<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML ><HEAD ><TITLE >Adding SpamAssassin</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="Spam Filtering for Mail Exchangers" HREF="index.html"><LINK REL="UP" TITLE="Exim Implementation" HREF="exim.html"><LINK REL="PREVIOUS" TITLE="Adding Anti-Virus Software" HREF="exim-av.html"><LINK REL="NEXT" TITLE="Adding Envelope Sender Signatures" HREF="exim-sign.html"></HEAD ><BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >Spam Filtering for Mail Exchangers: </TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="exim-av.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Appendix A. Exim Implementation</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="exim-sign.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="section" ><H1 CLASS="section" ><A NAME="exim-sa" ></A >A.10. Adding SpamAssassin</H1 ><P > Invoking SpamAssassin at SMTP-time is commonly done in either of two ways in Exim: </P ><P ></P ><UL ><LI ><P > Via the <TT CLASS="option" >spam</TT > condition offered by <TT CLASS="option" >Exiscan-ACL</TT >. This is the mechanism we will cover here. </P ></LI ><LI ><P > Via <TT CLASS="option" >SA-Exim</TT >, another utility written by Marc Merlins (<TT CLASS="email" ><<A HREF="mailto:marc (at) merlins.org" >marc (at) merlins.org</A >></TT >), specifically for running SpamAssassin at SMTP time in Exim. This program operates through Exim's <TT CLASS="option" >local_scan()</TT > interface, either patched directly into the Exim source code, or via Marc's own <TT CLASS="option" >dlopen()</TT > plugin (which, by the way, is included in Debian's <TT CLASS="option" >exim4-daemon-light</TT > and <TT CLASS="option" >exim4-daemon-heavy</TT > packages). </P ><P > <TT CLASS="option" >SA-Exim</TT > offers some other features as well, namely <EM >greylisting</EM > and <EM >teergrubing</EM >. However, because the scan happens after the message data has been received, neither of these two features may be as useful as they would be earlier in the SMTP transaction. </P ><P > <TT CLASS="option" >SA-Exim</TT > can be found at: <A HREF="http://marc.merlins.org/linux/exim/sa.html" TARGET="_top" >http://marc.merlins.org/linux/exim/sa.html</A >. </P ></LI ></UL ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="exim-sa-exiscan" ></A >A.10.1. Invoke SpamAssassin via Exiscan</H2 ><P > <TT CLASS="option" >Exiscan-ACL</TT >'s <SPAN CLASS="QUOTE" >"<TT CLASS="option" >spam</TT >"</SPAN > condition passes the message through either SpamAssassin or Brightmail, and triggers if these indicate that the message is junk. By default, it connects to a SpamAssassin daemon (<TT CLASS="option" >spamd</TT >) running on <TT CLASS="option" >localhost</TT >. The host address and port can be changed by adding a <TT CLASS="option" >spamd_address</TT > setting in the <EM >main</EM > section of the Exim configuration file. For more information, see the <TT CLASS="option" >exiscan-acl-spect.txt</TT > file included with the patch. </P ><P > In our implementation, we are going to reject messages classified as spam. However, we would like to keep a copy of such messages in a separate mail folder, at least for the time being. This is so that the user can periodically scan for <A HREF="gloss.html#falsepos" ><I CLASS="glossterm" >False Positive</I ></A >s. </P ><P > Exim offers <EM >controls</EM > that can be applied to a message that is accepted, such as <TT CLASS="option" >freeze</TT >. The Exiscan-ACL patch adds one more of these controls, namely <TT CLASS="option" >fakereject</TT >. This causes the following SMTP response: <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" > 550-FAKEREJECT id=<TT CLASS="parameter" ><I >message-id</I ></TT > 550-Your message has been rejected but is being kept for evaluation. 550 If it was a legit message, it may still be delivered to the target recipient(s). </PRE ></FONT ></TD ></TR ></TABLE > </P ><P > We can incorporate this feature into our implementation, by inserting the following snippet in <A HREF="exim-firstpass.html#acl_data_1" >acl_data</A >, prior to the final <TT CLASS="option" >accept</TT > statement: <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" > # Invoke SpamAssassin to obtain $spam_score and $spam_report. # Depending on the classification, $acl_m9 is set to "ham" or "spam". # # If the message is classified as spam, pretend to reject it. # warn set acl_m9 = ham spam = mail set acl_m9 = spam control = fakereject logwrite = :reject: Rejected spam (score $spam_score): $spam_report # Add an appropriate X-Spam-Status: header to the message. # warn message = X-Spam-Status: \ ${if eq {$acl_m9}{spam}{Yes}{No}} (score $spam_score)\ ${if def:spam_report {: $spam_report}} logwrite = :main: Classified as $acl_m9 (score $spam_score) </PRE ></FONT ></TD ></TR ></TABLE > </P ><P > In this example, <TT CLASS="varname" >$acl_m9</TT > is initially set to <SPAN CLASS="QUOTE" >"ham"</SPAN >. Then SpamAssassin is invoked as the user <TT CLASS="option" >mail</TT >. If the message is classified as spam, then <TT CLASS="varname" >$acl_m9</TT > is set to <SPAN CLASS="QUOTE" >"spam"</SPAN >, and the <TT CLASS="option" >FAKEREJECT</TT > response above is issued. Finally, an <TT CLASS="option" >X-Spam-Status:</TT > header is added to the message. The idea is that the <A HREF="gloss.html#mda" ><I CLASS="glossterm" >Mail Delivery Agent</I ></A > or the recipient's <A HREF="gloss.html#mua" ><I CLASS="glossterm" >Mail User Agent</I ></A > can use this header to filter junk mail into a separate folder. </P ></DIV ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="exim-sa-config" ></A >A.10.2. Configure SpamAssassin</H2 ><P > By default, SpamAssassin presents its report in a verbose, table-like format, mainly suitable for inclusion in or attachment to the message body. In our case, we want a terse report, suitable for the <TT CLASS="option" >X-Spam-Status:</TT > header in the example above. To do this, we add the following snippet in its site specific configuration file (<TT CLASS="option" >/etc/spamassassin/local.cf</TT >, <TT CLASS="option" >/etc/mail/spamassassin/local.cf</TT >, or similar): <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" > ### Report template clear_report_template report "_TESTSSCORES(, )_" </PRE ></FONT ></TD ></TR ></TABLE > </P ><P > Also, a <A HREF="gloss.html#bayesian" >Bayesian</A > scoring feature is built in, and is turned on by default. We normally want to turn this off, because it requires training that will be specific to each user, and thus is not suitable for system-wide SMTP time filtering: <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" > ### Disable Bayesian scoring use_bayes 0 </PRE ></FONT ></TD ></TR ></TABLE > </P ><P > For these changes to take effect, you have to restart the SpamAssassin daemon (<B CLASS="command" >spamd</B >). </P ></DIV ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="exim-per-user" ></A >A.10.3. User Settings and Data</H2 ><P > Say you have a number of users that want to specify their individual SpamAssassin preferences, such as the spam threshold, acceptable languages and character sets, white/blacklisted senders, and so on. Or perhaps they really want to be able to make use of SpamAssassin's native Bayesian scoring (though I don't see why<A NAME="AEN1828" HREF="#FTN.AEN1828" ><SPAN CLASS="footnote" >[1]</SPAN ></A >). </P ><P > As discussed in the <A HREF="usersettings.html" >User Settings and Data</A > section earlier in the document, there is a way for this to happen. We need to limit the number of recipients we accept per incoming mail delivery to one. We accept the first <B CLASS="command" >RCPT TO:</B > command issued by the caller, then defer subsequent ones using a <B CLASS="command" >451</B > SMTP response. As with <A HREF="exim-greylisting.html" >greylisting</A >, if the caller is a well-behaved MTA it will know how to interpret this response, and retry later. </P ><DIV CLASS="section" ><H3 CLASS="section" ><A NAME="exim-limit-one-user" ></A >A.10.3.1. Tell Exim to accept only one recipient per delivery</H3 ><P > In the <A HREF="exim-final.html#acl_rcpt_to_final" >acl_rcpt_to</A >, we insert the following statement after validating the recipient address, but before any <TT CLASS="option" >accept</TT > statements pertaining to unauthenticated deliveries from remote hosts to local users (i.e. before any greylist checks, envelope signature checks, etc): <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" > # Limit the number of recipients in each incoming message to one # to support per-user settings and data (e.g. for SpamAssassin). # # NOTE: Every mail sent to several users at your site will be # delayed for 30 minutes or more per recipient. This # significantly slow down the pace of discussion threads # involving several internal and external parties. # defer message = We only accept one recipient at a time - please try later. condition = $recipients_count </PRE ></FONT ></TD ></TR ></TABLE > </P ></DIV ><DIV CLASS="section" ><H3 CLASS="section" ><A NAME="exim-sa-as-user" ></A >A.10.3.2. Pass the recipient username to SpamAssassin</H3 ><P > In <A HREF="exim-final.html#acl_data_final" >acl_data</A >, we modify the <TT CLASS="option" >spam</TT > condition given in the previous section, so that it passes on to SpamAssassin the username specified in the local part of the recipient address. <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" > # Invoke SpamAssassin to obtain $spam_score and $spam_report. # Depending on the classification, $acl_m9 is set to "ham" or "spam". # # We pass on the username specified in the recipient address, # i.e. the portion before any '=' or '@' character, converted # to lowercase. Multiple recipients should not occur, since # we previously limited delivery to one recipient at a time. # # If the message is classified as spam, pretend to reject it. # warn set acl_m9 = ham spam = ${lc:${extract{1}{=@}{$recipients}{$value}{mail}}} set acl_m9 = spam control = fakereject logwrite = :reject: Rejected spam (score $spam_score): $spam_report </PRE ></FONT ></TD ></TR ></TABLE > </P ><P > Note that instead of using Exim's <TT CLASS="option" >${local_part:...}</TT > function to get the username, we manually extracted the portion before any <SPAN CLASS="QUOTE" >"@"</SPAN > or <SPAN CLASS="QUOTE" >"="</SPAN > character. This is because we will use the latter character in our <A HREF="exim-sign.html" >envelope signature</A > scheme, to follow. </P ></DIV ><DIV CLASS="section" ><H3 CLASS="section" ><A NAME="exim-per-user-sa" ></A >A.10.3.3. Enable per-user settings in SpamAssassin</H3 ><P > Let us now again look at SpamAssassin. First of all, you may choose to remove the <TT CLASS="option" >use_bayes 0</TT > setting that we previously added in its site-wide configuration file. In any case, each user will now have the ability to decide whether to override this setting for themselves. </P ><P > If mailboxes on your system map directly to local UNIX accounts with home directories, you are done. By default, the SpamAssassin daemon (<B CLASS="command" >spamd</B >) performs a <TT CLASS="option" >setuid()</TT > to the username we pass to it, and stores user data and settings in that user's home directory. </P ><P > If this is not the case (for instance, if your mail accounts are managed by Cyrus SASL or by another server), you need to tell SpamAssassin where to find each user's preferences and data files. Also, <B CLASS="command" >spamd</B > needs to keep running as a specific local user instead of attempting to <TT CLASS="option" >setuid()</TT > to a non-existing user. </P ><P > We do these things by specifying the options passed to <B CLASS="command" >spamd</B > at startup: </P ><P ></P ><UL ><LI ><P > On a Debian system, edit the <TT CLASS="option" >OPTIONS=</TT > setting in <TT CLASS="option" >/etc/default/spamassassin</TT >. </P ></LI ><LI ><P > On a RedHat system, edit the <TT CLASS="option" >SPAMDOPTIONS=</TT > setting in <TT CLASS="option" >/etc/sysconfig/spamassassin</TT >. </P ></LI ><LI ><P > Others, figure it out. </P ></LI ></UL ><P > The options you need are: </P ><P ></P ><UL ><LI ><P > <TT CLASS="option" >-u</TT > <TT CLASS="parameter" ><I >username</I ></TT > - specify the user under which <B CLASS="command" >spamd</B > will run (e.g. <TT CLASS="option" >mail</TT >) </P ></LI ><LI ><P > <TT CLASS="option" >-x</TT > - disable configuration files in user's home directory. </P ></LI ><LI ><P > <TT CLASS="option" >--virtual-config-dir=/var/lib/spamassassin/%u</TT > - specify where per-user settings and data are stored. <SPAN CLASS="QUOTE" >"%u"</SPAN > is replaced with the calling username. <B CLASS="command" >spamd</B > must be able to create or modify this directory: <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" > # mkdir /var/lib/spamassassin # chown -R mail:mail /var/lib/spamassassin </PRE ></FONT ></TD ></TR ></TABLE > </P ></LI ></UL ><P > Needless to say, after making these changes, you need to restart <B CLASS="command" >spamd</B >. </P ></DIV ></DIV ></DIV ><H3 CLASS="FOOTNOTES" >Notes</H3 ><TABLE BORDER="0" CLASS="FOOTNOTES" WIDTH="100%" ><TR ><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="5%" ><A NAME="FTN.AEN1828" HREF="exim-sa.html#AEN1828" ><SPAN CLASS="footnote" >[1]</SPAN ></A ></TD ><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="95%" ><P > Although it is true that Bayesian training is specific to each user, it should be noted that SpamAssassin's Bayesian classifier is, IMHO, not that stellar in any case. Especially I find this to be the case since spammers have learned to defeat such systems by seeding random dictionary words or stories in their mail (e.g. in the metadata of HTML messages). </P ></TD ></TR ></TABLE ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="exim-av.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="exim-sign.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Adding Anti-Virus Software</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="exim.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Adding Envelope Sender Signatures</TD ></TR ></TABLE ></DIV ></BODY ></HTML >