I'm trying to have the ACL skip running spamd in some cases, by
pre-empting it with "accept", but it's always launching the spam check.
The relevant ACL is below, with example log message.
The log shows the "certified connection" rule is matched, yet the spam
check is still launched. Whereas I'd expect the "spam =" line to never be
acted upon.
Do I have some fundamental misunderstanding about how ACLs actually work?
This means that even as SMTP smarthost, I'm getting bogus spam check
headers added to outbound mail.
What's curious is I don't remember it being like this before. Old test
messages send from 2015/2016 don't show these headers, implying that it
used to work. There could be a number of reasons here that it'll take me
some time to test, but if you know of an Exim change that may have done
this then it would be helpful to know.
This is from Exim version 4.87_1 on FreeBSD.
Any advice appreciated -- thanks
--
Mark
acl_check_data:
# There are several relay conditions under which we don't do any scanning
accept hosts = :
logwrite = accepting message content from local host
accept hosts = +relay_from_hosts
logwrite = accepting message content from trusted host
accept verify = certificate
condition = ${if inlist{${sha256:$tls_in_peercert}}{RELAY_FROM_CERTS}}
logwrite = accepting message content from certified connection
accept authenticated = *
logwrite = accepting message content from authenticated connection
# Spam checking takes a long time on large messages
accept condition = ${if >={$message_size}{500k}{yes}{no}}
add_header = X-Spam: check bypassed due to message size
logwrite = skipping spam check on large message
# Scan the body of the message for spam and add the information
# to the headers
warn spam = nobody:true
add_header = X-Spam-Score: $spam_score
add_header = X-Spam-Level: $spam_bar
add_header = X-Spam-Report: $spam_report
# Introduce a small delay to slow down spammers
warn condition = ${if >{$spam_score_int}{20}{true}{false}}
delay = 60s
log_message = delaying spammer by 60s
warn condition = ${if >{$spam_score_int}{40}{true}{false}}
delay = 120s
log_message = delaying spammer by 120s
# For a high spam rating, reject at the SMTP level
deny message = this message has been judged to be spam
spam = nobody:true
condition = ${if >{$spam_score_int}{80}{true}{false}}
delay = 240s
log_message = delaying spammer by 240s and rejecting spam at SMTP ($spam_score)
accept
2017-01-09 23:45:10 1cQjck-0001fD-2F accepting message content from certified connection
2017-01-09 23:45:10 1cQjck-0001fD-2F SA: Debug: SAEximRunCond expand returned: '1'
2017-01-09 23:45:10 1cQjck-0001fD-2F SA: Debug: check succeeded, running spamc
2017-01-09 23:45:11 1cQjck-0001fD-2F SA: Action: scanned but message isn't spam: score=3.8 required=5.0 (scanned in 1/1 secs | Message-Id: 1701092345040.21445@???). From <mark-xxxxxxx@???> (host=xxxxx.net [x.x.x.x]) for xxxxxxxxxxxxxx@???
2017-01-09 23:45:11 1cQjck-0001fD-2F <= mark@??? H=xxxxxx.net (stax.localdomain) [x.x.x.x] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes S=1156 id=1701092345040.21445@???
2017-01-09 23:45:11 1cQjck-0001fD-2F => xxxxxxxxxxxxxx@??? R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [2a00:1450:400c:c01::1b] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1484005511 7si346350wmu.55 - gsmtp"
