[exim] Quarantine selected mails - Any thoughts?

Author: Andreas Pettersson
Date:  
To: exim users
Subject: [exim] Quarantine selected mails - Any thoughts?
Hi list.

I've been thinking a lot lately about a nice way to quarantine some mails
passing my server.
Today I relay all mails from Exim through a MAILsweeper box, which scans
for some headers (X-Spam-Flag and X-Virus-Flag) and puts it in quarantine.
One important note: I quarantine all clean mail as well, in parallel to
delivering them to their recipients.

Though MAILsweeper is really easy to use, I don't want that extra hop
any more, so the other day I started experimenting. :)
This is what I'm thinking:


- Exim accepts incoming mail, scans for spam and sets the appropriate
header.


- A: It's not spam. A system filter looking like this saves the message
in a quarantine store ('clean'):
     if $h_x-spam-flag does not contain "YES"
        then
        unseen save /var/mail/quarantine/clean/$message_id
     endif


     The transport taking care of the saving is here:
     quarantine_clean_mail:
        driver = appendfile
        delivery_date_add
        envelope_to_add
        return_path_add
        group = www
        user = mailnull
        mode = 0660
        no_mode_fail_narrower
        batch_max = 1000
        use_bsmtp



- B: It's spam. This router captures it:
     spamflagged_director:
        driver = accept
        condition = ${if and { {def:h_X-Spam-Flag:} {!eq {$received_protocol}{local}} } {1}{0}}
        transport = spamflagged_delivery


     And this transport stores it in quarantine store named 'blocked':
     spamflagged_delivery:
        driver = appendfile
        file = /var/mail/quarantine/blocked/$message_id



I then have some cgi scripts to view/process the contents of the
quarantine, but we can take that later..


Issue 1: Spam mails with multiple recipients get written multiple times
to the same file (named $message_id). I think I could fix that by using
filter save instead of a router, but I haven't looked into it yet.
(deliver to file?)

Issue 2: I need to preserve MAIL FROM and RCPT TO, which use_bsmtp takes
care of, but RCPT TO only contains <system-filter>. Solution might be to
have the filter add an extra header ( "Q-Envelope-to: $recipients" ) for
later parsing, but I'm not into modifying the mail files for that
purpose. But if there's no other way, then.. As for now, I'm reading
the contents of the latest Received header, but that only works for
single-addressed mails.

Issue 3: When releasing mail from quarantine, what do I have to think
about regarding From and Reply-to headers? I don't want it to look like
it came from the www user on the quarantine box.


Some words about the cgi. A perl script regularly indexes the mails in
quarantine and removes mails older than x days, and another script
presents the contents to a web user, with options such as Release,
Whitelist, Train as ham/spam, Test SA scoring, Report, Forward to new
address and Delete. I'm thinking of another option, Inject in MTA, but
I'm not sure how to accomplish that.

To prevent one folder from being flooded with 300,000 files, the indexing
also distributes them over several subfolders.


So, before you start bombarding me with "why reinvent the wheel, use this and
that instead", what are your thoughts? What are others doing/using?

And then, let the bombing begin ;)


Best regards,
Andreas
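The indexing step and Issue 2 above both come down to reading the quarantine files back. Below is an added example in Python, not code from Andreas or from the Exim project, of an indexer for one file written by appendfile with use_bsmtp. It assumes the batch SMTP layout Exim documents for that option (MAIL FROM / RCPT TO lines, a DATA line, the message with leading dots doubled, a terminating line holding a single dot), treats a RCPT TO of <system-filter> as the placeholder described in the post and in that case falls back to the Q-Envelope-to header the post proposes (assumed to hold $recipients, i.e. a comma-separated list), and spreads files over subfolders by hashing $message_id. Both sample files are constructed here, not real quarantine content.

```python
import hashlib
import re
from email import message_from_string
from email.message import Message

# Constructed sample: a spam-flagged message saved via a system filter.
# RCPT TO carries the <system-filter> placeholder the post describes; the
# hypothetical Q-Envelope-to header holds the real envelope recipients.
SAMPLE_BSMTP = """MAIL FROM:<sender@example.org>
RCPT TO:<system-filter>
DATA
Received: from mail.example.org ([192.0.2.10])
\tby quarantine.example.net with esmtp (Exim 4.x)
\tid 1AbCdE-000123-Fg
\tfor alice@example.net; Mon, 01 Jan 2001 00:00:00 +0000
Q-Envelope-to: alice@example.net, bob@example.net
X-Spam-Flag: YES
Subject: constructed test
From: sender@example.org

..leading dot line was dot-stuffed by BSMTP
body text
.
"""

# Constructed sample: a clean bounce (empty sender) with two real RCPT TO lines.
SAMPLE_CLEAN = """MAIL FROM:<>
RCPT TO:<carol@example.net>
RCPT TO:<dave@example.net>
DATA
Subject: bounce without spam header
From: MAILER-DAEMON@example.org

delivery failed
.
"""

ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>\r\n]*)>?\s*$", re.IGNORECASE)


def parse_bsmtp(text: str) -> dict:
    """Split a batch-SMTP file into envelope sender, envelope recipients and
    the RFC 822 message (dot-unstuffed, terminating '.' line removed)."""
    sender, rcpts = None, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line.upper() == "DATA":
            break
        m = ENVELOPE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected envelope line: {line!r}")
        if m.group(1).upper() == "MAIL FROM":
            sender = m.group(2)          # empty string for a bounce (<>)
        else:
            rcpts.append(m.group(2))
    body = []
    for line in lines[i:]:
        if line == ".":                  # end-of-message marker
            break
        body.append(line[1:] if line.startswith(".") else line)  # undo dot-stuffing
    return {"sender": sender, "rcpts": rcpts, "message": "\n".join(body) + "\n"}


def envelope_recipients(parsed: dict, msg: Message) -> list:
    """Real recipients: the RCPT TO lines, unless they only carry Exim's
    <system-filter> placeholder; then use the hypothetical Q-Envelope-to header."""
    real = [r for r in parsed["rcpts"] if r.lower() != "system-filter"]
    if real:
        return real
    header = msg.get("Q-Envelope-to", "")
    return [a.strip() for a in header.split(",") if a.strip()]


def bucket_for(message_id: str, levels: int = 2) -> str:
    """Two-level subfolder path (e.g. 'ab/cd') from a hash of $message_id, so a
    single quarantine folder never holds hundreds of thousands of files."""
    digest = hashlib.sha256(message_id.encode()).hexdigest()
    return "/".join(digest[2 * k:2 * k + 2] for k in range(levels))


def index_quarantine_file(text: str, message_id: str) -> dict:
    """Produce the record the indexing script would store for one file."""
    parsed = parse_bsmtp(text)
    msg = message_from_string(parsed["message"])
    return {
        "message_id": message_id,
        "sender": parsed["sender"],
        "recipients": envelope_recipients(parsed, msg),
        "spam": msg.get("X-Spam-Flag", "").strip().upper() == "YES",
        "subject": msg.get("Subject", ""),
        "bucket": bucket_for(message_id),
    }


if __name__ == "__main__":
    print(index_quarantine_file(SAMPLE_BSMTP, "1AbCdE-000123-Fg"))
    print(index_quarantine_file(SAMPLE_CLEAN, "1AbCdE-000124-Gh"))
```

Keeping the envelope in the file (use_bsmtp) rather than reconstructing it from Received headers is what makes a later release reproduce the original MAIL FROM and RCPT TO; the Q-Envelope-to fallback only matters for the system-filter path, where Exim records the placeholder recipient.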