Kopano spamd error - PermissionError: [Errno 1] Operation not permitted

fbartels

@ckruijntjens said in Kopano spamd error - PermissionError: [Errno 1] Operation not permitted:

if i do this is inotify-learnspam still doing its part?

I have not completely followed the other topic, but there was something about the antispam system running on a different system and the need to pipe/copy the mail to the other system. so if the message needs to cross systems local ownership is not really relevant.

@ckruijntjens said in Kopano spamd error - PermissionError: [Errno 1] Operation not permitted:

hi yust tried and still have this error

Above i posted a command to test the chown.

@fbartels

hi i have rspamd and kopano on the same system. now if i check the logs when i change the sa user to kopano it only gives me a warning in journalctl.

0_1547196540694_4d90850d-6e06-4bb4-8993-0fbf653aa8c6-image.png

connection refused?

itis working now.

BMWfan

@ckruijntjens and what was now the solution? My problem is on the kopano-spamd process and you mixed your problems with inotify also in this topic why i lost a little the overview here.

On my Debian 9 Server:

If i choose a mail in mail inbox to sort it in the junk mail folder i get this messages in /var/log/kopano/spamd.log:

2019-01-12 08:17:57,330 - spamd - INFO - Learning message as SPAM, entryid: 00000000A497753E7B1B4CE3894BB06ABB7C1F450100000005000000D451EC976A324DCAA23AF88AB788EAD800000000
2019-01-12 08:17:57,356 - spamd - ERROR - Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/kopano/log.py", line 103, in log_exc
    try: yield
  File "/usr/lib/python3/dist-packages/kopano_spamd/__init__.py", line 83, in update
    self.learn(item, searchkey, True)
  File "/usr/lib/python3/dist-packages/kopano_spamd/__init__.py", line 106, in learn
    os.chown(emlfilename, uid, gid)
PermissionError: [Errno 1] Operation not permitted: '/var/lib/kopano/spamd/spam/9DFD4A4E633343C081465B7B8EDBCBE4.eml'

i installed the python 3 deamon via apt-get install python3-daemon.

I have spamassassin, clamav and amavis running that’s why i assigned kopano to the amavis group via gpasswd -a kopano amavis.

i can execute this command sudo -H -u kopano chown kopano:amavis /var/lib/kopano/spamd/spam/9DFD4A4E633343C081465B7B8EDBCBE4.eml
so the rights should be correct, or?

So, what could it be?

cblaha

What @BMWfan describes is exactly the origin problem.

@BMWfan

Hi,
Wat i did was adding kopano to my rspamd group and rspamd to kopano group.

The sa_group is kopano

Now its working for me

cblaha

Hi, the hint of @ckruijntjens was the last piece of the puzzle to the solution. After changing sa_group to kopano, kopano-spamd runs without errors.

BMWfan

@ckruijntjens thank you, this works for me now also after i changed the sa_group to kopano in the configuration etc/kopano/spamd.cfg but now is my inotify-spamlearn not more functioning as here described define-ham-and-spam-for-spamassassin, or what could i do that i could use amavis as the sa_group?

@BMWfan

Glad it worked👍👍👍

ashceryth

@cblaha @ckruijntjens @BMWfan

Guys, I think what you did is a workaround. Since you set the sa_group to kopano there is no change when executing chown (https://github.com/Kopano-dev/kopano-core/blob/master/ECtools/spamd/kopano_spamd/__init__.py#L104 line 104 onwards) on the files as they’re already owned by kopano:kopano. So, this way the original problem discussed in this thread isn’t triggered (that’s just what I think). Of course it works the other way round if you add amavis to the kopano group and then run inotify-spamlearn as user amavis. This way the user amavis has read and write permissions on the files as the user is member of the kopano group. Just my two cents.

And please don’t mix up spamd and inotify-spamlearn. These are two different things.

BMWfan

@ashceryth thanks for your opinion. You are right i think. I added kopano as described in my post before in the amavis group but the problem exists still if i configure this sa_group = amavis.
I can execute this manually sudo -H -u kopano chown kopano:amavis /var/lib/kopano/spamd/spam/9DFD4A4E633343C081465B7B8EDBCBE4.eml but the script gives us the following error if it has to execute it triggerd by the mail displacements in Kopano Webapp.

PermissionError: [Errno 1] Operation not permitted: '/var/lib/kopano/spamd/spam/9DFD4A4E633343C081465B7B8EDBCBE4.eml'

BMWfan

@mark-dufour do you need more informations to reproduce this issue?

fbartels

This ultimately seems to be an issue with/experienced through systemd. The permission denied when chown’ing comes from systemd denying it.

We will still need to think about alternative approaches for this.

BMWfan

@fbartels thanks for your answer. Should i open a request anywhere or what are the next steps?

fbartels

@cblaha @ckruijntjens @BMWfan Did some further thinking today and the simplest approach is probably the easiest.

Could you try the following (assuming you need your eml files to be kopano:amavis in the end):

in spamd.cfg
-> set run_as_group to amavis
-> sa_group should then be amavis as well

make sure kopano is member of the amavis group (writing this out i am not 100% this is really a requirement)
make sure that /var/lib/kopano/spamd (recursively) is owned by kopano:amavis

If this works for you as well, then we will remove the sa_group option and its related mechanism from kopano-spamd and adopt documentation accordingly.

cblaha

@fbartels : I will try it tomorrow

cblaha

@fbartels: Sorry, that I am reporting so late. Your solution works perfect for me. Thank you

for me this is also working. Except i am using rspamd so for me the group is _rspamd

This works as expected!

weini

Works for me too!
Many thanks for your support!

pschoond

I had the same problem on CentOS 7.

I think I solved this easily by:

adding the amavis user to the group kopano.
Since amavis/sa-learn is now able to read the files in /var/lib/kopano/spamd/spam, it is no longer necessary to do a chow or chmod in kopano-spamd. So I commented these two lines (106,107) out in /usr/lib/python2.7/site-packages/kopano_spamd/init.py, like this:
#os.chown(emlfilename, uid, gid)
#os.chmod(emlfilename, 0o660)
By increasing the loglevel to Info in /etc/kopano/spamd.cfg I could verify that the results are now as expected in the systemlog:

aug 02 07:33:33 server03.xxxxx.local kopano-spamd[17541]: 2019-08-02 07:33:33,488 - spamd - INFO - Learning message as SPAM, entryid: 0000000000D9DA0165C843EBB498FB6BD1E7C5820100000005000000519FE396E2274687B6E78B016896BC6000000000

I’m not sure though if sa-learn is automatically triggered within kopano-spamd on CentOS.

Paul