JDunphy-SA-Upgrade: Difference between revisions
m (→Introduction) |
m (→Introduction) |
||
Line 3: | Line 3: | ||
{{WIP}} | {{WIP}} | ||
= Introduction = | = Introduction = | ||
Updating Spamassassin to a newer version from say 3.4.1 which is the current version for 8.7.11. Note: rules are only on main branch in SA github so we grab those first. I am using this in production as there are a few DoS against the SA versions that Zimbra ships in production. If you are hit with one of these email bombs, you can expect to see amavisd's that are 100% CPU bound and will takes about 15 minutes to timeout. You will also see postfix disconnect with END-OF-MESSAGE followed by a disconnect. After 15 mins, the email will be moved to the deferred queue. Amavisd will respond after 15 mins with a log message that it | Updating Spamassassin to a newer version from say 3.4.1 which is the current version for 8.7.11. Note: rules are only on main branch in SA github so we grab those first. I am using this in production as there are a few DoS against the SA versions that Zimbra ships in production. If you are hit with one of these email bombs, you can expect to see amavisd's that are 100% CPU bound and will takes about 15 minutes to timeout. You will also see postfix disconnect with END-OF-MESSAGE followed by a disconnect. After 15 mins, the email will be moved to the deferred queue. Amavisd will respond after 15 mins with a log message that it lost connection with 127.0.0.0 while sending data - message may be sent more than once". A previous version of this article was for SA 3.4.2 and this is updated for the latest SA 3.4.4 | ||
= Backup Current Version = | = Backup Current Version = |
Revision as of 18:54, 18 October 2020
Upgrade SA to newer release
Introduction
Updating Spamassassin to a newer version from say 3.4.1 which is the current version for 8.7.11. Note: rules are only on main branch in SA github so we grab those first. I am using this in production as there are a few DoS against the SA versions that Zimbra ships in production. If you are hit with one of these email bombs, you can expect to see amavisd's that are 100% CPU bound and will takes about 15 minutes to timeout. You will also see postfix disconnect with END-OF-MESSAGE followed by a disconnect. After 15 mins, the email will be moved to the deferred queue. Amavisd will respond after 15 mins with a log message that it lost connection with 127.0.0.0 while sending data - message may be sent more than once". A previous version of this article was for SA 3.4.2 and this is updated for the latest SA 3.4.4
Backup Current Version
Files are located under /opt/zimbra/common/lib/perl5/Mail/Spamassassin and /opt/zimbra/data/spamassassin/ Note: the '*' with tar as we are grabbing both the spamassassin.pm and the directory spamassassin.
Here is what the general structure looks like with Zimbra/SA:
/opt/zimbra/common/lib/perl5/Mail/SpamAssassin/ /opt/zimbra/common/lib/perl5/Mail/SpamAssassin/SpamAssassin.pm /opt/zimbra/data/spamassassin/localrules/ /opt/zimbra/data/spamassassin/rules/* ---- rules with the distribution /opt/zimbra/data/spamassassin/state/ ---- rules from sa-update /opt/zimbra/data/spamassassin/state/{3.00400|3.00401}/updates_spamassassin_org/ /opt/zimbra/data/spamassassin/state/3.004001/updates_spamassassin_org /opt/zimbra/data/spamassassin/state/3.004001/updates_spamassassin_org.cf # --- rules to include run tar as root or zimbra because need GPG stuff and all keys in that directory are 700 perms rwx------ zimbra/zimbra 0 2019-05-21 10:00 opt/zimbra/data/spamassassin/localrules/sa-update-keys/ --- /opt/zimbra/commong/lib/perl5/Mail/Spamassassin ---- perms: root:root /opt/zimbra/data/spamassassin perms: zimbra:zimbra
with this command to backup existing should you need to revert back:
su - zimbra -c "tar zcvf /tmp/SA_backup.tar.gz /opt/zimbra/common/lib/perl5/Mail/SpamAssassin* \ /opt/zimbra/data/spamassassin \ /opt/zimbra/common/bin/sa-check_spamd \ /opt/zimbra/common/bin/sa-update \ /opt/zimbra/common/bin/spamassassin \ /opt/zimbra/common/bin/sa-learn \ /opt/zimbra/common/bin/sa-compile \ /opt/zimbra/common/bin/spamc \ /opt/zimbra/common/share/man/man1/sa-compile.1 \ /opt/zimbra/common/share/man/man1/spamc.1 \ /opt/zimbra/common/share/man/man1/sa-awl.1 \ /opt/zimbra/common/share/man/man1/sa-learn.1 \ /opt/zimbra/common/share/man/man1/sa-update.1 \ /opt/zimbra/common/share/man/man1/spamd.1 \ /opt/zimbra/common/share/man/man1/spamassassin-run.1 \ /opt/zimbra/common/share/man/man3/Mail::SpamAssassin* \ /opt/zimbra/common/share/man/man3/spamassassin-run.3pm"
Get and Install newer version
git clone https://github.com/apache/spamassassin.git cd spamassassin tar cvf ../rules.tar rules* git checkout spamassassin_release_3_4_4 tar xvf ../rules.tar
where build_zimbra.sh is:
#!/bin/bash export PERL5LIB=/opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi:/opt/zimbra/common/lib/perl5 export PERLLIB=/opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi:/opt/zimbra/common/lib/perl5 /usr/bin/perl Makefile.PL \ PREFIX=/opt/zimbra/common \ LIB=/opt/zimbra/common/lib/perl5 \ DATADIR=/opt/zimbra/data/spamassassin/rules \ CONFDIR=/opt/zimbra/data/spamassassin/localrules \ LOCALSTATEDIR=/opt/zimbra/data/spamassassin/state make make install chown -R zimbra:zimbra /opt/zimbra/common/lib/perl5/Mail/SpamAssassin* chown -R zimbra:zimbra /opt/zimbra/data/spamassassin/
Verify rules still update
Rules are updated by cron. Run this command to verify that still works. You will have a state/3.004004 directory
/opt/zimbra/common/bin/sa-update -v --allowplugins --refreshmirrors
General Notes
#Default configuration data is loaded from the first existing directory in: # # /opt/zimbra/data/spamassassin/state/3.004002 # /opt/zimbra/data/spamassassin/rules # /opt/zimbra/common/share/spamassassin # /usr/local/share/spamassassin # /usr/share/spamassassin # Site-specific configuration data is used to override any values which # had already been set. This is loaded from the first existing directory in: # # /opt/zimbra/data/spamassassin/localrules # /opt/zimbra/common/etc/mail/spamassassin # /opt/zimbra/common/etc/spamassassin # /usr/local/etc/spamassassin # /usr/pkg/etc/spamassassin # /usr/etc/spamassassin # /etc/mail/spamassassin # /etc/spamassassin # From those 3 directories, SpamAssassin will first read file ending in ".pre" in lexical order # and then read files ending in ".cf" in lexical order. # In other words, it will read init.pre first, then 10_default_prefs.cf # before 50_scores.cf and 20_body_tests.cf before 20_head_tests.cf. # SA 4.0 requires newer perl version that exists with RHEL6/Centos6
Script to install if you don't want to install in the buildZimbra.sh step
#!/bin/bash export PERL5LIB=/opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi:/opt/zimbra/common/lib/perl5 export PERLLIB=/opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi:/opt/zimbra/common/lib/perl5 #As root make install chown -R zimbra:zimbra /opt/zimbra/data/spamassassin
This is from memory so please go slowly and verify before issuing that make install in the build_zimbra.sh script.
More articles written by me, https://wiki.zimbra.com/wiki/JDunphy-Notes