markasjunk2 problem on Windows Server

[mishoddt]

Hello,

I can't make markasjunk2 run using the cmd_learn learning_driver on a Windows Server 2003. I've installed the last SAwin32 and sa-learn from the SAwin32 | SpamAssassin for Win32 site, PHP 5.2.11/FastCGI. The spamassasin and the sa-learn work with no issues. But with markasjunk2 got stuck with probably some permissions issue. Here is my configuration and the errors I'm getting:



$rcmail_config['markasjunk2_learning_driver'] = 'cmd_learn';
$rcmail_config['markasjunk2_read_spam'] = true;
$rcmail_config['markasjunk2_unread_ham'] = false;
$rcmail_config['markasjunk2_detach_ham'] = true;
$rcmail_config['markasjunk2_spam_flag'] = 'Junk';
$rcmail_config['markasjunk2_ham_flag'] = null;
$rcmail_config['markasjunk2_debug'] = true;
$rcmail_config['markasjunk2_spam_cmd'] = 'sa-learn.exe --spam c:\sa\spam\%f';
$rcmail_config['markasjunk2_ham_cmd'] = 'sa-learn.exe --ham %f';
$rcmail_config['markasjunk2_spam_dir'] = 'c:\sa\spam';
$rcmail_config['markasjunk2_ham_dir'] = 'c:\sa\ham';
$rcmail_config['markasjunk2_filename'] = null;
$rcmail_config['markasjunk2_email_spam'] = null;
$rcmail_config['markasjunk2_email_ham'] = null;
$rcmail_config['markasjunk2_email_attach'] = true;
$rcmail_config['markasjunk2_email_subject'] = 'learn this message as %t';

With these settings the messages are succesfuly moved from the Inbox to the Junk foler, but noting is learned with the sa-learn. I found the error log in the c:\WINDOWS\Temp\php-errors.log
The error message is:
PHP Warning:  exec() [function.exec]: Unable to fork [sa-learn.exe --ham C:\WINDOWS\Temp\rcmB6.tmp] in C:\Inetpub\wwwroot\webmail\plugins\markasjunk2\drivers\cmd_learn.php on line 44

Digging the web I found that the cmd.exe needs read/execute permitions for the web service. So after give them to it, what is unfortunately a security risk, a new error shows:
PHP Fatal error:  Maximum execution time of 120 seconds exceeded in C:\Inetpub\wwwroot\webmail\plugins\markasjunk2\drivers\cmd_learn.php on line 46
Also a file ("rcmB6.tmp" for example) and a folder "pdk-SYSTEM-2704" (this is created by the spamd service and the "SYSTEM" is the account the service run as) with bunch of dll created in the :\WINDOWS\Temp\pdk-SYSTEM-2704, but noting in the C:\sa\spam\.


If I replace
$rcmail_config['markasjunk2_spam_cmd'] = 'sa-learn.exe --spam c:\sa\spam\%f';
with
$rcmail_config['markasjunk2_spam_cmd'] = 'echo "Test" > c:\sa\spam\debug.txt';  
on pressing the "Mark As Spam" button the c:\sa\spam\debug.txt is created, the "Test" word is wroten and the email is moved to the Junk folder.


Any help and ideas will be highly appreciated, thanks!

[JohnDoh]

you you dont need to set the $rcmail_config['markasjunk2_spam_dir'] and $rcmail_config['markasjunk2_ham_cmd'] options, these are for the dir_learn driver. When running cmd_learn message files are saved in the RC temp dir so you command simply needs to be 'sa-learn.exe --spam %f'.

[mishoddt]

Hello and thanks for the reply!

I changed the $rcmail_config['markasjunk2_spam_dir'] and $rcmail_config['markasjunk2_ham_dir'] back to nulls. This doesn't change the error, it's still "time out", but these are not the reason.

I narrowed it down to the security permissions.
First of all the default security account for a IIS application pool is the NETWORK SERVICE and this is the accoun tne php-cgi.exe use to run. I needed to create an app pool running under the LOCAL SYSTEM account. The Networ Service and the Local Service accounts don't have sufficient rights, I still can't figure out for what exactly.

For the plugin to execute the spam/ham_cmd sa-learn.exe --spam/ham it shows that it needs to execute at first the cmd.exe. So I needed to give the Internet Guest Account IUSR_servername execute permissions to cmd.exe. I don't like it, this is a security risk.

The IUSR_servername needs and write permissions to the "temp" and "logs" folders under the Roundcube folder.

My spamd service runs under Local System account.

With this configuration the plugin seems to work, I still need to test with spam messages. Right now I don't have spam emails in this test server mailbox, but when I report any (non spam) message as spam I have in the log:
0 => 'Learned tokens from 1 message(s) (1 message(s) examined)'

Please, if anyone have idea how to work around the cmd.exe anonymus execute permissions, let me know.

Thanks!