[Bug 1442087] Re: don't run as root by default
Yes, thanks for the link and thoughts. I'm currently investigating if I can leave all the SA, amavis and clamav code out of my setup by using the blacklist feature of postscreen*.

* http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to spamassassin in Ubuntu.
https://bugs.launchpad.net/bugs/1442087

Title:
  don't run as root by default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1442087/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1442087] Re: don't run as root by default
This user switching is for reading per-user configurations only and I think can be mitigated by making the per-user config world readable.

Furthermore from the README.spamd.gz you've mentioned:

  If a fault is found in spamd or spamassassin code, any third party linked-libraries or imported perl modules there is the potential for abuse of both the running uid of spamd, and the uid of the username supplied by spamc (and this could be any user).

I'm not sure how many LOC but there is quite a slew of extra code with all the plugins that ship with SA. I question if all this code is maintained with the same attention and security awareness as other parts of the mail stack. I know all other parts are not executed as root. Of course statistics wouldn't have hurt ;-).
[Bug 1442087] [NEW] don't run as root by default
Public bug reported:

I was surprised that after following https://help.ubuntu.com/14.04/serverguide/mail-filtering.html this leaves me with the spamassassin daemon running as root. This is not of the same standard compared with the secure defaults that Postfix and Dovecot use. I think this undermines the whole setup and comes a bit unexpected. I would suggest to create a separate unprivileged user (maybe spamd?) for running spamd only and keep the user debian-spamd for updating the rules.

** Affects: spamassassin (Ubuntu)
     Importance: Undecided
         Status: New
[Bug 720071] Re: munin-node amavis spam stats
Simon, I have never seen the string Passed SPAMMY in my logs, are you also using amavisd-new 1:2.6.4-1ubuntu5 shipped with 10.04 and are these strings appearing in your /var/log/mail.log?
[Bug 715056] Re: invalid ssl-certificates in /etc/postfix/main.cf after security upgrade
I happened to have a 10.10 server in my VirtualBox and can confirm this latest package does not change the postfix configuration.

root@ubuntu:/etc# git status
# On branch master
nothing to commit (working directory clean)
root@ubuntu:/etc# apt-get install dovecot-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  dovecot-imapd dovecot-pop3d
Suggested packages:
  ntp
The following packages will be upgraded:
  dovecot-common dovecot-imapd dovecot-pop3d
3 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.
Need to get 7,866kB of archives.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://archive.ubuntu.com/ubuntu/ maverick-proposed/main dovecot-pop3d amd64 1:1.2.12-1ubuntu8.3 [1,097kB]
Get:2 http://archive.ubuntu.com/ubuntu/ maverick-proposed/main dovecot-imapd amd64 1:1.2.12-1ubuntu8.3 [1,204kB]
Get:3 http://archive.ubuntu.com/ubuntu/ maverick-proposed/main dovecot-common amd64 1:1.2.12-1ubuntu8.3 [5,565kB]
Fetched 7,866kB in 8s (980kB/s)
(Reading database ... 42297 files and directories currently installed.)
Preparing to replace dovecot-pop3d 1:1.2.12-1ubuntu8.2 (using .../dovecot-pop3d_1%3a1.2.12-1ubuntu8.3_amd64.deb) ...
Unpacking replacement dovecot-pop3d ...
Preparing to replace dovecot-imapd 1:1.2.12-1ubuntu8.2 (using .../dovecot-imapd_1%3a1.2.12-1ubuntu8.3_amd64.deb) ...
Unpacking replacement dovecot-imapd ...
Preparing to replace dovecot-common 1:1.2.12-1ubuntu8.2 (using .../dovecot-common_1%3a1.2.12-1ubuntu8.3_amd64.deb) ...
dovecot stop/waiting
Unpacking replacement dovecot-common ...
Processing triggers for ureadahead ...
Processing triggers for ufw ...
Processing triggers for man-db ...
Setting up dovecot-common (1:1.2.12-1ubuntu8.3) ...
You already have ssl certs for dovecot.
dovecot start/running, process 3434
Setting up dovecot-pop3d (1:1.2.12-1ubuntu8.3) ...
Setting up dovecot-imapd (1:1.2.12-1ubuntu8.3) ...
root@ubuntu:/etc# git status
# On branch master
nothing to commit (working directory clean)
[Bug 715056] Re: invalid ssl-certificates in /etc/postfix/main.cf after security upgrade
The new package installed nice, without changing my configuration so it looks like this patch fixes the bug.

Note: I get standard errors about an unconfigured nsd3 every time I use apt which is related to another bug. Anyway, the dovecot installation went fine, without any problems and did not change my mail configuration as can be seen by etckeeper/git.

root@lock:/etc# git status
# On branch master
nothing to commit (working directory clean)
root@lock:/etc# sudo apt-get install dovecot
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package dovecot is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
  dovecot-common
E: Package dovecot has no installation candidate
root@lock:/etc# sudo apt-get install dovecot-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  dovecot-imapd dovecot-pop3d
Suggested packages:
  ntp
The following packages will be upgraded:
  dovecot-common dovecot-imapd dovecot-pop3d
3 upgraded, 0 newly installed, 0 to remove and 14 not upgraded.
1 not fully installed or removed.
Need to get 7,805kB of archives.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-proposed/main dovecot-pop3d 1:1.2.9-1ubuntu6.5 [1,093kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-proposed/main dovecot-imapd 1:1.2.9-1ubuntu6.5 [1,202kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-proposed/main dovecot-common 1:1.2.9-1ubuntu6.5 [5,510kB]
Fetched 7,805kB in 6s (1,234kB/s)
(Reading database ... 27371 files and directories currently installed.)
Preparing to replace dovecot-pop3d 1:1.2.9-1ubuntu6.4 (using .../dovecot-pop3d_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot ...done.
Unpacking replacement dovecot-pop3d ...
 * Starting IMAP/POP3 mail server dovecot ...done.
Preparing to replace dovecot-imapd 1:1.2.9-1ubuntu6.4 (using .../dovecot-imapd_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot ...done.
Unpacking replacement dovecot-imapd ...
 * Starting IMAP/POP3 mail server dovecot ...done.
Preparing to replace dovecot-common 1:1.2.9-1ubuntu6.4 (using .../dovecot-common_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot ...done.
Unpacking replacement dovecot-common ...
Processing triggers for ufw ...
Rules updated for profile 'Dovecot Secure IMAP'
Rules updated for profile 'OpenSSH'
Rules updated for profile 'Postfix'
Rules updated for profile 'Postfix Submission'
Skipped reloading firewall
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up nsd3 (3.2.4-1) ...
 * Starting nsd3...
invoke-rc.d: initscript nsd3, action start failed.
dpkg: error processing nsd3 (--configure):
 subprocess installed post-installation script returned error exit status 1
Setting up dovecot-common (1:1.2.9-1ubuntu6.5) ...
You already have ssl certs for dovecot.
update-rc.d: warning: dovecot stop runlevel arguments (1) do not match LSB Default-Stop values (0 1 6)
 * Starting IMAP/POP3 mail server dovecot ...done.
Setting up dovecot-pop3d (1:1.2.9-1ubuntu6.5) ...
 * Restarting IMAP/POP3 mail server dovecot ...done.
Setting up dovecot-imapd (1:1.2.9-1ubuntu6.5) ...
 * Restarting IMAP/POP3 mail server dovecot ...done.
Errors were encountered while processing:
 nsd3
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@lock:/etc# git status
# On branch master
nothing to commit (working directory clean)
[Bug 720071] Re: munin-node amavis spam stats
reported to munin-monitoring.org bug tracker: http://munin-monitoring.org/ticket/1104

** Bug watch added: munin-monitoring.org/ #1104
   http://munin-monitoring.org/ticket/1104

** Also affects: munin via
   http://munin-monitoring.org/ticket/1104
   Importance: Unknown
       Status: Unknown
[Bug 720071] Re: munin-node amavis spam stats
the previous attachment was a reverse patch, now it should apply.

** Attachment removed: change graph label
   https://bugs.launchpad.net/ubuntu/+source/munin/+bug/720071/+attachment/1865698/+files/amavis_label.patch

** Patch added: more objective labels
   https://bugs.launchpad.net/ubuntu/+source/munin/+bug/720071/+attachment/2163639/+files/amavis_labal.patch
[Bug 715056] Re: invalid ssl-certificates in /etc/postfix/main.cf after security upgrade
Last night, the same issue happened again. The automatically installed security update misconfigured my postfix/main.cf file with exactly the same values as posted earlier. Will Ante Karamatić's patch be included in Lucid?
[Bug 715056] Re: invalid ssl-certificates in /etc/postfix/main.cf after security upgrade
@eiver: It looks like I can't change the Importance value of this bug. It's greyed out and I see no edit options.

** Changed in: dovecot (Ubuntu Lucid)
       Status: New => Confirmed
[Bug 720071] Re: munin-node amavis spam stats
> Tim, do you feel like forwarding it to the upstream tracker at http://munin-monitoring.org/newticket (requires an account there), or should I do this for you?

Daniel, the reason I didn't submit it there was indeed because I had to register and didn't find any links to do so at the time. So launchpad was easier for me. Please submit it over there if you have an account.

Would it be possible to get the barrier for spam easily from the amavis conf, and then use this for the maybe spam pattern? I'm not aware of any utilities to extract a config-item like this, but I'm pretty new to Debian/Ubuntu and can imagine they have tools for it.
[Bug 720071] Re: munin-node amavis spam stats
I'm using Ubuntu 10.04.1 and munin-node 1.4.4-1ubuntu1 from the default repositories without customizations.

As a side note, I think it would be more appropriate to change the line in the graph containing surely spam to blocked as spam, see the attached patch.

** Patch added: change graph label
   https://bugs.launchpad.net/ubuntu/+source/munin/+bug/720071/+attachment/1865698/+files/amavis_label.patch
[Bug 720071] [NEW] munin-node amavis spam stats
Public bug reported:

Binary package hint: munin

The amavis plugin of munin-node displays 0 for probably spam and surely spam statistics. This is because it does the wrong `grep` on the mail log file.

The included patch has 2 altered grep statements:
- sure spam is a grep for 'Blocked SPAM'
- probably spam is a grep for messages with a Hits score between 4 and 10

The default Ubuntu SpamAssassin configuration will tag messages with a score above 2.0 and mark messages as Blocked SPAM if it has a score above 6.31.

** Affects: munin (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amavis spam statistics
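The counting rule described in this report, as an added example that is not the attached patch or the munin plugin's own code. It goes one step further than two independent greps by counting each message once, so a 'Blocked SPAM' line whose score also falls between 4 and 10 is not counted twice. The log line shape, the 4..10 bounds being inclusive, and every sample value are assumptions.

```shell
#!/bin/sh
# Added example (not the munin plugin): count amavis verdicts in a mail log.
# Assumed line shape, modelled on amavisd-new output:
#   <date> <host> amavis[PID]: (ID) <Verdict>, ... Hits: <score>, size: ...

# Constructed sample log; hosts, addresses and scores are made up.
sample_log() {
    cat <<'EOF'
Feb  8 09:00:01 mx amavis[2101]: (02101-01) Passed CLEAN, [192.0.2.10] <a@example.org> -> <u@example.net>, Hits: -1.9, size: 2210, 812 ms
Feb  8 09:00:07 mx amavis[2101]: (02101-02) Passed CLEAN, [192.0.2.11] <b@example.org> -> <u@example.net>, Hits: 4.7, size: 1804, 954 ms
Feb  8 09:00:15 mx amavis[2102]: (02102-01) Blocked SPAM, [198.51.100.5] <c@example.com> -> <u@example.net>, Hits: 7.2, size: 3391, 1203 ms
Feb  8 09:00:21 mx amavis[2102]: (02102-02) Blocked SPAM, [198.51.100.6] <d@example.com> -> <u@example.net>, Hits: 23.4, size: 5120, 1377 ms
Feb  8 09:00:30 mx amavis[2103]: (02103-01) Passed CLEAN, [192.0.2.12] <e@example.org> -> <u@example.net>, Hits: 6.1, size: 990, 701 ms
Feb  8 09:00:34 mx amavis[2103]: (02103-02) Passed CLEAN, [192.0.2.13] <f@example.org> -> <u@example.net>, Hits: -, size: 640, 95 ms
Feb  8 09:00:40 mx postfix/smtpd[3001]: connect from unknown[203.0.113.9]
EOF
}

# Usage: amavis_spam_counts [LOW] [HIGH] < logfile
# Prints "surely=<n> probably=<n> clean=<n>"; LOW/HIGH default to 4 and 10.
amavis_spam_counts() {
    awk -v low="${1:-4}" -v high="${2:-10}" '
        # Only amavis lines are considered; other daemons are skipped.
        / amavis\[[0-9]+\]: / {
            # A bare "Hits: -" (message not scored) does not match here.
            scored = match($0, /Hits: -?[0-9]+(\.[0-9]+)?/)
            if (scored) score = substr($0, RSTART + 6, RLENGTH - 6) + 0

            # The verdict wins over the score, so each message lands in
            # exactly one bucket.
            if ($0 ~ /Blocked SPAM/) surely++
            else if (scored && score >= low && score <= high) probably++
            else if ($0 ~ / Passed /) clean++
        }
        END {
            printf "surely=%d probably=%d clean=%d\n", surely, probably, clean
        }
    '
}

# Stand-alone demo on the constructed sample.
sample_log | amavis_spam_counts
```

On a real host the function would read the log named in the report, for example `amavis_spam_counts < /var/log/mail.log`.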
[Bug 720071] Re: munin-node amavis spam stats
** Attachment added: altered grep for probably and surely spam
   https://bugs.launchpad.net/bugs/720071/+attachment/1853838/+files/amavis.patch
[Bug 715056] [NEW] invalid ssl-certificates in /etc/postfix/main.cf after security upgrade
Public bug reported: Binary package hint: dovecot-postfix After dovecot-postfix was automatically upgraded this morning (http://www.ubuntu.com/usn/usn-1059-1) the config in /etc/postfix/main.cf was changed. Replacing my certificates with invalid ones. Discovered it by Thunderbird complaining about an invalid certificate when try to send mail via the smtp-server. Changes made by automatic upgrade: diff --git a/postfix/main.cf b/postfix/main.cf index ee075a3..b6c0119 100644 --- a/postfix/main.cf +++ b/postfix/main.cf 
@@ -57,10 +57,15 @@ smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes -smtpd_tls_cert_file = /etc/ssl/certs/x.crt -smtpd_tls_key_file = /etc/ssl/private/x.key +smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem +smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_security_level = may smtp_tls_CAfile = /etc/ssl/certs/netsend_nl_chain.crt smtp_tls_note_starttls_offer = yes +home_mailbox = Maildir/ +smtpd_sasl_authenticated_header = yes +smtpd_sasl_security_options = noanonymous +smtpd_use_tls = yes +smtp_use_tls = yes Errors in /var/log/mail.log: Feb 8 09:25:27 lock postfix/smtpd[10607]: connect from x.versatel.nl[xx.xx.xx.xx] Feb 8 09:25:27 lock postfix/smtpd[10607]: setting up TLS connection from x.versatel.nl[xx.xx.xx.xx] Feb 8 09:25:27 lock postfix/smtpd[10607]: SSL_accept error from x.versatel.nl[xx.xx.xx.xx]: 0 Feb 8 09:25:27 lock postfix/smtpd[10607]: warning: TLS library problem: 10607:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1093:SSL alert number 48: Feb 8 09:25:27 lock postfix/smtpd[10607]: lost connection after CONNECT from x.versatel.nl[xx.xx.xx.xx] Feb 8 09:25:27 lock postfix/smtpd[10607]: disconnect from x.versatel.nl[xx.xx.xx.xx] ** Affects: dovecot (Ubuntu) Importance: Undecided Status: New ** Tags: certificate dovecot main.cf postfix -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dovecot in ubuntu. https://bugs.launchpad.net/bugs/715056 Title: invalid ssl-certificates in /etc/postfix/main.cf after security upgrade -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
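Review bot: the two -/+ pairs for smtpd_tls_cert_file and smtpd_tls_key_file overwrite values the administrator had already set (/etc/ssl/certs/x.crt and /etc/ssl/private/x.key) with the packaged ssl-mail.pem and ssl-mail.key, which matches the "unknown ca" alert the client raises in the log that follows. An upgrade script should write these two parameters only when they are unset or still at the packaged default, and leave any existing value untouched. The appended smtpd_use_tls = yes and smtp_use_tls = yes also sit in the same hunk as smtpd_tls_security_level = may and smtp_tls_security_level = may, which already state the TLS policy, so those two additions look redundant and are worth dropping or justifying.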
[Bug 715056] Re: invalid ssl-certificates in /etc/postfix/main.cf after security upgrade
The git diff I posted before is a complete diff from the /etc directory before the upgrade, and after the upgrade (using the package etckeeper).