[Dovecot] antispam plugin, amavis and sa-learn

Steffen Kaiser skdovecot at smail.inf.fh-bonn-rhein-sieg.de
Tue Jul 8 13:47:33 EEST 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 8 Jul 2008, Johannes Bauer wrote:

> (1) making the amavis user's .spamassassin directory to world-writeable
> and handing the path to sa-learn with the --dbpath parameter. That failed
> - the IMAP client says "Move not allowed" when I try to move a message to
> or from the Spam IMAP folder.

> (3) editing sudoers to allow 'sudo -u amavis sa-learn' without a password.
> This works fine on the command line, but fails with the same error as (1)
> when used with the plugin.

Hmm, "Move not allowed" from the client?

What do you see from Dovecot? I mean when you speak IMAP directly or 
trace/sniff a non-SSL connection. I have the impression, that you hit a 
situation, like:

"Cannot APPEND to a SPAM folder."

However, in this case it should not work with the sendmail binary.

For (3): did you allow all users to call sudo without password?
I mean:
  su - user sudo -u amavis sa-learn
Also, did you noticed this paragraphe in man sudo?
        -H  The -H (HOME) option sets the HOME environment variable to the
            homedir of the target user (root by default) as specified in
            passwd(5).  By default, sudo does not modify HOME (see set_home 
and
            always_set_home in sudoers(5)).

If HOME is not amavis's HOME, sa-learn might be upset.

Wrap your program in order to trace the problems of sa-learn:

#!/bin/bash

(
  id -a
  [snip] sa-learn [snip]
  rc=$?
  echo "exit code $rc"
  exit $rc
) > /tmp/antispam.out.$$ 2> /tmp/antispam.err.$$

sa-learn needs to lock the database, maybe you get race problems? I used 
to call sa-learn via --no-sync and --sync'ed in regular intervals.
Also, maybe you need a combination of -u/-C/-p.

> Although I compiled the plugin from git with debugging to syslog
> activated, I do not get any error messages in mail.log where all messages
> from dovecot are logged.

Well, my antispam logs go to syslog, but Dovecot logs to a file.

> Now, I know that the methods above aren't exactly secure, so if anybody

Dunno, but you want to train a site-wide database with information from 
the user. So what you consider unsecure in particular? If you are afraid 
of bugs in sa-learn, you should limit this ability to a certain group of 
users, because any user can push any "message" Dovecot accepts to 
sa-learn, regardless of its internal structure.

I have moved the Bayes DB to SQL to avoid the locking problems I had.

Bye,

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIc0XIVJMDrex4hCIRAnN1AJwMeiSWiRl/qBbQwDNYIw6T+Zg6iwCeKNyA
jcyx0LXE7EQ2oot6wrBp+lA=
=NhLz
-----END PGP SIGNATURE-----

More information about the dovecot mailing list