postfix, procmail and SELinux - No Go

Marc Schwartz (via MN) mschwartz at mn.rr.com
Wed Jun 7 18:12:34 UTC 2006 

On Wed, 2006-06-07 at 17:56 +0100, Paul Howarth wrote:
> On Wed, 2006-06-07 at 12:20 -0400, Daniel J Walsh wrote:
> > I will be turning on dcc and razor policy in next rawhide update.  This 
> > should cover some of the problems you are having.  Please send
> > me all of your policy so that I can get it in the upstream pool.
> 
> We may need to do some rework then, since what we have, particularly for
> dcc, is getting the dcc client to work in spamd when running in the
> spamd domain. By turning on the dcc policy, this will all change.
> 
> Similarly, Mark seems to be running razor from pyzor, so the policy
> tweaks have been for getting razor working as pyzor_t.
> 
> I can send you what we've got so far, but it'll be of limited
> usefulness. Perhaps more useful would be if Mark could let you know
> where the various files/programs are installed to in the upstream
> default configuration (and his config, if different), so that the file
> contexts in policy can be right first time.

<snip of policies>

Paul and Dan,

As of this moment, now running in Enforcing Mode, the following are
known to work with Paul's policies and context changes:

  Incoming multiple POP3 account mail via fetchmail is working.
  fetchmail, BTW, runs every 2 mins. from my own crontab file, not the
  system crontab, using ~/.fetchmailrc.

  Outgoing mail via company SMTP server is working

  Mail forwarding off my laptop via procmail/postfix is working

  Clamassassin is working

  Spamassassin is working


I have not yet had any Viagra-like e-mails to be able to test the other
remote servers (ie. pyzor, razor and DCC) to check for function.
Hopefully some with come through today (why can't you get them when you
want them....  ;-).



The context changes that we made are:

  chcon system_u:object_r:initrc_exec_t /var/dcc/libexec/start-*
  chcon system_u:object_r:initrc_exec_t /var/dcc/libexec/start-*
  restorecon -v /usr/local/bin/clamassassin
  restorecon -v /var/run/utmp



Running 'fixfiles check' shows no errors.



As of this moment, there are no new avc messages since going to
Enforcing Mode.



In terms of installs:

1. SA is the default Core install

2. Pyzor is pyzor.noarch from Extras

3. ClamAV is (from Extras):

    clamav-devel-0.88.2-1.fc5
    clamav-server-0.88.2-1.fc5
    clamav-lib-0.88.2-1.fc5
    clamav-update-0.88.2-1.fc5
    clamav-milter-0.88.2-1.fc5
    clamav-exim-0.86.2-5.fc5
    clamav-data-0.88.2-1.fc5
    clamav-0.88.2-1.fc5

4. Razor is perl-Razor-Agent.i386 from Extras

5. DCC is installed from the tarball at:

     http://www.rhyolite.com/anti-spam/dcc/

6. Clamassassin is installed from the tarball at: 

     http://jameslick.com/clamassassin/



There are three cron jobs that run at night as well to update the remote
tests:

  # Run DCC Update at 1 am
  00 01 * * * root /var/dcc/libexec/updatedcc > /dev/null

  # Run pyzor update at 1:10 am
  10 01 * * * root /usr/bin/pyzor discover > /dev/null

  # Run razor update at 1:20 am
  20 01 * * * root /usr/bin/razor-admin -discover > /dev/null


And there is an hourly cron ClamAV update:

  # Run ClamAV Update every hour
  00 * * * * root freshclam --quiet



I have root's e-mail (via postfix) coming to my local account using an
alias in /etc/aliases and the 'mailbox-command' in /etc/postfix/main.cf
is set to /usr/bin/procmail.



The contents of /etc/mail/spamassassin/v310.pre were modified to enable
razor and DCC. This involved uncommenting:

  loadplugin Mail::SpamAssassin::Plugin::Razor2

and

  loadplugin Mail::SpamAssassin::Plugin::DCC





SA personal settings in ~/.spamassassin/user_prefs:

rewrite_header Subject          [***** SPAM (_SCORE_) *****]


# Enable RBL Checks
skip_rbl_checks         0


# Enable Bayesian filtering and learning
use_bayes                       1
use_bayes_rules                 1
bayes_auto_learn                1


# Pyzor Settings
use_pyzor               1


# Razor Scores to override system settings
# Need to modify /etc/mail/spamassassin/v310pre
use_razor2              1
score RAZOR2_CHECK 0.5
score RAZOR2_CF_RANGE_51_100 0.5
score RAZOR2_CF_RANGE_E4_51_100 1.5
score RAZOR2_CF_RANGE_E8_51_100 1.5


# DCC checks to override system settings
# Need to modify /etc/mail/spamassassin/v310pre
use_dcc                 1
score DCC_CHECK 2.17




Finally, my ~/.procmailrc (without the test forwarding) is:

# Scan for viruses using ClamAV
# This sets: "X-Virus-Status: Yes"
:0 fw
| /usr/local/bin/clamassassin

# Scan with SpamAssassin
:0 fw
# Use spamc with spamd daemon to save CPU
# This sets: "X-Spam-Status: Yes"
# Size setting only scans e-mails < 256k bytes
| /usr/bin/spamc -s 256000




If there is anything else you need to know, let me know. As soon as I
can confirm the use and hits on DCC, razor and pyzor I will follow up.

Thanks!

Marc Schwartz

< A slow spam day? I can't believe that I am anxiously awaiting a
solicitation for an ED drug... :-) >

More information about the fedora-selinux-list mailing list