAaddSAEheaderBeforeSA: 1

# How many seconds you want to allow spamc to run. Exim 4.04 and better will

# kill us after a default of 5 minutes. This however is not great, because the

# mail gets temporarily rejected

# You should set this and have SA Exim handle the timeout itself and accept the

# message if spamc takes too long (instead of timing out)

# A value of 0 means no timeout, and we run until exim stops us.

# I know of at least one mail server (nanog's merit.edu) that will not

# wait a full 5mn (which causes tempreject and resends), so the default is 4mn

#SAtimeout: 240

# Do you want to save mails that were accepted because spamc timed out?

# Specify a directory to enable the feature.

# SA-Exim will try to create the directory if it has the permissions to do so,

# check your maillog for failures (or create the directory yourself and make it

# writeable by exim)

SAtimeoutsave: /var/spool/exim/SAtimeoutsave

# You can optionally save or not save messages that matched the above rule

SAtimeoutSavCond: 1

# You should really create this directory for local_scan to save messages that

# created an error. If you don't want this, comment out this variable

# Make sure all these directories are owned by the exim user

# SA-Exim will try to  create the directory if it has  the permissions to do

# so, check your maillog for failures  (or create the directory yourself and

# make it writeable by exim)

SAerrorsave: /var/spool/exim/SAerrorsave

# You can optionally save or not save messages that matched the above rule

# You should not put double quotes around the expression

SAerrorSavCond: 1

# If you set to 1, SA will temporarily reject messages that generated an error

# while they were processed (they'll still be saved if SAerrorsave is set).

# Otherwise (0 = false), the messages are just accepted, which seems like a

# more sensible default

SAtemprejectonerror: 0

###############################################################################

# NOTE: Spamd needs to tell sa-exim that the message SA-Exim gave spamd

# is spam before sa-exim will consider the SA tresholds.

# In other words, you cannot reject mails on SA scores if you set that

# threshold to a lower threshold than SA's required_hits value.

# The one exception to this rule is SAtempreject (in order to let you

# temporarily reject mail when you are doing greylisting, see

# README.greylisting in the documentation for details)

###############################################################################

# SA score when you start stalling the sender by sending many continuation

# lines for up to SAteergrubetime

# This is now a string (without quotes) that gets evaluated at runtime by exim

# but you can still assign a simple float value to it

# Note that this is an obvious abuse of SMTP, but eh, they started it :-)

# Of course, this means that each incoming spam with the right score threshold

# will keep an exim process busy on your machine. Make sure you can afford it.

# Default value is 2^20, which should disable the behavior

# Please, don't teergrube people who relay for you or your own MXes :-)

# This option is left behind for backward compatibility, but you can now

# get the same result by putting a condition string in SAteergrube

# The trick is to list your score if the condition succeeds, and a really

# high score otherwise.

#SAteergrube: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{127.0.0.2}} } {25}{1048576}}

# SAteergrubecond is deprecated (replaced by SAteergrube)

# You used to be say whether you would apply the teergrubing score with this

# condition, but now that scores are conditions, it is obsolete

#SAteergrubecond: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{127.0.0.2}} } {1}{0}}

# How long do you want to stall the sender (in seconds)

# If you set the value too high, you might get too many exim processes running

# and run out of process slots

# Remember, don't come crying if playing with this "feature" causes your mail

# server to catch fire :-)

SAteergrubetime: 900

# You can optionally save or not save messages that matched the above rule

SAteergrubeSavCond: 1

# Do you want to save mails that you stalled for later analysis?

# Specify a directory to enable the feature.

# SA-Exim will try to create the directory if it has the permissions to do so,

# check your maillog for failures (or create the directory yourself and make it

# writeable by exim)

SAteergrubesave: /var/spool/exim/SAteergrube

# When you stall the sender, you will probably get the mail again.

# By default, we'll  only save messages by message ID so  that we don't save

# multiple copies every time the sender tries again.

# Of course, this means someone could fake someone else's message ID to

# overwrite the saved copy of another spam. Such is life :-)

SAteergrubeoverwrite: 1

# If you reach this score, the mail is accepted and tossed (/dev/nulled).

# The default value is 2^20 which should ensure this never happens.

# This is now a string (without quotes) that gets evaluated at runtime by exim

# but you can still assign a simple float value to it

# You should be really sure that the message is spam because the sender will

# get no notification

#SAdevnull: 20.0

# You can optionally save or not save messages that matched the above rule

SAdevnullSavCond: 1

# Do you want to save mails that are tossed?

# Specify a directory to enable the feature.

# This is just in case you do want to keep a copy of the alledge spams somewhere

# Messages are saved by unixdate_Message-Id or just unix date if there is no

# Message-Id.

# SA-Exim will try to create the directory if it has the permissions to do so,

# check your maillog for failures (or create the directory yourself and make it

# writeable by exim)

SAdevnullsave: /var/spool/exim/SAdevnull

# SA score when you start rejecting Emails (this is better than the above as

# it can notify the sender in case you reject non-spam by mistake)

# This is now a string (without quotes) that gets evaluated at runtime by exim

# but you can still assign a simple float value to it

# Default value is 2^20, which should disable the behavior if you comment out

# the line below

SApermreject: 12.0

# You can optionally save or not save messages that matched the above rule

SApermrejectSavCond: 1

# Do you want to save mails that are rejected?

# Specify a directory to enable the feature.

# SA-Exim will try to create the directory if it has the permissions to do so,

# check your maillog for failures (or create the directory yourself and make it

# writeable by exim)

SApermrejectsave: /var/spool/exim/SApermreject

# SA score when you start returning a temporary reject.

# There are few reasons to use this, except if you're reading your tempreject

# save folder (see below) and ajusting scores on the fly, or if you are using

# greylisting

# This is now a string (without quotes) that gets evaluated at runtime by exim

# but you can still assign a simple float value to it

# Default value is 2^20, which should disable the behavior

#SAtempreject: 9.0

# You can optionally save or not save messages that matched the above rule

SAtemprejectSavCond: 1

# Do you want to save mails that are temporarily rejected?

# Specify a directory to enable the feature.

# You could use this to analyse what SA is bouncing and adding an allow rule

# to accept the mail next time it is sent back to you

# SA-Exim will try to create the directory if it has the permissions to do so,

# check your maillog for failures (or create the directory yourself and make it

# writeable by exim)

SAtemprejectsave: /var/spool/exim/SAtempreject

# When you send back a temp reject code, you will get the mail again.

# By default, we'll only save messages by message ID so that we don't save

# multiple copies every time the sender tries again.

# Of course, this means someone could fake someone else's message ID to

# overwrite the saved copy of another spam. Such is life :-)

SAtemprejectoverwrite: 1

# See README.greylisting in the documentation for the following options

# This is the string that SpamAssassin adds if the message is whitelisted

# We use this to optionally increase the score needed for a tempreject

# (in order to let a message through when it would otherwise have been

# temprejected)

# Default value is "GREYLIST_ISWHITE" (as used in the patch provided by SA-Exim)

SAgreylistiswhitestr: GREYLIST_ISWHITE

# By how much do we temporarly raise tempreject to allow a mail in when it

# would otherwise have been temp rejected (because SA flagged it was whitelisted

# by the greylisting code provided as a patch to SA in the SA-Exim distro)

# Note that greylisting will not work in until you patch SA with the greylist

# function

# Note that you most likely want

# SAtempreject + SAgreylistraisetempreject <= SApermreject

# Default value is 3.0 but you'd probably to lower the tempreject score and

# increase this one (see README.greylisting)

SAgreylistraisetempreject: 3.0

# Do you want to save mails that are flagged as spam by SA, but not rejected by

# any of the above thresholds?  Specify a directory to enable the feature.

# That's one way to track mails thare are going through even though they were

# flagged by SA (note that you could also save them in exim's system_filter,

# although copies saved here happen before exim makes modification to the

# message like rewriting)

# SA-Exim will try to create the directory if it has the permissions to do so,

# check your maillog for failures (or create the directory yourself and make it

# writeable by exim)

SAspamacceptsave: /var/spool/exim/SAspamaccept

# You can control which messages you want saved if you only want a subset

SAspamacceptSavCond: 0

# Do you want to save mails that are not flagged as spam by SA

# Specify a directory to enable the feature.

# This is only here for completeness, if you want to save all messages not

# flagged as spam by SA (you could also do this in system_filter)

# SA-Exim will try to create the directory if it has the permissions to do so,

# check your maillog for failures (or create the directory yourself and make it

# writeable by exim)

SAnotspamsave: /var/spool/exim/SAnotspam

# You can control which messages you want saved if you only want a subset

SAnotspamSavCond: 0

# All the following strings can take one '%s' which will be replaced by

# spamstatus: "SA score, trigger score"

SAmsgteergrubewait: Wait for more output

SAmsgteergruberej: Please try again later

SAmsgpermrej: Rejected

SAmsgtemprej: Please try again later

# This string is a static string, do not include "%s"

SAmsgerror: Temporary local error while processing message, please contact postmaster.