/trunk/debian/patches/api-limitations.patch |
0,0 → 1,94 |
Description: Changes needed because Exim now exports only the symbols |
that are part of the official API. |
Author: Magnus Holmgren <holmgren@debian.org> |
Bug-Debian: http://bugs.debian.org/420443 |
Bug-Debian: http://bugs.debian.org/420555 |
Bug-Debian: http://bugs.debian.org/420736 |
--- sa-exim-4.2.1.orig/sa-exim.c |
+++ sa-exim-4.2.1/sa-exim.c |
@@ -29,10 +29,8 @@ http://lists.merlins.org/lists/listinfo/ |
#include "sa-exim.h" |
/* Exim includes */ |
-#include "local_scan.h" |
-extern FILE *smtp_out; /* Exim's incoming SMTP output file */ |
-extern int body_linecount; /* Line count in body */ |
-extern uschar *primary_hostname; |
+#include <local_scan.h> |
+//extern int body_linecount; /* Line count in body */ |
#ifdef DLOPEN_LOCAL_SCAN |
@@ -602,6 +602,15 @@ int local_scan(volatile int fd, uschar * |
/* Do not put a %s in there, or you'll segfault */ |
static char *SAmsgerror="Temporary local error while processing message, please contact postmaster"; |
+ /* This needs to be retrieved through expand_string in order |
+ not to violate the API. */ |
+ static uschar *primary_hostname; |
+ if (!primary_hostname) { |
+ store_pool = POOL_PERM; |
+ primary_hostname = expand_string("$primary_hostname"); |
+ store_pool = POOL_MAIN; |
+ } |
+ |
/* New values we read from spamassassin */ |
char *xspamstatus=NULL; |
char *xspamflag=NULL; |
@@ -1229,18 +1268,19 @@ restart: |
} |
} |
- if (SAEximDebug > 1) |
+/* if (SAEximDebug > 1) |
{ |
log_write(0, LOG_MAIN, "SA: Debug2: body_linecount before SA: %d", body_linecount); |
} |
- |
+*/ |
/* update global variable $body_linecount to reflect the new body size*/ |
- body_linecount = (line - 1); |
+/* body_linecount = (line - 1); |
if (SAEximDebug > 1) |
{ |
log_write(0, LOG_MAIN, "SA: Debug2: body_linecount after SA: %d", body_linecount); |
} |
+*/ |
} |
fclose((FILE *)readfh); |
@@ -1331,6 +1371,9 @@ restart: |
if (dorej && doteergrube) |
{ |
+ char *teergrubewaitstr; |
+ teergrubewaitstr=string_sprintf(SAmsgteergrubewait, spamstatus); |
+ |
/* By default, we'll only save temp bounces by message ID so |
* that when the same message is submitted several times, we |
* overwrite the same file on disk and not create a brand new |
@@ -1353,20 +1396,8 @@ restart: |
for (i=0;i<SAteergrubetime/10;i++) |
{ |
- char *str; |
- |
- /* Unfortunately, we can't use exim's smtp_printf because it |
- * doesn't return an error code if the write gets an EPIPE. |
- * So, we write ourselves, but this won't work if you have a |
- * TLS connection opened (that said, if you are teergrubing |
- * a TLS connection, it's probably a relay host, not a |
- * spammer, and in this case you should not teergrube a |
- * friendly relay, so basically we should be ok). |
- * If you do teergrube an SSL connection with the current |
- * code, you will break it, but that's acceptable */ |
- str=string_sprintf(string_sprintf("451- %s\r\n",SAmsgteergrubewait), spamstatus); |
- fprintf(smtp_out, str); |
- ret=fflush(smtp_out); |
+ smtp_printf("451-%s\r\n", teergrubewaitstr); |
+ ret=smtp_fflush(); |
if (ret != 0) |
{ |
log_write(0, LOG_MAIN | LOG_REJECT, "SA: Action: teergrubed sender for %d secs until it closed the connection: %s (scanned in %d/%d secs | Message-Id: %s). %s", i*10, spamstatus, scantime, fulltime, safemesgid, mailinfo); |
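Review bot: The lazily initialised `primary_hostname` in the `@@ -602` hunk stays NULL when `expand_string("$primary_hostname")` fails, and `store_pool` is then forced to `POOL_MAIN` rather than restored, so a later `%s` of that pointer can crash and the caller's pool state is assumed instead of preserved. I would save and restore the pool and treat a failed expansion explicitly: `int old_pool = store_pool; store_pool = POOL_PERM; primary_hostname = expand_string("$primary_hostname"); store_pool = old_pool;` followed by a `log_write(0, LOG_MAIN | LOG_PANIC, ...)` when the result is NULL, so the failure is visible once rather than retried silently on every message. The `body_linecount` debug and update code in the `@@ -1229` hunk is commented out rather than deleted; since the extern is gone for good, removing the dead block would read better than `/* ... */` around live-looking code. `local_scan` begins and ends outside these hunks.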
/trunk/debian/patches/grey-clean-sender.patch |
0,0 → 1,16 |
Description: Simplify the sender address so that senders using VERP, |
SRS, etc. hopefully won't be greylisted each and every time |
Author: Magnus Holmgren <holmgren@debian.org> |
Bug-Debian: http://bugs.debian.org/347590 |
--- sa-exim-4.2.1.orig/Greylisting.pm |
+++ sa-exim-4.2.1/Greylisting.pm |
@@ -160,6 +160,8 @@ sub greylisting |
# work around bug in perl untaint in perl 5.8 |
$envfrom=undef; |
$envfrom=$tmpvar; |
+ $envfrom =~ s/^([a-z0-9._]*)[^@]*/$1/i; |
+ |
$rcptto =~ tr/!#%()*+,-.0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~/_/c; |
$rcptto =~ /(.+)/; |
$tmpvar = ($1 or ""); |
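Review bot: The new substitution on `$envfrom` is undocumented and its effect is not obvious from the pattern: it keeps only the leading run of `[a-z0-9._]` characters of the local part and drops everything up to the `@`, so `bounce-123-alice=example.org@lists.example` becomes `bounce@lists.example`, and a local part beginning with any other character collapses to just `@domain`. Since `$envfrom` later becomes a directory component of the tuplet path, the code should say that this rewrite can only shorten the already-untainted value and never reintroduces characters; I would precede it with `# VERP/SRS: keep only the stable prefix of the local part so per-message tags don't defeat greylisting`. Whether `$envfrom` was passed through the same `tr///` sanitisation as `$rcptto` on the following line happens before this hunk and cannot be confirmed here; `greylisting` starts outside the hunk.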
/trunk/debian/patches/grey-only-ipv4.patch |
0,0 → 1,33 |
Description: Bail out if a non-IPv4 address is encountered |
Author: Magnus Holmgren <holmgren@debian.org> |
Bug-Debian: http://bugs.debian.org/300103 |
Bug-Debian: http://bugs.debian.org/479955 |
--- sa-exim-4.2.1.orig/Greylisting.pm |
+++ sa-exim-4.2.1/Greylisting.pm |
@@ -170,16 +172,19 @@ sub greylisting |
# connectip is supposed to be untainted now, but I was still getting |
# some insecure dependecy error messages sometimes (perl 5.8 problem apparently) |
- $connectip =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/; |
- my ($ipbyte1, $ipbyte2, $ipbyte3, $ipbyte4) = ($1, $2, $3, $4); |
- my $ipdir1 = "$option{'dir'}/$ipbyte1"; |
- my $ipdir2 = "$ipdir1/$ipbyte2"; |
- my $ipdir3 = "$ipdir2/$ipbyte3"; |
+ unless ($connectip =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/) { |
+ warn "Can only handle IPv4 addresses; skipping greylisting call for message $mesgid\n"; |
+ return 0; |
+ } |
+ |
+ my $ipdir1 = "$option{'dir'}/$1"; |
+ my $ipdir2 = "$ipdir1/$2"; |
+ my $ipdir3 = "$ipdir2/$3"; |
my $ipdir4; |
my $tupletdir; |
$ipdir4 = "$ipdir3"; |
- $ipdir4 .= "/$ipbyte4" if ($option{'greylistfourthbyte'}); |
+ $ipdir4 .= "/$4" if ($option{'greylistfourthbyte'}); |
$tupletdir = "$ipdir4/$envfrom"; |
$tuplet = "$tupletdir/$rcptto"; |
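Review bot: The IPv4 test in the new `unless` is unanchored and the captures `$1`..`$4` are then consumed across several statements down to the `greylistfourthbyte` line, so an input such as `::ffff:10.1.2.3` or `1.2.3.4.5` passes as IPv4 and the directory names are built from whichever dotted quad the engine happened to match, while any regex inserted between those statements would silently reset the captures. Because the four values become path components under `$option{'dir'}`, I would anchor the match and copy the captures in one step: `my ($o1, $o2, $o3, $o4) = $connectip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;` and then `unless (defined $o4) {` for the bail-out, using `$o1`..`$o4` below. The anchored form also keeps the promise of the comment above the hunk about `$connectip` being untainted, since only digits can reach the path. Whether `return 0` is the right value for "not greylisted" depends on callers outside the hunk, as does the start of `greylisting`.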
/trunk/debian/patches/save-path.patch |
0,0 → 1,76 |
Description: Put saved mail in /var/spool/sa-exim instead of /var/spool/exim. |
--- sa-exim-4.2.1.orig/sa-exim.conf |
+++ sa-exim-4.2.1/sa-exim.conf |
@@ -148,7 +166,7 @@ SAaddSAEheaderBeforeSA: 1 |
# SA-Exim will try to create the directory if it has the permissions to do so, |
# check your maillog for failures (or create the directory yourself and make it |
# writeable by exim) |
-SAtimeoutsave: /var/spool/exim/SAtimeoutsave |
+SAtimeoutsave: /var/spool/sa-exim/SAtimeoutsave |
# You can optionally save or not save messages that matched the above rule |
SAtimeoutSavCond: 1 |
@@ -160,7 +178,7 @@ SAtimeoutSavCond: 1 |
# SA-Exim will try to create the directory if it has the permissions to do |
# so, check your maillog for failures (or create the directory yourself and |
# make it writeable by exim) |
-SAerrorsave: /var/spool/exim/SAerrorsave |
+SAerrorsave: /var/spool/sa-exim/SAerrorsave |
# You can optionally save or not save messages that matched the above rule |
# You should not put double quotes around the expression |
@@ -219,7 +237,7 @@ SAteergrubeSavCond: 1 |
# SA-Exim will try to create the directory if it has the permissions to do so, |
# check your maillog for failures (or create the directory yourself and make it |
# writeable by exim) |
-SAteergrubesave: /var/spool/exim/SAteergrube |
+SAteergrubesave: /var/spool/sa-exim/SAteergrube |
# When you stall the sender, you will probably get the mail again. |
# By default, we'll only save messages by message ID so that we don't save |
@@ -249,7 +267,7 @@ SAdevnullSavCond: 1 |
# SA-Exim will try to create the directory if it has the permissions to do so, |
# check your maillog for failures (or create the directory yourself and make it |
# writeable by exim) |
-SAdevnullsave: /var/spool/exim/SAdevnull |
+SAdevnullsave: /var/spool/sa-exim/SAdevnull |
@@ -269,7 +287,7 @@ SApermrejectSavCond: 1 |
# SA-Exim will try to create the directory if it has the permissions to do so, |
# check your maillog for failures (or create the directory yourself and make it |
# writeable by exim) |
-SApermrejectsave: /var/spool/exim/SApermreject |
+SApermrejectsave: /var/spool/sa-exim/SApermreject |
@@ -292,7 +310,7 @@ SAtemprejectSavCond: 1 |
# SA-Exim will try to create the directory if it has the permissions to do so, |
# check your maillog for failures (or create the directory yourself and make it |
# writeable by exim) |
-SAtemprejectsave: /var/spool/exim/SAtempreject |
+SAtemprejectsave: /var/spool/sa-exim/SAtempreject |
# When you send back a temp reject code, you will get the mail again. |
# By default, we'll only save messages by message ID so that we don't save |
@@ -330,7 +348,7 @@ SAgreylistraisetempreject: 3.0 |
# SA-Exim will try to create the directory if it has the permissions to do so, |
# check your maillog for failures (or create the directory yourself and make it |
# writeable by exim) |
-SAspamacceptsave: /var/spool/exim/SAspamaccept |
+SAspamacceptsave: /var/spool/sa-exim/SAspamaccept |
# You can control which messages you want saved if you only want a subset |
SAspamacceptSavCond: 0 |
@@ -343,7 +361,7 @@ SAspamacceptSavCond: 0 |
# SA-Exim will try to create the directory if it has the permissions to do so, |
# check your maillog for failures (or create the directory yourself and make it |
# writeable by exim) |
-SAnotspamsave: /var/spool/exim/SAnotspam |
+SAnotspamsave: /var/spool/sa-exim/SAnotspam |
# You can control which messages you want saved if you only want a subset |
SAnotspamSavCond: 0 |
/trunk/debian/patches/improved-default-conf.patch |
0,0 → 1,52 |
Description: Improvements (in my opinion) of the default sa-exim.conf |
Author: Magnus Holmgren <holmgren@debian.org> |
--- sa-exim-4.2.1.orig/sa-exim.conf |
+++ sa-exim-4.2.1/sa-exim.conf |
@@ -49,9 +49,19 @@ SAspamcpath: /usr/bin/spamc |
# This decides whether SA gets run against the message or not. This |
# default will not reject messages if the message had SA headers but |
# they weren't added by us. |
-SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$h_X-SA-Do-Not-Run:}{Yes}} } {1}{0}} |
+SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{::1}}}} |
+# If you want more detailed control over when to run SA, it's recommended |
+# that you set an ACL variable indicating this from the acl section of |
+# your Exim configuration file. The current maintainer sets acl_m0 to |
+# "noscan" if the sending host is localhost or has authenticated. |
+#SAEximRunCond: ${if !eq{$acl_m0}{noscan}} |
+# (This means exactly the same as ${if !eq{$acl_m0}{noscan} {true}{}}, |
+# where the empty string is considered false.) |
+ |
+#---------------------------------------------------------------------- |
# Remove or comment out the following line to enable sa-exim |
SAEximRunCond: 0 |
+#---------------------------------------------------------------------- |
# If and only if SAEximRunCond was true, and we did run SA, this |
# expression decides whether we actually consider acting upon SAdevnull, |
@@ -70,10 +86,12 @@ SAEximRunCond: 0 |
# Use this to tag messages that you shouldn't reject (messages sent to |
# abuse or postmaster for instance). |
# |
-# X-SA-Do-Not-Rej should be set as a warn header if mail is sent to |
-# postmaster and abuse (in the RCPT ACL), this way you're not bouncing |
-# spam abuse reports sent to you. This is a RFC guideline. |
-SAEximRejCond: ${if !eq {$h_X-SA-Do-Not-Rej:}{Yes} {1}{0}} |
+# As an example, set acl_m0 to "canreject" if a recipient other than |
+# postmaster or abuse is encountered (and the sender isn't local). That |
+# way, spammers can't circumvent blocking by sending to postmaster and |
+# 99 other recipients. (If acl_m0 is taken, you'll of course have to use |
+# a different variable. |
+#SAEximRejCond: ${if eq{$acl_m0}{canreject}} |
# How much of the body we feed to spamassassin (in bytes) |
@@ -280,7 +298,7 @@ SApermrejectsave: /var/spool/exim/SAperm |
# This is now a string (without quotes) that gets evaluated at runtime by exim |
# but you can still assign a simple float value to it |
# Default value is 2^20, which should disable the behavior |
-SAtempreject: 9.0 |
+#SAtempreject: 9.0 |
# You can optionally save or not save messages that matched the above rule |
SAtemprejectSavCond: 1 |
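Review bot: Replacing the active `SAEximRejCond: ${if !eq {$h_X-SA-Do-Not-Rej:}{Yes} {1}{0}}` with a commented-out example in the `@@ -70,10` hunk silently changes the shipped behaviour: with no `SAEximRejCond` line the compiled-in default applies (the sa-exim.c context in spamc-args.patch shows `SAEximRejCond="1"`), so every spam-flagged message becomes rejectable, including the reports to postmaster and abuse that the removed comment existed to protect. That may well be the intended design, but the config comment should state it outright, e.g. `# Default when unset: 1 (rejection always allowed). Set an ACL variable if postmaster/abuse must be exempt.`, rather than leaving the admin to infer it. The sentence beginning `(If acl_m0 is taken,` is also missing its closing parenthesis. The same applies to `#SAtempreject: 9.0`, where the comment above it already names the fallback.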
/trunk/debian/patches/spamd-not-nobody.patch |
0,0 → 1,52 |
Description: Don't recommend that spamd runs as nobody |
Author: Magnus Holmgren <holmgren@debian.org> |
--- sa-exim-4.2.1.orig/README |
+++ sa-exim-4.2.1/README |
@@ -147,8 +147,11 @@ anything, you may not want to use SARewr |
Important: |
-You want to run spamd as such: |
-/usr/sbin/spamd -d -u nobody -H /var/spool/spamassassin/ |
+ |
+You want to run spamd as such (you have to create the spamd user |
+yourself): |
+ |
+/usr/sbin/spamd -d -u spamd -H /var/spool/spamassassin/ |
It may not work if you run spamd with -c (debian default), |
(you shouldn't run spamassassin as root for this purpose anyway (there |
@@ -158,7 +161,7 @@ You can edit this in /etc/default/spamas |
/etc/sysconfig/spamassassin (redhat) |
With SA 3.x is better, the updated syntax would look like this: |
-/usr/sbin/spamd --max-children 50 --daemonize --username=nobody --nouser-config --helper-home-dir=/var/spool/spamassassin/ |
+/usr/sbin/spamd --max-children 50 --daemonize --username=spamd --nouser-config --helper-home-dir=/var/spool/spamassassin/ |
--- sa-exim-4.2.1.orig/README.greylisting |
+++ sa-exim-4.2.1/README.greylisting |
@@ -139,8 +139,8 @@ let in" range. |
FILE SETUP |
---------- |
-Make very sure that uid nobody can traverse /var/spool/sa-exim and |
-create tuplets writeable by nobody (or whoever you run SA as) |
+Make very sure that the user that spamd runs as can traverse and write |
+to /var/spool/sa-exim. |
Then, setup a cron job to delete tuplets that are older than 14 days for |
whitelisted entries, and 2 days for greylisted entries (or whatever |
@@ -159,8 +159,8 @@ You should install greylistclean.cron in |
call greylistclean and clean up greylisted entries and whitelisted entries |
that haven't been used in a while. |
You can optionally modify it to tweak the cleanup times. |
-Note that you need to tweak greylistclean.cron to match the user spamd runs |
-as if you aren't using the recommended --username=nobody |
+Note that you may need to tweak greylistclean.cron to match the user |
+spamd runs as. |
SA PATCH (SA 2.x) |
/trunk/debian/patches/series |
0,0 → 1,8 |
api-limitations.patch |
spamc-args.patch |
grey-only-ipv4.patch |
grey-clean-sender.patch |
save-path.patch |
improved-default-conf.patch |
spamd-not-nobody.patch |
readme.patch |
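Review bot: The order in `series` does not match the offsets recorded in the patches: `grey-only-ipv4.patch` is listed before `grey-clean-sender.patch`, yet its hunk header `@@ -170,16 +172,19 @@` already carries the +2 shift that grey-clean-sender introduces, and the api-limitations and spamc-args headers (`@@ -1229,18 +1268,19 @@`, `@@ -515,6 +513,7 @@`) show the same cross-contamination from the combined diff they were split from. quilt will still apply these with reported offsets, but a `quilt refresh` of each patch in the listed order would make the series self-consistent. This is inferred from the headers alone; I have not applied the series.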
/trunk/debian/patches/readme.patch |
0,0 → 1,16 |
Description: Other additions to README file(s) |
Author: Sander Smeenk <ssmeenk@debian.org> |
Bug-Debian: http://bugs.debian.org/276080 |
--- sa-exim-4.2.1.orig/README |
+++ sa-exim-4.2.1/README |
@@ -194,6 +197,9 @@ SAEximRunCond: ${if and{ \ |
{1}{0} \ |
} |
+PLEASE NOTE: This conditional statement must be on one line. SA-Exim's |
+configfile parser does not support \-lineconitunation!! |
+ |
You may also want to look at my exim4.conf config if you haven't done so yet: |
http://marc.merlins.org/linux/exim/#conf |
/trunk/debian/patches/spamc-args.patch |
0,0 → 1,120 |
Description: Changes related to the arguments sent to spamc, namely thst |
we don't pass -d (SAspamcHost), -p (SAspamcPort), or -U (SAspamcSockPath) |
if those options aren't set, as well as the new parameter -u (SAspamcUser). |
Author: Magnus Holmgren <holmgren@debian.org> |
Bug-Debian: http://bugs.debian.org/506571 |
--- sa-exim-4.2.1.orig/sa-exim.c |
+++ sa-exim-4.2.1/sa-exim.c |
@@ -515,6 +513,7 @@ int local_scan(volatile int fd, uschar * |
int pid; |
int writefd[2]; |
int readfd[2]; |
+ char *spamc_argv[10]; |
int i; |
/* These are the only values that we want working after the longjmp |
* The automatic ones can be clobbered, but we don't really care */ |
@@ -550,8 +549,9 @@ int local_scan(volatile int fd, uschar * |
static char *SAspamcpath=SPAMC_LOCATION; |
static char *SAsafemesgidchars=SAFEMESGIDCHARS |
static char *SAspamcSockPath=NULL; |
- static char *SAspamcPort="783"; |
- static char *SAspamcHost="127.0.0.1"; |
+ static char *SAspamcPort=NULL; |
+ static char *SAspamcHost=NULL; |
+ static char *SAspamcUser=NULL; |
static char *SAEximRunCond="0"; |
static char *SAEximRejCond="1"; |
static int SAmaxbody=250*1024; |
@@ -712,6 +721,7 @@ int local_scan(volatile int fd, uschar * |
M_CHECKFORSTR(SAspamcSockPath); |
M_CHECKFORSTR(SAspamcPort); |
M_CHECKFORSTR(SAspamcHost); |
+ M_CHECKFORSTR(SAspamcUser); |
M_CHECKFORSTR(SAEximRunCond); |
M_CHECKFORSTR(SAEximRejCond); |
M_CHECKFORVAR(SAmaxbody, "%d"); |
@@ -914,6 +924,22 @@ int local_scan(volatile int fd, uschar * |
ret=dup2(readfd[1],2); |
CHECKERR(ret,"dup2 stderr",__LINE__); |
+ i = 0; |
+ spamc_argv[i++] = "spamc"; |
+ if (SAspamcUser && SAspamcUser[0]) |
+ { |
+ expand=expand_string(SAspamcUser); |
+ if (expand == NULL) |
+ { |
+ log_write(0, LOG_MAIN | LOG_PANIC, "SA: SAspamcUser expansion failure on %s, will run as Exim user instead.", SAspamcUser); |
+ } |
+ else if (expand[0] != '\0') |
+ { |
+ spamc_argv[i++] = "-u"; |
+ spamc_argv[i++] = expand; |
+ } |
+ } |
+ |
/* |
* I could implement the spamc protocol and talk to spamd directly |
* instead of forking spamc, but considering the overhead spent |
@@ -924,17 +950,30 @@ int local_scan(volatile int fd, uschar * |
/* Ok, we cheat, spamc cares about how big the whole message is and |
* we only know about the body size, so I'll give an extra 16K |
* to account for any headers that can accompany the message */ |
+ |
+ spamc_argv[i++] = "-s"; |
+ spamc_argv[i++] = string_sprintf("%d", SAmaxbody+16384); |
+ |
if(SAspamcSockPath) |
{ |
- ret=execl(SAspamcpath, "spamc", "-s", string_sprintf("%d", SAmaxbody+16384), "-U", SAspamcSockPath, NULL); |
- CHECKERR(ret,string_sprintf("exec %s", SAspamcpath),__LINE__); |
+ spamc_argv[i++] = "-U"; |
+ spamc_argv[i++] = SAspamcSockPath; |
} |
else |
{ |
- ret=execl(SAspamcpath, "spamc", "-s", string_sprintf("%d", SAmaxbody+16384), "-d", SAspamcHost, "-p", SAspamcPort, NULL); |
- CHECKERR(ret,string_sprintf("exec %s", SAspamcpath),__LINE__); |
+ if (SAspamcHost) { |
+ spamc_argv[i++] = "-d"; |
+ spamc_argv[i++] = SAspamcHost; |
+ } |
+ if (SAspamcPort) { |
+ spamc_argv[i++] = "-p"; |
+ spamc_argv[i++] = SAspamcPort; |
+ } |
} |
- |
+ spamc_argv[i++] = NULL; |
+ |
+ ret=execv(SAspamcpath, spamc_argv); |
+ CHECKERR(ret,string_sprintf("exec %s", SAspamcpath),__LINE__); |
} |
if (SAEximDebug > 8) |
--- sa-exim-4.2.1.orig/sa-exim.conf |
+++ sa-exim-4.2.1/sa-exim.conf |
@@ -49,11 +49,17 @@ SAspamcpath: /usr/bin/spamc |
# you set it, it will override the two TCP connect options below |
#SAspamcSockPath: /var/run/spamd.sock |
-# SAspamcHost / SAspamcPort: TCP socket where your spamd is listening |
-# Shown below are the defaults: |
-SAspamcHost: 127.0.0.1 |
-SAspamcPort: 783 |
- |
+# SAspamcHost / SAspamcPort: TCP socket where your spamd is listening. |
+# Default is to let spamc use any settings in spamc.conf. |
+#SAspamcHost: 127.0.0.1 |
+#SAspamcPort: 783 |
+ |
+# SAspamcUser: The username passed to spamc. Some tricks are needed to |
+# decide on one user when there are many recipients. This string is of |
+# course expanded. If unset or empty, spamc will use the user Exim |
+# runs as. We suggest that you decide what username to use in the ACLs |
+# and set an ACL variable. |
+#SAspamcUser: $acl_m2 |
# Exim configuration string to run before running SA against the message |
# This decides whether SA gets run against the message or not. This |
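Review bot: `char *spamc_argv[10]` in the `@@ -515` hunk is sized exactly to the longest list the `@@ -924` hunk can build (`spamc -u USER -s SIZE -d HOST -p PORT` plus the terminating NULL is ten entries), so the next option added to the TCP branch overruns the stack array in the forked child with no diagnostic. I would at least document the coupling, `char *spamc_argv[10]; /* spamc -u USER -s SIZE -d HOST -p PORT NULL: exactly 10; grow when adding options */`, or define the size once and guard each push. Moving from `execl` to `execv` with the expanded `-u` value as its own argv element is the right shape, since no shell ever sees `$acl_m2`; a short comment on the `-u` block saying that the expanded value is handed to spamc verbatim, so any policy on acceptable usernames has to live in the ACL that sets it, would help the next reader. `local_scan` starts and ends outside these hunks.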
/trunk/debian/changelog |
28,6 → 28,22 |
and install it using dh_installcron. |
* Upgrade to Debhelper compat level 7. Replace dh_clean -k with |
dh_prep. |
* Switch to source package format 3.0 (quilt), splitting the Debian |
patch as follows: |
* api-limitations.patch: Changes needed because Exim exports only the |
symbols that are part of the official API. |
* spamc-args.patch: Changes related to the arguments sent to spamc. |
* grey-clean-sender.patch: Simplify the sender address so that senders |
using VERP, SRS, etc. hopefully won't be greylisted each and every |
time. |
* grey-only-ipv4.patch: Bail out if a non-IPv4 address is encountered. |
* improved-default-conf.patch: General improvements (in my opinion) of |
the default sa-exim.conf. |
* spamd-not-nobody.patch: Strike the recommendation that spamd run as |
nobody. |
* save-path.patch: Put saved mail in /var/spool/sa-exim instead of |
/var/spool/exim. |
* readme.patch: Other additions to the README file(s). |
-- Magnus Holmgren <holmgren@debian.org> Sat, 24 Sep 2011 21:26:25 +0200 |
/trunk/debian/source/format |
0,0 → 1,0 |
3.0 (quilt) |