/trunk/debian/postinst |
---|
20,21 → 20,18 |
configure) |
if [ ! -e /var/spool/sa-exim ] ; then |
# Debian-exim should exist as we depend on exim4-base |
install -d -m771 -oDebian-exim -gDebian-exim \ |
install -d -m770 -oDebian-exim -gDebian-exim \ |
/var/spool/sa-exim |
elif [ -d /var/spool/sa-exim ]; then |
# Fix permissions |
chmod 771 /var/spool/sa-exim |
chown Debian-exim:Debian-exim /var/spool/sa-exim |
fi |
# Support for greylisting tuplets (written as nobody by spamd) |
# Support for greylisting tuplets (written by default as Debian-exim by spamd) |
if [ ! -e /var/spool/sa-exim/tuplets ] ; then |
install -d -m750 -onobody -gDebian-exim \ |
install -d -m770 -oDebian-exim -gDebian-exim \ |
/var/spool/sa-exim/tuplets |
elif [ -d /var/spool/sa-exim/tuplets ]; then |
# Fix permissions |
chmod 771 /var/spool/sa-exim/tuplets |
chown nobody:Debian-exim /var/spool/sa-exim/tuplets |
elif [ `stat -c "%U:%G" /var/spool/sa-exim/tuplets` = "nobody:Debian-exim" ] && |
dpkg --compare-versions "$2" lt-nl "4.2.1-14"; then |
# If ownership is as before 4.2.1-14, give the Debian-exim |
# group write permissions. Bug 563492. |
chmod g+w /var/spool/sa-exim/tuplets |
fi |
# clean up temporary file generated by postrm uninstall |
if [ -e "${LOCALSCANCONF}.rul" ] && \ |
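Review bot: the new branch 'elif [ `stat -c "%U:%G" /var/spool/sa-exim/tuplets` = "nobody:Debian-exim" ] && dpkg --compare-versions "$2" lt-nl "4.2.1-14"' is unreachable as the hunk reads, because the preceding 'elif [ -d /var/spool/sa-exim/tuplets ]; then' matches whenever the directory exists, so the 'chmod g+w' for Bug 563492 would never run on an upgrade. If that '[ -d ]' branch is meant to be dropped it has to go here as well, since its 'chown nobody:Debian-exim /var/spool/sa-exim/tuplets' and 'chmod 771' contradict the changelog's promise not to touch the ownership of an existing tuplets directory; either way the stat/version test must come before any unconditional fix-up. Two smaller points: the 'elif [ -d /var/spool/sa-exim ]' fix-up still applies 'chmod 771 /var/spool/sa-exim' while new installs now get '-m770', so the world-execute bit survives only on upgraded systems, which is probably not intended; and "$2" in the dpkg --compare-versions test is the previously configured version, which lt-nl treats as newer when empty, so a fresh install correctly skips the g+w branch.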
/trunk/debian/changelog |
---|
5,8 → 5,18 |
* Drop the defaults for SAspamcHost and SAspamcPort, deferring to spamc |
as to what the defaults will be if those options are not set in |
sa-exim.conf (Closes: #506571). |
* The "nobody" user and "nogroup" group should not own files. Therefore, |
create /var/spool/sa-exim/tuplets with Debian-exim as owner on new |
installations and run greylistclean as Debian-exim by default. Don't |
change ownership of already existing /var/spool/sa-exim or |
/var/spool/sa-exim/tuplets, since the local admin may have different |
preferences, but give the Debian-exim group the write permission it |
needs if /var/spool/sa-exim/tuplets is owned by "nobody" and spamd |
runs as the calling user (Closes: #563492). Add documentation to |
README.Debian and remove recommendation to run spamd as "nobody" from |
README and README.greylisting. |
-- Magnus Holmgren <holmgren@debian.org> Sat, 17 Sep 2011 16:23:40 +0200 |
-- Magnus Holmgren <holmgren@debian.org> Sun, 18 Sep 2011 23:08:48 +0200 |
sa-exim (4.2.1-13) unstable; urgency=low |
/trunk/debian/NEWS |
---|
1,3 → 1,17 |
sa-exim (4.2.1-14) unstable; urgency=low |
If you are using sa-exim's greylisting plugin for SpamAssassin you may |
want to review your setup. Previously the documentation recommended |
running spamd as the "nobody" user. This is not a very good |
recommendation as nobody/nogroup should be completely unprivileged and |
thus not own anything. This version won't change the ownership of any |
directories or files and won't try to fix your SpamAssassin |
configuration, but if you haven't modified /etc/cron.d/greylistclean |
it will be changed to run greylistclean as "Debian-exim", which won't |
work if the greylisting data is owned by nobody:nogroup. |
-- Magnus Holmgren <holmgren@debian.org> Sun, 18 Sep 2011 23:19:53 +0200 |
sa-exim (4.2.1-8) unstable; urgency=medium |
* Since version 4.67-1, exim4 only exports those symbols that are part |
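Review bot: the closing sentence tells the admin that greylistclean as "Debian-exim" "won't work if the greylisting data is owned by nobody:nogroup" but not what to do about it; add the two remedies, either give the tuplets directory (and its contents) to Debian-exim with chown, or put the account spamd actually writes as back into /etc/cron.d/greylistclean. It is also worth stating that the layout the old postinst created by default, tuplets owned nobody:Debian-exim, is meant to keep working because postinst now grants the Debian-exim group write access for that case (Bug 563492), and that only setups where the data ended up nobody:nogroup, as the old upstream README suggested with --username=nobody, need manual attention. Since greylistclean only needs write permission on the directory to remove entries, file ownership inside it does not matter for the cron job, which is worth a half sentence so admins do not chown -R more than they have to.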
/trunk/debian/README.Debian |
---|
103,19 → 103,72 |
with the unsplit configuration scheme and add the local_scan_path |
setting by hand, like with the hand-crafted configuration file. |
Next, read all about greylisting and sa-exim: |
*************** |
* GREYLISTING * |
*************** |
Notes on greylisting with sa-exim. |
If you use SpamAssassin 3.0 or better, you do not need to patch it, you |
can just use the Greylisting module shipped with sa-exim. |
The only thing you need to do to enable it, is to copy the 4 lines below |
loadplugin in the greylisting README, and adjust the score if you wish (see |
README.Greylisting for details). |
Greylisting is implemented as a SpamAssassin module. To enable it you |
need to add the following five lines to your SpamAssassin |
configuration: |
loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm |
header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )") |
describe GREYLIST_ISWHITE The incoming server has been whitelisted for this recipient and sender |
score GREYLIST_ISWHITE -1.5 |
priority GREYLIST_ISWHITE 99999 |
(It is a long-standing bug that the module is installed in the wrong |
directory, which is why the full path has to be specified on the |
loadplugin line, but fixing it is probably not worth the disruption of |
existing installations.) |
If two messages from the same /24 network (or IP address, depending on |
greylistfourthbyte), with the same sender, with the same list of |
recipient, and with a score below dontgreylistthreshold are seen at |
least greylistsecs apart, the triplet will be whitelisted and the |
GREYLIST_ISWHITE rule will be considered to match thenceforth. That |
will signal to the local_scan library to raise SAtempreject to let the |
message through, in addition to the negative spam score it carries. |
Notice that messages can be permanently rejected (score above |
SApermreject) and still get a triplet whitelisted if the score is |
below dontgreylistthreshold. If dontgreylistthreshold or SAtempreject |
+ SAgreylistraisetempreject are less than SApermreject, some mail may |
be temporarily rejected indefinitely. |
See README.Greylisting for more details. |
*********************** |
* SPAMD CONFIGURATION * |
*********************** |
By default, spamd runs as root and assumes the identity of the user it |
is told it is scanning mail on behalf of by whoever connects to it |
(see README.spamd.gz in the spamassassin package for a discussion on |
security). When SA-Exim runs spamc, this user will normally be |
Debian-exim. You can set the SAspamcUser option in sa-exim.conf to |
override this, but since a mail can have multiple recipients and is |
only scanned once, per-user setups are problematic. Also, the |
greylisting module won't work unless all users can write to the |
tuplets directory. |
Thus, when using SpamAssassin together with SA-Exim you may want to |
run spamd under a specific system account by modifying the OPTIONS |
variable in /etc/default/spamassassin to include a --username option. |
However, if you ONLY use SpamAssassin with SA-Exim this is in practice |
not strictly necessary. |
You should NOT run spamd as the "nobody" user and/or the "nogroup" |
group if you configure SpamAssassin to use sa-exim's greylisting |
module, the bayesian classifier, or any helper module that needs to |
write files, because nobody/nogroup should be completely unprivileged |
and thus not own any files. Instead you should create a dedicated |
account to run spamd under. You can then adjust the ownership of |
/var/spool/sa-exim/tuplets and the username in |
/etc/cron.d/greylistclean accordingly. |
*********************************** |
* PROBLEMS WITH BAYES AUTO-EXPIRY * |
*********************************** |
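Review bot: the SPAMD CONFIGURATION section explains that spamd runs as root and switches to the user spamc names, and that this user "will normally be Debian-exim", but never connects that to the tuplets directory: the reason the greylisting module works on a stock install is that spamd therefore writes tuplets as Debian-exim, which is exactly what the new 770 Debian-exim:Debian-exim default in postinst relies on. One sentence in the GREYLISTING section saying that /var/spool/sa-exim/tuplets (the 'dir' in the 'header GREYLIST_ISWHITE' line) must be writable by whatever user spamd ends up scanning as would prevent the Bug 563492 class of silent failure, where greylisting simply never whitelists. The same applies to the --username advice: the last paragraph does say to adjust ownership of the directory and the user in /etc/cron.d/greylistclean, but the five-line recipe above gives no hint that it depends on that. Minor: "with the same list of recipient" should read "recipients", and the paragraph on dontgreylistthreshold versus SApermreject would be easier to follow if it spelled out the two concrete cases (score between dontgreylistthreshold and SApermreject is never whitelisted and never permanently rejected; score between the raised SAtempreject and SApermreject is tempfailed even after whitelisting unless the -1.5 brings it under).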
166,4 → 219,4 |
file specifies conflicting options, it will prevent SA-Exim from |
working. For now, you'll have to make sure that it doesn't. |
-- Magnus Holmgren <holmgren@debian.org>, Tue, 24 Jun 2008 14:27:59 +0200 |
-- Magnus Holmgren <holmgren@debian.org>, Sun, 18 Sep 2011 00:11:18 +0200 |
/trunk/README.greylisting |
---|
159,8 → 159,8 |
call greylistclean and clean up greylisted entries and whitelisted entries |
that haven't been used in a while. |
You can optionally modify it to tweak the cleanup times. |
Note that you need to tweak greylistclean.cron to match the user spamd runs |
as if you aren't using the recommended --username=nobody |
Note that you may need to tweak greylistclean.cron to match the user |
spamd runs as. |
SA PATCH (SA 2.x) |
/trunk/README |
---|
147,9 → 147,12 |
Important: |
You want to run spamd as such: |
/usr/sbin/spamd -d -u nobody -H /var/spool/spamassassin/ |
You want to run spamd as such (you have to create the spamd user |
yourself): |
/usr/sbin/spamd -d -u spamd -H /var/spool/spamassassin/ |
It may not work if you run spamd with -c (debian default), |
(you shouldn't run spamassassin as root for this purpose anyway (there |
is no reason to, so why take the risk) |
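Review bot: telling the reader to create the spamd user themselves is not enough here: that account also has to own, or at least have write access to, the tuplets directory configured for the Greylisting plugin and the /var/spool/spamassassin/ directory passed as -H, and the user in greylistclean.cron has to be changed to match, otherwise greylistclean cannot remove expired entries. A useradd line (system account, no login shell) and a chown next to the spamd command would make the recipe complete. Style point: the remark about -c has unbalanced parentheses ("(you shouldn't run spamassassin as root for this purpose anyway (there is no reason to, so why take the risk)") and should say what -c does that breaks things, rather than "may not work".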
158,7 → 161,7 |
/etc/sysconfig/spamassassin (redhat) |
With SA 3.x is better, the updated syntax would look like this: |
/usr/sbin/spamd --max-children 50 --daemonize --username=nobody --nouser-config --helper-home-dir=/var/spool/spamassassin/ |
/usr/sbin/spamd --max-children 50 --daemonize --username=spamd --nouser-config --helper-home-dir=/var/spool/spamassassin/ |
/trunk/greylistclean.cron |
---|
1,3 → 1,3 |
# If you don't run spamd as nobody (you should), change the user below |
# be smart and don't run this as root, it doesn't need those perms |
33 * * * * nobody [ -x /usr/share/sa-exim/greylistclean ] && /usr/share/sa-exim/greylistclean |
# If you have configured spamd to run as a fixed user, change "Debian-exim" below. |
# Be smart and don't run this as root, it doesn't need those perms |
33 * * * * Debian-exim [ -x /usr/share/sa-exim/greylistclean ] && /usr/share/sa-exim/greylistclean |
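Review bot: "Debian-exim" is now hardcoded in /trunk/greylistclean.cron, which is the upstream file and not the Debian packaging, so on any system without that account cron will reject the line and the greylist data is never cleaned; keep a generic user (or a clearly marked placeholder) upstream and substitute Debian-exim from the Debian build or in postinst. The comment "If you have configured spamd to run as a fixed user, change Debian-exim below" also misses the case NEWS warns about, an older install where spamd still runs as nobody and the tuplets are owned by nobody:nogroup; say explicitly that the user here must be one that can write to the tuplets directory. Running as a non-root user is the right call, so the '[ -x ... ] &&' guard and the comment about not using root should stay.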