exim4 doesn't run the local_scan function after upgrade to 19.04
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
exim4 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Disco |
Fix Released
|
High
|
Bryce Harrington | ||
Eoan |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
Regression causing breakage of spam filtering for Exim4 users when using sa-exim for spamassassin integration.
[Test Case]
$ lxc launch ubuntu:19.04/amd64 exim-19-008-1
$ lxc exec exim-19-008-1 bash
### Pre-requisites ###
# apt update
# apt-get install -y exim4 exim4-daemon-light
# apt-get install -y spamassassin
# apt-get install -y sa-exim
### Startup spamassassin ###
# service spamassassin start
# lsof -i :783
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
spamd 10552 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd (LISTEN)
spamd 10552 root 6u IPv4 2384099 0t0 TCP localhost:spamd (LISTEN)
spamd\x20 10553 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd (LISTEN)
spamd\x20 10553 root 6u IPv4 2384099 0t0 TCP localhost:spamd (LISTEN)
spamd\x20 10554 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd (LISTEN)
spamd\x20 10554 root 6u IPv4 2384099 0t0 TCP localhost:spamd (LISTEN)
# service spamassassin status | grep Active
Active: active (running) since [...]
### Configure exim4 for sa-exim ###
# ls -l /usr/lib/
-rw-r--r-- 1 root root 43576 Aug 2 2016 /usr/lib/
# OPTION=
# sed -i.bak "/MAIN CONFIG/a ${OPTION}" /etc/exim4/
# sed -i.bak 's/^SAEximRunCond: 0/SAEximRunCond: 1/' /etc/exim4/
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
### Perform RED test
# echo "test" | mail -s testing root
# ls -l /var/spool/
-rw------- 1 mail mail 629 Jun 4 04:29 /var/spool/
# tail /var/log/
[...]
[...] 1hXwGX-00011P-Ay <= <email address hidden> U=root P=local S=454
[...] 1hXwGX-00011P-Ay => /var/mail/mail <email address hidden> R=mail4root T=address_file
[...] 1hXwGX-00011P-Ay Completed
# grep "SA: Action" /var/log/
FAIL
### Install fix
# add-apt-repository -yu 'deb http://
### Or: add-apt-repository -yu ppa:bryce/
# apt install -y exim4 exim4-daemon-light
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
### Perform GREEN test
# echo "test" | mail -s testing root
# tail /var/log/
[...]
[...] 1hXwGX-00011P-Ay <= <email address hidden> U=root P=local S=454
[...] 1hXwGX-00011P-Ay => /var/mail/mail <email address hidden> R=mail4root T=address_file
[...] 1hXwGX-00011P-Ay Completed
# grep "SA: Action" /var/log/
[...] 1hY18c-000349-Vz SA: Action: scanned but message isn't spam: score=0.7 required=5.0 (scanned in 4/4 secs | Message-Id: [...]@exim-
PASS
# exit
$ lxc stop exim-19-008-1
$ lxc delete exim-19-008-1
[Regression Potential]
Low.
The 'local_scan' function was removed due to concerns it might allow rewriting of emails in invalid situations. However, this risk has been equally present in previous exim4 releases Ubuntu has shipped, thus does not create any new issues, just restores behavior to what it has been in the past.
This is not a default behavior, so whether it is enabled or not should have no impact on "regular" exim4 users.
Things to watch for in testing would be severe breakage when using the local_scan functionality in ways that worked properly in bionic. Note that with sa-exim no longer actively maintained, and with exim4 discouraging use of local_scan, it is to be expected that some irregularities may crop up in certain use cases, but general usage that has worked previously should be expected to continue similarly.
[Discussion]
Upstream dropped support for a 'local_scan' function in 4.92, that sa-exim requires; Debian restored support for this capability in 4.92-7, but disco is shipping 4.92-4ubuntu1 without the restored support.
The reason upstream dropped the support was out of concern that changes in how emails are handled internally will break rewriting in certain circumstances. Unfortunately this breaks compatibility with sa-exim, which uses local_scan to do spamassassin checking to reject spam emails pre-acceptance.
This SRU is a one-line change to enable HAVE_LOCAL_SCAN in exim4's template configuration file, "EDITME". Ubuntu has already been carrying the 90_localscan_
[Original Report]
It seems like after upgrade to 19.04 that exim is not running the local_scan function (in my case the sa-exim /usr/lib/
So I now don't have the spam-scan I am used to(I have enabled scanning by the way of an RCPT_ACL for now)
Hope this can fixed despite sa-exim being very old
Description: Ubuntu 19.04
Release: 19.04
exim4-daemon-heavy:
Installed: 4.92-4ubuntu1
Candidate: 4.92-4ubuntu1
Version table:
*** 4.92-4ubuntu1 500
500 http://
100 /var/lib/
I expect to see in /var/log/
2019-05-12 20:01:54 1hPsnJ-000285-Jj SA: Debug: check succeeded, running spamc
2019-05-12 20:02:01 1hPsnJ-000285-Jj SA: Action: scanned but message isn't spam: score=2.5 required=5.0 (scanned in 7/7 secs | Message-Id: DuXuFV23y44bFKU
I don't see that after upgrading to 19.04 this saturday
Changed in exim4 (Ubuntu Disco): | |
status: | Triaged → Fix Committed |
tags: | added: server-next |
Changed in exim4 (Ubuntu Disco): | |
status: | Fix Committed → Triaged |
description: | updated |
Changed in exim4 (Ubuntu Disco): | |
importance: | Undecided → High |
assignee: | nobody → Bryce Harrington (bryce) |
milestone: | none → disco-updates |
description: | updated |
tags: | added: regression-release |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
tags: |
added: verification-done-disco removed: verification-needed-disco |
tags: |
added: verification-done removed: verification-needed |
Thanks for your report. I've been able to reproduce the issue and by digging a bit deeper I found two relevant bugs in Debian [1,2]. Also relevant is the changelog of the Debian exim4 package [3].
In my understanding this is what happened:
* exim4 4.92 broke the compatibility with sa-exim [4]. patch sa-exim 4.2.1-17 is made compatible with exim4 4.92.
* exim4 4.92-5 (Debian package) dropped the patch to enable local_scan and has been
declared incompatible ("Conflicts:") with sa-exim [3].
* By including api-limitation.
* exim4 4.92-7 is uploaded to Debian unstable with local_scan enabled again and the
incompatibility with sa-exim removed.
The newer packages are already in Ubuntu Eoan (currently in development).
This bug can be fixed in Disco by porting those packages back.
[1] https:/ /bugs.debian. org/cgi- bin/bugreport. cgi?bug= 925982 /bugs.debian. org/cgi- bin/bugreport. cgi?bug= 926952 /metadata. ftp-master. debian. org/changelogs/ /main/e/ exim4/exim4_ 4.92-7_ changelog /bugs.debian. org/cgi- bin/bugreport. cgi?bug= 926952# 19
[2] https:/
[3] https:/
[4] https:/