From 611b1961b81552737ae9345dac12a3f1cd914212 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 27 Jun 2018 20:28:02 +0100 Subject: Restore rsmapd support Following discussions on the exim-user mailinglist it seems that the conclusion that the interface was nonfunctioning was unwarranted. --- doc/doc-docbook/spec.xfpt | 29 ++++++++++++---- doc/doc-txt/ChangeLog | 7 ++-- src/README.UPDATING | 2 -- src/src/spam.c | 88 ++++++++++++++++++++++++++++++++++++++++------- src/src/spam.h | 1 + test/src/server.c | 17 +++++++-- 6 files changed, 117 insertions(+), 27 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 82e4dfaff..9cddddde5 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -32266,14 +32266,20 @@ deny message = This message contains malware ($malware_name) .endd -.section "Scanning with SpamAssassin" "SECTscanspamass" +.section "Scanning with SpamAssassin and Rspamd" "SECTscanspamass" .cindex "content scanning" "for spam" .cindex "spam scanning" .cindex "SpamAssassin" +.cindex "Rspamd" The &%spam%& ACL condition calls SpamAssassin's &%spamd%& daemon to get a spam -score and a report for the message. You can get SpamAssassin at -&url(http://www.spamassassin.org), or, if you have a working Perl -installation, you can use CPAN by running: +score and a report for the message. +Support is also provided for Rspamd. + +For more information about installation and configuration of SpamAssassin or +Rspamd refer to their respective websites at +&url(http://spamassassin.apache.org) and &url(http://www.rspamd.com) + +SpamAssassin can be installed with CPAN by running: .code perl -MCPAN -e 'install Mail::SpamAssassin' .endd @@ -32299,6 +32305,14 @@ server (currently defaulting to 120s). With a lower value the Linux connection tracking may consider your half-closed connection as dead too soon. + +To use Rspamd (which by default listens on all local addresses +on TCP port 11333) +you should add &%variant=rspamd%& after the address/port pair, for example: +.code +spamd_address = 127.0.0.1 11333 variant=rspamd +.endd + As of version 2.60, &%SpamAssassin%& also supports communication over UNIX sockets. If you want to us these, supply &%spamd_address%& with an absolute file name instead of an address/port pair: @@ -32383,7 +32397,8 @@ The right-hand side of the &%spam%& condition specifies a name. This is relevant if you have set up multiple SpamAssassin profiles. If you do not want to scan using a specific profile, but rather use the SpamAssassin system-wide default profile, you can scan for an unknown name, or simply use &"nobody"&. -However, you must put something on the right-hand side. +Rspamd does not use this setting. However, you must put something on the +right-hand side. The name allows you to use per-domain or per-user antispam profiles in principle, but this is not straightforward in practice, because a message may @@ -32452,8 +32467,10 @@ when running in country-specific locales, which are not legal unencoded in headers. .vitem &$spam_action$& -Either 'reject' or 'no action' depending on the +For SpamAssassin either 'reject' or 'no action' depending on the spam score versus threshold. +For Rspamd, the recommended action. + .endlist The &%spam%& condition caches its results unless expansion in diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 58b82bddd..754f48b15 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -72,13 +72,10 @@ JH/15 Rework TLS client-side context management. Stop using a global, and explicitly pass a context around. This enables future use of TLS for connections to service-daemons (eg. malware scanning) while a client smtp connection is using TLS; with cutthrough connections this is quite likely. -JH/15 Support for Rspamd, as a variant of the "spam" ACL condition used for - connecting to a SpamAssassain "spamd" daemon for content scanning, is - removed. Following changes to the protocol used for communication with - Rspamd it was apparently inoperable. JH/16 Fix ARC verification to do AS checks in reverse order. -JH/16 Support a "tls" option on the ${readsocket } expansion item. + +JH/17 Support a "tls" option on the ${readsocket } expansion item. Exim version 4.91 diff --git a/src/README.UPDATING b/src/README.UPDATING index 11cd0ba44..2438cc953 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -34,8 +34,6 @@ Exim version 4.92 is limited to one retry unless the (new) config option dns_cname_loops is changed. - * Support for Rspamd has been removed. - Exim version 4.91 ----------------- diff --git a/src/src/spam.c b/src/src/spam.c index db6cf8495..9384bfa0d 100644 --- a/src/src/spam.c +++ b/src/src/spam.c @@ -16,7 +16,7 @@ uschar spam_score_buffer[16]; uschar spam_score_int_buffer[16]; uschar spam_bar_buffer[128]; -uschar * spam_action_buffer; +uschar spam_action_buffer[32]; uschar spam_report_buffer[32600]; uschar prev_user_name[128] = ""; int spam_ok = 0; @@ -30,6 +30,7 @@ static int spamd_param_init(spamd_address_container *spamd) { /* default spamd server weight, time and priority value */ +spamd->is_rspamd = FALSE; spamd->is_failed = FALSE; spamd->weight = SPAMD_WEIGHT; spamd->timeout = SPAMD_TIMEOUT; @@ -94,6 +95,12 @@ if (Ustrncmp(param, "time=", 5) == 0) return 0; /* OK */ } +if (Ustrcmp(param, "variant=rspamd") == 0) + { + spamd->is_rspamd = TRUE; + return 0; + } + if (Ustrncmp(param, "tmo=", 4) == 0) { int sec = readconf_readtime((s = param+4), '\0', FALSE); @@ -361,15 +368,42 @@ start = time(NULL); } (void)fcntl(spamd_cctx.sock, F_SETFL, O_NONBLOCK); -/* now we are connected to spamd on spamd_sock */ - -(void)string_format(spamd_buffer, - sizeof(spamd_buffer), - "REPORT SPAMC/1.2\r\nUser: %s\r\nContent-length: %ld\r\n\r\n", - user_name, - mbox_size); -/* send our request */ -wrote = send(spamd_cctx.sock, spamd_buffer, Ustrlen(spamd_buffer), 0); +/* now we are connected to spamd on spamd_cctx.sock */ +if (sd->is_rspamd) + { + gstring * req_str; + const uschar * s; + + req_str = string_append(NULL, 8, + "CHECK RSPAMC/1.3\r\nContent-length: ", string_sprintf("%lu\r\n", mbox_size), + "Queue-Id: ", message_id, + "\r\nFrom: <", sender_address, + ">\r\nRecipient-Number: ", string_sprintf("%d\r\n", recipients_count)); + + for (i = 0; i < recipients_count; i ++) + req_str = string_append(req_str, 3, + "Rcpt: <", recipients_list[i].address, ">\r\n"); + if ((s = expand_string(US"$sender_helo_name")) && *s) + req_str = string_append(req_str, 3, "Helo: ", s, "\r\n"); + if ((s = expand_string(US"$sender_host_name")) && *s) + req_str = string_append(req_str, 3, "Hostname: ", s, "\r\n"); + if (sender_host_address) + req_str = string_append(req_str, 3, "IP: ", sender_host_address, "\r\n"); + if ((s = expand_string(US"$authenticated_id")) && *s) + req_str = string_append(req_str, 3, "User: ", s, "\r\n"); + req_str = string_catn(req_str, US"\r\n", 2); + wrote = send(spamd_cctx.sock, req_str->s, req_str->ptr, 0); + } +else + { /* spamassassin variant */ + (void)string_format(spamd_buffer, + sizeof(spamd_buffer), + "REPORT SPAMC/1.2\r\nUser: %s\r\nContent-length: %ld\r\n\r\n", + user_name, + mbox_size); + /* send our request */ + wrote = send(spamd_cctx.sock, spamd_buffer, Ustrlen(spamd_buffer), 0); + } if (wrote == -1) { @@ -393,6 +427,7 @@ if (wrote == -1) pollfd.fd = spamd_cctx.sock; pollfd.events = POLLOUT; #endif +(void)fcntl(spamd_cctx.sock, F_SETFL, O_NONBLOCK); do { read = fread(spamd_buffer,1,sizeof(spamd_buffer),mbox_file); @@ -459,7 +494,8 @@ if (ferror(mbox_file)) (void)fclose(mbox_file); /* we're done sending, close socket for writing */ -shutdown(spamd_cctx.sock, SHUT_WR); +if (!sd->is_rspamd) + shutdown(spamd_cctx.sock,SHUT_WR); /* read spamd response using what's left of the timeout. */ memset(spamd_buffer, 0, sizeof(spamd_buffer)); @@ -483,6 +519,33 @@ if (i <= 0 && errno != 0) /* reading done */ (void)close(spamd_cctx.sock); +if (sd->is_rspamd) + { /* rspamd variant of reply */ + int r; + if ( (r = sscanf(CS spamd_buffer, + "RSPAMD/%7s 0 EX_OK\r\nMetric: default; %7s %lf / %lf / %lf\r\n%n", + spamd_version, spamd_short_result, &spamd_score, &spamd_threshold, + &spamd_reject_score, &spamd_report_offset)) != 5 + || spamd_report_offset >= offset /* verify within buffer */ + ) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "%s cannot parse spamd %s, output: %d", loglabel, callout_address, r); + return DEFER; + } + /* now parse action */ + p = &spamd_buffer[spamd_report_offset]; + + if (Ustrncmp(p, "Action: ", sizeof("Action: ") - 1) == 0) + { + p += sizeof("Action: ") - 1; + q = &spam_action_buffer[0]; + while (*p && *p != '\r' && (q - spam_action_buffer) < sizeof(spam_action_buffer) - 1) + *q++ = *p++; + *q = '\0'; + } + } +else { /* spamassassin */ /* dig in the spamd output and put the report in a multiline header, if requested */ @@ -501,7 +564,8 @@ if (i <= 0 && errno != 0) } } - spam_action_buffer = spamd_score >= spamd_threshold ? US"reject" : US"no action"; + Ustrcpy(spam_action_buffer, + spamd_score >= spamd_threshold ? "reject" : "no action"); } /* Create report. Since this is a multiline string, diff --git a/src/src/spam.h b/src/src/spam.h index 9f6b749cc..2fe73809e 100644 --- a/src/src/spam.h +++ b/src/src/spam.h @@ -27,6 +27,7 @@ typedef struct spamd_address_container { uschar * hostspec; + int is_rspamd:1; int is_failed:1; unsigned int weight; unsigned int timeout; diff --git a/test/src/server.c b/test/src/server.c index 719350c15..d433ebe0e 100644 --- a/test/src/server.c +++ b/test/src/server.c @@ -519,6 +519,11 @@ s = script; for (count = 0; count < connection_count; count++) { + struct { + int left; + BOOL in_use; + } content_length = { 0, FALSE }; + alarm(timeout); if (port <= 0) { @@ -729,6 +734,7 @@ for (count = 0; count < connection_count; count++) alarm(timeout); n = read(dup_accept_socket, CS buffer+offset, s->len - offset); + if (content_length.in_use) content_length.left -= n; if (n == 0) { printf("%sxpected EOF read from client\n", @@ -746,8 +752,9 @@ for (count = 0; count < connection_count; count++) if (data) do { n = (read(dup_accept_socket, &c, 1) == 1 && c == '.'); + if (content_length.in_use) content_length.left--; while (c != '\n' && read(dup_accept_socket, &c, 1) == 1) - ; + if (content_length.in_use) content_length.left--; } while (!n); else if (memcmp(ss, buffer, n) != 0) { @@ -770,7 +777,8 @@ for (count = 0; count < connection_count; count++) goto END_OFF; } alarm(0); - n = (int)strlen(CS buffer); + n = strlen(CS buffer); + if (content_length.in_use) content_length.left -= (n - offset); while (n > 0 && isspace(buffer[n-1])) n--; buffer[n] = 0; printf("%s\n", buffer); @@ -784,6 +792,11 @@ for (count = 0; count < connection_count; count++) break; } } + + if (sscanf(CCS buffer, "