From marc at merlins.org Wed Mar 3 21:17:20 2004
From: marc at merlins.org (Marc MERLIN)
Date: Wed Mar 3 21:46:59 2004
Subject: [SA-exim] How to save only "suspect" notspam?
In-Reply-To: <288B49C9EBDEAA4286D52A5CABD38531019239@eos.suptech.com>
References: <288B49C9EBDEAA4286D52A5CABD38531019239@eos.suptech.com>
Message-ID: <20040304051720.GB24773@merlins.org>

On Tue, Feb 24, 2004 at 11:32:44AM -0800, Balam Willemsen wrote:
> Hi all,
>
> I'm just migrating over to sa-exim from calling spamc from the system filter in exim3 and it works great!
>
> One thing I was doing before though that I can't seem to figure out how to do now is to save mail that was scored as ham, but scored over some threshold. This is really useful for learning false negatives since it saves the mail in the pristine form in which it was received unlike what we get back once it has been delivered to our Exchange server.
>
> I was doing this with:
>
> if ("$h_X-Spam-Status:" contains "No, ") and
>    ("$h_X-Spam-Level:" contains "***")
> then
>    unseen save /var/archives/spam/probable/$message_id
> endif
>
>
> I tried
>
> SAnotspamSavCond: ${if and { {match {$h_X-Spam-Status:}{"No, "}} {match {$h_X-Spam-Level:}{"***"}} } {1}{0}}
>
> But that doesn't seem to work. I tried escaping the *s, but that didn't help.
>
> Is there any way to do this with sa-exim without resorting to a system filter?

Nice idea, but it may not work because of exim not yet seeing the new
X-Spam headers when sa-exim just added them.
Did you check whether those even get defined by that time?

Otherwise, off hand, your condition looks ok, even though I could be
missing something by just looking at it.

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From tonye at billy.demon.nl Thu Mar 4 09:34:02 2004
From: tonye at billy.demon.nl (Tony Earnshaw)
Date: Thu Mar 4 01:22:19 2004
Subject: [SA-exim] How to save only "suspect" notspam?
In-Reply-To: <20040304051720.GB24773@merlins.org>
References: <288B49C9EBDEAA4286D52A5CABD38531019239@eos.suptech.com> <20040304051720.GB24773@merlins.org>
Message-ID: <1078389238.2694.5.camel@localhost>

On Thu, 04.03.2004 at 06.17, Marc MERLIN wrote:

> On Tue, Feb 24, 2004 at 11:32:44AM -0800, Balam Willemsen wrote:
> > Hi all,
> >
> > I'm just migrating over to sa-exim from calling spamc from the system filter in exim3 and it works great!
> >
> > One thing I was doing before though that I can't seem to figure out how to do now is to save mail that was scored as ham, but scored over some threshold. This is really useful for learning false negatives since it saves the mail in the pristine form in which it was received unlike what we get back once it has been delivered to our Exchange server.
> >
> > I was doing this with:
> >
> > if ("$h_X-Spam-Status:" contains "No, ") and
> >    ("$h_X-Spam-Level:" contains "***")
> > then
> >    unseen save /var/archives/spam/probable/$message_id
> > endif
> >
> >
> > I tried
> >
> > SAnotspamSavCond: ${if and { {match {$h_X-Spam-Status:}{"No, "}} {match {$h_X-Spam-Level:}{"***"}} } {1}{0}}
> >
> > But that doesn't seem to work. I tried escaping the *s, but that didn't help.
> >
> > Is there any way to do this with sa-exim without resorting to a system filter?
>
> Nice idea, but it may not work because of exim not yet seeing the new
> X-Spam headers when sa-exim just added them.
> Did you check whether those even get defined by that time?

Perhaps this could be done by using a procmail - or to my mind even
better Courier maildrop (can also cope with mbox-style mailboxes, not
just Maildir) - transport.

I can't check this, unfortunately.

--Tonni

--
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl

From ssmeenk at freshdot.net Fri Mar 5 10:41:07 2004
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Fri Mar 5 01:41:27 2004
Subject: [SA-exim] sa-exim cvs with greylisting support
In-Reply-To: <20040225065732.GQ2347@merlins.org>
References: <20040225065732.GQ2347@merlins.org>
Message-ID: <20040305094107.GB31567@freshdot.net>

Quoting Marc MERLIN (marc@merlins.org):

> I've implemented greylisting support in sa-exim mostly via a patch to
> SpamAssassin. This implementation is actually better than regular
> greylisting as it only happens for messages that SA scores in the
> middle (i.e. not certain it's ham or spam)

I'm thinking of implementing this on my mailservers, but I have my
doubts about what will happen to mail that comes in via my secmxes.

99% of the spam I receive is directed to my fallback mx'es.
Won't this badly affect the greylisting results?

I couldn't really find any information about what happens to spam / mail
received via secondary mxes.

Sander.
--
| My Bonnie looked into a gas tank, the height of its contents to see!
| She lit a small match to assist her, oh bring back my Bonnie to me.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D

From marc at merlins.org Fri Mar 5 08:55:25 2004
From: marc at merlins.org (Marc MERLIN)
Date: Fri Mar 5 08:55:26 2004
Subject: [SA-exim] sa-exim cvs with greylisting support
In-Reply-To: <20040305094107.GB31567@freshdot.net>
References: <20040225065732.GQ2347@merlins.org> <20040305094107.GB31567@freshdot.net>
Message-ID: <20040305165525.GI13377@merlins.org>

On Fri, Mar 05, 2004 at 10:41:07AM +0100, Sander Smeenk wrote:
> Quoting Marc MERLIN (marc@merlins.org):
>
> > I've implemented greylisting support in sa-exim mostly via a patch to
> > SpamAssassin. This implementation is actually better than regular
> > greylisting as it only happens for messages that SA scores in the
> > middle (i.e. not certain it's ham or spam)
>
> I'm thinking of implementing this on my mailservers, but I have my
> doubts about what will happen to mail that comes in via my secmxes.
>
> 99% of the spam I receive is directed to my fallback mx'es.
> Won't this badly affect the greylisting results?

Yes.
Even sa-exim in itself is not nearly as effective if you're not running it
on all your MXes. That's even more true for greylisting

I need to submit my new code though, I've added support for reading the SA
flag from within SA, and increasing the tempreject score within sa-exim just
for that mail (instead of lowering the SA score because the sender is
whitelisted)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From ssmeenk at freshdot.net Fri Mar 5 18:14:35 2004
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Fri Mar 5 09:14:46 2004
Subject: [SA-exim] sa-exim cvs with greylisting support
In-Reply-To: <20040305165525.GI13377@merlins.org>
References: <20040225065732.GQ2347@merlins.org> <20040305094107.GB31567@freshdot.net> <20040305165525.GI13377@merlins.org>
Message-ID: <20040305171435.GB14757@freshdot.net>

Quoting Marc MERLIN (marc@merlins.org):

> > 99% of the spam I receive is directed to my fallback mx'es.
> > Won't this badly affect the greylisting results?
> Yes.

Ok. Then I'll have to continue with my plans to drop my 2 current
fallbacks and have my own on my DSL line. ;)

> Even sa-exim in itself is not nearly as effective if you're not
> running it on all your MXes.

My fallbacks don't really care about huge queues of frozen mail,
apparently ;)

> I need to submit my new code though, I've added support for reading the SA
> flag from within SA, and increasing the tempreject score within sa-exim just
> for that mail (instead of lowering the SA score because the sender is
> whitelisted)

Looking forward to it, then. I'll set up my fallback mx, and implement
greylisting, if at all possible. (I don't like patching spamassassin, did
you get any feedback on your patch yet?)

Sander.
--
| Remember: If you shake it more than twice, you're playing with it!
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D

From rick at linuxmafia.com Fri Mar 5 11:30:27 2004
From: rick at linuxmafia.com (Rick Moen)
Date: Fri Mar 5 11:30:32 2004
Subject: [SA-exim] sa-exim cvs with greylisting support
In-Reply-To: <20040305094107.GB31567@freshdot.net>
References: <20040225065732.GQ2347@merlins.org> <20040305094107.GB31567@freshdot.net>
Message-ID: <20040305193027.GR1777@linuxmafia.com>

Quoting Sander Smeenk (ssmeenk@freshdot.net):

> 99% of the spam I receive is directed to my fallback mx'es.
> Won't this badly affect the greylisting results?

Funny thing about that. A bit of log analysis when I first implemented
sa-exim suggested two things:

(1) That spammers seemed to be preferentially delivering mail to
    high-numbered MX hosts.
(2) That I had carelessly let sa-exim start teergrubing my main backup
    MX. (Oops!)

My own solution, since I could not even remotely approach having the
same antispam policy on all MXes, was to discontinue using backup MXes
entirely: After all, if I couldn't bring mail back up within the
four-day timeout common to most MTAs, I wouldn't be much of a mail
admin, would I?

--
Cheers,
Rick Moen "vi is my shepherd; I shall not font."
rick@linuxmafia.com -- Psalm 0.1 beta

From baraza at africaonline.co.zw Sat Mar 6 14:50:13 2004
From: baraza at africaonline.co.zw (Bill)
Date: Sat Mar 6 04:49:49 2004
Subject: [SA-exim] FW: patching localscan_dlopen_exim_4.20_or_better.patch
Message-ID: <02cf01c40379$91271400$b9c468d8@baraza>

Hi Marc,

Thanks for your response. I am following the instructions in the install
doc, I copied sa-exim.c over src/local_scan.c did make sa-exim.h and
copied it in src/ and rebuild exim after modifying the variables in the
definition especially the location of spamc and sa-exim.conf to what I
have on my system. When I run spamd, I do not see anything in the logs
even in the SAnotspam logs, though the mails are moving as per the exim
mainlogs. I am not sure what step I have missed. Your assistance will be
highly appreciated.

Rgds,
Baraza

-----Original Message-----
From: Marc MERLIN [mailto:marc@merlins.org]
Sent: Saturday, March 06, 2004 12:52 AM
To: William Baraza
Subject: Re: patching localscan_dlopen_exim_4.20_or_better.patch

On Sat, Mar 06, 2004 at 12:01:41AM +0200, William Baraza wrote:
> Hi Marc,
> I am trying to patch localscan_dlopen_exim_4.20_or_better.patch but it
> keeps asking for a file yet no file is required from the documentation.
> I am using SunOS 5.8 with exim 4.30 and SA 2.6.3, please assist.

I don't understand your question, please rephrase.

That said, you can just patch exim with local_scan.c, as explained in the
install doc (without using dynamic local scan)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.598 / Virus Database: 380 - Release Date: 2/28/2004

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.598 / Virus Database: 380 - Release Date: 2/28/2004

From tonye at billy.demon.nl Sat Mar 6 16:25:04 2004
From: tonye at billy.demon.nl (Tony Earnshaw)
Date: Sat Mar 6 09:19:51 2004
Subject: [SA-exim] sa-exim cvs with greylisting support
In-Reply-To: <20040305193027.GR1777@linuxmafia.com>
References: <20040225065732.GQ2347@merlins.org> <20040305094107.GB31567@freshdot.net> <20040305193027.GR1777@linuxmafia.com>
Message-ID: <1078586703.8568.49.camel@localhost>

On Fri, 05.03.2004 at 20.30, Rick Moen wrote:

> My own solution, since I could not even remotely approach having the
> same antispam policy on all MXes, was to discontinue using backup MXes
> entirely: After all, if I couldn't bring mail back up within the
> four-day timeout common to most MTAs, I wouldn't be much of a mail
> admin, would I?

I was going to answer *exactly* the same, but didn't, because I was
ashamed.

The reason that I am ashamed, is that I also use Postfix to a great
extent, and this is what most Postfix admins advise (and there are some
pretty powerful orgs out there using Postfix) - "do not use backup MXs,
unless you have full control over their configurations and can sync
their anti-spam measures to your primary MX. Backup MXs are basically
worthless, anyway", for the same reasons you give.

Best,

--Tonni

--
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl

From marc at merlins.org Sat Mar 6 17:40:50 2004
From: marc at merlins.org (Marc MERLIN)
Date: Sat Mar 6 17:43:23 2004
Subject: [SA-exim] sa-exim cvs with greylisting support
In-Reply-To: <20040305171435.GB14757@freshdot.net>
References: <20040225065732.GQ2347@merlins.org> <20040305094107.GB31567@freshdot.net> <20040305165525.GI13377@merlins.org> <20040305171435.GB14757@freshdot.net>
Message-ID: <20040307014047.GA13351@merlins.org>

On Fri, Mar 05, 2004 at 06:14:35PM +0100, Sander Smeenk wrote:
> > Even sa-exim in itself is not nearly as effective if you're not
> > running it on all your MXes.
>
> My fallbacks don't really care about huge queues of frozen mail,
> apparently ;)

Silly them :)

> Looking forward to it, then. I'll set up my fallback mx, and implement
> greylisting, if at all possible. (I don't like patching spamassassin, did
> you get any feedback on your patch yet?)

They're not going to bother since they are concentrating on SA 3.0, which
will have plugin support (I had to patch the SA logic to allow my rule to
run last, which is not something SA supported in the 2.5/2.6 trees)

I'll also update my patch in the CVS tree (it was for an older SA which
just worked differently, and the patch doesn't apply well at all).

For that matter, while I can't do CVS too well over GPRS, I'll attach the
new SA patch to this mail

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

-------------- next part --------------
diff -urN SpamAssassin.orig/Conf.pm SpamAssassin/Conf.pm --- SpamAssassin.orig/Conf.pm Mon Dec 15 22:41:57 2003 +++ SpamAssassin/Conf.pm Sun Feb 29 17:42:58 2004 
@@ -107,6 +107,10 @@ use constant TYPE_URI_EVALS => 0x0011; use constant TYPE_META_TESTS => 0x0012; use constant TYPE_RBL_EVALS => 0x0013; +# Need to reserve a number with the SA folks (needs to be odd as it is an +# eval test) +use constant TYPE_RES_EVALS => 0x0021; + $VERSION = 'bogus'; # avoid CPAN.pm picking up version strings later @@ -2000,12 +2004,15 @@ =cut - if (/^header\s+(\S+)\s+(?:rbl)?eval:(.*)$/) { + if (/^header\s+(\S+)\s+(?:rbl|res)?eval:(.*)$/) { my ($name, $fn) = ($1, $2); if ($fn =~ /^check_rbl/) { $self->add_test ($name, $fn, TYPE_RBL_EVALS); } + elsif (/^header\s+(\S+)\s+reseval:(.*)$/) { + $self->add_test ($name, $fn, TYPE_RES_EVALS); + } else { $self->add_test ($name, $fn, TYPE_HEAD_EVALS); } @@ -2603,6 +2610,9 @@ } elsif ($type == TYPE_RBL_EVALS) { $self->{rbl_evals}->{$name} = \@args; + } + elsif ($type == TYPE_RES_EVALS) { + $self->{res_evals}->{$name} = \@args; } elsif ($type == TYPE_RAWBODY_EVALS) { $self->{rawbody_evals}->{$name} = \@args; diff -urN SpamAssassin.orig/EvalTests.pm SpamAssassin/EvalTests.pm --- SpamAssassin.orig/EvalTests.pm Sat Jan 17 15:56:08 2004 +++ SpamAssassin/EvalTests.pm Sun Feb 29 19:02:46 2004 
@@ -1941,6 +1941,202 @@ return $self->{habeas_swe}; } + +# This was originally written to implement greylisting in SA-Exim, although +# I have tried to make it more general and allow for reuse in other MTAs +# (although they will need to +# 1) be running SA at SMTP time +# 2) Provide the list of rcpt to and env from in some headers for SA to read +# 3) Provide the IP of the connecting host ) +# +# This rule should get a negative score so that if we've already seen the +# greylisting tuplet before, we lower the score, which hopefully brings us from +# a tempreject to an accept (at least that's how sa-exim does it) +# -- Marc 2004/01/19 + +sub greylisting { + # db/file/dir / pointer type / how many secs to greylist after 1st connection + # SA score after which we don't bother running / SMTP time data header names + my ($self, $dirorfileordb, $method, $greylisttime, $dontcheckscore, + $connectiphdr, $envfromhdr, $rcpttohdr) = @_; + my $dirorfile = shift @_; + + my $connectip; + my $envfrom; + my $rcptto; + my @rcptto; + my $iswhitelisted=0; + my $err; + my $mesgid = $self->get ('Message-Id')."\n"; + my $tuplet; + + # No newlines, thank you (yes, you need this twice apparently) + chomp ($mesgid); + chomp ($mesgid); + $mesgid =~ s/\012/|/g; + + # For stuff that we know is spam, don't greylist the host + # (that might help later spam with a lower score to come in) + if ($self->{hits} >= $dontcheckscore) + { + #warn "debug: skipping greylisting on $mesgid, since score is already ".$self->{hits}." 
and you configured greylisting to not bother with anything above $dontcheckscore\n"; + return 0; + } + + + if (not $connectip = $self->get($connectiphdr)) + { + warn "Couldn't get Connecting IP header $connectiphdr for message $mesgid, skipping greylisting call\n"; + return 0; + } + chomp($connectip); + # Clean up input (for security, if you use files/dirs) + $connectip =~ s#/#-#g; + + if (not $envfrom = $self->get($envfromhdr)) + { + warn "Couldn't get Envelope From header $envfromhdr for message $mesgid, skipping greylisting call\n"; + return 0; + } + chomp($envfrom); + # Clean up input (for security, if you use files/dirs) + $envfrom =~ s#/#-#g; + + if (not $rcptto = $self->get($rcpttohdr)) + { + warn "Couldn't get Rcpt To header $rcpttohdr for message $mesgid, skipping greylisting call\n"; + return 0; + } + chomp($rcptto); + # Clean up input (for security, if you use files/dirs) + $rcptto =~ s#/#-#g; + @rcptto = split(/, /, $rcptto); + + umask 0007; + + foreach $rcptto (@rcptto) + { + # The dir method is easy to fiddle with and expire records in (with + # a find | rm) but it's probably more I/O extensive than a real DB + # and suffers from directory size problems if a specific IP is sending + # generating tens of thousands of tuplets. 
-- Marc + # That said, I prefer formats I can easily tinker with, and not having to + # worry about buggy locking and so forth + if ($method eq "dir") + { + my ($ipbyte1, $ipbyte2, $ipbyte3, $ipbyte4) = split(/\./, $connectip); + my $ipdir1 = "$dirorfileordb/$ipbyte1"; + my $ipdir2 = "$ipdir1/$ipbyte2"; + my $ipdir3 = "$ipdir2/$ipbyte3"; + my $ipdir4 = "$ipdir3/$ipbyte4"; + my $tupletdir = "$ipdir4/$envfrom"; + + $tuplet = "$tupletdir/$rcptto"; + + # make directory whether it's there or not (faster than test and set) + mkdir $ipdir1; + mkdir $ipdir2; + mkdir $ipdir3; + mkdir $ipdir4; + mkdir $tupletdir; + + if (not -e $tuplet) + { + # If the tuplets aren't there, we create them and continue in + # case there are other ones (one of them might be whitelisted already) + $err="creating $tuplet"; + open (TUPLET, ">$tuplet") or goto greylisterror; + print TUPLET time."\n"; + print TUPLET "Status: Greylisted\n"; + print TUPLET "Last Message-Id: $mesgid\n"; + print TUPLET "Whitelisted Count: 0\n"; + print TUPLET "Query Count: 1\n"; + $err="closing first-written $tuplet"; + close TUPLET or goto greylisterror; + } + else + { + my $time; + my $status; + my $whitelistcount; + my $querycount; + + # Take into account race condition of expiring deletes and us running + $err="reading $tuplet"; + open (TUPLET, "<$tuplet") or goto greylisterror; + $err="Couldn't read time"; + defined ($time=) or goto greylisterror; + chomp ($time); + + $err="Couldn't read status"; + defined ($status=) or goto greylisterror; + chomp ($status); + $err="Couldn't extract Status from $status"; + $status =~ s/^Status: // or goto greylisterror; + + # Skip Mesg-Id + $err="Couldn't skip Mesg-Id"; + defined ($_=) or goto greylisterror; + + $err="Couldn't read whitelistcount"; + defined ($whitelistcount=) or goto greylisterror; + chomp ($whitelistcount); + $err="Couldn't extract Whitelisted Count from $whitelistcount"; + $whitelistcount =~ s/^Whitelisted Count: // or goto greylisterror; + + $err="Couldn't read 
querycount"; + defined ($querycount=) or goto greylisterror; + chomp ($querycount); + $err="Couldn't extract Query Count from $querycount"; + $querycount =~ s/^Query Count: // or goto greylisterror; + close (TUPLET); + + $querycount++; + if ((time - $time) > $greylisttime) + { + $status="Whitelisted"; + $whitelistcount++; + } + + $err="re-writing $tuplet"; + open (TUPLET, ">$tuplet") or goto greylisterror; + print TUPLET "$time\n"; + print TUPLET "Status: $status\n"; + print TUPLET "Last Message-Id: $mesgid\n"; + print TUPLET "Whitelisted Count: $whitelistcount\n"; + print TUPLET "Query Count: $querycount\n"; + $err="closing re-written $tuplet"; + close TUPLET or goto greylisterror; + + # We continue processing the other receipients, to setup or + # update their counters + if ($status eq "Whitelisted") + { + $iswhitelisted=1; + } + } + } + elsif ($method eq "file") + { + warn "codeme\n"; + } + elsif ($method eq "db") + { + warn "codeme\n"; + } + } + + return $iswhitelisted; + + greylisterror: + warn "Reached greylisterror: $err / $!"; + # delete tuplet since it apparently had issues but don't check for errors + # in case it was a permission denied on write + unlink ($tuplet); + return $iswhitelisted; +} + + ########################################################################### # BODY TESTS: ########################################################################### diff -urN SpamAssassin.orig/PerMsgStatus.pm SpamAssassin/PerMsgStatus.pm --- SpamAssassin.orig/PerMsgStatus.pm Tue Jan 20 13:40:04 2004 +++ SpamAssassin/PerMsgStatus.pm Sun Feb 29 19:01:19 2004 @@ -184,6 +184,9 @@ # add points from Bayes, before adjusting the AWL $self->{hits} += $self->{learned_hits}; + + # Now, we can run rules that have to run last + $self->do_res_eval_tests(); # Do AWL tests last, since these need the score to have already been # calculated 
@@ -2010,6 +2013,11 @@ } ########################################################################### + +sub do_res_eval_tests { + my ($self) = @_; + $self->run_eval_tests ($self->{conf}->{res_evals}, ''); +} sub do_head_eval_tests { my ($self) = @_; From marc at merlins.org Tue Mar 9 08:30:01 2004 
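Review bot: In the Conf.pm parser hunk (@@ -2000,12), the `check_rbl` test is evaluated before the new `reseval:` branch, so a rule written as `header NAME reseval:check_rbl...` is registered as TYPE_RBL_EVALS and never reaches `res_evals`, and the new branch re-matches the whole line instead of reusing what the outer regex already captured. Capturing the prefix once, for example `((?:rbl|res)?)eval:`, and dispatching on that capture first would make the precedence explicit. The comment in the first hunk also says 0x0021 still has to be reserved with the SpamAssassin maintainers, so that should be settled before anyone depends on the value.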
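Review bot: In `greylisting` (EvalTests.pm), the three header values become path components after only `s#/#-#g`, which still lets `.`, `..`, empty strings and over-long names through, and `$connectip` is split on dots without checking that it is a dotted quad. These values come from the SMTP envelope, so validate the IP as four decimal octets and encode or reject the sender and recipient before building `$tuplet`. Two smaller points in the same hunk: `my $dirorfile = shift @_;` is never used, and the update path reopens the record with `>` and rewrites it in place, so a concurrent reader can see a truncated file, fall into `greylisterror`, and unlink the record, which restarts the greylist delay; writing to a temporary file and renaming it over the record would avoid that. The `file` and `db` methods only `warn "codeme\n"`, which the documentation should state.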
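Review bot: In the PerMsgStatus.pm hunk at line 184, `do_res_eval_tests()` is called before the AWL step that the following comment says must come last, so the `$self->{hits}` value that `greylisting` compares with `$dontcheckscore` does not include the AWL adjustment; the new comment "rules that have to run last" should say they run after Bayes and before AWL. Nothing in the visible hunks initialises `$self->{conf}->{res_evals}`, so `do_res_eval_tests` passes an undefined value to `run_eval_tests` when no `reseval` rule is configured; either confirm that is handled or default it to an empty hash in Conf.pm.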
From: marc at merlins.org (Marc MERLIN)
Date: Tue Mar 9 08:30:06 2004
Subject: [SA-exim] FW: patching localscan_dlopen_exim_4.20_or_better.patch
In-Reply-To: <02cf01c40379$91271400$b9c468d8@baraza>
References: <02cf01c40379$91271400$b9c468d8@baraza>
Message-ID: <20040309163001.GF1965@merlins.org>

On Sat, Mar 06, 2004 at 02:50:13PM +0200, Bill wrote:
> > > I am trying to patch localscan_dlopen_exim_4.20_or_better.patch but it
> > > keeps asking for a file yet no file is required from the documentation.
> > > I am using SunOS 5.8 with exim 4.30 and SA 2.6.3, please assist.
> >
> > I don't understand your question, please rephrase.
> >
> > That said, you can just patch exim with local_scan.c, as explained in the
> > install doc (without using dynamic local scan)
>
> Thanks for your response. I am following the instructions in the install
> doc, I copied sa-exim.c over src/local_scan.c did make sa-exim.h and
> copied it in src/ and rebuild exim after modifying the variables in the
> definition especially the location of spamc and sa-exim.conf to what I
> have on my system. When I run spamd, I do not see anything in the logs
> even in the SAnotspam logs, though the mails are moving as per the exim
> mainlogs. I am not sure what step I have missed. Your assistance will be
> highly appreciated.

You'll have to do a little debugging yourself, but basically try the
following things:
- does spamc < spammail get the spam to spamd and does it come back scanned?
- do mails show up as scanned by spamd in syslog when they go through exim
- etc... (use your imagination, and standard debugging techniques)

SA-Exim is mostly geared for sysadmins, so the docs don't do much hand
holding or go in details over standard sysadmin work (just a heads up)

If you need such help, you may find it here, or not, depending on whether
someone has the time to give more detailed (remote) help this day or not.
However, if you have very detailed debugging info showing a breakdown
between SA-Exim or SA, or an SA-Exim problem, you should of course report it
with the appropriate debug info, and we'll look into it

Thanks,
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From marc at merlins.org Wed Mar 10 09:54:33 2004
From: marc at merlins.org (Marc MERLIN)
Date: Wed Mar 10 09:54:35 2004
Subject: [SA-exim] last sa-exim cvs before 4.0
Message-ID: <20040310175433.GC91@merlins.org>

Ok, the docs are up to date and readable by mere mortals now (thanks
Sander).

My new greylisting code has been running on my mail server with success for
a while, and all my code has been submitted in CVS.

Considering how cool I think SA+greylisting is, I'm actually going to bump
the next version number to 4.0 instead of 3.2

The CVS code can be downloaded from my page in the Changelog section:
http://marc.merlins.org/linux/exim/sa.html
http://marc.merlins.org/linux/exim/files/sa-exim-3.1+cvs.tar.gz

If you have spare time in the next few days, please give it a try
(especially the SA patch), but otherwise, I'll just release 4.0 this weekend
I think.

Thanks
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From martin.rebenstorff at web.de Mon Mar 15 22:01:59 2004
From: martin.rebenstorff at web.de (Martin Rebenstorff)
Date: Mon Mar 15 13:02:40 2004
Subject: [SA-exim] Run sa-exim as a special user
Message-ID: <1079384518.3649.12.camel@zeus.olymp.net>

Hello,

I use exim-4.30-3, spamassassin 2.61-2 and sa-exim 3.1-2 from a debian
package.

Spamassassin and exim work well, but bayes does not work well.

I have a spam mail.

If I check this mail with "spamc -c < spam.txt", then the result is:
0.5/3.0

If I check this mail with "spamc -c -u mail < spam.txt", then the result is:
5.4/3.0 ... [score 1.0000]

It is correct, because I tell spamassassin to use a system wide bayes path.
In /etc/spamassassin/local.cf "bayes_path /var/mail/.spamassassin/bayes"

Now my problem. How can I invoke sa-exim with the "-u mail" flag or is
there another way to do this?

Thanks
Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: local.cf.gz
Type: application/x-gzip
Size: 1709 bytes
Desc: not available
Url : http://lists.merlins.org/archives/sa-exim/attachments/20040315/fa8e7252/local.cf.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sa-exim.conf.gz
Type: application/x-gzip
Size: 4378 bytes
Desc: not available
Url : http://lists.merlins.org/archives/sa-exim/attachments/20040315/fa8e7252/sa-exim.conf.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spamassassin.gz
Type: application/x-gzip
Size: 261 bytes
Desc: not available
Url : http://lists.merlins.org/archives/sa-exim/attachments/20040315/fa8e7252/spamassassin.bin

From marc at merlins.org Tue Mar 16 09:57:33 2004
From: marc at merlins.org (Marc MERLIN)
Date: Tue Mar 16 09:57:36 2004
Subject: [SA-exim] SA-Exim 4.0 released
Message-ID: <20040316175733.GA16792@merlins.org>

Get it while it's hot :)
http://marc.merlins.org/linux/exim/sa.html
http://sourceforge.net/projects/sa-exim/

Deb package is here:
http://marc.merlins.org/linux/exim/files/debian/
(compiled against unstable, you might have to rebuild for testing, or wait
for official deb packages from Sander Smeenk)

Outside of the several fixes sent to me (or written by me), the big
improvement, is definitely the greylisting support.
You will have to patch your SpamAssassin (easy, it's perl, just patch on top
and restart spamd), but you should like the results.
http://marc.merlins.org/linux/exim/files/sa-exim-current/README.greylisting

The spam in my inbox has now gone from one a day or so to about 0 (from
about a hundred incoming every day)

The changelist is here:
* Added SAspamcpath (from Richard Lithvall)
* Makefile fixes for version.h and dependencies
* Added exim acl_m trick from Chirik in README
* New code to read and pass on any X-Spam- header from SpamAssassin
* Message-Id is now logged in SA log entries to allow you track down
  a message in other logfiles, like SA's log
* Add X-SA-Exim-Connect-IP header for greylisting
* Allow for tempreject on messages not flagged as spam by SA (for
  greylisting)
* Added greylisting support (see README.greylisting)
* Added the following options to sa-exim.conf:
  + SAspamcSockPath
  + SAgreylistiswhitestr
  + SAgreylistraisetempreject
* Lots of documentation fixes and updates
* Basic debian tree shipped by default (but real deb package from Sander
  Smeenk)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From ssmeenk at freshdot.net Tue Mar 16 20:45:58 2004
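The greylisting flow this release announces, modelled as an added example (not sa-exim's or the SpamAssassin patch's code): one record per (IP, sender, recipient) in a directory tree, tempreject until the record is older than the delay, then a raised tempreject threshold for that mail. Function names, the `from=`/`to=` file naming and the threshold values are assumptions; it handles IPv4 only, like the patch posted to the list.

```python
import ipaddress
import os
import tempfile
import time
from urllib.parse import quote

MAX_NAME = 200  # keep each component under the usual 255-byte name limit


def _component(prefix, value):
    """One safe path component for an envelope address, or None."""
    # quote(safe="@") percent-encodes "/", NUL and whitespace; the fixed
    # prefix means the result can never be "", "." or "..".
    name = prefix + quote(value.strip(), safe="@")
    return name if len(name) <= MAX_NAME else None


def tuple_path(base, connect_ip, env_from, rcpt):
    """Record path for (IP, sender, recipient); None if input is unusable."""
    try:
        ip = ipaddress.IPv4Address(connect_ip.strip())
    except ValueError:
        return None
    sender = _component("from=", env_from)
    recipient = _component("to=", rcpt)
    if sender is None or recipient is None:
        return None
    return os.path.join(base, *str(ip).split("."), sender, recipient)


def _read(path):
    """Parse a record; None if it is missing or malformed."""
    try:
        with open(path, encoding="ascii") as fh:
            lines = fh.read().splitlines()
        return {"first_seen": int(lines[0]),
                "whitelisted": int(lines[2].split(": ", 1)[1]),
                "queries": int(lines[3].split(": ", 1)[1])}
    except (OSError, ValueError, IndexError):
        return None


def _write(path, rec, status):
    """Write to a temp file, then rename, so readers never see half a record."""
    folder = os.path.dirname(path)
    os.makedirs(folder, mode=0o770, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=folder, prefix="tmp.")
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(f"{rec['first_seen']}\nStatus: {status}\n"
                 f"Whitelisted Count: {rec['whitelisted']}\n"
                 f"Query Count: {rec['queries']}\n")
    os.replace(tmp, path)


def greylist_check(base, connect_ip, env_from, rcpts, score, skip_score,
                   delay, now=None):
    """True if any tuple for this message is older than the greylist delay."""
    now = int(time.time()) if now is None else now
    if score >= skip_score:
        return False  # already scored as spam: do not let it age a record
    whitelisted = False
    for rcpt in rcpts:
        path = tuple_path(base, connect_ip, env_from, rcpt)
        if path is None:
            continue
        # A missing or damaged record is treated as a first sighting.
        rec = _read(path) or {"first_seen": now, "whitelisted": 0,
                              "queries": 0}
        rec["queries"] += 1
        status = "Greylisted"
        if now - rec["first_seen"] > delay:
            status = "Whitelisted"
            rec["whitelisted"] += 1
            whitelisted = True
        _write(path, rec, status)
    return whitelisted


def smtp_verdict(score, whitelisted, tempreject=4.0, raise_by=6.0):
    """SMTP-time decision; both thresholds are constructed sample values."""
    limit = tempreject + raise_by if whitelisted else tempreject
    return "tempreject" if score >= limit else "accept"


def demo():
    """Constructed run: one sender retrying a mid-scoring message."""
    out = []
    with tempfile.TemporaryDirectory() as base:
        args = (base, "192.0.2.10", "sender@example.org", ["user@example.net"])
        for now in (1000, 1100, 1400):  # retries at +0 s, +100 s, +400 s
            white = greylist_check(*args, score=5.0, skip_score=10.0,
                                   delay=300, now=now)
            out.append(smtp_verdict(5.0, white))
    return out


if __name__ == "__main__":
    print(demo())
```
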
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Tue Mar 16 11:46:12 2004
Subject: [SA-exim] sa-exim_4.0-1_i386.changes ACCEPTED
Message-ID: <20040316194558.GB18429@freshdot.net>

Hello,

SA-Exim 4.0-1 will hit the Debian mirrors tonight:

Accepted:
sa-exim_4.0-1.diff.gz
  to pool/main/s/sa-exim/sa-exim_4.0-1.diff.gz
sa-exim_4.0-1.dsc
  to pool/main/s/sa-exim/sa-exim_4.0-1.dsc
sa-exim_4.0-1_i386.deb
  to pool/main/s/sa-exim/sa-exim_4.0-1_i386.deb
sa-exim_4.0.orig.tar.gz
  to pool/main/s/sa-exim/sa-exim_4.0.orig.tar.gz

Kind regards,
Sander Smeenk.
--
| Wrap your troubles in a dream, and dream your troubles away...
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D

From marc at merlins.org Tue Mar 16 11:53:19 2004
From: marc at merlins.org (Marc MERLIN)
Date: Tue Mar 16 11:53:21 2004
Subject: [SA-exim] sa-exim_4.0-1_i386.changes ACCEPTED
In-Reply-To: <20040316194558.GB18429@freshdot.net>
References: <20040316194558.GB18429@freshdot.net>
Message-ID: <20040316195319.GA9880@merlins.org>

On Tue, Mar 16, 2004 at 08:45:58PM +0100, Sander Smeenk wrote:
> Hello,
>
> SA-Exim 4.0-1 will hit the Debian mirrors tonight:
>
> Accepted:
> sa-exim_4.0-1.diff.gz
>   to pool/main/s/sa-exim/sa-exim_4.0-1.diff.gz
> sa-exim_4.0-1.dsc
>   to pool/main/s/sa-exim/sa-exim_4.0-1.dsc
> sa-exim_4.0-1_i386.deb
>   to pool/main/s/sa-exim/sa-exim_4.0-1_i386.deb
> sa-exim_4.0.orig.tar.gz
>   to pool/main/s/sa-exim/sa-exim_4.0.orig.tar.gz

Damn, that was fast :)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From ssmeenk at freshdot.net Tue Mar 16 21:16:38 2004
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Tue Mar 16 12:16:47 2004
Subject: [SA-exim] sa-exim_4.0-1_i386.changes ACCEPTED
In-Reply-To: <20040316195319.GA9880@merlins.org>
References: <20040316194558.GB18429@freshdot.net> <20040316195319.GA9880@merlins.org>
Message-ID: <20040316201638.GA10848@freshdot.net>

Quoting Marc MERLIN (marc@merlins.org):

> > SA-Exim 4.0-1 will hit the Debian mirrors tonight:
> Damn, that was fast :)

That's because you already did most of the work :)
I could have done with just changing the name in the changelog entry.

I wish the snort packages worked the same way ;)

Thanks,
Sander
--
| Going to church doesn't make you a Christian any more than standing
| in a garage makes you a car.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D

From tonye at billy.demon.nl Tue Mar 16 19:39:25 2004
From: tonye at billy.demon.nl (Tony Earnshaw)
Date: Tue Mar 16 12:24:27 2004
Subject: [SA-exim] SA-Exim 4.0 released
In-Reply-To: <20040316175733.GA16792@merlins.org>
References: <20040316175733.GA16792@merlins.org>
Message-ID: <1079462364.13535.32.camel@localhost>

On Tue, 16.03.2004 at 18.57, Marc MERLIN wrote:

> Get it while it's hot :)

U r dee bossman, bossman.

Something to concentrate on for 5.0: per user local.cf, *or*,
as I have with Scott Dier's amavisd-new LDAP patch, LDAP-based per user
preferences outside of local.cf.

Give you something to do in your extra free time ;)

Best,

--Tonni

--
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl

From jvanasco at mastersofbranding.com Tue Mar 16 16:24:10 2004
From: jvanasco at mastersofbranding.com (Jonathan Vanasco)
Date: Tue Mar 16 13:24:21 2004
Subject: [SA-exim] SA-Exim 4.0 released
In-Reply-To: <1079462364.13535.32.camel@localhost>
References: <20040316175733.GA16792@merlins.org>
	<1079462364.13535.32.camel@localhost>
Message-ID: <43BD357C-7790-11D8-A604-000393863D5E@mastersofbranding.com>

On Mar 16, 2004, at 1:39 PM, Tony Earnshaw wrote:
> LDAP-based per user
> preferences outside

this caught my attention...

glancing slightly off topic for a moment, has anyone experimented with
ldap based per user prefs?

From marc at merlins.org Tue Mar 16 15:43:03 2004
From: marc at merlins.org (Marc MERLIN)
Date: Tue Mar 16 15:43:06 2004
Subject: [SA-exim] per user SA preferences
In-Reply-To: <1079462364.13535.32.camel@localhost>
References: <20040316175733.GA16792@merlins.org>
	<1079462364.13535.32.camel@localhost>
Message-ID: <20040316234303.GE9880@merlins.org>

On Tue, Mar 16, 2004 at 07:39:25PM +0100, Tony Earnshaw wrote:
> tir, 16.03.2004 kl. 18.57 skrev Marc MERLIN:
>
> > Get it while it's hot :)
>
> U r dee bossman, bossman.
>
> Something to concentrate on for 5.0: per user local.cf, *or*,
> as I have with Scott Dier's amavisd-new LDAP patch, LDAP-based per user
> preferences outside of local.cf.

I'll be honest, that one might be less likely because
1) it's not trivial
2) I don't have a need for it myself (although I might later, in which
   case, I'll revisit :)

But I think it's doable within exim, is it not?
http://lists.merlins.org/archives/sa-exim/2003-June/000442.html

You, or someone else should give that a try. If you need a tiny bit of
sa-exim glue to make it work, I should be able to help.

> Give you something to do in your extra free time ;)

I have so much of it, thanks much :)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From J.Horne at plymouth.ac.uk Thu Mar 18 12:14:04 2004
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Thu Mar 18 04:14:06 2004
Subject: [SA-exim] Installation problems
Message-ID: <1079612032.19510.4.camel@jhorne.csd.plymouth.ac.uk>

Hello,

I've just downloaded sa-exim 4.0 and am trying to install it onto a
Solaris 9 system with exim 4.30.

First I see the INSTALL file says:

  Note that if you do this, you are responsible for modifying variables
  in sa-exim.c that would normally have been modified by the Makefile.

What variables? I'm happy enough to install patches and the like, but do
I have to go through the whole of the source to see what exim may
change? How do I know if it is something that exim would normally
modify?

Secondly, the document says:

  In the sa-exim distribution directory, type make sa-exim.h, and copy
  it in the same place than sa-exim.c.

Tried that and got:

  make sa-exim.h
  echo "char *version=\"`cat version` (built `date -R`)\";" > sa-exim.h
  date: illegal option -- R
  usage:  date [-u] mmddHHMM[[cc]yy][.SS]
          date [-u] [+format]
          date -a [-]sss[.fff]
  *** Error code 1
  make: Fatal error: Command failed for target `sa-exim.h'

Okay I can remove the '-R' option but I am assuming this won't break
anything that looks for the date? What is '-R' supposed to do?

Thanks,

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: John.Horne@plymouth.ac.uk Fax: +44 (0)1752 233839

From J.Horne at plymouth.ac.uk Thu Mar 18 13:07:07 2004
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Thu Mar 18 05:07:07 2004
Subject: [SA-exim] Compilation warnings
Message-ID: <1079615217.19510.13.camel@jhorne.csd.plymouth.ac.uk>

Hello,

Compiling sa-exim 4.0 on a Solaris 9 system (gcc version 2.95.3
20010315), gives two warnings:

  ../Local/sa-exim.c: In function `local_scan':
  ../Local/sa-exim.c:1100: warning: assignment makes pointer from integer without a cast
  ../Local/sa-exim.c:1101: warning: assignment makes pointer from integer without a cast

Regards,

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: John.Horne@plymouth.ac.uk Fax: +44 (0)1752 233839

From marc at merlins.org Thu Mar 18 07:33:30 2004
From: marc at merlins.org (Marc MERLIN)
Date: Thu Mar 18 07:33:32 2004
Subject: [SA-exim] Installation problems
In-Reply-To: <1079615217.19510.13.camel@jhorne.csd.plymouth.ac.uk>
	<1079612032.19510.4.camel@jhorne.csd.plymouth.ac.uk>
References: <1079615217.19510.13.camel@jhorne.csd.plymouth.ac.uk>
	<1079612032.19510.4.camel@jhorne.csd.plymouth.ac.uk>
Message-ID: <20040318153330.GB32183@merlins.org>

On Thu, Mar 18, 2004 at 12:13:52PM +0000, John Horne wrote:
> Hello,
>
> I've just downloaded sa-exim 4.0 and am trying to install it onto a
> Solaris 9 system with exim 4.30.
>
> First I see the INSTALL file says:
>
>   Note that if you do this, you are responsible for modifying variables
>   in sa-exim.c that would normally have been modified by the Makefile.
>
> What variables? I'm happy enough to install patches and the like, but do

#ifndef SPAMC_LOCATION
#define SPAMC_LOCATION "/usr/bin/spamc"
#endif

#ifndef SPAMASSASSIN_CONF
#define SPAMASSASSIN_CONF "/etc/exim4/sa-exim.conf"
#endif

Basically, what the makefile can override with -D

> Secondly, the document says:
>
>   In the sa-exim distribution directory, type make sa-exim.h, and copy
>   it in the same place than sa-exim.c.
>
> Tried that and got:
>
>   make sa-exim.h
>   echo "char *version=\"`cat version` (built `date -R`)\";" > sa-exim.h
>   date: illegal option -- R
>   usage:  date [-u] mmddHHMM[[cc]yy][.SS]
>           date [-u] [+format]
>           date -a [-]sss[.fff]
>   *** Error code 1
>   make: Fatal error: Command failed for target `sa-exim.h'
>
> Okay I can remove the '-R' option but I am assuming this won't break
> anything that looks for the date? What is '-R' supposed to do?

Ah, yeah, I keep forgetting there are still systems with non GNU fileutils

  -R, --rfc-2822
         output RFC-2822 compliant date string

You can remove it, it's just that without it, multi-byte locales would
output multibyte characters for date (without -R), making the C code
unhappy after that.

On Thu, Mar 18, 2004 at 01:06:57PM +0000, John Horne wrote:
> Hello,
>
> Compiling sa-exim 4.0 on a Solaris 9 system (gcc version 2.95.3
> 20010315), gives two warnings:
>
>   ../Local/sa-exim.c: In function `local_scan':
>   ../Local/sa-exim.c:1100: warning: assignment makes pointer from
> integer without a cast
>   ../Local/sa-exim.c:1101: warning: assignment makes pointer from
> integer without a cast

I take it we're talking about this:
    char *start;
    char *end;
    char *mesgid=NULL;

    start=index(buffer, '<');
    end=index(buffer, '>');

    if (start == NULL || end == NULL)

My index man page says that it's supposed to return a char *
What does yours?

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From J.Horne at plymouth.ac.uk Thu Mar 18 16:58:44 2004
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Thu Mar 18 08:58:45 2004
Subject: [SA-exim] Too much logging?
Message-ID: <1079629111.19510.53.camel@jhorne.csd.plymouth.ac.uk>

Hello,

Well I have sa-exim 4.0 up and running in a test environment. However,
even if I set:

  SAEximDebug: 0

I still get two or three lines per message logged to my main log.
Considering each arriving message logs about three lines anyway, this
means that my log files will (approx) double in size. Is there any way
to really disable logging? We receive far more mail that is received,
rejected, delivered or whatever than the few that we have to trace to
find out what happened. As such exim does enough logging for us.

Putting log lines such as 'flagged as Spam but accepted' at a log level
of 1 or more is fine, but I think a level of '0' should mean no
additional logging at all.

Thanks,

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: John.Horne@plymouth.ac.uk Fax: +44 (0)1752 233839

From marc at merlins.org Thu Mar 18 10:36:44 2004
From: marc at merlins.org (Marc MERLIN)
Date: Thu Mar 18 10:36:46 2004
Subject: [SA-exim] Installation problems
In-Reply-To: <20040318153330.GB32183@merlins.org>
References: <1079615217.19510.13.camel@jhorne.csd.plymouth.ac.uk>
	<1079612032.19510.4.camel@jhorne.csd.plymouth.ac.uk>
	<20040318153330.GB32183@merlins.org>
Message-ID: <20040318183644.GD15826@merlins.org>

On Thu, Mar 18, 2004 at 07:33:30AM -0800, Marc MERLIN wrote:
> >   echo "char *version=\"`cat version` (built `date -R`)\";" > sa-exim.h
> >   date: illegal option -- R
> >   usage:  date [-u] mmddHHMM[[cc]yy][.SS]
> >           date [-u] [+format]
> >           date -a [-]sss[.fff]
> >   *** Error code 1
> >   make: Fatal error: Command failed for target `sa-exim.h'
> >
> > Okay I can remove the '-R' option but I am assuming this won't break
> > anything that looks for the date? What is '-R' supposed to do?
>
> Ah, yeah, I keep forgetting there are still systems with non GNU fileutils

Fixed in CVS if you have GNU fileutils or a single byte locale

sa-exim.h: sa-exim.c version
	echo "char *version=\"`cat version` (built `date -R 2>/dev/null || date` )\";" > sa-exim.h

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From marc at merlins.org Thu Mar 18 15:15:23 2004
From: marc at merlins.org (Marc MERLIN)
Date: Thu Mar 18 15:15:25 2004
Subject: [SA-exim] Too much logging?
In-Reply-To: <1079651376.3159.19.camel@ash.trees99.org.uk>
References: <1079629111.19510.53.camel@jhorne.csd.plymouth.ac.uk>
	<20040318181618.GC15826@merlins.org>
	<1079651376.3159.19.camel@ash.trees99.org.uk>
Message-ID: <20040318231523.GQ15826@merlins.org>

On Thu, Mar 18, 2004 at 11:09:37PM +0000, John Horne wrote:
> On Thu, 2004-03-18 at 18:16, Marc MERLIN wrote:
> > On Thu, Mar 18, 2004 at 04:58:32PM +0000, John Horne wrote:
> > > Hello,
> > >
> > > Well I have sa-exim 4.0 up and running in a test environment. However,
> > > even if I set:
> > >
> > >   SAEximDebug: 0
> > >
> > > I still get two or three lines per message logged to my main log.
> >
> > Can you do me a favour and paste those to me, that will save me the time to
> > look for them
> >
> Okay, the ones I have (snipped) are:
>
> 2004-03-18 22:32:17 1B463P-0001z8-4w SA: Action: scanned but message
> isn't spam: hits=1.9 required=8.0 (scanned in 0/0 secs | Message-Id:
>
> 2004-03-18 22:44:06 1B46Ee-0002Yq-9y SA: Notice: SAEximRejCond
> expanded to false, not applying reject rules
>
> 2004-03-18 22:44:06 1B46Ee-0002Yq-9y SA: Action: flagged as Spam but
> accepted: hits=21.9 required=8.0 (scanned in 0/0 secs | Message-Id:
>
> 2004-03-18 23:04:52 1B46Yu-0003lv-7V SA: Action: Not running SA
> because SAEximRunCond expanded to false (Message-Id:
>
>
> The first one occurs for mail that is okay - not spam. The second two
> occur together and happen when mail is spam but is allowed through.
> (I am currently running sa-exim to have email flagged by SA but not
> rejected. Rejection occurs later with an exim router.) The final one
> occurs for (in our case) error messages, mail to postmaster, abuse
> addresses, etc.

Right. Those were actually meant to be that way, they're not for
debugging, but for telling you what sa-exim is doing with your mail.

I suppose I *could* put something horrid like a debuglevel of -1 which
removes even those, but considering that you're compiling from source
anyway, until I hear more people asking for the same, you're better off
removing them from the source in your compile

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From jeffc at apeirogon.org Thu Mar 18 20:53:26 2004
From: jeffc at apeirogon.org (Jeffrey D. Carter)
Date: Thu Mar 18 17:54:37 2004
Subject: [SA-exim] Installation problems
In-Reply-To: Your message of "Thu, 18 Mar 2004 07:33:30 PST."
	<20040318153330.GB32183@merlins.org>
Message-ID: <22146.1079661206@apeirogon.org>

Marc MERLIN writes:
>-------------------------------------------------------------------------<
| On Thu, Mar 18, 2004 at 12:13:52PM +0000, John Horne wrote:
| On Thu, Mar 18, 2004 at 01:06:57PM +0000, John Horne wrote:
| > Hello,
| >
| > Compiling sa-exim 4.0 on a Solaris 9 system (gcc version 2.95.3
| > 20010315), gives two warnings:
| >
| >   ../Local/sa-exim.c: In function `local_scan':
| >   ../Local/sa-exim.c:1100: warning: assignment makes pointer from
| > integer without a cast
| >   ../Local/sa-exim.c:1101: warning: assignment makes pointer from
| > integer without a cast
|
| I take it we're talking about this:
|     char *start;
|     char *end;
|     char *mesgid=NULL;
|
|     start=index(buffer, '<');
|     end=index(buffer, '>');
|
|     if (start == NULL || end == NULL)
|
| My index man page says that it's supposed to return a char *
| What does yours?
|
| Marc
>-------------------------------------------------------------------------<

Mine says index() and rindex() are non-standard, and should be replaced
with strchr() and strrchr() (respectively), as found in . Many
OS'es provide the obsolete forms in , or if you #define/-D
some special macro. But in almost all cases it's just easier to fix it.

Jeff Carter

From j.carter at ieee.org Thu Mar 18 21:05:24 2004
From: j.carter at ieee.org (Jeff Carter)
Date: Thu Mar 18 18:05:31 2004
Subject: [SA-exim] Installation problems
Message-ID: <1079661924.1598.1.camel@ingot>

Marc MERLIN writes:
>-------------------------------------------------------------------------<
| On Thu, Mar 18, 2004 at 12:13:52PM +0000, John Horne wrote:
| On Thu, Mar 18, 2004 at 01:06:57PM +0000, John Horne wrote:
| > Hello,
| >
| > Compiling sa-exim 4.0 on a Solaris 9 system (gcc version 2.95.3
| > 20010315), gives two warnings:
| >
| >   ../Local/sa-exim.c: In function `local_scan':
| >   ../Local/sa-exim.c:1100: warning: assignment makes pointer from
| > integer without a cast
| >   ../Local/sa-exim.c:1101: warning: assignment makes pointer from
| > integer without a cast
|
| I take it we're talking about this:
|     char *start;
|     char *end;
|     char *mesgid=NULL;
|
|     start=index(buffer, '<');
|     end=index(buffer, '>');
|
|     if (start == NULL || end == NULL)
|
| My index man page says that it's supposed to return a char *
| What does yours?
|
| Marc
>-------------------------------------------------------------------------<

Mine says index() and rindex() are non-standard, and should be replaced
with strchr() and strrchr() (respectively), as found in . Many
OS'es provide the obsolete forms in , or if you #define/-D
some special macro. But in almost all cases it's just easier to fix it.

Jeff Carter
Re: [SA-exim] Installation problems

From marc at merlins.org Thu Mar 18 18:56:06 2004
From: marc at merlins.org (Marc MERLIN)
Date: Thu Mar 18 18:56:07 2004
Subject: [SA-exim] Installation problems
In-Reply-To: <22146.1079661206@apeirogon.org>
References: <20040318153330.GB32183@merlins.org>
	<22146.1079661206@apeirogon.org>
Message-ID: <20040319025606.GT15826@merlins.org>

On Thu, Mar 18, 2004 at 08:53:26PM -0500, Jeffrey D. Carter wrote:
> Mine says index() and rindex() are non-standard, and should be replaced
> with strchr() and strrchr() (respectively), as found in . Many
> OS'es provide the obsolete forms in , or if you #define/-D
> some special macro. But in almost all cases it's just easier to fix it.

I'll look at that in my CVS tree when I get a little bored :)

Thanks
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From jerry at cheesymouse.com Thu Mar 25 12:28:37 2004
From: jerry at cheesymouse.com (Jerry Rasmussen)
Date: Thu Mar 25 09:27:54 2004
Subject: [SA-exim] Reporting tools for SA-Exim
Message-ID: <217D777D3789FC4591199BA41FB0617AB0C3@nemo.scriptthis.net>

Does anyone know of any tools that can be used to generate the following
reports using SA-Exim.

Report the number of messages blocked by SPAM detection, Policy
Compliance (Content Filtering) and Anti-Virus.

Report the number of attachments blocked by attachment type.

Report the Top 10 Domains blocked for SPAM, Policy Compliance (Content
Filtering) and Anti-Virus.

Or if you know of any other tools that generate reports for SpamAssassin
that would be great.

From sdickenson at keyschool.org Thu Mar 25 12:42:19 2004
From: sdickenson at keyschool.org (Dickenson, Steven)
Date: Thu Mar 25 09:43:04 2004
Subject: [SA-exim] Reporting tools for SA-Exim
Message-ID: <1DBA7B491604E94BBCCE5133069A5BB20DE519@mail.keyschool.org>

Jerry Rasmussen wrote:
> Does anyone know of any tools that can be used to generate the
> following reports using SA-Exim.

SA-Exim-Stats can do some of this...

http://nossie.addicts.nl/projects/sa-exim-stats/

Note: You mentioned attachments and antivirus statistics. SA-Exim
doesn't do this. Perhaps you're thinking of exiscan? In which case, you
may be able to use existats' custom pattern matching. If you're using
ClamAV, Vexira, or RAV, this may help you with AV stats...

http://pandaemail.sourceforge.net/av-tools/

SpamAssassin also has its own statistics script, sa-stats.pl. Get it
here:

http://www.cynistar.net/~apthorpe/code/sa-contrib/

Steven
---
Steven Dickenson
Network Administrator
The Key School, Annapolis Maryland

From J.Horne at plymouth.ac.uk Fri Mar 26 10:40:40 2004
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Fri Mar 26 02:40:42 2004
Subject: [SA-exim] SA-exim 4.0 crashes on discard
Message-ID: <1080297627.24286.34.camel@jhorne.csd.plymouth.ac.uk>

Hello,

I noticed on our mailhubs that some mail was being delivered to userids
beginning with a hyphen. We have no such userids so I modified exim to
discard these. This was before installing sa-exim 4.0 - and it worked
okay. I have now installed sa-exim onto our second mailhub and in
testing that mail sent to '-03@plym.ac.uk' was discarded/rejected I got
the following error in the main and reject logs, there is no panic log:

============================================
2004-03-26 10:22:13 H=(jhorne.csd.plymouth.ac.uk) [141.163.60.243]
F= rejected RCPT <-03@plym.ac.uk>: discarded by
RCPT ACL: Prohibited: Invalid local part being received.
2004-03-26 10:22:13 1B6oTd-00066Y-Lr local_scan() function crashed with
signal 11 - message temporarily rejected (size 736)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
P Received: from [141.163.60.243] (helo=jhorne.csd.plymouth.ac.uk)
        by tracy.csd.plymouth.ac.uk with esmtp (Exim 4.30)
        id 1B6oTd-00066Y-Lr; Fri, 26 Mar 2004 10:22:13 +0000
P Received: from john by jhorne.csd.plymouth.ac.uk with local (Exim 4.309)
        id 1B6oQI-0007tS-Qc
        for -03@plym.ac.uk; Fri, 26 Mar 2004 10:18:46 +0000
  Subject: rej1 to jh
F From: John Horne
* To: -03@plym.ac.uk
T To: -03@plymouth.ac.uk
  Content-Type: text/plain
  Content-Transfer-Encoding: 7bit
  Organization: University of Plymouth
I Message-Id: <1080296326.24286.5.camel@jhorne.csd.plymouth.ac.uk>
  Mime-Version: 1.0
  X-Mailer: Ximian Evolution 1.2.2 (1.2.2-5)
  Date: 26 Mar 2004 10:18:46 +0000
S Sender: john@jhorne.csd.plymouth.ac.uk
=============================================================

In our configure file for the RCPT ACL we 'discard' invalid local parts.
If I change this to 'drop' then it works okay - no crash.

Regards,

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: John.Horne@plymouth.ac.uk Fax: +44 (0)1752 233839

From J.Horne at plymouth.ac.uk Fri Mar 26 12:44:03 2004
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Fri Mar 26 04:44:05 2004
Subject: [SA-exim] SA-exim 4.0 crashes on discard
In-Reply-To: <1080297627.24286.34.camel@jhorne.csd.plymouth.ac.uk>
References: <1080297627.24286.34.camel@jhorne.csd.plymouth.ac.uk>
Message-ID: <1080305034.24286.44.camel@jhorne.csd.plymouth.ac.uk>

On Fri, 2004-03-26 at 10:40, John Horne wrote:
>
> I noticed on our mailhubs that some mail was being delivered to userids
> beginning with a hyphen. We have no such userids so I modified exim to
> discard these. This was before installing sa-exim 4.0 - and it worked
> okay. I have now installed sa-exim onto our second mailhub and in
> testing that mail sent to '-03@plym.ac.uk' was discarded/rejected I got
> the following error in the main and reject logs, there is no panic log:
>
> ============================================
> 2004-03-26 10:22:13 H=(jhorne.csd.plymouth.ac.uk) [141.163.60.243]
> F= rejected RCPT <-03@plym.ac.uk>: discarded by
> RCPT ACL: Prohibited: Invalid local part being received.
> 2004-03-26 10:22:13 1B6oTd-00066Y-Lr local_scan() function crashed with
> signal 11 - message temporarily rejected (size 736)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
The problem seems to stem from the fact that by discarding the
recipient(s) the local_scan function can be called with no recipients
left. However, there is no check for this.

I modified sa-exim. to simply say (at line 721):

    /* Initialize the list of recipients here */
    if (recipients_count == 0) {
        return LOCAL_SCAN_ACCEPT;
    }
    rcptlist=string_copy(recipients_list[0].address);

and this seems to work fine. If there are no recipients then exim
blackholes the message after local_scan has run.

Regards,

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: John.Horne@plymouth.ac.uk Fax: +44 (0)1752 233839

From ssmeenk at freshdot.net Fri Mar 26 14:18:28 2004
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Fri Mar 26 05:18:38 2004
Subject: [SA-exim] SA-exim 4.0 crashes on discard
In-Reply-To: <1080305034.24286.44.camel@jhorne.csd.plymouth.ac.uk>
References: <1080297627.24286.34.camel@jhorne.csd.plymouth.ac.uk>
	<1080305034.24286.44.camel@jhorne.csd.plymouth.ac.uk>
Message-ID: <20040326131828.GB15309@freshdot.net>

Quoting John Horne (J.Horne@plymouth.ac.uk):
> > 2004-03-26 10:22:13 1B6oTd-00066Y-Lr local_scan() function crashed with
> > signal 11 - message temporarily rejected (size 736)
> I modified sa-exim. to simply say (at line 721):
>     /* Initialize the list of recipients here */
>     if (recipients_count == 0) {
>         return LOCAL_SCAN_ACCEPT;

Hmm. Isn't this an exim bug, rather than a sa-exim bug?

I mean, if the message has been discarded, what is the use of passing it
to local_scan() in the first place?

Sander.
--
| What are the little plastic endings on your shoelaces called?
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D

From J.Horne at plymouth.ac.uk Fri Mar 26 13:38:25 2004
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Fri Mar 26 05:38:26 2004
Subject: [SA-exim] SA-exim 4.0 crashes on discard
In-Reply-To: <20040326131828.GB15309@freshdot.net>
References: <1080297627.24286.34.camel@jhorne.csd.plymouth.ac.uk>
	<1080305034.24286.44.camel@jhorne.csd.plymouth.ac.uk>
	<20040326131828.GB15309@freshdot.net>
Message-ID: <1080308301.24286.55.camel@jhorne.csd.plymouth.ac.uk>

On Fri, 2004-03-26 at 13:18, Sander Smeenk wrote:
> Quoting John Horne (J.Horne@plymouth.ac.uk):
>
> > > 2004-03-26 10:22:13 1B6oTd-00066Y-Lr local_scan() function crashed with
> > > signal 11 - message temporarily rejected (size 736)
> > I modified sa-exim. to simply say (at line 721):
> >     /* Initialize the list of recipients here */
> >     if (recipients_count == 0) {
> >         return LOCAL_SCAN_ACCEPT;
>
> Hmm. Isn't this an exim bug, rather than a sa-exim bug?
>
> I mean, if the message has been discarded, what is the use of passing it
> to local_scan() in the first place?
>
Because local_scan may create recipients. However, in our case we don't
so the patch above works, but it obviously won't work for everyone. The
point is that some check needs to occur because it is valid to send a
message to local_scan with no recipients on the basis that it may create
some.

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: John.Horne@plymouth.ac.uk Fax: +44 (0)1752 233839

From marc at merlins.org Fri Mar 26 08:40:20 2004
From: marc at merlins.org (Marc MERLIN)
Date: Fri Mar 26 08:40:22 2004
Subject: [SA-exim] SA-exim 4.0 crashes on discard
In-Reply-To: <1080308301.24286.55.camel@jhorne.csd.plymouth.ac.uk>
References: <1080297627.24286.34.camel@jhorne.csd.plymouth.ac.uk>
	<1080305034.24286.44.camel@jhorne.csd.plymouth.ac.uk>
	<20040326131828.GB15309@freshdot.net>
	<1080308301.24286.55.camel@jhorne.csd.plymouth.ac.uk>
Message-ID: <20040326164020.GI18563@merlins.org>

On Fri, Mar 26, 2004 at 01:38:21PM +0000, John Horne wrote:
> On Fri, 2004-03-26 at 13:18, Sander Smeenk wrote:
> > Quoting John Horne (J.Horne@plymouth.ac.uk):
> >
> > > > 2004-03-26 10:22:13 1B6oTd-00066Y-Lr local_scan() function crashed with
> > > > signal 11 - message temporarily rejected (size 736)
> > > I modified sa-exim. to simply say (at line 721):
> > >     /* Initialize the list of recipients here */
> > >     if (recipients_count == 0) {
> > >         return LOCAL_SCAN_ACCEPT;
> >
> > Hmm. Isn't this an exim bug, rather than a sa-exim bug?
> >
> > I mean, if the message has been discarded, what is the use of passing it
> > to local_scan() in the first place?
> >
> Because local_scan may create recipients. However, in our case we don't
> so the patch above works, but it obviously won't work for everyone. The
> point is that some check needs to occur because it is valid to send a
> message to local_scan with no recipients on the basis that it may create
> some.

This did not even occur to me, thanks for the report, and especially for
finding the reason.

I'm wondering how many people this can affect and whether it warrants a
4.0.1 or not.
I'm guessing that the occurrence is not common enough to have affected
anyone else in the 1y+ since that piece of code has been there, but
there's definitely potential for this to happen to others.

I think I'll give it a few more weeks to see if there are other bugs or
problems reported by other folks, and make a new release with all the
fixes then.

I'll put a note on the web site in the meantime

Thanks
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key
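
Added example (not part of the archived thread and not sa-exim's own code): the two code-level issues discussed above, the read of recipients_list[0] when recipients_count is 0 and the index() calls, shown as small guarded helpers. The recipient_item struct, the two globals and LOCAL_SCAN_ACCEPT are local stand-ins for what Exim's local_scan.h provides, and join_recipients() and extract_msgid() are hypothetical helper names; what to return for an empty list is left to the caller, since the thread notes that a local_scan() may add recipients itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strchr() is declared here in standard C */

/* Stand-ins (assumptions) for what Exim's local_scan.h provides, so this
 * file builds without the Exim source tree. */
typedef struct recipient_item { char *address; } recipient_item;
enum { LOCAL_SCAN_ACCEPT = 0 };
static recipient_item *recipients_list = NULL;
static int recipients_count = 0;

/* Hypothetical helper: join every recipient into one ", "-separated heap
 * string. Returns NULL when the list is empty (for example after every RCPT
 * was discarded by an ACL), so index 0 is never read in that case. */
static char *join_recipients(const recipient_item *list, int count)
{
    size_t len = 1;                           /* terminating NUL */
    char *out, *p;
    int i;

    if (list == NULL || count <= 0)
        return NULL;
    for (i = 0; i < count; i++)
        len += strlen(list[i].address) + 2;   /* room for ", " */
    out = malloc(len);
    if (out == NULL)
        return NULL;
    p = out;
    for (i = 0; i < count; i++) {
        size_t n = strlen(list[i].address);
        if (i > 0) {
            memcpy(p, ", ", 2);
            p += 2;
        }
        memcpy(p, list[i].address, n);
        p += n;
    }
    *p = '\0';
    return out;
}

/* Hypothetical helper: copy "<...>" from a Message-Id header line into out.
 * Uses strchr() instead of index(), looks for '>' only after '<', and
 * refuses to overflow out. Returns 0 on success, -1 otherwise. */
static int extract_msgid(const char *header, char *out, size_t outlen)
{
    const char *start = strchr(header, '<');
    const char *end = (start != NULL) ? strchr(start, '>') : NULL;
    size_t n;

    if (start == NULL || end == NULL)
        return -1;
    n = (size_t)(end - start) + 1;            /* include both brackets */
    if (n >= outlen)
        return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample data, not taken from a real message. */
    recipient_item sample[] = { { "a@example.org" }, { "b@example.org" } };
    char id[64];
    char *rcpts;

    /* Case from the thread: no recipients left when local_scan() runs. */
    rcpts = join_recipients(recipients_list, recipients_count);
    printf("empty list -> %s\n", rcpts ? rcpts : "(none, nothing dereferenced)");

    recipients_list = sample;
    recipients_count = 2;
    rcpts = join_recipients(recipients_list, recipients_count);
    printf("two rcpts  -> %s\n", rcpts ? rcpts : "(allocation failed)");
    free(rcpts);

    if (extract_msgid("Message-Id: <1@example.org>", id, sizeof id) == 0)
        printf("message id -> %s\n", id);
    return LOCAL_SCAN_ACCEPT;
}
```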