Thank you for your quick answer and the suggestions, Steffen.
(3) editing sudoers to allow 'sudo -u amavis sa-learn' without a password. This works fine on the command line, but fails with the same error as (1) when used with the plugin.
Hmm, "Move not allowed" from the client?
What do you see from Dovecot? I mean when you speak IMAP directly or trace/sniff a non-SSL connection. I have the impression that you hit a situation like:
"Cannot APPEND to a SPAM folder."
The relevant lines in a sniffed IMAP connection:
cpy1 COPY 4 "Spam"
cpy1 NO failed to send mail
At least that's what I gathered from a binary tcpdump, I haven't looked at it with a protocol analyzer.
However, in this case it should not work with the sendmail binary.
For (3): did you allow all users to call sudo without password? I mean:
su - user
sudo -u amavis sa-learn
Also, did you notice this paragraph in man sudo?
-H  The -H (HOME) option sets the HOME environment variable to the homedir of the target user (root by default) as specified in passwd(5). By default, sudo does not modify HOME (see set_home and always_set_home in sudoers(5)).
If HOME is not amavis's HOME, sa-learn might be upset.
from sudoers:
ALL ALL= (amavis) NOPASSWD: /usr/bin/sa-learn
It works fine if I su to one of the local users and execute
sudo -H -u amavis /usr/bin/sa-learn -D [args]
I can access amavis' bayes db read and write.
Wrap your program in order to trace the problems of sa-learn:
#!/bin/bash
(
  id -a
  [snip]
  sa-learn [snip]
  rc=$?
  echo "exit code $rc"
  exit $rc
) > /tmp/antispam.out.$$ 2> /tmp/antispam.err.$$
sa-learn needs to lock the database, maybe you get race problems? I used to call sa-learn via --no-sync and --sync'ed in regular intervals. Also, maybe you need a combination of -u/-C/-p.
I inserted the above sudo line into the wrapper script; it worked fine when called from the command line and when called from the antispam plugin.
However, when I skipped the wrapper and called sudo sa-learn directly, it again failed with the above error.
But as it works with the wrapper script, that's ok for me. I trimmed down the logging and had sa-learn process the command line parameters given by the antispam. For reference, the command is now:
/usr/bin/sudo -H -u amavis /usr/bin/sa-learn $1 $2
Although I compiled the plugin from git with debugging to syslog activated, I do not get any error messages in mail.log where all messages from dovecot are logged.
Well, my antispam logs go to syslog, but Dovecot logs to a file.
Hm, yes, of course it is. Don't know why I was looking in mail.log when it says it logs to syslog. But the output did not contain any useful information in this case, anyway.
Now, I know that the methods above aren't exactly secure, so if anybody
Dunno, but you want to train a site-wide database with information from the user. So what do you consider insecure in particular? If you are afraid of bugs in sa-learn, you should limit this ability to a certain group of users, because any user can push any "message" Dovecot accepts to sa-learn, regardless of its internal structure.
In general, I try to avoid suid and world-writable system directories as much as possible. I can live with the sudo solution - after all, the worst a user could do is delete the bayes db.
Again, thank you for your suggestions, it really helped getting this to work the way I wanted.
Bye, Johannes
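
Added example, not part of the original messages and not code from either poster: the sudoers line quoted in the thread allows every sa-learn option, so one way to narrow it is to let sudoers permit only a root-owned wrapper that runs as amavis and checks its arguments before calling sa-learn. The wrapper path, the group name and the assumed argument shape (--spam or --ham, plus an optional absolute message path) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Meant to run AS amavis via sudo, so that
# sudoers allows only this root-owned wrapper instead of sa-learn itself:
#   %mailusers ALL=(amavis) NOPASSWD: /usr/local/bin/sa-learn-wrap
# (group name and wrapper path are hypothetical).

SA_LEARN=/usr/bin/sa-learn

# Return 0 only for the argument shapes the mail plugin is assumed to send:
#   $1 = --spam or --ham, $2 = optional absolute path of the message file.
learn_args_ok() {
    [ "$#" -ge 1 ] && [ "$#" -le 2 ] || return 1
    case "$1" in
        --spam|--ham) ;;
        *) return 1 ;;      # rejects --clear, --dbpath, -C and anything else
    esac
    if [ "$#" -eq 2 ]; then
        case "$2" in
            /*) ;;          # absolute path, so it cannot be parsed as an option
            *) return 1 ;;
        esac
    fi
    return 0
}

main() {
    if ! learn_args_ok "$@"; then
        echo "sa-learn-wrap: rejected arguments" >&2
        return 64
    fi
    # Arguments are passed quoted and unchanged once they have been checked.
    exec "$SA_LEARN" "$@"
}

# Only act when called with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With this in place the plugin would call sudo on the wrapper rather than on /usr/bin/sa-learn, and a local user calling sudo by hand gets the same restricted set of arguments.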