postfix, procmail and SELinux - No Go
Marc Schwartz (via MN)
mschwartz at mn.rr.com
Wed Jun 7 18:12:34 UTC 2006
On Wed, 2006-06-07 at 17:56 +0100, Paul Howarth wrote:
> On Wed, 2006-06-07 at 12:20 -0400, Daniel J Walsh wrote:
> > I will be turning on dcc and razor policy in next rawhide update. This
> > should cover some of the problems you are having. Please send
> > me all of your policy so that I can get it in the upstream pool.
>
> We may need to do some rework then, since what we have, particularly for
> dcc, is getting the dcc client to work in spamd when running in the
> spamd domain. By turning on the dcc policy, this will all change.
>
> Similarly, Mark seems to be running razor from pyzor, so the policy
> tweaks have been for getting razor working as pyzor_t.
>
> I can send you what we've got so far, but it'll be of limited
> usefulness. Perhaps more useful would be if Mark could let you know
> where the various files/programs are installed to in the upstream
> default configuration (and his config, if different), so that the file
> contexts in policy can be right first time.
<snip of policies>
Paul and Dan,
As of this moment, now running in Enforcing Mode, the following are
known to work with Paul's policies and context changes:
Incoming multiple POP3 account mail via fetchmail is working.
fetchmail, BTW, runs every 2 mins. from my own crontab file, not the
system crontab, using ~/.fetchmailrc.
Outgoing mail via company SMTP server is working
Mail forwarding off my laptop via procmail/postfix is working
Clamassassin is working
Spamassassin is working
I have not yet had any Viagra-like e-mails to be able to test the other
remote servers (ie. pyzor, razor and DCC) to check for function.
Hopefully some with come through today (why can't you get them when you
want them.... ;-).
The context changes that we made are:
chcon system_u:object_r:initrc_exec_t /var/dcc/libexec/start-*
chcon system_u:object_r:initrc_exec_t /var/dcc/libexec/start-*
restorecon -v /usr/local/bin/clamassassin
restorecon -v /var/run/utmp
Running 'fixfiles check' shows no errors.
As of this moment, there are no new avc messages since going to
Enforcing Mode.
In terms of installs:
1. SA is the default Core install
2. Pyzor is pyzor.noarch from Extras
3. ClamAV is (from Extras):
clamav-devel-0.88.2-1.fc5
clamav-server-0.88.2-1.fc5
clamav-lib-0.88.2-1.fc5
clamav-update-0.88.2-1.fc5
clamav-milter-0.88.2-1.fc5
clamav-exim-0.86.2-5.fc5
clamav-data-0.88.2-1.fc5
clamav-0.88.2-1.fc5
4. Razor is perl-Razor-Agent.i386 from Extras
5. DCC is installed from the tarball at:
http://www.rhyolite.com/anti-spam/dcc/
6. Clamassassin is installed from the tarball at:
http://jameslick.com/clamassassin/
There are three cron jobs that run at night as well to update the remote
tests:
# Run DCC Update at 1 am
00 01 * * * root /var/dcc/libexec/updatedcc > /dev/null
# Run pyzor update at 1:10 am
10 01 * * * root /usr/bin/pyzor discover > /dev/null
# Run razor update at 1:20 am
20 01 * * * root /usr/bin/razor-admin -discover > /dev/null
And there is an hourly cron ClamAV update:
# Run ClamAV Update every hour
00 * * * * root freshclam --quiet
I have root's e-mail (via postfix) coming to my local account using an
alias in /etc/aliases and the 'mailbox-command' in /etc/postfix/main.cf
is set to /usr/bin/procmail.
The contents of /etc/mail/spamassassin/v310.pre were modified to enable
razor and DCC. This involved uncommenting:
loadplugin Mail::SpamAssassin::Plugin::Razor2
and
loadplugin Mail::SpamAssassin::Plugin::DCC
SA personal settings in ~/.spamassassin/user_prefs:
rewrite_header Subject [***** SPAM (_SCORE_) *****]
# Enable RBL Checks
skip_rbl_checks 0
# Enable Bayesian filtering and learning
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
# Pyzor Settings
use_pyzor 1
# Razor Scores to override system settings
# Need to modify /etc/mail/spamassassin/v310pre
use_razor2 1
score RAZOR2_CHECK 0.5
score RAZOR2_CF_RANGE_51_100 0.5
score RAZOR2_CF_RANGE_E4_51_100 1.5
score RAZOR2_CF_RANGE_E8_51_100 1.5
# DCC checks to override system settings
# Need to modify /etc/mail/spamassassin/v310pre
use_dcc 1
score DCC_CHECK 2.17
Finally, my ~/.procmailrc (without the test forwarding) is:
# Scan for viruses using ClamAV
# This sets: "X-Virus-Status: Yes"
:0 fw
| /usr/local/bin/clamassassin
# Scan with SpamAssassin
:0 fw
# Use spamc with spamd daemon to save CPU
# This sets: "X-Spam-Status: Yes"
# Size setting only scans e-mails < 256k bytes
| /usr/bin/spamc -s 256000
If there is anything else you need to know, let me know. As soon as I
can confirm the use and hits on DCC, razor and pyzor I will follow up.
Thanks!
Marc Schwartz
< A slow spam day? I can't believe that I am anxiously awaiting a
solicitation for an ED drug... :-) >
More information about the fedora-selinux-list
mailing list