This file is indexed.

/etc/exim4/sa-exim.conf is in sa-exim 4.2.1-14.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
# Options for spamassassin running in exim's local_scan (SA Exim)
# By Marc MERLIN <marc_soft@merlins.org> - Initial version: April 2002
# Sander Smeenk <ssmeenk@freshdot.net> - Improvements: March 2004
#
# Sample file version 1.16 for SA-Exim 4.1 - 2005/01/10 
#
# The parse routine is minimalistic. It expects "option: value" (exactly
# one space after the colon, and none before). You should put long lines
# on one line. The parser isn't capable of parsing multiline values.
#
# SA threshold values are parsed as floats and other numerical options
# are ints. String options have to be set. To unset them, comment out the
# variable, don't set it to nothing.
#
# READ THIS:
# ---------
# Watch your logs, you will get errors and your messages will get
# temporarily bounced if expansions fail. Watch your logs!
#
# If you are afraid that spammers might use a header that is used here
# as a default, have exim set it to another value than 'Yes' and check
# here for that other value.
#
# For every expansion, anything that doesn't expand to "" or "0"
# (without quotes) will be considered true. If you set the string to 1,
# it will be true without going through exim's condition evaluator (and
# if you leave it unset, it will default to 0)
#
# You should not put double quotes around expressions!
# --- snip ---

# Enable basic verbose output by default. Watch your logs!
SAEximDebug: 1


# Default path is /usr/bin/spamc, but you can change it here
SAspamcpath: /usr/bin/spamc

# Which characters are retained from a Message-Id header (for safety, we
# remove characters that might cause problems with shell parsing)
# Change the default at your own risk (you also have to change this in
# the SA greylisting patch if you use that)
#SAsafemesgidchars: !#%( )*+,-.0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~

# If SAspamcSockPath is set spamc uses socket to connect to spamd,
# use --socketpath pathname as argument to spamd (new in SA 2.60).
# Leave it unset if you want spamc to connect(AF_INET) to spamd at
# 127.0.0.1 (this is the default shown in the options below), but if
# you set it, it will override the two TCP connect options below
#SAspamcSockPath: /var/run/spamd.sock

# SAspamcHost / SAspamcPort: TCP socket where your spamd is listening.
# Default is to let spamc use any settings in spamc.conf.
#SAspamcHost: 127.0.0.1
#SAspamcPort: 783

# SAspamcUser: The username passed to spamc. Some tricks are needed to 
# decide on one user when there are many recipients. This string is of
# course expanded. If unset or empty, spamc will use the user Exim 
# runs as. We suggest that you decide what username to use in the ACLs
# and set an ACL variable.
#SAspamcUser: $acl_m2

# Exim configuration string to run before running SA against the message
# This decides whether SA gets run against the message or not.  This
# default will not reject messages if the message had SA headers but
# they weren't added by us.
SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{::1}}}}
# If you want more detailed control over when to run SA, it's recommended
# that you set an ACL variable indicating this from the acl section of
# your Exim configuration file. The current maintainer sets acl_m0 to 
# "noscan" if the sending host is localhost or has authenticated.
#SAEximRunCond: ${if !eq{$acl_m0}{noscan}}
# (This means exactly the same as ${if !eq{$acl_m0}{noscan} {true}{}}, 
# where the empty string is considered false.)

#----------------------------------------------------------------------
# Remove or comment out the following line to enable sa-exim
SAEximRunCond: 0
#----------------------------------------------------------------------

# If and only if SAEximRunCond was true, and we did run SA, this
# expression decides whether we actually consider acting upon SAdevnull,
# SApermreject, and SAtempreject if you have them set.
#
# Use this to tag messages that you shouldn't reject (messages sent to
# abuse or postmaster for instance).
#
# As an example, set acl_m0 to "canreject" if a recipient other than
# postmaster or abuse is encountered (and the sender isn't local). That
# way, spammers can't circumvent blocking by sending to postmaster and 
# 99 other recipients. (If acl_m0 is taken, you'll of course have to use
# a different variable.
#SAEximRejCond: ${if eq{$acl_m0}{canreject}}


# How much of the body we feed to spamassassin (in bytes)
# Default is 250KB
SAmaxbody: 256000

# Do you want to feed SAmaxbody's worth of the message body if it is too big?
# Either, you skip messages that are too big and not scan them, or you can
# truncate the body and feed that to SA.
# Note that SA will sometimes raise the spam score if it can't parse
# the message correctly (since the end is missing, decoding will fail)
# Default is 0: do not scan messages that are too big
# (note that this is parsed as a condition)
SATruncBodyCond: 0

# If you want SA to report_safe you need sa-exim to rewrite the body of
# the message since SA encapsulates the spam as a mime attachment.
# You probably want SATruncBodyCond to be 0 or else you'll end up with a
# partial message if it's larger than SAmaxbody and it's spam
#
# Also note that if you enable this option, any saved message will be saved
# after the body has been modified by SA.
# (this is not a condition as SA's report_safe is not conditional)
SARewriteBody: 0

# Prepend saved messages with an fake From-header to make the file look like a
# valid mbox file
SAPrependArchiveWithFrom: 1

# If you are archiving messages that are rejected, how much do you want
# to archive? Default is 20MB.
SAmaxarchivebody: 20971520

# On errors, if you are saving messages, you probably want the entire message
# Default size saved (if you are saving errors) is 1GB
SAerrmaxarchivebody: 1073741824

# You can have SA-Exim add a X-SA-Exim-Rcpt-To header, which will list all
# the recipients for the Email, unless the list gets bigger than 
# SAmaxrcptlistlength bytes.
# The default value of 0 disables the header for privacy reasons (the header
# exposes Bcced recipients)
# Any value bigger than 8000 will be ignored because there is a limit on the
# size of headers that you can have and exim's string_sprintf
# Note that if you are planning to use greylisting, you should set this
# value to 8000 since SA's greylisting code needs the recipients.
SAmaxrcptlistlength: 0

# Add X-SA-Exim-Rcpt-To and X-SA-Exim-Mail-From headers before SA scans
# the message.
# If this option is enabled, SARewiteBody is true, and safe_mode is
# enabled in SA, you end up with the X-SA-Exim-Rcpt-To/X-SA-Exim-Mail-From in
# the attatched message as well without the ability to remove them later in an
# exim transport (think privacy). 
# In real life this is usually not a problem because the message is spam anyway,
# and if you turn this off, you lose the option to use those headers to score
# the message with SA.
SAaddSAEheaderBeforeSA: 1

# How many seconds you want to allow spamc to run. Exim 4.04 and better will
# kill us after a default of 5 minutes. This however is not great, because the
# mail gets temporarily rejected
# You should set this and have SA Exim handle the timeout itself and accept the
# message if spamc takes too long (instead of timing out)
# A value of 0 means no timeout, and we run until exim stops us. 
# I know of at least one mail server (nanog's merit.edu) that will not
# wait a full 5mn (which causes tempreject and resends), so the default is 4mn
#SAtimeout: 240

# Do you want to save mails that were accepted because spamc timed out?
# Specify a directory to enable the feature.
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAtimeoutsave: /var/spool/sa-exim/SAtimeoutsave

# You can optionally save or not save messages that matched the above rule
SAtimeoutSavCond: 1


# You should really create this directory for local_scan to save messages that
# created an error. If you don't want this, comment out this variable
# Make sure all these directories are owned by the exim user
# SA-Exim will try to  create the directory if it has  the permissions to do
# so, check your maillog for failures  (or create the directory yourself and
# make it writeable by exim)
SAerrorsave: /var/spool/sa-exim/SAerrorsave

# You can optionally save or not save messages that matched the above rule
# You should not put double quotes around the expression
SAerrorSavCond: 1

# If you set to 1, SA will temporarily reject messages that generated an error
# while they were processed (they'll still be saved if SAerrorsave is set).
# Otherwise (0 = false), the messages are just accepted, which seems like a
# more sensible default
SAtemprejectonerror: 0


###############################################################################
# NOTE: Spamd needs to tell sa-exim that the message SA-Exim gave spamd
# is spam before sa-exim will consider the SA tresholds.
# In other words, you cannot reject mails on SA scores if you set that
# threshold to a lower threshold than SA's required_hits value.
# The one exception to this rule is SAtempreject (in order to let you
# temporarily reject mail when you are doing greylisting, see
# README.greylisting in the documentation for details)
###############################################################################

# SA score when you start stalling the sender by sending many continuation
# lines for up to SAteergrubetime
# This is now a string (without quotes) that gets evaluated at runtime by exim
# but you can still assign a simple float value to it
# Note that this is an obvious abuse of SMTP, but eh, they started it :-)
# Of course, this means that each incoming spam with the right score threshold
# will keep an exim process busy on your machine. Make sure you can afford it.
# Default value is 2^20, which should disable the behavior

# Please, don't teergrube people who relay for you or your own MXes :-)
# This option is left behind for backward compatibility, but you can now
# get the same result by putting a condition string in SAteergrube
# The trick is to list your score if the condition succeeds, and a really 
# high score otherwise.
#SAteergrube: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{127.0.0.2}} } {25}{1048576}}

# SAteergrubecond is deprecated (replaced by SAteergrube)
# You used to be say whether you would apply the teergrubing score with this
# condition, but now that scores are conditions, it is obsolete
#SAteergrubecond: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$sender_host_address}{127.0.0.2}} } {1}{0}}

# How long do you want to stall the sender (in seconds)
# If you set the value too high, you might get too many exim processes running
# and run out of process slots
# Remember, don't come crying if playing with this "feature" causes your mail
# server to catch fire :-)
SAteergrubetime: 900

# You can optionally save or not save messages that matched the above rule
SAteergrubeSavCond: 1

# Do you want to save mails that you stalled for later analysis?
# Specify a directory to enable the feature.
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAteergrubesave: /var/spool/sa-exim/SAteergrube

# When you stall the sender, you will probably get the mail again.
# By default, we'll  only save messages by message ID so  that we don't save
# multiple copies every time the sender tries again.
# Of course, this means someone could fake someone else's message ID to
# overwrite the saved copy of another spam. Such is life :-)
SAteergrubeoverwrite: 1



# If you reach this score, the mail is accepted and tossed (/dev/nulled).
# The default value is 2^20 which should ensure this never happens.
# This is now a string (without quotes) that gets evaluated at runtime by exim
# but you can still assign a simple float value to it
# You should be really sure that the message is spam because the sender will
# get no notification
#SAdevnull: 20.0

# You can optionally save or not save messages that matched the above rule
SAdevnullSavCond: 1

# Do you want to save mails that are tossed?
# Specify a directory to enable the feature.
# This is just in case you do want to keep a copy of the alledge spams somewhere
# Messages are saved by unixdate_Message-Id or just unix date if there is no
# Message-Id.
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAdevnullsave: /var/spool/sa-exim/SAdevnull



# SA score when you start rejecting Emails (this is better than the above as
# it can notify the sender in case you reject non-spam by mistake)
# This is now a string (without quotes) that gets evaluated at runtime by exim
# but you can still assign a simple float value to it
# Default value is 2^20, which should disable the behavior if you comment out
# the line below
SApermreject: 12.0

# You can optionally save or not save messages that matched the above rule
SApermrejectSavCond: 1

# Do you want to save mails that are rejected?
# Specify a directory to enable the feature.
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SApermrejectsave: /var/spool/sa-exim/SApermreject



# SA score when you start returning a temporary reject.
# There are few reasons to use this, except if you're reading your tempreject
# save folder (see below) and ajusting scores on the fly, or if you are using
# greylisting
# This is now a string (without quotes) that gets evaluated at runtime by exim
# but you can still assign a simple float value to it
# Default value is 2^20, which should disable the behavior
#SAtempreject: 9.0

# You can optionally save or not save messages that matched the above rule
SAtemprejectSavCond: 1

# Do you want to save mails that are temporarily rejected?
# Specify a directory to enable the feature.
# You could use this to analyse what SA is bouncing and adding an allow rule
# to accept the mail next time it is sent back to you
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAtemprejectsave: /var/spool/sa-exim/SAtempreject

# When you send back a temp reject code, you will get the mail again.
# By default, we'll only save messages by message ID so that we don't save
# multiple copies every time the sender tries again.
# Of course, this means someone could fake someone else's message ID to
# overwrite the saved copy of another spam. Such is life :-)
SAtemprejectoverwrite: 1

# See README.greylisting in the documentation for the following options
# This is the string that SpamAssassin adds if the message is whitelisted
# We use this to optionally increase the score needed for a tempreject
# (in order to let a message through when it would otherwise have been
# temprejected)
# Default value is "GREYLIST_ISWHITE" (as used in the patch provided by SA-Exim)
SAgreylistiswhitestr: GREYLIST_ISWHITE

# By how much do we temporarly raise tempreject to allow a mail in when it
# would otherwise have been temp rejected (because SA flagged it was whitelisted
# by the greylisting code provided as a patch to SA in the SA-Exim distro)
# Note that greylisting will not work in until you patch SA with the greylist
# function
# Note that you most likely want 
# SAtempreject + SAgreylistraisetempreject <= SApermreject
# Default value is 3.0 but you'd probably to lower the tempreject score and
# increase this one (see README.greylisting)
SAgreylistraisetempreject: 3.0


# Do you want to save mails that are flagged as spam by SA, but not rejected by
# any of the above thresholds?  Specify a directory to enable the feature.
# That's one way to track mails thare are going through even though they were
# flagged by SA (note that you could also save them in exim's system_filter,
# although copies saved here happen before exim makes modification to the
# message like rewriting)
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAspamacceptsave: /var/spool/sa-exim/SAspamaccept

# You can control which messages you want saved if you only want a subset
SAspamacceptSavCond: 0


# Do you want to save mails that are not flagged as spam by SA
# Specify a directory to enable the feature.
# This is only here for completeness, if you want to save all messages not
# flagged as spam by SA (you could also do this in system_filter)
# SA-Exim will try to create the directory if it has the permissions to do so,
# check your maillog for failures (or create the directory yourself and make it
# writeable by exim)
SAnotspamsave: /var/spool/sa-exim/SAnotspam

# You can control which messages you want saved if you only want a subset
SAnotspamSavCond: 0

# All the following strings can take one '%s' which will be replaced by
# spamstatus: "SA score, trigger score"
SAmsgteergrubewait: Wait for more output
SAmsgteergruberej: Please try again later
SAmsgpermrej: Rejected
SAmsgtemprej: Please try again later
# This string is a static string, do not include "%s"
SAmsgerror: Temporary local error while processing message, please contact postmaster.