Thank you for your quick answer and the suggestions, Steffen.

>> (3) editing sudoers to allow 'sudo -u amavis sa-learn' without a
>> password.
>> This works fine on the command line, but fails with the same error as
>> (1) when used with the plugin.
>
> Hmm, "Move not allowed" from the client?
>
> What do you see from Dovecot? I mean when you speak IMAP directly or
> trace/sniff a non-SSL connection. I have the impression that you hit a
> situation like:
>
> "Cannot APPEND to a SPAM folder."

The relevant lines in a sniffed IMAP connection:

cpy1 COPY 4 "Spam"
cpy1 NO failed to send mail

At least that's what I gathered from a binary tcpdump; I haven't looked at
it with a protocol analyzer.

> However, in this case it should not work with the sendmail binary.
>
> For (3): did you allow all users to call sudo without password?
> I mean:
> su - user
> sudo -u amavis sa-learn
> Also, did you notice this paragraph in man sudo?
> -H  The -H (HOME) option sets the HOME environment variable to the
>     homedir of the target user (root by default) as specified in
>     passwd(5). By default, sudo does not modify HOME (see set_home
>     and always_set_home in sudoers(5)).
>
> If HOME is not amavis's HOME, sa-learn might be upset.

From sudoers:

ALL ALL= (amavis) NOPASSWD: /usr/bin/sa-learn

It works fine if I su to one of the local users and execute

sudo -H -u amavis /usr/bin/sa-learn -D [args]

I can access amavis' bayes db read and write.

> Wrap your program in order to trace the problems of sa-learn:
>
> #!/bin/bash
>
> (
> id -a
> [snip] sa-learn [snip]
> rc=$?
> echo "exit code $rc"
> exit $rc
> ) > /tmp/antispam.out.$$ 2> /tmp/antispam.err.$$
>
> sa-learn needs to lock the database, maybe you get race problems? I used
> to call sa-learn via --no-sync and --sync'ed in regular intervals.
> Also, maybe you need a combination of -u/-C/-p.

I inserted the above sudo line into the wrapper script; it worked fine when
called from the command line and when called from the antispam plugin.
However, when I skipped the wrapper and called sudo sa-learn directly, it
again failed with the above error. But as it works with the wrapper script,
that's ok for me. I trimmed down the logging and had sa-learn process the
command line parameters given by the antispam.

For reference, the command is now:

/usr/bin/sudo -H -u amavis /usr/bin/sa-learn $1 $2

>> Although I compiled the plugin from git with debugging to syslog
>> activated, I do not get any error messages in mail.log where all
>> messages from dovecot are logged.
>
> Well, my antispam logs go to syslog, but Dovecot logs to a file.

Hm, yes, of course it is. Don't know why I was looking in mail.log when it
says it logs to syslog. But the output did not contain any useful
information in this case, anyway.

>> Now, I know that the methods above aren't exactly secure, so if anybody
>
> Dunno, but you want to train a site-wide database with information from
> the user. So what do you consider insecure in particular? If you are afraid
> of bugs in sa-learn, you should limit this ability to a certain group of
> users, because any user can push any "message" Dovecot accepts to
> sa-learn, regardless of its internal structure.

In general, I try to avoid suid and world writable system directories as
much as possible. I can live with the sudo solution - after all, the worst
a user could do is delete the bayes db.

Again, thank you for your suggestions, it really helped getting this to
work the way I wanted.

Bye,
Johannes
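As an added example (not from this thread or from the antispam plugin itself), here is a version of the wrapper discussed above that keeps Steffen's logging idea and the `sudo -H -u amavis /usr/bin/sa-learn $1 $2` call, but only lets the two training switches through, so the wrapper cannot be used to hand sa-learn an arbitrary option such as one that clears the bayes database. It assumes the plugin passes `--spam` or `--ham` as `$1` and an optional message file as `$2` (sa-learn reads the message from stdin when no file is given); check that against your plugin configuration. `--no-sync` is added following the thread's suggestion, and the log file locations are placeholders.

```shell
#!/bin/bash
# Added example wrapper for the antispam plugin's sa-learn call.
# Assumed calling convention (verify against your antispam setup):
#   $1 = --spam or --ham
#   $2 = optional message file; sa-learn reads stdin when $2 is empty
SA_LEARN=/usr/bin/sa-learn
SA_USER=amavis
LOGDIR=/tmp          # placeholder; use a directory only the mail user can write

# validate_mode: only the two training switches are acceptable.
validate_mode() {
    case "$1" in
        --spam|--ham) return 0 ;;
        *) return 1 ;;
    esac
}

# validate_message: empty (stdin) or an existing regular file whose name
# cannot be mistaken for an option.
validate_message() {
    [ -z "$1" ] && return 0
    case "$1" in -*) return 1 ;; esac
    [ -f "$1" ]
}

# build_cmd: print the command line that would be run; print nothing and
# return 1 when either argument is rejected.
build_cmd() {
    validate_mode "$1" || return 1
    validate_message "$2" || return 1
    printf '%s' "/usr/bin/sudo -H -u $SA_USER $SA_LEARN --no-sync $1"
    if [ -n "$2" ]; then
        printf ' -- %s' "$2"
    fi
    printf '\n'
}

# run_training: the wrapper body. Records who called it and the sa-learn
# exit code (as suggested in the thread) and passes that code back to the
# plugin. Arguments are checked before sudo is invoked at all.
run_training() {
    if ! validate_mode "$1" || ! validate_message "$2"; then
        echo "antispam wrapper: rejected arguments: $*" >&2
        return 2
    fi
    (
        id -a
        if [ -n "$2" ]; then
            /usr/bin/sudo -H -u "$SA_USER" "$SA_LEARN" --no-sync "$1" -- "$2"
        else
            /usr/bin/sudo -H -u "$SA_USER" "$SA_LEARN" --no-sync "$1"
        fi
        rc=$?
        echo "exit code $rc"
        exit $rc
    ) > "$LOGDIR/antispam.out.$$" 2> "$LOGDIR/antispam.err.$$"
}

# Only act when called with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    run_training "$@"
fi
```

Note that this only constrains what reaches sa-learn through the plugin. The sudoers line quoted above still permits any user to run `/usr/bin/sa-learn` with any arguments under sudo, so if that matters on your system, narrow the rule itself: sudoers matches command arguments, so you can list the exact forms you allow, or grant the (root-owned, non-writable) wrapper instead of sa-learn and have the wrapper, running as amavis, call sa-learn directly.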