lists.m4: Update the IP address lists following server move.

[exim-config] / spam.m4

### -*-m4-*-
###
### Spam filtering for distorted.org.uk Exim configuration
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

DIVERT(null)
###--------------------------------------------------------------------------
### Spam filtering.

## The Exim documentation tells lies.
##
## : *${run{*<_command_>* *<_args_>*}{*<_string1_>*}{*<_string2_>*}}*
## :     The command and its arguments are first expanded separately, [...]
##
## They aren't.  The whole command-and-args are expanded together, and then
## split at unquoted spaces.  This unpleasant hack sorts out the mess.
m4_define(<:SHQUOTE:>, <:"${rxquote:$1}":>)

## Utilities for collecting spam limits.
m4_define(<:SPAMLIMIT_CHECK:>,
        <:${if match{$1}{\N^-?[0-9]+$\N} {spam_limit=$1} {}}:>)

m4_define(<:SPAMLIMIT_ROUTER:>,
<:$1:
        driver = redirect
        data = :unknown:
        verify_only = true
        condition = ${if !eq{$acl_c_mode}{submission}}
        condition = ${extract{spam_limit}{$address_data}{false}{true}}:>)

m4_define(<:SPAMLIMIT_SET:>,
        <:address_data = \
                ${if def:address_data {$address_data}{}} \
                m4_ifelse(<:$2:>, <::>, <::>, <:$2 \
                :>)$1:>)

m4_define(<:SPAMLIMIT_LOOKUP:>,
        <:condition = ${if exists{$1}}
        SPAMLIMIT_SET(<:${lookup {$2@$3/$4} nwildlsearch {$1} \
                               {SPAMLIMIT_CHECK(<:$value:>)}}:>, <:$5:>):>)

m4_define(<:SPAMLIMIT_USERV:>,
        <:SPAMLIMIT_SET(<:${run {/usr/bin/timeout 5s \
                                        /usr/bin/userv CONF_userv_opts \
                                        SHQUOTE($1) exim-spam-limit \
                                        SHQUOTE($4) \
                                        SHQUOTE($2) SHQUOTE(@$3)} \
                                {SPAMLIMIT_CHECK(<:$value:>)}}:>, <:$5:>):>)

m4_define(<:GET_ADDRDATA:>,
        <:extract{<:$1:>}{${if def:address_data{$address_data}{}}}:>)

SECTION(global, policy)m4_dnl
spamd_address = CONF_spamd_address CONF_spamd_port

SECTION(acl, rcpt-hooks)m4_dnl
        ## Do per-recipient spam-filter processing.
        require  acl = rcpt_spam

SECTION(acl, misc)m4_dnl
skip_spam_check:

        ## If the client is trusted, or this is a new submission, don't
        ## bother with any of this.  We will have verified the sender
        ## fairly aggressively before granting this level of trust.
        accept   hosts = +trusted
        accept   condition = ${if eq{$acl_c_mode}{submission}}

        ## If all domains have disabled spam checking then don't check.
        accept  !condition = $acl_c_spam_check_domain

        ## Otherwise we should check.
        deny

rcpt_spam:

        ## If this is a virtual domain, and it says `spam-check=no', then we
        ## shouldn't check spam.  But we can't check domains at DATA time, so
        ## instead we must track whether all recipients have disabled
        ## checking.
        warn    !domains = ${if exists{CONF_sysconf_dir/domains.conf} \
                         {partial0-lsearch; CONF_sysconf_dir/domains.conf} \
                         {}}
                 set acl_c_spam_check_domain = true
        warn    !condition = $acl_c_spam_check_domain
                 condition = DOMKV(spam-check, {${expand:$value}}{true})
                 set acl_c_spam_check_domain = true

        ## See if we should do this check.
        accept   acl = skip_spam_check

        ## Always accept mail to `postmaster'.  Currently this is not
        ## negotiable; maybe a tweak can be added to `domains.conf' if
        ## necessary.
        accept   local_parts = postmaster

        ## Collect the user's spam threshold from the `address_data'
        ## variable, where it was left by the `fetch_spam_limit' router
        ## during recipient verification.  (This just saves duplicating this
        ## enormous expression.)
        warn     set acl_m_this_spam_limit = \
                        ${sg {${GET_ADDRDATA(spam_limit){$value}{nil}}} \
                             {^(|.*\\D.*)\$}{CONF_spam_max}}

        warn     condition = ${GET_ADDRDATA(user){true}{false}}
                 set acl_m_spam_users = \
                        ${if def:acl_m_spam_users {$acl_m_spam_users::}{}}\
                        ${GET_ADDRDATA(user) \
                                {$value=${sg{$local_part@$domain}\
                                            {([!:])}{!\$1}}} \
                                fail}

        ## If there's a spam limit already established, and it's different
        ## from this user's limit, then the sender will have to try this user
        ## again later.
        defer   !hosts = +trusted
                 message = "You'd better try this one later"
                 condition = ${if def:acl_m_spam_limit {true}{false}}
                 condition = ${if ={$acl_m_spam_limit} \
                                   {$acl_m_this_spam_limit} \
                                  {false}{true}}

        ## There's no limit set yet, or the user's limit is the same as the
        ## existing one, or the client's local and we're not checking for
        ## spam anyway.  Whichever way, it's safe to set it now.
        warn     set acl_m_spam_limit = $acl_m_this_spam_limit

        ## All done.
        accept

SECTION(acl, data-hooks)m4_dnl
        ## Do spam checking.
        require  acl = data_spam

SECTION(acl, misc)m4_dnl
data_spam:

        ## See if we should do this check.
        accept   acl = skip_spam_check

        ## Check header validity.
        require  verify = header_syntax

        ## Check the message for spam, comparing to the configured limit.
        warn     spam = exim:true

        ## Format some reporting stuff.
        warn

                 ## Convert the limit (currently 10x fixed point) into a
                 ## decimal for presentation.
                 set acl_m_spam_limit_presentation = \
                        ${sg{$acl_m_spam_limit}{\N(\d)$\N}{.\$1}}

                 ## Convert the report into something less obnoxious.  Plain
                 ## old SpamAssassin has an `X-Spam-Status' header which
                 ## lists the matched rules and provides some other basic
                 ## information.  Try to extract something similar from the
                 ## report.
                 ##
                 ## This is rather fiddly.

                 ## Firstly, escape angle brackets, because we'll be using
                 ## them for our own purposes.
                 set acl_m_spam_tests = ${sg{$spam_report}{([!<>])}{!\$1}}

                 ## Trim off the blurb paragraph and the preview.  The rest
                 ## should be fairly well behaved.  Wrap double angle-
                 ## brackets around the remainder; these can't appear in the
                 ## body because we escaped them all earlier.
                 set acl_m_spam_tests = \
                        ${sg{$acl_m_spam_tests} \
                            {\N^(?s).*\n Content analysis details:(.*)$\N} \
                            {<<\$1>>}}

                 ## Extract the information about the matching rules and
                 ## their scores.  Leave `<<...>>' around everything else.
                 set acl_m_spam_tests = \
                        ${sg{$acl_m_spam_tests} \
                            {\N(?s)\n\s*(-?[\d.]+)\s+([-\w]+)\s\N} \
                            {>>\$2:\$1,<<}}

                 ## Strip everything still in `<<...>>' pairs, including any
                 ## escaped characters inside.
                 set acl_m_spam_tests = \
                        ${sg{$acl_m_spam_tests}{\N(?s)<<([^!>]+|!.)*>>\N}{}}

                 ## Trim off a trailing comma.
                 set acl_m_spam_tests = ${sg{$acl_m_spam_tests}{,\s*\$}{}}

                 ## Undo the escaping.
                 set acl_m_spam_tests = ${sg{$acl_m_spam_tests}{!(.)}{\$1}}

        ## If we've decided to reject, then leave a dropping in the log file
        ## so that users can analyse rejections for incoming messages, and
        ## tell the sender to get knotted.
        deny     message = Tinned meat product detected ($spam_score)
                 log_message = Spam rejection \
                        score=$spam_score \
                        limit=$acl_m_spam_limit_presentation \
                        tests=$acl_m_spam_tests \
                        users=$acl_m_spam_users
                 condition = ${if >{$spam_score_int}{$acl_m_spam_limit} \
                                  {true}{false}}

        ## Insert headers from the spam check now that we've decided to
        ## accept the message.
        warn
                 ADD_HEADER(<:X-CONF_header_token-SpamAssassin-Score: \
                        $spam_score/$acl_m_spam_limit_presentation \
                        ($spam_bar):>)
                 ADD_HEADER(<:X-CONF_header_token-SpamAssassin-Status: \
                        score=$spam_score, \
                        limit=$acl_m_spam_limit_presentation, \n\t\
                        tests=$acl_m_spam_tests:>)

        ## We're good.
        accept

DIVERT(null)
###----- That's all, folks --------------------------------------------------