1SA-UPDATE(1)          User Contributed Perl Documentation         SA-UPDATE(1)
2
3
4

NAME

6       sa-update - automate SpamAssassin rule updates
7

SYNOPSIS

9       sa-update [options]
10
11       Options:
12
13         --channel channel       Retrieve updates from this channel
14                                 Use multiple times for multiple channels
15         --channelfile file      Retrieve updates from the channels in the file
16         --checkonly             Check for update availability, do not install
17         --install filename      Install updates directly from this file. Signature
18                                 verification will use "file.asc", "file.sha256",
19                                 and "file.sha512".
20         --allowplugins          Allow updates to load plugin code (DANGEROUS)
21         --gpgkey key            Trust the key id to sign releases
22                                 Use multiple times for multiple keys
23         --gpgkeyfile file       Trust the key ids in the file to sign releases
24         --gpghomedir path       Store the GPG keyring in this directory
25         --gpg and --nogpg       Use (or do not use) GPG to verify updates
26                                 (--gpg is assumed by use of the above
27                                 --gpgkey and --gpgkeyfile options)
28         --import file           Import GPG key(s) from file into sa-update's
29                                 keyring. Use multiple times for multiple files
30         --updatedir path        Directory to place updates, defaults to the
31                                 SpamAssassin site rules directory
32                                 (default: /var/lib/spamassassin/3.004006)
33         --refreshmirrors        Force the MIRRORED.BY file to be updated
34         --httputil util         Force used download tool. By default first found
35                                 from these is used: curl, wget, fetch, lwp
36         -D, --debug [area=n,...]  Print debugging messages
37         -v, --verbose           Be verbose, like print updated channel names;
38                                 For more verbosity specify multiple times
39         -V, --version           Print version
40         -h, --help              Print usage message
41         -4                      Force using the inet protocol (IPv4), not inet6
42         -6                      Force using the inet6 protocol (IPv6), not inet
43

DESCRIPTION

45       sa-update automates the process of downloading and installing new rules
46       and configuration, based on channels.  The default channel is
47       updates.spamassassin.org, which has updated rules since the previous
48       release.
49
50       Update archives are verified using SHA256 and SHA512 hashes and GPG
51       signatures, by default.
52
53       Note that "sa-update" will not restart "spamd" or otherwise cause a
54       scanner to reload the now-updated ruleset automatically.  Instead,
55       "sa-update" is typically used in something like the following manner:
56
57               sa-update && /etc/init.d/spamassassin reload
58
59       This works because "sa-update" only returns an exit status of 0 if it
60       has successfully downloaded and installed an updated ruleset.
61
62       The program sa-update uses the underlying operating system umask for
63       the updated rule files it installs.  You may wish to run sa-update from
64       a script that sets the umask prior to calling sa-update.  For example:
65
66               #!/bin/sh
67               umask 022
68               sa-update
69

OPTIONS

71       --channel
72           sa-update can update multiple channels at the same time.  By
73           default, it will only access "updates.spamassassin.org", but more
74           channels can be specified via this option.  If there are multiple
75           additional channels, use the option multiple times, once per
76           channel.  i.e.:
77
78                   sa-update --channel foo.example.com --channel bar.example.com
79
80       --channelfile
81           Similar to the --channel option, except specify the additional
82           channels in a file instead of on the commandline.  This is useful
83           when there are a lot of additional channels.
84
85       --checkonly
86           Only check if an update is available, don't actually download and
87           install it.  The exit code will be 0 or 1 as described below.
88
89       --install
90           Install updates "offline", from the named tar.gz file, instead of
91           performing DNS lookups and HTTP invocations.
92
93           Files named file.sha256, file.sha512, and file.asc will be used for
94           the SHA256 and SHA512 hashes and the GPG signature, respectively.
95           The filename provided must contain a version number of at least 3
96           digits, which will be used as the channel's update version number.
97
98           Multiple --channel switches cannot be used with --install.  To
99           install multiple channels from tarballs, run "sa-update" multiple
100           times with different --channel and --install switches, e.g.:
101
102                   sa-update --channel foo.example.com --install foo-34958.tgz
103                   sa-update --channel bar.example.com --install bar-938455.tgz
104
105       --allowplugins
106           Allow downloaded updates to activate plugins.  The default is not
107           to activate plugins; any "loadplugin" or "tryplugin" lines will be
108           commented in the downloaded update rules files.
109
110           You should never enable this for 3rd party update channels, since
111           plugins can execute unrestricted code on your system, even possibly
112           as root! This includes spamassassin official updates, which have no
113           need to include running code.
114
115           Use --reallyallowplugins option to bypass warnings and make it
116           work.
117
118       --gpg, --nogpg
119           sa-update by default will verify update archives by use of SHA256
120           and SHA512 checksums and GPG signature.  SHA* hashes can verify
121           whether or not the downloaded archive has been corrupted, but it
122           does not offer any form of security regarding whether or not the
123           downloaded archive is legitimate (aka: non-modifed by evildoers).
124           GPG verification of the archive is used to solve that problem.
125
126           If you wish to skip GPG verification, you can use the --nogpg
127           option to disable its use.  Use of the following gpgkey-related
128           options will override --nogpg and keep GPG verification enabled.
129
130           Note: Currently, only GPG itself is supported (ie: not PGP).  v1.2
131           has been tested, although later versions ought to work as well.
132
133       --gpgkey
134           sa-update has the concept of "release trusted" GPG keys.  When an
135           archive is downloaded and the signature verified, sa-update
136           requires that the signature be from one of these "release trusted"
137           keys or else verification fails.  This prevents third parties from
138           manipulating the files on a mirror, for instance, and signing with
139           their own key.
140
141           By default, sa-update trusts key ids "24F434CE" and "5244EC45",
142           which are the standard SpamAssassin release key and its sub-key.
143           Use this option to trust additional keys.  See the --import option
144           for how to add keys to sa-update's keyring.  For sa-update to use a
145           key it must be in sa-update's keyring and trusted.
146
147           For multiple keys, use the option multiple times.  i.e.:
148
149                   sa-update --gpgkey E580B363 --gpgkey 298BC7D0
150
151           Note: use of this option automatically enables GPG verification.
152
153       --gpgkeyfile
154           Similar to the --gpgkey option, except specify the additional keys
155           in a file instead of on the commandline.  This is extremely useful
156           when there are a lot of additional keys that you wish to trust.
157
158       --gpghomedir
159           Specify a directory path to use as a storage area for the
160           "sa-update" GPG keyring.  By default, this is
161
162                   /etc/mail/spamassassin/sa-update-keys
163
164       --import
165           Use to import GPG key(s) from a file into the sa-update keyring
166           which is located in the directory specified by --gpghomedir.
167           Before using channels from third party sources, you should use this
168           option to import the GPG key(s) used by those channels.  You must
169           still use the --gpgkey or --gpgkeyfile options above to get sa-
170           update to trust imported keys.
171
172           To import multiple keys, use the option multiple times.  i.e.:
173
174                   sa-update --import channel1-GPG.KEY --import channel2-GPG.KEY
175
176           Note: use of this option automatically enables GPG verification.
177
178       --refreshmirrors
179           Force the list of sa-update mirrors for each channel, stored in the
180           MIRRORED.BY file, to be updated.  By default, the MIRRORED.BY file
181           will be cached for up to 7 days after each time it is downloaded.
182
183       --updatedir
184           By default, "sa-update" will use the system-wide rules update
185           directory:
186
187                   /var/lib/spamassassin/3.004006
188
189           If the updates should be stored in another location, specify it
190           here.
191
192           Note that use of this option is not recommended; if you're just
193           using sa-update to download updated rulesets for a scanner, and sa-
194           update is placing updates in the wrong directory, you probably need
195           to rebuild SpamAssassin with different "Makefile.PL" arguments,
196           instead of overriding sa-update's runtime behaviour.
197
198       -D [area,...], --debug [area,...]
199           Produce debugging output.  If no areas are listed, all debugging
200           information is printed.  Diagnostic output can also be enabled for
201           each area individually; area is the area of the code to instrument.
202           For example, to produce diagnostic output on channel, gpg, and
203           http, use:
204
205                   sa-update -D channel,gpg,http
206
207           For more information about which areas (also known as channels) are
208           available, please see the documentation at
209           <http://wiki.apache.org/spamassassin/DebugChannels>.
210
211       -h, --help
212           Print help message and exit.
213
214       -V, --version
215           Print sa-update version and exit.
216

EXIT CODES

218       In absence of a --checkonly option, an exit code of 0 means: an update
219       was available, and was downloaded and installed successfully.  If
220       --checkonly was specified, an exit code of 0 means: an update was
221       available.
222
223       An exit code of 1 means no fresh updates were available.
224
225       An exit code of 2 means that at least one update is available but that
226       a lint check of the site pre files failed.  The site pre files must
227       pass a lint check before any updates are attempted.
228
229       An exit code of 3 means that at least one update succeeded while other
230       channels failed.  If using sa-compile, you should proceed with it.
231
232       An exit code of 4 or higher, indicates that errors occurred while
233       attempting to download and extract updates, and no channels were
234       updated.
235

SEE ALSO

237       Mail::SpamAssassin(3) Mail::SpamAssassin::Conf(3) spamassassin(1)
238       spamd(1) <http://wiki.apache.org/spamassassin/RuleUpdates>
239

PREREQUISITES

241       "Mail::SpamAssassin"
242

BUGS

244       See <http://issues.apache.org/SpamAssassin/>
245

AUTHORS

247       The Apache SpamAssassin(tm) Project <https://spamassassin.apache.org/>
248
250       SpamAssassin is distributed under the Apache License, Version 2.0, as
251       described in the file "LICENSE" included with the distribution.
252
253       Copyright (C) 2015 The Apache Software Foundation
254
255
256
257perl v5.32.1                      2021-04-14                      SA-UPDATE(1)
Impressum