sa-update on 5.x

[su_A_ve]

We've been hit with the DNS_FROM_OPENWHOIS issue and instead of trying to play catch up as with the other issue from January, I figured let's get sa-update working.

Installed spamassassin rpm and (as zimbra) imported the gpg key from dostech.net to add the SARE channels.

As zimbra, I ran:

Code:

/usr/bin/sa-update --channelfile /usr/local/etc/SARE-sa-update-channels.txt --gpgkey 856AA88A --updatedir /opt/zimbra/conf/spamassassin --gpghomedir /opt/zimbra/conf/spamassassin

The SARE-sa-update-channels.txt is:

Code:

updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net

This created a directory for each of the above entries, and the corresponding cf, ie:

Code:

drwxr-x---  2 zimbra zimbra 4096 Mar 26 16:28 updates_spamassassin_org
-rw-r-----  1 zimbra zimbra 2431 Mar 26 16:28 updates_spamassassin_org.cf

But it seems the top level files are still being in use instead of the new ones inside these directories. After running zmamavisctl reload or zmantispamctl reload, I still am getting the old rules:

Code:

X-Spam-Status: No, score=1.681 tagged_above=-10 required=6.6
	tests=[ALL_TRUSTED=-1.8, AWL=-0.000, BAYES_00=-2.599,
	DNS_FROM_OPENWHOIS=1.13, FH_DATE_PAST_20XX=3.188,
	MISSING_SUBJECT=1.762]

Any ideas???

[uxbod]

Check to ensure you have no errors in your configuration

Code:

/usr/bin/spamassassin -p /opt/zimbra/conf/salocal.cf --siteconfigpath /opt/zimbra/conf/spamassassin -D --lint > /tmp/sacheck.txt 2>&1

Then view the sacheck.txt file and see whether the rules are being pulled in.

[su_A_ve]

OK - Lookikng at the output from the check above, (and this might sound stoopid) but I now assume the existing rules in the top level /opt/zimbra/conf/spamassassin need to be removed?

I'm currently reading from:

[24761] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
[24761] dbg: config: using "/usr/share/spamassassin" for default rules dir
[24761] dbg: config: using "/opt/zimbra/conf/spamassassin" for site rules dir
[24761] dbg: config: using "/opt/zimbra/conf/salocal.cf" for user prefs file

[uxbod]

Further down the output you should see it pulling in the updates ? Are you able to post the whole log please ?

[su_A_ve]

Quote:

Originally Posted by uxbod

Further down the output you should see it pulling in the updates ? Are you able to post the whole log please ?

Attaching the whole log file. It seems to be including the updates as I see several one of each of these for them:

[24761] dbg: config: fixed relative path: /opt/zimbra/conf/spamassassin/updates_spamassassin_org/80_additional.cf
[24761] dbg: config: using "/opt/zimbra/conf/spamassassin/updates_spamassassin_org/80_additional.cf" for included file
[24761] dbg: config: read file /opt/zimbra/conf/spamassassin/updates_spamassassin_org/80_additional.cf

But from doing some testing, I still see some of rules that came with Zimbra still being used, such as the DNS_FROM_OPENWHOIS:

X-Spam-Status: No, score=0.087 tagged_above=-10 required=6.6
tests=[ALL_TRUSTED=-1.8, AWL=1.594, BAYES_00=-2.599,
DNS_FROM_OPENWHOIS=1.13, MISSING_SUBJECT=1.762]

I was under the impression that enabling sa-update would actually update the SA rules, however, it seems that these are getting merged with the zimbra stock ones. I do notice the FH_DATE_PAST_20XX is not being triggered. On my original post, this rule was effective, but at the time I hadn't done a full zmcontrol stop/start.

[uxbod]

Would you be able to do a

Code:

su - zimbra
zmamavisdctl stop

Once that is done please check that all amavis processes have died

Code:

ps aux | grep -i amavis

and if they have then start up again

Code:

su - zimbra
zmamavisdctl start

I am just wondering whether a rogue amavis process is still running.

[su_A_ve]

Verified that amavis was down, however, I'm still picking up the DNS_FROM_OPENWHOIS rule.

This rule is present in the original 72_actvie.cf with the zimbra stock SA. The updated version of this file inside the updates_spamassassin_org directory no longer has the rule.

Again, I think both of them are merged...

[su_A_ve]

Bump ?????

[uxbod]

Hmmm, as a intermediary step move the downloaded rules into the top level and see if that resolves the problem.

[su_A_ve]

Quote:

Originally Posted by uxbod

Hmmm, as a intermediary step move the downloaded rules into the top level and see if that resolves the problem.

After some long testing, it seems we need to remove all ??_*.cf files from the top directory as these are replaced with the ones inside the sub directories.

Hope this is ok - not sure how to actually run a lint using the stock spamassassin...