0

My mailserver set-up is quite old, but did its job for many years. With the last major update from Debian 9 to 10, SpamAssassin stopped working. Today I took the time to search for reasons, and I do not understand what I found.

Running spamassassin --lint as debian-spamd fails to load all modules with lines like:

Nov  4 13:00:50.573 [5216] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AskDNS.pm: lib/Mail/SpamAssassin/Plugin/AskDNS.pm: Keine Berechtigung at (eval 115) line 1.

Using strace I see:

stat("lib/Mail/SpamAssassin/Plugin/AskDNS.pmc", 0x7ffc01e14860) = -1 EACCES (Keine Berechtigung)
stat("lib/Mail/SpamAssassin/Plugin/AskDNS.pm", 0x7ffc01e14860) = -1 EACCES (Keine Berechtigung)

Running spamassassin --lint as root reports no issues except a missing Bayes database, which is to be expected. But the actual issue is that it does neither use any of the files denied for debian-spamd, which simply do not exist:

stat("lib/Mail/SpamAssassin/Plugin/AskDNS.pmc", 0x7ffdafdc1aa0) = -1 ENOENT (Datei oder Verzeichnis nicht gefunden)
stat("lib/Mail/SpamAssassin/Plugin/AskDNS.pm", 0x7ffdafdc1aa0) = -1 ENOENT (Datei oder Verzeichnis nicht gefunden)
stat("/usr/share/perl5/Mail/SpamAssassin/Plugin/AskDNS.pmc", 0x7ffdafdc1aa0) = -1 ENOENT (Datei oder Verzeichnis nicht gefunden)
stat("/usr/share/perl5/Mail/SpamAssassin/Plugin/AskDNS.pm", {st_mode=S_IFREG|0644, st_size=29190, ...}) = 0
openat(AT_FDCWD, "/usr/share/perl5/Mail/SpamAssassin/Plugin/AskDNS.pm", O_RDONLY|O_CLOEXEC) = 4

namei -om /usr/share/perl5/Mail/SpamAssassin/Plugin/AskDNS.pm reveals that this file is accessible by anyone. And in fact, I can e.g. cat it as debian-spamd. But it is apparently not even tried.

On the other hand I did find / -type d -name 'lib' -exec namei -om {} \; and there is neither any ´lib´ folder, which would be inaccessible, nor does find / -type d | grep lib/Mail list any matching folders, which might be denied.

The server is a LXC container running current Debian 10.6 as does the host.

Any ideas to further pin down the issue are appreciated.

Lars Hanke
  • 281
  • 2
  • 15

1 Answers1

0

The issue seems to be that SpamAssassin first checks ./lib/... before it checks standard paths. I did my test from /root, which is inaccessible for other users, i.e. . failed already with EPERM. Apparently, this causes SpamAssassin to give up immediately.

Starting SpamAssassin from the home directory of debian-spamd succeeded.

Lars Hanke
  • 281
  • 2
  • 15