exim4 doesn't run the local_scan function after upgrade to 19.04

Bug #1829292 reported by Hasse Hagen Johansen on 2019-05-15
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
exim4 (Ubuntu)
Undecided
Unassigned
Disco
High
Bryce Harrington
Eoan
Undecided
Unassigned

Bug Description

[Impact]
Regression causing breakage of spam filtering for Exim4 users when using sa-exim for spamassassin integration.

[Test Case]
$ lxc launch ubuntu:19.04/amd64 exim-19-008-1
$ lxc exec exim-19-008-1 bash
  ### Pre-requisites ###
  # apt update
  # apt-get install -y exim4 exim4-daemon-light
  # apt-get install -y spamassassin
  # apt-get install -y sa-exim

  ### Startup spamassassin ###
  # service spamassassin start
  # lsof -i :783
  COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
  spamd 10552 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd (LISTEN)
  spamd 10552 root 6u IPv4 2384099 0t0 TCP localhost:spamd (LISTEN)
  spamd\x20 10553 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd (LISTEN)
  spamd\x20 10553 root 6u IPv4 2384099 0t0 TCP localhost:spamd (LISTEN)
  spamd\x20 10554 root 5u IPv6 2384097 0t0 TCP ip6-localhost:spamd (LISTEN)
  spamd\x20 10554 root 6u IPv4 2384099 0t0 TCP localhost:spamd (LISTEN)
  # service spamassassin status | grep Active
  Active: active (running) since [...]

  ### Configure exim4 for sa-exim ###
  # ls -l /usr/lib/exim4/local_scan/sa-exim.so
  -rw-r--r-- 1 root root 43576 Aug 2 2016 /usr/lib/exim4/local_scan/sa-exim.so
  # OPTION="local_scan_path = \/usr\/lib\/exim4\/local_scan\/sa-exim\.so"
  # sed -i.bak "/MAIN CONFIG/a ${OPTION}" /etc/exim4/exim4.conf.template
  # sed -i.bak 's/^SAEximRunCond: 0/SAEximRunCond: 1/' /etc/exim4/sa-exim.conf
  # update-exim4.conf || echo "Error"
  # service exim4 restart
  # service exim4 status | grep Active
  Active: active (running) since [...]

  ### Perform RED test
  # echo "test" | mail -s testing root
  # ls -l /var/spool/mail/mail
  -rw------- 1 mail mail 629 Jun 4 04:29 /var/spool/mail/mail
  # tail /var/log/exim4/mainlog
  [...]
  [...] 1hXwGX-00011P-Ay <= <email address hidden> U=root P=local S=454
  [...] 1hXwGX-00011P-Ay => /var/mail/mail <email address hidden> R=mail4root T=address_file
  [...] 1hXwGX-00011P-Ay Completed
  # grep "SA: Action" /var/log/exim4/mainlog || echo "FAIL"
  FAIL

  ### Install fix
  # add-apt-repository -yu 'deb http://archive.ubuntu.com/ubuntu disco-proposed main'
  ### Or: add-apt-repository -yu ppa:bryce/exim-19-008-1
  # apt install -y exim4 exim4-daemon-light
  # service exim4 restart
  # service exim4 status | grep Active
  Active: active (running) since [...]

  ### Perform GREEN test
  # echo "test" | mail -s testing root
  # tail /var/log/exim4/mainlog
  [...]
  [...] 1hXwGX-00011P-Ay <= <email address hidden> U=root P=local S=454
  [...] 1hXwGX-00011P-Ay => /var/mail/mail <email address hidden> R=mail4root T=address_file
  [...] 1hXwGX-00011P-Ay Completed
  # grep "SA: Action" /var/log/exim4/mainlog && echo "PASS"
  [...] 1hY18c-000349-Vz SA: Action: scanned but message isn't spam: score=0.7 required=5.0 (scanned in 4/4 secs | Message-Id: [...]@exim-19-006-1.lxd). From <email address hidden> (local) for <email address hidden>
  PASS
  # exit
$ lxc stop exim-19-008-1
$ lxc delete exim-19-008-1

[Regression Potential]
Low.

The 'local_scan' function was removed due to concerns it might allow rewriting of emails in invalid situations. However, this risk has been equally present in previous exim4 releases Ubuntu has shipped, thus does not create any new issues, just restores behavior to what it has been in the past.

This is not a default behavior, so whether it is enabled or not should have no impact on "regular" exim4 users.

Things to watch for in testing would be severe breakage when using the local_scan functionality in ways that worked properly in bionic. Note that with sa-exim no longer actively maintained, and with exim4 discouraging use of local_scan, it is to be expected that some irregularities may crop up in certain use cases, but general usage that has worked previously should be expected to continue similarly.

[Discussion]
Upstream dropped support for a 'local_scan' function in 4.92, that sa-exim requires; Debian restored support for this capability in 4.92-7, but disco is shipping 4.92-4ubuntu1 without the restored support.

The reason upstream dropped the support was out of concern that changes in how emails are handled internally will break rewriting in certain circumstances. Unfortunately this breaks compatibility with sa-exim, which uses local_scan to do spamassassin checking to reject spam emails pre-acceptance.

This SRU is a one-line change to enable HAVE_LOCAL_SCAN in exim4's template configuration file, "EDITME". Ubuntu has already been carrying the 90_localscan_dlopen.dpatch that implements the necessary functionality, however due to upstream changes it is now necessary to define HAVE_LOCAL_SCAN in the local config (it is off by default). With this change, the functionality of 90_localscan_dlopen.dpatch will again be effective.

[Original Report]
It seems like after upgrade to 19.04 that exim is not running the local_scan function (in my case the sa-exim /usr/lib/exim4/local_scan/sa-exim.so)

So I now don't have the spam-scan I am used to(I have enabled scanning by the way of an RCPT_ACL for now)

Hope this can fixed despite sa-exim being very old

Description: Ubuntu 19.04
Release: 19.04

exim4-daemon-heavy:
  Installed: 4.92-4ubuntu1
  Candidate: 4.92-4ubuntu1
  Version table:
 *** 4.92-4ubuntu1 500
        500 http://dk.archive.ubuntu.com/ubuntu disco/main amd64 Packages
        100 /var/lib/dpkg/status

I expect to see in /var/log/exim4/mainlog lines like this as I saw before:
2019-05-12 20:01:54 1hPsnJ-000285-Jj SA: Debug: check succeeded, running spamc
2019-05-12 20:02:01 1hPsnJ-000285-Jj SA: Action: scanned but message isn't spam: score=2.5 required=5.0 (scanned in 7/7 secs | Message-Id: DuXuFV23y44bFKUePZ1f4NaeoavBH7Xtz_eS_RSBnDc<email address hidden>). From <email address hidden> (host=NULL [185.254.236.42]) for <masked email>

I don't see that after upgrading to 19.04 this saturday

Paride Legovini (legovini) wrote :

Thanks for your report. I've been able to reproduce the issue and by digging a bit deeper I found two relevant bugs in Debian [1,2]. Also relevant is the changelog of the Debian exim4 package [3].

In my understanding this is what happened:

 * exim4 4.92 broke the compatibility with sa-exim [4].
 * exim4 4.92-5 (Debian package) dropped the patch to enable local_scan and has been
   declared incompatible ("Conflicts:") with sa-exim [3].
 * By including api-limitation.patch sa-exim 4.2.1-17 is made compatible with exim4 4.92.
 * exim4 4.92-7 is uploaded to Debian unstable with local_scan enabled again and the
   incompatibility with sa-exim removed.

The newer packages are already in Ubuntu Eoan (currently in development).
This bug can be fixed in Disco by porting those packages back.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925982
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926952
[3] https://metadata.ftp-master.debian.org/changelogs//main/e/exim4/exim4_4.92-7_changelog
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926952#19

Changed in exim4 (Ubuntu Eoan):
status: New → Fix Released
Changed in exim4 (Ubuntu Disco):
status: New → Triaged
Changed in exim4 (Ubuntu Disco):
status: Triaged → Fix Committed
tags: added: server-next
Changed in exim4 (Ubuntu Disco):
status: Fix Committed → Triaged
Bryce Harrington (bryce) on 2019-05-17
description: updated
Changed in exim4 (Ubuntu Disco):
importance: Undecided → High
assignee: nobody → Bryce Harrington (bryce)
milestone: none → disco-updates
Bryce Harrington (bryce) on 2019-05-23
description: updated
Bryce Harrington (bryce) wrote :

SRU: Minimal patch for disco is attached, with cherrypick of Debian's implementation of the fix.

This includes some fuzz from Debian's update of the patch, which I've preserved as harmless.

Robie Basak (racb) on 2019-05-30
tags: added: regression-release
Bryce Harrington (bryce) on 2019-05-30
description: updated
Łukasz Zemczak (sil2100) wrote :

Thank you for the SRU upload! For us to be able to review and accept the new version, we would need a clear test case defined in the template (right now it's marked as 'TBD'). Without that information we cannot process the SRU.

Bryce Harrington (bryce) wrote :

Test case has been added.

description: updated

Hello Hasse, or anyone else affected,

Accepted exim4 into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/exim4/4.92-4ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in exim4 (Ubuntu Disco):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-disco
Bryce Harrington (bryce) on 2019-06-04
description: updated
Bryce Harrington (bryce) on 2019-06-05
description: updated
description: updated
Bryce Harrington (bryce) on 2019-06-05
description: updated
Bryce Harrington (bryce) wrote :

Fwiw, I've re-verified the test case steps myself, against disco-proposed in a fresh lxc container and can confirm it passes with disco-proposed.

Bryce Harrington (bryce) on 2019-06-05
tags: added: verification-done-disco
removed: verification-needed-disco
tags: added: verification-done
removed: verification-needed

exim4-daemon-heavy version 4.92-4ubuntu1.1 seems to have fixed the problem

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.92-4ubuntu1.1

---------------
exim4 (4.92-4ubuntu1.1) disco-proposed; urgency=medium

  * d/EDITME.exim4.light.diff: Set HAVE_LOCAL_SCAN=yes in EDITME.
    Backport from Debian to enable local_scan. (LP: #1829292)

 -- Bryce Harrington <email address hidden> Wed, 29 May 2019 17:59:06 -0700

Changed in exim4 (Ubuntu Disco):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for exim4 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.