chiark - git - mdw - exim-config/blob - spam.m4

   1 ### -*-m4-*-
   2 ###
   3 ### Spam filtering for distorted.org.uk Exim configuration
   4 ###
   5 ### (c) 2012 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 DIVERT(null)
  25 ###--------------------------------------------------------------------------
  26 ### Spam filtering.
  27
  28 ## The Exim documentation tells lies.
  29 ##
  30 ## : *${run{*<_command_>* *<_args_>*}{*<_string1_>*}{*<_string2_>*}}*
  31 ## :     The command and its arguments are first expanded separately, [...]
  32 ##
  33 ## They aren't.  The whole command-and-args are expanded together, and then
  34 ## split at unquoted spaces.  This unpleasant hack sorts out the mess.
  35 m4_define(<:SHQUOTE:>, <:"${rxquote:$1}":>)
  36
  37 ## Utilities for collecting spam limits.
  38 m4_define(<:SPAMLIMIT_CHECK:>,
  39         <:${if match{$1}{\N^-?[0-9]+$\N} {spam_limit=$1} {}}:>)
  40
  41 m4_define(<:SPAMLIMIT_ROUTER:>,
  42 <:$1:
  43         driver = redirect
  44         data = :unknown:
  45         verify_only = true
  46         condition = ${if !eq{$acl_c_mode}{submission}}
  47         condition = ${extract{spam_limit}{$address_data}{false}{true}}:>)
  48
  49 m4_define(<:SPAMLIMIT_SET:>,
  50         <:address_data = \
  51                 ${if def:address_data {$address_data}{}} \
  52                 m4_ifelse(<:$2:>, <::>, <::>, <:$2 \
  53                 :>)$1:>)
  54
  55 m4_define(<:SPAMLIMIT_LOOKUP:>,
  56         <:condition = ${if exists{$1}}
  57         SPAMLIMIT_SET(<:${lookup {$2@$3/$4} nwildlsearch {$1} \
  58                                {SPAMLIMIT_CHECK(<:$value:>)}}:>, <:$5:>):>)
  59
  60 m4_define(<:SPAMLIMIT_USERV:>,
  61         <:SPAMLIMIT_SET(<:${run {/usr/bin/timeout 5s \
  62                                         /usr/bin/userv CONF_userv_opts \
  63                                         SHQUOTE($1) exim-spam-limit \
  64                                         SHQUOTE($4) \
  65                                         SHQUOTE($2) SHQUOTE(@$3)} \
  66                                 {SPAMLIMIT_CHECK(<:$value:>)}}:>, <:$5:>):>)
  67
  68 m4_define(<:GET_ADDRDATA:>,
  69         <:extract{<:$1:>}{${if def:address_data{$address_data}{}}}:>)
  70
  71 SECTION(global, policy)m4_dnl
  72 spamd_address = CONF_spamd_address CONF_spamd_port
  73
  74 SECTION(acl, rcpt-hooks)m4_dnl
  75         ## Do per-recipient spam-filter processing.
  76         require  acl = rcpt_spam
  77
  78 SECTION(acl, misc)m4_dnl
  79 skip_spam_check:
  80
  81         ## If the client is trusted, or this is a new submission, don't
  82         ## bother with any of this.  We will have verified the sender
  83         ## fairly aggressively before granting this level of trust.
  84         accept   hosts = CONF_relay_clients
  85         accept   condition = ${if eq{$acl_c_mode}{submission}}
  86
  87         ## If all domains have disabled spam checking then don't check.
  88         accept  !condition = $acl_c_spam_check_domain
  89
  90         ## Otherwise we should check.
  91         deny
  92
  93 rcpt_spam:
  94
  95         ## If this is a virtual domain, and it says `spam-check=no', then we
  96         ## shouldn't check spam.  But we can't check domains at DATA time, so
  97         ## instead we must track whether all recipients have disabled
  98         ## checking.
  99         warn    !domains = ${if exists{CONF_sysconf_dir/domains.conf} \
 100                          {partial0-lsearch; CONF_sysconf_dir/domains.conf} \
 101                          {}}
 102                  set acl_c_spam_check_domain = true
 103         warn    !condition = $acl_c_spam_check_domain
 104                  condition = DOMKV(spam-check, {${expand:$value}}{true})
 105                  set acl_c_spam_check_domain = true
 106
 107         ## See if we should do this check.
 108         accept   acl = skip_spam_check
 109
 110         ## Always accept mail to `postmaster'.  Currently this is not
 111         ## negotiable; maybe a tweak can be added to `domains.conf' if
 112         ## necessary.
 113         accept   local_parts = postmaster
 114
 115         ## Collect the user's spam threshold from the `address_data'
 116         ## variable, where it was left by the `fetch_spam_limit' router
 117         ## during recipient verification.  (This just saves duplicating this
 118         ## enormous expression.)
 119         warn     set acl_m_this_spam_limit = \
 120                         ${sg {${GET_ADDRDATA(spam_limit){$value}{nil}}} \
 121                              {^(|.*\\D.*)\$}{CONF_spam_max}}
 122
 123         warn     condition = ${GET_ADDRDATA(user){true}{false}}
 124                  set acl_m_spam_users = \
 125                         ${if def:acl_m_spam_users {$acl_m_spam_users::}{}}\
 126                         ${GET_ADDRDATA(user) \
 127                                 {$value=${sg{$local_part@$domain}\
 128                                             {([!:])}{!\$1}}} \
 129                                 fail}
 130
 131         ## If there's a spam limit already established, and it's different
 132         ## from this user's limit, then the sender will have to try this user
 133         ## again later.
 134         defer   !hosts = +trusted
 135                  message = "You'd better try this one later"
 136                  condition = ${if def:acl_m_spam_limit {true}{false}}
 137                  condition = ${if ={$acl_m_spam_limit} \
 138                                    {$acl_m_this_spam_limit} \
 139                                   {false}{true}}
 140
 141         ## There's no limit set yet, or the user's limit is the same as the
 142         ## existing one, or the client's local and we're not checking for
 143         ## spam anyway.  Whichever way, it's safe to set it now.
 144         warn     set acl_m_spam_limit = $acl_m_this_spam_limit
 145
 146         ## All done.
 147         accept
 148
 149 SECTION(acl, data-hooks)m4_dnl
 150         ## Do spam checking.
 151         require  acl = data_spam
 152
 153 SECTION(acl, misc)m4_dnl
 154 data_spam:
 155
 156         ## See if we should do this check.
 157         accept   acl = skip_spam_check
 158
 159         ## Check header validity.
 160         require  verify = header_syntax
 161
 162         ## Check the message for spam, comparing to the configured limit.
 163         warn     spam = exim:true
 164
 165         ## That won't actually do anything if the SpamAssassin server failed
 166         ## for some reason.  Check that the reported score is not completely
 167         ## empty.
 168         defer    message = "Spam checking server offline: try again soon"
 169                  condition = ${if eq{$spam_score}{}}
 170
 171         ## Format some reporting stuff.
 172         warn
 173
 174                  ## Convert the limit (currently 10x fixed point) into a
 175                  ## decimal for presentation.
 176                  set acl_m_spam_limit_presentation = \
 177                         ${sg{$acl_m_spam_limit}{\N(\d)$\N}{.\$1}}
 178
 179                  ## Convert the report into something less obnoxious.  Plain
 180                  ## old SpamAssassin has an `X-Spam-Status' header which
 181                  ## lists the matched rules and provides some other basic
 182                  ## information.  Try to extract something similar from the
 183                  ## report.
 184                  ##
 185                  ## This is rather fiddly.
 186
 187                  ## Firstly, escape angle brackets, because we'll be using
 188                  ## them for our own purposes.
 189                  set acl_m_spam_tests = ${sg{$spam_report}{([!<>])}{!\$1}}
 190
 191                  ## Trim off the blurb paragraph and the preview.  The rest
 192                  ## should be fairly well behaved.  Wrap double angle-
 193                  ## brackets around the remainder; these can't appear in the
 194                  ## body because we escaped them all earlier.
 195                  set acl_m_spam_tests = \
 196                         ${sg{$acl_m_spam_tests} \
 197                             {\N^(?s).*\n Content analysis details:(.*)$\N} \
 198                             {<<\$1>>}}
 199
 200                  ## Extract the information about the matching rules and
 201                  ## their scores.  Leave `<<...>>' around everything else.
 202                  set acl_m_spam_tests = \
 203                         ${sg{$acl_m_spam_tests} \
 204                             {\N(?s)\n\s*(-?[\d.]+)\s+([-\w]+)\s\N} \
 205                             {>>\$2:\$1,<<}}
 206
 207                  ## Strip everything still in `<<...>>' pairs, including any
 208                  ## escaped characters inside.
 209                  set acl_m_spam_tests = \
 210                         ${sg{$acl_m_spam_tests}{\N(?s)<<([^!>]+|!.)*>>\N}{}}
 211
 212                  ## Trim off a trailing comma.
 213                  set acl_m_spam_tests = ${sg{$acl_m_spam_tests}{,\s*\$}{}}
 214
 215                  ## Undo the escaping.
 216                  set acl_m_spam_tests = ${sg{$acl_m_spam_tests}{!(.)}{\$1}}
 217
 218         ## If we've decided to reject, then leave a dropping in the log file
 219         ## so that users can analyse rejections for incoming messages, and
 220         ## tell the sender to get knotted.
 221         deny     message = Tinned meat product detected ($spam_score)
 222                  log_message = Spam rejection \
 223                         score=$spam_score \
 224                         limit=$acl_m_spam_limit_presentation \
 225                         tests=$acl_m_spam_tests \
 226                         users=$acl_m_spam_users
 227                  condition = ${if >{$spam_score_int}{$acl_m_spam_limit} \
 228                                   {true}{false}}
 229
 230         ## Insert headers from the spam check now that we've decided to
 231         ## accept the message.
 232         warn
 233                  ADD_HEADER(<:X-CONF_header_token-SpamAssassin-Score: \
 234                         $spam_score/$acl_m_spam_limit_presentation \
 235                         ($spam_bar):>)
 236                  ADD_HEADER(<:X-CONF_header_token-SpamAssassin-Status: \
 237                         score=$spam_score, \
 238                         limit=$acl_m_spam_limit_presentation, \n\t\
 239                         tests=$acl_m_spam_tests:>)
 240
 241         ## We're good.
 242         accept
 243
 244 DIVERT(null)
 245 ###----- That's all, folks --------------------------------------------------