I have set up exim4-daemon-heavy/clamd/spamd on unstable.
Debian Sid GNU/linux 2.6.16-1-k7
clamav 0.88.1-1 antivirus scanner for Unix
clamav-base 0.88.1-1 base package for clamav,
clamav-daemon 0.88.1-1 antivirus scanner daemon
clamav-docs 0.88.1-1 documentation package
clamav-freshclam 0.88.1-1 downloads clamav virus database
exim4-base 4.61-1 support files for all exim MTA
exim4-config 4.61-1 configuration for the exim MTA
exim4-daemon-heavy 4.61-1 exim MTA (v4) daemon
spamassassin 3.1.0a-2 Perl-based spam filter using
After a bit of fiddling the basic setup works really well: outgoing mail
gets sent out and incoming mail is tested by clamav and spamd before
being filtered by ~/.forward and subsequently delivered into a
Maildir-folder. Kinda like advertised ;-)
Something seems to go wrong with the headers, reporting and ultimately
delivery of spam-positives though.
I have a similar setup running exim4-light with spamassassin via
router-transport on Sarge/Debian-stable. There the "X-Spam-Flag: YES"
header is inserted and the spam-body of a positive is kept out of view
and attached to a warning message.
Here exim has the protective message hiding in the headers under
"X-Spam_report" (see below), leaving the spam-body unshielded in the
Inbox, in full view for the unsuspecting user. This is neither a good
nor a pretty thing.
Not setting the header "X-Spam-Flag: YES" on spam breaks the filtering
with .forward and Spam gets delivered into the inbox.
I cannot seem to set this header manually: adding "X-Spam-Flag: YES\n\"
to the ACL (below) ends up as header: "X-ACL-Warn: X-Spam-Flag: YES"
Negatives get no X-Spam headers at all by default, which is confusing
since it took a trip to /var/log/syslog (or /var/log/mail.info) to find
out that spamd actually processed the message. Is it exim that doesn't
pass on the X-Spam headers set by spamassassin? Why? I sure didn't
override that in order to have to set different ones manually in exim.
Is it a bug or a feature?
Example of ACL + SPAM
ACL:
warn
  spam = Debian-exim
  message = X-Spam_score: $spam_score\n\
            X-Spam_score_int: $spam_score_int\n\
            X-Spam_bar: $spam_bar\n\
            X-Spam_report: $spam_report
SPAM (full message source):
------begin message source------
Return-path: <nws@cevnet.mine.nu>
Envelope-to: nws@cevnet.mine.nu
Received: from localhost ([127.0.0.1]) by cevnet.mine.nu with esmtp
(Exim 4.61) (envelope-from <nws@cevnet.mine.nu>) id 1FWNSh-0004NS-Vh for
nws@cevnet.mine.nu; Thu, 20 Apr 2006 02:56:00 +0200
Subject: test
From: Chris <nws@cevnet.mine.nu>
To: nws@cevnet.mine.nu
Content-Type: text/plain
Date: Thu, 20 Apr 2006 02:55:59 +0200
Message-Id: <1145494559.20239.2.camel@cevnet>
Mime-Version: 1.0
X-Mailer: Evolution 2.6.0
Content-Transfer-Encoding: 7bit
X-Spam_score: 998.4
X-Spam_score_int: 9984
X-Spam_bar: +++++++++++++++++++++++++++++++++++++++++++++++++++
X-Spam_report: Spam detection software, running on the system
"cevnet.mine.nu", has identified this incoming email as possible spam.
The original message has been attached to this so you can view it (if it
isn't spam) or label similar future email. If you have any questions,
see the administrator of that system for details. Content preview:
CUT--->GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL<---CUT
Chris <nws@cevnet.mine.nu> [...] Content analysis details: (998.4
points, 5.0 required) pts rule name description ----
----------------------
--------------------------------------------------
-1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP
1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
2.5 BAYES_40 BODY: Bayesian spam probability is 20 to 40%
[score:0.3348]
-2.3 AWL AWL: From: address is in the auto white-list
X-Evolution-Source: imap://chris@localhost/
CUT--->GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL<---CUT
-----end message source------
please cc me
Thanks,
--
Chris <nws@cevnet.mine.nu>

What does your local.cf have for report_safe? I thought that this
controlled the X-Spam-headers

....man spamassassin.conf

"If this option is set to 0, incoming spam is only modified by adding
some X-Spam- headers and no changes will be made to the body. In
addition, a header named X-Spam-Report will be added to spam. You can
use the remove_header option to remove that header after setting
report_safe to 0"

Or am I barking up the wrong tree?
Dp.

Dermot Paikkos wrote:
> What does your local.cf have for report_safe? I thought that this
> controlled the X-Spam-headers
>
> ....man spamassassin.conf
>
> "If this option is set to 0, incoming spam is only modified by adding
> some X-Spam- headers and no changes will be made to the body. In
> addition, a header named X-Spam-Report will be added to spam. You can
> use the remove_header option to remove that header after setting
> report_safe to 0"
>
> Or am I barking up the wrong tree?
> Dp.

I use my own exim4.conf file so I may be a bit off base here.

First, spamassassin does not add the headers to the message, but exim
does. So I don't think the value of report_safe is a factor here. The
headers are added by the ACLs. Here is your ACL sample:

ACL:
warn
  spam = Debian-exim
  message = X-Spam_score: $spam_score\n\
            X-Spam_score_int: $spam_score_int\n\
            X-Spam_bar: $spam_bar\n\
            X-Spam_report: $spam_report

I'm not sure if you can add multiple headers that way. I do it in my
setup with separate ACLs. Here is a sample:

#------------------------------------------------------------------------------
# Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide
# settings (user "nobody"), no matter if over threshold or not.
warn  spam = nobody:true/defer_ok
      message = X-Spam-Score: $spam_score ($spam_bar)
warn  spam = nobody:true/defer_ok
      message = X-Spam-Report: $spam_report

#------------------------------------------------------------------------------
# Add X-Spam-Flag if spam is over system-wide threshold.
warn  spam = nobody/defer_ok
      message = X-Spam-Flag: YES

I always add the X-Spam-Score and X-Spam-Report headers and only add the
X-Spam-Flag header if it's spam.

Note that I have the report as a header and I think you want it as an
attachment in the body? If so, I'm not sure how to do that. :(

I hope this helps,
mikeS

--
Michael F. Sprague | mfs@saneinc.net
http://www.saneinc.net | use STD::disclaimer;
System and Network Engineering (SaNE), Inc

On 2006-04-20 Chris <nws@cevnet.mine.nu> wrote:
[...]
> Something seems to go wrong with the headers, reporting and ultimately
> delivery of spam-positives though.

> I have a similar setup running exim4-light with spamassassin via
> router-transport on Sarge/Debian-stable. There the "X-Spam-Flag: YES"
> header is inserted and the spam-body of a positive is kept out of view
> and attached to a warning message.

Running spamassassin by router-transport works differently, exim hands
off the message to spamassassin, spamassassin modifies it and exim
works on the modified copy. OTOH if spamassassin is invoked via ACL
exim passes a copy of the message to spamassassin, and exim checks
whether spamassassin tagged it as spam (depending on this the spam=...
condition is true or false) saves *some* of its output (score and
report) into exim expansion variables but any changes spamassassin made
to the message like report safe are discarded, as exim does not use the
modified copy.

> Here exim has the protective message hiding in the headers under
> "X-Spam_report" (see below), leaving the spam-body unshielded in the
> Inbox, in full view for the unsuspecting user. This is neither a good
> nor a pretty thing.

> Not setting the header "X-Spam-Flag: YES" on spam breaks the filtering
> with .forward and Spam gets delivered into the inbox.
> I cannot seem to set this header manually: adding "X-Spam-Flag: YES\n\"
> to the ACL(below) ends up as header: "X-ACL-Warn: X-Spam-Flag: YES"

[reordered]
You are claiming that

> ACL:
> warn
>   spam = Debian-exim
>   message = X-Spam_score: $spam_score\n\
>             X-Spam_score_int: $spam_score_int\n\
>             X-Spam_bar: $spam_bar\n\
>             X-Spam-Flag: YES\n\
>             X-Spam_report: $spam_report

results in X-ACL-Warn: X-Spam-Flag: YES?

or are you using

> ACL:
> warn
>   spam = Debian-exim
>   message = X-Spam_score: $spam_score\n\
>             X-Spam_score_int: $spam_score_int\n\
>             X-Spam_bar: $spam_bar\n\
>             X-Spam_report: $spam_report
>             X-Spam-Flag: YES\n\

which should result in a syntax error.

> Negatives get no X-Spam headers at all by default, which is confusing
> since it took a trip to /var/log/syslog (or /var/log/mail.info) to find
> out that spamd actually processed the message.

That is how you configured it. You told exim to check whether the
message was spam (spam = Debian-exim) and *if* this was true to add
some headers.

> Is it exim that doesn't
> pass on the X-Spam headers set by spamassassin?

see above.

> Why? I sure didn't override that in order to have to set different
> ones manually in exim. Is it a bug or a feature?

It is documented. ;-)

cu andreas
--
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not
constitute tacit approval by the author or the publisher for any such
projects, howsoever undertaken. (c) Jasper Ffforde

Chris wrote:
> I have set up exim4-daemon-heavy/clamd/spamd on unstable.
>
> After a bit of fiddling the basic setup works really well: outgoing mail
> gets sent out and incoming mail is tested by clamav and spamd before
> being filtered by ~/.forward and subsequently delivered into a
> Maildir-folder. Kinda like advertised ;-)
>
> Something seems to go wrong with the headers, reporting and ultimately
> delivery of spam-positives though.
>
> Here exim has the protective message hiding in the headers under
> "X-Spam_report" (see below), leaving the spam-body unshielded in the
> Inbox, in full view for the unsuspecting user. This is neither a good
> nor a pretty thing.
>
> Not setting the header "X-Spam-Flag: YES" on spam breaks the filtering
> with .forward and Spam gets delivered into the inbox.
> I cannot seem to set this header manually: adding "X-Spam-Flag: YES\n\"
> to the ACL(below) ends up as header: "X-ACL-Warn: X-Spam-Flag: YES"
>
> Negatives get no X-Spam headers at all by default, which is confusing
> since it took a trip to /var/log/syslog (or /var/log/mail.info) to find
> out that spamd actually processed the message. Is it exim that doesn't
> pass on the X-Spam headers set by spamassassin? Why? I sure didn't
> override that in order to have to set different ones manually in exim.
> Is it a bug or a feature?

This doesn't answer your question directly, but I use sa-exim and it
makes it very simple for integration of spamassassin with exim. It will
return the message after spamassassin has worked on it, allowing you to
keep the modifications made by spamassassin.

--
Good day, eh.
Chris

On Thu, 2006-04-20 at 19:36 +0200, Andreas Metzler wrote:
> On 2006-04-20 Chris <nws@cevnet.mine.nu> wrote:

> You are claiming that
> > ACL:
> > warn
> >   spam = Debian-exim
> >   message = X-Spam_score: $spam_score\n\
> >             X-Spam_score_int: $spam_score_int\n\
> >             X-Spam_bar: $spam_bar\n\
> >             X-Spam-Flag: YES\n\
> >             X-Spam_report: $spam_report
>
> results in X-ACL-Warn: X-Spam-Flag: YES?

Close, I actually used:

warn
  spam = Debian-exim
  message = X-Spam-Flag: YES\n\
            X-Spam_score: $spam_score\n\
            x-Spam_score_int: $spam_score_int\n\
            X-Spam_bar: $spam_bar\n\
            X-Spam_report: $spam_report

but the result indeed was "X-ACL-Warn: X-Spam-Flag: YES".

> or are you using
>
> > ACL:
> > warn
> >   spam = Debian-exim
> >   message = X-Spam_score: $spam_score\n\
> >             X-Spam_score_int: $spam_score_int\n\
> >             X-Spam_bar: $spam_bar\n\
> >             X-Spam_report: $spam_report
> >             X-Spam-Flag: YES\n\
>
> which should result in a syntax error.

I checked: it does. No, I didn't use that.

>Michael Sprague <mfs@saneinc.net>
> I'm not sure if you can add multiple headers that way.

It is (commented) in debian's exim4-config_4.61-1
/etc/exim4/conf.d/acl/40_exim4-config_check_data. I merely uncommented
it. I thought I could add to that, but now I understand this is the only
info saved from SA and thus the only X-Spam headers available for this
acl.

I set the X-Spam-Flag now by adding this acl:

warn
  spam = Debian-exim/defer_ok
  message = X-Spam-Flag: YES

It works fine.

> > Negatives get no X-Spam headers at all by default, which is confusing
> > since it took a trip to /var/log/syslog (or /var/log/mail.info) to find
> > out that spamd actually processed the message.
>
> That is how you configured it. You told exim to check whether the
> message was spam (spam = Debian-exim) and *if* this was true to add
> some headers.
> It is documented. ;-)

:-)

I understand the *if* but I counted on SA's config for adding the
headers, not on exim discarding them in order for me to have to add them
manually.

As my understanding grows I can see more logic into the way exim is
handling it, BUT: coming from a setup with routers-transport I kinda
expected more or less the same behaviour.

Changing over from exim-light to heavy caused me to lose control over
SpamAssassin, which does a perfectly fine job adding headers to both
pos' and negs, and I can also fine-tune those in SA's config files. Why
change that and make me lose info about the scan, lose control over
SA's way of spam-reporting in headers? (on which clients base
filtering), and even worse:

>Michael Sprague <mfs@saneinc.net>
>Note that I have the report as a header and I think you want it as an
>attachment in the body? If so, I'm not sure how to do that. :(

No, I want the report in the body and the spam attached, as I declare in
/etc/spamassassin/local.cf:

# Save spam messages as a message/rfc822 MIME attachment instead
# of modifying the original message (0: off, 2: use text/plain
# instead)
report_safe 1

This is not at all what I expected from exim4-daemon-heavy. Should I go
back to *-light and do the content scanning with router-transport? or
add a router-transport combo to get proper spam reporting?

The way I see it is that the trade off for smtp-time scanning right now
is a buggy way of handling spam. I can't believe this is what it should
do.

I understand from the reactions that my config is correct and that this
behaviour is indeed not a bug :-(

Maybe it could be added to the README.documentation that SA's
body/headers are discarded and that *if* you want headers and a
"X-SPAM-flag: YES" for spam uncommenting and adding these lines is
necessary. Leaving the fact that you have no longer a choice in the way
spam is reported.

What is the benefit of the above to SA's original treatment? I think
this could be improved.

I also think there should be a meta-package for
exim/clamav/spamassassin, so that after Debconf there is a working
setup.

Input appreciated!

Thanks,
--
Chris <nws@cevnet.mine.nu>

On Fri, Apr 21, 2006 at 09:39:46AM +0800, Chris Purves wrote:
> This doesn't answer your question directly, but I use sa-exim and it
> makes it very simple for integration of spamassassin with exim.

What's the advantage of sa-exim over exim's built-in ACL-based
spamassassin interface?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Marc Haber wrote:
> On Fri, Apr 21, 2006 at 09:39:46AM +0800, Chris Purves wrote:
>> This doesn't answer your question directly, but I use sa-exim and it
>> makes it very simple for integration of spamassassin with exim.
>
> What's the advantage of sa-exim over exim's built-in ACL-based
> spamassassin interface?
>

That's a good question and one I've been wondering about myself lately.
I haven't used the built-in spamassassin ACL, but from what I
understand from the exim specification, you cannot make use of changes
made to the message by spamassassin. I believe that Andreas Metzler
confirms this.

I like to have spamassassin write the test results to the headers and
sa-exim allows this. Also, if you're not comfortable with editing the
exim configuration, sa-exim has a separate configuration file. This was
a big plus for me when I installed it six months ago, since I didn't
understand the exim configuration.

One of the features promoted by the author, but not used by me, is the
ability to teergrube: hold an incoming spam connection for some minutes
thereby using up the spammers' resources.

You can also greylist, although I haven't used this. Basically during
receiving you tell the sender to try again later, then you decide if you
want to accept the mail next time.

It also allows you to save copies of all types of mail. This was useful
for me when I was making a lot of configuration changes to spamassassin
and I wanted to see the messages I was rejecting.

All in all, I don't think it does anything that you couldn't do with
exim natively, but it's less work. And comparing directly with the
built-in spam ACL the ability to modify the message is the major
difference for me.

I'm interested to hear what others have to say.

--
Good day, eh.
Chris

On Fri, Apr 21, 2006 at 03:32:46PM +0800, Chris Purves wrote:
> Marc Haber wrote:
> >On Fri, Apr 21, 2006 at 09:39:46AM +0800, Chris Purves wrote:
> >>This doesn't answer your question directly, but I use sa-exim and it
> >>makes it very simple for integration of spamassassin with exim.
> >
> >What's the advantage of sa-exim over exim's built-in ACL-based
> >spamassassin interface?
> >
>
> That's a good question and one I've been wondering about myself lately.
> I haven't used the built-in spamassassin ACL, but from what I
> understand from the exim specification, you cannot make use of changes
> made to the message by spamassassin.

You cannot directly make changes, but it surely is possible to add the
results of the scan to the message, for example like this:

X-Spam-Score: (-) -1.9
X-Spam-Report: torres.zugschlus.de
  Content analysis details: (-1.9 points, 5.0 required)
   pts rule name              description
  ---- ---------------------- -------------------------------------------
   1.3 INFO_TLD               URI: Contains an URL in the INFO top-level domain
  -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                              [score: 0.0000]
  -0.6 AWL                    AWL: From: address is in the auto white-list

> I believe that Andreas Metzler confirms this.

And http://www.exim.org/eximwiki/ExiscanExamples contains instructions
about how to do this. Please note that the majority of the complexity
mentioned in that document is getting the headers removed before
re-adding them.

> I like to have spamassassin write the test results to the headers and
> sa-exim allows this. Also, if you're not comfortable with editing the
> exim configuration, sa-exim has a separate configuration file. This was
> a big plus for me when I installed it six months ago, since I didn't
> understand the exim configuration.

Running a tool without understanding its configuration is like asking
for trouble.

> One of the features promoted by the author, but not used by me, is the
> ability to teergrube: hold an incoming spam connection for some minutes
> thereby using up the spammers' resources.

Can be done with ACLs as well, using the delay command.

> I'm interested to hear what others have to say.

So am I.

Greetings
Marc

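The tagging scheme discussed in the messages above (score and report headers always added, X-Spam-Flag added only over the threshold, and X-Spam header lines that arrived with the message removed before re-adding), modelled in Python as an added example; it is not exim configuration and not code from any poster in this thread. The function names, addresses, sample messages and scores are constructed for illustration, and `forward_filter_folder` is a hypothetical stand-in for a ~/.forward rule.

```python
from email import message_from_string
from email.message import Message

THRESHOLD = 5.0  # "5.0 required", as in the reports quoted in this thread

# Constructed sample: arrives already carrying X-Spam header lines.
RAW_SPAMMY = (
    "From: sender@example.org\n"
    "To: user@example.net\n"
    "Subject: test\n"
    "X-Spam-Flag: NO\n"
    "X-Spam-Score: -100.0\n"
    "\n"
    "constructed body that the scanner scores as spam\n"
)
# Constructed sample: an ordinary message with no X-Spam header lines.
RAW_HAM = (
    "From: friend@example.org\n"
    "To: user@example.net\n"
    "Subject: lunch\n"
    "\n"
    "constructed body that the scanner scores as ham\n"
)


def strip_incoming_spam_headers(msg: Message) -> list:
    """Drop every X-Spam* header line that arrived with the message."""
    names = [n for n in msg.keys() if n.lower().startswith("x-spam")]
    for n in names:
        del msg[n]  # removes all lines of that name; no error if already gone
    return names


def tag_at_acl_time(raw: str, score: float, report: str) -> Message:
    """Model of ACL-time tagging: the scanner's verdict is available only as
    (score, report); the message being tagged is the original, never a copy
    rewritten by the scanner."""
    msg = message_from_string(raw)
    strip_incoming_spam_headers(msg)
    # Like "spam = nobody:true": always true, so ham gets these headers too.
    msg["X-Spam-Score"] = f"{score:.1f}"
    msg["X-Spam-Report"] = report
    # Like "spam = nobody": true only at or over the threshold.
    if score >= THRESHOLD:
        msg["X-Spam-Flag"] = "YES"
    return msg


def forward_filter_folder(msg: Message) -> str:
    """Hypothetical stand-in for a ~/.forward rule keyed on X-Spam-Flag."""
    flag = (msg.get("X-Spam-Flag") or "").strip().upper()
    return "Spam" if flag == "YES" else "Inbox"


def demo() -> dict:
    """Tag both constructed samples and report what a mail filter would see."""
    spam = tag_at_acl_time(RAW_SPAMMY, 7.2, "7.2 points, 5.0 required")
    ham = tag_at_acl_time(RAW_HAM, 0.3, "0.3 points, 5.0 required")
    return {
        "spam_folder": forward_filter_folder(spam),
        "spam_scores": spam.get_all("X-Spam-Score"),
        "spam_body": spam.get_payload(),
        "ham_folder": forward_filter_folder(ham),
        "ham_score": ham["X-Spam-Score"],
        "ham_flag": ham["X-Spam-Flag"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The body of the flagged message comes out unchanged, which is the ACL-path behaviour described in this thread: tagging adds header lines, and nothing like report_safe wrapping is applied.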
Marc Haber wrote:
> On Fri, Apr 21, 2006 at 03:32:46PM +0800, Chris Purves wrote:
>> Marc Haber wrote:
>>> On Fri, Apr 21, 2006 at 09:39:46AM +0800, Chris Purves wrote:
>>>> This doesn't answer your question directly, but I use sa-exim and it
>>>> makes it very simple for integration of spamassassin with exim.
>>> What's the advantage of sa-exim over exim's built-in ACL-based
>>> spamassassin interface?
>>>
>> That's a good question and one I've been wondering about myself lately.
>> I haven't used the built-in spamassassin ACL, but from what I
>> understand from the exim specification, you cannot make use of changes
>> made to the message by spamassassin.
>
> You cannot directly make changes, but it surely is possible to add the
> results of the scan to the message, for example like this:
>
> X-Spam-Score: (-) -1.9
> X-Spam-Report: torres.zugschlus.de
> Content analysis details: (-1.9 points, 5.0 required)
> pts rule name description
> ---- ---------------------- -------------------------------------------
> 1.3 INFO_TLD URI: Contains an URL in the INFO top-level domain
> -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000]
> -0.6 AWL AWL: From: address is in the auto white-list
>

That's good to know. I missed the $spam_report variable the first time I
looked at the specification. I may switch to the exiscan method to see
what it is like.

>> I like to have spamassassin write the test results to the headers and
>> sa-exim allows this. Also, if you're not comfortable with editing the
>> exim configuration, sa-exim has a separate configuration file. This was
>> a big plus for me when I installed it six months ago, since I didn't
>> understand the exim configuration.
>
> Running a tool without understanding its configuration is like asking
> for trouble.

Well I agree with you there, but modifying said configuration is like
asking for more trouble. :-)

--
Good day, eh.
Chris

On 2006-04-21 Marc Haber <mh+pkg-exim4-users@zugschlus.de> wrote:
> On Fri, Apr 21, 2006 at 09:39:46AM +0800, Chris Purves wrote:
> > This doesn't answer your question directly, but I use sa-exim and it
> > makes it very simple for integration of spamassassin with exim.

> What's the advantage of sa-exim over exim's built-in ACL-based
> spamassassin interface?

Afaik, nowadays probably only the possibility of making use of
spamassassin's report_safe feature (hiding away the original mail in a
MIME attachment).

cu andreas

On 2006-04-21 Chris <nws@cevnet.mine.nu> wrote:
> On Thu, 2006-04-20 at 19:36 +0200, Andreas Metzler wrote:
> > On 2006-04-20 Chris <nws@cevnet.mine.nu> wrote:

> > You are claiming that
> > > ACL:
> > > warn
> > >   spam = Debian-exim
> > >   message = X-Spam_score: $spam_score\n\
> > >             X-Spam_score_int: $spam_score_int\n\
> > >             X-Spam_bar: $spam_bar\n\
> > >             X-Spam-Flag: YES\n\
> > >             X-Spam_report: $spam_report
> >
> > results in X-ACL-Warn: X-Spam-Flag: YES?

> Close, I actually used:

> warn
>   spam = Debian-exim
>   message = X-Spam-Flag: YES\n\
>             X-Spam_score: $spam_score\n\
>             x-Spam_score_int: $spam_score_int\n\
>             X-Spam_bar: $spam_bar\n\
>             X-Spam_report: $spam_report

> but the result indeed was "X-ACL-Warn: X-Spam-Flag: YES".

Strange, seems to work for me.

[...]
>> That is how you configured it. You told exim to check whether the
>> message was spam (spam = Debian-exim) and *if* this was true to add
>> some headers.
>> It is documented. ;-)

> :-)

> I understand the *if* but I counted on SA's config for adding the
> headers, not on exim discarding them in order for me to have to add them
> manually.

> As my understanding grows I can see more logic into the way exim is
> handling it, BUT: coming from a setup with routers-transport I kinda
> expected more or less the same behaviour.

> Changing over from exim-light to heavy caused me to lose control over
> SpamAssassin, which does a perfectly fine job adding headers to both
> pos' and negs, and I can also fine-tune those in SA's config files. Why
> change that and make me lose info about the scan, lose control over
> SA's way of spam-reporting in headers?
[...]

I do not know. But I guess because it fits better into exim. - Acls only
decide what to accept and how to tag it. There'll also be implementation
issues.

> Maybe it could be added to the README.documentation that SA's
> body/headers are discarded and that *if* you want headers and a
> "X-SPAM-flag: YES" for spam uncommenting and adding these lines is
> necessary. Leaving the fact that you have no longer a choice in the way
> spam is reported.
[...]

The documentation could spell out louder that any alterations
spamassassin or that a virus-scanner made to the message are discarded,
as it acts only on a temporary copy. It currently says:

| All the content-scanning facilities work on a MBOX copy of the message
| that is temporarily created in a file called:
| <spool_directory>/scan/<message_id>/<message_id>.eml
|
| The .eml extension is a friendly hint to virus scanners that they can
| expect an MBOX-like structure inside that file. The file is created
| when the first content scanning facility is called. Subsequent calls
| to content scanning conditions open the same file again. The directory
| is recursively removed when the acl_smtp_data ACL has finished
| running, unless
|
| control = no_mbox_unspool
|
| has been encountered.

cu andreas

On Fri, 2006-04-21 at 19:36 +0200, Andreas Metzler wrote:
>
> The documentation could spell out louder that
> any alterations spamassassin or that a virus-scanner made to the
> message are discarded, as it acts only on a temporary copy. It
> currently says:
>
> | All the content-scanning facilities work on a MBOX copy of the message
> | that is temporarily created in a file called:
> | <spool_directory>/scan/<message_id>/<message_id>.eml
> |
> | The .eml extension is a friendly hint to virus scanners that they can
> | expect an MBOX-like structure inside that file. The file is created
> | when the first content scanning facility is called. Subsequent calls
> | to content scanning conditions open the same file again. The directory
> | is recursively removed when the acl_smtp_data ACL has finished
> | running, unless
> |
> | control = no_mbox_unspool
> |
> | has been encountered.

Thanks, it is more or less clear to me now. I had some preconceptions
about the way it would work based on experience with *-light and spamc.
The acl path is a different one with different results. I may check out
sa-exim later.

Thanks for your responses.

--
Chris <nws@cevnet.mine.nu>