Difference between revisions of "Spamassassin"
m (Reverted edits by Etegohy (Talk) to last revision by PhilippeTeuwen) |
|||
| (4 intermediate revisions by the same user not shown) | |||
| Line 7: | Line 7: | ||
==sa-exim== |
==sa-exim== |
||
Dans /etc/exim4/sa-exim.conf chercher SAEximRunCond et soit l'activer toujours (=1) ou seulement s'il n'y a pas déjà de headers sa-exim dans le message (commenter alors la ligne avec =0) |
Dans /etc/exim4/sa-exim.conf chercher SAEximRunCond et soit l'activer toujours (=1) ou seulement s'il n'y a pas déjà de headers sa-exim dans le message (commenter alors la ligne avec =0) |
||
| + | ===Tuning SAEximRunCond=== |
||
| + | In /etc/exim4/sa-exim.conf there is a variable SAEximRunCond which is expansed for every message travelling to know if it should be sent to Spamassassin or not. |
||
| + | |||
| + | You can tune it e.g. to avoid to scan mails coming from trusted computers or even IP ranges: |
||
| + | SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{1.2.3.4}} {!eq {${mask:${sender_host_address}/24}}{10.20.30.0/24}}} } |
||
| + | |||
| + | You can also rely on existing Exim ACLs: |
||
| + | SAEximRunCond: ${if and {{def:sender_host_address}{!eq{$acl_m0}{noscan}}}} |
||
| + | So mails from localhost, from hosts we accept to relay and from authenticated connections are not scanned anymore. |
||
| + | |||
| + | This requires $acl_m0 to be defined in the ACL rules, which was apparently the case in the past but not anymore in Debian config, so here is how to restore them again (you can download [{{#file: exim4-config-acl_m0.diff}} the patch here]): |
||
| + | <source lang=diff> |
||
| + | --- /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt 2008-03-23 15:46:20.000000000 +0100 |
||
| + | +++ /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt 2008-11-14 12:21:41.000000000 +0100 |
||
| + | @@ -12,7 +12,7 @@ |
||
| + | # testing for an empty sending host field. |
||
| + | accept |
||
| + | hosts = : |
||
| + | - |
||
| + | + set acl_m0 = noscan |
||
| + | |||
| + | # The following section of the ACL is concerned with local parts that contain |
||
| + | # certain non-alphanumeric characters. Dots in unusual places are |
||
| + | @@ -146,7 +146,7 @@ |
||
| + | accept |
||
| + | hosts = +relay_from_hosts |
||
| + | control = submission/sender_retain |
||
| + | - |
||
| + | + set acl_m0 = noscan |
||
| + | |||
| + | # Accept if the message arrived over an authenticated connection, from |
||
| + | # any host. Again, these messages are usually from MUAs, so recipient |
||
| + | @@ -155,7 +155,7 @@ |
||
| + | accept |
||
| + | authenticated = * |
||
| + | control = submission/sender_retain |
||
| + | - |
||
| + | + set acl_m0 = noscan |
||
| + | |||
| + | # Insist that any other recipient address that we accept is either in one of |
||
| + | # our local domains, or is in a domain for which we explicitly allow |
||
| + | </source> |
||
==Option: Greylisting== |
==Option: Greylisting== |
||
| Line 19: | Line 61: | ||
<br>['''UPDATE'''] |
<br>['''UPDATE'''] |
||
<br>Apparemment fetchmail subit encore des refus, j'essaye maintenant avec: |
<br>Apparemment fetchmail subit encore des refus, j'essaye maintenant avec: |
||
| − | SAtempreject: ${if |
+ | SAtempreject: ${if and {{!eq {$sender_ident}{fetchmail}} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{85.234.207.100}} } {3.0}{10000.0}} |
| + | |||
On peut ajouter d'autres IPs mais il faut veiller à ce que tout tienne sur la même ligne |
On peut ajouter d'autres IPs mais il faut veiller à ce que tout tienne sur la même ligne |
||
| Line 67: | Line 110: | ||
==Learning new spam== |
==Learning new spam== |
||
Here is a script to save in e.g. /usr/local/sbin/sa-learn-from-md |
Here is a script to save in e.g. /usr/local/sbin/sa-learn-from-md |
||
| + | <source lang=bash> |
||
| − | <pre> |
||
#! /bin/sh |
#! /bin/sh |
||
| Line 106: | Line 149: | ||
exit 0 |
exit 0 |
||
| − | </ |
+ | </source> |
And you can schedule cron to call it e.g. hourly: |
And you can schedule cron to call it e.g. hourly: |
||
mx:/etc/cron.hourly# ln -s /usr/local/sbin/sa-learn-from-md |
mx:/etc/cron.hourly# ln -s /usr/local/sbin/sa-learn-from-md |
||
| Line 114: | Line 157: | ||
<br>Every hour the mails will be used to train the global spamassassin DB and then will be moved to the SPAM dir or just deleted, depending on what you've chosen. |
<br>Every hour the mails will be used to train the global spamassassin DB and then will be moved to the SPAM dir or just deleted, depending on what you've chosen. |
||
<br>If you want you can also create a "learn-ham" sub-dir and drop the false positives flagged as spam into the SPAM/learn-ham. |
<br>If you want you can also create a "learn-ham" sub-dir and drop the false positives flagged as spam into the SPAM/learn-ham. |
||
| + | ---- |
||
| + | ''Converted with [[MediaWiki#HTML-WikiConverter|HTML::WikiConverter::MediaWiki]] from my old phpwiki site'' |
||
| + | ---- |
||
| + | |||
| + | To add a sender in the blacklist: |
||
| + | |||
| + | spamassassin --add-addr-to-blacklist <email spammeur> |
||
| + | |||
| + | To add a sender in the whitelist: |
||
| + | |||
| + | spamassassin --add-addr-to-whitelist <email ami fana de HTML ;-)> |
||
Latest revision as of 22:33, 24 November 2010
Très facile à intégrer à exim4
Installation
apt-get install spamassassin sa-exim
Activer le démon spamassassin
Dans /etc/default/spamassassin mettre ENABLED à 1
sa-exim
Dans /etc/exim4/sa-exim.conf chercher SAEximRunCond et soit l'activer toujours (=1) ou seulement s'il n'y a pas déjà de headers sa-exim dans le message (commenter alors la ligne avec =0)
Tuning SAEximRunCond
In /etc/exim4/sa-exim.conf there is a variable SAEximRunCond which is expansed for every message travelling to know if it should be sent to Spamassassin or not.
You can tune it e.g. to avoid to scan mails coming from trusted computers or even IP ranges:
SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{1.2.3.4}} {!eq {${mask:${sender_host_address}/24}}{10.20.30.0/24}}} }
You can also rely on existing Exim ACLs:
SAEximRunCond: ${if and {{def:sender_host_address}{!eq{$acl_m0}{noscan}}}}
So mails from localhost, from hosts we accept to relay and from authenticated connections are not scanned anymore.
This requires $acl_m0 to be defined in the ACL rules, which was apparently the case in the past but not anymore in Debian config, so here is how to restore them again (you can download [{{#file: exim4-config-acl_m0.diff}} the patch here]):
--- /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt 2008-03-23 15:46:20.000000000 +0100
+++ /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt 2008-11-14 12:21:41.000000000 +0100
@@ -12,7 +12,7 @@
# testing for an empty sending host field.
accept
hosts = :
-
+ set acl_m0 = noscan
# The following section of the ACL is concerned with local parts that contain
# certain non-alphanumeric characters. Dots in unusual places are
@@ -146,7 +146,7 @@
accept
hosts = +relay_from_hosts
control = submission/sender_retain
-
+ set acl_m0 = noscan
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
@@ -155,7 +155,7 @@
accept
authenticated = *
control = submission/sender_retain
-
+ set acl_m0 = noscan
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
Option: Greylisting
/etc/spamassassmin/local.cf: recopier les 4 lignes mentionées dans /usr/share/doc/sa-exim/README.greylisting.gz à partir de loadplugin...
/etc/exim4/sa-exim.conf: mettre
SAtempreject: 9.0 (ou 3.0 pour un greylisting plus aggressif) SAgreylistraisetempreject: 3.0 (or 9.0)
Le total doit être <= SAPermreject!
Apparemment il faut mettre SAmaxrcptlistlength à 8000
Problème: mon fetchmail subit aussi le greylisting. Solution: rendre la valeur du threshold dépendante de l'IP d'origine, fetchmail tournant en local. Rem: la seconde IP est l'IP du vserveur mx
SAtempreject: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{85.234.207.100}} } {3.0}{10000.0}}
[UPDATE]
Apparemment fetchmail subit encore des refus, j'essaye maintenant avec:
SAtempreject: ${if and {{!eq {$sender_ident}{fetchmail}} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{85.234.207.100}} } {3.0}{10000.0}}
On peut ajouter d'autres IPs mais il faut veiller à ce que tout tienne sur la même ligne
J'ignore pourquoi mais j'avais des erreurs du style:
spamd[22130]: Reached greylisterror: creating /var/spool/sa-exim/tuplets/158/64/60/... / No such file or directory at /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 287.
J'ai résolu ce problème de permissions:
chown Debian-exim:Debian-exim /var/spool/sa-exim/tuplets
Mais maintenant le cron de nettoyage greylistclean se plaint... je l'exécute donc en tant que Debian-exim plutôt que nobody.
/etc/cron.d/greylistclean 33 * * * * Debian-exim [ -x /usr/sbin/greylistclean ] && /usr/sbin/greylistclean
Option: DNS Sender Policy Framework (SPF)
apt-get install libmail-spf-query-perl
À tester davantage...
Upside-down
If we want we can also add a SPF string in our TXT record to help others to identify forgeries with our domain name.
The wizard tells me to add the following:
teuwen.org. IN TXT "v=spf1 mx ~all" mx.yobi.be. IN TXT "v=spf1 a -all"
You can check your headers when sending a mail to an address handled by an external SMTP server, it looks like this.
- Exim server:
Received: from zeus.yobi.be ([85.234.207.98] helo=mx.yobi.be)
by xxxxxxxxx with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.60)
(envelope-from <xxxxxxxxx>)
id xxxxxxxxx
for xxxxxxxxx; Wed, 06 Dec:15:45 +0100
- Postfix server:
Received: from mx.yobi.be (zeus.yobi.be [85.234.207.98])
(using TLSv1 with cipher AES256-SHA (256/256 bits))
(No client certificate requested)
by xxxxxxxxx (Postfix) with ESMTP id xxxxxxxxx
for <xxxxxxxxx>; Wed, 6 Dec:21:24 +0100 (CET)
Here we can see a disruptance because I was masquerading the output traffic with the host IP (85.234.207.98), removing the masquerading solves the problem and the headers look like:
Received: from mx.yobi.be (mx.yobi.be [85.234.207.100])
Learning new spam
Here is a script to save in e.g. /usr/local/sbin/sa-learn-from-md
#! /bin/sh
[ -x /usr/bin/sa-learn ] || exit 0
# For every existing user who has his homedir under /home and has a Maildir
for i in $(cut -f6 -d: /etc/passwd|grep /home);
do
if [ -d $i/Maildir/.*SPAM.learn-spam/cur ];
then
# Get the mails to train spamassassin
for f in $i/Maildir/.*SPAM.learn-spam/cur/*; do
if [ -e $f ]; then
# Debian-exim does not have read access to the mails so we pipe them
cat $f|su - -s /bin/bash Debian-exim -c "sa-learn --spam" |grep -v "Learned tokens from"
# Move files to the Spam dir
#mv $f $i/Maildir/.*SPAM/cur/
# Or just delete it
rm -f $f
fi
done
fi;
if [ -d $i/Maildir/.*SPAM.learn-ham/cur ];
then
# Get the mails to train spamassassin
for f in $i/Maildir/.*SPAM.learn-ham/cur/*; do
if [ -e $f ]; then
# Debian-exim does not have read access to the mails so we pipe them
cat $f|su - -s /bin/bash Debian-exim -c "sa-learn --ham" |grep -v "Learned tokens from"
# Move files to the Inbox dir
mv $f $i/Maildir/cur/
# Or just delete it
#rm -f $f
fi
done
fi;
done
exit 0
And you can schedule cron to call it e.g. hourly:
mx:/etc/cron.hourly# ln -s /usr/local/sbin/sa-learn-from-md
So, what does it do?
To use it, create a "SPAM" directory with a "learn-spam" sub-dir in your Maildir via e.g. IMAP.
Drop the non-filtered spam you got into the SPAM/learn-spam.
Every hour the mails will be used to train the global spamassassin DB and then will be moved to the SPAM dir or just deleted, depending on what you've chosen.
If you want you can also create a "learn-ham" sub-dir and drop the false positives flagged as spam into the SPAM/learn-ham.
Converted with HTML::WikiConverter::MediaWiki from my old phpwiki site
To add a sender in the blacklist:
spamassassin --add-addr-to-blacklist <email spammeur>
To add a sender in the whitelist:
spamassassin --add-addr-to-whitelist <email ami fana de HTML ;-)>