User postfix refuses to run sa-learn

Glenn Steen glenn.steen at gmail.com
Sun Sep 16 19:26:46 IST 2007


On 16/09/2007, Martin Wickman <martin.wickman at xms.se> wrote:
> Glenn Steen wrote:
>
(snip)
> > And you don't run Postfix chrooted? That happens to be the standard on
> > most distros (of Linux)... So it might be something like that still.
> > It wouldn't show if you "su - postfix -s /bin/bash", since that
> > wouldn't be chrooted to (something like) /var/spool/postfix, just have
> > its home dir there.
>
> Well, it's CentOS postfix rpm built from http://postfix.wl0.org/en/ and
> I'm pretty sure it's not chrooted.
Ok.

> > As to the "standard setup", where you put bayes isn't that much
> > standardised... I still want to know _if_ you have bayes_path etc set
> > in such a way that all invocations of SA will find/use that setting (I
> > suspect this is the case, but ... better safe than sorry:-). A classic
> > problem is that one lacks the mailscanner.cf link to
> > spam.assassin.prefs.conf, so anything set there isn't picked up by
> > sa-learn etc... Which would default to trying to use
> > $HOME/.spamassassin/... for everything bayes... and the default for
> > that dir (which also is the root of the jail) usually isn't writable
> > by the postfix user (and shouldn't be!).
>
> Ok, thanks for your help, but I don't think that is the problem. The
> problem is that postfix owns the bayes-files and the postfix-software
> doesn't want to run scripts as the postfix user. pipe(8) explains this as
> "The software refuses to execute commands with root privileges,
> or with the privileges of the mail system owner."
Ah. Yes. Might be a problem:-D. So then a rethink might be in order.
Why not just let procmail or a cron job handle it?
Procmail should be fairly easy, provided you have it already... well,
even if you don't:-).
Or running a cronjob that "plunders" the spam mailbox (which would
need to be a real mailbox) and runs the script on the messages... should
be fairly easy too. I'm sure there are others that have done something
like that before, perhaps even documented it (haven't checked the
wiki)...

> Btw, the setup is taken from
> http://www.jousset.org/pub/sa-postfix.en.html if you want the details.
> That site is off-line or something, but Google has a working cache:
> http://www.google.com/search?q=cache:S0-FoGYZSHwJ:www.jousset.org/pub/sa-postfix.en.html+http://www.jousset.org/pub/sa-postfix.en.html&hl=en&ct=clnk&cd=1&gl=se&client=firefox-a
>
Too tired to go look, perhaps tomorrow:).

> >> This is not a path problem, it's a problem because SA runs as postfix and
> >> I need sa-learn to run as postfix as well, since the bayes database in
> >> bayes_path is postfix owned.
> > Fine, but do tell if you have the symbolic link from
> > /etc/mail/spamassassin/mailscanner.cf to
> > /etc/MailScanner/spam.assassin.prefs.conf, please.
>
> Yupp:
>
> $ file /etc/mail/spamassassin/mailscanner.cf
> /etc/mail/spamassassin/mailscanner.cf: symbolic link to
> `/etc/MailScanner/spam.assassin.prefs.conf'
>
Good, and thanks. Thought so, but ... it's best to cover all basic
stuff first:-).

> > If you do the su from above, can you run the script successfully by hand?
> > What error logs do you get?
>
> No errors, ie:
>
> [root at xxx ~]# su -s /bin/sh postfix
> sh-3.1$ id
> uid=89(postfix) gid=89(postfix) groups=12(mail),89(postfix)
> sh-3.1$ sa-learn --spam /tmp/spamish
> Learned tokens from 1 message(s) (1 message(s) examined)
> sh-3.1$ sa-learn --forget /tmp/spamish
> Forgot tokens from 1 message(s) (1 message(s) examined)

Looks good, kind of like expected.

> For the record, running as a non-root, not-postfix user gives this error
> as expected:
>
> $ sa-learn --forget /tmp/spamish
> bayes: expire_old_tokens: locker: safe_lock: cannot create lockfile
> /var/spool/MailScanner/spamassassin/bayes.mutex: Permission denied
> Forgot tokens from 0 message(s) (1 message(s) examined)
> bayes: locker: safe_lock: cannot create lockfile
> /var/spool/MailScanner/spamassassin/bayes.mutex: Permission denied

As expected... One wonders what would happen if you played a bit with
the script and the "sticky bit".... A "non-PF script" calls the sticky
"PF script"...;-)

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
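
The cron-job route suggested in the message above, as an added example that is not part of the original post or of MailScanner: a script meant for the crontab of the account that owns the Bayes files, so pipe(8) is not involved at all. The mbox path, the install path in the cron comment, the `SA_LEARN` override and all function names are assumptions; `/var/spool/MailScanner/spamassassin` is the directory shown in the thread's lockfile error.

```shell
#!/bin/sh
# Added example, not from the thread: train Bayes from cron as the Bayes owner.
BAYES_DIR="${BAYES_DIR:-/var/spool/MailScanner/spamassassin}"  # from the thread's lockfile error
SPAM_MBOX="${SPAM_MBOX:-/var/spool/spamtrap/spam}"             # assumed mbox of reported spam
SA_LEARN="${SA_LEARN:-sa-learn}"                               # overridable for testing

# Print the numeric uid that owns a directory.
dir_owner() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# True only for a non-root uid that owns the Bayes directory. Root is refused
# because files it creates there may end up unwritable for the owning account.
may_train() {
    [ -n "$2" ] && [ "$1" -ne 0 ] && [ "$1" -eq "$2" ]
}

# Learn one mbox as spam. The mbox is renamed first so mail delivered during
# training lands in a fresh file; the renamed copy is deleted only on success.
learn_mbox() {
    mbox=$1
    [ -s "$mbox" ] || return 0            # empty or missing: nothing to learn
    work="$mbox.learning.$$"
    mv -- "$mbox" "$work" || return 1
    if "$SA_LEARN" --spam --mbox "$work"; then
        rm -f -- "$work"
    else
        echo "sa-learn failed, messages kept in $work" >&2
        return 1
    fi
}

main() {
    owner=$(dir_owner "$BAYES_DIR")
    if ! may_train "$(id -u)" "$owner"; then
        echo "must run as the owner of $BAYES_DIR (uid ${owner:-unknown}), not root" >&2
        exit 1
    fi
    learn_mbox "$SPAM_MBOX"
}

# Cron entry (assumed install path), placed in the Bayes owner's crontab:
#   */30 * * * * /usr/local/sbin/learn-spam.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The spam mbox has to sit in a directory the Bayes owner can write to, otherwise the rename fails and nothing is learned.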

