Author Topic: markasjunk2 sa-learn problem  (Read 27453 times)

Offline svoboda77

Re: markasjunk2 sa-learn problem
« Reply #15 on: September 25, 2013, 05:49:17 AM »
Hello,

1/ --username option only works with database stored in SQL, see "man sa-learn" and http://www.iredmail.org/wiki/index.php?title=IRedMail/FAQ/Store.SpamAssassin.Bayes.In.SQL

2/ If you don't use SQL database for Bayes, then each user has its own SpamAssassin Bayes database, stored in .spamassassin/ in its home directory. So if you try "sa-learn --dump magic" from terminal logged in as root, you are dumping the root's database stored in /root/.spamassassin, not the one used by your MTA. You can either specify path to the database using "--dbpath" parameter or you have to run the "sa-learn" command as the correct user (depends on your system)

Here is my situation. I am running a Debian 7.1 server, mailserver configured with iRedMail 0.8.5 (postfix, amavis, spamassassin, clamav, apache, roundcube 0.9.2).

Apache runs as "www-data" user.
Spamassassin runs as "amavis" user, its home is /var/lib/amavis. This means that the Bayes database is stored in /var/lib/amavis/.spamassassin/.

Code:
root@newmail:~# ls -lA /var/lib/amavis/
total 16
srwxr-x--- 1 amavis amavis    0 Sep 24 22:50 amavisd.sock
drwxr-x--- 2 amavis amavis 4096 Sep 24 22:50 db
drwx------ 2 amavis amavis 4096 Sep 24 18:18 .spamassassin
drwxrwx--- 4 amavis amavis 4096 Sep 25 10:31 tmp
drwxr-x--- 2 amavis amavis 4096 Sep 24 17:40 virusmails

By default the .spamassassin folder (and the files inside) are owned by amavis:amavis with 700 rights. So we have to run "sa-learn" as user "amavis".

I have installed markasjunk2 with the following configuration (only the relevant settings printed):

Code:
$rcmail_config['markasjunk2_learning_driver'] = 'cmd_learn';
$rcmail_config['markasjunk2_ham_mbox'] = null;
$rcmail_config['markasjunk2_spam_mbox'] = null;
$rcmail_config['markasjunk2_debug'] = true;
$rcmail_config['markasjunk2_spam_cmd'] = 'sa-learn --dbpath /var/lib/amavis/.spamassassin/ --spam %f';
$rcmail_config['markasjunk2_ham_cmd'] = 'sa-learn --dbpath /var/lib/amavis/.spamassassin/ --ham %f';

With these settings, the "sa-learn" command is run as the same user as Apache: "www-data". The parameter "--dbpath /var/lib/amavis/.spamassassin/" says not to use the SpamAssassin Bayes database in the "www-data" home directory but to use the database in /var/lib/amavis/.spamassassin instead.

I changed rights to the /var/lib/amavis/.spamassassin/ folder (and its contents) to 770 and added "www-data" to "amavis" group. So "www-data" (the user who runs the script) should have full rights to the folder. To be 100% sure I set everything correctly I tried this command from terminal:

Code:
root@newmail:~# sudo -u www-data sa-learn --dbpath /var/lib/amavis/.spamassassin/ --spam /usr/share/doc/spamassassin/examples/sample-spam.txt
Learned tokens from 1 message(s) (1 message(s) examined)

OK, it works!

But when I try to send some spam to the database using the "Junk" button in Roundcube, which should invoke the same command run as "www-data" user, it reads the file, but for some strange reason the message is not saved to the database.

Code:
Sep 25 08:22:23 newmail roundcube: sa-learn --dbpath /var/lib/amavis/.spamassassin/ --spam /usr/share/apache2/roundcubemail-0.9.2/temp/rcmSALearngzkfy8
Sep 25 08:22:23 newmail roundcube: array (#012  0 => 'Learned tokens from 0 message(s) (1 message(s) examined)',#012)

The message is "examined", so the script can read it. But it is not saved to the database. I even tried to chmod the /var/lib/amavis/.spamassassin/ to "777", still the same result.

I tried a different approach. Run the "sa-learn" command from the markasjunk2 plugin as the "amavis" user. Plugin settings changed to:

Code:
$rcmail_config['markasjunk2_spam_cmd'] = 'sudo -u amavis sa-learn --ham %f';

/etc/sudoers configured:

Code:
# Allow webserver run sa-learn as user amavis
www-data ALL = (amavis) NOPASSWD:/usr/bin/sa-learn

but with this setting the message in temp file is not even examined, because it is owned by www-data:www-data with rights set to 600:

Code:
-rw------- 1 www-data www-data 5038 Sep 25 10:30 /usr/share/apache2/roundcubemail-0.9.2/temp/rcmSALearnGsgD71

OK, next approach. Run the "sa-learn" command from the script as root. Plugin configuration changed:

Code:
$rcmail_config['markasjunk2_spam_cmd'] = 'sudo sa-learn --dbpath /var/lib/amavis/.spamassassin/ --spam %f';
$rcmail_config['markasjunk2_ham_cmd'] = 'sudo sa-learn --dbpath /var/lib/amavis/.spamassassin/ --ham %f';

and /etc/sudoers edited (with visudo):

Code:
# Allow webserver run sa-learn as root
www-data ALL = (root) NOPASSWD:/usr/bin/sa-learn

and now it works!

Code:
Sep 25 11:37:30 newmail roundcube: sudo sa-learn --dbpath /var/lib/amavis/.spamassassin/ --spam /usr/share/apache2/roundcubemail-0.9.2/temp/rcmSALearnSI6r9G
Sep 25 11:37:30 newmail roundcube: array (#012  0 => 'Learned tokens from 1 message(s) (1 message(s) examined)',#012)

WTF? Why does the script have to be executed with root privileges (!!!), when I had the permissions set correctly?

Any ideas?
Lukas.
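
A check relevant to the setup in the post above, as an added example that is not part of the original post: on Linux a process's supplementary groups are fixed when it starts, so web server workers started before "www-data" was added to the "amavis" group keep the old group list, while a fresh "sudo -u www-data" picks up the new one. The script lists such processes; the gid 110 and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Linux only: reads the
# "Groups:" line of /proc/<pid>/status, which lists the supplementary
# groups the process actually holds right now.

# has_gid STATUS_TEXT GID
# Succeeds (exit 0) if GID appears on the "Groups:" line of STATUS_TEXT.
has_gid() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# stale_workers USER GROUP
# Prints the PID of every process owned by USER that does not hold GROUP
# as a supplementary group. Returns 2 if GROUP cannot be resolved.
stale_workers() {
    gid=$(getent group "$2" | cut -d: -f3)
    [ -n "$gid" ] || return 2
    for pid in $(pgrep -u "$1"); do
        # A process may exit between pgrep and the read; skip it.
        status=$(cat "/proc/$pid/status" 2>/dev/null) || continue
        has_gid "$status" "$gid" || echo "$pid"
    done
}

# Constructed samples of /proc/<pid>/status content (uid/gid 33 stands in
# for www-data, gid 110 for amavis; both numbers are assumptions).
SAMPLE_BEFORE='Name:	apache2
Uid:	33	33	33	33
Gid:	33	33	33	33
Groups:	33'

SAMPLE_AFTER='Name:	apache2
Uid:	33	33	33	33
Gid:	33	33	33	33
Groups:	33 110'

# Typical use on the mail server, run as root:
#   stale_workers www-data amavis
# Any PID printed belongs to a process that still lacks the group until
# the service is restarted.
```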