1# Options for spamassassin running in exim's local_scan (SA Exim)
2# By Marc MERLIN <marc_soft@merlins.org> - Initial version: April 2002
3# Sander Smeenk <ssmeenk@freshdot.net> - Improvements: March 2004
4#
5# Sample file version 1.16 for SA-Exim 4.1 - 2005/01/10
6#
7# The parse routine is minimalistic. It expects "option: value" (exactly
8# one space after the colon, and none before). You should put long lines
9# on one line. The parser isn't capable of parsing multiline values.
10#
11# SA threshold values are parsed as floats and other numerical options
12# are ints. String options have to be set. To unset them, comment out the
13# variable, don't set it to nothing.
14#
15# READ THIS:
16# ---------
17# Watch your logs, you will get errors and your messages will get
18# temporarily bounced if expansions fail. Watch your logs!
19#
20# If you are afraid that spammers might use a header that is used here
21# as a default, have exim set it to another value than 'Yes' and check
22# here for that other value.
23#
24# For every expansion, anything that doesn't expand to "" or "0"
25# (without quotes) will be considered true. If you set the string to 1,
26# it will be true without going through exim's condition evaluator (and
27# if you leave it unset, it will default to 0)
28#
29# You should not put double quotes around expressions!
30# --- snip ---
31
32# Enable basic verbose output by default. Watch your logs!
33SAEximDebug: 1
34
35
36# Default path is /usr/bin/spamc, but you can change it here
37SAspamcpath: /usr/bin/spamc
38
39# Which characters are retained from a Message-Id header (for safety, we
40# remove characters that might cause problems with shell parsing)
41# Change the default at your own risk (you also have to change this in
42# the SA greylisting patch if you use that)
43#SAsafemesgidchars: !#%( )*+,-.0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~
44
45# If SAspamcSockPath is set spamc uses socket to connect to spamd,
46# use --socketpath pathname as argument to spamd (new in SA 2.60).
47# Leave it unset if you want spamc to connect(AF_INET) to spamd at
48# 127.0.0.1 (this is the default shown in the options below), but if
49# you set it, it will override the two TCP connect options below
50#SAspamcSockPath: /var/run/spamd.sock
51
52# SAspamcHost / SAspamcPort: TCP socket where your spamd is listening
53# Shown below are the defaults:
54SAspamcHost: 127.0.0.1
55SAspamcPort: 783
56
57
58# Exim configuration string to run before running SA against the message
59# This decides whether SA gets run against the message or not.  This
60# default will not reject messages if the message had SA headers but
61# they weren't added by us.
62SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$h_X-SA-Do-Not-Run:}{Yes}} } {1}{0}}
63# Remove or comment out the following line to enable sa-exim
64SAEximRunCond: 0
65
66# If and only if SAEximRunCond was true, and we did run SA, this
67# expression decides whether we actually consider acting upon SAdevnull,
68# SApermreject, and SAtempreject if you have them set.
69#
70# Use this to tag messages that you shouldn't reject (messages sent to
71# abuse or postmaster for instance).
72#
73# X-SA-Do-Not-Rej should be set as a warn header if mail is sent to
74# postmaster and abuse (in the RCPT ACL), this way you're not bouncing
75# spam abuse reports sent to you. This is a RFC guideline.
76SAEximRejCond: ${if !eq {$h_X-SA-Do-Not-Rej:}{Yes} {1}{0}}
77
78
79# How much of the body we feed to spamassassin (in bytes)
80# Default is 250KB
81SAmaxbody: 256000
82
83# Do you want to feed SAmaxbody's worth of the message body if it is too big?
84# Either, you skip messages that are too big and not scan them, or you can
85# truncate the body and feed that to SA.
86# Note that SA will sometimes raise the spam score if it can't parse
87# the message correctly (since the end is missing, decoding will fail)
88# Default is 0: do not scan messages that are too big
89# (note that this is parsed as a condition)
90SATruncBodyCond: 0
91
92# If you want SA to report_safe you need sa-exim to rewrite the body of
93# the message since SA encapsulates the spam as a mime attachment.
94# You probably want SATruncBodyCond to be 0 or else you'll end up with a
95# partial message if it's larger than SAmaxbody and it's spam
96#
97# Also note that if you enable this option, any saved message will be saved
98# after the body has been modified by SA.
99# (this is not a condition as SA's report_safe is not conditional)
100SARewriteBody: 0
101
102# Prepend saved messages with an fake From-header to make the file look like a
103# valid mbox file
104SAPrependArchiveWithFrom: 1
105
106# If you are archiving messages that are rejected, how much do you want
107# to archive? Default is 20MB.
108SAmaxarchivebody: 20971520
109
110# On errors, if you are saving messages, you probably want the entire message
111# Default size saved (if you are saving errors) is 1GB
112SAerrmaxarchivebody: 1073741824
113
114# You can have SA-Exim add a X-SA-Exim-Rcpt-To header, which will list all
115# the recipients for the Email, unless the list gets bigger than
116# SAmaxrcptlistlength bytes.
117# The default value of 0 disables the header for privacy reasons (the header
118# exposes Bcced recipients)
119# Any value bigger than 8000 will be ignored because there is a limit on the
120# size of headers that you can have and exim's string_sprintf
121# Note that if you are planning to use greylisting, you should set this
122# value to 8000 since SA's greylisting code needs the recipients.
123SAmaxrcptlistlength: 0
124
125# Add X-SA-Exim-Rcpt-To and X-SA-Exim-Mail-From headers before SA scans
126# the message.
127# If this option is enabled, SARewiteBody is true, and safe_mode is
128# enabled in SA, you end up with the X-SA-Exim-Rcpt-To/X-SA-Exim-Mail-From in
129# the attatched message as well without the ability to remove them later in an
130# exim transport (think privacy).
131# In real life this is usually not a problem because the message is spam anyway,
132# and if you turn this off, you lose the option to use those headers to score
133# the message with SA.
134SAaddSAEheaderBeforeSA: 1
135
136# How many seconds you want to allow spamc to run. Exim 4.04 and better will
137# kill us after a default of 5 minutes. This however is not great, because the
138# mail gets temporarily rejected
139# You should set this and have SA Exim handle the timeout itself and accept the
140# message if spamc takes too long (instead of timing out)
141# A value of 0 means no timeout, and we run until exim stops us.
142# I know of at least one mail server (nanog's merit.edu) that will not
143# wait a full 5mn (which causes tempreject and resends), so the default is 4mn
144#SAtimeout: 240
145
146# Do you want to save mails that were accepted because spamc timed out?
147# Specify a directory to enable the feature.
148# SA-Exim will try to create the directory if it has the permissions to do so,
149# check your maillog for failures (or create the directory yourself and make it
150# writeable by exim)
151SAtimeoutsave: /var/spool/exim/SAtimeoutsave
152
153# You can optionally save or not save messages that matched the above rule
154SAtimeoutSavCond: 1
155
156
157# You should really create this directory for local_scan to save messages that
158# created an error. If you don't want this, comment out this variable
159# Make sure all these directories are owned by the exim user
160# SA-Exim will try to  create the directory if it has  the permissions to do
161# so, check your maillog for failures  (or create the directory yourself and
162# make it writeable by exim)
163SAerrorsave: /var/spool/exim/SAerrorsave
164
165# You can optionally save or not save messages that matched the above rule
166# You should not put double quotes around the expression
167SAerrorSavCond: 1
168
169# If you set to 1, SA will temporarily reject messages that generated an error
170# while they were processed (they'll still be saved if SAerrorsave is set).
171# Otherwise (0 = false), the messages are just accepted, which seems like a
172# more sensible default
173SAtemprejectonerror: 0
174
175
176###############################################################################
177# NOTE: Spamd needs to tell sa-exim that the message SA-Exim gave spamd
178# is spam before sa-exim will consider the SA tresholds.
179# In other words, you cannot reject mails on SA scores if you set that
180# threshold to a lower threshold than SA's required_hits value.
181# The one exception to this rule is SAtempreject (in order to let you
182# temporarily reject mail when you are doing greylisting, see
183# README.greylisting in the documentation for details)
184###############################################################################
185
186# SA score when you start stalling the sender by sending many continuation
187# lines for up to SAteergrubetime
188# This is now a string (without quotes) that gets evaluated at runtime by exim
189# but you can still assign a simple float value to it
190# Note that this is an obvious abuse of SMTP, but eh, they started it :-)
191# Of course, this means that each incoming spam with the right score threshold
192# will keep an exim process busy on your machine. Make sure you can afford it.
193# Default value is 2^20, which should disable the behavior
194
195# Please, don't teergrube people who relay for you or your own MXes :-)
196# This option is left behind for backward compatibility, but you can now
197# get the same result by putting a condition string in SAteergrube
198# The trick is to list your score if the condition succeeds, and a really
199# high score otherwise.
200#SAteergrube: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{127.0.0.2}} } {25}{1048576}}
201
202# SAteergrubecond is deprecated (replaced by SAteergrube)
203# You used to be say whether you would apply the teergrubing score with this
204# condition, but now that scores are conditions, it is obsolete
205#SAteergrubecond: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{127.0.0.2}} } {1}{0}}
206
207# How long do you want to stall the sender (in seconds)
208# If you set the value too high, you might get too many exim processes running
209# and run out of process slots
210# Remember, don't come crying if playing with this "feature" causes your mail
211# server to catch fire :-)
212SAteergrubetime: 900
213
214# You can optionally save or not save messages that matched the above rule
215SAteergrubeSavCond: 1
216
217# Do you want to save mails that you stalled for later analysis?
218# Specify a directory to enable the feature.
219# SA-Exim will try to create the directory if it has the permissions to do so,
220# check your maillog for failures (or create the directory yourself and make it
221# writeable by exim)
222SAteergrubesave: /var/spool/exim/SAteergrube
223
224# When you stall the sender, you will probably get the mail again.
225# By default, we'll  only save messages by message ID so  that we don't save
226# multiple copies every time the sender tries again.
227# Of course, this means someone could fake someone else's message ID to
228# overwrite the saved copy of another spam. Such is life :-)
229SAteergrubeoverwrite: 1
230
231
232
233# If you reach this score, the mail is accepted and tossed (/dev/nulled).
234# The default value is 2^20 which should ensure this never happens.
235# This is now a string (without quotes) that gets evaluated at runtime by exim
236# but you can still assign a simple float value to it
237# You should be really sure that the message is spam because the sender will
238# get no notification
239#SAdevnull: 20.0
240
241# You can optionally save or not save messages that matched the above rule
242SAdevnullSavCond: 1
243
244# Do you want to save mails that are tossed?
245# Specify a directory to enable the feature.
246# This is just in case you do want to keep a copy of the alledge spams somewhere
247# Messages are saved by unixdate_Message-Id or just unix date if there is no
248# Message-Id.
249# SA-Exim will try to create the directory if it has the permissions to do so,
250# check your maillog for failures (or create the directory yourself and make it
251# writeable by exim)
252SAdevnullsave: /var/spool/exim/SAdevnull
253
254
255
256# SA score when you start rejecting Emails (this is better than the above as
257# it can notify the sender in case you reject non-spam by mistake)
258# This is now a string (without quotes) that gets evaluated at runtime by exim
259# but you can still assign a simple float value to it
260# Default value is 2^20, which should disable the behavior if you comment out
261# the line below
262SApermreject: 12.0
263
264# You can optionally save or not save messages that matched the above rule
265SApermrejectSavCond: 1
266
267# Do you want to save mails that are rejected?
268# Specify a directory to enable the feature.
269# SA-Exim will try to create the directory if it has the permissions to do so,
270# check your maillog for failures (or create the directory yourself and make it
271# writeable by exim)
272SApermrejectsave: /var/spool/exim/SApermreject
273
274
275
276# SA score when you start returning a temporary reject.
277# There are few reasons to use this, except if you're reading your tempreject
278# save folder (see below) and ajusting scores on the fly, or if you are using
279# greylisting
280# This is now a string (without quotes) that gets evaluated at runtime by exim
281# but you can still assign a simple float value to it
282# Default value is 2^20, which should disable the behavior
283SAtempreject: 9.0
284
285# You can optionally save or not save messages that matched the above rule
286SAtemprejectSavCond: 1
287
288# Do you want to save mails that are temporarily rejected?
289# Specify a directory to enable the feature.
290# You could use this to analyse what SA is bouncing and adding an allow rule
291# to accept the mail next time it is sent back to you
292# SA-Exim will try to create the directory if it has the permissions to do so,
293# check your maillog for failures (or create the directory yourself and make it
294# writeable by exim)
295SAtemprejectsave: /var/spool/exim/SAtempreject
296
297# When you send back a temp reject code, you will get the mail again.
298# By default, we'll only save messages by message ID so that we don't save
299# multiple copies every time the sender tries again.
300# Of course, this means someone could fake someone else's message ID to
301# overwrite the saved copy of another spam. Such is life :-)
302SAtemprejectoverwrite: 1
303
304# See README.greylisting in the documentation for the following options
305# This is the string that SpamAssassin adds if the message is whitelisted
306# We use this to optionally increase the score needed for a tempreject
307# (in order to let a message through when it would otherwise have been
308# temprejected)
309# Default value is "GREYLIST_ISWHITE" (as used in the patch provided by SA-Exim)
310SAgreylistiswhitestr: GREYLIST_ISWHITE
311
312# By how much do we temporarly raise tempreject to allow a mail in when it
313# would otherwise have been temp rejected (because SA flagged it was whitelisted
314# by the greylisting code provided as a patch to SA in the SA-Exim distro)
315# Note that greylisting will not work in until you patch SA with the greylist
316# function
317# Note that you most likely want
318# SAtempreject + SAgreylistraisetempreject <= SApermreject
319# Default value is 3.0 but you'd probably to lower the tempreject score and
320# increase this one (see README.greylisting)
321SAgreylistraisetempreject: 3.0
322
323
324# Do you want to save mails that are flagged as spam by SA, but not rejected by
325# any of the above thresholds?  Specify a directory to enable the feature.
326# That's one way to track mails thare are going through even though they were
327# flagged by SA (note that you could also save them in exim's system_filter,
328# although copies saved here happen before exim makes modification to the
329# message like rewriting)
330# SA-Exim will try to create the directory if it has the permissions to do so,
331# check your maillog for failures (or create the directory yourself and make it
332# writeable by exim)
333SAspamacceptsave: /var/spool/exim/SAspamaccept
334
335# You can control which messages you want saved if you only want a subset
336SAspamacceptSavCond: 0
337
338
339# Do you want to save mails that are not flagged as spam by SA
340# Specify a directory to enable the feature.
341# This is only here for completeness, if you want to save all messages not
342# flagged as spam by SA (you could also do this in system_filter)
343# SA-Exim will try to create the directory if it has the permissions to do so,
344# check your maillog for failures (or create the directory yourself and make it
345# writeable by exim)
346SAnotspamsave: /var/spool/exim/SAnotspam
347
348# You can control which messages you want saved if you only want a subset
349SAnotspamSavCond: 0
350
351# All the following strings can take one '%s' which will be replaced by
352# spamstatus: "SA score, trigger score"
353SAmsgteergrubewait: Wait for more output
354SAmsgteergruberej: Please try again later
355SAmsgpermrej: Rejected
356SAmsgtemprej: Please try again later
357# This string is a static string, do not include "%s"
358SAmsgerror: Temporary local error while processing message, please contact postmaster.
359