[Dovecot] antispam plugin, amavis and sa-learn
Steffen Kaiser
skdovecot at smail.inf.fh-bonn-rhein-sieg.de
Tue Jul 8 13:47:33 EEST 2008
On Tue, 8 Jul 2008, Johannes Bauer wrote:
> (1) making the amavis user's .spamassassin directory world-writeable
> and handing the path to sa-learn with the --dbpath parameter. That failed
> - the IMAP client says "Move not allowed" when I try to move a message to
> or from the Spam IMAP folder.
> (3) editing sudoers to allow 'sudo -u amavis sa-learn' without a password.
> This works fine on the command line, but fails with the same error as (1)
> when used with the plugin.
Hmm, "Move not allowed" from the client?
What do you see from Dovecot? I mean when you speak IMAP directly or
trace/sniff a non-SSL connection. I have the impression that you hit a
situation like:
"Cannot APPEND to a SPAM folder."
However, in this case it should not work with the sendmail binary.
For (3): did you allow all users to call sudo without password?
I mean:
    su - user
    sudo -u amavis sa-learn
Also, did you notice this paragraph in man sudo?
    -H  The -H (HOME) option sets the HOME environment variable to the
        homedir of the target user (root by default) as specified in
        passwd(5). By default, sudo does not modify HOME (see set_home
        and always_set_home in sudoers(5)).
If HOME is not amavis's HOME, sa-learn might be upset.
Wrap your program in order to trace the problems of sa-learn:
#!/bin/bash
(
id -a
[snip] sa-learn [snip]
rc=$?
echo "exit code $rc"
exit $rc
) > /tmp/antispam.out.$$ 2> /tmp/antispam.err.$$
sa-learn needs to lock the database, maybe you get race problems? I used
to call sa-learn via --no-sync and --sync'ed in regular intervals.
Also, maybe you need a combination of -u/-C/-p.
> Although I compiled the plugin from git with debugging to syslog
> activated, I do not get any error messages in mail.log where all messages
> from dovecot are logged.
Well, my antispam logs go to syslog, but Dovecot logs to a file.
> Now, I know that the methods above aren't exactly secure, so if anybody
Dunno, but you want to train a site-wide database with information from
the user. So what do you consider insecure in particular? If you are afraid
of bugs in sa-learn, you should limit this ability to a certain group of
users, because any user can push any "message" Dovecot accepts to
sa-learn, regardless of its internal structure.
I have moved the Bayes DB to SQL to avoid the locking problems I had.
Bye,
--
Steffen Kaiser
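The tracing wrapper and the HOME caveat from the reply above, as an added example that is not part of the original post: a POSIX sh wrapper meant to be the command that sudo runs as amavis. It logs identity and HOME, runs sa-learn with --no-sync, and creates its trace file with mktemp in a private directory rather than under a predictable /tmp name. SA_LEARN, TRACE_DIR and LAST_TRACE are hypothetical names, and the TRACE_DIR path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical knobs: SA_LEARN,
# TRACE_DIR, LAST_TRACE. Intended to be the command sudo runs as amavis.
SA_LEARN=${SA_LEARN:-sa-learn}
TRACE_DIR=${TRACE_DIR:-/var/log/antispam-trace}  # assumed path; owner-only directory

# Home directory of user $1 according to passwd(5); empty if it cannot be looked up.
home_of() {
    getent passwd "$1" 2>/dev/null | cut -d: -f6
}

# trace_learn spam|ham : message on stdin; returns sa-learn's exit code.
trace_learn() {
    case $1 in
        spam|ham) mode=$1 ;;
        *) echo "usage: trace_learn spam|ham" >&2; return 64 ;;
    esac
    # mktemp creates an owner-only file with an unpredictable name.
    LAST_TRACE=$(mktemp "$TRACE_DIR/learn.XXXXXX") || return 73
    want=$(home_of "$(id -un)")
    rc=0
    {
        id -a
        echo "HOME=$HOME passwd_home=${want:-unknown}"
        if [ -n "$want" ] && [ "$HOME" != "$want" ]; then
            echo "HOME mismatch (see sudo -H / always_set_home); using $want"
        fi
        # --no-sync: write the journal only; a periodic 'sa-learn --sync'
        # job merges it into the database later.
        HOME=${want:-$HOME} "$SA_LEARN" --no-sync "--$mode" || rc=$?
        echo "exit code $rc"
    } >"$LAST_TRACE" 2>&1
    return "$rc"
}

# Stand-alone use: trace-learn.sh spam < message
if [ "$#" -gt 0 ]; then trace_learn "$@"; exit $?; fi
```

After a call, the path of the trace file is in LAST_TRACE; a "HOME mismatch" line there points at the sudo -H issue described in the reply.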