X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/185b5456076ca86959643ce2f19c98c0f82f281e..48507a38f1410a43af1df681d593290a5e4bf038:/spam.m4 diff --git a/spam.m4 b/spam.m4 index 705fbee..4253e88 100644 --- a/spam.m4 +++ b/spam.m4 @@ -25,6 +25,45 @@ DIVERT(null) ###-------------------------------------------------------------------------- ### Spam filtering. +## The Exim documentation tells lies. +## +## : *${run{*<_command_>* *<_args_>*}{*<_string1_>*}{*<_string2_>*}}* +## : The command and its arguments are first expanded separately, [...] +## +## They aren't. The whole command-and-args are expanded together, and then +## split at unquoted spaces. This unpleasant hack sorts out the mess. +m4_define(<:SHQUOTE:>, <:"${rxquote:$1}":>) + +## Utilities for collecting spam limits. +m4_define(<:SPAMLIMIT_CHECK:>, + <:${if match{$1}{\N^-?[0-9]+$\N} {spam_limit=$1} {}}:>) + +m4_define(<:SPAMLIMIT_ROUTER:>, +<:$1: + driver = redirect + data = :unknown: + verify_only = true + condition = ${if !eq{$acl_c_mode}{submission}} + condition = ${extract{spam_limit}{$address_data}{false}{true}}:>) + +m4_define(<:SPAMLIMIT_SET:>, + <:address_data = \ + ${if def:address_data {$address_data}{}} \ + $1:>) + +m4_define(<:SPAMLIMIT_LOOKUP:>, + <:condition = ${if exists{$1}} + SPAMLIMIT_SET(<:${lookup {$2$3$4@$5/$6} nwildlsearch {$1} \ + {SPAMLIMIT_CHECK($value)}}:>):>) + +m4_define(<:SPAMLIMIT_USERV:>, + <:SPAMLIMIT_SET(<:${run {/usr/bin/timeout 5s \ + userv CONF_userv_opts \ + SHQUOTE($1) exim-spam-limit \ + SHQUOTE($6) SHQUOTE($2) SHQUOTE($3) \ + SHQUOTE($4) SHQUOTE(@$5)} \ + {SPAMLIMIT_CHECK($value)}}:>):>) + SECTION(global, policy)m4_dnl spamd_address = CONF_spamd_address CONF_spamd_port @@ -34,48 +73,55 @@ SECTION(routers, allspam)m4_dnl ## limit and insert it into the `address_data' where the RCPT ACL can find ## it. This router always declines, so it doesn't affect the overall outcome ## of the verification. -fetch_spam_limit: - driver = redirect - data = :unknown: - verify_only = true +SPAMLIMIT_ROUTER(fetch_spam_limit_lookup) + check_local_user local_part_suffix = CONF_user_suffix_list local_part_suffix_optional = true + SPAMLIMIT_LOOKUP(CONF_userconf_dir/spam-limit, + $local_part_prefix, $local_part, $local_part_suffix, $domain, + $sender_address) + +SPAMLIMIT_ROUTER(fetch_spam_limit_userv) check_local_user - address_data = \ - ${if def:address_data {$address_data}{}} \ - ${if exists {CONF_userconf_dir/spam-limit} \ - {${lookup {$local_part_prefix\ - $local_part\ - $local_part_suffix\ - @$domain/\ - $sender_address} \ - nwildlsearch {CONF_userconf_dir/spam-limit} \ - {spam_limit=$value} \ - {}}} \ - {}} \ - ${if exists {CONF_userconf_dir/spam-limit.userv} \ - {${run {timeout 5s -- \ - userv $local_part exim-spam-limit \ - $sender_address \ - $local_part_prefix \ - $local_part \ - $local_part_suffix \ - @$domain} \ - {${if match{$value}{\N^[0-9]+$\N} \ - {spam_limit=$value} \ - {}}} \ - {}}} \ - {}} + local_part_suffix = CONF_user_suffix_list + local_part_suffix_optional = true + condition = ${if exists{CONF_userconf_dir/spam-limit.userv}} + SPAMLIMIT_USERV(SHQUOTE($local_part), + $local_part_prefix, $local_part, $local_part_suffix, $domain, + $sender_address) SECTION(acl, rcpt-hooks)m4_dnl ## Do per-recipient spam-filter processing. require acl = rcpt_spam SECTION(acl, misc)m4_dnl -rcpt_spam: +skip_spam_check: - ## If the client is trusted, don't bother with any of this. + ## If the client is trusted, or this is a new submission, don't + ## bother with any of this. We will have verified the sender + ## fairly aggressively before granting this level of trust. accept hosts = +trusted + accept condition = ${if eq{$acl_c_mode}{submission}} + + ## If this is a virtual domain, and it says `spam-check=no', then + ## skip. + accept domains = ${if exists{CONF_sysconf_dir/domains.conf} \ + {partial0-lsearch; CONF_sysconf_dir/domains.conf} \ + {}} + !condition = DOMKV(spam-check, {${expand:$value}}{true}) + + ## Otherwise we should check. + deny + +rcpt_spam: + + ## See if we should do this check. + accept acl = skip_spam_check + + ## Always accept mail to `postmaster'. Currently this is not + ## negotiable; maybe a tweak can be added to `domains.conf' if + ## necessary. + accept local_parts = postmaster ## Collect the user's spam threshold from the `address_data' ## variable, where it was left by the `fetch_spam_limit' router @@ -113,8 +159,11 @@ SECTION(acl, data-spam)m4_dnl SECTION(acl, misc)m4_dnl data_spam: - ## If the client is trusted, don't bother with any of this. - accept hosts = +trusted + ## See if we should do this check. + accept acl = skip_spam_check + + ## Check header validity. + require verify = header_syntax ## Check the message for spam, comparing to the configured limit. deny spam = exim:true @@ -125,6 +174,7 @@ data_spam: ## Insert headers from the spam check now that we've decided to ## accept the message. warn + ## Convert the limit (currently 10x fixed point) into a ## decimal for presentation. set acl_m_spam_limit_presentation = \ @@ -155,7 +205,7 @@ data_spam: ## their scores. Leave `<<...>>' around everything else. set acl_m_spam_tests = \ ${sg{$acl_m_spam_tests} \ - {\N(?s)\n\s*([\d.]+)\s+([-\w]+)\s\N} \ + {\N(?s)\n\s*(-?[\d.]+)\s+([-\w]+)\s\N} \ {>>\$2:\$1,<<}} ## Strip everything still in `<<...>>' pairs, including any @@ -178,7 +228,6 @@ data_spam: limit=$acl_m_spam_limit_presentation, \n\t\ tests=$acl_m_spam_tests - ## We're good. accept