RE: [Exim] Using Spam Assassin with Exim for remote addresse…

Author: Patrice Fournier
Date:  
To: Rice, Kevin
CC: exim-users, a.gohr
Subject: RE: [Exim] Using Spam Assassin with Exim for remote addresses
Quoting "Rice, Kevin" <krice@???>:

> I'm thinking
> there's probably a way to use spamassassin's -P option as part of the
> transport to bypass the problem of spamcheck being an exploitable shell
> script. If you have any suggestions along those lines, that would be
> great!


You could look at the transport_filter command; it probably does what you
want. Or if you want, I've put a copy of my version of the script at the
end of this email as it's not really big. I do believe this script is now
secure, but this was done rapidly, so I may have missed something. I'll check
it again sometime next week.

> I just need to take some time and read the Exim docs. I'll eventually
> understand it as well as sendmail ;)


This is always a good idea! :)

===== start of script =====
#!/usr/bin/perl
# This is a small wrapper script around Mail::SpamAssassin for use
# with the exim MTA
# It is released under the Terms of GNU General Public License (GPL) so
# use at your own risk!
#
# Original by Andreas Gohr <a.gohr@???>
#
# Modified 2002-01-04 by Patrice Fournier <pfournier@???>
#     to use a direct pipe instead of $mail->pipe which uses a shell
#     and can thus be exploited.


use Mail::Audit;
use Mail::SpamAssassin;

$exim     = '/usr/sbin/exim';       #Full path to exim
$params   = '-oMr spam-scanned -i'; #Additional params no need to change
                                    #This variable is not used presently
                                    #see the push(@parms..) if you need
                                    #to change the params.
$savespam = 1;                      #1/0 should spam be saved somewhere?
$spamfile = '/var/spool/spam';      #If you said 1 above - where to put
                                    #that nasty spam? Be sure this mailbox
                                    #is writable by the user who runs this
                                    #script (e.g. mail)
$sendspamback = 1;                  #1/0 should spam be sent back to Exim?


#These are given as command line arguments by exim:
$sender = shift(@ARGV);
$sender = '<>' if $sender eq '';
@recpt = @ARGV;

####### Main script
###########################################################

$mail = Mail::Audit->new(); #Read Mail from STDIN
$mail->{noexit} = 1; #Do not exit after $mail->accept()

$spamtest = Mail::SpamAssassin->new();
$status = $spamtest->check ($mail);

#Add the X-Spam Headers:
$status->rewrite_mail ();

if ($status->is_spam ()) {
    $mail->accept($spamfile) if ($savespam);
    exit(0) if (!$sendspamback);
}

# Feed the message back to exim:
# Can't use $mail->pipe as it uses a shell and is thus insecure
# Also, $mail->pipe will save to the default mail file if the open fails.
#$mail->pipe("$exim $params -f $sender $recpt");

push(@parms, "-oMr");
push(@parms, "spam-scanned");
push(@parms, "-i");
push(@parms, "-f");
push(@parms, "$sender");
push(@parms, @recpt);

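# open with "|-" forks: it returns the child's pid in the parent, 0 in the
# child and undef if the fork failed. The child execs exim with an argument
# list, so no shell is involved.
$pid = open(PIPE, "|-");
die "Cannot fork: $!" unless defined $pid;
if ($pid == 0) {
    exec($exim, @parms) or die "Cannot exec $exim: $!";
}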
$mail->{obj}->print(\*PIPE);
close(PIPE);
# Send back Exim's return code
exit $? >> 8;

====== end of script ======

--
Patrice Fournier
pfournier@???
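
Added example, not part of the original message or of the script above: it contrasts a single command string, which Perl hands to /bin/sh (what the script's comment says $mail->pipe does), with the fork-and-exec argument list the script uses instead. It assumes a Unix-like system; the running perl ($^X) stands in for exim, and the sender and recipient values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for exim (assumption): prints each argument it receives on its
# own line. "--" stops perl's own switch parsing so "-f" reaches @ARGV.
my @stub = ($^X, '-le', 'print for @ARGV', '--');

# Constructed values: a sender carrying shell metacharacters.
my $sender = 'a@example.org;echo SHELL-RAN';
my @recpt  = ('user@example.net');

# Unsafe form: one command string containing metacharacters, so perl
# runs it through /bin/sh -c and the shell parses the sender value.
sub via_shell {
    my $cmd = "$stub[0] $stub[1] '$stub[2]' $stub[3] -f $sender @recpt";
    open(my $out, '-|', $cmd) or die "cannot start: $!";
    chomp(my @lines = <$out>);
    close($out);
    return @lines;
}

# Safe form: fork, then exec with an argument list. No shell is involved,
# so every value reaches the program as exactly one argv element.
sub via_list {
    my $pid = open(my $out, '-|');      # child's STDOUT is piped to $out
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        exec { $stub[0] } @stub, '-f', $sender, @recpt;
        die "exec failed: $!";
    }
    chomp(my @lines = <$out>);
    close($out);
    return @lines;
}

print "shell: [$_]\n" for via_shell();
print "list:  [$_]\n" for via_list();
```

In the shell form the text after the `;` runs as a second command, while in the list form the whole sender value arrives as a single argument following `-f`.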