From: [email protected]

Package: sa-exim
Version: 4.0-2
Severity: minor

I installed this, installed spamassassin, started up spamd, and turned on
split config in exim4 after reading other bug reports, and the damn thing
still doesn't do anything. I've read through all the documentation and
I still have only a faint clue how sa-exim is connected to exim4 and I
have no clue why it isn't working.

Supposedly the defaults should at least result in some sort of header
being added to incoming messages, and I even added "add_header all foo
bar" to the spamassassin config, which (according to spamassassin docs)
should result in a header added to all messages, but nothing like that
is happening. As far as I can tell without running strace on exim,
spamc is not getting run at all.

-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages sa-exim depends on:
ii debconf [debconf-2.0] 1.4.30 Debian configuration management sy ii exim4-daemon-light 4.34-4 Lightweight version of the Exim (v ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an ii spamassassin 2.63-1 Perl-based spam filter using text ii spamc 2.63-1 Client for perl-based spam filteri

-- debconf information:
sa-exim/purge_spool: false


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

I had some problems too getting it to work, but after some talking to the sa-exim maintainer and the exim mailing list I managed to get it to work.

I'll try to look back over what information I got collected up and submit it as a patch for the README.Debian file (as indeed I'd already agreed to do with sa-exim maintainer).

BR,
Millis


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

Quoting Millis Miller ([email protected]):

I had some problems too getting it to work, but after some talking to
the sa-exim maintainer and the exim mailing list I managed to get it
to work.

What is missing in the documentation is how to make sure Exim4 actually
uses the sa-exim.so loadable module. Millis, I believe that was your
problem too, you thought you used the split_config, but
update-exim4.conf didn't update the autogenerated exim4.conf because /etc/exim4/update-exim4.conf.conf showed dc_use_split_config='false'.

So what i'm gonna do is add a few lines to README.Debian to clarify
how to find out what exim4.conf the system is using, and how to make
sure it is updated at all...

The rest of configuring sa-exim is all explained in the README.gz and
even more in /etc/exim4/sa-exim.conf.

The reason why i'm not letting sa-exim run on each and every message immediately after installation is because it *CAN* actually throw
messages away. Clueless users might not notice and blame me...

HTH,
Sander.
--
| If TCP/IP handshaking was less formal,
| perhaps SYN / ACK would be Yo! / 'sup? instead...
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

Yes, that was essentially my problem. Once that was corrected, it worked
fine (obviously, had to comment out the
SAEximRunCond: 0
line in /etc/exim4/sa-exim.conf for it to actually work, as well as
enabling the daemon in the /etc/spamassassin/default file).

Effectively, the README updaet should be to see what the file returned
by 'exim4 -bV | tail -1' command is, and then doing a grep on that file
for 'local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so'.

If you find this line, merely need to check that you have the split file operation enabled in your update-exim4.conf.conf file (no idea why mine
wasn't enabled, I had specified split file at config time and hadn'nt
knowingly changed this parameter).


Thanks Sander,
Millis

On Sun, 2004-08-15 at 11:49, Sander Smeenk wrote:

Quoting Millis Miller ([email protected]):

I had some problems too getting it to work, but after some talking to
the sa-exim maintainer and the exim mailing list I managed to get it
to work.

What is missing in the documentation is how to make sure Exim4 actually
uses the sa-exim.so loadable module. Millis, I believe that was your
problem too, you thought you used the split_config, but
update-exim4.conf didn't update the autogenerated exim4.conf because /etc/exim4/update-exim4.conf.conf showed dc_use_split_config='false'.

So what i'm gonna do is add a few lines to README.Debian to clarify
how to find out what exim4.conf the system is using, and how to make
sure it is updated at all...

The rest of configuring sa-exim is all explained in the README.gz and
even more in /etc/exim4/sa-exim.conf.

The reason why i'm not letting sa-exim run on each and every message immediately after installation is because it *CAN* actually throw
messages away. Clueless users might not notice and blame me...

HTH,
Sander.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBH0RJPiGAmnxCk08RAtztAJ9eVf6v9td/5iG1zpWjg5ZzbiLyEACfVEe4 ns0FY1B/nJXEzSUlmjZGcGQ=
=Heny
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

On Sun, Aug 15, 2004 at 12:49:23PM +0200, Sander Smeenk wrote:

Quoting Millis Miller ([email protected]):

I had some problems too getting it to work, but after some talking to
the sa-exim maintainer and the exim mailing list I managed to get it
to work.

What is missing in the documentation is how to make sure Exim4 actually
uses the sa-exim.so loadable module. Millis, I believe that was your
problem too, you thought you used the split_config, but
update-exim4.conf didn't update the autogenerated exim4.conf because /etc/exim4/update-exim4.conf.conf showed dc_use_split_config='false'.

Like I said, I enabled split config already, that's not the problem.

Actually, as you can see from my bug report, it is scanning messages
that originate from my system, just not incoming messages (?!).

--
Christopher Cramer <[email protected]>
On r�siste � l'invasion des arm�es; on ne r�siste pas � l'invasion
des id�es. -- Victor Hugo


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

Quoting Christopher Cramer ([email protected]):

Like I said, I enabled split config already, that's not the problem. Actually, as you can see from my bug report, it is scanning messages
that originate from my system, just not incoming messages (?!).

Every message passes Exim's DATA acl, and that is where sa-exim hooks
in. And it being that your system scans OUTGOING messages but not
INCOMING messages looks to me pretty much like you might need to read sa-exim.conf some more, and come with clearer reports than
'documentation sucks' and 'the damn thing still does nothing'.

--
| Chinese proverb: Man who stand on toilet is high on pot
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

On Sun, Aug 15, 2004 at 08:08:47PM +0200, Sander Smeenk wrote:

Every message passes Exim's DATA acl, and that is where sa-exim hooks
in. And it being that your system scans OUTGOING messages but not
INCOMING messages looks to me pretty much like you might need to read sa-exim.conf some more, and come with clearer reports than
'documentation sucks' and 'the damn thing still does nothing'.

I don't see anything in sa-exim.conf for scanning outgoing versus
incoming. It turned out to be an issue with the exim4 config, in any case.

The problem with coming up with a better report was that I had nothing to
go on - there was nothing in the logs saying anything like "We decided
not to scan this message because...". The reason I filed the bug report
was not because I assumed that there was a bug in the software somewhere,
but because I figured I was doing something wrong but I had no idea where
to look.

Usually it is the case that there would be some pointers in the docs
(where do I look to figure out what's wrong? what do I need to change
in the exim4 config? etc.), but the documentation is very spartan. The spamassassin docs mostly assume you are setting it up with procmail and
the exim4 docs are just enormous and at first one is not quite sure
where to look.

So anyway, I think it would be helpful if in README.Debian there
was a statement mentioning the DATA acl, and a pointer to the access
control list section of the exim4 manual. I haven't checked your new
package yet, but in the one I have installed now, all I can find is the misleading statement "This code works without anything in the exim conf"
in README.gz.

--
Christopher Cramer <[email protected]>
On r�siste � l'invasion des arm�es; on ne r�siste pas � l'invasion
des id�es. -- Victor Hugo


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

Quoting Christopher Cramer ([email protected]):

Every message passes Exim's DATA acl, and that is where sa-exim hooks
in. And it being that your system scans OUTGOING messages but not
INCOMING messages looks to me pretty much like you might need to read sa-exim.conf some more, and come with clearer reports than
'documentation sucks' and 'the damn thing still does nothing'.

I don't see anything in sa-exim.conf for scanning outgoing versus
incoming.

Hmm. What is this then:

# This decides whether SA gets run against the message or not. Messages
# will not be rejected if the message had SA headers but weren't added
# by us If you comment this out, SA will be disabled
SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$h_X-SA-Do-Not-Run:}{Yes}} } {1}{0}}

See that 'if' construct?

It tells sa-exim not to run when the message comes from 127.0.0.1, or
a special header has been added. So it only limits scanning on outgoing messages, unless you have X-SA-Do-Not-Run: Yes in all your incoming
messages...

It turned out to be an issue with the exim4 config, in any case.

What exactly was causing the problem then? I'm really curious.

With a sa-exim install, the only 'switch' that tells sa-exim to run or
not is in sa-exim.conf, called 'SAEximRunCond'. I gathered that you had
that misconfigured, because that has triggers not to run with local
IP's, when configured correctly.

The problem with coming up with a better report was that I had nothing to
go on - there was nothing in the logs saying anything like "We decided
not to scan this message because...".

Well, okay. That tells me you didn't read, or understand what you read,
in sa-exim.conf. On one of the first lines is this snippet:

And you didn't see the first lines in sa-exim saying:
# Mostly always useful. Higher values == more debug output.
SAEximDebug: 1

And you didn't think of changing that to 9999, and reading exim's logfiles?

THAT would have been a start.

So anyway, I think it would be helpful if in README.Debian there
was a statement mentioning the DATA acl, and a pointer to the access
control list section of the exim4 manual.

Umm. SA-Exim and Exim's DATA ACL's are completely unrelated. You do not
have to fiddle with acl_data to get sa-exim working. It would only
obfuscate things to point to Exim's DATA acl's from sa-exim's docs.

I haven't checked your new package yet, but in the one I have
installed now, all I can find is the misleading statement "This code
works without anything in the exim conf" in README.gz.

You might call that 'misleading'. In the original design of Exim4 and
sa-exim it should be as easy as that to have Exim call the sa-exim
module. And from your emails I understand that after installing sa-exim,
it did in fact run, but only outgoing messages...
To me that is a configuration issue, "the code did actually work without
any changes to exim.conf". But enough about that...

IMHO people should read and understand what they are doing. It's not my
job to supply them with flowcharts on how to solve problems. As in your
case, if you had read the config file, you would have found SAEximDebug.

Kind regards,
Sander.
--
| There are 10 types of people, those who read binary, and those who don't.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBIFXf1GN+QQjOyU0RAh53AKCOmwQVTrXoPm73e/xnOJLrF55d+QCfVksD VP4lls6vA0Rggi1aa6oZLas=
=Z4pb
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)