RE: [exim] ignore spam scanning of outgoing mail

Author: Peter Savitch
Date:  
To: exim-users
Subject: RE: [exim] ignore spam scanning of outgoing mail
Hi.

> is it not possible to simply say all mail emanating from machine x do
> not scan for spam??


Sure possible, no tricks ;) Simply add host conditions to your ACLs.
If your hubs are the only spam-scanner-enabled entities, then put the
logic onto them. Declare static host lists like this:

hostlist hosts_not_to_scan = 192.168.0.0/24 : 10.0.1.0/24

Then, in the SMTP DATA ACL:

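# Conditions are evaluated in order, so the host test comes first:
# spamd is then never called for mail from hosts_not_to_scan.
warn    message = X-Spam-Score: $spam_score
        !hosts  = +hosts_not_to_scan
        spam    = nobody:true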


And that's almost all. The scanner will be skipped if the mail
originated from a host in the list `hosts_not_to_scan'. Usually, if you
are not an ISP, you can only scan mail from the outside (world). What to
do next is your choice; you can even reject the mail at SMTP time. Verb
`warn' adds headers, while `deny' rejects mail with 55x. See specs. I do
not recommend 55x because of possible false positives. But, in general,
I do not recommend bouncing the message in any way other than 55x at the
front-end server. If you accept the message, then pass it or just
discard it, but do not generate a bounce.

As an alternative, you can use a more complex approach (the system routes
the message in a special way based on spam score, and does not use its
own headers at all):

begin acl
# This is a sub-ACL
acl_spam_test:
  warn          set acl_m0 = unchecked
  deny          hosts = +hosts_not_to_scan
  accept        spam = nobody:true/defer_ok
                set acl_m0 = $spam_score_int
  deny


# Somewhere in the DATA ACL
acl_data:

#...

  warn          message = X-Spam-Score: $spam_score
                acl = acl_spam_test


# ...

begin routers
# Somewhere in the routers
spam_trap:
  driver = redirect
  no_verify
  domains = ...
  condition = ${if and{{!eq{$acl_m0}{unchecked}}{>{$acl_m0}{50}}}{yes}{no}}
  data = junk-folder-address@???
# ...

As you can see, $acl_m0 contains $spam_score_int or `unchecked'. Don't
be confused by `deny' in a sub-ACL: it has a different meaning there.

Router `spam_trap' does not use any headers. That is good because you do
not care about header forging/collision - many systems use X-Spam-XXX
headers. Any defers with spamd are marked by `unchecked' (introduced by
"Andrew - Supernews" for callout defer check). But be advised, if the
scanner is skipped due to hosts_not_to_scan, $acl_m0 contains the same
string `unchecked'. This could be changed to `skipped' like this:

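# With these values the spam_trap router condition must test for
# `skipped' and `defer' (not `unchecked') before the numeric comparison.
acl_spam_test:
  warn          set acl_m0 = skipped
  deny          hosts = +hosts_not_to_scan
  warn          set acl_m0 = defer
  accept        spam = nobody:true/defer_ok
                set acl_m0 = $spam_score_int
  deny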


The above samples can help you to glue the spam scanning results to the
routing logic more safely and tightly.

> > Things get worse if you remember that DATA ACL does
> > not allow you to perform recipient-based (per-domain) logic. Assume that
> > a message originated from one of the internals have two RCPT: one should
> > go to the world, and one should go to the internal.
> >
> > Well, are the above assumptions correct?
> > There are still some tricky things you can do ;-)
> im intrigued about these tricky things you speak of.... :D


These tricks are useful for some complex environments and are based on
secure headers. If you have a distributed SMTP processing group, you can
mark the message with a special header (that uses SHA1). All members of
the group share the same secret. No matter how the message passes
through the group, every member has a way to determine if the message
has already been scanned by some other member. If you really need this,
I'll try to figure this out.
There is no need for this, though, if you do not have any hub-to-hub
traffic.

I hope, the information was useful to you ;-)

Take care.
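
The shared-secret header described above for hub groups, sketched in Python as an added example that is not part of the original post. It assumes HMAC-SHA1 as the SHA1 construction; the header name `X-Hub-Scanned`, the field layout, the secret and the one-hour freshness window are all hypothetical.

```python
import hashlib
import hmac
import time

# Assumed names, not from the post: header name, secret, freshness window.
HEADER = "X-Hub-Scanned"
SECRET = b"constructed-demo-secret"  # shared by every hub in the group
MAX_AGE = 3600  # seconds a marker stays valid


def _mac(message_id, ts, score):
    # HMAC, not bare SHA1(secret + data), which allows length extension.
    data = f"{message_id}|{ts}|{score}".encode()
    return hmac.new(SECRET, data, hashlib.sha1).hexdigest()


def make_marker(message_id, score, now=None):
    """Header value a hub adds after it has scanned the message."""
    ts = int(time.time()) if now is None else now
    return f"ts={ts}; score={score}; mac={_mac(message_id, ts, score)}"


def already_scanned(headers, now=None):
    """True only if exactly one marker is present, fresh and authentic."""
    now = int(time.time()) if now is None else now
    msgids = [v.strip() for k, v in headers if k.lower() == "message-id"]
    markers = [v for k, v in headers if k.lower() == HEADER.lower()]
    if len(msgids) != 1 or len(markers) != 1:
        return False  # missing or duplicated header: scan again
    try:
        fields = dict(p.strip().split("=", 1) for p in markers[0].split(";"))
        ts, score = int(fields["ts"]), int(fields["score"])
        mac = fields["mac"]
    except (KeyError, ValueError):
        return False  # malformed marker: scan again
    if not 0 <= now - ts <= MAX_AGE:
        return False  # stale or future-dated marker
    expected = _mac(msgids[0], ts, score)
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    return hmac.compare_digest(mac.encode(), expected.encode())
```

The marker is bound to the Message-ID only, not to the message body, so a hub should still ignore or strip any `X-Hub-Scanned` header on mail that arrives from hosts outside the group.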