On 31 Oct 2017, at 7:27 (-0400), David Gessel wrote:
> bayes_file_mode 0777

Don't do that. I know the SiteWideBayes page recommends that, but it's
wrong. It's a bad idea to EVER make ANY file mode 0777 on any normal
system. Something mangled your Bayes DB. Anything running on that system
*could* do so. Maybe it was innocent, maybe not.

One alternative: use 0770 (or even 775) and use group membership to control
access. You can then symlink the ~/.spamassassin directories of users in
the group to that of the primary SA user (i.e. whatever amavisd runs as)
OR hardlink the Bayes and autowhitelist files from the primary user's
directory into that of other users.

Another alternative: use 0700 and whenever doing anything with the
Bayes/AWL/TxRep DBs, do it as the primary user of the sitewide DB. This
requires giving that user read access to user mail but that's safe
because it already is seeing it all pre-delivery anyway. The safest
approach for that is setting an ACL on the Maildir/. I use MIMEDefang
instead of amavisd so the ACL for mine looks like this:

bigsky:~ bill$ ls -led Maildir/
drwx------+ 239 bill bill 8670 Oct 31 09:31 Maildir/
 0: user:defang allow list,search,readattr,file_inherit,directory_inherit

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
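
The group-controlled layout suggested in the message above (0770 instead of 0777), sketched as an added example that is not part of the original message or of SpamAssassin itself. The function names, the directory argument and the group argument are assumptions chosen for illustration; the sample directory used to exercise them is constructed.

```shell
#!/bin/sh
# Added example: audit and tighten a shared SpamAssassin state directory.
# Assumptions (not from the message): the caller passes the directory that
# holds the Bayes/AWL files and the group that is allowed to use them.

# List every file or directory under DIR that "other" can write to, which
# is the state a 0777 mode leaves behind. Paths go to stdout.
# Returns 0 when nothing is world-writable, 1 otherwise.
audit_bayes_dir() {
    audit_dir=$1
    audit_hits=$(find "$audit_dir" \( -type f -o -type d \) -perm -0002 -print)
    if [ -n "$audit_hits" ]; then
        printf '%s\n' "$audit_hits"
        return 1
    fi
    return 0
}

# Apply the first alternative from the message: access is decided by group
# membership only. Directories become 0770, files 0660, and "other" gets
# no bits at all. Needs to run as the owner of the files or as root.
tighten_bayes_dir() {
    tighten_dir=$1
    tighten_group=$2
    chgrp -R "$tighten_group" "$tighten_dir" &&
        find "$tighten_dir" -type d -exec chmod 0770 {} + &&
        find "$tighten_dir" -type f -exec chmod 0660 {} +
}
```

Run `audit_bayes_dir` first and keep its output: a world-writable path that turns up there marks a database that any local account could have modified, which matters when deciding whether to trust or rebuild it.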