debian/0000755000000000000000000000000011772374014007174 5ustar debian/README.Debian0000644000000000000000000001234011346617610011234 0ustar -------------------------------------------------------------- Integrating spamass-milter into your sendmail installation -------------------------------------------------------------- You will need to edit /etc/mail/sendmail.mc and add an INPUT_MAIL_FILTER line that connects to the spamass-milter socket. By default the spamass-milter socket is /var/run/spamass/spamass.sock; so your INPUT_MAIL_FILTER should look something like: # spamassassin settings INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass/spamass.sock, F=, T=S:4m;R:4m;E:10m')dnl define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl define(`confMILTER_MACROS_ENVRCPT',`b, i, j, r, v, Z, _')dnl Briefly, the F=, tells sendmail to just pass the connection through if the milter fails. This is most likely the setting you want. If you want to temporarily fail a connection, you can set F=T. You almost definitely don't want to reject connections, but if necessary, you can do that by setting F=R. You may also need to adjust these timeout settings, as spamd can be sluggish on a slow machine. S is the timeout for sending information from the MTA to a filter. R is the timeout for reading a reply from the filter. E is the overall timeout between sending end-of-message to filter and waiting for the final acknowledgment. The settings above seem to work well on a Celeron 466 that receives around 1000 emails an hour. You may wish to adjust them according to your needs. See http://www.sendmail.com/partner/resources/development/milter_api/installation.html and http://www.sendmail.org/m4/adding_mailfilters.html#INPUT_MAIL_FILTER for more information on milters. If you are using the alias expansion method, -x, you will need to add spamass-milter to the smmsp group using: adduser spamass-milter smmsp; This does not need to be done unless you are using alias expansion. -------------------------------------------------------------- Integrating spamass-milter into your postfix installation -------------------------------------------------------------- You need to edit /etc/postfix/main.cf and configure smptpd_milters so that postfix connects to the spamass-milter socket. Something like: # spamass-milter configuration smtpd_milters = unix:/var/spool/postfix/spamass/spamass.sock should work. Note, however, if you're using a chrooted version of postfix, you'll need the local path to the socket inside of the chroot. In recent versions of Debian the following should work: # spamass-milter configuration smtpd_milters = unix:/spamass/spamass.sock # milter macros useful for spamass-milter milter_connect_macros = j {daemon_name} v {if_name} _ See http://www.postfix.org/MILTER_README.html or /usr/share/doc/postfix/MILTER_README.gz (in postfix-doc) for information on how to set tempfail and the various timeouts that the sendmail configuration above uses. The defaults for spamass-milter adjust themselves so that no configuration in /etc/default/spamass-milter should be required. [However, if you are not doing so, see below.] ------------------------------------------------------------- Adjusting how spamass-milter is started ------------------------------------------------------------- You can adjust how spamass-milter starts, and the options it calls spamc with by adjusting /etc/default/spamass-milter. OPTIONS is passed directly to spamass-milter by /etc/init.d/spamass-milter. [Refer to spamass-milter(1) for details.] Other settings which may be of use: SOCKET sets the location of the socket; defaults to /var/run/spamass/spamass.sock unless you are running postfix, where it is set to /var/spool/postfix/spamass/spamass.sock. SOCKETOWNER is the owner of the socket, which defaults to root:root or postfix:postfix if you're running postfix. SOCKETMODE is the mode of the socket, which defaults to 0600 or 0660 if you're running postfix. RUNAS controls the user which spamass-milter runs as; defaults to spamass-milter. If you want to use an inet socket for spamass-milter (like inet:9999 or inet:9999@127.0.0.1), then you'll need to make the following configuration changes in /etc/default/spamass-milter: SOCKET="inet:9999@127.0.0.1" SOCKETMODE="" SOCKETOWNER="" ------------------------------------------------------------- Debugging spamass-milter ------------------------------------------------------------- As spamass-milter is still undergoing development, you may see bugs from time to time. If spamass-milter is segfaulting (SEGV or SIG 11) please build a debugging version of the spamass-milter package and install it: mkdir temp; cd temp; apt-get source spamass-milter; apt-get build-dep spamass-milter; cd spamass-milter-*; DEB_BUILD_OPTIONS='nostrip' CXXFLAGS='-O0 -g' fakeroot debian/rules clean binary; dpkg -i spamass-milter*.deb; Then turn on coredumps (ulimit -c unlimited), and start spamass-milter as usual (/etc/init.d/spamass-milter start). When spamass-milter cores, run gdb on the core, ala: gdb /usr/sbin/spamass-milter /foo/corefile.pid thread apply all where bt q and send the results along with your bug report using reportbug. -- Don Armstrong , Wed, 11 Mar 2009 03:51:55 -0700 debian/watch0000644000000000000000000000014110662734102010214 0ustar version=2 http://download.savannah.gnu.org/releases/spamass-milt/spamass-milter-([\d\.]+).tar.gz debian/reportbug0000644000000000000000000000174610662734102011133 0ustar #!/bin/sh -e # Stolen from apt's reportbug scripts # reportbug #169495 if [ -z "$YESNO" ]; then YESNO=$"yYnN" fi cat <&3 cat /etc/default/spamass-milter >&3 || true echo -e "\n-- /etc/init.d/spamass-milter --\n" cat /etc/init.d/spamass-milter >&3 || true echo -e "\n-- /etc/mail/sendmail.mc --\n" cat /etc/mail/sendmail.mc >&3 || true fi debian/control0000644000000000000000000000203011770673624010601 0ustar Source: spamass-milter Section: mail Priority: extra Standards-Version: 3.9.2 Build-Depends: libmilter-dev, debhelper (>= 9), groff-base, autotools-dev Maintainer: Don Armstrong Vcs-Svn: svn://svn.donarmstrong.com/deb_pkgs/spamass-milter/trunk Vcs-Browser: http://wsvn.donarmstrong.com/deb_pkgs/spamass-milter/trunk Package: spamass-milter Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, spamc, adduser Recommends: spamassassin, sendmail|postfix Homepage: http://savannah.nongnu.org/projects/spamass-milt/ Description: milter for filtering mail through spamassassin A milter used to filter mail through spamassassin (spamc) early in the delivery process. Enables site wide filtering through spamassassin without speed penalties incured by setting up and tearing down procmail processes for each e-mail. . Will work with sendmail, postfix, or any other MTA which can use milters. . - Administrator (or user) specified rejection threshold - User specific spamassassin settings - Header-only modification debian/NEWS.Debian0000644000000000000000000000313411130472725011051 0ustar spamass-milter (0.3.1-6) unstable; urgency=low * Note that users of postfix may wish to add "milter_connect_macros = j {daemon_name} v {if_name} _" to their main.cf if they haven't already done so. See README.Debian. -- Don Armstrong Mon, 05 Jan 2009 13:04:21 -0800 spamass-milter (0.3.1-5) unstable; urgency=low * spamass-milter now tries to run as spamass-milter. This means that the socket can no longer be located in /var/run/sendmail/spamass.sock and must be moved to /var/run/spamass/spamass.sock. The init.d script checks for the old location and reverts to running as root with a warning. To switch to the new behavoir, change your /etc/mail/localconf.m4 appropriately (or wherever you specify milters.) * The default for unknown users is now the spamass-milter user, which is passed to spamc. Its home directory is /var/lib/spamass-milter. If you wish to use a different user, simply edit /etc/defaults/spamass-milter * spamass-milter now attempts to automatically detect postfix installs and set up SOCKET, RUNAS, SOCKETOWNER, and SOCKETMODE appropriately. -- Don Armstrong Mon, 19 Feb 2007 16:10:19 -0800 spamass-milter (0.3.0-2) unstable; urgency=low * spamass-milter now has a (currently not available upstream) -I option which will allow authenticated senders to skip SA checks in outbound mail. As this option is not yet integrated in upstream, the actually command line option may change in the future. You Have Been Warned. -- Don Armstrong Fri, 23 Dec 2005 03:28:31 -0800 debian/copyright0000644000000000000000000000110710662734102011121 0ustar Authors: Georg C. F. Greve Michael Brown Dan Nelson Webpage: http://savannah.nongnu.org/projects/spamass-milt/ Download: http://savannah.nongnu.org/download/spamass-milt/ Debianized: Don Armstrong Thu, 30 Jan 2003 01:26:45 -0500 Copyright: Copyright (c) 2002 Georg C. F. Greve , all rights maintained by FSF Europe e.V., Villa Vogelsang, Antonienallee 1, 45279 Essen, Germany License: GPL, available at /usr/share/common-licenses/GPL debian/spamass-milter.postinst0000644000000000000000000000151111770671234013742 0ustar #!/bin/sh set -e case "$1" in configure) # Create the spamassmilter user if [ -x /usr/sbin/adduser ]; then if ! id -u spamass-milter >/dev/null 2>&1; then adduser --system --no-create-home --home /var/lib/spamass-milter spamass-milter; fi; fi; # Attempt to remove /var/run/spamass if it exists # If we're upgrading from -4 or earlier, we want to remove the # pidfile if spamass.milter isn't running, and then remove # /var/run/spamass if dpkg --compare-versions "$2" 'lt' '0.3.1-5'; then if [ -f /var/run/spamass/spamass.pid ] && ! kill -0 "$(cat /var/run/spamass/spamass.pid)"; then rm -f /var/run/spamass/spamass.pid; fi; if [ -d /var/run/spamass ]; then rmdir --ignore-fail-on-non-empty /var/run/spamass ; fi; fi; ;; *) # do nothing ;; esac ###DEBHELPER### exit 0; debian/compat0000644000000000000000000000000211652065544010374 0ustar 9 debian/patches/0000755000000000000000000000000011772373734010633 5ustar debian/patches/fix_header_char_cast0000644000000000000000000000254211770707112014653 0ustar Description: Fix a const cast in the header Author: Don Armstrong Forwarded: no Index: spamass-milter/spamass-milter.cpp =================================================================== --- spamass-milter.orig/spamass-milter.cpp 2012-06-21 13:02:08.000000000 -0700 +++ spamass-milter/spamass-milter.cpp 2012-06-21 13:02:15.000000000 -0700 @@ -363,7 +363,7 @@ // }}} /* Update a header if SA changes it, or add it if it is new. */ -void update_or_insert(SpamAssassin* assassin, SMFICTX* ctx, string oldstring, t_setter setter, char *header ) +void update_or_insert(SpamAssassin* assassin, SMFICTX* ctx, string oldstring, t_setter setter, const char *header ) { string::size_type eoh1 = assassin->d().find("\n\n"); string::size_type eoh2 = assassin->d().find("\n\r\n"); @@ -386,15 +386,16 @@ { /* change if old one was present, append if non-null */ char* cstr = const_cast(newstring.c_str()); + char* hstr = const_cast(header); if (oldsize > 0) { debug(D_UORI, "u_or_i: changing"); - smfi_chgheader(ctx, header, 1, newstring.size() > 0 ? + smfi_chgheader(ctx, hstr, 1, newstring.size() > 0 ? cstr : NULL ); } else if (newstring.size() > 0) { debug(D_UORI, "u_or_i: inserting"); - smfi_addheader(ctx, header, cstr); + smfi_addheader(ctx, hstr, cstr); } } else { debian/patches/auth_in_received0000644000000000000000000000462711770707343014057 0ustar Description: Include Auth information in the received line Origin: https://www.linuxhacker.at/opensource-projects/spamass-milter Bug: #627989 Author: Herbert Straub, Knut Arne Bjørndal Forwarded: no Index: spamass-milter/spamass-milter.cpp =================================================================== --- spamass-milter.orig/spamass-milter.cpp 2012-06-21 13:03:42.000000000 -0700 +++ spamass-milter/spamass-milter.cpp 2012-06-21 14:02:32.000000000 -0700 @@ -898,7 +898,8 @@ */ const char *macro_b, *macro_i, *macro_j, *macro_r, - *macro_s, *macro_v, *macro_Z, *macro__; + *macro_s, *macro_v, *macro_Z, *macro__, + *macro_auth_type, *macro_auth_ssf; char date[32]; /* RFC 822 date. */ @@ -935,7 +936,22 @@ macro_r = "SMTP"; warnmacro("r", "ENVRCPT"); } - + + /* Authenticated bits Information */ + macro_auth_type = smfi_getsymval(ctx, "{auth_type}"); + if (!macro_auth_type) + { + macro_auth_type = ""; + warnmacro("auth_type", "ENVRCPT"); + } + + macro_auth_ssf = smfi_getsymval(ctx, "{auth_ssf}"); + if (!macro_auth_ssf) + { + macro_auth_ssf = ""; + warnmacro("auth_ssf", "ENVRCPT"); + } + /* Sendmail currently cannot pass us the {s} macro, but I do not know why. Leave this in for the day sendmail is fixed. Until that day, use the value remembered by @@ -974,11 +990,22 @@ assassin->output((string)"X-Envelope-From: "+assassin->from()+"\r\n"); assassin->output((string)"X-Envelope-To: "+envrcpt[0]+"\r\n"); - assassin->output((string) - "Received: from "+macro_s+" ("+macro__+")\r\n\t"+ - "by "+macro_j+" ("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+"\r\n\t"+ + string rec_header; + rec_header=(string)"Received: from "+macro_s+" ("+macro__+")\r\n\t"; + if (strlen(macro_auth_type)!=0) { + rec_header+=(string)"(authenticated"; + if (strlen(macro_auth_ssf)!=0) { + rec_header+=(string)" bits="+macro_auth_ssf; + } + rec_header+=(string)")\r\n\t"; + } + rec_header+=(string)"by "+macro_j+"("+macro_v+"/"+macro_Z+") with "+ + macro_r+" id "+macro_i+"\r\n\t"+ macro_b+"\r\n\t"+ - "(envelope-from "+assassin->from()+")\r\n"); + "(envelope-from "+assassin->from()+"\r\n"; + + debug(D_SPAMC, "Received header for spamc: %s", rec_header.c_str()); + assassin->output(rec_header); } else assassin->output((string)"X-Envelope-To: "+envrcpt[0]+"\r\n"); debian/patches/add_ipv6_support0000644000000000000000000001737011770707045014050 0ustar Description: Add support for ipv6 Origin: http://wilmer.gaast.net/blog/archives/61-spamass-milter-and-IPv6.html Bug: #569483 Author: Wilmer van der Gaast Forwarded: no Index: spamass-milter/spamass-milter.cpp =================================================================== --- spamass-milter.orig/spamass-milter.cpp 2012-06-21 13:03:25.000000000 -0700 +++ spamass-milter/spamass-milter.cpp 2012-06-21 13:03:42.000000000 -0700 @@ -88,6 +88,7 @@ #include "subst_poll.h" #endif #include +#include // C++ includes #include @@ -678,6 +679,8 @@ { struct context *sctx; int rv; + struct sockaddr_in localhost; + debug(D_FUNC, "mlfi_connect: enter"); @@ -687,10 +690,15 @@ { /* not a socket; probably a local user calling sendmail directly */ /* set to 127.0.0.1 */ - sctx->connect_ip.s_addr = htonl(INADDR_LOOPBACK); + strcpy(sctx->connect_ip, "127.0.0.1"); + localhost.sin_family = AF_INET; + localhost.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + hostaddr = (struct sockaddr*) &localhost; } else { - sctx->connect_ip = ((struct sockaddr_in *) hostaddr)->sin_addr; + getnameinfo(hostaddr, sizeof(struct sockaddr_in6), + sctx->connect_ip, 63, NULL, 0, NI_NUMERICHOST); + debug(D_FUNC, "Remote address: %s", sctx->connect_ip); } sctx->assassin = NULL; sctx->helo = NULL; @@ -704,10 +712,10 @@ } /* debug(D_ALWAYS, "ZZZ set private context to %p", sctx); */ - if (ip_in_networklist(sctx->connect_ip, &ignorenets)) + if (ip_in_networklist(hostaddr, &ignorenets)) { debug(D_NET, "%s is in our ignore list - accepting message", - inet_ntoa(sctx->connect_ip)); + sctx->connect_ip); debug(D_FUNC, "mlfi_connect: exit ignore"); return SMFIS_ACCEPT; } @@ -779,7 +787,7 @@ return SMFIS_TEMPFAIL; }; - assassin->set_connectip(string(inet_ntoa(sctx->connect_ip))); + assassin->set_connectip(string(sctx->connect_ip)); // Store a pointer to the assassin object in our context struct sctx->assassin = assassin; @@ -2033,69 +2041,119 @@ { char *tnet = strsep(&token, "/"); char *tmask = token; - struct in_addr net, mask; + struct in_addr net; + struct in6_addr net6; if (list->num_nets % 10 == 0) - list->nets = (struct net*)realloc(list->nets, sizeof(*list->nets) * (list->num_nets + 10)); + list->nets = (union net*)realloc(list->nets, sizeof(*list->nets) * (list->num_nets + 10)); - if (!inet_aton(tnet, &net)) + if (inet_pton(AF_INET, tnet, &net)) { - fprintf(stderr, "Could not parse \"%s\" as a network\n", tnet); - exit(1); - } + struct in_addr mask; + + if (tmask) + { + if (strchr(tmask, '.') == NULL) + { + /* CIDR */ + unsigned int bits; + int ret; + ret = sscanf(tmask, "%u", &bits); + if (ret != 1 || bits > 32) + { + fprintf(stderr,"%s: bad CIDR value", tmask); + exit(1); + } + mask.s_addr = htonl(~((1L << (32 - bits)) - 1) & 0xffffffff); + } else if (!inet_pton(AF_INET6, tmask, &mask)) + { + fprintf(stderr, "Could not parse \"%s\" as a netmask\n", tmask); + exit(1); + } + } else + mask.s_addr = 0xffffffff; - if (tmask) + { + char *snet = strdup(inet_ntoa(net)); + debug(D_MISC, "Adding %s/%s to network list", snet, inet_ntoa(mask)); + free(snet); + } + + net.s_addr = net.s_addr & mask.s_addr; + list->nets[list->num_nets].net4.af = AF_INET; + list->nets[list->num_nets].net4.network = net; + list->nets[list->num_nets].net4.netmask = mask; + list->num_nets++; + } else if (inet_pton(AF_INET6, tnet, &net6)) { - if (strchr(tmask, '.') == NULL) + int mask; + + if (tmask) { - /* CIDR */ - unsigned int bits; - int ret; - ret = sscanf(tmask, "%u", &bits); - if (ret != 1 || bits > 32) + if (sscanf(tmask, "%d", &mask) != 1 || mask > 128) { fprintf(stderr,"%s: bad CIDR value", tmask); exit(1); } - mask.s_addr = htonl(~((1L << (32 - bits)) - 1) & 0xffffffff); - } else if (!inet_aton(tmask, &mask)) - { - fprintf(stderr, "Could not parse \"%s\" as a netmask\n", tmask); - exit(1); - } + } else + mask = 128; + + list->nets[list->num_nets].net6.af = AF_INET6; + list->nets[list->num_nets].net6.network = net6; + list->nets[list->num_nets].net6.netmask = mask; + list->num_nets++; } else - mask.s_addr = 0xffffffff; - { - char *snet = strdup(inet_ntoa(net)); - debug(D_MISC, "Adding %s/%s to network list", snet, inet_ntoa(mask)); - free(snet); + fprintf(stderr, "Could not parse \"%s\" as a network\n", tnet); + exit(1); } - net.s_addr = net.s_addr & mask.s_addr; - list->nets[list->num_nets].network = net; - list->nets[list->num_nets].netmask = mask; - list->num_nets++; } free(string); } -int ip_in_networklist(struct in_addr ip, struct networklist *list) +int ip_in_networklist(struct sockaddr *addr, struct networklist *list) { int i; if (list->num_nets == 0) return 0; - - debug(D_NET, "Checking %s against:", inet_ntoa(ip)); + + //debug(D_NET, "Checking %s against:", inet_ntoa(ip)); for (i = 0; i < list->num_nets; i++) { - debug(D_NET, "%s", inet_ntoa(list->nets[i].network)); - debug(D_NET, "/%s", inet_ntoa(list->nets[i].netmask)); - if ((ip.s_addr & list->nets[i].netmask.s_addr) == list->nets[i].network.s_addr) - { - debug(D_NET, "Hit!"); - return 1; + if (list->nets[i].net.af == AF_INET && addr->sa_family == AF_INET) + { + struct in_addr ip = ((struct sockaddr_in *)addr)->sin_addr; + + debug(D_NET, "%s", inet_ntoa(list->nets[i].net4.network)); + debug(D_NET, "/%s", inet_ntoa(list->nets[i].net4.netmask)); + if ((ip.s_addr & list->nets[i].net4.netmask.s_addr) == list->nets[i].net4.network.s_addr) + { + debug(D_NET, "Hit!"); + return 1; + } + } else if (list->nets[i].net.af == AF_INET6 && addr->sa_family == AF_INET6) + { + u_int8_t *ip = ((struct sockaddr_in6 *)addr)->sin6_addr.s6_addr; + int mask, j; + + mask = list->nets[i].net6.netmask; + for (j = 0; j < 16 && mask > 0; j++, mask -= 8) + { + unsigned char bytemask; + + bytemask = (mask < 8) ? ~((1L << (8 - mask)) - 1) : 0xff; + + if ((ip[j] & bytemask) != (list->nets[i].net6.network.s6_addr[j] & bytemask)) + break; + } + + if (mask <= 0) + { + debug(D_NET, "Hit!"); + return 1; + } } } Index: spamass-milter/spamass-milter.h =================================================================== --- spamass-milter.orig/spamass-milter.h 2012-06-21 13:03:25.000000000 -0700 +++ spamass-milter/spamass-milter.h 2012-06-21 13:03:42.000000000 -0700 @@ -56,16 +56,30 @@ extern struct smfiDesc smfilter; /* struct describing a single network */ -struct net +union net { - struct in_addr network; - struct in_addr netmask; + struct + { + uint8_t af; + } net; + struct + { + uint8_t af; + struct in_addr network; + struct in_addr netmask; + } net4; + struct + { + uint8_t af; + struct in6_addr network; + int netmask; /* Just the number of bits for IPv6 */ + } net6; }; /* an array of networks */ struct networklist { - struct net *nets; + union net *nets; int num_nets; }; @@ -165,7 +179,7 @@ /* Private data structure to carry per-client data between calls */ struct context { - struct in_addr connect_ip; // remote IP address + char connect_ip[64]; // remote IP address char *helo; SpamAssassin *assassin; // pointer to the SA object if we're processing a message }; @@ -182,7 +196,7 @@ int cmp_nocase_partial(const string&, const string&); void closeall(int fd); void parse_networklist(char *string, struct networklist *list); -int ip_in_networklist(struct in_addr ip, struct networklist *list); +int ip_in_networklist(struct sockaddr *addr, struct networklist *list); void parse_debuglevel(char* string); char *strlwr(char *str); void warnmacro(char *macro, char *scope); debian/patches/ignore_by_smtp_auth0000644000000000000000000000722111770707546014621 0ustar Description: Add ignore authenticated senders option From: Paul Traina Bug: #301755 Index: spamass-milter/spamass-milter.1.in =================================================================== --- spamass-milter.orig/spamass-milter.1.in 2012-06-21 12:53:44.000000000 -0700 +++ spamass-milter/spamass-milter.1.in 2012-06-21 12:56:56.000000000 -0700 @@ -14,6 +14,7 @@ .Op Fl e Ar defaultdomain .Op Fl f .Op Fl i Ar networks +.Op Fl I .Op Fl m .Op Fl M .Op Fl P Ar pidfile @@ -119,6 +120,8 @@ flags will append to the list. For example, if you list all your internal networks, no outgoing emails will be filtered. +.It Fl I +Ignores messages if the sender has authenticated via SMTP AUTH. .It Fl m Disables modification of the .Ql Subject: Index: spamass-milter/spamass-milter.cpp =================================================================== --- spamass-milter.orig/spamass-milter.cpp 2012-06-21 12:53:49.000000000 -0700 +++ spamass-milter/spamass-milter.cpp 2012-06-21 12:56:56.000000000 -0700 @@ -169,6 +169,7 @@ char *spambucket; bool flag_full_email = false; /* pass full email address to spamc */ bool flag_expand = false; /* alias/virtusertable expansion */ +bool ignore_authenticated_senders = false; bool warnedmacro = false; /* have we logged that we couldn't fetch a macro? */ // {{{ main() @@ -177,7 +178,7 @@ main(int argc, char* argv[]) { int c, err = 0; - const char *args = "fd:mMp:P:r:u:D:i:b:B:e:x"; + const char *args = "fd:mMp:P:r:u:D:i:Ib:B:e:x"; char *sock = NULL; bool dofork = false; char *pidfilename = NULL; @@ -209,6 +210,10 @@ debug(D_MISC, "Parsing ignore list"); parse_networklist(optarg, &ignorenets); break; + case 'I': + debug(D_MISC, "Ignore authenticated senders"); + ignore_authenticated_senders = true; + break; case 'm': dontmodifyspam = true; smfilter.xxfi_flags &= ~SMFIF_CHGBODY; @@ -276,7 +281,7 @@ cout << PACKAGE_NAME << " - Version " << PACKAGE_VERSION << endl; cout << "SpamAssassin Sendmail Milter Plugin" << endl; cout << "Usage: spamass-milter -p socket [-b|-B bucket] [-d xx[,yy...]] [-D host]" << endl; - cout << " [-e defaultdomain] [-f] [-i networks] [-m] [-M]" << endl; + cout << " [-e defaultdomain] [-f] [-i networks] [-I] [-m] [-M]" << endl; cout << " [-P pidfile] [-r nn] [-u defaultuser] [-x]" << endl; cout << " [-- spamc args ]" << endl; cout << " -p socket: path to create socket" << endl; @@ -290,6 +295,7 @@ cout << " -f: fork into background" << endl; cout << " -i: skip (ignore) checks from these IPs or netblocks" << endl; cout << " example: -i 192.168.12.5,10.0.0.0/8,172.16.0.0/255.255.0.0" << endl; + cout << " -I: skip (ignore) checks if sender is authenticated" << endl; cout << " -m: don't modify body, Content-type: or Subject:" << endl; cout << " -M: don't modify the message at all" << endl; cout << " -P pidfile: Put processid in pidfile" << endl; @@ -746,6 +753,22 @@ } /* debug(D_ALWAYS, "ZZZ got private context %p", sctx); */ + if (ignore_authenticated_senders) + { + char *auth_authen; + + auth_authen = smfi_getsymval(ctx, "{auth_authen}"); + debug(D_MISC, "auth_authen=%s", auth_authen ?: ""); + + if (auth_authen) + { + debug(D_MISC, "sender authenticated (%s) - accepting message", + auth_authen); + debug(D_FUNC, "mlfi_envfrom: exit ignore"); + return SMFIS_ACCEPT; + } + } + debug(D_FUNC, "mlfi_envfrom: enter"); try { // launch new SpamAssassin debian/patches/series0000644000000000000000000000015211770705724012042 0ustar ignore_by_smtp_auth fix_spacing_in_received_header fix_header_char_cast add_ipv6_support auth_in_received debian/patches/fix_spacing_in_received_header0000644000000000000000000000132211770707217016705 0ustar Description: Fix spacing in the received header Author: Marco d'Itri Bug: #510665 Forwarded: no Index: spamass-milter/spamass-milter.cpp =================================================================== --- spamass-milter.orig/spamass-milter.cpp 2012-06-21 13:02:06.000000000 -0700 +++ spamass-milter/spamass-milter.cpp 2012-06-21 13:02:08.000000000 -0700 @@ -967,7 +967,7 @@ assassin->output((string) "Received: from "+macro_s+" ("+macro__+")\r\n\t"+ - "by "+macro_j+"("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+";\r\n\t"+ + "by "+macro_j+" ("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+"\r\n\t"+ macro_b+"\r\n\t"+ "(envelope-from "+assassin->from()+")\r\n"); debian/changelog0000644000000000000000000001550011772373243011052 0ustar spamass-milter (0.3.2-1) unstable; urgency=low * New upstream release * No longer create home directory for spamass-milter; remove on purge if it exists (closes: #668717) * Use autotools-dev to update config.sub/config.guess (closes: #539791) * Include support for ipv6 (Thanks to Wilmer van der Gaast) (closes: #569483) * Add SMTP auth information to received header (Thanks to Knut Arne Bjørndal) (closes: #627989) -- Don Armstrong Mon, 13 Jun 2011 17:00:00 -0700 spamass-milter (0.3.1-10) unstable; urgency=low * Fix zombies which were happening with -x. (closes: #575019) -- Don Armstrong Mon, 22 Mar 2010 14:39:12 -0700 spamass-milter (0.3.1-9) unstable; urgency=high * Call restorecon on the socket and pidfile directories to make SELinux happy (thanks to Russell Coker) (closes: #518552) * Document how to make inet:9999@127.0.0.1 work (closes: #519245) * Document that using the -x option requires being in the smmsp group (closes: #515158) * Deal with inet:999 sockets (closes: #514749) - handle them more sanely in the init script - document how to deal with them in README.Debian and /etc/spamass-milter/default * Use new popenenv function instead of open; fixes remote code exploit as the spamass-milter user when run using -x. (closes: #573228) -- Don Armstrong Wed, 11 Mar 2009 03:59:39 -0700 spamass-milter (0.3.1-8) unstable; urgency=low * Update the documentation in README.Debian to indicate that a different path to the postfix socket may be required in chrooted postfix installs (closes: #496003) * Update milter_connect_macros_line (thanks to Marco d'Itri) * Fix the code to generate a sendmail-compatible header (thanks to Marco d'Itri) (closes: #510665). * Put Homepage in the proper location * Update standards version with only the above change -- Don Armstrong Fri, 23 Jan 2009 15:40:41 -0800 spamass-milter (0.3.1-7) unstable; urgency=low * Add LSB options to init script (closes: #467145) * Add status init script command support -- Don Armstrong Mon, 25 Feb 2008 16:00:57 -0800 spamass-milter (0.3.1-6) unstable; urgency=low * New version to allow building against libmilter1 -- Don Armstrong Sat, 19 May 2007 19:01:17 -0700 spamass-milter (0.3.1-5) unstable; urgency=low * Run spamass-milter as a new user, spamassmilter instead of nobody (closes: #411094) * Use --oknodo in stop so we don't fail when spamassmilter is not running (closes: #412524) -- Don Armstrong Mon, 26 Feb 2007 17:26:33 -0800 spamass-milter (0.3.1-4) unstable; urgency=low * Flip the order of socket and piddir creation, because the default for sendmail has them in the same directory. [This was breaking new sendmail installs.] -- Don Armstrong Sun, 28 Jan 2007 17:43:53 -0800 spamass-milter (0.3.1-3) unstable; urgency=low * Use dirname instead of basename (closes: #391909) * Add RUNAS option to change the user that spamass-milter runs as. * Automatically detect postfix installs, and change the PID, SOCKET, and SOCKETMODE options accordingly (closes: #391789) Thanks to Zach Sadecki and Marco d'Itri for testing this fix. -- Don Armstrong Mon, 1 Jan 2007 11:07:17 -0800 spamass-milter (0.3.1-2) unstable; urgency=low * Create /var/run/sendmail if it doesn't already exist to allow for /var/run on a tmpfs (closes: #373812) * Stop depending on sendmail, and begin recommending sendmail or postfix (closes: #378460) -- Don Armstrong Wed, 5 Apr 2006 13:21:11 -0700 spamass-milter (0.3.1-1) unstable; urgency=low * New upstream release - Adds more macros to avoid mails being tagged ALL_TRUSTED (closes: #354239) -- Don Armstrong Wed, 5 Apr 2006 12:16:08 -0700 spamass-milter (0.3.0-2) unstable; urgency=low * Add -I option to stop delaying mail from authenticated users. Thanks to Paul Traina for the patch. (closes: #301755) * Delete config.h, config.log, and config.status in the clean target * Update standards version (no changes) -- Don Armstrong Fri, 23 Dec 2005 05:12:38 -0800 spamass-milter (0.3.0-1) unstable; urgency=low * New upstream release (closes: #295586) * Include sendmail.mc in the reportbug script * Stop using cdbs * Specify path to spamc and sendmail directly to eliminate (useless) build dependencies on spamc and sendmail -- Don Armstrong Tue, 1 Mar 2005 18:20:21 -0800 spamass-milter (0.2.0-7) unstable; urgency=low * Updates to deal with changes in spamassassin 3.0 - hits is now score in the X-Spam-Status: header (closes: #273798) * Parse user+detail@foo.com addresses correctly (load preferences of the user user instead of the user+detail user.) * Uploaded by Stephen Gran -- Don Armstrong Thu, 30 Sep 2004 13:56:17 -0700 spamass-milter (0.2.0-6) unstable; urgency=low * Add patch from cvs to create pidfile and use it in init script to avoid start-stop-daemon needing /proc (closes: #216455) * Use cdbs - Add lintian override as the config.* patches aren't applied until buildtime * Migrate patches to debian/patches * Init scripts now send the right signal to stop spamass-milter * Uploaded by Stephen Gran -- Don Armstrong Tue, 24 Feb 2004 10:09:09 -0800 spamass-milter (0.2.0-5) unstable; urgency=low * Changed recommends: spamd to spamassassin (closes: #204139) * Fix typo in init script (oknod should be oknodo) (closes: #204301) * Add debugging howto section to README.Debian * Uploaded by Stephen Gran -- Don Armstrong Fri, 29 Aug 2003 18:00:05 -0700 spamass-milter (0.2.0-4) unstable; urgency=low * Add missing build-depends on groff - Fixes FTBFS on autobuilders. * Update Standards Version to 3.6.0 -- Don Armstrong Wed, 30 Jul 2003 01:32:00 -0700 spamass-milter (0.2.0-3) unstable; urgency=low * Patch by Valentin Chopov to fix segfaults on empty message bodies. [The "bob" patch] -- Don Armstrong Mon, 21 Jul 2003 12:48:02 -0700 spamass-milter (0.2.0-2) unstable; urgency=low * Removed bashism from /etc/init.d/spamass-milter [s/source/./] as suggested and noticed by Joost van Baal . -- Don Armstrong Sun, 20 Jul 2003 01:13:18 -0700 spamass-milter (0.2.0-1) unstable; urgency=low * New upstream release -- Don Armstrong Thu, 26 Jun 2003 20:38:15 -0400 spamass-milter (0.1.3a-1) unstable; urgency=low * Initial debian packaging -- Don Armstrong Thu, 30 Jan 2003 01:24:44 -0500 debian/rules0000755000000000000000000000421211770674051010255 0ustar #!/usr/bin/make -f DH_VERBOSE = 1 %: dh $@ --parallel --with autotools_dev override_dh_auto_configure: SPAMC="/usr/bin/spamc" SENDMAIL="/usr/sbin/sendmail" \ dh_auto_configure; override_dh_auto_clean: dh_auto_clean; rm -f config.log config.status config.h Makefile stamp-h1 spamass-milter.1 # PREFIX=$(shell pwd)/debian/spamass-milter/usr # # patch: patch-stamp # patch-stamp: # dh_testdir # # if [ -e debian/patches ]; then \ # for a in `ls debian/patches/*.diff`; do \ # patch -f -p0 < $$a; \ # done; \ # fi; # # rm -f unpatch-stamp; # touch $@ # # unpatch: unpatch-stamp # unpatch-stamp: # dh_testdir # # if [ -e debian/patches ]; then \ # for a in `ls debian/patches/*.diff`; do \ # patch -f -p0 -R < $$a; \ # done; \ # fi; # # rm -f patch-stamp # touch $@ # # # configure: configure-stamp # configure-stamp: # # # SPAMC and SENDMAIL are the location of the spamc and sendmail binary, respectively. PREFIX is the location to install to. # # We must specify --mandir because for some ungodly reason, it's being installed into /usr/man by default # LDFLAGS="-L/usr/lib/libmilter" SPAMC="/usr/bin/spamc" SENDMAIL="/usr/sbin/sendmail" \ # ./configure --prefix=$(PREFIX) --mandir=$(PREFIX)/share/man # touch $@ # # build: configure build-stamp # build-stamp: # dh_testdir # # $(MAKE) # # touch $@ # # clean: # dh_testdir # dh_testroot # # rm -f build-stamp # rm -f patch-stamp # rm -f unpatch-stamp # rm -f configure-stamp # # if [ -e Makefile -a -e config.status ]; then \ # $(MAKE) clean; \ # fi # # the clean target doesn't nuke these, so we kill them here. # rm -f config.log config.h config.status # dh_clean # # install: build # dh_testdir # dh_testroot # dh_clean -k # dh_installdirs # # $(MAKE) install # # binary-indep: # # binary-arch: build install # dh_testdir # dh_testroot # dh_installchangelogs ChangeLog # dh_installdocs NEWS README # dh_installman # dh_installinit # dh_link # dh_strip # dh_compress # dh_fixperms # dh_installdeb # dh_shlibdeps # dh_gencontrol # dh_md5sums # dh_builddeb # # binary: binary-arch # .PHONY: build clean binary-arch binary-indep binary install debian/spamass-milter.postrm0000644000000000000000000000040311770671266013407 0ustar #!/bin/sh set -e case "$1" in purge) # remove /var/lib/spamass-milter if it exists if [ -e /var/lib/spamass-milter ]; then rmdir --ignore-fail-on-non-empty /var/lib/spamass-milter fi; ;; *) # do nothing ;; esac ###DEBHELPER### exit 0; debian/source/0000755000000000000000000000000011772373734010504 5ustar debian/source/format0000644000000000000000000000001411770707405011704 0ustar 3.0 (quilt) debian/spamass-milter.default0000644000000000000000000000160711145424140013475 0ustar # spamass-milt startup defaults # OPTIONS are passed directly to spamass-milter. # man spamass-milter for details # Non-standard configuration notes: # See README.Debian if you use the -x option with sendmail # You should not pass the -d option in OPTIONS; use SOCKET for that. # Default, use the spamass-milter user as the default user, ignore # messages from localhost OPTIONS="-u spamass-milter -i 127.0.0.1" # Reject emails with spamassassin scores > 15. #OPTIONS="-r 15" # Do not modify Subject:, Content-Type: or body. #OPTIONS="-m" ###################################### # If /usr/sbin/postfix is executable, the following are set by # default. You can override them by uncommenting and changing them # here. ###################################### # SOCKET="/var/spool/postfix/spamass/spamass.sock" # SOCKETOWNER="postfix:postfix" # SOCKETMODE="0660" ###################################### debian/spamass-milter.init0000644000000000000000000001221211575525662013030 0ustar #!/bin/sh # # $Id: spamass-milter.init 553 2011-06-14 00:30:42Z don $ # # Sample init script for Debian GNU/Linux # # Copyright (c) 2002 Georg C. F. Greve , # all rights maintained by FSF Europe e.V., # Villa Vogelsang, Antonienallee 1, 45279 Essen, Germany # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # Contact: # Michael Brown # This init script was modified on Thu, 30 Jan 2003 02:06:04 -0500 by # Don Armstrong from contrib/spamass-milter to # allow force-reload and options specified in # /etc/default/spamass-milter necessary for inclusion in debian. # It has been modified additionally to support LSB Boot options and # status on Friday, July 6, 2007 14:02:44 PDT ### BEGIN INIT INFO # Provides: spamass-milter # Required-Start: $syslog $local_fs $remote_fs # Required-Stop: $syslog $local_fs $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: milter for spamassassin # Description: Calls spamassassin to allow filtering out # spam from ham in libmilter compatible MTAs. ### END INIT INFO PATH=/sbin:/bin:/usr/sbin:/usr/bin NAME=spamass-milter DAEMON=/usr/sbin/spamass-milter SOCKET=/var/run/spamass/spamass.sock PIDFILE=/var/run/spamass/spamass.pid DESC="Sendmail milter plugin for SpamAssassin" DEFAULT=/etc/default/spamass-milter OPTIONS="" RUNAS="spamass-milter" CHUID="" SOCKETMODE="0600" SOCKETOWNER="root:root" test -x $DAEMON || exit 0 if [ -e /etc/mail/sendmail.cf ] && egrep -q 'X.+S=local:/var/run/sendmail/spamass\.sock' /etc/mail/sendmail.cf; then SOCKET=/var/run/sendmail/spamass.sock SOCKETMODE="" SOCKETOWNER="" RUNAS="" echo "WARNING: You are using the old location of spamass.sock. Change your input filter to use"; echo "/var/run/spamass/spamass.sock so spamass-milter can run as spamass-milter"; fi; # If /usr/sbin/postfix exists, set up the defaults for a postfix install # These can be overridden in /etc/default/spamass-milter if [ -x /usr/sbin/postfix ]; then SOCKET="/var/spool/postfix/spamass/spamass.sock" SOCKETOWNER="postfix:postfix" SOCKETMODE="0660" fi; if [ -r $DEFAULT ]; then . $DEFAULT; fi; if [ -n "$RUNAS" ]; then CHUID="--chuid $RUNAS"; fi; set -e start() { # Because the default socket is in the same location as the # pidfile, we create them in this order. for DIR in "$(dirname $PIDFILE)" "$(dirname $SOCKET)"; do # if the dirname is '.', then it's some kind of odd socket, like # an inet socket. Don't create the directory in such a case if [ "$DIR" != "." ] && [ ! -d "$DIR" ]; then mkdir -p "$DIR"; if [ -x /sbin/restorecon ]; then /sbin/restorecon "$DIR"; fi; if [ -n "$RUNAS" ]; then chown "$RUNAS" "$DIR"; fi; fi; done; if [ -n "$RUNAS" ] && [ -d $(dirname $PIDFILE) ] && [ "$(stat -c '%U' $(dirname $PIDFILE))" != "$RUNAS" ]; then echo "WARNING: $NAME will run as user $RUNAS but $(dirname $PIDFILE) is not owned by $RUNAS"; echo "Either delete this directory or chown it appropriately. Startup attempts may fail."; fi; if [ -n "$RUNAS" ] && [ $(dirname $SOCKET) != "." ] && [ -d $(dirname $SOCKET) ] && [ "$(stat -c '%U' $(dirname $SOCKET))" != "$RUNAS" ]; then echo "WARNING: $NAME will run as user $RUNAS but $(dirname $SOCKET) is not owned by $RUNAS"; echo "Either delete this directory or chown it appropriately. Startup attempts may fail."; fi; if [ $(dirname $SOCKET) != "." ]; then /bin/rm -f $SOCKET fi; start-stop-daemon --start -p $PIDFILE $CHUID --exec $DAEMON -- -P $PIDFILE -f -p $SOCKET $OPTIONS sleep 1s if [ -n "$SOCKETMODE" ]; then chmod $SOCKETMODE $SOCKET; fi; if [ -n "$SOCKETOWNER" ]; then chown $SOCKETOWNER $SOCKET; fi; } stop(){ start-stop-daemon --oknodo --stop -p $PIDFILE --signal 3 --exec $DAEMON /bin/sleep 5s /bin/rm -f $SOCKET /bin/rm -f $PIDFILE } status(){ if [ -e $PIDFILE ]; then if kill -0 $(cat $PIDFILE); then echo "${NAME} running"; exit 0; else echo "${NAME} dead but $PIDFILE exists"; exit 1; fi; echo "${NAME} not running"; exit 3; fi; } case "$1" in start) echo -n "Starting $DESC: " start echo "${NAME}" ;; stop) echo -n "Stopping $DESC: " stop echo "${NAME}" ;; force-reload | restart) echo -n "Restarting $DESC: " stop start echo "${NAME}" ;; status) status ;; *) N=$0 echo "Usage: $N {start|stop|restart|force-reload|status}" >&2 exit 1 ;; esac exit 0