** Description changed:
[Impact]
Regression causing breakage of spam filtering for Exim4 users when using
sa-exim for spamassassin integration.
[Test Case]
- $ lxc launch ubuntu:19.04/amd64 exim-19-006-1
- $ lxc exec exim-19-006-1 bash
+ $ lxc launch ubuntu:19.04/amd64 exim-19-008-1
+ $ lxc exec exim-19-008-1 bash
### Pre-requisites ###
# apt update
# apt install -y exim4 exim4-daemon-light
# apt install -y spamassassin
# apt install -y sa-exim
### Startup spamassassin ###
# service spamassassin start
# lsof -i :783
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
spamd 10552 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd
(LISTEN)
spamd 10552 root 6u IPv4 2384099 0t0 TCP localhost:spamd
(LISTEN)
spamd\x20 10553 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd
(LISTEN)
spamd\x20 10553 root 6u IPv4 2384099 0t0 TCP localhost:spamd
(LISTEN)
spamd\x20 10554 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd
(LISTEN)
spamd\x20 10554 root 6u IPv4 2384099 0t0 TCP localhost:spamd
(LISTEN)
# service spamassassin status | grep Active
Active: active (running) since [...]
### Configure exim4 for sa-exim ###
# ls -l /usr/lib/exim4/local_scan/sa-exim.so
-rw-r--r-- 1 root root 43576 Aug 2 2016
/usr/lib/exim4/local_scan/sa-exim.so
# OPTION="local_scan_path = \/usr\/lib\/exim4\/local_scan\/sa-exim\.so"
# sed -i.bak "/MAIN CONFIG/a ${OPTION}" /etc/exim4/exim4.conf.template
# sed -i.bak 's/^SAEximRunCond: 0/SAEximRunCond: 1/' /etc/exim4/sa-exim.conf
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
### Perform RED test
# echo "test" | mail -s testing root
# ls -l /var/spool/mail/mail
-rw------- 1 mail mail 629 Jun 4 04:29 /var/spool/mail/mail
# tail /var/log/exim4/mainlog
[...]
[...] 1hXwGX-00011P-Ay <= [email protected] U=root P=local S=454
[...] 1hXwGX-00011P-Ay => /var/mail/mail <[email protected]>
R=mail4root T=address_file
[...] 1hXwGX-00011P-Ay Completed
# grep "SA: Action" /var/log/exim4/mainlog || echo "FAIL"
FAIL
### Install fix
- Enable disco-proposed (Or: add-apt-repository -yu ppa:bryce/exim-19-006-1)
+ Enable disco-proposed (Or: add-apt-repository -yu ppa:bryce/exim-19-006-1)
# apt install -y exim4 exim4-daemon-light
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
### Perform GREEN test
# echo "test" | mail -s testing root
# tail /var/log/exim4/mainlog
[...]
[...] 1hXwGX-00011P-Ay <= [email protected] U=root P=local S=454
[...] 1hXwGX-00011P-Ay => /var/mail/mail <[email protected]>
R=mail4root T=address_file
[...] 1hXwGX-00011P-Ay Completed
# grep "SA: Action" /var/log/exim4/mainlog && echo "PASS"
[...] 1hY18c-000349-Vz SA: Action: scanned but message isn't spam:
score=0.7 required=5.0 (scanned in 4/4 secs | Message-Id:
[...]@exim-19-006-1.lxd). From <[email protected]> (local) for
[email protected]
PASS
[Regression Potential]
Low.
The 'local_scan' function was removed due to concerns it might allow
rewriting of emails in invalid situations. However, this risk has been
equally present in previous exim4 releases Ubuntu has shipped, thus does
not create any new issues, just restores behavior to what it has been in
the past.
This is not a default behavior, so whether it is enabled or not should
have no impact on "regular" exim4 users.
Things to watch for in testing would be severe breakage when using the
local_scan functionality in ways that worked properly in bionic. Note
that with sa-exim no longer actively maintained, and with exim4
discouraging use of local_scan, it is to be expected that some
irregularities may crop up in certain use cases, but general usage that
has worked previously should be expected to continue similarly.
[Discussion]
Upstream dropped support for a 'local_scan' function in 4.92, that sa-exim
requires; Debian restored support for this capability in 4.92-7, but disco is
shipping 4.92-4ubuntu1 without the restored support.
The reason upstream dropped the support was out of concern that changes
in how emails are handled internally will break rewriting in certain
circumstances. Unfortunately this breaks compatibility with sa-exim,
which uses local_scan to do spamassassin checking to reject spam emails
pre-acceptance.
This SRU is a one-line change to enable HAVE_LOCAL_SCAN in exim4's
template configuration file, "EDITME". Ubuntu has already been carrying
the 90_localscan_dlopen.dpatch that implements the necessary
functionality, however due to upstream changes it is now necessary to
define HAVE_LOCAL_SCAN in the local config (it is off by default). With
this change, the functionality of 90_localscan_dlopen.dpatch will again
be effective.
[Original Report]
It seems like after upgrade to 19.04 that exim is not running the local_scan
function (in my case the sa-exim /usr/lib/exim4/local_scan/sa-exim.so)
So I now don't have the spam-scan I am used to(I have enabled scanning
by the way of an RCPT_ACL for now)
Hope this can fixed despite sa-exim being very old
Description: Ubuntu 19.04
Release: 19.04
exim4-daemon-heavy:
Installed: 4.92-4ubuntu1
Candidate: 4.92-4ubuntu1
Version table:
*** 4.92-4ubuntu1 500
500 http://dk.archive.ubuntu.com/ubuntu disco/main amd64 Packages
100 /var/lib/dpkg/status
I expect to see in /var/log/exim4/mainlog lines like this as I saw before:
2019-05-12 20:01:54 1hPsnJ-000285-Jj SA: Debug: check succeeded, running spamc
2019-05-12 20:02:01 1hPsnJ-000285-Jj SA: Action: scanned but message isn't
spam: score=2.5 required=5.0 (scanned in 7/7 secs | Message-Id:
duxufv23y44bfkuepz1f4naeoavbh7xtz_es_rsbndc.erur4y-b0k2tn61ykllctsv6z3yzr3hqkm9umv94...@devotestream.icu).
From <[email protected]> (host=NULL [185.254.236.42]) for <masked email>
I don't see that after upgrading to 19.04 this saturday
** Description changed:
[Impact]
Regression causing breakage of spam filtering for Exim4 users when using
sa-exim for spamassassin integration.
[Test Case]
$ lxc launch ubuntu:19.04/amd64 exim-19-008-1
$ lxc exec exim-19-008-1 bash
### Pre-requisites ###
# apt update
- # apt install -y exim4 exim4-daemon-light
- # apt install -y spamassassin
- # apt install -y sa-exim
+ # apt-get install -y exim4 exim4-daemon-light
+ # apt-get install -y spamassassin
+ # apt-get install -y sa-exim
### Startup spamassassin ###
# service spamassassin start
# lsof -i :783
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
spamd 10552 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd
(LISTEN)
spamd 10552 root 6u IPv4 2384099 0t0 TCP localhost:spamd
(LISTEN)
spamd\x20 10553 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd
(LISTEN)
spamd\x20 10553 root 6u IPv4 2384099 0t0 TCP localhost:spamd
(LISTEN)
spamd\x20 10554 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd
(LISTEN)
spamd\x20 10554 root 6u IPv4 2384099 0t0 TCP localhost:spamd
(LISTEN)
# service spamassassin status | grep Active
Active: active (running) since [...]
### Configure exim4 for sa-exim ###
# ls -l /usr/lib/exim4/local_scan/sa-exim.so
-rw-r--r-- 1 root root 43576 Aug 2 2016
/usr/lib/exim4/local_scan/sa-exim.so
# OPTION="local_scan_path = \/usr\/lib\/exim4\/local_scan\/sa-exim\.so"
# sed -i.bak "/MAIN CONFIG/a ${OPTION}" /etc/exim4/exim4.conf.template
# sed -i.bak 's/^SAEximRunCond: 0/SAEximRunCond: 1/' /etc/exim4/sa-exim.conf
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
### Perform RED test
# echo "test" | mail -s testing root
# ls -l /var/spool/mail/mail
-rw------- 1 mail mail 629 Jun 4 04:29 /var/spool/mail/mail
# tail /var/log/exim4/mainlog
[...]
[...] 1hXwGX-00011P-Ay <= [email protected] U=root P=local S=454
[...] 1hXwGX-00011P-Ay => /var/mail/mail <[email protected]>
R=mail4root T=address_file
[...] 1hXwGX-00011P-Ay Completed
# grep "SA: Action" /var/log/exim4/mainlog || echo "FAIL"
FAIL
### Install fix
Enable disco-proposed (Or: add-apt-repository -yu ppa:bryce/exim-19-006-1)
# apt install -y exim4 exim4-daemon-light
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
### Perform GREEN test
# echo "test" | mail -s testing root
# tail /var/log/exim4/mainlog
[...]
[...] 1hXwGX-00011P-Ay <= [email protected] U=root P=local S=454
[...] 1hXwGX-00011P-Ay => /var/mail/mail <[email protected]>
R=mail4root T=address_file
[...] 1hXwGX-00011P-Ay Completed
# grep "SA: Action" /var/log/exim4/mainlog && echo "PASS"
[...] 1hY18c-000349-Vz SA: Action: scanned but message isn't spam:
score=0.7 required=5.0 (scanned in 4/4 secs | Message-Id:
[...]@exim-19-006-1.lxd). From <[email protected]> (local) for
[email protected]
PASS
[Regression Potential]
Low.
The 'local_scan' function was removed due to concerns it might allow
rewriting of emails in invalid situations. However, this risk has been
equally present in previous exim4 releases Ubuntu has shipped, thus does
not create any new issues, just restores behavior to what it has been in
the past.
This is not a default behavior, so whether it is enabled or not should
have no impact on "regular" exim4 users.
Things to watch for in testing would be severe breakage when using the
local_scan functionality in ways that worked properly in bionic. Note
that with sa-exim no longer actively maintained, and with exim4
discouraging use of local_scan, it is to be expected that some
irregularities may crop up in certain use cases, but general usage that
has worked previously should be expected to continue similarly.
[Discussion]
Upstream dropped support for a 'local_scan' function in 4.92, that sa-exim
requires; Debian restored support for this capability in 4.92-7, but disco is
shipping 4.92-4ubuntu1 without the restored support.
The reason upstream dropped the support was out of concern that changes
in how emails are handled internally will break rewriting in certain
circumstances. Unfortunately this breaks compatibility with sa-exim,
which uses local_scan to do spamassassin checking to reject spam emails
pre-acceptance.
This SRU is a one-line change to enable HAVE_LOCAL_SCAN in exim4's
template configuration file, "EDITME". Ubuntu has already been carrying
the 90_localscan_dlopen.dpatch that implements the necessary
functionality, however due to upstream changes it is now necessary to
define HAVE_LOCAL_SCAN in the local config (it is off by default). With
this change, the functionality of 90_localscan_dlopen.dpatch will again
be effective.
[Original Report]
It seems like after upgrade to 19.04 that exim is not running the local_scan
function (in my case the sa-exim /usr/lib/exim4/local_scan/sa-exim.so)
So I now don't have the spam-scan I am used to(I have enabled scanning
by the way of an RCPT_ACL for now)
Hope this can fixed despite sa-exim being very old
Description: Ubuntu 19.04
Release: 19.04
exim4-daemon-heavy:
Installed: 4.92-4ubuntu1
Candidate: 4.92-4ubuntu1
Version table:
*** 4.92-4ubuntu1 500
500 http://dk.archive.ubuntu.com/ubuntu disco/main amd64 Packages
100 /var/lib/dpkg/status
I expect to see in /var/log/exim4/mainlog lines like this as I saw before:
2019-05-12 20:01:54 1hPsnJ-000285-Jj SA: Debug: check succeeded, running spamc
2019-05-12 20:02:01 1hPsnJ-000285-Jj SA: Action: scanned but message isn't
spam: score=2.5 required=5.0 (scanned in 7/7 secs | Message-Id:
duxufv23y44bfkuepz1f4naeoavbh7xtz_es_rsbndc.erur4y-b0k2tn61ykllctsv6z3yzr3hqkm9umv94...@devotestream.icu).
From <[email protected]> (host=NULL [185.254.236.42]) for <masked email>
I don't see that after upgrading to 19.04 this saturday
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1829292
Title:
exim4 doesn't run the local_scan function after upgrade to 19.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1829292/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
