mdw@git.distorted.org.uk Git - exim-config/blob - spam.m4

   1 ### -*-m4-*-
   2 ###
   3 ### Spam filtering for distorted.org.uk Exim configuration
   4 ###
   5 ### (c) 2012 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 DIVERT(null)
  25 ###--------------------------------------------------------------------------
  26 ### Spam filtering.
  27
  28 ## The Exim documentation tells lies.
  29 ##
  30 ## : *${run{*<_command_>* *<_args_>*}{*<_string1_>*}{*<_string2_>*}}*
  31 ## :     The command and its arguments are first expanded separately, [...]
  32 ##
  33 ## They aren't.  The whole command-and-args are expanded together, and then
  34 ## split at unquoted spaces.  This unpleasant hack sorts out the mess.
  35 m4_define(<:SHQUOTE:>, <:"${rxquote:$1}":>)
  36
  37 ## Utilities for collecting spam limits.
  38 m4_define(<:SPAMLIMIT_CHECK:>,
  39         <:${if match{$1}{\N^-?[0-9]+$\N} {spam_limit=$1} {}}:>)
  40
  41 m4_define(<:SPAMLIMIT_ROUTER:>,
  42 <:$1:
  43         driver = redirect
  44         data = :unknown:
  45         verify_only = true
  46         condition = ${if !eq{$acl_c_mode}{submission}}
  47         condition = ${extract{spam_limit}{$address_data}{false}{true}}:>)
  48
  49 m4_define(<:SPAMLIMIT_SET:>,
  50         <:address_data = \
  51                 ${if def:address_data {$address_data}{}} \
  52                 $1:>)
  53
  54 m4_define(<:SPAMLIMIT_LOOKUP:>,
  55         <:condition = ${if exists{$1}}
  56         SPAMLIMIT_SET(<:${lookup {$2$3$4@$5/$6} nwildlsearch {$1} \
  57                                {SPAMLIMIT_CHECK($value)}}:>):>)
  58
  59 m4_define(<:SPAMLIMIT_USERV:>,
  60         <:SPAMLIMIT_SET(<:${run {/usr/bin/timeout 5s \
  61                                         userv CONF_userv_opts \
  62                                         SHQUOTE($1) exim-spam-limit \
  63                                         SHQUOTE($6) SHQUOTE($2) SHQUOTE($3) \
  64                                         SHQUOTE($4) SHQUOTE(@$5)} \
  65                                 {SPAMLIMIT_CHECK($value)}}:>):>)
  66
  67 SECTION(global, policy)m4_dnl
  68 spamd_address = CONF_spamd_address CONF_spamd_port
  69
  70 SECTION(routers, allspam)m4_dnl
  71 ## If we're verifying an address and the recipient has a `~/.mail/spam-limit'
  72 ## file, then look up the recipient and sender addresses to find a plausible
  73 ## limit and insert it into the `address_data' where the RCPT ACL can find
  74 ## it.  This router always declines, so it doesn't affect the overall outcome
  75 ## of the verification.
  76 SPAMLIMIT_ROUTER(fetch_spam_limit_lookup)
  77         check_local_user
  78         local_part_suffix = CONF_user_suffix_list
  79         local_part_suffix_optional = true
  80         SPAMLIMIT_LOOKUP(CONF_userconf_dir/spam-limit,
  81                 $local_part_prefix, $local_part, $local_part_suffix, $domain,
  82                 $sender_address)
  83
  84 SPAMLIMIT_ROUTER(fetch_spam_limit_userv)
  85         check_local_user
  86         local_part_suffix = CONF_user_suffix_list
  87         local_part_suffix_optional = true
  88         condition = ${if exists{CONF_userconf_dir/spam-limit.userv}}
  89         SPAMLIMIT_USERV(SHQUOTE($local_part),
  90                 $local_part_prefix, $local_part, $local_part_suffix, $domain,
  91                 $sender_address)
  92
  93 SECTION(acl, rcpt-hooks)m4_dnl
  94         ## Do per-recipient spam-filter processing.
  95         require  acl = rcpt_spam
  96
  97 SECTION(acl, misc)m4_dnl
  98 skip_spam_check:
  99
 100         ## If the client is trusted, or this is a new submission, don't
 101         ## bother with any of this.  We will have verified the sender
 102         ## fairly aggressively before granting this level of trust.
 103         accept   hosts = +trusted
 104         accept   condition = ${if eq{$acl_c_mode}{submission}}
 105
 106         ## If all domains have disabled spam checking then don't check.
 107         accept  !condition = $acl_c_spam_check_domain
 108
 109         ## Otherwise we should check.
 110         deny
 111
 112 rcpt_spam:
 113
 114         ## If this is a virtual domain, and it says `spam-check=no', then we
 115         ## shouldn't check spam.  But we can't check domains at DATA time, so
 116         ## instead we must track whether all recipients have disabled
 117         ## checking.
 118         warn    !domains = ${if exists{CONF_sysconf_dir/domains.conf} \
 119                          {partial0-lsearch; CONF_sysconf_dir/domains.conf} \
 120                          {}}
 121                  set acl_c_spam_check_domain = true
 122         warn    !condition = $acl_c_spam_check_domain
 123                  condition = DOMKV(spam-check, {${expand:$value}}{true})
 124                  set acl_c_spam_check_domain = true
 125
 126         ## See if we should do this check.
 127         accept   acl = skip_spam_check
 128
 129         ## Always accept mail to `postmaster'.  Currently this is not
 130         ## negotiable; maybe a tweak can be added to `domains.conf' if
 131         ## necessary.
 132         accept   local_parts = postmaster
 133
 134         ## Collect the user's spam threshold from the `address_data'
 135         ## variable, where it was left by the `fetch_spam_limit' router
 136         ## during recipient verification.  (This just saves duplicating this
 137         ## enormous expression.)
 138         warn     set acl_m_this_spam_limit = \
 139                         ${sg {${extract {spam_limit} \
 140                                         {${if def:address_data \
 141                                               {$address_data}{}}} \
 142                                         {$value}{nil}}} \
 143                              {^(|.*\\D.*)\$}{CONF_spam_max}}
 144
 145         ## If there's a spam limit already established, and it's different
 146         ## from this user's limit, then the sender will have to try this user
 147         ## again later.
 148         defer   !hosts = +trusted
 149                  message = "You'd better try this one later"
 150                  condition = ${if def:acl_m_spam_limit {true}{false}}
 151                  condition = ${if ={$acl_m_spam_limit} \
 152                                    {$acl_m_this_spam_limit} \
 153                                   {false}{true}}
 154
 155         ## There's no limit set yet, or the user's limit is the same as the
 156         ## existing one, or the client's local and we're not checking for
 157         ## spam anyway.  Whichever way, it's safe to set it now.
 158         warn     set acl_m_spam_limit = $acl_m_this_spam_limit
 159
 160         ## All done.
 161         accept
 162
 163 SECTION(acl, data-spam)m4_dnl
 164         ## Do spam checking.
 165         require  acl = data_spam
 166
 167 SECTION(acl, misc)m4_dnl
 168 data_spam:
 169
 170         ## See if we should do this check.
 171         accept   acl = skip_spam_check
 172
 173         ## Check header validity.
 174         require  verify = header_syntax
 175
 176         ## Check the message for spam, comparing to the configured limit.
 177         deny     spam = exim:true
 178                  message = Tinned meat product detected ($spam_score)
 179                  condition = ${if >{$spam_score_int}{$acl_m_spam_limit} \
 180                                   {true}{false}}
 181
 182         ## Insert headers from the spam check now that we've decided to
 183         ## accept the message.
 184         warn
 185
 186                  ## Convert the limit (currently 10x fixed point) into a
 187                  ## decimal for presentation.
 188                  set acl_m_spam_limit_presentation = \
 189                         ${sg{$acl_m_spam_limit}{\N(\d)$\N}{.\$1}}
 190
 191                  ## Convert the report into something less obnoxious.  Plain
 192                  ## old SpamAssassin has an `X-Spam-Status' header which
 193                  ## lists the matched rules and provides some other basic
 194                  ## information.  Try to extract something similar from the
 195                  ## report.
 196                  ##
 197                  ## This is rather fiddly.
 198
 199                  ## Firstly, escape angle brackets, because we'll be using
 200                  ## them for our own purposes.
 201                  set acl_m_spam_tests = ${sg{$spam_report}{([!<>])}{!\$1}}
 202
 203                  ## Trim off the blurb paragraph and the preview.  The rest
 204                  ## should be fairly well behaved.  Wrap double angle-
 205                  ## brackets around the remainder; these can't appear in the
 206                  ## body because we escaped them all earlier.
 207                  set acl_m_spam_tests = \
 208                         ${sg{$acl_m_spam_tests} \
 209                             {\N^(?s).*\n Content analysis details:(.*)$\N} \
 210                             {<<\$1>>}}
 211
 212                  ## Extract the information about the matching rules and
 213                  ## their scores.  Leave `<<...>>' around everything else.
 214                  set acl_m_spam_tests = \
 215                         ${sg{$acl_m_spam_tests} \
 216                             {\N(?s)\n\s*(-?[\d.]+)\s+([-\w]+)\s\N} \
 217                             {>>\$2:\$1,<<}}
 218
 219                  ## Strip everything still in `<<...>>' pairs, including any
 220                  ## escaped characters inside.
 221                  set acl_m_spam_tests = \
 222                         ${sg{$acl_m_spam_tests}{\N(?s)<<([^!>]+|!.)*>>\N}{}}
 223
 224                  ## Trim off a trailing comma.
 225                  set acl_m_spam_tests = ${sg{$acl_m_spam_tests}{,\s*\$}{}}
 226
 227                  ## Undo the escaping.
 228                  set acl_m_spam_tests = ${sg{$acl_m_spam_tests}{!(.)}{\$1}}
 229
 230                  ## Insert the headers.
 231                  add_header = X-SpamAssassin-Score: \
 232                         $spam_score/$acl_m_spam_limit_presentation \
 233                         ($spam_bar)
 234                  add_header = X-SpamAssassin-Status: \
 235                         score=$spam_score, \
 236                         limit=$acl_m_spam_limit_presentation, \n\t\
 237                         tests=$acl_m_spam_tests
 238
 239         ## We're good.
 240         accept
 241
 242 DIVERT(null)
 243 ###----- That's all, folks --------------------------------------------------