Mail server: Spamassassin

TL;DR: our mail server finally has SpamAssassin running. It's opt-in; anyone who wants it, please get in touch. It's already active for wir@.

The filter runs at SMTP time and rejects mail classified as spam right away with a 5xx permanent reject instead of accepting it. IMO that's the only way spam filtering should be done in Austria because of that OGH (Austrian Supreme Court) ruling.

Unfortunately this has the problem that you can't easily use per-user rules or sa-learn, because a single SMTP transaction can involve several recipients, but the decision has to be made per transaction.

That would only become necessary anyway once someone really wants to tinker with SA. For me it seems to work fine without that, though. Worst case, we'd have to add a second per-user filter at delivery time if the plain default SA ruleset isn't enough.


Here's the slightly censored patch from the etckeeper git, in case anyone is interested:

From: root <root@it-syndikat.org>
Date: Sat, 22 Aug 2020 18:54:39 +0200
Subject: [PATCH] Implement spamassassin SMTP time filtering with user opt-in

This also fixes /etc/mailname which was wrong. It has to be the host we want,
for example, mutt to append when you just enter an unqualified local part. So
just 'wir' should become wir@it-syndikat.org, not
wir@mail.parabox.it-syndikat.org!

Furthermore the syntax in /etc/hosts was wrong and swaks was choking on that.
---
 .etckeeper                                    |  4 +-
 default/spamassassin                          |  2 +-
 exim4/conf.d/acl/40_its_check_data            | 50 +++++++++++++++++++
 exim4/conf.d/acl/40_its_check_rcpt            | 29 +++++++++++
 exim4/conf.d/main/000_its_localmacros         |  4 +-
 group                                         |  1 +
 gshadow                                       |  1 +
 hosts                                         |  2 +-
 mailname                                      |  2 +-
 passwd                                        |  1 +
 rc2.d/{K04spamassassin => S04spamassassin}    |  0
 rc3.d/{K04spamassassin => S04spamassassin}    |  0
 rc4.d/{K04spamassassin => S04spamassassin}    |  0
 rc5.d/{K04spamassassin => S04spamassassin}    |  0
 shadow                                        |  1 +
 .../spamassassin.service                      |  1 +
 16 files changed, 92 insertions(+), 6 deletions(-)
 create mode 100644 exim4/conf.d/acl/40_its_check_data
 create mode 100644 exim4/conf.d/acl/40_its_check_rcpt
 rename rc2.d/{K04spamassassin => S04spamassassin} (100%)
 rename rc3.d/{K04spamassassin => S04spamassassin} (100%)
 rename rc4.d/{K04spamassassin => S04spamassassin} (100%)
 rename rc5.d/{K04spamassassin => S04spamassassin} (100%)
 create mode 120000 systemd/system/multi-user.target.wants/spamassassin.service

diff --git a/.etckeeper b/.etckeeper
index ad88a90..127e18d 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -41,7 +41,7 @@ mkdir -p './udev/hwdb.d'
 mkdir -p './udev/rules.d'
 maybe chmod 0755 '.'
 maybe chmod 0700 '.etckeeper'
-maybe chmod 0600 '.gitignore'
+maybe chmod 0644 '.gitignore'
 maybe chmod 0644 'Muttrc'
 maybe chmod 0755 'Muttrc.d'
 maybe chmod 0644 'Muttrc.d/charset.rc'
@@ -608,6 +608,8 @@ maybe chmod 0644 'exim4/conf.d/acl/20_exim4-config_local_deny_exceptions'
 maybe chmod 0644 'exim4/conf.d/acl/30_exim4-config_check_mail'
 maybe chmod 0644 'exim4/conf.d/acl/30_exim4-config_check_rcpt'
 maybe chmod 0644 'exim4/conf.d/acl/40_exim4-config_check_data'
+maybe chmod 0644 'exim4/conf.d/acl/40_its_check_data'
+maybe chmod 0644 'exim4/conf.d/acl/40_its_check_rcpt'
 maybe chmod 0755 'exim4/conf.d/auth'
 maybe chmod 0644 'exim4/conf.d/auth/00_exim4-config_header'
 maybe chmod 0644 'exim4/conf.d/auth/30_exim4-config_examples'
diff --git a/default/spamassassin b/default/spamassassin
index 9efb197..279434a 100644
--- a/default/spamassassin
+++ b/default/spamassassin
@@ -30,4 +30,4 @@ PIDFILE="/var/run/spamd.pid"
 # Cronjob
 # Set to anything but 0 to enable the cron job to automatically update
 # spamassassin's rules on a nightly basis
-CRON=0
+CRON=1
diff --git a/exim4/conf.d/acl/40_its_check_data b/exim4/conf.d/acl/40_its_check_data
new file mode 100644
index 0000000..a9cbec2
--- /dev/null
+++ b/exim4/conf.d/acl/40_its_check_data
@@ -0,0 +1,50 @@
+### acl/40_its_check_data
+##########################
+
+# DXLD -- This ACL wraps the default acl_check_data and adds spam
+# checking and smtp time reject. We override the MAIN_ACL_CHECK_DATA
+# macro in 000_its-localmacros to have this take effect.
+
+acl_check_data_its:
+
+  # Run the Debian/exim default ACL
+  require
+    acl = acl_check_data
+
+  warn
+    remove_header = X-Spam-score: X-Spam-score-int : X-Spam-bar : X-Spam-report
+
+  warn
+    condition = $acl_m_want_spamcheck
+    #^ Only scan opted-in users' mail. The acl variable is set in
+    # 40_its_check_rcpt.
+    spam = sa-its:true
+    add_header = X-Spam-score: $spam_score
+    add_header = X-Spam-bar: $spam_bar
+    condition = ${if eq{$spam_action}{reject}{true}{false}}
+    set acl_m_is_spam = yes
+
+  # If spamassassin asked us to reject the message do so and attach
+  # the spam report to the SMTP message so the sender has some idea
+  # why this happened.
+  #
+  # We have to make sure to escape the spam report to be 7bit clean
+  # though since SA just returns plain UTF-8 and exim just stuffs this
+  # string right in the SMTP response, which doesn't like 8bit
+  # characters. --DXLD
+  deny
+    message = Classified as spam (score $spam_score):\n${escape8bit:$spam_report}
+    condition = $acl_m_is_spam
+
+  # This adds the spamassassin report as a message header, but only
+  # for score>1 and only on incoming mail.
+  #
+  # Since this DATA ACL is evaluated in the sending and recieving
+  # directions check the sender domain is not local before adding the
+  # header.
+  warn
+    sender_domains = ! +local_domains
+    condition = ${if >{$spam_score_int}{1}{true}{false}}
+    add_header = X-Spam-report: ${escape8bit:$spam_report}
+    
+  accept
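Review bot: the reject decision in the second `warn` and the `deny` below it is keyed on `$acl_m_want_spamcheck`, a per-message variable, so once a single opted-in recipient has been seen at RCPT time the 5xx applies to every recipient of that transaction, including those who never opted in. If opt-in is meant to be strict, reject only when all accepted recipients opted in (for example by also tracking a "someone did not opt in" flag in 40_its_check_rcpt), or defer mixed recipients so they arrive in separate transactions. Separately, the last `warn` compares `$spam_score_int`, which is the score multiplied by ten, so `>{$spam_score_int}{1}` fires above 0.1 rather than the "score>1" the comment states; use `{10}` or correct the comment.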
diff --git a/exim4/conf.d/acl/40_its_check_rcpt b/exim4/conf.d/acl/40_its_check_rcpt
new file mode 100644
index 0000000..c7550a4
--- /dev/null
+++ b/exim4/conf.d/acl/40_its_check_rcpt
@@ -0,0 +1,29 @@
+### acl/40_its_check_rcpt
+##########################
+
+# DXLD -- This ACL wraps the default acl_check_rcpt and adds DNSBL
+# checks as the defult CHECK_RCPT_*_DNSBL macros only add
+# unscruitnizable headers. We override the MAIN_ACL_CHECK_RCPT macro
+# in 000_its-localmacros to have this take effect.
+
+acl_check_rcpt_its:
+  # Run the default ACL
+  require
+    acl = acl_check_rcpt
+
+  deny
+    dnslists = zen.spamhaus.org
+    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+
+  deny
+    !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
+                    {CONFDIR/local_domain_dnsbl_whitelist}\
+                    {}}
+    dnslists = dbl.spamhaus.org/$sender_address_domain
+    log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+
+  warn
+    local_parts = wir
+    set acl_m_want_spamcheck = yes
+
+  accept
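Review bot: both `deny` statements run after `acl_check_rcpt` for every RCPT with no host or authentication condition, so the Spamhaus lookups also hit clients that the default ACL accepts for relaying; since `zen.spamhaus.org` previously only produced a header via `CHECK_RCPT_IP_DNSBLS`, this is a behaviour change for them. Consider adding `!authenticated = *` and `!hosts = +relay_from_hosts` to both statements, plus a `message =` line so the rejected sender sees the reason (only `log_message` is set). The opt-in `warn` also lacks `domains = +local_domains`, so it matches the local part `wir` at any domain.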
diff --git a/exim4/conf.d/main/000_its_localmacros b/exim4/conf.d/main/000_its_localmacros
index 2e5e714..dd371f4 100644
--- a/exim4/conf.d/main/000_its_localmacros
+++ b/exim4/conf.d/main/000_its_localmacros
@@ -1,10 +1,10 @@
 MAIN_TLS_ENABLE = yes
 
-#REMOTE_SMTP_HOSTS_AVOID_TLS = mail.xiretza.xyz
+MAIN_ACL_CHECK_RCPT = acl_check_rcpt_its
+MAIN_ACL_CHECK_DATA = acl_check_data_its
 
 CHECK_RCPT_SPF = yes
 CHECK_RCPT_VERIFY_SENDER = yes
 CHECK_RCPT_REVERSE_DNS = yes
-CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org
 
 delay_warning = 5m:30m:2h:6h:24h
diff --git a/group b/group
index 787f14e..049473b 100644
--- a/group
+++ b/group
@@ -70,3 +70,4 @@ systemd-coredump:x:999:
 kvm:x:117:
 render:x:118:
 debian-spamd:x:119:
+sa-its:x:120:
diff --git a/gshadow b/gshadow
index 91484a6..00ae7b8 100644
--- a/gshadow
+++ b/gshadow
@@ -70,3 +70,4 @@ systemd-coredump:!!::
 kvm:!::
 render:!::
 debian-spamd:!::
+sa-its:!::
diff --git a/hosts b/hosts
index bd05445..5a53572 100644
--- a/hosts
+++ b/hosts
@@ -1,5 +1,5 @@
 127.0.0.1	localhost
-127.0.1.1	mail.parabox.it-syndikat.org, mail.it-syndikat.org, mail
+127.0.1.1	mail.it-syndikat.org mail.parabox.it-syndikat.org mail
 
 # The following lines are desirable for IPv6 capable hosts
 ::1     localhost ip6-localhost ip6-loopback
diff --git a/mailname b/mailname
index d1656dd..5f6f11c 100644
--- a/mailname
+++ b/mailname
@@ -1 +1 @@
-mail.parabox.it-syndikat.org
+it-syndikat.org
diff --git a/passwd b/passwd
index 5d48d27..0bacd74 100644
--- a/passwd
+++ b/passwd
@@ -45,3 +45,4 @@ freifunk:x:1019:1019::/home/freifunk:
 systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
 _rpc:x:111:65534::/run/rpcbind:/usr/sbin/nologin
 debian-spamd:x:112:119::/var/lib/spamassassin:/bin/sh
+sa-its:x:113:120::/home/sa-its:/usr/sbin/nologin
diff --git a/rc2.d/K04spamassassin b/rc2.d/S04spamassassin
similarity index 100%
rename from rc2.d/K04spamassassin
rename to rc2.d/S04spamassassin
diff --git a/rc3.d/K04spamassassin b/rc3.d/S04spamassassin
similarity index 100%
rename from rc3.d/K04spamassassin
rename to rc3.d/S04spamassassin
diff --git a/rc4.d/K04spamassassin b/rc4.d/S04spamassassin
similarity index 100%
rename from rc4.d/K04spamassassin
rename to rc4.d/S04spamassassin
diff --git a/rc5.d/K04spamassassin b/rc5.d/S04spamassassin
similarity index 100%
rename from rc5.d/K04spamassassin
rename to rc5.d/S04spamassassin
diff --git a/shadow b/shadow
index 3cf20d5..df0e647 100644
diff --git a/systemd/system/multi-user.target.wants/spamassassin.service b/systemd/system/multi-user.target.wants/spamassassin.service
new file mode 120000
index 0000000..1d5deb8
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/spamassassin.service
@@ -0,0 +1 @@
+/lib/systemd/system/spamassassin.service
\ No newline at end of file
-- 

The technician (me) has been informed that mail to info@it-syndikat.org doesn't go through the SA filter even though it is aliased to wir@. The filter is opt-in, so this is only done for explicitly listed users. info counts as a separate user here, though. I fixed that quickly, here's the diff:

commit 93bdffaf821507e501e46387dcfe4e6828e8577e (HEAD -> master)
Author: root <root@mail.it-syndikat.org>
Date:   Thu Sep 17 23:59:51 2020 +0200

    exim: Enable SA for info@

diff --git a/exim4/conf.d/acl/40_its_check_rcpt b/exim4/conf.d/acl/40_its_check_rcpt
index c7550a4..e87ca85 100644
--- a/exim4/conf.d/acl/40_its_check_rcpt
+++ b/exim4/conf.d/acl/40_its_check_rcpt
@@ -23,7 +23,7 @@ acl_check_rcpt_its:
     log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
 
   warn
-    local_parts = wir
+    local_parts = wir : info
     set acl_m_want_spamcheck = yes
 
   accept
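Review bot: `local_parts = wir : info` still hard-codes the opt-in list in the ACL and matches the RCPT local part before alias expansion, so every further alias of an opted-in mailbox needs another edit here. Moving the list into a file under CONFDIR that the `local_parts` condition reads would turn opt-ins into a data change instead of an ACL change, and adding `domains = +local_domains` would keep the flag from being set for these local parts at other domains.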

If anyone else with it-syndikat mail wants SA, please get in touch.