Subversion Repositories sa-exim

Compare Revisions

Rev 66 → Rev 67

/trunk/debian/postinst
20,21 → 20,18
configure)
if [ ! -e /var/spool/sa-exim ] ; then
# Debian-exim should exist as we depend on exim4-base
install -d -m771 -oDebian-exim -gDebian-exim \
install -d -m770 -oDebian-exim -gDebian-exim \
/var/spool/sa-exim
elif [ -d /var/spool/sa-exim ]; then
# Fix permissions
chmod 771 /var/spool/sa-exim
chown Debian-exim:Debian-exim /var/spool/sa-exim
fi
# Support for greylisting tuplets (written as nobody by spamd)
# Support for greylisting tuplets (written by default as Debian-exim by spamd)
if [ ! -e /var/spool/sa-exim/tuplets ] ; then
install -d -m750 -onobody -gDebian-exim \
install -d -m770 -oDebian-exim -gDebian-exim \
/var/spool/sa-exim/tuplets
elif [ -d /var/spool/sa-exim/tuplets ]; then
# Fix permissions
chmod 771 /var/spool/sa-exim/tuplets
chown nobody:Debian-exim /var/spool/sa-exim/tuplets
elif [ `stat -c "%U:%G" /var/spool/sa-exim/tuplets` = "nobody:Debian-exim" ] &&
dpkg --compare-versions "$2" lt-nl "4.2.1-14"; then
# If ownership is as before 4.2.1-14, give the Debian-exim
# group write permissions. Bug 563492.
chmod g+w /var/spool/sa-exim/tuplets
fi
# clean up temporary file generated by postrm uninstall
if [ -e "${LOCALSCANCONF}.rul" ] && \
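Review bot: the new `elif` test leaves the `stat` substitution unquoted, so if `stat -c "%U:%G"` prints nothing or fails the test degenerates to `[ = "nobody:Debian-exim" ]`, which emits a `[: =: unary operator expected` error to the install log instead of simply evaluating false. Quote it: `elif [ "$(stat -c '%U:%G' /var/spool/sa-exim/tuplets)" = "nobody:Debian-exim" ] &&`. Second, the `chmod g+w` only covers the nobody:Debian-exim ownership the previous postinst created with `-onobody -gDebian-exim`; the NEWS entry in this same revision says a nobody:nogroup tuplets directory will break the new Debian-exim cron job, yet the postinst says nothing in that case. A one-line warning to stderr when `%U:%G` is nobody:nogroup (or anything other than Debian-exim:Debian-exim) would let the admin notice before greylistclean silently stops cleaning. Finally, with both `elif [ -d ... ]; then chmod/chown` branches removed, existing directories are never re-tightened, so the 771 to 770 change only affects fresh installs; that matches the changelog, but a comment next to `-m770` would save the next reader from checking.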
/trunk/debian/changelog
5,8 → 5,18
* Drop the defaults for SAspamcHost and SAspamcPort, deferring to spamc
as to what the defaults will be if those options are not set in
sa-exim.conf (Closes: #506571).
* The "nobody" user and "nogroup" group should not own files. Therefore,
create /var/spool/sa-exim/tuplets with Debian-exim as owner on new
installations and run greylistclean as Debian-exim by default. Don't
change ownership of already existing /var/spool/sa-exim or
/var/spool/sa-exim/tuplets, since the local admin may have different
preferences, but give the Debian-exim group the write permission it
needs if /var/spool/sa-exim/tuplets is owned by "nobody" and spamd
runs as the calling user (Closes: #563492). Add documentation to
README.Debian and remove recommendation to run spamd as "nobody" from
README and README.greylisting.
 
-- Magnus Holmgren <holmgren@debian.org> Sat, 17 Sep 2011 16:23:40 +0200
-- Magnus Holmgren <holmgren@debian.org> Sun, 18 Sep 2011 23:08:48 +0200
 
sa-exim (4.2.1-13) unstable; urgency=low
 
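Review bot: the sentence "give the Debian-exim group the write permission it needs if /var/spool/sa-exim/tuplets is owned by "nobody"" describes a broader condition than the postinst implements, which adds g+w only when ownership is exactly nobody:Debian-exim and the version being upgraded from is older than 4.2.1-14. An admin with a nobody:nogroup directory who reads this entry will expect the fix to apply to them; say "owned by nobody with group Debian-exim (as created by earlier versions of this package)" and point at the NEWS entry for the nobody:nogroup case. The entry also omits that fresh installs now get /var/spool/sa-exim and the tuplets directory with mode 770 instead of 771/750, which is a visible behaviour change for anything else that expected to traverse those directories.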
/trunk/debian/NEWS
1,3 → 1,17
sa-exim (4.2.1-14) unstable; urgency=low
 
If you are using sa-exim's greylisting plugin for SpamAssassin you may
want to review your setup. Previously the documentation recommended
running spamd as the "nobody" user. This is not a very good
recommendation as nobody/nogroup should be completely unprivileged and
thus not own anything. This version won't change the ownership of any
directories or files and won't try to fix your SpamAssassin
configuration, but if you haven't modified /etc/cron.d/greylistclean
it will be changed to run greylistclean as "Debian-exim", which won't
work if the greylisting data is owned by nobody:nogroup.
 
-- Magnus Holmgren <holmgren@debian.org> Sun, 18 Sep 2011 23:19:53 +0200
 
sa-exim (4.2.1-8) unstable; urgency=medium
 
* Since version 4.67-1, exim4 only exports those symbols that are part
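Review bot: the entry tells the admin that the cron job "won't work if the greylisting data is owned by nobody:nogroup" but not what to do about it. Add the two remedies that README.Debian in this revision spells out: either take ownership of the directory (`chown -R Debian-exim:Debian-exim /var/spool/sa-exim/tuplets`) and let spamd write as Debian-exim, which is what happens by default when spamd switches to the user SA-Exim passes to spamc, or keep the existing owner and edit the user field in /etc/cron.d/greylistclean back to the account spamd actually runs as. It is also worth stating here that the postinst adds group write to the directory only for the nobody:Debian-exim ownership that earlier versions of this package created, so nobody:nogroup installations receive no automatic adjustment at all.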
/trunk/debian/README.Debian
103,19 → 103,72
with the unsplit configuration scheme and add the local_scan_path
setting by hand, like with the hand-crafted configuration file.
 
Next, read all about greylisting and sa-exim:
 
***************
* GREYLISTING *
***************
Notes on greylisting with sa-exim.
 
If you use SpamAssassin 3.0 or better, you do not need to patch it, you
can just use the Greylisting module shipped with sa-exim.
The only thing you need to do to enable it, is to copy the 4 lines below
loadplugin in the greylisting README, and adjust the score if you wish (see
README.Greylisting for details).
Greylisting is implemented as a SpamAssassin module. To enable it you
need to add the following five lines to your SpamAssassin
configuration:
 
loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm
 
header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )")
describe GREYLIST_ISWHITE The incoming server has been whitelisted for this recipient and sender
score GREYLIST_ISWHITE -1.5
priority GREYLIST_ISWHITE 99999
 
(It is a long-standing bug that the module is installed in the wrong
directory, which is why the full path has to be specified on the
loadplugin line, but fixing it is probably not worth the disruption of
existing installations.)
 
If two messages from the same /24 network (or IP address, depending on
greylistfourthbyte), with the same sender, with the same list of
recipient, and with a score below dontgreylistthreshold are seen at
least greylistsecs apart, the triplet will be whitelisted and the
GREYLIST_ISWHITE rule will be considered to match thenceforth. That
will signal to the local_scan library to raise SAtempreject to let the
message through, in addition to the negative spam score it carries.
 
Notice that messages can be permanently rejected (score above
SApermreject) and still get a triplet whitelisted if the score is
below dontgreylistthreshold. If dontgreylistthreshold or SAtempreject
+ SAgreylistraisetempreject are less than SApermreject, some mail may
be temporarily rejected indefinitely.
 
See README.Greylisting for more details.
 
***********************
* SPAMD CONFIGURATION *
***********************
 
By default, spamd runs as root and assumes the identity of the user it
is told it is scanning mail on behalf of by whoever connects to it
(see README.spamd.gz in the spamassassin package for a discussion on
security). When SA-Exim runs spamc, this user will normally be
Debian-exim. You can set the SAspamcUser option in sa-exim.conf to
override this, but since a mail can have multiple recipients and is
only scanned once, per-user setups are problematic. Also, the
greylisting module won't work unless all users can write to the
tuplets directory.
 
Thus, when using SpamAssassin together with SA-Exim you may want to
run spamd under a specific system account by modifying the OPTIONS
variable in /etc/default/spamassassin to include a --username option.
However, if you ONLY use SpamAssassin with SA-Exim this is in practice
not strictly necessary.
 
You should NOT run spamd as the "nobody" user and/or the "nogroup"
group if you configure SpamAssassin to use sa-exim's greylisting
module, the bayesian classifier, or any helper module that needs to
write files, because nobody/nogroup should be completely unprivileged
and thus not own any files. Instead you should create a dedicated
account to run spamd under. You can then adjust the ownership of
/var/spool/sa-exim/tuplets and the username in
/etc/cron.d/greylistclean accordingly.
 
***********************************
* PROBLEMS WITH BAYES AUTO-EXPIRY *
***********************************
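Review bot: the SPAMD CONFIGURATION section says the greylisting module "won't work unless all users can write to the tuplets directory" but never states what the directory looks like with this version's defaults: postinst now creates /var/spool/sa-exim/tuplets as Debian-exim:Debian-exim with mode 770, so whatever identity spamd ends up writing as (the Debian-exim user SA-Exim hands to spamc, an SAspamcUser override, or a fixed --username account) must be Debian-exim or a member of the Debian-exim group, and the user in /etc/cron.d/greylistclean needs the same access to unlink expired entries. Say that explicitly, and make the dedicated-account paragraph at the end tell the reader to either add that account to the Debian-exim group or chown the directory to it rather than only "adjust the ownership". Two wording points in the GREYLISTING section: "with the same list of recipient" should read "recipients", and the text alternates between "triplet" and "tuplets" for the same record; pick one.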
166,4 → 219,4
file specifies conflicting options, it will prevent SA-Exim from
working. For now, you'll have to make sure that it doesn't.
 
-- Magnus Holmgren <holmgren@debian.org>, Tue, 24 Jun 2008 14:27:59 +0200
-- Magnus Holmgren <holmgren@debian.org>, Sun, 18 Sep 2011 00:11:18 +0200
/trunk/README.greylisting
159,8 → 159,8
call greylistclean and clean up greylisted entries and whitelisted entries
that haven't been used in a while.
You can optionally modify it to tweak the cleanup times.
Note that you need to tweak greylistclean.cron to match the user spamd runs
as if you aren't using the recommended --username=nobody
Note that you may need to tweak greylistclean.cron to match the user
spamd runs as.
 
 
SA PATCH (SA 2.x)
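Review bot: "you may need to tweak greylistclean.cron to match the user spamd runs as" would be more useful if it named the user the shipped file now uses, since greylistclean.cron in this same revision hardcodes Debian-exim, an account that does not exist outside Debian. Suggest: "The shipped greylistclean.cron runs the job as Debian-exim; change that to the user spamd runs as (which must be able to write the tuplets directory) if it differs."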
/trunk/README
147,9 → 147,12
 
 
Important:
You want to run spamd as such:
/usr/sbin/spamd -d -u nobody -H /var/spool/spamassassin/
 
You want to run spamd as such (you have to create the spamd user
yourself):
 
/usr/sbin/spamd -d -u spamd -H /var/spool/spamassassin/
 
It may not work if you run spamd with -c (debian default),
(you shouldn't run spamassassin as root for this purpose anyway (there
is no reason to, so why take the risk)
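Review bot: "you have to create the spamd user yourself" gives no hint of what the account needs to be: a system account with no login shell is the usual choice, and, more importantly for this package, it must be able to write the greylisting tuplets directory because spamd writes the tuplets under that identity. The paragraph should also mention that greylistclean.cron as shipped in this revision runs as Debian-exim, so a reader following this README on a non-Debian system has to change that user to spamd as well or expired entries are never removed. The unbalanced parenthesis in the context lines that follow ("(you shouldn't run spamassassin as root ... why take the risk)") predates this change but could be closed while the paragraph is being edited.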
158,7 → 161,7
/etc/sysconfig/spamassassin (redhat)
 
With SA 3.x is better, the updated syntax would look like this:
/usr/sbin/spamd --max-children 50 --daemonize --username=nobody --nouser-config --helper-home-dir=/var/spool/spamassassin/
/usr/sbin/spamd --max-children 50 --daemonize --username=spamd --nouser-config --helper-home-dir=/var/spool/spamassassin/
 
 
 
/trunk/greylistclean.cron
1,3 → 1,3
# If you don't run spamd as nobody (you should), change the user below
# be smart and don't run this as root, it doesn't need those perms
33 * * * * nobody [ -x /usr/share/sa-exim/greylistclean ] && /usr/share/sa-exim/greylistclean
# If you have configured spamd to run as a fixed user, change "Debian-exim" below.
# Be smart and don't run this as root, it doesn't need those perms
33 * * * * Debian-exim [ -x /usr/share/sa-exim/greylistclean ] && /usr/share/sa-exim/greylistclean
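Review bot: the default user in this file is now the Debian-specific Debian-exim, yet the file lives in trunk and README in this same revision tells non-Debian users to create a `spamd` account; on such systems cron will refuse to run the job as a nonexistent user and the greylisting data will accumulate indefinitely. Either keep a generic upstream default and have the Debian packaging substitute Debian-exim, or make the comment state that Debian-exim is the Debian default and that the user here must match whoever owns /var/spool/sa-exim/tuplets. "Configured spamd to run as a fixed user" should also name what that means in practice (spamd's --username option, or SAspamcUser in sa-exim.conf) so the admin knows which setting to compare against.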