spamassassin tmp directory
spamassassin tmp directory
I am looking to change the tmp directory for spamasassin. The background is that when you use dazuko and add /tmp to the direcotries to scan, spamassassin fails to scan some objects. This happens because spamassassin uses /tmp when it's scanning the files and dazxuko recognizes the message payload as, for example, malware and refuses access to to file. Then spamassassin creates errors in maillog. So now I am trying to move the spamassassin working directory out of /tmp but I cannot really find any instructions on how to do it. Anyone got an idea?
Re: spamassassin tmp directory
BTW, the errors message looks like this:
spamd[7484]: prefork: sysread(9) failed after 300 secs at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/SpamdForkScaling.pm line 648.
spamd[26802]: util: cannot open /tmp/.spamassassin24612kkYBdEtmp: Permission denied at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Util.pm line 1375.
Mike has explained to me (thanks again Mike for being so educational and understanding for us not being security expertsd in your explanations!), that dazuko uses the inode to get the directories when it starts, so this error often appears when you are rebooting your server.
spamd[7484]: prefork: sysread(9) failed after 300 secs at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/SpamdForkScaling.pm line 648.
spamd[26802]: util: cannot open /tmp/.spamassassin24612kkYBdEtmp: Permission denied at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Util.pm line 1375.
Mike has explained to me (thanks again Mike for being so educational and understanding for us not being security expertsd in your explanations!), that dazuko uses the inode to get the directories when it starts, so this error often appears when you are rebooting your server.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: spamassassin tmp directory
What happens if you set $TMPDIR in the spamassassin user's environment to some other directory?
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: spamassassin tmp directory
Yes, I can confirm this works. Heres how to do this:
Open the file:
/etc/init.d/spamassassin
Scroll down to this line:
daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
Yours might be a little different, if so look for the line that starts spamd (although this is what it looks like on Centos and Fedora). Above that line, add this line:
export TMPDIR=/var/spamtmp
So the function should now look like this:
start)
# tell portreserve to release the port
[ -x /sbin/portrelease ] && /sbin/portrelease spamd &>/dev/null || :
# Start daemon.
echo -n $"Starting $prog: "
export TMPDIR=/var/spamtmp
daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
RETVAL=$?
echo
if [ $RETVAL = 0 ]; then
touch /var/lock/subsys/spamd
fi
;;
Go create the directory /var/spamtmp:
mkdir /var/spamtmp
Set that directory to only be writable by spamd (this is really important for security reasons):
chown <user that spamd runs as> /var/spamtmp
chmod og-rwx /var/spamtmp
Restart spamassassin:
/etc/init.d/spamassassin restart
Open the file:
/etc/init.d/spamassassin
Scroll down to this line:
daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
Yours might be a little different, if so look for the line that starts spamd (although this is what it looks like on Centos and Fedora). Above that line, add this line:
export TMPDIR=/var/spamtmp
So the function should now look like this:
start)
# tell portreserve to release the port
[ -x /sbin/portrelease ] && /sbin/portrelease spamd &>/dev/null || :
# Start daemon.
echo -n $"Starting $prog: "
export TMPDIR=/var/spamtmp
daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
RETVAL=$?
echo
if [ $RETVAL = 0 ]; then
touch /var/lock/subsys/spamd
fi
;;
Go create the directory /var/spamtmp:
mkdir /var/spamtmp
Set that directory to only be writable by spamd (this is really important for security reasons):
chown <user that spamd runs as> /var/spamtmp
chmod og-rwx /var/spamtmp
Restart spamassassin:
/etc/init.d/spamassassin restart
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone
Re: spamassassin tmp directory
Thanks a bunch! Been out of town for a few days, but will try it out during the weekend.
Re: spamassassin tmp directory
I am having some troubles. I cannot find out which user is running spamd. When I ps I get:
So I thought is was running as root. I thried to leave root as owner of the dir, but only got a bunch of:
Code: Select all
root 30666 0.1 1.4 53080 45676 ? Ss 19:58 0:02 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
Code: Select all
Jun 6 19:58:01 server7 spamd[30590]: util: secure_tmpfile failed to create file /var/spamtmp/.spamassassin30590jvtQrctmp': Permission denied
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: spamassassin tmp directory
This happens when spamassassin is run as root. Run it as a non-priv user and the issue should go away.
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone
Re: spamassassin tmp directory
And where do I do this? It is a bit confusing when you look at it. some instructions are for psa-spamassassin, some for spamasassin and some for qmail-scanner. Tried changing /etc/sysconfig/spamassassin but started to get quite a few errors in maillog (used popuser as user).
Sorry for all these qwuestions, but everything has been running flawlessly and I really haven't had to look into every setup detail...
Sorry for all these qwuestions, but everything has been running flawlessly and I really haven't had to look into every setup detail...
Re: spamassassin tmp directory
Answering my own question (at least I think I do...).
It seems like it is running as user qscand if you are using qmail-scanner.
It seems like it is running as user qscand if you are using qmail-scanner.