On Wed, 2007-02-28 at 20:15 +0100, Renaud Allard wrote:
>
> For the moment, you are using routers and transports to scan for spam.
> This means you cannot deny mails at SMTP time. It is much better to use
> the built in spam and antivirus scan functions.

The problem with not using routers at all is that different recipients
have different definitions of spam, and it seems quite tough to set up
something that allows for scanning at SMTP time, while still allowing
individual users' whitelists and special considerations.
The best I've come up with is far from perfect:

    ...
    acl_smtp_rcpt = acl_check_rcpt
    acl_smtp_data = acl_check_data
    spamd_address = 127.0.0.1 783
    ...
    begin acl

    acl_check_rcpt:
      ...
      accept  domains = +local_domains
              endpass
              verify = recipient
              # Allow for user-anything@ addresses
              set acl_m0 = ${sg{$local_part}{-.*}{}}
              # Map the stripped local part through the aliases file
              set acl_m0 = ${lookup{$acl_m0}dbm{/etc/aliases.db}}
              # Fall back to "nobody" when the lookup returned nothing
              set acl_m0 = ${if eq {}{$acl_m0}{nobody}{$acl_m0}}
      accept  domains = +relay_to_domains
              endpass
              verify = recipient
              set acl_m0 = nobody
      ...

    acl_check_data:
      ...
      # Reject spam messages with score over 15
      deny    message = Spam is not wanted here
              spam = $acl_m0:true
              condition = ${if >{$spam_score_int}{150}{1}{0}}
      warn    spam = $acl_m0
              message = X-Spam-Flag: YES\n\
                        X-Spam-Score: $spam_score ($spam_bar)\n\
                        X-Spam-Report: $spam_report\n\
                        X-Spam-Scanned-By: $acl_m0
      ...

    (router section)

    dnslookup:
      driver = dnslookup
      domains = ! +local_domains
      transport = remote_smtp
      ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
      # Strip the scan headers from mail that leaves this host
      headers_remove = X-Spam-Status:X-Spam-Flag:X-Spam-Score:X-Spam-Report:X-Spam-Scanned-By:X-Is-A-Bounce
      no_more

The idea is that local incoming mail gets scanned by the recipient,
while relayed mail or mail where the recipient can't be determined gets
scanned by the "nobody" user.

This is far from perfect, as it will not handle aliases pointing to
other aliases. The main problem is that when there /is/ a local
recipient, but the above acl_m0 rules fail to determine it, the uid will
be incorrect, and spamassassin fails to access the user's rules:

    Feb 27 23:55:11 myhost spamd[2382]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/username/.spamassassin/auto-whitelist.lock.myhost.mydomain.com.2382 for /home/username/.spamassassin/auto-whitelist.lock: Permission denied

Anyone know how to fix this, or better yet, have an alternative approach
that does allow for per-user scanning before the mail is accepted?

I already know that there is a logistical problem when there's more than
one local recipient. It would be acceptable, but far from perfect, to
have that kind of email scanned by just one of the users (as is what
happens with the above) or "nobody".

Regards,
--
*Art
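
Added example, not part of the original message and not Exim or SpamAssassin code: a Python model of choosing the spamd user for a recipient that follows aliases pointing to other aliases and falls back to "nobody" for anything without a single local owner, which goes beyond the single lookup in the ACL above. The alias table, LOCAL_USERS and the function names are constructed assumptions.

```python
import re

# Constructed sample data (not from the original message).
SAMPLE_ALIASES = """\
# name: target[, target...]
postmaster: root
root: art
sales: alice, bob
loop1: loop2
loop2: loop1
archive: "|/usr/local/bin/archiver"
"""
LOCAL_USERS = {"art", "alice", "bob"}  # stands in for a passwd lookup


def parse_aliases(text):
    """Parse aliases(5)-style lines into {name: [targets]}."""
    aliases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, targets = line.split(":", 1)
        aliases[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def spamd_user(local_part, aliases, local_users, fallback="nobody", max_depth=10):
    """Choose the user name to pass to spamd for one recipient."""
    # Same effect as ${sg{$local_part}{-.*}{}}: drop "-anything" suffixes.
    name = re.sub(r"-.*", "", local_part.lower())
    seen = set()
    for _ in range(max_depth):
        if name in seen:  # alias loop
            return fallback
        seen.add(name)
        targets = aliases.get(name)
        if targets is None:  # end of chain: must be a real account
            return name if name in local_users else fallback
        target = targets[0].lower() if len(targets) == 1 else ""
        # Several targets, pipes, files and remote addresses have no
        # single local owner, so they are scanned as the fallback user.
        if not re.fullmatch(r"[a-z_][a-z0-9._-]*", target):
            return fallback
        name = target
    return fallback


ALIASES = parse_aliases(SAMPLE_ALIASES)
```

Returning the fallback whenever the owner is ambiguous keeps spamd from being asked to run as a user whose home directory it then cannot write to, which is the failure shown in the log line above.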