Adding sa-exim to Exim

Until now I have been using SpamAssassin using the spam content scanning built into Exim. This gives me detailed control over what happens to messages. However, I decided I wanted to review the messages that are rejected.  Looking at my options sa-exim appeared to be a simple solution. I found it was as simple as I hoped. This article covers how I implemented it on Ubuntu and should be directly applicable to other Debian-based distributions.

Read more

The eximstats utility includes code to analyze the messages generated by sa-exim. This provides statistics on ham and spam.

As sa-exim is somewhat obsoleted by the ability to call Spamassassin (and Rspamd) directly, I have replicated the functionality as an inclusion to the Data ACL. It is covered in another post.

Installation

As I already had SpamAssassin installed, adding sa-exim was simple. I merely need to run the command sudo apt-get install sa-exim. This installed the package and added it into the split configuration of Exim. If are modifying your configuration, it is much simpler to use the split configuration. Besides the installed changes you are likely going to want to add the ACLs specified here. These are outlined as additions to the split configuration but could be added to the unsplit configuration. (Comments on adapting these changes to the unsplit configuration are specified a the end.) This configuration should work with the default exim-daemon-light package.

Defining Options and Macros

The file /etc/exim4/exim4.conf.localmacros contains options and macros for the unsplit configuration file. When using the split configuration these are loaded from the /etc/exim4/conf.d/main directory. By creating a 00_localmacros symlink pointing to /etc/exim4/exim4.conf.localmacros the same configuration can be used for both the split and unsplit configurations.

# Define macrs to use local check-rcpt and check-data rules
CHECK_RCPT_LOCAL_ACL_FILE = CONFDIR/acls/30_local-config_check-rcpt
CHECK_DATA_LOCAL_ACL_FILE = CONFDIR/acls/40_local-config_check-data

# Specify recipients not be to be rejected - default postmaster
CHECK_RCPT_POSTMASTER = postmaster : spamtrap

# Specify spamd location and allow retry
spamd_address = 127.0.0.1 783 retry=10s

Enabling sa-exim

As shipped sa-exim is disabled. The sa-exim.conf file has a default setting indicating that no messages are to be scanned. This file needs to be edited to evaluate conditions enabling scanning and rejection of messages.

I found three methods that could be used.

  • Creating an if statement to evaluate the remote address to determine if the message should be scanned;
  • Setting the variable acl_m0 to “do_not_scan”, “canreject”, or a third value to cover all conditions; or
  • Adding headers indicating whether scanning or rejection is desired. (This has and advantage of making the settings visible in the headers of the delivered message.)

I chose to use the extended variable format and set variables if scanning is desired or message rejection is permitted. The configuration treats the variables as false if they are not set. The variables I chose are acl_m_scan and acl_m_canreject. As the variables may not be set, the conditions below may need to be modified if your configuration requires a referenced variable to exist. On older Exim versions variables like acl_m0 and acl_m1 could be used.

The simplest way to configure sa-exim is to append the desired configuration items to the end of the installed sa-exim.conf file. This makes local settings easy to locate. Commented settings below are set to the default values.

# Scanning and rejection conditions noted above
# bool_lax works better than bool
SAEximRunCond: ${if bool_lax{$acl_m_scan}}
SAEximRejCond: ${if bool_lax{$acl_m_can_reject}}

# Generic conditions
SAEximDebug: 0
SAspamcUser: mail
#SAmaxbody: 256000
SAmaxrcptlistlength: 8000

# Thresholds - SAdevnull is commented in the default settings
#SAdevnull: 25.0
#SApermreject: 12.0

# Conditions controlling saving a copy of the message
# Disable these if you are not going to examine the results
#SAtimeoutSavCond: 1
#SAerrorSavCond: 1
#SAdevnullSavCond: 1
#SApermrejectSavCond: 1

Extending ACLs

The default Ubuntu/Debian configuration allows for local additions to the Recipient and Data ACLs by file inclusion. These files survive updates to the default configuration.

If your configuration does not have the inclusion capability, the inclusions below should be added just before the final accept clauses in the relevant ACL. Alternatively, you can add code to include the additions in the same location. The code used to include the recipient addition is:

  .ifdef CHECK_RCPT_LOCAL_ACL_FILE
  .include CHECK_RCPT_LOCAL_ACL_FILE
  .endif

I use the directory /etc/exim4/acls to contain the inclusion files. Using file inclusion adds a slight overhead when new Exim processes are started. This is trivial compared to the total overhead of processing a message.

Extending the Recipient ACL

This ACL enables rejection of the message with high spam scores. Mail sent only to the postmaster or similar accounts will be flagged and delivered. If the postmaster is one of several recipients (which should not be the case), the message may be rejected. The macro CHECK_RCPT_LOCAL_ACL_FILE points to this file.

### /etc/exim4/acls/30_local-config_check_rcpt
#####################################

#### NOTE: If we get here the sender is remote and unauthenticated

  # Not postmaster or local sender so enable spam rejection
  warn
    set acl_m_reject = yes

Extending the Data ACL

The Data ACL process all SMTP messages after the Data has been received. This is the last ACL called before the sa-exim code is executed. If desired, the Data ACL can be configured as the non-SMTP ACL.

The Data ACL inclusion marks messages for sa-exim to scan. This setting must be done the scanning will not be done.

### acls/40_local-config_check_data
#####################################

  # Scan message if unauthenticted and remote
  warn
    !authenticated = *
    !hosts = : +relay_from_hosts
    set acl_m_scan = yes

The Data ACL processes messages after the data has been received. It does not process non-SMTP messages in the default configuration.

Leave a comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Cookie Consent with Real Cookie Banner