RE: Problem with sa-update via proxy
The folder location is correct for Ubuntu. I checked the files this morning and they all updated ok. It looks like it is curl that was causing the problem. Curl is used to download the gpg keys, if that fails, the rest fails. Copying the .curlrc file with the proxy settings to /var/lib/spamassassin (Debian-spamd's home folder) seems to have helped. I will leave it A few days more to ensure its working ok. Peter Hutchison MCP Senior Network Systems SpecialistS S 01484 473716 Networks Team University of Huddersfield | Queensgate | Huddersfield | HD1 3DH > -Original Message- > From: Bill Cole [mailto:sausers-20150...@billmail.scconsult.com] > Sent: 07 June 2018 06:11 > To: Spam Assassin > Subject: Re: Problem with sa-update via proxy > > On 5 Jun 2018, at 4:24, Peter Hutchison wrote: > > > I have recently upgraded my mail mta servers from Ubuntu 14.04 to > > Ubuntu 16.04 but the daily spamassassin cron job is failing to update > > the database in > > /usr/lib/spamassassin/3.9004001/update_spamassassin_org folder. > > That's a very odd version number. Is that an Ubuntu thing? > > > I have made sure that the cron job has the proxy env variables set and > > also updated /etc/wgetrc But it still regularly fails with this > > error. I have even configured .curlrc file in root profile with proxy > > settings. > > > > > > /etc/cron.daily/spamassassin: > > > > channel: could not find working mirror, channel failed sa-update > > failed for unknown reasons I can manually update it ok, but not via a > > cron job. What else do I need to configure to ensure it works every > > time? > > Impossible to say for sure. Adding "-D" to the actual sa-update > invocation in /etc/cron.daily/spamassassin would provide more extensive > detail about what's happening. University of Huddersfield inspiring tomorrow's professionals. [http://marketing.hud.ac.uk/_HOSTED/EmailSig2014/EmailSigFooter.jpg] This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.
Re: Problem with sa-update via proxy
On 5 Jun 2018, at 4:24, Peter Hutchison wrote: I have recently upgraded my mail mta servers from Ubuntu 14.04 to Ubuntu 16.04 but the daily spamassassin cron job is failing to update the database in /usr/lib/spamassassin/3.9004001/update_spamassassin_org folder. That's a very odd version number. Is that an Ubuntu thing? I have made sure that the cron job has the proxy env variables set and also updated /etc/wgetrc But it still regularly fails with this error. I have even configured .curlrc file in root profile with proxy settings. /etc/cron.daily/spamassassin: channel: could not find working mirror, channel failed sa-update failed for unknown reasons I can manually update it ok, but not via a cron job. What else do I need to configure to ensure it works every time? Impossible to say for sure. Adding "-D" to the actual sa-update invocation in /etc/cron.daily/spamassassin would provide more extensive detail about what's happening.
Re: Problem with sa-update via proxy
On 05.06.18 08:24, Peter Hutchison wrote: I have recently upgraded my mail mta servers from Ubuntu 14.04 to Ubuntu 16.04 but the daily spamassassin cron job is failing to update the database in /usr/lib/spamassassin/3.9004001/update_spamassassin_org folder. I have made sure that the cron job has the proxy env variables set and also updated /etc/wgetrc But it still regularly fails with this error. I have even configured .curlrc file in root profile with proxy settings. /etc/cron.daily/spamassassin: channel: could not find working mirror, channel failed sa-update failed for unknown reasons I can manually update it ok, but not via a cron job. What else do I need to configure to ensure it works every time? manually? the /usr/lib/spamassassin/3.9004001/update_spamassassin_org should belong to user spamassassin, and the /etc/cron.daily/spamassassin should switch to this user as well. do you run manually /etc/cron.daily/spamassassin or sa-update? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "Two words: Windows survives." - Craig Mundie, Microsoft senior strategist "So does syphillis. Good thing we have penicillin." - Matthew Alton
Problem with sa-update via proxy
I have recently upgraded my mail mta servers from Ubuntu 14.04 to Ubuntu 16.04 but the daily spamassassin cron job is failing to update the database in /usr/lib/spamassassin/3.9004001/update_spamassassin_org folder. I have made sure that the cron job has the proxy env variables set and also updated /etc/wgetrc But it still regularly fails with this error. I have even configured .curlrc file in root profile with proxy settings. /etc/cron.daily/spamassassin: channel: could not find working mirror, channel failed sa-update failed for unknown reasons I can manually update it ok, but not via a cron job. What else do I need to configure to ensure it works every time? Peter Hutchison MCP Senior Network Systems Specialist * 01484 473716 Networks Team University of Huddersfield | Queensgate | Huddersfield | HD1 3DH [logo_lftcert_sysadmin_small] [MCP_logo_small] [ITIL Foundation small] University of Huddersfield inspiring tomorrow's professionals. [http://marketing.hud.ac.uk/_HOSTED/EmailSig2014/EmailSigFooter.jpg] This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.
Re: sa-update through proxy
John Hardin wrote:
> Ian Zimmerman wrote:
> > John Hardin wrote:
> > > > alias sa-update='env http_proxy=http://myserver:myport/
> > > > https_proxy=http://myserver:myport/ sa-update'
> > >
> > > Lose the "env"?
> >
> > Why? Apart from using an extra process, this should work exactly the same.
>
> {reads man page} Ah, I wasn't aware env did that, I thought it was just a
> dump utility (or, at least, that's the only way I've ever used it). I'm used
> to just prepending local env sets before the command.
I will just jump in her long enough to say that using 'env' like that
is the idiomatic way to avoid differences in shells between sh and csh
(and therefore between bash, dash, posh, ash, ksh, mksh, zsh, and I
think you get the idea). It is a way to guarentee the ability to set
variables regardless of shell. This make documenting things easier.
Bob
Re: sa-update through proxy
On Wed, 4 May 2016 08:57:59 -0400 Reinier Carmona Lizana wrote: > Hi > > Someone has managed to sa-update through a proxy? It should work if you have full internet DNS access, some networks behind proxies only have local DNS. If in doubt try this: $ dig +short mirrors.updates.spamassassin.org txt "http://spamassassin.apache.org/updates/MIRRORED.BY; Also try running sa-update -D for more information > I tried the following ways : > > > 1- I set on my /etc/bash.bashrc > > export HTTP_PROXY=http://myserver:myport/ > export FTP_PROXY=http://myserver:myport/ > > Another way: > > 2- I set on my > > alias sa-update='env http_proxy=http://myserver:myport/ > https_proxy=http://myserver:myport/ sa-update' IIRC it uses curl, wget or fetch if it finds one of them, and will fall-back to perl. I'm guessing there's a reason for not preferring perl. I think curl and wget use the lower-case versions and fetch prefers upper-case, but should fall-back to lower.
Re: sa-update through proxy
On Wed, 4 May 2016, Ian Zimmerman wrote:
On 2016-05-04 08:13 -0700, John Hardin wrote:
alias sa-update='env http_proxy=http://myserver:myport/
https_proxy=http://myserver:myport/ sa-update'
Lose the "env"?
Why? Apart from using an extra process, this should work exactly the same.
{reads man page} Ah, I wasn't aware env did that, I thought it was just a
dump utility (or, at least, that's the only way I've ever used it). I'm
used to just prepending local env sets before the command.
No idea why that wouldn't work, then.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
When I say "I don't want the government to do X", do not
automatically assume that means I don't want X to happen.
---
4 days until the 71st anniversary of VE day
Re: sa-update through proxy
On 2016-05-04 08:13 -0700, John Hardin wrote: > > alias sa-update='env http_proxy=http://myserver:myport/ > > https_proxy=http://myserver:myport/ sa-update' > > Lose the "env"? Why? Apart from using an extra process, this should work exactly the same. -- Please *no* private copies of mailing list or newsgroup messages. Rule 420: All persons more than eight miles high to leave the court.
Re: sa-update through proxy
On Wed, 4 May 2016, Reinier Carmona Lizana wrote: Hi Someone has managed to sa-update through a proxy? I tried the following ways : 1- I set on my /etc/bash.bashrc export HTTP_PROXY=http://myserver:myport/ export FTP_PROXY=http://myserver:myport/ Try lowercase variable names there. Another way: 2- I set on my alias sa-update='env http_proxy=http://myserver:myport/ https_proxy=http://myserver:myport/ sa-update' Lose the "env"? And nothing, any suggestion? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Maxim XXXVII: There is no 'overkill.' There is only 'open fire' and 'time to reload.' --- 4 days until the 71st anniversary of VE day
sa-update through proxy
Hi Someone has managed to sa-update through a proxy? I tried the following ways : 1- I set on my /etc/bash.bashrc export HTTP_PROXY=http://myserver:myport/ export FTP_PROXY=http://myserver:myport/ Another way: 2- I set on my alias sa-update='env http_proxy=http://myserver:myport/ https_proxy=http://myserver:myport/ sa-update' And nothing, any suggestion?
Re: Sa-update and proxy servers
Michael Scheidell wrote: [...] I now need to set a proxy server to do sa-updates through, but could not find any information on settings for a proxy server. [...] Added cmd options: -x --proxy -U --proxy-user -P --proxy-password -t --connect-timeout. [...] Hi, just found this old thread regarding the proxy capabilities of sa-update. I wonder why Michael's patch hasn't been included to the official source. We've got a customer that wants to use sa-update through a proxy but using a custom patch to provide such a feature is kind of weird. Would it be possible to make the patch official? At least it'd be great if one could specify username and password in addition to the proxy url by using environment variables for LWP::Agent. Any comments on this? Daniel -- View this message in context: http://old.nabble.com/Sa-update-and-proxy-servers-tp5026430p30957142.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Sa-update and proxy servers
On 2/17/2011 11:44 PM, Daniel Lemke wrote: Michael Scheidell wrote: [...] I now need to set a proxy server to do sa-updates through, but could not find any information on settings for a proxy server. [...] Added cmd options: -x --proxy -U --proxy-user -P --proxy-password -t --connect-timeout. [...] Hi, just found this old thread regarding the proxy capabilities of sa-update. I wonder why Michael's patch hasn't been included to the official source. We've got a customer that wants to use sa-update through a proxy but using a custom patch to provide such a feature is kind of weird. Would it be possible to make the patch official? At least it'd be great if one could specify username and password in addition to the proxy url by using environment variables for LWP::Agent. Any comments on this? Daniel Was this ever filed as a bug with the suggested patch attached? Nothing gets in the code without a bug filed. Warren
sa-update with proxy
Hi, spamassassin.apache.org Now I try to update rule of spamassassin through proxy. I inserted http://proxy:port in /etc/wgetrc already but when I type command #sa-update -D I see this : check: is spam? score=0 required=5[8931] dbg: check: tests=[8931] dbg: check: subtests=[8931] dbg: generic: lint check of site pre files succeeded, continuing with channel updates[8931] dbg: channel: no MIRRORED.BY file available[8931] dbg: http: GET request, spamassassin.apache.org/updates/MIRRORED.BY[8931] dbg: http: request failed, retrying: 500 Can't connect to spamassassin.apache.org:80 (connect: timeout): 500 Can't connect to spamassassin.apache.org:80 (connect: timeout) http: request failed: 500 Can't connect to spamassassin.apache.org:80 (connect: timeout): 500 Can't connect to spamassassin.apache.org:80 (connect: timeout) error: no mirror data available for channel updates.spamassassin.orgchannel: MIRRORED.BY contents were missing, channel failed[8931] dbg: generic: cleaning up temporary directory/files[8931] dbg: diag: updates complete, exiting with code 4 - [8931] dbg: channel: no MIRRORED.BY file available---what should I do [8931] dbg: http: request failed, retrying: 500 Can't connect to spamassassin.apache.org:80 ---what should I do error: no mirror data available for channel updates.spamassassin.org---what should I do Should I edit something in /usr/bin/sa-update??? Thank you, Alang Chang All the best for the coming year beyond - alangchang - o,o Let me think ( ';'),about that... c()() love youI. - . - . ! L , , UO . OV E Y _ Connect to the next generation of MSN Messenger http://imagine-msn.com/messenger/launch80/default.aspx?locale=en-ussource=wlmailtagline
Re: sa-update with proxy
Alangchang Zuuzuu wrote: I inserted _http://proxy:port_ in /etc/wgetrc already but when I type command sa-update doesn't use wget. *what should I do* Try setting the environment variable http_proxy to whatever address your proxy uses before calling sa-update. *Should I edit something in /usr/bin/sa-update???* No. AFAICT sa-update (at least the one that came with the freebsd port of SA 3.2.5 here) enables LWP::UserAgenmt to fetch proxy settings from environment. ** ? Regards /Jonas -- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Re: sa-update with proxy
Hi Alangchang, At 06:40 21-09-2008, Alangchang Zuuzuu wrote: Now I try to update rule of spamassassin through proxy. I inserted http://proxy:porthttp://proxy:port in /etc/wgetrc already but when I type command #sa-update -D I see this : [snip] [8931] dbg: channel: no MIRRORED.BY file available [8931] dbg: http: GET request, spamassassin.apache.org/updates/MIRRORED.BY [8931] dbg: http: request failed, retrying: 500 Can't connect to spamassassin.apache.org:80 (connect: timeout): 500 Can't connect to spamassassin.apache.org:80 (connect: timeout) sa-update does not use wget to download updates. From http://wiki.apache.org/spamassassin/RuleUpdates sa-update uses the LWP::UserAgent module, which allows certain environment variables to be set so that requests use defined proxy servers. The main one of interest is http_proxy, which should be set to an URL defining the proxy. ie: export http_proxy='http://proxy.example.com:8080/' Regards, -sm
Re: sa-update with proxy
Hi, spamassassin.apache.org Now I try to update rule of spamassassin through proxy. I inserted http://proxy:port http://proxy:port in /etc/wgetrc already but when I type command don¹t know if sa-update uses wget. on freebsd, we just set http_proxy environment variable. (yes, I submitted patches a while back for sa-update to directly support proxy command line options.. If its needed, google for them) -- Michael Scheidell, CTO |SECNAP Network Security Winner 2008 Network Products Guide Hot Companies FreeBSD SpamAssassin Ports maintainer _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com _
sa-update and Proxy firewall
Sorry to be late to the dance, but is there a relatively simple way to have sa-update traverse a proxy based firewall? We'd need to provide username / password to get out. Thanks! Leonard Gray Groupware and Email Administration Information Technology Services, Washington Savannah River Company Internet: [EMAIL PROTECTED] Phone: (803) 725-6022
Re: sa-update and Proxy firewall
On Mon, Aug 21, 2006 at 11:53:40AM -0400, [EMAIL PROTECTED] wrote: Sorry to be late to the dance, but is there a relatively simple way to have sa-update traverse a proxy based firewall? We'd need to provide username / password to get out. Hrm. sa-update uses LWP for doing http requests, and setting things like http_proxy is allowed. However, looking at the docs quickly, there doesn't appear to be a way to authenticate to the proxy using LWP, so there won't be a way via sa-update either. -- Randomly Generated Tagline: I'd love to, but there's a disturbance in the Force. pgpBXHslim4HO.pgp Description: PGP signature
Re: Sa-update and proxy servers
Michael Scheidell [EMAIL PROTECTED] [24-06-2006 17:28]: [...] I now need to set a proxy server to do sa-updates through, but could not find any information on settings for a proxy server. echo 'alias sa-update=http_proxy=http://login:[EMAIL PROTECTED]:port/ ' \ 'sa-update' ~/.profile ? -- Radosław Zieliński [EMAIL PROTECTED] pgpduYYm9le1E.pgp Description: PGP signature
RE: Sa-update and proxy servers
Wonder if that would help the cronjob. Guess that might do it. Especially since sa-update does use the LWP libaries. That's just like *NIX utilities. 57 varaties of how to do the same job.
Sa-update and proxy servers
I think I noticed small change in sa-update for 3.13.
It is now using port 8090 for outgoing connections. (or did it always?)
This happened to make it immediately fail on servers in the DMZ which
have a strict set of outgoing egress rules.
I now need to set a proxy server to do sa-updates through, but could not
find any information on settings for a proxy server.
I could either open up that port, use a proxy, or suggest a proxy
setting for sa-update.
Opening up the port means days if not weeks of change requests.
(and this might be the same in larger organizations, especially under
government security regs)
Steps include updating security policy, firewall rule policy then doing
a firewall rules change request.
Setting up a proxy globally would mean all requests from that host
(clamav updates, etc) would be forced to go through the proxy.
A replacement sa-update script to set a temporary proxy, and than
sa-update seems to work. (without forcing everything through a proxy
server)
Since sa-update is a perl script, and uses the LWP library, it honored
the http_proxy environment settings.
my $ua = LWP::UserAgent-new();
$ua-agent(sa-update/$VERSION);
$ua-timeout(60); # a good long timeout; 10 is too short for Coral!
$ua-env_proxy;
Also, since it is a LWP library, I was wondering if there could not be a
rc or ini file associated with sa-update to use a specific proxy server
for it. (Similar to how clamav does it)
I also have intermittent failures, and it seems in some environments
maybe a larger timeout would help.
Proxy issues include:
Proxy url, proxy port, authentication (user/password), etc.
*remember, I don't want to force everything through a proxy server,
normal port 80 and port 443 traffic are normally allowed out many
corporate DMZ's and lans. Increasingly, SOC, HIPAA, GLBA, ISO audits
are making security departments re evaluate firewall egress rules. Best
practices says 'block everything and only allow that which is required
by security use policy, and that only with a defined business case'.
Added cmd options:
-x --proxy
-U --proxy-user
-P --proxy-password
-t --connect-timeout.
Cmdline overrides http_proxy* environment variables.
I recognize -U and -P could be security vulnerabilities and recommend a
protected .rc file.
Extensive testing has not been performed (My proxy server doesn't
require authentication, and doesn't' fail if I give it phony
authenticating).
LWP proxy string is created as http://user:[EMAIL PROTECTED]:port
With user/password and port optional
--proxy can be specified at http://proxy or proxy or http://proxy:port
or proxy:port
I updated help a little (for -h) but not the individual items.
Patch attached. (works here(tm))
--
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts: http://www.secnap.com/news
--- sa-update.orig Sat Jun 17 09:22:43 2006
+++ sa-update Sat Jun 24 11:15:00 2006
@@ -138,6 +138,10 @@
'gpgkeyfile=s' = \$opt{'gpgkeyfile'},
'channelfile=s' = \$opt{'channelfile'},
'updatedir=s'= \$opt{'updatedir'},
+ 'proxy|x:s' = \$opt{'proxy'},
+ 'proxy-user|U:s' = \$opt{'proxy-user'},
+ 'proxy-password|P:s' = \$opt{'proxy-password'},
+ 'connect-timeout|t:s'= \$opt{'connect-timeout'},
'gpg!' = \$GPG_ENABLED,
# backward compatibility
@@ -309,9 +312,51 @@
my $ua = LWP::UserAgent-new();
$ua-agent(sa-update/$VERSION);
-$ua-timeout(60); # a good long timeout; 10 is too short for Coral!
-$ua-env_proxy;
+if (defined $opt{'connect-timeout'}) {
+ $ua-timeout($opt{'connect-timeout'});
+}
+else {
+ $ua-timeout(60); # a good long timeout; 10 is too short for Coral!
+}
+# deal with proxy
+if (!defined $opt{'proxy'}) {
+ $ua-env_proxy;
+ if(defined $opt{'proxy-password'} || defined $opt{'proxy-user'}) {
+die Missing --proxy definition with $opt{'proxy-password'}
$opt{'proxy-user'}\n;
+ }
+}
+else {
+#parse proxy. CB: 1.1.1.1/ http://1.1.1.1 http://1.1.1.1:8080
+# or http://user:[EMAIL PROTECTED]:8080
+ my ($proxy,$http_proxy,$proxy_port);
+ if ($opt{'proxy'} =~ m'(http://)(.*)') {
+$proxy=$2;$http_proxy=$1;
+ }
+ else {
+$http_proxy=http://;$proxy=$opt{'proxy'};
+ }
+ if ($proxy =~ m'(.*):(.*)$') {
+$proxy=$1;$proxy_port=$2;
+ }
+ else {
+$proxy_port=3128;
+ }
+ $proxy=$proxy.:.$proxy_port;
+
+ if (defined $opt{'proxy-user'} || defined $opt{'proxy-password'}) {
+if (!defined $opt{'proxy-user'} || !defined $opt{'proxy-password'}) {
+ die Missing proxy-user or proxy-password with $opt{'proxy-password'}
$opt{'proxy-user'}\n;
+}
+else {
+ die $http_proxy.$opt{'proxy-user'}.':'.$opt{'proxy-password'}.'@'.$proxy;
+ $ua-proxy(http =
$http_proxy.$opt{'proxy
RE: Sa-update and proxy servers
-Original Message- From: Michael Scheidell Sent: Saturday, June 24, 2006 11:28 AM To: users@spamassassin.apache.org Subject: Sa-update and proxy servers Patch attached. (works here(tm)) In fact, my nightly cronjob runs 'sa-cover' script: (exit code 4 is for timeouts) Just in case. #!/bin/sh /usr/local/bin/sa-update if [ $? -eq 4 ];then /usr/local/bin/sa-update -x proxyserver:port fi exit $?
