User postfix refuses to run sa-learn

Martin Wickman martin.wickman at xms.se
Sun Sep 16 20:04:53 IST 2007


Glenn Steen wrote:
> On 16/09/2007, Martin Wickman <martin.wickman at xms.se> wrote:
>> Glenn Steen wrote:

[..]

>> Ok, thanks for you help, but I dont think that is the problem. The
>> problem is that postfix owns the bayes-files and the postfix-software
>> dont want to run scripts as the postfix user. pipe(8) explains this as
>> "The software refuses to execute commands  with  root  privileges,
>> or with  the  privileges of the mail system owner."
> Ah. Yes. Might be a problem:-D. So then a rethink might be in order.
> Why not just let procmail or a cron job handle it?

Yeah I thought about that, but the problem is still there (I think?).
Only the postfix user can update the bayes data and it wont help much
having procmail do it.

Do you think it is possible to change MailScanner.conf in some way, ie
to have a separate SA-user which is not 'postfix'? As it is now "Run As
User" is postfix and maybe it's possible to change something here, akin
to "Quarantine User"?

> Procmail should be fairly easy, provided you have it already... well,
> even if you don't:-).
> Or running a cronjob that "plunders" the spam mailbox (which would
> need be a real mailbox) and run the script on the messages... should
> be fairly easy too. I'm sure there are others that have done something
> like that before, perhaps even documented it (haven't checked the
> wiki)...

Thought of that too, but there is the issue with forwarded spammails.
That is, attached mails needs to be splitted into single mails before
se-learn can grok them correctly. Also, having to run sa-learn on the
whole corpus all the time seems wasteful.

>> Btw, the setup is taken from
>> http://www.jousset.org/pub/sa-postfix.en.html if you want de details.
>> Thats site is off-line or something, but google has working cache:
>> http://www.google.com/search?q=cache:S0-FoGYZSHwJ:www.jousset.org/pub/sa-postfix.en.html+http://www.jousset.org/pub/sa-postfix.en.html&hl=en&ct=clnk&cd=1&gl=se&client=firefox-a
>>
> Too tired to go look, perhaps tomorrow:).

Please do :-)

[..]

>> For the record, running as a non-root, not-postfix user gives this error
>> as expected:
>>
>> $ sa-learn --forget /tmp/spamish
>> bayes: expire_old_tokens: locker: safe_lock: cannot create lockfile
>> /var/spool/MailScanner/spamassassin/bayes.mutex: Permission denied
>> Forgot tokens from 0 message(s) (1 message(s) examined)
>> bayes: locker: safe_lock: cannot create lockfile
>> /var/spool/MailScanner/spamassassin/bayes.mutex: Permission denied
> 
> As expected... One wonders what would happen if you played a bit with
> the script and the "sticky bit".... A "non-PF script" calls the sticky
> "PF script"...;-)

Dunno, didn't think script could be setuid?


More information about the MailScanner mailing list