sa-learn with remote Dovecot folders

Gedalya gedalya at gedalya.net
Fri Apr 10 00:41:45 UTC 2015 

On 04/09/2015 11:37 AM, Andreas Kasenides wrote:
> You got me thinking towards the antispam plugin which I have nto used 
> before, but can you elaborate if my users are system users and the 
> training is done only via a cron entry? 

I always used the antispam plugin, as a way to initiate training via IMAP.
Is your bayes database central (system-wide) or per user? Is it SQL or 
separate db files owned per user?

Without antispam plugin, your cron command can be perhaps something like 
this (as root)

doveadm user '*' | while read user; do
     doveadm search -u $user mailbox Junk all | while read guid uid; do
         doveadm -f flow fetch -u $user text mailbox-guid $guid uid $uid 
| sed s/^text=// | ssh -i /path/to/ssh-key root@$spamassassin-box "su -l 
-c 'spamassassin --report' $user"
         # expunge, so we don't repeat it if no other reason
         doveadm expunge -u $user mailbox-guid $guid uid $uid
     done
done

remember to do this before:
ssh-keyscan $spamassassin-box >> /etc/ssh/ssh_known_hosts
to allow non-interactive ssh connections.

You can improve security by setting up a special user instead of root, 
allowing it to become other users with no password using sudo with only 
the needed command(s) allowed, and use a:
command="/usr/local/bin/training-wrapper"
prefixed to the ssh public key in the authorized_keys file.

/usr/local/bin/training-wrapper:

#!/bin/sh
case "$SSH_ORIGINAL_COMMAND" in
report)
sa-learn --spam
;;
revoke)
sa-learn --ham
;;
*)
echo "Wwwwhat?"
;;
esac

and invoke this as
ssh $user@$sa-box report
or:
ssh $user@$sa-box revoke

It is very important to allow for ham training, not only spam training. 
The antispam plugin allows for that.

If your bayes database is SQL, you can use sa-learn -u $user --ham / 
sa-learn -u $user --spam, instead of su / sudo.
I however like spamassassin --report for reporting to dcc / razor / 
pyzor (--revoke exists but doesn't really do anything beyond bayes ;-)). 
This command doesn't have a -u flag so I guess su / sudo is necessary.

If you configure the antispam plugin to ssh into another box and run a 
learning process, the IMAP command won't complete until the ssh command 
returns. I personally like to drop off the email messages to be picked 
up asynchronously by another process, for better IMAP responsiveness.
Fill out the few missing details about your spamassassin / bayes setup 
and I can gladly give you more specific details on how to set this up.

More information about the dovecot mailing list