Posted to users@spamassassin.apache.org by Robert Ober <ro...@robob.com> on 2009/04/28 18:07:32 UTC

Procmail Setup NOT Working

Hello Folks,

I am using Spamassassin 3.2.5 with Sendmail 8.14.1 in an installation 
for office and offsite users.  The initial setup was to have 
Spamassassin rewrite the subject so that the users could set up a 
filter in Outlook.  Problem is that some users are set up to have their 
email forwarded to their cellphone/blackberry and the spam is in that 
inbox.  So I found some articles and decided to have the spam go to a 
file.  The following is the new version of the /etc/procmailrc:

DROPPRIVS=yes


LOGFILE=/var/log/procmail.log
VERBOSE=yes
LOGABSTRACT=all

:0fw
| /usr/bin/spamc


# Mail that is very likely spam (>15) can be dropped on the floor.
# Move the # down one line to drop it.
# Note that dropping mail on the floor is a *bad*
# idea unless you really, really believe no false positives will
# have a score greater than 15.
SPAMFOLDER=spam
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
#/dev/null
almost-certainly-spam

:0 w :$SPAMFOLDER/.lock
* ^X-Spam-Status: Yes
$SPAMFOLDER/.




No spam is going to the spam file in /var/spool/mail although the main 
offsite user did have a .lock . I even dropped the level from 8 to 5 . 
The main offsite user is being flooded and sees all the spam on his 
phone.  I even rebooted the server (Fedora Linux Core 6) last night.   
Also, what ownership should the logfile(procmail.log) have?  I did 660 
and tried mail.mail and it still complains in the maillog that it cannot 
write to the logfile.

Ideas would be most welcome.

Thanks,
Robert A. Ober



Re: Procmail Setup NOT Working

Posted by Theo Van Dinter <fe...@apache.org>.
2009/4/28 Robert Ober <ro...@robob.com>:
> It was global and I want it to stay global.  The old procmailrc is:
>
> DROPPRIVS=yes
>
> :0fw
> | /usr/bin/spamc

That's a global config, but you're running it per-user due to the
DROPPRIVS line.  fyi.

> All I want to do now is have all the identified spam(X-Spam-Status: Yes ?)
> go to a global file instead of delivered to the users.  The global spam file
> will be readable by only myself and management.

Just create a file and set the permissions to be globally writable,
then point procmail at it.
You can set the read perms however you want.

This makes it hard for users to figure out that some of their mail is
missing though, and makes it harder for them to recover it.

Re: Procmail Setup NOT Working

Posted by John Hardin <jh...@impsec.org>.
On Tue, 28 Apr 2009, Robert Ober wrote:

> All I want to do now is have all the identified spam(X-Spam-Status: Yes 
> ?) go to a global file instead of delivered to the users.  The global 
> spam file will be readable by only myself and management.  Company owned 
> systems, so no privacy implied nor should be expected.

Do you really want that mailbox file to be world-writable?

Alternative: create a spam user, and have procmail _forward_ spams to that 
user. Procmail would have to skip SA scoring and forwarding if it was 
running as that user, of course.

Then you don't need to worry about access permissions on the spam box.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Ignorance doesn't make stuff not exist.               -- Bucky Katt
-----------------------------------------------------------------------
  10 days until the 64th anniversary of VE day
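
The forwarding alternative described above, written out as a procmailrc. This is an added example, not a configuration posted by anyone in this thread. The account name "spamquarantine" is hypothetical, and the per-user log path assumes every recipient has an existing home directory.

```procmail
# /etc/procmailrc -- added example, not a configuration from this thread.
# "spamquarantine" is a hypothetical local account created for this purpose.

# Run every recipe below as the recipient, as in the original file.
DROPPRIVS=yes

# Per-recipient log: writable because procmail now runs as that user.
# Assumes every recipient has an existing home directory.
LOGFILE=$HOME/procmail.log

# Skip scanning and forwarding when the recipient is the quarantine
# account itself; its mail falls through to normal delivery.
:0
* ! LOGNAME ?? ^^spamquarantine^^
{
    # Filter the message through spamd, as in the original recipe.
    :0fw
    | /usr/bin/spamc

    # Forward tagged mail to the quarantine account instead of writing
    # to a shared file, so no mailbox has to be writable by other users.
    :0
    * ^X-Spam-Status: Yes
    ! spamquarantine
}

# Anything not forwarded above is delivered to the recipient's
# default mailbox.
```

Read access to the quarantine is then a matter of who can log in as, or read the spool of, that one account.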

Re: Procmail Setup NOT Working

Posted by Robert Ober <ro...@robob.com>.
On 4/28/09 3:00 PM, Karsten Bräckelmann wrote:
> On Tue, 2009-04-28 at 13:32 -0500, Robert Ober wrote:
>> On 4/28/09 11:34 AM, Karsten Bräckelmann wrote:
>>


It was global and I want it to stay global.  The old procmailrc is:

DROPPRIVS=yes

:0fw
| /usr/bin/spamc


No .procmailrc for the users.  And Spamassassin is set to rewrite the 
subject with *****Possible SPAM*****

All I want to do now is have all the identified spam(X-Spam-Status: Yes 
?) go to a global file instead of delivered to the users.  The global 
spam file will be readable by only myself and management.  Company owned 
systems, so no privacy implied nor should be expected.

I appreciate the responses.

Thanks,
Robert A. Ober
PS: If not, how else?







Re: Procmail Setup NOT Working

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2009-04-28 at 13:32 -0500, Robert Ober wrote:
> On 4/28/09 11:34 AM, Karsten Bräckelmann wrote:
> 
> >> DROPPRIVS=yes
> >
> > procmail is being run on behalf of the recipient.
> 
> Makes sense,  any way to make sure the log is writeable other than to 
> put all the users in a group?

Ah, just answered the same question at the very end. ;)

> >> LOGFILE=/var/log/procmail.log
> >> VERBOSE=yes
> >> LOGABSTRACT=all
> >
> > MAILDIR is not set, so it defaults to $HOME.
> 
> How does this apply for doing Spamassassin globally?

It doesn't. I mentioned it to point out where mail will be delivered to
by procmail. Or rather would, if the $HOME would exist...

However, there *is* a point here that matters to SA. It's not the
delivering, which is important only to your IMAP server, or whatever
else you plan to access the "spam" folders procmail delivers to.

The point that matters to SA is the existence of a $HOME. Since you told
procmail to drop privs, and do the filtering on behalf of the recipient
user, spamc will be invoked as that user, too -- and spamd will attempt
to access per-user configs, and maybe even attempt to create it.

How exactly did you do the SA filtering before?

Site-wide config and dedicated SA or mail processing user? Are these
email users real system users, or virtual? Sounds like you have been
using some site-wide setup before -- and now you just switched to a
per-user config.  Do you really want that?


> > Does your "main offsite user" even have a $HOME? What user is this being
> > run as? Check its home...
> 
> Yes, but all mail goes to /var/spool/mail.  Each user has a file there 
> under their name.

So?  See my post again, about the setting of MAILDIR and where procmail
will deliver according to your recipes. Which, BTW, does not impact the
default folder, when procmail reaches the end of the recipes. It most
likely will be the same as it currently is -- given you're doing
*per-user* processing with procmail...

Which might not be what you want to switch to. Humm...

Site-wide SA integration with procmail using a single, site-wide
quarantine folder. Anyone? :)


Did you check the SA site and wiki for some hints?


> >> SPAMFOLDER=spam
> >> :0:
> >> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> >> #/dev/null
> >> almost-certainly-spam
> >
> > This would deliver in *mbox* format into $MAILDIR/almost-certainly-spam
> >
> >> :0 w :$SPAMFOLDER/.lock

That lock file likely isn't writable either.

> >> * ^X-Spam-Status: Yes
> >> $SPAMFOLDER/.
> >
> > Here you specify *MH* format, delivering into $MAILDIR/spam/
> 
> Well I just copied from an article.  How do I change it for mbox?

You'd better carefully review the source you copy from. That's quite a
gross mis-configuration. Oh, and also carefully check if the source
actually applies to your case.

As for changing to mbox, see man procmailrc, last paragraph of the
section "Recipe action line".  Spoiler: mbox format will be used if you
specify a regular *file*, that's no / or /. suffix.


> >> No spam is going to the spam file in /var/spool/mail although the main
> >> offsite user did have a .lock . I even dropped the level from 8 to 5 .
> >> The main offsite user is being flooded and sees all the spam on his
> >> phone.  I even rebooted the server (Fedora Linux Core 6) last night.
> >> Also, what ownership should the logfile(procmail.log) have?  I did 660
> >> and tried mail.mail and it still complains in the maillog that it cannot
> >> write to the logfile.
> >
> > procmail is not being run as user mail. See DROPPRIVS in man procmailrc.
> 
> Will do.
> 
> > You should sort out *where* to deliver, and what *format* to use. Also
> > it seems the user procmail runs as is not allowed to write to the
> > delivery destinations -- and/or does not have a $HOME.
> 
> Sendmail with mbox.  As I stated, it was working just for rewriting the 

Well, *how* was it working before? How did you integrate SA? (see above)

> subject.  How do I set procmail to run as mail or whatever.  This is 
> unclear to me.  I want this to work globally, all spam to the same file.

Hmm, never done such a stunt, but this *could* work.  NOTE: I did NOT
try it, use at your own risk!

In the global procmailrc file, first do the filtering through spamc/d,
deliver spam to dedicated, system mbox files -- and then set DROPPRIVS
for default mail spool delivery.

Again, this is untested!

And I really don't like the idea of a global quarantine anyway, possibly
containing sensitive and private data. Who will review the spam !?


> > You will see the failed delivery attempts and falling through to the
> > next recipe / default mailbox in the procmail logs, once they are
> > writable...
> 
> Still do not understand how to do that.

Add the user to the group? Or even make it world-writable, just for
debugging purposes. But without a log, you're stabbing in the dark.
Procmail can't even complain to you, which it would loudly.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Procmail Setup NOT Working

Posted by Robert Ober <ro...@robob.com>.
On 4/28/09 11:34 AM, Karsten Bräckelmann wrote:

>> DROPPRIVS=yes
>
> procmail is being run on behalf of the recipient.
>

Makes sense,  any way to make sure the log is writeable other than to 
put all the users in a group?

>> LOGFILE=/var/log/procmail.log
>> VERBOSE=yes
>> LOGABSTRACT=all
>
> MAILDIR is not set, so it defaults to $HOME.

How does this apply for doing Spamassassin globally?

> Does your "main offsite user" even have a $HOME? What user is this being
> run as? Check its home...

Yes, but all mail goes to /var/spool/mail.  Each user has a file there 
under their name.

>
>> :0fw
>> | /usr/bin/spamc
>>
>>
>> # Mail that is very likely spam (>15) can be dropped on the floor.
>> # Move the # down one line to drop it.
>> # Note that dropping mail on the floor is a *bad*
>> # idea unless you really, really believe no false positives will
>> # have a score greater than 15.
>> SPAMFOLDER=spam
>> :0:
>> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
>> #/dev/null
>> almost-certainly-spam
>
> This would deliver in *mbox* format into $MAILDIR/almost-certainly-spam
>
>> :0 w :$SPAMFOLDER/.lock
>> * ^X-Spam-Status: Yes
>> $SPAMFOLDER/.
>
> Here you specify *MH* format, delivering into $MAILDIR/spam/


Well I just copied from an article.  How do I change it for mbox?

>> No spam is going to the spam file in /var/spool/mail although the main
>> offsite user did have a .lock . I even dropped the level from 8 to 5 .
>> The main offsite user is being flooded and sees all the spam on his
>> phone.  I even rebooted the server (Fedora Linux Core 6) last night.
>> Also, what ownership should the logfile(procmail.log) have?  I did 660
>> and tried mail.mail and it still complains in the maillog that it cannot
>> write to the logfile.
>
> procmail is not being run as user mail. See DROPPRIVS in man procmailrc.

Will do.

> You should sort out *where* to deliver, and what *format* to use. Also
> it seems the user procmail runs as is not allowed to write to the
> delivery destinations -- and/or does not have a $HOME.

Sendmail with mbox.  As I stated, it was working just for rewriting the 
subject.  How do I set procmail to run as mail or whatever.  This is 
unclear to me.  I want this to work globally, all spam to the same file.

> You will see the failed delivery attempts and falling through to the
> next recipe / default mailbox in the procmail logs, once they are
> writable...
>
>

Still do not understand how to do that.

Thanks for the help,
Robert:-)

Re: Procmail Setup NOT Working

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2009-04-28 at 11:07 -0500, Robert Ober wrote:

> filter in Outlook.  Problem is that some users are set up to have their 
> email forwarded to their cellphone/blackberry and the spam is in that 
> inbox.  So I found some articles and decided to have the spam go to a 
> file.  The following is the new version of the /etc/procmailrc:
> 
> DROPPRIVS=yes

procmail is being run on behalf of the recipient.

> LOGFILE=/var/log/procmail.log
> VERBOSE=yes
> LOGABSTRACT=all

MAILDIR is not set, so it defaults to $HOME.

Does your "main offsite user" even have a $HOME? What user is this being
run as? Check its home...

> :0fw
> | /usr/bin/spamc
> 
> 
> # Mail that is very likely spam (>15) can be dropped on the floor.
> # Move the # down one line to drop it.
> # Note that dropping mail on the floor is a *bad*
> # idea unless you really, really believe no false positives will
> # have a score greater than 15.
> SPAMFOLDER=spam
> :0:
> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> #/dev/null
> almost-certainly-spam

This would deliver in *mbox* format into $MAILDIR/almost-certainly-spam

> :0 w :$SPAMFOLDER/.lock
> * ^X-Spam-Status: Yes
> $SPAMFOLDER/.

Here you specify *MH* format, delivering into $MAILDIR/spam/


> No spam is going to the spam file in /var/spool/mail although the main 
> offsite user did have a .lock . I even dropped the level from 8 to 5 . 
> The main offsite user is being flooded and sees all the spam on his 
> phone.  I even rebooted the server (Fedora Linux Core 6) last night.   
> Also, what ownership should the logfile(procmail.log) have?  I did 660 
> and tried mail.mail and it still complains in the maillog that it cannot 
> write to the logfile.

procmail is not being run as user mail. See DROPPRIVS in man procmailrc.


You should sort out *where* to deliver, and what *format* to use. Also
it seems the user procmail runs as is not allowed to write to the
delivery destinations -- and/or does not have a $HOME.

You will see the failed delivery attempts and falling through to the
next recipe / default mailbox in the procmail logs, once they are
writable...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}