HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   General (http://www.howtoforge.com/forums/forumdisplay.php?f=25)
-   -   Is it possible for root user to read Dovecot IMAP users' email messages? (http://www.howtoforge.com/forums/showthread.php?t=58223)

cbj4074 9th August 2012 17:43

Is it possible for root user to read Dovecot IMAP users' email messages?
 
I am wondering if it is possible for the root user to read individual Dovecot IMAP users' email messages, without knowing each user's password.

We have a need to follow-up on customer complaints related to SPAM. Basically, we need to see the SpamAssassin headers for the messages in question.

If there is a way to do this that does not require access to the user's IMAP account?

It seems like this information could be acquired from a log instead, but sifting through log entries (especially after log rotation has occurred) seems like a nightmare. Furthermore, I can't seem to find a SpamAssassin log anywhere. Is logging off by default? And if so, does spamd need to be enabled to use it?

Code:

# Change to one to enable spamd
ENABLED=0

How do other folks handle this situation?

Thanks for any insight!

pititis 9th August 2012 19:05

Hello,

you can set quarantine for each spamfilter policy. When you add en email domain you set the default spamfilter policy.

First, set the spamfilter policy for the email domain. After that go to Email->Spamfilter->Policy and click on the policy name.

In quarantine tab you can set the email address where spam will be forwarded. i.e abuse@yourdomain.com

Next, set your tag level. What level? Well, it's your choice. I'm using tag2 4.5 and kill level 6. Also I set spam tag level to -999 to ensure that every email is analyzed.

You will get a full report for every spam/virus email that match with your tag level. Simple and powerful!

Cheers!

cbj4074 9th August 2012 20:14

1 Attachment(s)
Thank you for the reply, Pititis.

I am already doing exactly as you suggested; the problem is the messages that score below the "kill level" ($sa_kill_level_deflt), but are likely to be spam. These messages are not quarantined, so I do not have a chance to inspect them. (To be clear, messages are not quarantined until their scores are >= $sa_kill_level_deflt, if a quarantine is configured.)

Part of the challenge is that we have set the following directive in /etc/amavis/conf.d/50-user

Code:

$final_spam_destiny = D_DISCARD;
which means that messages scoring over the "kill level" (set at 13 within ISPConfig) are discarded entirely.

Your kill level (6) is quite low, but one has to assume that you are using

Code:

$final_spam_destiny = D_PASS;
so as not to discard legitimate email accidentally.

In other words, the strategy that you describe will work well, but only as long as the final destiny is D_PASS (and not D_DISCARD).

Upon double-checking my policy settings in ISPConfig, I did notice that the "SPAM quarantine cutoff level" is set to zero, however. Is this a problem?

I'm a little confused because the ISPConfig manual states:

Quote:

SPAM quarantine cutoff level: This is the spam score beyond which quarantine is off. Use a low score (e.g. 0) if you don't want quarantine.
Yet, a different resource ( http://www200.pair.com/mecham/spam/a...-settings.html ) states:

Quote:

If you quarantine spam, but you would like to delete high scoring spam (therefore reducing the number of items in the quarantine) this setting allows you to discard quarantined spam at this level and above.
So, what is the effect of setting this value to zero?

It doesn't seem to be that quarantine is disabled, because I still receive quarantined messages. Perhaps using zero means, "Send all qualifying emails to quarantine (don't discard them, no matter how high their scores)," in which case the ISPConfig manual should be corrected.

Two other points of note:

1.) Quarantined messages have the following in the basic header information:

Code:

Subject: Many languages can be learned very quickly
Not quarantined.

Why does the quarantined message say "Not quarantined"? This makes no sense; the message is obviously quarantined, as it is coming to the mailbox specified for quarantined messages.

2.) Quarantined messages also contain the following:

Code:

Content analysis details:  (16.8 points, 5.0 required)
From where is the "5.0 required" coming? I am not using the score 5.0 anywhere. I realize that this is Spam Assassin's default delineation point for "ham" vs. "spam", so it must be defined somewhere (even if as the default), but my question is, "Why is this value not being overridden somewhere [e.g., from within ISPConfig]?"

Thanks again.

pititis 9th August 2012 22:35

ok, check your spamfilter users list. ( spamfilter->user/domain) and be sure that the mailboxes/domains are using the policy you want.

Yes, with the quarantine cutoff you can set at what level the email is forwarded to the quarantine admin. 0 = Notification off

The score 5.0? Sure, it must be a score of one policy. Default's scores are in the database and in the 50-user file (but this file is patched for ispconfig's install/update, and scores are pretty high)

Cheers!

cbj4074 10th August 2012 17:16

I double-checked the Spamfilter -> User / Domain list and everything looks correct there. I am assigning my custom "default policy" to each domain, at the domain level only.

Hmm, that explanation of the quarantine cut-off value doesn't seem consistent with the observed behavior. As can be seen in the screenshot attached to my previous post, this value has been set at zero, yet I do receive quarantine emails for messages with scores >= "SPAM kill level".

I have tried hunting-down the 5.0 score, and it's not in 50-user. I see the defined defaults there, however:

Code:

# Default settings, we st this very high to not filter aut emails accidently
$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 20.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 60.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 60.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 100;  # spam level beyond which a DSN is not sent

I have double-checked all policies in ISPConfig and none of them use the score 5.0. So, where's it coming from, I wonder?

All of this said, I still don't have a viable strategy for reviewing messages with scores that straddle the ham/spam line.

Is there any means by which to receive a "digest" of the day's spam activity and scores?

I've seen a Perl script ( http://comments.gmane.org/gmane.mail...vis.user/14590 ), but it's pretty old.

I'm willing to write a script to parse the log, but that's another issue entirely. I don't see detailed SpamAssassin information in /var/log/syslog (on Debian). I asked this question in my initial post: does one have to use Spam Assassin in daemon mode to enable detailed logging?

till 10th August 2012 17:25

If you set the amavis logging in 50-user to be more verbose, then you should get detailedlog entrys about all actions and scrores in the sylog or mail.log.

till 10th August 2012 17:27

And reagrding your original message, all emails are stored as plain text files in the maildir folders of the mail accounts, so you can see the scores in the headers as root user with any text editor or search the files with grep and sed, no need to use imap.

cbj4074 10th August 2012 17:44

Brilliant, Till. Thank you!

Per your advice, I turned Amavis's logging level up to "2" and now I do see detailed Spam Assassin scoring data.

Code:

<user1@example.com> -> <user2@example.com>, No, score=-0.011 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Perfect.

Also, thanks for clarifying that I can access user mailboxes with any text-editor; great to know.


All times are GMT +2. The time now is 18:32.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.