[CentOS] Spamassassin as root and pyzor
hywelbr at googlemail.com
Fri Jul 25 10:46:16 UTC 2008
First, many thanks to Paul and Spiro for your help with this.
Spiro Harvey, Knossos Networks Ltd wrote:
>> Ideally I would like a link to a webpage entitled "How I learnt to
>> stop worrying and run spamass-milter as root".
> We've got a few boxen running spamd as non-privileged user, but
> spamassassin milter runs as root with no problems.
> On the flip-side to your query, I haven't found anything that states
> spamass milter shouldn't be run as root.
I eventually did run into problems running spamass-milter as root in
that spamd tried to run as "nobody" which has a homedir as "/", and of
course could not find any configs and could not set lockfiles, etc.
E.g. from my maillog:
Jul 21 11:46:15 elbrus spamd: spamd: still running as root:
user not specified with -u, not found, or set to root, falling back to
Jul 21 11:46:15 elbrus spamd: spamd: processing message
<alpine.LRH.1.10.0807211145440.21127> for root:99
Jul 21 11:46:16 elbrus spamd: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp
lockfile /.spamassassin/auto-whitelist.lock.elbrus.12517 for
/.spamassassin/auto-whitelist.lock: No such file or directory
So I created a new sa-milt user (with a suitable home directory) and
used that (fixed the spamass-milter init script to do "daemon --user").
Running the milter as "sa-milt" seems to cause spamd to run as
"sa-milt". It meant a bit of hassle relocating the socket to a sa-milt
owned directory, etc, but at least it does seem to work now. Perhaps it
would be more appropriate for the spamass-milter package to come like this?
>> Also, a related question: is it worth installing pyzor, or will
>> spamassassin on its own be enough? I ask because pyzor doesn't seem
>> to be in any of the main repositories.
> Don't know about Pyzor specifically, but we use Vipul's Razor with
> success. Our situation is that we're an ISP, so we like the extra
> checking to be as absolutely sure as possible that we're only
> rejecting real spam. Of course a few spams still trickle through but
> we haven't had a single false positive.
And there are Dag el5 packages for razor too!
However, still having some problems setting this up.
If I run spamassassin on the command-line it seems to use it, but not
from spamass-milter :-(
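
Added example, not part of the original post: a small Python scan of maillog lines for the three spamd symptoms quoted in the message (the root fallback warning, the name:uid the message was processed for, and the auto-whitelist lockfile failure), deriving from the lockfile path which home directory spamd tried to use. The function name audit_spamd_log and the regular expressions are assumptions written for this illustration; the sample lines are the post's own log excerpt, re-joined from the mail wrapping.

```python
import re

# Log excerpt from the post, re-joined from the mail wrapping. The first
# entry is cut short in the post and is left that way here.
SAMPLE_MAILLOG = [
    "Jul 21 11:46:15 elbrus spamd: spamd: still running as root: user not "
    "specified with -u, not found, or set to root, falling back to",
    "Jul 21 11:46:15 elbrus spamd: spamd: processing message "
    "<alpine.LRH.1.10.0807211145440.21127> for root:99",
    "Jul 21 11:46:16 elbrus spamd: auto-whitelist: open of auto-whitelist "
    "file failed: locker: safe_lock: cannot create tmp lockfile "
    "/.spamassassin/auto-whitelist.lock.elbrus.12517 for "
    "/.spamassassin/auto-whitelist.lock: No such file or directory",
]

# Hypothetical patterns, written against the three lines above.
FALLBACK = re.compile(r"spamd: still running as root")
PROCESSING = re.compile(
    r"spamd: processing message \S+ for (?P<user>[^:\s]+):(?P<uid>\d+)")
LOCKFAIL = re.compile(
    r"cannot create tmp lockfile (?P<path>\S+) for \S+: (?P<err>.+)$")


def audit_spamd_log(lines):
    """Return one finding per symptom seen, in log order."""
    findings = []
    for line in lines:
        if FALLBACK.search(line):
            findings.append({"kind": "root_fallback"})
        m = PROCESSING.search(line)
        if m:
            findings.append({"kind": "identity", "user": m["user"],
                             "uid": int(m["uid"])})
        m = LOCKFAIL.search(line)
        if m:
            # <home>/.spamassassin/<lockfile>: strip two path components.
            state_dir = m["path"].rsplit("/", 1)[0]
            home = state_dir.rsplit("/", 1)[0] or "/"
            findings.append({"kind": "lock_failure", "state_dir": state_dir,
                             "home": home, "home_is_root": home == "/",
                             "error": m["err"]})
    return findings


if __name__ == "__main__":
    for finding in audit_spamd_log(SAMPLE_MAILLOG):
        print(finding)
```

A lock_failure finding with home_is_root set means spamd resolved its state directory under "/", which matches the account with homedir "/" described in the message.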