SPAMAssassin: Fix

[rhyswilliamsza]

Operating System (OS/VERSION):

Debian X

VestaCP Version:

All of Them

Installed Software (what you got with the installer):

All of them

Steps to Reproduce:

Install spamassassin

Related Issues/Forum Threads:

None

Other Notes:

Hi There, When installing spamassassin using either the self-installer or the manual method, the following library needs to also be installed. Without it, spamassassin will report all messages DKIM reports as false,

libmail-dkim-perl

This can be installed through a simple call of: apt-get install libmail-dkim-perl

Rhys

[dpeca]

Hmmm, I'm using Debian8 with latest Vesta on many servers, never had that problem :/ I'll check if that library automatically installed on my servers, and when. Can you paste here a error log?

[rhyswilliamsza]

Hi There!

Unfortunately do not have an error log as I managed to sort out the issue before posting here :/ The issue lies with spamassassin missing the perl dkim library. Might be that it was auto installed with debian (I was running a minimal version to begin with).

Rhys

[dpeca]

I'm always starting with Debian minimal - so that is not difference. I'll check what's going on.

[iamra]

I can confirm this is not installed on my server. Debian 8.5, large instance Vesta 0.9.8 16, with spamassasin.

How do I know if this is actually required. where should the false errors be found?

[rhyswilliamsza]

Hi There,

For debugging sake, please would you try run the following command on your system :) If it's anything like mine, you will get an error log on one of your mail reports. This includes the following for me - "dbg: dkim: cannot load Mail::DKIM module, DKIM checks disabled: Can't locate Mail/DKIM/Verifier.pm in @INC (you may need to install the Mail::DKIM::Verifier module)".

This means that every single dkim check that happens will report that DKIM has not passed, regardless if it is valid or not.

If you head into 
**/home/_<user>_/mail/_<domain>_/_<ext>_/cur/**

Try run the following command on any mail item there:

spamassassin -D dkim < _<mail item here>_

Hope that helps! Rhys

[dpeca]

Yes, I get it too. OK, now it's clear. I'll fix this issue.

In what log file you saw this error?

[iamra]

@Rhyswilliamsza, thank you for bringing this issue up. Yes I get this: dbg: dkim: cannot load Mail::DKIM module, DKIM checks disabled: Can't locate Mail/DKIM/Verifier.pm in @INC (you may need to install the Mail::DKIM::Verifier module) (@INC contains: /var/lib/spamassassin/compiled/5.020/3.004000 /var/lib/spamassassin/compiled/5.020/3.004000/auto /usr/share/perl5 /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.20.2 /usr/local/share/perl/5.20.2 /usr/lib/x86_64-linux-gnu/perl5/5.20 /usr/lib/x86_64-linux-gnu/perl/5.20 /usr/share/perl/5.20 /usr/local/lib/site_perl) at /usr/share/perl5/Mail/SpamAssassin/Plugin/DKIM.pm line 624.

Would installing libmail-dkim-perl be sufficient or does it require further configuration?

[rhyswilliamsza]

@dpeca - it is visible in the output upon running the above file. First noticed the issue after my dkim-signed messages were being classified as 'dkim - failed'.

@iamra - merely installing the library solves the issue! Not a single bit of config required :)

[dpeca]

And there is no error in some error logs, exim logs, spamassassin logs?

What is a implication of missing this library, I mean, what is NOT happening if it's not installed, did you noticed that Spamassassin is not working fine somehow? Does spamassassin uses DKIM information when it calculate spam score?

[dpeca]

Even I dont have that library, in Exim mainlog I can find this type of logs: 2016-10-17 08:55:37 1bw1ph-0001q5-OM DKIM: d=somedomain.com s=default c=relaxed/relaxed a=rsa-sha256 [verification succeeded]

[rhyswilliamsza]

Upon spam score calculation, DKIM is used to check whether a mail is valid. If the 'dkim test fails, then the spam score is automatically increased (therefore increasing the sense that the mail is spam).

You won't find this in any logs. If you check one of your incoming mails, you will see in the header a spamassassin score report. Here you will notice that, without the library, the dkim test fails (regardless of whether the dkim is valid or not). With the library, this check passes for 'dkim valid mail. Hope that makes sense?

For you, it seems the verification works. No idea why, because for me without it, it does not. Try checking one of your mail headers just to confirm

[iamra]

Ok, interesting, in a message source code, I do not see a failure notice, but I find this: X-Spam-Score: 10 X-Spam-Bar: + X-Spam-Report: Spam detection software, running on the system "one.sacred.network", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details.

I installed went ahead and installed the libmail-dkim-perl Now the command spamassassin -D dkim < ### outputs:

Oct 18 08:38:46.583 [31596] dbg: dkim: using Mail::DKIM version 0.4
Oct 18 08:38:46.585 [31596] dbg: dkim: performing public key lookup and signature verification
Oct 18 08:38:46.610 [31596] dbg: dkim: DKIM, i=@gmail.com, d=gmail.com, s=20120113, a=rsa-sha256, c=relaxed/relaxed, pass, matches author domain
Oct 18 08:38:46.611 [31596] dbg: dkim: signature verification result: PASS
Oct 18 08:38:46.611 [31596] dbg: dkim: adsp not retrieved, author domain signature is valid
Oct 18 08:38:46.611 [31596] dbg: dkim: adsp result: - (valid a. d. signature), author domain 'gmail.com'
Oct 18 08:38:46.616 [31596] dbg: dkim: VALID signature by gmail.com, author abommg8521@gmail.com, no valid matches
Oct 18 08:38:46.617 [31596] dbg: dkim: author #####@gmail.com, not in any dkim whitelist

Looks much cleaner at least.

Not sure how this impacts system overall and am not sure if there are any assassin failures I am correcting aside from the message output above.

@Rhyswilliamsza still thank you for pointing this out.

I am curious to know if anyone else can confirm this. I want to include this library in my future server provisions, unless it gets included into Vesta install script / update directly.

[dpeca]

It's not problem to include this library in installation script, at least it will not eat anything (I guess :trollface: ) But I would like to hear a thinking of Vesta core developers here... I'm new here, and I can not decide yet what additional libraries will be installed by default.

At least, we don't see errors in logs, and on my server I even see DKIM successful results in logs, even I dont have that library installed.

cc @serghey-rodin @anton-reutov @naumov-socolov

[dpeca]

Confirmed. Spamassassin generates different output when this library is installed, and affect spamscore for 0.1 point. I'll add this library to debian installer script.