# Options for spamassassin running in exim's local_scan (SA Exim)
# By Marc MERLIN <marc_soft@merlins.org> - Initial version: April 2002
# Sander Smeenk <ssmeenk@freshdot.net> - Improvements: March 2004
#
# Sample file version 1.16 for SA-Exim 4.1 - 2005/01/10
#
# The parse routine is minimalistic. It expects "option: value" (exactly
# one space after the colon, and none before). You should put long lines
# on one line. The parser isn't capable of parsing multiline values.
#
# SA threshold values are parsed as floats and other numerical options
# are ints. String options have to be set. To unset them, comment out the
# variable, don't set it to nothing.
#
# READ THIS:
# ---------
# Watch your logs, you will get errors and your messages will get
# temporarily bounced if expansions fail. Watch your logs!
#
# If you are afraid that spammers might use a header that is used here
# as a default, have exim set it to another value than 'Yes' and check
# here for that other value.
#
# For every expansion, anything that doesn't expand to "" or "0"
# (without quotes) will be considered true. If you set the string to 1,
# it will be true without going through exim's condition evaluator (and
# if you leave it unset, it will default to 0)
#
# You should not put double quotes around expressions!
# --- snip ---

# Enable basic verbose output by default. Watch your logs!
SAEximDebug: 1


# Default path is /usr/bin/spamc, but you can change it here
SAspamcpath: /usr/bin/spamc

# Which characters are retained from a Message-Id header (for safety, we
# remove characters that might cause problems with shell parsing)
# Change the default at your own risk (you also have to change this in
# the SA greylisting patch if you use that)
#SAsafemesgidchars: !#%( )*+,-.0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~

# If SAspamcSockPath is set spamc uses socket to connect to spamd,
# use --socketpath pathname as argument to spamd (new in SA 2.60).
# Leave it unset if you want spamc to connect(AF_INET) to spamd at
# 127.0.0.1 (this is the default shown in the options below), but if
# you set it, it will override the two TCP connect options below
#SAspamcSockPath: /var/run/spamd.sock

# SAspamcHost / SAspamcPort: TCP socket where your spamd is listening
# Shown below are the defaults:
SAspamcHost: 127.0.0.1
SAspamcPort: 783


# Exim configuration string to run before running SA against the message
# This decides whether SA gets run against the message or not. This
# default will not reject messages if the message had SA headers but
# they weren't added by us.
SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$h_X-SA-Do-Not-Run:}{Yes}} } {1}{0}}
# Remove or comment out the following line to enable sa-exim
SAEximRunCond: 0

# If and only if SAEximRunCond was true, and we did run SA, this
# expression decides whether we actually consider acting upon SAdevnull,
# SApermreject, and SAtempreject if you have them set.
#
# Use this to tag messages that you shouldn't reject (messages sent to
# abuse or postmaster for instance).
#
# X-SA-Do-Not-Rej should be set as a warn header if mail is sent to
# postmaster and abuse (in the RCPT ACL), this way you're not bouncing
# spam abuse reports sent to you. This is a RFC guideline.
SAEximRejCond: ${if !eq {$h_X-SA-Do-Not-Rej:}{Yes} {1}{0}}


# How much of the body we feed to spamassassin (in bytes)
# Default is 250KB
SAmaxbody: 256000

# Do you want to feed SAmaxbody's worth of the message body if it is too big?
# Either you skip messages that are too big and do not scan them, or you can
# truncate the body and feed that to SA.
# Note that SA will sometimes raise the spam score if it can't parse
# the message correctly (since the end is missing, decoding will fail)
# Default is 0: do not scan messages that are too big
# (note that this is parsed as a condition)
SATruncBodyCond: 0

# If you want SA to report_safe you need sa-exim to rewrite the body of
# the message since SA encapsulates the spam as a mime attachment.
# You probably want SATruncBodyCond to be 0 or else you'll end up with a
# partial message if it's larger than SAmaxbody and it's spam
#
# Also note that if you enable this option, any saved message will be saved
# after the body has been modified by SA.
# (this is not a condition as SA's report_safe is not conditional)
SARewriteBody: 0

# Prepend saved messages with a fake From-header to make the file look like a
# valid mbox file
SAPrependArchiveWithFrom: 1

# If you are archiving messages that are rejected, how much do you want
# to archive? Default is 20MB.
SAmaxarchivebody: 20971520

# On errors, if you are saving messages, you probably want the entire message
# Default size saved (if you are saving errors) is 1GB
SAerrmaxarchivebody: 1073741824

# You can have SA-Exim add a X-SA-Exim-Rcpt-To header, which will list all
# the recipients for the Email, unless the list gets bigger than
# SAmaxrcptlistlength bytes.
# The default value of 0 disables the header for privacy reasons (the header
# exposes Bcced recipients)
# Any value bigger than 8000 will be ignored because there is a limit on the
# size of headers that you can have and exim's string_sprintf
# Note that if you are planning to use greylisting, you should set this
# value to 8000 since SA's greylisting code needs the recipients.
SAmaxrcptlistlength: 0

# Add X-SA-Exim-Rcpt-To and X-SA-Exim-Mail-From headers before SA scans
# the message.
# If this option is enabled, SARewriteBody is true, and safe_mode is
# enabled in SA, you end up with the X-SA-Exim-Rcpt-To/X-SA-Exim-Mail-From in
# the attached message as well without the ability to remove them later in an
# exim transport (think privacy).
# In real life this is usually not a problem because the message is spam anyway,
# and if you turn this off, you lose the option to use those headers to score
# the message with SA.
SAaddSAEheaderBeforeSA: 1

# How many seconds you want to allow spamc to run. Exim 4.04 and better will
# kill us after a default of 5 minutes. This however is not great, because the
# mail gets temporarily rejected
# You should set this and have SA Exim handle the timeout itself and accept the
# message if spamc takes too long (instead of timing out)
# A value of 0 means no timeout, and we run until exim stops us.
# I know of at least one mail server (nanog's merit.edu) that will not
# wait a full 5mn (which causes tempreject and resends), so the default is 4mn
#SAtimeout: 240

# Do you want to save mails that were accepted because spamc timed out?
# Specify a directory to enable the feature.
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAtimeoutsave: /var/spool/exim/SAtimeoutsave

# You can optionally save or not save messages that matched the above rule
SAtimeoutSavCond: 1


# You should really create this directory for local_scan to save messages that
# created an error. If you don't want this, comment out this variable
# Make sure all these directories are owned by the exim user
# SA-Exim will try to create the directory if it has the permissions to do
# so, check your maillog for failures (or create the directory yourself and
# make it writeable by exim)
SAerrorsave: /var/spool/exim/SAerrorsave

# You can optionally save or not save messages that matched the above rule
# You should not put double quotes around the expression
SAerrorSavCond: 1

# If you set to 1, SA will temporarily reject messages that generated an error
# while they were processed (they'll still be saved if SAerrorsave is set).
# Otherwise (0 = false), the messages are just accepted, which seems like a
# more sensible default
SAtemprejectonerror: 0


###############################################################################
# NOTE: Spamd needs to tell sa-exim that the message SA-Exim gave spamd
# is spam before sa-exim will consider the SA thresholds.
# In other words, you cannot reject mails on SA scores if you set that
# threshold to a lower threshold than SA's required_hits value.
# The one exception to this rule is SAtempreject (in order to let you
# temporarily reject mail when you are doing greylisting, see
# README.greylisting in the documentation for details)
###############################################################################

# SA score when you start stalling the sender by sending many continuation
# lines for up to SAteergrubetime
# This is now a string (without quotes) that gets evaluated at runtime by exim
# but you can still assign a simple float value to it
# Note that this is an obvious abuse of SMTP, but eh, they started it :-)
# Of course, this means that each incoming spam with the right score threshold
# will keep an exim process busy on your machine. Make sure you can afford it.
# Default value is 2^20, which should disable the behavior

# Please, don't teergrube people who relay for you or your own MXes :-)
# This option is left behind for backward compatibility, but you can now
# get the same result by putting a condition string in SAteergrube
# The trick is to list your score if the condition succeeds, and a really
# high score otherwise.
#SAteergrube: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{127.0.0.2}} } {25}{1048576}}

# SAteergrubecond is deprecated (replaced by SAteergrube)
# You used to say whether you would apply the teergrubing score with this
# condition, but now that scores are conditions, it is obsolete
#SAteergrubecond: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{127.0.0.2}} } {1}{0}}

# How long do you want to stall the sender (in seconds)
# If you set the value too high, you might get too many exim processes running
# and run out of process slots
# Remember, don't come crying if playing with this "feature" causes your mail
# server to catch fire :-)
SAteergrubetime: 900

# You can optionally save or not save messages that matched the above rule
SAteergrubeSavCond: 1

# Do you want to save mails that you stalled for later analysis?
# Specify a directory to enable the feature.
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAteergrubesave: /var/spool/exim/SAteergrube

# When you stall the sender, you will probably get the mail again.
# By default, we'll only save messages by message ID so that we don't save
# multiple copies every time the sender tries again.
# Of course, this means someone could fake someone else's message ID to
# overwrite the saved copy of another spam. Such is life :-)
SAteergrubeoverwrite: 1



# If you reach this score, the mail is accepted and tossed (/dev/nulled).
# The default value is 2^20 which should ensure this never happens.
# This is now a string (without quotes) that gets evaluated at runtime by exim
# but you can still assign a simple float value to it
# You should be really sure that the message is spam because the sender will
# get no notification
#SAdevnull: 20.0

# You can optionally save or not save messages that matched the above rule
SAdevnullSavCond: 1

# Do you want to save mails that are tossed?
# Specify a directory to enable the feature.
# This is just in case you do want to keep a copy of the alleged spams somewhere
# Messages are saved by unixdate_Message-Id or just unix date if there is no
# Message-Id.
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAdevnullsave: /var/spool/exim/SAdevnull



# SA score when you start rejecting Emails (this is better than the above as
# it can notify the sender in case you reject non-spam by mistake)
# This is now a string (without quotes) that gets evaluated at runtime by exim
# but you can still assign a simple float value to it
# Default value is 2^20, which should disable the behavior if you comment out
# the line below
SApermreject: 12.0

# You can optionally save or not save messages that matched the above rule
SApermrejectSavCond: 1

# Do you want to save mails that are rejected?
# Specify a directory to enable the feature.
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SApermrejectsave: /var/spool/exim/SApermreject



# SA score when you start returning a temporary reject.
# There are few reasons to use this, except if you're reading your tempreject
# save folder (see below) and adjusting scores on the fly, or if you are using
# greylisting
# This is now a string (without quotes) that gets evaluated at runtime by exim
# but you can still assign a simple float value to it
# Default value is 2^20, which should disable the behavior
SAtempreject: 9.0

# You can optionally save or not save messages that matched the above rule
SAtemprejectSavCond: 1

# Do you want to save mails that are temporarily rejected?
# Specify a directory to enable the feature.
# You could use this to analyse what SA is bouncing and add an allow rule
# to accept the mail next time it is sent back to you
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAtemprejectsave: /var/spool/exim/SAtempreject

# When you send back a temp reject code, you will get the mail again.
# By default, we'll only save messages by message ID so that we don't save
# multiple copies every time the sender tries again.
# Of course, this means someone could fake someone else's message ID to
# overwrite the saved copy of another spam. Such is life :-)
SAtemprejectoverwrite: 1

# See README.greylisting in the documentation for the following options
# This is the string that SpamAssassin adds if the message is whitelisted
# We use this to optionally increase the score needed for a tempreject
# (in order to let a message through when it would otherwise have been
# temprejected)
# Default value is "GREYLIST_ISWHITE" (as used in the patch provided by SA-Exim)
SAgreylistiswhitestr: GREYLIST_ISWHITE

# By how much do we temporarily raise tempreject to allow a mail in when it
# would otherwise have been temp rejected (because SA flagged it was whitelisted
# by the greylisting code provided as a patch to SA in the SA-Exim distro)
# Note that greylisting will not work until you patch SA with the greylist
# function
# Note that you most likely want
# SAtempreject + SAgreylistraisetempreject <= SApermreject
# Default value is 3.0 but you'd probably want to lower the tempreject score
# and increase this one (see README.greylisting)
SAgreylistraisetempreject: 3.0


# Do you want to save mails that are flagged as spam by SA, but not rejected by
# any of the above thresholds? Specify a directory to enable the feature.
# That's one way to track mails that are going through even though they were
# flagged by SA (note that you could also save them in exim's system_filter,
# although copies saved here happen before exim makes modification to the
# message like rewriting)
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAspamacceptsave: /var/spool/exim/SAspamaccept

# You can control which messages you want saved if you only want a subset
SAspamacceptSavCond: 0


# Do you want to save mails that are not flagged as spam by SA
# Specify a directory to enable the feature.
# This is only here for completeness, if you want to save all messages not
# flagged as spam by SA (you could also do this in system_filter)
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAnotspamsave: /var/spool/exim/SAnotspam

# You can control which messages you want saved if you only want a subset
SAnotspamSavCond: 0

# All the following strings can take one '%s' which will be replaced by
# spamstatus: "SA score, trigger score"
SAmsgteergrubewait: Wait for more output
SAmsgteergruberej: Please try again later
SAmsgpermrej: Rejected
SAmsgtemprej: Please try again later
# This string is a static string, do not include "%s"
SAmsgerror: Temporary local error while processing message, please contact postmaster.
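
# Added example, not part of the SA-Exim distribution: a small linter for the rules the comments in this file state (the "option: value" syntax, no double quotes, the 8000-byte cap on SAmaxrcptlistlength, and SAtempreject + SAgreylistraisetempreject <= SApermreject).
# The function names, finding codes and sample input are this example's own; scores written as exim expansions are skipped because they cannot be checked statically.

```python
import re

# Constructed sample input (not the file above); it breaks several documented rules.
SAMPLE = """\
# comment lines and blank lines are skipped
SAEximDebug: 1
SAspamcPort : 783
SAtimeout:240
SAerrorsave:
SAerrorSavCond: "1"
SAmaxrcptlistlength: 9000
SAtempreject: 9.0
SAgreylistraisetempreject: 4.0
SApermreject: 12.0
SAdevnull: ${if eq {$h_X-Example:}{Yes} {20}{1048576}}
"""

# "option: value": nothing before the colon, one space after it, a non-empty value.
LINE_RE = re.compile(r"^([A-Za-z]+): (\S.*)$")

def parse(text):
    """Return (options, findings); findings are (line_number, code) tuples."""
    opts, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            findings.append((n, "syntax"))
            continue
        value = m.group(2).rstrip()
        if value.startswith('"'):
            findings.append((n, "quoted"))
        opts[m.group(1)] = (n, value)  # later line wins, as the SAEximRunCond pair relies on
    return opts, findings

def number(opts, name, default=None):
    """Literal numeric value of an option; default when unset or an exim expansion."""
    try:
        return float(opts[name][1])
    except (KeyError, ValueError):
        return default

def lint(text):
    """Syntax findings plus the cross-option checks the comments describe."""
    opts, findings = parse(text)
    rcpt = number(opts, "SAmaxrcptlistlength")
    if rcpt is not None and rcpt > 8000:
        findings.append((opts["SAmaxrcptlistlength"][0], "rcptlist-over-8000"))
    temp, perm = number(opts, "SAtempreject"), number(opts, "SApermreject")
    raise_by = number(opts, "SAgreylistraisetempreject", 3.0)  # 3.0: documented default
    if temp is not None and perm is not None and temp + raise_by > perm:
        findings.append((opts["SAtempreject"][0], "tempreject-raise-over-permreject"))
    return findings
```

# Running lint() over the file before reloading exim catches the lines the minimal parser would reject or misread; it does not evaluate exim expansions.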