###--------------------------------------------------------------------------
### Spam filtering.
-SECTION(global, policy)m4_dnl
-spamd_address = CONF_spamd_address CONF_spamd_port
-
-SECTION(routers, allspam)m4_dnl
-## If we're verifying an address and the recipient has a `~/.mail/spam-limit'
-## file, then look up the recipient and sender addresses to find a plausible
-## limit and insert it into the `address_data' where the RCPT ACL can find
-## it. This router always declines, so it doesn't affect the overall outcome
-## of the verification.
-fetch_spam_limit:
+## The Exim documentation tells lies.
+##
+## : *${run{*<_command_>* *<_args_>*}{*<_string1_>*}{*<_string2_>*}}*
+## : The command and its arguments are first expanded separately, [...]
+##
+## They aren't. The whole command-and-args are expanded together, and then
+## split at unquoted spaces. This unpleasant hack sorts out the mess.
+m4_define(<:SHQUOTE:>, <:"${rxquote:$1}":>)
+
+## Utilities for collecting spam limits.
+m4_define(<:SPAMLIMIT_CHECK:>,
+ <:${if match{$1}{\N^-?[0-9]+$\N} {spam_limit=$1} {}}:>)
+
+m4_define(<:SPAMLIMIT_ROUTER:>,
+<:$1:
driver = redirect
data = :unknown:
verify_only = true
- local_part_suffix = CONF_user_suffix_list
- local_part_suffix_optional = true
- check_local_user
- address_data = \
+ condition = ${if !eq{$acl_c_mode}{submission}}
+ condition = ${extract{spam_limit}{$address_data}{false}{true}}:>)
+
+m4_define(<:SPAMLIMIT_SET:>,
+ <:address_data = \
${if def:address_data {$address_data}{}} \
- ${if exists {CONF_userconf_dir/spam-limit} \
- {${lookup {$local_part_prefix\
- $local_part\
- $local_part_suffix\
- @$domain/\
- $sender_address} \
- nwildlsearch {CONF_userconf_dir/spam-limit} \
- {spam_limit=$value} \
- {}}} \
- {}} \
- ${if exists {CONF_userconf_dir/spam-limit.userv} \
- {${run {timeout 5s -- \
- userv $local_part exim-spam-limit \
- $sender_address \
- $local_part_prefix \
- $local_part \
- $local_part_suffix \
- @$domain} \
- {${if match{$value}{\N^[0-9]+$\N} \
- {spam_limit=$value} \
- {}}} \
- {}}} \
- {}}
+ $1:>)
+
+m4_define(<:SPAMLIMIT_LOOKUP:>,
+ <:condition = ${if exists{$1}}
+ SPAMLIMIT_SET(<:${lookup {$2$3$4@$5/$6} nwildlsearch {$1} \
+ {SPAMLIMIT_CHECK($value)}}:>):>)
+
+m4_define(<:SPAMLIMIT_USERV:>,
+ <:SPAMLIMIT_SET(<:${run {/usr/bin/timeout 5s \
+ userv CONF_userv_opts \
+ SHQUOTE($1) exim-spam-limit \
+ SHQUOTE($6) SHQUOTE($2) SHQUOTE($3) \
+ SHQUOTE($4) SHQUOTE(@$5)} \
+ {SPAMLIMIT_CHECK($value)}}:>):>)
+
+SECTION(global, policy)m4_dnl
+spamd_address = CONF_spamd_address CONF_spamd_port
SECTION(acl, rcpt-hooks)m4_dnl
## Do per-recipient spam-filter processing.
require acl = rcpt_spam
SECTION(acl, misc)m4_dnl
-rcpt_spam:
+skip_spam_check:
- ## If the client is trusted, don't bother with any of this.
+ ## If the client is trusted, or this is a new submission, don't
+ ## bother with any of this. We will have verified the sender
+ ## fairly aggressively before granting this level of trust.
accept hosts = +trusted
+ accept condition = ${if eq{$acl_c_mode}{submission}}
+
+ ## If all domains have disabled spam checking then don't check.
+ accept !condition = $acl_c_spam_check_domain
+
+ ## Otherwise we should check.
+ deny
+
+rcpt_spam:
+
+ ## If this is a virtual domain, and it says `spam-check=no', then we
+ ## shouldn't check spam. But we can't check domains at DATA time, so
+ ## instead we must track whether all recipients have disabled
+ ## checking.
+ warn !domains = ${if exists{CONF_sysconf_dir/domains.conf} \
+ {partial0-lsearch; CONF_sysconf_dir/domains.conf} \
+ {}}
+ set acl_c_spam_check_domain = true
+ warn !condition = $acl_c_spam_check_domain
+ condition = DOMKV(spam-check, {${expand:$value}}{true})
+ set acl_c_spam_check_domain = true
+
+ ## See if we should do this check.
+ accept acl = skip_spam_check
+
+ ## Always accept mail to `postmaster'. Currently this is not
+ ## negotiable; maybe a tweak can be added to `domains.conf' if
+ ## necessary.
+ accept local_parts = postmaster
## Collect the user's spam threshold from the `address_data'
## variable, where it was left by the `fetch_spam_limit' router
SECTION(acl, misc)m4_dnl
data_spam:
- ## If the client is trusted, don't bother with any of this.
- accept hosts = +trusted
+ ## See if we should do this check.
+ accept acl = skip_spam_check
## Check header validity.
require verify = header_syntax
## Insert headers from the spam check now that we've decided to
## accept the message.
warn
+
## Convert the limit (currently 10x fixed point) into a
## decimal for presentation.
set acl_m_spam_limit_presentation = \
## their scores. Leave `<<...>>' around everything else.
set acl_m_spam_tests = \
${sg{$acl_m_spam_tests} \
- {\N(?s)\n\s*([\d.]+)\s+([-\w]+)\s\N} \
+ {\N(?s)\n\s*(-?[\d.]+)\s+([-\w]+)\s\N} \
{>>\$2:\$1,<<}}
## Strip everything still in `<<...>>' pairs, including any
set acl_m_spam_tests = ${sg{$acl_m_spam_tests}{!(.)}{\$1}}
## Insert the headers.
- add_header = X-SpamAssassin-Score: \
+ ADD_HEADER(<:X-CONF_header_token-SpamAssassin-Score: \
$spam_score/$acl_m_spam_limit_presentation \
- ($spam_bar)
- add_header = X-SpamAssassin-Status: \
+ ($spam_bar):>)
+ ADD_HEADER(<:X-CONF_header_token-SpamAssassin-Status: \
score=$spam_score, \
limit=$acl_m_spam_limit_presentation, \n\t\
- tests=$acl_m_spam_tests
-
+ tests=$acl_m_spam_tests:>)
## We're good.
accept