[Dovecot] antispam plugin, amavis and sa-learn

Johannes Bauer jb at 5pm.de
Thu Jul 10 09:53:57 EEST 2008


Thank you for your quick answer and the suggestions, Steffen.

>
>> (3) editing sudoers to allow 'sudo -u amavis sa-learn' without a
>> password.
>> This works fine on the command line, but fails with the same error as
>> (1) when used with the plugin.
>
> Hmm, "Move not allowed" from the client?
>
> What do you see from Dovecot? I mean when you speak IMAP directly or
> trace/sniff a non-SSL connection. I have the impression, that you hit a
> situation, like:
>
> "Cannot APPEND to a SPAM folder."

The relevant lines in a sniffed IMAP connection:

cpy1 COPY 4 "Spam"
cpy1 NO failed to send mail

At least that's what I gathered from a binary tcpdump, I haven't looked at
it with a protocol analyzer.

>
> However, in this case it should not work with the sendmail binary.
>
> For (3): did you allow all users to call sudo without password?
> I mean:
>   su - user sudo -u amavis sa-learn
> Also, did you notice this paragraph in man sudo?
>         -H  The -H (HOME) option sets the HOME environment variable to the
>             homedir of the target user (root by default) as specified in
>             passwd(5).  By default, sudo does not modify HOME (see
>             set_home and always_set_home in sudoers(5)).
>
> If HOME is not amavis's HOME, sa-learn might be upset.

from sudoers:

ALL     ALL= (amavis) NOPASSWD: /usr/bin/sa-learn

It works fine if I su to one of the local users and execute

sudo -H -u amavis /usr/bin/sa-learn -D [args]

I can access amavis' bayes db read and write.

>
> Wrap your program in order to trace the problems of sa-learn:
>
> #!/bin/bash
>
> (
>   id -a
>   [snip] sa-learn [snip]
>   rc=$?
>   echo "exit code $rc"
>   exit $rc
> ) > /tmp/antispam.out.$$ 2> /tmp/antispam.err.$$
>
> sa-learn needs to lock the database, maybe you get race problems? I used
> to call sa-learn via --no-sync and --sync'ed in regular intervals.
> Also, maybe you need a combination of -u/-C/-p.

I inserted the above sudo line into the wrapper script; it worked fine
when called from the command line and when called from the antispam
plugin.

However, when I skipped the wrapper and called sudo sa-learn directly, it
again failed with the above error.

But as it works with the wrapper script, that's ok for me.
I trimmed down the logging and had sa-learn process the command line
parameters given by the antispam. For reference, the command is now:

/usr/bin/sudo -H -u amavis /usr/bin/sa-learn $1 $2

>
>> Although I compiled the plugin from git with debugging to syslog
>> activated, I do not get any error messages in mail.log where all
>> messages from dovecot are logged.
>
> Well, my antispam logs go to syslog, but Dovecot logs to a file.
>

Hm, yes, of course it is. Don't know why I was looking in mail.log when it
says it logs to syslog. But the output did not contain any useful
information in this case, anyway.

>> Now, I know that the methods above aren't exactly secure, so if anybody
>
> Dunno, but you want to train a site-wide database with information from
> the user. So what do you consider insecure in particular? If you are afraid
> of bugs in sa-learn, you should limit this ability to a certain group of
> users, because any user can push any "message" Dovecot accepts to
> sa-learn, regardless of its internal structure.

In general, I try to avoid suid and world-writeable system directories as
much as possible. I can live with the sudo solution - after all, the worst
a user could do is delete the bayes db.

Again, thank you for your suggestions, it really helped getting this to
work the way I wanted.

Bye,
Johannes
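
The sudoers entry quoted in this message lets every local user run sa-learn as amavis with arbitrary options. As an added example (not part of the original message or of the antispam plugin), the wrapper below is meant to be the sudo target instead, so that only training options reach sa-learn. The install path /usr/local/bin/sa-learn-train, the replacement sudoers entry and the assumption that the plugin pipes the message on stdin are assumptions, not taken from the thread.

```shell
#!/bin/bash
# Added example: wrapper meant to be the *sudo target*, so the argument check
# runs as amavis and cannot be bypassed by calling sudo directly.
# Hypothetical install path: /usr/local/bin/sa-learn-train
# Matching sudoers entry (assumption, replaces the /usr/bin/sa-learn entry):
#   ALL ALL=(amavis) NOPASSWD: /usr/local/bin/sa-learn-train
# The plugin command would then be:
#   /usr/bin/sudo -H -u amavis /usr/local/bin/sa-learn-train "$1" "$2"

SA_LEARN=/usr/bin/sa-learn

# Return 0 only for options needed for training; anything else
# (--clear, --dbpath, -C, --restore, ...) is refused.
is_allowed_arg() {
  case "$1" in
    --spam|--ham|--no-sync) return 0 ;;
    *) return 1 ;;
  esac
}

# Accept one or two arguments, each allowlisted, with exactly one learn mode.
check_args() {
  local arg modes=0
  [ "$#" -ge 1 ] && [ "$#" -le 2 ] || return 1
  for arg in "$@"; do
    is_allowed_arg "$arg" || return 1
    case "$arg" in --spam|--ham) modes=$((modes + 1)) ;; esac
  done
  [ "$modes" -eq 1 ]
}

train() {
  if ! check_args "$@"; then
    # SUDO_UID is set by sudo to the uid of the invoking user.
    logger -t sa-learn-train -p mail.warning \
      "refused args from uid ${SUDO_UID:-unknown}: $*"
    return 64   # EX_USAGE
  fi
  # The message is read from stdin (assumption about how the plugin delivers it).
  "$SA_LEARN" "$@"
}

# Run only when arguments are given, so the functions can be sourced and tested.
[ "$#" -eq 0 ] || train "$@"
```

Rejected calls are written to syslog rather than to predictable file names under /tmp.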


