Note: This page is under construction and shouldn't be considered "complete". If there are any questions, etc., please feel free to contact the users at spamassassin.apache.org list for more information.

...

Using sa-update

What is sa-update?

The goal of sa-update is to download new configuration files (rules, scores, etc.) so that SpamAssassin will use them to better catch spam and/or to avoid catching ham messages. The main reason to use sa-update is that the old method of disseminating rules (a new SpamAssassin release) is a lengthy process that can take months. Spam is rapidly changing, and new rules are often written in response. With sa-update, those rules can quickly (potentially within minutes) be distributed and the new spam caught. sa-update allows rules to be distributed as they are developed, while full SpamAssassin releases can focus on bug fixes and new features.

Channels

Simply put, channels are locations where sa-update can download rule and configuration files. By default, sa-update will use the updates.spamassassin.org channel to receive official updates from the SpamAssassin project, but anyone can create a channel and publish updates. By default, sa-update (and spamassassin) expect to find updates in the /var/lib/spamassassin/<spamassassin version> directory, which will have each channel in its own directory underneath. For example:

/var/lib/spamassassin
`-- 3.001001
    `-- updates_spamassassin_org

This shows the channel updates.spamassassin.org available for SpamAssassin 3.1.1, underneath the /var/lib/spamassassin directory.

For more information about what makes up a channel and how it all works together, please see the Publishing channels for sa-update section below.

NOTE: Once the /var/lib/spamassassin/<spamassassin version> directory exists, spamassassin expects to find all rules underneath that directory, so make sure that the first time you run sa-update it completes successfully (see below for information about running in debug mode).

sa-update commandline

sa-update has several parameters that can be passed via the commandline.

Channel / Location Related

--updatedir <path>:: sa-update by default places updates in the /var/lib/spamassassin/<spamassassin version> directory. If updates should go into a different directory, specify it via this option.
--channel <channel>:: sa-update by default only uses the updates.spamassassin.org channel for updates. If other channels should be used, specify them with this option. For multiple channels, specify this option multiple times. For example:

 sa-update --channel updates.spamassassin.org --channel saupdates.example.com

--channelfile <file>:: If multiple channels are going to be used at once, it may be easier to write the channels to a file, and then use this option to point to that file. For example:

$ rm -f channels ; touch channels
$ echo updates.spamassassin.org >> channels
$ echo saupdates.example.com >> channels
$ sa-update --channelfile channels

GPG Related

--(no)gpg:: By default, sa-update will require the use of GPG signatures to verify that downloaded updates are in fact legitimate. However, there may be channels which do not publish GPG signatures, or the system may not have GPG installed. In these situations, specify the --nogpg option to disable the use of GPG. Note: By using the --gpgkey or --gpgkeyfile options as shown below, --gpg is automatically enabled.
--gpghomedir <path>:: sa-update tries to keep its keys separate from the user's keys by using a different directory for the keyrings (passed to gpg via its --homedir option). By default, the location is /etc/mail/spamassassin/sa-update-keys. If a different location is desired, use this option to specify it.
--gpgkey <key id>:: Specify which GPG key ids should be trusted to sign update packages. If there are multiple keys, use this option multiple times to list them. Generally it's safer to specify the whole key fingerprint, but it is more common to see simply the last 8 hex digits used. For example:

 sa-update --gpgkey 26C900A46DD40CD5AD24F6D7DEE01987265FA05B --gpgkey 5244EC45

--gpgkeyfile <file>:: Similar to --channelfile, if there are multiple keys to be trusted, it may be easier to specify them in a file and then use this option to point sa-update at the file. For example:

$ rm -f gpgkeys ; touch gpgkeys
$ echo 26C900A46DD40CD5AD24F6D7DEE01987265FA05B >> gpgkeys
$ echo 5244EC45 >> gpgkeys
$ sa-update --gpgkeyfile gpgkeys

Other

-D, --debug [area=n,...]:: Show debugging information. This can be useful just to see what sa-update is doing, but is also useful to debug problems, etc. This option takes the same optional parameter (areas) as the other standard SpamAssassin tools.
-V, --version:: Display which version of sa-update is installed. sa-update is versioned by Subversion revision number as opposed to being tied to a specific SpamAssassin version.
-h, --help:: Print usage message.

More information is available via the POD/man page for sa-update.

Examples

sa-update && service spamassassin restart

...

  • From a technical standpoint, updates can also contain plugins. However, the default channel, updates.spamassassin.org, will not publish plugins using this method at this time.
  • Currently, for 3.1.1 and 3.2.0, using any channel for updates requires that updates.spamassassin.org also be used. This is because once the update directory exists, the SpamAssassin modules expect to find all rules in that directory.

...

Publishing channels for sa-update

Channels are fairly simple to set up and use. Simply put, updates are files contained in a standard tar.gz archive, distributed via HTTP. To allow for frequent update checks from clients, a lightweight announcement method (DNS queries) is used: certain DNS records specify the latest update version available for any given version of SpamAssassin. sa-update also uses a published mirror file which lists all of the URLs where the update can be downloaded from, optionally including weights for different mirrors.

...

When looking for an update, sa-update reverses the version and makes a DNS TXT query for <version>.<channel>. For example, running 3.1.01's sa-update with the default updates.spamassassin.org channel causes a DNS lookup for 01.1.3.updates.spamassassin.org. The query is for a TXT record containing the update number, which should be a monotonically increasing value. Assuming an update is necessary, sa-update will then read the MIRRORED.BY file (downloading it first if necessary from the URL found in the DNS TXT record mirrors.<channel>). Then the

Summary

DNS Records:

  • mirrors.<channel> TXT "http://URL/TO/MIRRORS/FILE"
     mirrors.updates.spamassassin.org TXT "http://spamassassin.apache.org/updates/MIRRORED.BY"
  • <version>.<channel> TXT "UPDATE_NUMBER"
     *.1.3.updates.spamassassin.org TXT "386156"
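
The announcement lookup described above, as an added example (not code from sa-update itself): it derives the directory and query names for SpamAssassin 3.1.1 and resolves the query against a constructed copy of the two TXT records in this summary. The wildcard matching is simplified, the channel directory rule is inferred from the listing earlier on this page, and treating only a larger number as an update is an assumption.

```python
# Constructed zone data: the two TXT records listed in the summary.
ZONE = {
    "mirrors.updates.spamassassin.org":
        "http://spamassassin.apache.org/updates/MIRRORED.BY",
    "*.1.3.updates.spamassassin.org": "386156",
}


def dir_version(version):
    """'3.1.1' -> '3.001001', the directory name under /var/lib/spamassassin."""
    major, minor, patch = (int(part) for part in version.split("."))
    return f"{major}.{minor:03d}{patch:03d}"


def channel_dir(channel):
    """'updates.spamassassin.org' -> 'updates_spamassassin_org' (inferred rule)."""
    return channel.replace(".", "_")


def query_name(version, channel):
    """Reverse the version labels and prepend them to the channel name."""
    return ".".join(reversed(version.split("."))) + "." + channel


def lookup_txt(zone, name):
    """Exact match first, then the longest wildcard (simplified DNS matching)."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None


def update_needed(zone, version, channel, installed):
    """Assumption: an update is needed only when the published number is larger."""
    published = lookup_txt(zone, query_name(version, channel))
    return published is not None and int(published) > installed
```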

...

  • Only files (no directories) contained in a tar.gz archive file named UPDATE_NUMBER.tar.gz
  • A sha1sum file named UPDATE_NUMBER.tar.gz.sha1 with the output of
     sha1sum UPDATE_NUMBER.tar.gz
  • Recommended, but optional, a detached GPG signature for the update named UPDATE_NUMBER.tar.gz.asc via something like
     gpg -bas UPDATE_NUMBER.tar.gz
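
A check that a publisher or client could run against a package built to the layout above, added here as an example and not taken from sa-update: it compares the archive with the first field of the .sha1 file and rejects any member that is not a plain top-level file. The archive is built in memory, and the member name 10_example.cf and all helper names are constructed for the example.

```python
import hashlib
import io
import os.path
import tarfile


def build_update(entries):
    """Build a constructed update archive in memory.

    entries maps member name -> bytes, or None for a directory entry.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha1sum_line(archive, filename):
    """Same layout as the output of `sha1sum UPDATE_NUMBER.tar.gz`."""
    return f"{hashlib.sha1(archive).hexdigest()}  {filename}\n"


def check_update(archive, sha1_text):
    """Return a list of problems; an empty list means the package passes."""
    fields = sha1_text.split()
    expected = fields[0].lower() if fields else ""
    if hashlib.sha1(archive).hexdigest() != expected:
        return ["sha1 mismatch"]  # do not parse an archive that failed the checksum
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                problems.append(f"not a regular file: {member.name}")
            elif os.path.basename(member.name) != member.name or member.name == "..":
                problems.append(f"has a directory component: {member.name}")
    return problems
```

The .sha1 file is served from the same place as the archive, so this check detects corruption only; the detached GPG signature is what ties the package to the channel's key.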

...