User postfix refuses to run sa-learn

Martin Wickman martin.wickman at xms.se
Sun Sep 16 18:57:39 IST 2007


Glenn Steen wrote:

> On 16/09/2007, Martin Wickman <martin.wickman at xms.se> wrote:
>> Glenn Steen wrote:
>>> On 16/09/2007, Martin Wickman <martin.wickman at xms.se> wrote:
>>>> I'm running MailScanner with spamassassin and postfix. I have configured
>>>> postfix to execute a script which runs sa-learn on all new mails that
>>>> get sent to the 'spam' user. The idea is to update the site-global
>>>> /var/spool/MailScanner/spamassassin/bayes.* database automatically when
>>>> my users forward their spam.
>>>>
>>>> In postfix/master.cf I have this rule:
>>>>
>>>> spam unix -  n n -   -   pipe user=postfix:postfix
>>>>     argv=/usr/local/bin/sa-learn-wrapper.pl spam ${sender}
>>>>
>>>> That says that postfix should run a command which updates the bayes
>>>> database.
>>>>
>>>> BUT that fails horribly because postfix refuses to run commands as the
>>>> postfix user...
>>>>
>>>> 'Run As User' is postfix and thus /var/spool/.../bayes* is also owned by
>>>> postfix. Afaik I *need* to run sa-learn as postfix since the
>>>> bayes-database and spamassassin are owned and run by postfix. It's some
>>>> kind of catch-22 here :(

[..]

> And you don't run Postfix chrooted? That happens to be the standard on
> most distros (of Linux)... So it might be something like that still.
> It wouldn't show if you "su- postfix -s /bin/bash", since that
> wouldn't be chrooted to (something like) /var/spool/postfix, just have
> its home dir there.

Well, it's CentOS postfix rpm built from http://postfix.wl0.org/en/ and
I'm pretty sure it's not chrooted.

> As to the "standard setup", where you put bayes isn't that much
> standardised... I still want to know _if_ you have bayes_path etc set
> in such a way that all invocations of SA will find/use that setting (I
> suspect this is the case, but ... better safe than sorry:-). A classic
> problem is that one lacks the mailscanner.cf link to
> spam.assassin.prefs.conf, so anything set there isn't picked up by
> sa-learn etc... Which would default to trying to use
> $HOME/.spamassassin/... for everything bayes... and the default for
> that dir (which also is the root of the jail) usually isn't writable
> by the postfix user (and shouldn't be!).

Ok, thanks for your help, but I don't think that is the problem. The
problem is that postfix owns the bayes-files and the postfix-software
doesn't want to run scripts as the postfix user. pipe(8) explains this as
"The software refuses to execute commands with root privileges,
or with the privileges of the mail system owner."

Btw, the setup is taken from
http://www.jousset.org/pub/sa-postfix.en.html if you want the details.
That site is off-line or something, but google has working cache:
http://www.google.com/search?q=cache:S0-FoGYZSHwJ:www.jousset.org/pub/sa-postfix.en.html+http://www.jousset.org/pub/sa-postfix.en.html&hl=en&ct=clnk&cd=1&gl=se&client=firefox-a

>> This is not a path problem, it's a problem because SA runs as postfix and
>> I need sa-learn to run as postfix as well, since the bayes database in
>> bayes_path is postfix owned.
> Fine, but do tell if you have the symbolic link from
> /etc/mail/spamassassin/mailscanner.cf to
> /etc/MailScanner/spam.assassin.prefs.conf, please.

Yupp:

$ file /etc/mail/spamassassin/mailscanner.cf
/etc/mail/spamassassin/mailscanner.cf: symbolic link to
`/etc/MailScanner/spam.assassin.prefs.conf'

> If you do the su from above, can you run the script successfully by hand?
> What error logs do you get?

No errors, ie:

[root at xxx ~]# su -s /bin/sh postfix
sh-3.1$ id
uid=89(postfix) gid=89(postfix) groups=12(mail),89(postfix)
sh-3.1$ sa-learn --spam /tmp/spamish
Learned tokens from 1 message(s) (1 message(s) examined)
sh-3.1$ sa-learn --forget /tmp/spamish
Forgot tokens from 1 message(s) (1 message(s) examined)

For the record, running as a non-root, not-postfix user gives this error
as expected:

$ sa-learn --forget /tmp/spamish
bayes: expire_old_tokens: locker: safe_lock: cannot create lockfile
/var/spool/MailScanner/spamassassin/bayes.mutex: Permission denied
Forgot tokens from 0 message(s) (1 message(s) examined)
bayes: locker: safe_lock: cannot create lockfile
/var/spool/MailScanner/spamassassin/bayes.mutex: Permission denied
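
The pipe(8) restriction quoted in this message can be checked for directly in master.cf. The script below is an added example, not part of the original post: it lists pipe services whose user= is root or the mail owner. The sample file, the "learn" service and the "salearn" account are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list master.cf pipe(8) services whose
# user= is root or the mail system owner, which pipe(8) refuses to run.

# check_pipe_users MASTER_CF MAIL_OWNER  -> prints "service user" per offender.
# On a live host MAIL_OWNER would come from: postconf -h mail_owner
check_pipe_users() {
    awk -v owner="$2" '
        function emit(   n, f, i, u) {
            if (line == "") return
            n = split(line, f)
            # service type private unpriv chroot wakeup maxproc command args...
            if (n >= 8 && f[8] == "pipe")
                for (i = 9; i <= n; i++)
                    if (f[i] ~ /^user=/) {
                        u = substr(f[i], 6)
                        sub(/:.*/, "", u)          # drop optional :group
                        if (u == "root" || u == owner) print f[1], u
                    }
            line = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
        /^[ \t]/ { line = line " " $0; next }      # continuation line
        { emit(); line = $0 }                      # start of a new entry
        END { emit() }
    ' "$1"
}

# Constructed sample: the entry from the post plus a hypothetical "learn"
# service running as a hypothetical dedicated account "salearn".
write_sample() {
    cat > "$1" <<'EOF'
# constructed master.cf fragment
spam unix -  n n -   -   pipe user=postfix:postfix
    argv=/usr/local/bin/sa-learn-wrapper.pl spam ${sender}
learn unix - n n - - pipe
    flags=R user=salearn argv=/usr/local/bin/sa-learn-wrapper.pl spam ${sender}
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_pipe_users "$sample" postfix
rm -f "$sample"
```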

