Differences between version 4 and predecessor to the previous major change of EximMailFilter.
Newer page: version 4, last edited on Friday, December 17, 2004 10:07:03 am by CraigBox
Older page: version 2, last edited on Tuesday, December 14, 2004 2:23:25 pm by CraigBox
@@ -1,24 +1,28 @@
-!!How to make your Debian Woody machine an exim4
mail filter
+!
!!How to make your Debian Woody machine an amazing [Exim] 4
mail filter
-This should
all be in one place, but isn
't yet
.
+This is how I've set up a new exim4 installation to do
all the filtering I used to do with MailScanner or amavis. It
's much less CPU intensive to use the daemon mode of SpamAssassin and have your MTA do all the work instead of a big perl script
.
-!Get exim4
+There are a number of changes that aren't immediately apparent between using exim3 and exim4 on Debian: the configuration system is completely different. You either have a large configuration template file or a number of small files, but either way, the live config isn't updated until you run __update-exim4.conf__. Running an /etc/init.d/exim4 restart will run this command for you.
+
+!
!Get exim4
Add these lines to your apt sources.list:
<pre>
deb http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/ woody/
deb http://www.linux.org.au/backports.org/debian woody gnutls11
</pre>
-apt-get install exim4-daemon-heavy. At this point I assume you're running clamav-daemon, spamassassin 3.01 and have recent versions of libnet-perl-dns etc, but I'll deal to those later.
+apt-get install exim4-daemon-heavy. You might like to purge exim3 at this point too else your ex<tab> completion will pick exim instead of exim4.
At this point I assume you're running clamav-daemon, spamassassin 3.01 and have recent versions of libnet-perl-dns etc, but I'll deal to those later.
Configure exim4 to use the small config files.
Note: I use '[itp|ItPartners]' to signify my changes. You will want to use your own tag.
-!Get clamav
working
+Most of the snippets below go into the 'acl_smtp_data' [ACL], which has the potential to accept or deny a message at [SMTP] DATA time. When putting them in, realise that the order of 'warn' entries is irrelevant, but if you hit a 'deny' the message is denied and further processing is stopped. Therefore the 'drop messages that are obviously spam' sits nicely before the 'redirect messages that -might- be spam' rule. Don't accidentally lose the 'accept' at the bottom of the file either.
+
+!
!Get [ClamAV]
working
Change into /etc/exim4/conf.d/main. Copy 02_exim4-config_options to 02_exim4-config_options.rul and add these lines:
<pre>
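Review bot: the new paragraph about acl_smtp_data says the order of 'warn' entries is irrelevant, but the same sentence says a 'deny' stops all further processing, so a 'warn' placed below a matching 'deny' never runs, and the header lines that 'warn' adds appear in the order the statements are written. Suggest wording it as "the relative order of the warn entries only changes the order of the added headers, but every warn you rely on must sit above any deny that could stop processing". Separately, the two sources.list entries point at unofficial repositories (a personal directory on logic.univie.ac.at and the backports.org mirror on linux.org.au) fetched over plain http, and the text gives the reader no way to check what "apt-get install exim4-daemon-heavy" will then pull in; a sentence saying these are third-party packages and how to verify them belongs before the install line.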
@@ -59,25 +63,30 @@
.
550 This message contains malware (Eicar-Test-Signature)
</verbatim>
-!Get spamassasin working
+!
!Get spamassasin working
-To your main/02_exim4-config_options.rul, add:
+Get spamassassin 3.0 from backports.org. Edit /etc/default/spamassassin to enable spamd, but make sure you're happy with the risks.
+
+We need to teach Exim how to talk to spamd.
To your main/02_exim4-config_options.rul, add:
<pre>
# itp: set SpamAssassin path
#
spamd_address = 127.0.0.1 783
</pre>
-To your acl/40_exim4-config_check_data.rul, add:
+!Really spammy stuff
+
+Now, we'll add an ACL to automatically drop anything that scores over a certain threshold that is obviously spam.
To your acl/40_exim4-config_check_data.rul, add:
<pre>
- # itp: reject spam at high scores (> 12
)
- deny message = This message
scored $spam_score spam points.
+ # itp: reject spam at high scores (> 15
)
+ deny message = Message
scored $spam_score spam points.
spam = nobody:true
- condition = ${if >{$spam_score_int}{120
}{1}{}}
+ condition = ${if <{$message_size}{100k}{1}{}}
+
condition = ${if >{$spam_score_int}{150
}{1}{}}
</pre>
Restart and test like so:
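Review bot: in the rewritten deny rule the new size guard "condition = ${if <{$message_size}{100k}{1}{}}" sits below "spam = nobody:true", and Exim evaluates the conditions of an ACL statement in the order they are written, so spamd is still called for every message, including the ones over 100k the guard is meant to skip; move the size condition above the "spam =" line so the scan is never started for large messages. The threshold change from 120 to 150 (12 to 15 points) is made without comment; a note on why 12 was too low would help the next editor. "Make sure you're happy with the risks" of enabling spamd names no risk: say that spamd is a network daemon, and that "spamd_address = 127.0.0.1 783" only tells Exim where to connect, while whether spamd accepts connections from other hosts depends on the listen options in /etc/default/spamassassin.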
@@ -92,4 +101,76 @@
.
550 This message scored 998.8 spam points.
QUIT
</verbatim>
+
+!Less spammy stuff
+
+In a corporate mail filter I don't want to send users any spam - there is a body that exists to filter what little spam is left after the above rule, but we need to get it to another mailbox. We do this by adding an X- header to any messages that are over the spam level as defined in spamassassin's local.cf (if you don't set it there, it defaults to 5), and use a router to rewrite them to that address.
+
+Drop a file called 050_exim4-config_spam_redirect in /etc/exim4/conf.d/router, containing something very much like this:
+
+<pre>
+# itp: Spam redirection router
+# Modified from http://duncanthrax.net/exiscan-acl/exiscan-acl-examples.txt,
+# this router takes any message with X-Redirect-To and redirects it to that
+# user.
+
+spam_redirect:
+ debug_print = "R: scan_redirect for $domain"
+ driver = redirect
+ condition = ${if def:h_X-Redirect-To: {1}{0}}
+ headers_add = X-Original-Recipient: $local_part@$domain
+ data = $h_X-Redirect-To:
+ headers_remove = X-Redirect-To
+ redirect_router = hubbed_hosts
+</pre>
+
+This sits just before the hubbed_hosts router, which was previously the first router in the queue. Set the redirect router to whichever router you want to process your message next.
+
+Now, to have the redirect headers written on your messages, in our acl/40_exim4-config_check_data.rul:
+
+<pre>
+ # itp: put a spam warning on all messages
+ # and redirect messages over the SA threshold to quarantine
+ warn message = X-Spam-Score: $spam_score {$spam_bar}
+ condition = ${if <{$message_size}{100k}{1}{0}}
+ spam = nobody:true
+
+ warn message = X-Spam-Report: $spam_report
+ condition = ${if <{$message_size}{100k}{1}{0}}
+ spam = nobody:true
+
+ warn message = X-Redirect-To: quarantine@itpartners.co.nz
+ spam = nobody
+</pre>
+
+"nobody:true" matches everyone (the nobody is the user to call SpamAssassin as; as we're always using the same one the result is cached per message).
+
+In order to get a small sensible spam report instead of the huge default SpamAssassin one, put this in your /etc/spamassassin/local.cf:
+
+<pre>
+clear_report_template
+report "_YESNO_, hits=_HITS_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_
+ version=_VERSION_"
+</pre>
+
+!!MIME errors & file attachments
+
+Noone wants to receive executable file attachments: in acl/40_exim4-config_check_data.rul
+
+<pre>
+ # itp: Unpack MIME containers and reject file extensions used by worms.
+ # This calls the demime condition again, but it will return cached results.
+ deny message = We do not accept ".$found_extension" attachments here. If you \
+ legitimately need to send these files please zip them first.
+ demime = bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url
+</pre>
+
+And for MIME errors:
+
+<pre>
+ # itp: Reject messages that have serious MIME errors.
+ deny message = Serious MIME defect detected ($demime_reason)
+ demime = *
+ condition = ${if >{$demime_errorlevel}{2}{1}{0}}
+</pre>
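Review bot: the spam_redirect router fires on "condition = ${if def:h_X-Redirect-To: {1}{0}}" and delivers to whatever "data = $h_X-Redirect-To:" contains, but nothing in this revision removes or rejects an X-Redirect-To header that arrived with the message, so a remote sender can add that header and have the router forward the message to an address of their choosing, via hubbed_hosts and out of the site. Fix the destination in the router (data = quarantine@itpartners.co.nz, or compare the header's value to that address in the condition) and, since a forged header would still divert legitimate mail into quarantine, add a deny on "condition = ${if def:h_X-Redirect-To: {1}{0}}" in acl/40_exim4-config_check_data.rul above the warn that adds the header. Smaller points: the comment on the attachment deny says "This calls the demime condition again, but it will return cached results" while the "demime = *" MIME-error check is listed after it, so either swap the two blocks or fix the comment; and the "MIME errors & file attachments" heading uses "!!" where the sibling sections use "!".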