3

I have mail gateway servers configured to use MailScanner + Postfix + SpamAssassin as described here, along with MailWatch as a web front end.

When sa-learn is run from MailWatch (it's run as the postfix user), it throws this error:

SA Learn: config: path "/root/.spamassassin" is inaccessible: Permission denied, Learned tokens from 0 message(s) (1 message(s) examined)

Running "sudo -u postfix spamassassin --lint -D" gives this bit of info:

dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
warn: config: path "/root/.spamassassin" is inaccessible: Permission denied
dbg: config: mkdir /root/.spamassassin failed: mkdir /root/.spamassassin: Permission denied at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1577
dbg: config: Permission denied
dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file

The bayes tokens are learned correctly, however this error is a minor annoyance and I'd like to fix it... Either by forcing SpamAssassin to not check the /root/.spamassassin/ directory for the config & prefs, or to fix MailWatch so it calls sa-learn correctly & doesn't throw this error.

gharper

6 Answers

2

The real fix is to disable "per-user" config in spamassassin and globally set the Bayesian DB, but a quick patch would be to add the "-H" option to sudo to use postfix's home directory, where it should have permission to write as postfix.

LapTop006
  • This sounds like it might be along the correct lines, but I'm still looking for specific documentation on how to accomplish this... once I do & if it turns out to be correct, I'll post it here and check this as answered unless someone beats me to the punch. – gharper Jul 13 '09 at 23:07
  • Of course the other option is to symlink /root/.spamassassin to ~postfix/.spamassassin. I've done this on one machine and it does work as long as the permissions are ok. – LapTop006 Jul 14 '09 at 14:42
2

This is not a bug; it is because you are running the sa-learn command with an invalid user. For example, my setup uses the standard debian-spamd user.

# sa-learn -u debian-spamd --dbpath /var/lib/spamassassin/.spamassassin/bayes --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0         84          0  non-token data: nspam
0.000          0       6565          0  non-token data: nham
0.000          0      15128          0  non-token data: ntokens
0.000          0 1510837441          0  non-token data: oldest atime
0.000          0 1519232775          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0          0          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count

And for accounts

# sa-learn --ham -u debian-spamd --showdots --dir /var/vmail/mydomain.com/support/cur/*
.
Learned tokens from 1 message(s) (1 message(s) examined)

I have 20 email accounts on the server and crons to match for ham and spam, and never get the error. Make sure your setup and user:group are correct on relevant files/directories.

Link to a quick tutorial on how to fix https://www.devcu.com/forums/topic/745-spamassassin-is-inaccessible-permission-denied/

devCU Soft
1

This could be a workaround:

# chmod o+x /root
# mv -f /root/.spamassassin /root/.spamassassin.err
# ln -s /var/spool/MailScanner/spamassassin /root/.spamassassin
# mkdir -p /var/spool/MailScanner/spamassassin
# chown postfix.apache /var/spool/MailScanner/spamassassin
# chmod 770 /var/spool/MailScanner/spamassassin
  • 1
    This was my original thought for a workaround, but making /root traversable by anyone doesn't really give me the warm fuzzies... While I don't think it's necessarily a security risk, I'd rather avoid it if at all possible. – gharper Jul 29 '09 at 15:07
0

Shouldn't you use the spamassassin daemon spamd instead? Then you'd use the spamc command instead of spamassassin. Basically, run spamd from its startup script, and use spamc from your mailscanner.

wazoox
  • MailScanner doesn't actually use spamd, spamc, or the spamassassin script directly, it calls the installed perl modules. – gharper Jun 25 '09 at 20:11
  • 2
    I see. Then you should tell sa-learn to use some other place (postfix-writable) to store its data with the --dbpath option. – wazoox Jun 26 '09 at 09:26
  • 1
    The bayes database is already writable by postfix, which is why tokens are being learned correctly - what I'm trying to fix is sa-learn checking the root directory for config files first & throwing an error before correctly using the global config file in /etc/MailScanner/ and moving on. – gharper Jun 26 '09 at 15:19
0

Did you try adding the --dbpath parameter, like this?

sa-learn --dbpath /var/lib/amavis/.spamassassin/ ....
hayalci
  • Yup, and it still throws the "config: path "/root/.spamassassin" is inaccessible: Permission denied" error – gharper Jul 13 '09 at 22:35
0

The Cause
The cause is that spamassassin (which is called by sa-learn, spamc, spamd, spampd etc), tries to read a per-user config file from $HOME.

This happens even if the config option allow_user_rules is set to 0 (IMO this is probably a bug and it's been round a long time).

As it can't find this folder (because of permissions) it then tries to create the folder.

As those who run sa-learn inside a cron know, this is very annoying as we get a failure email even from a successful run. Just google the error config: path "/root/.spamassassin" is inaccessible: Permission denied and see how many people this affects (and the insecure fixes they suggest). The only safe solution for cron was to ignore it and pipe stdout and stderr to /dev/null, but that's a bit extreme.

It does this regardless of what -C or -p or --dbpath options are passed, so you can't fix it either in the command line options or the global config.

The Fix
The solution, that worked for me, is to call sa-learn and pass a temporary $HOME environment variable pointing to a location where the non-root user running spamassassin can write, in my case this is /var/cache/spampd: e.g.

HOME=/var/cache/spampd sa-learn --spam /var/vmail/jason/.SPAM/cur
Jay M
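
The HOME override described in the answer above, as an added example that is not part of the original post: a shell wrapper that refuses to use a HOME directory unless it is a real directory owned by the calling user and not group- or world-writable, so the fix does not depend on loosening /root. The function names and the `SA_LEARN` override variable are assumptions made for this example; `/var/cache/spampd` is the path from the answer.

```shell
#!/bin/sh
# Added example: run sa-learn with HOME pointed at a directory the
# unprivileged mail user owns, instead of opening up /root.

# Return 0 only if $1 is a real directory (not a symlink), owned by the
# current user, and not writable by group or others.
sa_home_ok() {
    dir=$1
    [ -n "$dir" ] || return 1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -O "$dir" ] || return 1
    # find prints the path only if a g+w or o+w bit is set
    loose=$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
    [ -z "$loose" ] || return 1
    return 0
}

# Run sa-learn with HOME overridden for that command.
# SA_LEARN is a hypothetical override (an assumption of this example) so
# the wrapper can be exercised without SpamAssassin installed.
# Returns 2 without running anything if the HOME candidate is unsafe;
# otherwise returns sa-learn's own exit status, with its output intact.
sa_learn_with_home() {
    home=$1
    shift
    if ! sa_home_ok "$home"; then
        echo "refusing to use '$home' as HOME for sa-learn" >&2
        return 2
    fi
    HOME=$home "${SA_LEARN:-sa-learn}" "$@"
}

# Cron usage, run as the mail user (paths taken from the answer above):
#   sa_learn_with_home /var/cache/spampd --spam /var/vmail/jason/.SPAM/cur
```

Because the wrapper leaves sa-learn's stdout and stderr alone, cron mail still reports real failures rather than having everything sent to /dev/null.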