1SA-UPDATE(1)          User Contributed Perl Documentation         SA-UPDATE(1)
2
3
4

NAME

6       sa-update - automate SpamAssassin rule updates
7

SYNOPSIS

9       sa-update [options]
10
11       Options:
12
13         --channel channel       Retrieve updates from this channel
14                                 Use multiple times for multiple channels
15         --channelfile file      Retrieve updates from the channels in the file
16         --checkonly             Check for update availability, do not install
17         --install file          Install updates directly from this file. Signature
18                                 verification will use "file.asc", or "file.sha512"
19                                 or "file.sha256".
20         --allowplugins          Allow updates to load plugin code (DANGEROUS)
21         --gpgkey key            Trust the key id to sign releases
22                                 Use multiple times for multiple keys
23         --gpgkeyfile file       Trust the key ids in the file to sign releases
24         --gpghomedir path       Store the GPG keyring in this directory
25         --gpg and --nogpg       Use (or do not use) GPG to verify updates
26                                 (--gpg is assumed by use of the above
27                                 --gpgkey and --gpgkeyfile options)
28         --import file           Import GPG key(s) from file into sa-update's
29                                 keyring. Use multiple times for multiple files
30         --updatedir path        Directory to place updates, defaults to the
31                                 SpamAssassin site rules directory
32                                 (default: /var/lib/spamassassin/4.000000)
33         --refreshmirrors        Force the MIRRORED.BY file to be updated
34         --forcemirror url       Use a specific mirror instead of downloading from
35                                 official mirrors
36         --httputil util         Force used download tool. By default first found
37                                 from these is used: curl, wget, fetch, lwp
38         --score-multiplier x.x  Adjust all scores from update channel, multiply
39                                 with given value (integer or float).
40         --score-limit x.x       Adjust all scores from update channel, limit
41                                 to given value (integer or float). Limiting
42                                 is done after possible multiply operation.
43         -D, --debug [area=n,...]  Print debugging messages
44         -v, --verbose           Be verbose, like print updated channel names;
45                                 For more verbosity specify multiple times
46         -V, --version           Print version
47         -h, --help              Print usage message
48         -4                      Force using the inet protocol (IPv4), not inet6
49         -6                      Force using the inet6 protocol (IPv6), not inet
50

DESCRIPTION

52       sa-update automates the process of downloading and installing new rules
53       and configuration, based on channels.  The default channel is
54       updates.spamassassin.org, which has updated rules since the previous
55       release.
56
57       Update archives are verified using GPG signatures by default.  If GPG
58       is disabled (not recommended), file integrity is checked with SHA512 or
59       SHA256 checksums.
60
61       Note that "sa-update" will not restart "spamd" or otherwise cause a
62       scanner to reload the now-updated ruleset automatically.  Instead,
63       "sa-update" is typically used in something like the following manner:
64
65               sa-update && /etc/init.d/spamassassin reload
66
67       This works because "sa-update" only returns an exit status of 0 if it
68       has successfully downloaded and installed an updated ruleset.
69
70       The program sa-update uses the underlying operating system umask for
71       the updated rule files it installs.  You may wish to run sa-update from
72       a script that sets the umask prior to calling sa-update.  For example:
73
74               #!/bin/sh
75               umask 022
76               sa-update
77

OPTIONS

79       --channel
80           sa-update can update multiple channels at the same time.  By
81           default, it will only access "updates.spamassassin.org", but more
82           channels can be specified via this option.  If there are multiple
83           additional channels, use the option multiple times, once per
84           channel.  i.e.:
85
86                   sa-update --channel foo.example.com --channel bar.example.com
87
88       --channelfile
89           Similar to the --channel option, except specify the additional
90           channels in a file instead of on the commandline.  This is useful
91           when there are a lot of additional channels.
92
93       --checkonly
94           Only check if an update is available, don't actually download and
95           install it.  The exit code will be 0 or 1 as described below.
96
97       --install
98           Install updates "offline", from the named tar.gz file, instead of
99           performing DNS lookups and HTTP invocations.
100
101           Files named file.asc, file.sha512, or file.sha256 will be used for
102           GPG signature, and the SHA256 and SHA512 checksums, respectively.
103           The filename provided must contain a version number of at least 3
104           digits, which will be used as the channel's update version number.
105
106           Multiple --channel switches cannot be used with --install.  To
107           install multiple channels from tarballs, run "sa-update" multiple
108           times with different --channel and --install switches, e.g.:
109
110                   sa-update --channel foo.example.com --install foo-34958.tgz
111                   sa-update --channel bar.example.com --install bar-938455.tgz
112
113       --allowplugins
114           Allow downloaded updates to activate plugins.  The default is not
115           to activate plugins; any "loadplugin" or "tryplugin" lines will be
116           commented in the downloaded update rules files.
117
118           You should never enable this for 3rd party update channels, since
119           plugins can execute unrestricted code on your system, even possibly
120           as root! This includes spamassassin official updates, which have no
121           need to include running code.
122
123           Use --reallyallowplugins option to bypass warnings and make it
124           work.
125
126       --gpg, --nogpg
127           sa-update by default will verify update archives by use of GPG
128           signature.
129
130           If you wish to skip GPG verification (very unsafe), you can use the
131           --nogpg option to disable its use.  Use of the following gpgkey-
132           related options will override --nogpg and keep GPG verification
133           enabled.
134
135           If GPG is disabled, only SHA512 or SHA256 checksums are used to
136           verify whether or not the downloaded archive has been corrupted,
137           but it does not offer any form of security regarding whether or not
138           the downloaded archive is legitimate (aka: non-modifed by
139           evildoers).
140
141           Note: Only GnuPG is supported (ie: not any other PGP software).
142
143       --gpgkey
144           sa-update has the concept of "release trusted" GPG keys.  When an
145           archive is downloaded and the signature verified, sa-update
146           requires that the signature be from one of these "release trusted"
147           keys or else verification fails.  This prevents third parties from
148           manipulating the files on a mirror, for instance, and signing with
149           their own key.
150
151           By default, sa-update trusts key ids "24F434CE" and "5244EC45",
152           which are the standard SpamAssassin release key and its sub-key.
153           Use this option to trust additional keys.  See the --import option
154           for how to add keys to sa-update's keyring.  For sa-update to use a
155           key it must be in sa-update's keyring and trusted.
156
157           For multiple keys, use the option multiple times.  i.e.:
158
159                   sa-update --gpgkey E580B363 --gpgkey 298BC7D0
160
161           Note: use of this option automatically enables GPG verification.
162
163       --gpgkeyfile
164           Similar to the --gpgkey option, except specify the additional keys
165           in a file instead of on the commandline.  This is extremely useful
166           when there are a lot of additional keys that you wish to trust.
167
168       --gpghomedir
169           Specify a directory path to use as a storage area for the
170           "sa-update" GPG keyring.  By default, this is
171
172                   /etc/mail/spamassassin/sa-update-keys
173
174       --import
175           Use to import GPG key(s) from a file into the sa-update keyring
176           which is located in the directory specified by --gpghomedir.
177           Before using channels from third party sources, you should use this
178           option to import the GPG key(s) used by those channels.  You must
179           still use the --gpgkey or --gpgkeyfile options above to get sa-
180           update to trust imported keys.
181
182           To import multiple keys, use the option multiple times.  i.e.:
183
184                   sa-update --import channel1-GPG.KEY --import channel2-GPG.KEY
185
186           Note: use of this option automatically enables GPG verification.
187
188       --refreshmirrors
189           Force the list of sa-update mirrors for each channel, stored in the
190           MIRRORED.BY file, to be updated.  By default, the MIRRORED.BY file
191           will be cached for up to 7 days after each time it is downloaded.
192
193       --forcemirror
194           Force the download from a specific host instead of relying on
195           mirrors listed in MIRRORED.BY.
196
197       --updatedir
198           By default, "sa-update" will use the system-wide rules update
199           directory:
200
201                   /var/lib/spamassassin/4.000000
202
203           If the updates should be stored in another location, specify it
204           here.
205
206           Note that use of this option is not recommended; if you're just
207           using sa-update to download updated rulesets for a scanner, and sa-
208           update is placing updates in the wrong directory, you probably need
209           to rebuild SpamAssassin with different "Makefile.PL" arguments,
210           instead of overriding sa-update's runtime behaviour.
211
212       -D [area,...], --debug [area,...]
213           Produce debugging output.  If no areas are listed, all debugging
214           information is printed.  Diagnostic output can also be enabled for
215           each area individually; area is the area of the code to instrument.
216           For example, to produce diagnostic output on channel, gpg, and
217           http, use:
218
219                   sa-update -D channel,gpg,http
220
221           For more information about which areas (also known as channels) are
222           available, please see the documentation at
223           <https://wiki.apache.org/spamassassin/DebugChannels>.
224
225       -h, --help
226           Print help message and exit.
227
228       -V, --version
229           Print sa-update version and exit.
230

EXIT CODES

232       In absence of a --checkonly option, an exit code of 0 means: an update
233       was available, and was downloaded and installed successfully.  If
234       --checkonly was specified, an exit code of 0 means: an update was
235       available.
236
237       An exit code of 1 means no fresh updates were available.
238
239       An exit code of 2 means that at least one update is available but that
240       a lint check of the site pre files failed.  The site pre files must
241       pass a lint check before any updates are attempted.
242
243       An exit code of 3 means that at least one update succeeded while other
244       channels failed.  If using sa-compile, you should proceed with it.
245
246       An exit code of 4 or higher, indicates that errors occurred while
247       attempting to download and extract updates, and no channels were
248       updated.
249

SEE ALSO

251       Mail::SpamAssassin(3) Mail::SpamAssassin::Conf(3) spamassassin(1)
252       spamd(1) <https://wiki.apache.org/spamassassin/RuleUpdates>
253

PREREQUISITES

255       "Mail::SpamAssassin"
256

BUGS

258       See <https://issues.apache.org/SpamAssassin/>
259

AUTHORS

261       The Apache SpamAssassin(tm) Project <https://spamassassin.apache.org/>
262
264       SpamAssassin is distributed under the Apache License, Version 2.0, as
265       described in the file "LICENSE" included with the distribution.
266
267       Copyright (C) 2015 The Apache Software Foundation
268
269
270
271perl v5.36.0                      2023-01-21                      SA-UPDATE(1)
Impressum