[exim-config] / spam.m4

### -*-m4-*-
###
### Spam filtering for distorted.org.uk Exim configuration
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

DIVERT(null)
###--------------------------------------------------------------------------
### Spam filtering.

SECTION(global, policy)m4_dnl
spamd_address = CONF_spamd_address CONF_spamd_port

SECTION(routers, allspam)m4_dnl
## If we're verifying an address and the recipient has a `~/.mail/spam-limit'
## file, then look up the recipient and sender addresses to find a plausible
## limit and insert it into the `address_data' where the RCPT ACL can find
## it.  This router always declines, so it doesn't affect the overall outcome
## of the verification.
fetch_spam_limit:
	driver = redirect
	data = :unknown:
	verify_only = true
	local_part_suffix = CONF_user_suffix_list
	local_part_suffix_optional = true
	check_local_user
	address_data = \
		${if def:address_data {$address_data}{}} \
		${if exists {CONF_userconf_dir/spam-limit} \
		     {${lookup {$local_part_prefix\
					$local_part\
					$local_part_suffix\
					@$domain/\
					$sender_address} \
			       nwildlsearch {CONF_userconf_dir/spam-limit} \
			       {spam_limit=$value} \
			       {}}} \
		     {}} \
		${if exists {CONF_userconf_dir/spam-limit.userv} \
		     {${run {timeout 5s -- \
				userv $local_part exim-spam-limit \
					$sender_address \
					$local_part_prefix \
					$local_part \
					$local_part_suffix \
					@$domain} \
			    {${if match{$value}{\N^[0-9]+$\N} \
				  {spam_limit=$value} \
				  {}}} \
			    {}}} \
		     {}}

SECTION(acl, rcpt-hooks)m4_dnl
	## Do per-recipient spam-filter processing.
	require	 acl = rcpt_spam

SECTION(acl, misc)m4_dnl
rcpt_spam:

	## If the client is trusted, don't bother with any of this.
	accept	 hosts = +trusted

	## Always accept mail to `postmaster'.  Currently this is not
	## negotiable; maybe a tweak can be added to `domains.conf' if
	## necessary.
	accept	 local_parts = postmaster

	## Collect the user's spam threshold from the `address_data'
	## variable, where it was left by the `fetch_spam_limit' router
	## during recipient verification.  (This just saves duplicating this
	## enormous expression.)
	warn	 set acl_m_this_spam_limit = \
			${sg {${extract {spam_limit} \
					{${if def:address_data \
					      {$address_data}{}}} \
					{$value}{nil}}} \
			     {^(|.*\\D.*)\$}{CONF_spam_max}}

	## If there's a spam limit already established, and it's different
	## from this user's limit, then the sender will have to try this user
	## again later.
	defer	!hosts = +trusted
		 message = "You'd better try this one later"
		 condition = ${if def:acl_m_spam_limit {true}{false}}
		 condition = ${if ={$acl_m_spam_limit} \
				   {$acl_m_this_spam_limit} \
				  {false}{true}}

	## There's no limit set yet, or the user's limit is the same as the
	## existing one, or the client's local and we're not checking for
	## spam anyway.  Whichever way, it's safe to set it now.
	warn	 set acl_m_spam_limit = $acl_m_this_spam_limit

	## All done.
	accept

SECTION(acl, data-spam)m4_dnl
	## Do spam checking.
	require	 acl = data_spam

SECTION(acl, misc)m4_dnl
data_spam:

	## If the client is trusted, don't bother with any of this.
	accept	 hosts = +trusted

	## Check header validity.
	require	 verify = header_syntax

	## Check the message for spam, comparing to the configured limit.
	deny	 spam = exim:true
		 message = Tinned meat product detected ($spam_score)
		 condition = ${if >{$spam_score_int}{$acl_m_spam_limit} \
				  {true}{false}}

	## Insert headers from the spam check now that we've decided to
	## accept the message.
	warn

		 ## Convert the limit (currently 10x fixed point) into a
		 ## decimal for presentation.
		 set acl_m_spam_limit_presentation = \
			${sg{$acl_m_spam_limit}{\N(\d)$\N}{.\$1}}

		 ## Convert the report into something less obnoxious.  Plain
		 ## old SpamAssassin has an `X-Spam-Status' header which
		 ## lists the matched rules and provides some other basic
		 ## information.  Try to extract something similar from the
		 ## report.
		 ##
		 ## This is rather fiddly.

		 ## Firstly, escape angle brackets, because we'll be using
		 ## them for our own purposes.
		 set acl_m_spam_tests = ${sg{$spam_report}{([!<>])}{!\$1}}

		 ## Trim off the blurb paragraph and the preview.  The rest
		 ## should be fairly well behaved.  Wrap double angle-
		 ## brackets around the remainder; these can't appear in the
		 ## body because we escaped them all earlier.
		 set acl_m_spam_tests = \
			${sg{$acl_m_spam_tests} \
			    {\N^(?s).*\n Content analysis details:(.*)$\N} \
			    {<<\$1>>}}

		 ## Extract the information about the matching rules and
		 ## their scores.  Leave `<<...>>' around everything else.
		 set acl_m_spam_tests = \
			${sg{$acl_m_spam_tests} \
			    {\N(?s)\n\s*(-?[\d.]+)\s+([-\w]+)\s\N} \
			    {>>\$2:\$1,<<}}

		 ## Strip everything still in `<<...>>' pairs, including any
		 ## escaped characters inside.
		 set acl_m_spam_tests = \
			${sg{$acl_m_spam_tests}{\N(?s)<<([^!>]+|!.)*>>\N}{}}

		 ## Trim off a trailing comma.
		 set acl_m_spam_tests = ${sg{$acl_m_spam_tests}{,\s*\$}{}}

		 ## Undo the escaping.
		 set acl_m_spam_tests = ${sg{$acl_m_spam_tests}{!(.)}{\$1}}

		 ## Insert the headers.
		 add_header = X-SpamAssassin-Score: \
			$spam_score/$acl_m_spam_limit_presentation \
			($spam_bar)
		 add_header = X-SpamAssassin-Status: \
			score=$spam_score, \
			limit=$acl_m_spam_limit_presentation, \n\t\
			tests=$acl_m_spam_tests

	## We're good.
	accept

DIVERT(null)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
185b5456 MW	1	### --m4--
	2	###
	3	### Spam filtering for distorted.org.uk Exim configuration
	4	###
	5	### (c) 2012 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	DIVERT(null)
	25	###--------------------------------------------------------------------------
	26	### Spam filtering.
	27
	28	SECTION(global, policy)m4_dnl
	29	spamd_address = CONF_spamd_address CONF_spamd_port
	30
	31	SECTION(routers, allspam)m4_dnl
	32	## If we're verifying an address and the recipient has a `~/.mail/spam-limit'
	33	## file, then look up the recipient and sender addresses to find a plausible
	34	## limit and insert it into the `address_data' where the RCPT ACL can find
	35	## it. This router always declines, so it doesn't affect the overall outcome
	36	## of the verification.
	37	fetch_spam_limit:
	38	driver = redirect
	39	data = :unknown:
	40	verify_only = true
	41	local_part_suffix = CONF_user_suffix_list
	42	local_part_suffix_optional = true
	43	check_local_user
	44	address_data = \
	45	${if def:address_data {$address_data}{}} \
	46	${if exists {CONF_userconf_dir/spam-limit} \
	47	{${lookup {$local_part_prefix\
	48	$local_part\
	49	$local_part_suffix\
	50	@$domain/\
	51	$sender_address} \
	52	nwildlsearch {CONF_userconf_dir/spam-limit} \
	53	{spam_limit=$value} \
	54	{}}} \
	55	{}} \
	56	${if exists {CONF_userconf_dir/spam-limit.userv} \
	57	{${run {timeout 5s -- \
	58	userv $local_part exim-spam-limit \
	59	$sender_address \
	60	$local_part_prefix \
	61	$local_part \
	62	$local_part_suffix \
	63	@$domain} \
	64	{${if match{$value}{\N^[0-9]+$\N} \
65	{spam_limit=$value} \
66	{}}} \
67	{}}} \
68	{}}
69
70	SECTION(acl, rcpt-hooks)m4_dnl
71	## Do per-recipient spam-filter processing.
72	require acl = rcpt_spam
73
74	SECTION(acl, misc)m4_dnl
75	rcpt_spam:
76
77	## If the client is trusted, don't bother with any of this.
78	accept hosts = +trusted
79
aa935c91 MW	80	## Always accept mail to `postmaster'. Currently this is not
	81	## negotiable; maybe a tweak can be added to `domains.conf' if
	82	## necessary.
	83	accept local_parts = postmaster
	84
185b5456 MW	85	## Collect the user's spam threshold from the `address_data'
	86	## variable, where it was left by the `fetch_spam_limit' router
	87	## during recipient verification. (This just saves duplicating this
	88	## enormous expression.)
	89	warn set acl_m_this_spam_limit = \
	90	${sg {${extract {spam_limit} \
	91	{${if def:address_data \
	92	{$address_data}{}}} \
	93	{$value}{nil}}} \
	94	{^(\|.\\D.)\$}{CONF_spam_max}}
	95
	96	## If there's a spam limit already established, and it's different
	97	## from this user's limit, then the sender will have to try this user
	98	## again later.
	99	defer !hosts = +trusted
	100	message = "You'd better try this one later"
	101	condition = ${if def:acl_m_spam_limit {true}{false}}
	102	condition = ${if ={$acl_m_spam_limit} \
	103	{$acl_m_this_spam_limit} \
	104	{false}{true}}
	105
	106	## There's no limit set yet, or the user's limit is the same as the
	107	## existing one, or the client's local and we're not checking for
	108	## spam anyway. Whichever way, it's safe to set it now.
	109	warn set acl_m_spam_limit = $acl_m_this_spam_limit
	110
	111	## All done.
	112	accept
	113
	114	SECTION(acl, data-spam)m4_dnl
	115	## Do spam checking.
	116	require acl = data_spam
	117
	118	SECTION(acl, misc)m4_dnl
	119	data_spam:
	120
	121	## If the client is trusted, don't bother with any of this.
	122	accept hosts = +trusted
	123
09ca3919 MW	124	## Check header validity.
	125	require verify = header_syntax
	126
185b5456 MW	127	## Check the message for spam, comparing to the configured limit.
	128	deny spam = exim:true
	129	message = Tinned meat product detected ($spam_score)
	130	condition = ${if >{$spam_score_int}{$acl_m_spam_limit} \
	131	{true}{false}}
	132
	133	## Insert headers from the spam check now that we've decided to
	134	## accept the message.
	135	warn
a882a548	136
185b5456 MW	137	## Convert the limit (currently 10x fixed point) into a
	138	## decimal for presentation.
	139	set acl_m_spam_limit_presentation = \
	140	${sg{$acl_m_spam_limit}{\N(\d)$\N}{.\$1}}
	141
	142	## Convert the report into something less obnoxious. Plain
	143	## old SpamAssassin has an `X-Spam-Status' header which
	144	## lists the matched rules and provides some other basic
	145	## information. Try to extract something similar from the
	146	## report.
	147	##
	148	## This is rather fiddly.
	149
	150	## Firstly, escape angle brackets, because we'll be using
	151	## them for our own purposes.
	152	set acl_m_spam_tests = ${sg{$spam_report}{([!<>])}{!\$1}}
	153
	154	## Trim off the blurb paragraph and the preview. The rest
	155	## should be fairly well behaved. Wrap double angle-
	156	## brackets around the remainder; these can't appear in the
	157	## body because we escaped them all earlier.
	158	set acl_m_spam_tests = \
	159	${sg{$acl_m_spam_tests} \
	160	{\N^(?s).\n Content analysis details:(.)$\N} \
	161	{<<\$1>>}}
	162
	163	## Extract the information about the matching rules and
	164	## their scores. Leave `<<...>>' around everything else.
	165	set acl_m_spam_tests = \
	166	${sg{$acl_m_spam_tests} \
4ff4d304	167	{\N(?s)\n\s*(-?[\d.]+)\s+([-\w]+)\s\N} \
185b5456 MW	168	{>>\$2:\$1,<<}}
	169
	170	## Strip everything still in `<<...>>' pairs, including any
	171	## escaped characters inside.
	172	set acl_m_spam_tests = \
	173	${sg{$acl_m_spam_tests}{\N(?s)<<([^!>]+\|!.)*>>\N}{}}
	174
	175	## Trim off a trailing comma.
	176	set acl_m_spam_tests = ${sg{$acl_m_spam_tests}{,\s*\$}{}}
	177
	178	## Undo the escaping.
	179	set acl_m_spam_tests = ${sg{$acl_m_spam_tests}{!(.)}{\$1}}
	180
	181	## Insert the headers.
	182	add_header = X-SpamAssassin-Score: \
	183	$spam_score/$acl_m_spam_limit_presentation \
	184	($spam_bar)
	185	add_header = X-SpamAssassin-Status: \
	186	score=$spam_score, \
	187	limit=$acl_m_spam_limit_presentation, \n\t\
	188	tests=$acl_m_spam_tests
	189
185b5456 MW	190	## We're good.
	191	accept
	192
	193	DIVERT(null)
	194	###----- That's all, folks --------------------------------------------------