103,19 → 103,72 |
with the unsplit configuration scheme and add the local_scan_path |
setting by hand, like with the hand-crafted configuration file. |
|
Next, read all about greylisting and sa-exim: |
|
*************** |
* GREYLISTING * |
*************** |
Notes on greylisting with sa-exim. |
|
If you use SpamAssassin 3.0 or better, you do not need to patch it, you |
can just use the Greylisting module shipped with sa-exim. |
The only thing you need to do to enable it, is to copy the 4 lines below |
loadplugin in the greylisting README, and adjust the score if you wish (see |
README.Greylisting for details). |
Greylisting is implemented as a SpamAssassin module. To enable it you |
need to add the following five lines to your SpamAssassin |
configuration: |
|
loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm |
|
header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )") |
describe GREYLIST_ISWHITE The incoming server has been whitelisted for this recipient and sender |
score GREYLIST_ISWHITE -1.5 |
priority GREYLIST_ISWHITE 99999 |
|
(It is a long-standing bug that the module is installed in the wrong |
directory, which is why the full path has to be specified on the |
loadplugin line, but fixing it is probably not worth the disruption of |
existing installations.) |
|
If two messages from the same /24 network (or IP address, depending on |
greylistfourthbyte), with the same sender, with the same list of |
recipient, and with a score below dontgreylistthreshold are seen at |
least greylistsecs apart, the triplet will be whitelisted and the |
GREYLIST_ISWHITE rule will be considered to match thenceforth. That |
will signal to the local_scan library to raise SAtempreject to let the |
message through, in addition to the negative spam score it carries. |
|
Notice that messages can be permanently rejected (score above |
SApermreject) and still get a triplet whitelisted if the score is |
below dontgreylistthreshold. If dontgreylistthreshold or SAtempreject |
+ SAgreylistraisetempreject are less than SApermreject, some mail may |
be temporarily rejected indefinitely. |
|
See README.Greylisting for more details. |
|
*********************** |
* SPAMD CONFIGURATION * |
*********************** |
|
By default, spamd runs as root and assumes the identity of the user it |
is told it is scanning mail on behalf of by whoever connects to it |
(see README.spamd.gz in the spamassassin package for a discussion on |
security). When SA-Exim runs spamc, this user will normally be |
Debian-exim. You can set the SAspamcUser option in sa-exim.conf to |
override this, but since a mail can have multiple recipients and is |
only scanned once, per-user setups are problematic. Also, the |
greylisting module won't work unless all users can write to the |
tuplets directory. |
|
Thus, when using SpamAssassin together with SA-Exim you may want to |
run spamd under a specific system account by modifying the OPTIONS |
variable in /etc/default/spamassassin to include a --username option. |
However, if you ONLY use SpamAssassin with SA-Exim this is in practice |
not strictly necessary. |
|
You should NOT run spamd as the "nobody" user and/or the "nogroup" |
group if you configure SpamAssassin to use sa-exim's greylisting |
module, the bayesian classifier, or any helper module that needs to |
write files, because nobody/nogroup should be completely unprivileged |
and thus not own any files. Instead you should create a dedicated |
account to run spamd under. You can then adjust the ownership of |
/var/spool/sa-exim/tuplets and the username in |
/etc/cron.d/greylistclean accordingly. |
|
*********************************** |
* PROBLEMS WITH BAYES AUTO-EXPIRY * |
*********************************** |
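Review bot: In the SPAMD CONFIGURATION section, the statement that the greylisting module "won't work unless all users can write to the tuplets directory" gives no owner or mode for /var/spool/sa-exim/tuplets, so a reader who keeps per-user scanning may resolve it by making the directory world-writable. The later paragraph says to create a dedicated account and "adjust the ownership" accordingly. It would help to say explicitly that the directory should be owned by that account and writable only by it, and that the user in /etc/cron.d/greylistclean must match. In the GREYLISTING section, the warning that mail "may be temporarily rejected indefinitely" would be easier to act on if it stated the safe relation directly: both dontgreylistthreshold and SAtempreject + SAgreylistraisetempreject should be at least SApermreject. Also, "list of recipient" should read "list of recipients".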
166,4 → 219,4 |
file specifies conflicting options, it will prevent SA-Exim from |
working. For now, you'll have to make sure that it doesn't. |
|
-- Magnus Holmgren <holmgren@debian.org>, Tue, 24 Jun 2008 14:27:59 +0200 |
-- Magnus Holmgren <holmgren@debian.org>, Sun, 18 Sep 2011 00:11:18 +0200 |