Tom Hendrikx wrote:
> hi list,
>
> I'm having trouble with a new setup. My server is running postfix
> (2.5.5), dovecot (1.1.7), dspam (3.8.0). These all seem to work with
> each other. When I add dovecot-antispam in the mix, the following problem
> occurs:
>
> New mail arrives, postfix hands the mail to dspam using a
> content_filter, and dspam classifies the mail, running as the dspam user.
> Dspam writes its data away in a sqlite database. Mail then gets
> reinjected into postfix and delivered to the system user by deliver.
>
> When I manually classify a mail using dovecot-antispam, dovecot runs
> dspam classification as the system user. This gives the error "failed to
> call dspam" in my client, and the message "dspam[20203]: query error:
> attempt to write a readonly database: see sql.errors for more details".
>
> Since the mentioned sql.errors is owned by the system user and not by
> the "dspam" user, it seems that the re-classification process is run as
> that user, so he has no write access to the sqlite db, which is owned by
> dspam:dspam. I could fix this by manually changing group ownership to
> the database, but maybe there is a more generic way to solve this?
>
To answer my own question: I think I have it working by adding to
dovecot.conf:

    antispam_dspam_binary = /usr/local/bin/dspam-wrapper

Contents of the wrapper:

    #!/bin/sh
    # Quote "$@" so each argument reaches dspam as a single word
    /usr/bin/sudo -u dspam /usr/bin/dspam "$@"

Finally, adding to /etc/sudoers:

    %mail ALL=(dspam) NOPASSWD: /usr/bin/dspam

Since the actual users have no shell access to the mail server itself, I
see no direct security implications here. But maybe there is some more
elegant way?
--
Regards,
Tom