On Mon, Jun 22, 2015 at 10:42 PM, Bill Cole <sausers-20150...@billmail.scconsult.com> wrote: > On 22 Jun 2015, at 21:45, Michael B Allen wrote: > >> On Mon, Jun 22, 2015 at 8:01 PM, Reindl Harald <h.rei...@thelounge.net> >> wrote: >>>> >>>> [root@www .spamassassin]# pwd >>>> /var/log/spamassassin/.spamassassin >>>> [root@www .spamassassin]# ls -la >>>> total 1100 >>>> drwx------ 2 spamd spamd 4096 Jun 22 19:42 . >>>> drwx------ 3 spamd spamd 4096 Jun 7 00:41 .. >>>> -rw------- 1 spamd spamd 45056 Jun 22 19:42 bayes_seen >>>> -rw------- 1 spamd spamd 1290240 Jun 22 19:42 bayes_toks >>>> -rw-r--r-- 1 spamd spamd 1869 Jun 7 00:41 user_prefs >>> >>> >>> >>> i doubt that SA is using the bayes of root >>> so you just rain the wrong bayes >> >> >> So with a default install (CentOS 7 in my case and I suspect pretty >> much all other systems), bayes will NOT just work by default unless >> you explicitly modify /etc/mail/spamassassin/local.cf to tell sa-learn >> to use the bayes db owned by spamd >> (/var/log/spamassassin/.spamassassin/bayes in my case) and NOT the one >> owned by root? >> >> However, I have done this: >> >> bayes_path /var/log/spamassassin/.spamassassin/bayes >> bayes_file_mode 0777 > > > Don't do that, ever, on any regular file, on any system that has processes > running as more than just root. I know it's in the SA Wiki, but it's an > irresponsible recommendation.
Yeah, I was going to ask about this because it seems to me if the db is owned by spamd and spamassassin is running as user spamd and sa-learn is running as root then 0600 should be fine (although it's not obvious to me why SA needs a "file mode" in the first place). So then what do you recommend that the bayes_file_mode value be precisely? At any rate, the whole thing seems to be working now incidentally. I am getting BAYES_XX tags now. As stated in my other followup message, SA seems to have detected the broken db and fixed it because it suddenly just stated working and sa-learn --dump magic works and is showing the right numbers. So just for posterity, the problem was I just needed "bayes_path /var/log/spamassassin/.spamassassin/bayes" in local.cf to make sa-learn use that db instead of /root/.spamassassin/bayes. Looks like it choked initially but somehow it's working now. >> Everything is installed as user / group spamd and postfix is set to >> call spamassassin with user=spamd. And I assume I must run sa-learn as >> root so that it can access Maildir directories and that bayes_path >> tells sa-learn where the db is. So now what's the problem? > > > Wrong assumption. > > The sa-learn program is for anyone to manually work with their own Bayes DB, > including for the owner of a system-wide Bayes DB to work with that Bayes > DB. If you have a system-wide Bayes DB, it should be fed by either a > system-wide filtering mechanism operating as part of the delivery process > and running as the owner of the global DB or by users running the spamc > client under their own ids to feed a spamd daemon running as the owner of > the global DB or by a combination of the two. The CentOS 7 package installs > spamd and spamc, and if you want to learn already-delivered mail into a > global BayesDB, those are the tools to use. Yes, I want a system-wide bayes db. And I am running spamd and spamc and I assume that is all working (but of course I have no idea if it really is). But I want users to be able to put spams that get through into ~/Maildir/.LearnAsSpam and then, every once in a while, I want to run sa-learn on all of those messages for the system-wide db. So can that be done without running sa-learn as root? Ideally I would think sa-learn should be able to run as root just to access files but use a spamd child to process them and update the bayes db. Possible? Mike
