[CentOS] Spamassassin as root and pyzor

Hywel Richards hywelbr at googlemail.com
Fri Jul 25 10:46:16 UTC 2008


First, many thanks to Paul and Spiro for your help with this.

Spiro Harvey, Knossos Networks Ltd wrote:
>> Ideally I would like a link to a webpage entitled "How I learnt to 
>> stop worrying and run spamass-milter as root".
>
> We've got a few boxen running spamd as non-privileged user, but 
> spamassassin milter runs as root with no problems.
>
> On the flip-side to your query, I haven't found anything that states 
> spamass milter shouldn't be run as root.
>
I eventually did run into problems running spamass-milter as root in 
that spamd tried to run as "nobody" which has a homedir as "/", and of 
course could not find any configs and could not set lockfiles, etc.

E.g. from my maillog:
  Jul 21 11:46:15 elbrus spamd[12517]: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody
  Jul 21 11:46:15 elbrus spamd[12517]: spamd: processing message <alpine.LRH.1.10.0807211145440.21127> for root:99
  Jul 21 11:46:16 elbrus spamd[12517]: auto-whitelist: open of auto-whitelist file failed: locker:   safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.elbrus.12517 for /.spamassassin/auto-whitelist.lock: No such file or directory

So I created a new sa-milt user (with a suitable home directory) and 
used that (fixed the spamass-milter init script to do "daemon --user"). 
Running the milter as "sa-milt" seems to cause spamd to run as 
"sa-milt". It meant a bit of hassle relocating the socket to a sa-milt 
owned directory, etc, but at least it does seem to work now. Perhaps it 
would be more appropriate for the spamass-milter package to come like this?

>> Also, a related question: is it worth installing pyzor, or will 
>> spamassassin on its own be enough? I ask because pyzor doesn't seem 
>> to be in any of the main repositories.
>
> Don't know about Pyzor specifically, but we use Vipul's Razor with 
> success. Our situation is that we're an ISP, so we like the extra 
> checking to be as absolutely sure as possible that we're only 
> rejecting real spam. Of course a few spams still trickle through but 
> we haven't had a single false positive.
>
And there are Dag el5 packages for razor too!

However, still having some problems setting this up.
If I run spamassassin on the command-line it seems to use it, but not 
from spamass-milter :-(

Hywel.
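
Added example (not part of the original post, and not SpamAssassin's own code): a small Python check that scans a maillog for the failure pattern described in the message above, where spamd falls back to "nobody" and then cannot create its lock files under /.spamassassin. The function name audit_spamd_log and the finding labels are assumptions made for this example; the sample input is the three log entries from the post with the e-mail line wrapping undone.

```python
import re
from collections import defaultdict

# The three maillog entries quoted in the post, unwrapped to one entry per line.
SAMPLE_MAILLOG = """\
Jul 21 11:46:15 elbrus spamd[12517]: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody
Jul 21 11:46:15 elbrus spamd[12517]: spamd: processing message <alpine.LRH.1.10.0807211145440.21127> for root:99
Jul 21 11:46:16 elbrus spamd[12517]: auto-whitelist: open of auto-whitelist file failed: locker:   safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.elbrus.12517 for /.spamassassin/auto-whitelist.lock: No such file or directory
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ spamd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FALLBACK = re.compile(r"still running as root: .* falling back to (?P<user>\S+)")
# spamd logs "for <requested user>:<effective uid of the spamd child>"
PROCESSING = re.compile(r"processing message \S+ for (?P<user>[^:\s]+):(?P<uid>\d+)")
LOCKFAIL = re.compile(r"cannot create tmp lockfile (?P<path>\S+) for ")


def audit_spamd_log(text):
    """Return {pid: sorted finding labels} for spamd entries that show the
    root-fallback / unusable-home-directory problem. Healthy entries yield nothing."""
    findings = defaultdict(set)
    for line in text.splitlines():
        m = SYSLOG.match(line.strip())
        if not m:
            continue  # not a spamd syslog entry
        pid, msg = int(m["pid"]), m["msg"]
        if (f := FALLBACK.search(msg)):
            findings[pid].add(f"root-fallback:{f['user']}")
        if (p := PROCESSING.search(msg)) and p["user"] == "root":
            # The client (the milter) asked for a scan on behalf of root.
            findings[pid].add(f"request-user-root:euid={p['uid']}")
        if (lk := LOCKFAIL.search(msg)):
            path = lk["path"]
            if path.startswith("/.spamassassin/"):
                # State directory directly under "/" means the account's home is "/".
                findings[pid].add("home-is-root-dir")
            findings[pid].add(f"lock-failed:{path}")
    return {pid: sorted(labels) for pid, labels in findings.items()}


if __name__ == "__main__":
    for pid, labels in audit_spamd_log(SAMPLE_MAILLOG).items():
        print(pid, labels)
```
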



