[SA-exim] PermReject

Patrice Fournier pfournier at loups.net
Wed, 29 May 2002 21:10:56 -0400


Quoting Marc MERLIN <marc@merlins.org>:

> Yep, although you'll probably want this:
> SAEximRunCond: ${if and {{def:sender_host_address} {!eq
> {$sender_host_address}{127.0.0.1}} {! def:h_X-Spam-Flag:} } {1}{0} 
> {${lookup {$local_part} lsearch {/etc/exim/sa_skip} {0}{1}}}}
> 
> This will save you from:
> 1) scanning messages that are generated locally on your machine
> 2) Not scan messages that were already scanned elsewhere (unless you
> decide not to trust the header)

If you leave the X-Spam-Flag: check there, it also means that a spam tagged
as such by another system won't be rejected by sa-exim even if it scored
200, right?

Hmmm... is $local_part really available there? What's in there when the
message is destined to multiple recipients? Why don't we use this to check
for postmaster instead of the X-SA-Disable header?

While we're at it, has anyone configured sa-exim to scan/reject messages to
some users while accepting them for others?

I was thinking about something like this using the rcpt ACL:
if (first recipient)
  set a variable/header to indicate if SA must run for that recipient
else
  if (current_recipient SA setting != first recipient SA setting)
    temp reject

Now, if the SA setting is a boolean value, sometimes some recipients will
receive a temp reject, thus permitting us to still reject the message at SMTP
time for those users who don't want it. Of course, this is best if no other
ACL can produce a temp reject (or at least, will not do so most of the time).

I believe this would work correctly for connections from MTAs, I'm not sure
how MUAs would react to this... Oh well, as I don't scan messages coming
through authenticated connections and MUAs sending directly to a remote mx
are sending spam most of the time (or is it always?) I don't care that much
about how those MUAs will behave.

How does Yahoo do rejections of only some of the recipients? (It's Yahoo
that only rejects after DATA, right?) Fail the message and tell in the
failure that some addresses did actually go through? I'm not sure I'd like
this...

Thanks,

-- 
Patrice Fournier
pfournier@loups.net
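
The RCPT-time split proposed in the message above, as an added simulation that is not part of the original post or of sa-exim. The opt-out set, function names, example addresses and the 250/451 reply codes are assumptions, as is a sending MTA that retries temporarily rejected recipients in a later transaction.

```python
"""Simulation of the per-recipient SA split at RCPT time (constructed example)."""

# Constructed sample data: local parts that opted out of SpamAssassin scanning,
# standing in for the /etc/exim/sa_skip lookup quoted in the message.
SA_SKIP = {"postmaster", "abuse"}


def wants_scan(rcpt):
    """True when SA should run for this recipient (local part not in SA_SKIP)."""
    return rcpt.split("@", 1)[0].lower() not in SA_SKIP


def rcpt_phase(recipients):
    """One SMTP transaction: return (accepted, deferred, scan_setting).

    The first recipient fixes the SA setting for the whole transaction; any
    later recipient with a different setting gets a temporary rejection.
    """
    accepted, deferred, setting = [], [], None
    for rcpt in recipients:
        if setting is None:
            setting = wants_scan(rcpt)   # first recipient decides
        if wants_scan(rcpt) == setting:
            accepted.append(rcpt)        # 250: same setting as first recipient
        else:
            deferred.append(rcpt)        # 451: sender must retry this one later
    return accepted, deferred, setting


def deliver(recipients):
    """Model a sending MTA that retries deferred recipients in a new transaction."""
    transactions, pending = [], list(recipients)
    while pending:                       # each pass accepts at least one recipient
        accepted, pending, setting = rcpt_phase(pending)
        transactions.append({"scan": setting, "rcpts": accepted})
    return transactions


if __name__ == "__main__":
    sample = ["alice@example.org", "postmaster@example.org",
              "bob@example.org", "abuse@example.org"]
    for n, t in enumerate(deliver(sample), 1):
        print(f"transaction {n}: SA {'on' if t['scan'] else 'off'} -> {t['rcpts']}")
```

With a boolean setting the message is always split into at most two transactions, each of which can be accepted or rejected as a whole after DATA.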