Postfix and Spamassassin

[kbocek]

My postfix setup is processing all my mail through a custom script to add footers, etc. The end of my script looks like:

Code: Select all

/usr/bin/spamc -E --username=mailfilt <in.$$ >spam.$$
spamexit=$?

if [ "$spamexit" -gt 0 ]
then
    /usr/libexec/dovecot/dovecot-lda -d myuser -m Junk <spam.$$
else
    $SENDMAIL "$@" <spam.$$
fi

Spamc is working and flagging emails. But I'm trying to figure out how to deliver spam to the Junk folder. The dovecot-lda command does not work giving a permission denied error. The script is running as the user "mailfilt".

Is dovecot-lda the wrong program here? How do I deliver email to a specific folder?

Thanks.

[kbocek]

So I'm running this script as the user "mailfilt". I've installed a custom selinux rule to get this user to work with Postfix. I see in maillog:

Code: Select all

dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=494(mailfilt) egid=490(mailfilt) missing +r perm: /var/run/dovecot/auth-userdb, euid is not dir owner)

So I thought running the dovecot-lda command as root would fix things. In /etc/sudoers:

Code: Select all

mailfilt ALL=/usr/libexec/dovecot/dovecot-lda

But now I get

Code: Select all

server1 postfix/pipe[2829]: BA4BC7FDD3: to=<kbocek@kbocek.com>, orig_to=<test@hbs.biz>, relay=mailfilt, delay=9.7, delays=0.09/0.01/0/9.6, dsn=5.3.0, status=bounced (Command died with status 126: "/etc/postfix/mailfilt.sh". Command output: /etc/postfix/mailfilt.sh: line 138: /usr/bin/sudo: Permission denied )

Is there something I'm doing wrong getting the user mailfilt to run sudo?

[kbocek]

Looks like an selinux issue:

Code: Select all

type=AVC msg=audit(1497989009.040:138023): avc:  denied  { execute } for  pid=3269 comm="mailfilt.sh" name="sudo" dev=dm-0 ino=6938 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file

[kbocek]

This post https://serverfault.com/questions/32400 ... anual-crea suggested some selinux changes:

Code: Select all

semanage login -a -s staff_u -r s0 mailfilt

and

Code: Select all

mailfilt ALL=(ALL)       ROLE=sysadm_r   TYPE=sysadm_t  ALL

But I'm still getting the same permission denied.

[TrevorH]

Why are you trying to run sudo from within a mail filter????

[kbocek]

Because the dovecot-lda command in my first post is failing and I don't know why. I'm trying to get it to execute.

[kbocek]

Well it looks like I'll have to go through the painful audit2allow process to get this working:

https://wiki.centos.org/HowTos/SELinux

I've done this several times. Invoke the process I am attempting to get working. Extract from the audit log. Create a custom rule. Repeat until it works.

[TrevorH]

Extract from the audit log. Create a custom rule. Repeat until it works.

Third step should not be necessary but you're missing step 0 which helps to avoid step 3... namely setenforce 0 first.