IMAPSieve - permission issues (learn from user)

[rsk]

I have followed the tutorial at https://docs.directadmin.com/other-...m/incoming-spam.html#how-to-enable-pigeonhole

and modified the last 2 shell scripts to be used for rspamd instead of spamassassin - as I want to teach rspamd from user input (when moving emails to spam folder and vice versa). However, I receive permission errors.

/etc/dovecot/conf.d/99-imap-sieve.conf

plugin {
  sieve_plugins = sieve_imapsieve sieve_extprograms

  # From elsewhere to Spam folder
  imapsieve_mailbox1_name = INBOX.spam
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_before = file:/usr/local/bin/dovecot-sieve/report-spam.sieve

  # From Spam folder to elsewhere
  imapsieve_mailbox2_name = *
  imapsieve_mailbox2_from = INBOX.spam
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/usr/local/bin/dovecot-sieve/report-ham.sieve

  sieve_pipe_bin_dir = /usr/local/bin/dovecot-sieve

  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
}

report-spam.sieve

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamd-learn-spam.sh";

report-ham.sieve

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamd-learn-ham.sh";

sievec report-spam.sieve
sievec report-ham.sieve

chown mail. report-spam.sieve
chown mail. report-ham.sieve

rspamd-learn-spam.sh

#!/bin/bash
exec /usr/bin/rspamc learn_spam

rspamd-learn-ham.sh

#!/bin/bash
exec /usr/bin/rspamc learn_ham

Upon moving an email from any folder to spam, I can see in the logs the errors due to permission. I have tried everything including chown'ing to dovecot, mail, etc. and even for testing purposes chmod'd the .sh files to 777. The errors I get are below

Jul 29 18:45:20 server dovecot[19738]: imap([email protected])<22560><6hIb1EXIhNBWYXhY>: Fatal: execvp(/usr/local/bin/dovecot-sieve/rspamd-learn-spam.sh) failed: Permission denied
Jul 29 18:45:20 server dovecot[19738]: imap([email protected])<22560><6hIb1EXIhNBWYXhY>: program exec:/usr/local/bin/dovecot-sieve/rspamd-learn-spam.sh (22561): Terminated with non-zero exit code 84
Jul 29 18:45:20 server dovecot[19738]: imap([email protected])<22560><6hIb1EXIhNBWYXhY>: Error: sieve: failed to execute to program `rspamd-learn-spam.sh': refer to server log for more information. [2021-07-29 18:45:20]
Jul 29 18:45:20 server dovecot[19738]: imap([email protected])<22560><6hIb1EXIhNBWYXhY>: Error: sieve: Execution of script /usr/local/bin/dovecot-sieve/report-spam.sieve failed

Appreciate any help

Thanks!

 

[rsk]

Fiddled some more, and now the permission error is gone, but the following are still there ...

Jul 31 01:26:18 server dovecot[19120]: imap([email protected])<19235><wTvoi1/IDv5WYXhY>: program exec:/usr/local/bin/dovecot-sieve/rspamd-learn-ham.sh (19236): Terminated with non-zero exit code 1
Jul 31 01:26:18 server dovecot[19120]: imap([email protected])<19235><wTvoi1/IDv5WYXhY>: Error: sieve: failed to execute to program `rspamd-learn-ham.sh': refer to server log for more information. [2021-07-31 01:26:18]
Jul 31 01:26:18 server dovecot[19120]: imap([email protected])<19235><wTvoi1/IDv5WYXhY>: Error: sieve: Execution of script /usr/local/bin/dovecot-sieve/report-ham.sieve failed

 

[rsk]

Latest error ...

Aug  1 10:51:20 server dovecot[21983]: imap([email protected])<32400><fHpwjnvIVdhWYXhY>: Error: program exec:/usr/local/bin/dovecot-sieve/rspamd-learn-spam.sh (32401): write(program stdin) failed: Broken pipe
Aug  1 10:51:20 server dovecot[21983]: imap([email protected])<32400><fHpwjnvIVdhWYXhY>: program exec:/usr/local/bin/dovecot-sieve/rspamd-learn-spam.sh (32401): Terminated with non-zero exit code 243
Aug  1 10:51:20 server dovecot[21983]: imap([email protected])<32400><fHpwjnvIVdhWYXhY>: Error: sieve: failed to pipe message to program `rspamd-learn-spam.sh': refer to server log for more information. [2021-08-01 10:51:20]
Aug  1 10:51:20 server dovecot[21983]: imap([email protected])<32400><fHpwjnvIVdhWYXhY>: Error: sieve: Execution of script /usr/local/bin/dovecot-sieve/report-spam.sieve failed

 

[jigster]

I'm having exactly the same issue. Did you find a solution? How did you fix the 'Permission denied' error? Thanks

 

[turbohost]

Same issue here.

 

[tristan]

@rsk Did you ever find a working solution? Would be nice if the documentation could be updated for Rspamd.

 

[jigster]

This is what I did to get it working:

Check rspamc is working:

rspamc -h /var/run/rspamd/rspamd_controller.sock stat

Follow all the steps here, skipping step 1 (that's for Spamassassin not Rspamd)

In step 10, alter the SSH script to:

#!/bin/bash
inputmail=`/usr/bin/cat`
echo "${inputmail}" | rspamc -h /var/run/rspamd/rspamd_controller.sock learn_spam

Then to get it to work I had to change the permissions:

chown mail. /usr/local/bin/dovecot-sieve/sa-learn-{spam,ham}.sh;
chmod 750 /usr/local/bin/dovecot-sieve/sa-learn-{spam,ham}.sh;

And in /etc/rspamd/local.d/worker-controller.inc change the 'mode'

mode=0622

Finally restart rspamd and dovecot

systemctl restart rspamd; service dovecot restart

Test moving emails from spam to inbox and back, and look at the maillog and rspam logs to check it works correctly.

I don't know if there are any security concerns from changing the permissions as above, any comments anyone?

 

[apogee]

I just spent the last 3 days this week implementing this, now it works partially, but I use junk and not inbox.spam because I like it better and it bothers me that it is a subfolder in inbox. Roundcube is also cleaner in my opinion, and I have added the "spam" and "not spam" buttons in Roundcube. I also used parts of that: https://github.com/darix/dovecot-sieve-antispam-rspamd/

That is why my configuration is different and looks like this:
/etc/dovecot/conf.d/99-imap-sieve.conf:

plugin {
sieve_plugins = sieve_imapsieve sieve_extprograms

# From elsewhere to Junk folder
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/usr/local/bin/dovecot-sieve/report-spam.sieve

# From Junk folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/usr/local/bin/dovecot-sieve/report-ham.sieve

sieve_pipe_bin_dir = /usr/local/bin/dovecot-sieve

sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
}

Learned spam message (moved in Thunderbird from inbox to Junk):

2023-02-08 20:08:33 #2112300(controller) <9c3ef3>; csession; rspamd_controller_check_password: allow unauthorized connection from a unix socket
2023-02-08 20:08:33 #2112300(controller) <9c3ef3>; csession; rspamd_message_parse: loaded message; id: <Kq1K_S_DTfS7HaVFsFhFPw@geopod-ismtpd-5-0>; queue-id: <undef>; size: 463191; checksum: <5b983c269f780ea24519e01d13bb3c11>
2023-02-08 20:08:33 #2112300(controller) <9c3ef3>; csession; rspamd_mime_part_detect_language: detected part language: en
2023-02-08 20:08:33 #2112300(controller) <9c3ef3>; csession; rspamd_mime_part_detect_language: detected part language: en
2023-02-08 20:08:33 #2112300(controller) <9c3ef3>; csession; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 2; 200 required
2023-02-08 20:08:33 #2112300(controller) <9c3ef3>; csession; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 4; 200 required
2023-02-08 20:08:33 #2112300(controller) <9c3ef3>; csession; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
2023-02-08 20:08:33 #2112300(controller) <9c3ef3>; csession; rspamd_controller_learn_fin_task: </var/run/rspamd/rspamd_controller.sock> learned message as spam: Kq1K_S_DTfS7HaVFsFhFPw@geopod-ismtpd-5-0

Learnen ham message (moved in Thunderbird from Junk to inbox):

2023-02-08 20:15:00 #2112300(controller) <ad7995>; csession; rspamd_controller_check_password: allow unauthorized connection from a unix socket
2023-02-08 20:15:00 #2112300(controller) <ad7995>; csession; rspamd_message_parse: loaded message; id: <VI1PR04MB55044F73B713712BFD34FADCBEDA9@VI1PR04MB5504.eurprd04.prod.outlook.com>; queue-id: <undef>; size: 82576; checksum: <2a9bb4708868e55762d54b8f66d60b0f>
2023-02-08 20:15:00 #2112300(controller) <ad7995>; csession; rspamd_mime_part_detect_language: detected part language: de
2023-02-08 20:15:00 #2112300(controller) <ad7995>; csession; rspamd_mime_part_detect_language: detected part language: de
2023-02-08 20:15:00 #2112300(controller) <ad7995>; csession; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 3; 200 required
2023-02-08 20:15:00 #2112300(controller) <ad7995>; csession; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 6; 200 required
2023-02-08 20:15:00 #2112300(controller) <ad7995>; csession; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
2023-02-08 20:15:00 #2112300(controller) <ad7995>; csession; rspamd_controller_learn_fin_task: </var/run/rspamd/rspamd_controller.sock> learned message as ham: VI1PR04MB55044F73B713712BFD34FADCBEDA9@VI1PR04MB5504.eurprd04.prod.outlook.com

what bothers me is that every time a warning is logged:

rspamd_controller_check_password: allow unauthorized connection from a unix socket

I've not yet found out if the socket permissions are safe, my setup is now running with our free test customers for few weeks. If all goes well, it will be rolled out to the production infrastructure.

 

[zEitEr]

We use sudo in the scripts to solve the issue with rspamd socket. Something like:

#!/usr/bin/bash
# ...skipped part...
sudo /usr/local/bin/dovecot-sieve/learn_spam.sh <<< "${inputmail}";
# ...skipped part...

 

[tristan]

I've not yet found out if the socket permissions are safe, my setup is now running with our free test customers for few weeks. If all goes well, it will be rolled out to the production infrastructure.

Wondering if everything is working as expected for you or whether you tweaked anything to your setup. Would love if you could share.

 

[amphora]

Gonna bump this topic hoping for a solution.

I'm trying the same at the moment and also getting these errors:

Dec  7 11:51:00 vps03 dovecot[19266]: imap(xxx)<19340><muLTA+kLU9lQcH5l>: program exec:/usr/local/bin/dovecot-sieve/rspamd-learn-ham.sh (21860): Terminated with non-zero exit code 1
Dec  7 11:51:00 vps03 dovecot[19266]: imap(xxx)<19340><muLTA+kLU9lQcH5l>: Error: sieve: failed to execute to program `rspamd-learn-ham.sh': refer to server log for more information. [2023-12-07 11:51:00]
Dec  7 11:51:00 vps03 dovecot[19266]: imap(xxx)<19340><muLTA+kLU9lQcH5l>: Error: sieve: Execution of script /usr/local/bin/dovecot-sieve/report-ham.sieve failed

Changing mode from 0600 to 0622 or use sudo did't help either.

 

[zEitEr]

Wonder why you use 0600 or 0622. It should be at least 0700 or even 0750.

 

[amphora]

Wonder why you use 0600 or 0622. It should be at least 0700 or even 0750.

It was suggested by @jigster, 0600 is actually the default. Don't confuse it with chmod/file permissions...

 

[zEitEr]

OK, I see. Thanks for clarification. Anyway, sudo should work fine. It works for us as mentioned in the #9. You might have missed a step to allow usage of that script with sudo. If this is the case, then consider reading sudo documentation on how to complete the step.

 

[amphora]

Update:

In step 10, alter the SSH script to:
Code:

#!/bin/bash
inputmail=`/usr/bin/cat`
echo "${inputmail}" | rspamc -h /var/run/rspamd/rspamd_controller.sock learn_spam

Seemed to do the trick! Thanks @jigster