spamassassin tmp directory

[biggles]

I am looking to change the tmp directory for spamasassin. The background is that when you use dazuko and add /tmp to the direcotries to scan, spamassassin fails to scan some objects. This happens because spamassassin uses /tmp when it's scanning the files and dazxuko recognizes the message payload as, for example, malware and refuses access to to file. Then spamassassin creates errors in maillog. So now I am trying to move the spamassassin working directory out of /tmp but I cannot really find any instructions on how to do it. Anyone got an idea?

[biggles]

BTW, the errors message looks like this:

spamd[7484]: prefork: sysread(9) failed after 300 secs at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/SpamdForkScaling.pm line 648.

spamd[26802]: util: cannot open /tmp/.spamassassin24612kkYBdEtmp: Permission denied at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Util.pm line 1375.

Mike has explained to me (thanks again Mike for being so educational and understanding for us not being security expertsd in your explanations!), that dazuko uses the inode to get the directories when it starts, so this error often appears when you are rebooting your server.

[mikeshinn]

What happens if you set $TMPDIR in the spamassassin user's environment to some other directory?

[mikeshinn]

Yes, I can confirm this works. Heres how to do this:

Open the file:

/etc/init.d/spamassassin

Scroll down to this line:

daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID

Yours might be a little different, if so look for the line that starts spamd (although this is what it looks like on Centos and Fedora). Above that line, add this line:

export TMPDIR=/var/spamtmp

So the function should now look like this:

start)
# tell portreserve to release the port
[ -x /sbin/portrelease ] && /sbin/portrelease spamd &>/dev/null || :
# Start daemon.
echo -n $"Starting $prog: "
export TMPDIR=/var/spamtmp
daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
RETVAL=$?
echo
if [ $RETVAL = 0 ]; then
touch /var/lock/subsys/spamd
fi
;;

Go create the directory /var/spamtmp:

mkdir /var/spamtmp

Set that directory to only be writable by spamd (this is really important for security reasons):

chown <user that spamd runs as> /var/spamtmp
chmod og-rwx /var/spamtmp

Restart spamassassin:

/etc/init.d/spamassassin restart

[biggles]

Thanks a bunch! Been out of town for a few days, but will try it out during the weekend.

[biggles]

I am having some troubles. I cannot find out which user is running spamd. When I ps I get:

Code: Select all

root     30666  0.1  1.4  53080 45676 ?        Ss   19:58   0:02 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid

So I thought is was running as root. I thried to leave root as owner of the dir, but only got a bunch of:

Code: Select all

Jun  6 19:58:01 server7 spamd[30590]: util: secure_tmpfile failed to create file /var/spamtmp/.spamassassin30590jvtQrctmp': Permission denied 

[mikeshinn]

This happens when spamassassin is run as root. Run it as a non-priv user and the issue should go away.

[biggles]

And where do I do this? It is a bit confusing when you look at it. some instructions are for psa-spamassassin, some for spamasassin and some for qmail-scanner. Tried changing /etc/sysconfig/spamassassin but started to get quite a few errors in maillog (used popuser as user).

Sorry for all these qwuestions, but everything has been running flawlessly and I really haven't had to look into every setup detail...

[biggles]

Answering my own question (at least I think I do...).

It seems like it is running as user qscand if you are using qmail-scanner.