I'm sure this is a very dumb question, because I have seen several posts about it, all of which imply that there is some simple solution.
I am trying to use spamassassin by running everything through /etc/procmail, and I get the following in /var/log/procmail:
"Group mismatch error. Mailman expected the mail wrapper script to be executed as one of the following groups: [mail, postfix, mailman, nobody, daemon], but the system's mail server executed the mail script as group: "baron". Try tweaking the mail server to run the script as one of these groups: [mail, postfix, mailman, nobody, daemon],"
The dumb question is: "What is the 'mail server'?" I thought it was sendmail, but I have no idea where "baron" comes from. baron is just a user on the system. The various IDs for mailman are set to sjdm.org in the configuration file. I installed it as "root" from a Fedora RPM, and the name "baron" had no part of that. So far as I can tell, NOTHING in this system is owned by "baron" except my own account (which is, however, included in several groups).
Jon
Jonathan Baron, Professor of Psychology, University of Pennsylvania Home page: https://www.sas.upenn.edu/~baron
On 5/15/22 16:35, Jon Baron wrote:
I'm sure this is a very dumb question, because I have seen several posts about it, all of which imply that there is some simple solution.
I am trying to use spamassassin by running everything through /etc/procmail, and I get the following in /var/log/procmail:
"Group mismatch error. Mailman expected the mail wrapper script to be executed as one of the following groups: [mail, postfix, mailman, nobody, daemon], but the system's mail server executed the mail script as group: "baron". Try tweaking the mail server to run the script as one of these groups: [mail, postfix, mailman, nobody, daemon],"
The dumb question is: "What is the 'mail server'?"
Probably procmail in this case.
I thought it was sendmail, but I have no idea where "baron" comes from. baron is just a user on the system. The various IDs for mailman are set to sjdm.org in the configuration file. I installed it as "root" from a Fedora RPM, and the name "baron" had no part of that. So far as I can tell, NOTHING in this system is owned by "baron" except my own account (which is, however, included in several groups).
And you are probably running the procmail process as yourself. You need to run it as one of the groups mail, postfix, mailman, nobody or daemon
Thanks to both. But I'm afraid that this advice does not help, and I am giving up.
I suspect that what I am trying to do is impossible. And I also think I was going about it wrong. I was trying to use /etc/aliases to get the mail to go to procmail, with lines like this:
Method 1 jdm-society: "|/usr/bin/procmail -m /etc/procmailrc"
or
Method 2 jdm-society-owner: "|/usr/lib/mailman/mail/mailman owner jdm-society"
And then /etc/procmail had lines like this:
:0
- To:.*jdm-society-owner@sjdm.org
| /etc/smrsh/mailman owner jdm-society
and /etc/smrsh has a soft links to /usr/bin/procmail and to ../../usr/lib/mailman/mail/mailm
(I don't know why the ../../ is there.)
Method 2 is what yielded the group mismatch.
Method 1 just said user not found.
I still have no idea where "baron" is coming from. I thought if I could figure that out it would lead to a solution. procmail is not "running". It is not listed in any version of "ps". It is evoked by sendmail or by /etc/aliases.db. sendmail and aliases.db are both owned by root and smmsp. I tried to change the owner of aliases.db to mail rather than root, but it got changed back when I ran newaliases.
So I am giving up. We will just deal with the spam by hand. The list is moderated, so none of it actually gets posted, and we discourage some of it with a small captcha. (The really fancy ones are impossible. I can't do them myself.)
I did read the link below, but I had not gotten up to trying to modify the code. It seems to be written mainly for some other system than what I have. (I'm using the last available Fedora RPM. I don't think they are going to update Mailman 2, or fix the bug. I do not have time to compile from source, since it is a major change - everything is in a different place. And I won't change to Mailman 3 because, so far as I can tell, we would not want any of its features and configuration would also take a lot of time. I will leave all this to my successor. Right now, everything works except the spam.)
https://wiki.list.org/DOC/4.23%20How%20do%20I%20use%20SpamAssassin%20with%20...
Thanks for trying.
Jon
On 05/16/22 00:45, Bruce Johnson wrote:
Are any of the processes being run by that user? like cron jobs?
Look throughthe mailman logs or other logs (it’s been a very long time; I cannot remember if procmail and spamassasin have their own logs or they get dumped into /var/log/messages (for RH-style systems; I forget what the general syslog file is called in Debian style)
Answers: No. No. Nothing in the logs (several of them.)
On May 15, 2022, at 4:35 PM, Jon Baron jonathanbaron7@gmail.com wrote:
I'm sure this is a very dumb question, because I have seen several posts about it, all of which imply that there is some simple solution.
I am trying to use spamassassin by running everything through /etc/procmail, and I get the following in /var/log/procmail:
"Group mismatch error. Mailman expected the mail wrapper script to be executed as one of the following groups: [mail, postfix, mailman, nobody, daemon], but the system's mail server executed the mail script as group: "baron". Try tweaking the mail server to run the script as one of these groups: [mail, postfix, mailman, nobody, daemon],"
The dumb question is: "What is the 'mail server'?" I thought it was sendmail, but I have no idea where "baron" comes from. baron is just a user on the system. The various IDs for mailman are set to sjdm.org in the configuration file. I installed it as "root" from a Fedora RPM, and the name "baron" had no part of that. So far as I can tell, NOTHING in this system is owned by "baron" except my own account (which is, however, included in several groups).
Jon
Jonathan Baron, Professor of Psychology, University of Pennsylvania Home page: https://www.sas.upenn.edu/~baron
On 5/16/2022 3:42 AM, Jon Baron wrote:
procmail is not "running". It is not listed in any version of "ps". It is evoked by sendmail or by /etc/aliases.db. sendmail and aliases.db are both owned by root and smmsp.
It is "run" or "envoked" on-demand by sendmail to execute the line in the alias file; you'll only see it in ps when actually running.
the procmail man file states -m [...] If the rcfile is an absolute path starting with /etc/procmailrcs/ without backward references (i.e. the parent directory cannot be mentioned) procmail will, only if no security violations are found, take on the identity of the owner of the rcfile (or symbolic link). [...]
[that path may change in different versions of procmail]
That last sentence is important- check the ownership of /etc/procmailrc, I'm betting it's "baron"; that can happen easily when editing.
z!
On Sun, 15 May 2022, Jon Baron wrote:
I am trying to use spamassassin by running everything through /etc/procmail,
Sorru, I do not understand what procmail and spamassassin, intended to process INCOMING mail, have to do with mailman which is SENDING OUT mail.
I still have a few almost-dead mailman lists on my machine, and I do use procmail to filter my personal incoming mail. It is a long time we have abandoned (been forced to abandon) spamassassin, but that was running on the institute MX, not on my own machine.
As far as I remember (after a first trial) spamassassin was run as a milter in sendmail.cf (the sendmail doc had s[pecial instructions).
Procmail instead is run (by me only on my own machine) via my own ~/.procmailrc (no need to pass through /etc/aliases or amy other system file). That occurs definining it as default deliveryi agent for the local mailer in sendmail.cf (see also sendmail doc).
My sendmail.cf has a section starting with
Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn09, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, A=procmail -a $h -d $u
The default aliases needed for the mailman lists are kept in a separate alias file, and sendmail.cf concatenates it with the system one
O AliasFile=/etc/aliases,/etc/mail/mailman.aliases
(do NOT use the sendmail.cf lines I quote as they are ... go through the proper sendmail configuration)
On 2022-05-16 at 12:32:54 UTC-0400 (Mon, 16 May 2022 18:32:54 +0200 (CEST)) Lucio Chiappetti lucio@lambrate.inaf.it is rumored to have said:
On Sun, 15 May 2022, Jon Baron wrote:
I am trying to use spamassassin by running everything through
/etc/procmail,
Sorru, I do not understand what procmail and spamassassin, intended to process INCOMING mail, have to do with mailman which is SENDING OUT mail.
It is fairly common for SpamAssassin to be used on both incoming and outgoing mail, but obviously outgoing would need to use something other than procmail to call it.
I still have a few almost-dead mailman lists on my machine, and I do use procmail to filter my personal incoming mail. It is a long time we have abandoned (been forced to abandon) spamassassin, but that was running on the institute MX, not on my own machine.
As far as I remember (after a first trial) spamassassin was run as a milter in sendmail.cf (the sendmail doc had s[pecial instructions).
SpamAssassin can be used as a milter during the SMTP transaction or as a filter in the delivery pipeline via a delivery agent like procmail. Using procmail is generally suboptimal, but it may be the only mechanism available for an end user to deploy SA for their own mail without root access.
Also: procmail is antique abandonware that no one should use in 2022, but it can be very hard to replace.
On 2022-05-16 3:31 PM, Bill Cole wrote: ...
SpamAssassin can be used as a milter during the SMTP transaction or as a filter in the delivery pipeline via a delivery agent like procmail. Using procmail is generally suboptimal, but it may be the only mechanism available for an end user to deploy SA for their own mail without root access.
You also get per-user thresholds and Bayes training etc.
Also: procmail is antique abandonware that no one should use in 2022, but it can be very hard to replace.
Courier maildrop works and has a somewhat saner syntax. However what does this have to do with mailman? -- IIRC I had to add an extra python file, edit something in another, and add a config setting, to have spamassassin work with MM2.
Dima
Also: procmail is antique abandonware that no one should use in 2022, but it can be very hard to replace.
I have a massive time investment in working procmail rules. Use is not abandoned here. "If it aint broke dont fix it." ;-)
Cheers,
Julian Stacey http://berklix.com/jhs/ http://stolenVotes.uk Arm Ukraine, Zap killer Putin, grain & fuel loss hits poorest.
Lucio Chiappetti writes:
On Sun, 15 May 2022, Jon Baron wrote:
I am trying to use spamassassin by running everything through /etc/procmail,
Sorru, I do not understand what procmail and spamassassin, intended to process INCOMING mail, have to do with mailman which is SENDING OUT mail.
I assumed the OP knows procmail fairly well, doesn't understand milters (or whatever the equivalent is for $MTA), and is using a pipeline like
sendmail | procmail | spamassassin && mailman
since the error message implied that mailman was started by procmail. procmail may not be the tool of choice these days, but it should work.
Note that the error message mentions postfix several times; I'm not sure that a sendmail cf is of much use to the OP.
Steve
Going back to the original email-
On 5/15/2022 4:35 PM, Jon Baron wrote:
"Group mismatch error. Mailman expected the mail wrapper script to be executed as one of the following groups: [mail, postfix, mailman, nobody, daemon], but the system's mail server executed the mail script as group: "baron". Try tweaking the mail server to run the script as one of these groups: [mail, postfix, mailman, nobody, daemon],"
_Something_ (possibly procmail) was executing the mailman wrapper which produced the message above. When it was exec'd, for some reason the GID it was started under wasn't good.
One thing is odd about the message above, it says "one of the groups" whereas some versions (eg 2.1.25) have "Mailman expected the %s wrapper to be executed as group" (singular). Could be that the OP's version is rather old.
Later,
z!
On 5/16/22 16:18, Carl Zwanzig wrote:
One thing is odd about the message above, it says "one of the groups" whereas some versions (eg 2.1.25) have "Mailman expected the %s wrapper to be executed as group" (singular). Could be that the OP's version is rather old.
That's a Debian 'feature'.
On 5/16/22 19:27, Carl Zwanzig wrote:
On 5/16/2022 4:31 PM, Mark Sapiro wrote:
That's a Debian 'feature'.
Which then makes me wonder if there are other Debian "features" getting in the way.
No. It's a simple group mismatch. The OP has to arrange for the process that pipes the mail to Mailman to run with an effective group of one of mail, postfix, mailman, nobody or daemon.
I would like to thank everyone for all the ideas about my group-mismatch problem.
As it happens, nothing helped. Moreover, almost all of the speculations about what I was doing or not doing, using or not using, know or do not know, were incorrect.
I found another way to fix the main problem, which was, in any case, not all that serious.
I am not going to respond anymore to this thread.
Jonathan Baron, Professor of Psychology, University of Pennsylvania Home page: https://www.sas.upenn.edu/~baron
Ah so…
You found another way to fix the main problem - but you do not tell us?
You know that in a mailing list everyone should help if he can and not only consume?
So then, please unsubscribe here.
Thank you Christian
Hilfe fuer Strassenkinder in Ghana: https://www.chance-for-children.org > Am 17.05.2022 um 11:02 schrieb Jon Baron jonathanbaron7@gmail.com: > > I would like to thank everyone for all the ideas about my > group-mismatch problem. > > As it happens, nothing helped. Moreover, almost all of the > speculations about what I was doing or not doing, using or not using, > know or do not know, were incorrect. > > I found another way to fix the main problem, which was, in any case, > not all that serious. > > I am not going to respond anymore to this thread. > -- > Jonathan Baron, Professor of Psychology, University of Pennsylvania > Home page: https://www.sas.upenn.edu/~baron > ------------------------------------------------------ > Mailman-Users mailing list -- mailman-users@python.org > To unsubscribe send an email to mailman-users-leave@python.org > https://mail.python.org/mailman3/lists/mailman-users.python.org/ > Mailman FAQ: http://wiki.list.org/x/AgA3 > Security Policy: http://wiki.list.org/x/QIA9 > Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/ > https://mail.python.org/archives/list/mailman-users@python.org/
Christian Buser via Mailman-Users writes:
You know that in a mailing list everyone should help if he can and not only consume?
Technically correct, but please don't be so antagonistic.
So then, please unsubscribe here.
What you do with your own filters is your business, but for the mailing list this is outright wrong.
Mailing lists are easy to abuse, as we all know. We put a lot of effort into minimizing the damage and closing as many vulnerabilities as we can, but the bad folks are out there developing new ones 9-5 every day, and some of them can't be closed without destroying Mailman's main feature: the convenient discoverable interface for managing list mail flows. I hope that every Mailman 2 admin is subscribing and continues to subscribe to this list, so that we can help them serve the subscribers, and when necessary address vulnerabilities and help them upgrade.
Steve
In view of Stephen Turnbull's comments, I changed my mind and will respond to the list. I was the "original poster" (OP?) about the strange "group mismatch" error in my log. It complained about the user "baron" (my own account on the server) not matching the required list of groups. Several people made suggestions about where "baron" was coming from: usually saying that baron was an owner of one file or another file that was trying to send something to mailman. None of these suggestions was correct. The only "baron" that had anything to do with the mailing was as a moderator/owner, and the other moderator/owner was never mentioned in the error message. Thus, the original problem is, and will remain, unsolved.
What I was trying to do was very specific to my setup. It was Fedora, not Debian. And I was using the mailman RPM (2.1.34-3), without the patches that have been recommended since then, since the layout is very different from what you get if you install from source. And I did not want to install from source while everything is running, and working quite well. I don't have the time for that anyway, and certainly not to switch to Mailman 3, which does not seem particularly helpful for the sort of very mundane things we do. Thus, I am errant and untypical, so my problem and any solution to it would probably be of little use to others. I should not have posted. (What encouraged me were other posts about group mismatch, going back several years, none of which helped solve my problem.)
The problem was spam coming to jdm-society-owner. Some of this was NOT the result of trying to submit to the list. Some people just had the idea that this was a good place to send spam (along with other addresses on the server like webmaster). It isn't that bad. I just delete it.
But I'm trying another solution. It seems that -owner is used by mailman only to send mail to the list owners, e.g., when someone submits something to the list. So I replaced this line in /etc/aliases
jdm-society-owner: "|/usr/lib/mailman/mail/mailman owner jdm-society"
with
jdm-society-owner: "|/usr/bin/procmail /etc/procmailrc"
(I might try the -m after procmail, but I do other addresses without it, like "webmaster", and that works.)
Then in /etc/procmailrc, I say (and this is new):
:0
- To:.*jdm-society-owner@sjdm.org
! [address of owner 1],[address of owner 2]
This came after a lot of spam filtering in /etc/procmailrc, not just by spamassassin but also by various words that need not be spam to anyone else but are perfect indicators for us, e.g., "purchase". I check the spam file every day or two.
Note that, if anything arrives at -owner from a list post, it is already submitted and waiting for approval in /var/lib/mailman/data
I don't know if this works yet. If it does, it should largely solve the problem. We will still get some spam posts to the lists, but they are a drop in the bucket of other stuff that we need to reject even though it isn't spam.
If it doesn't work, I'll just go back to rejecting the spam by hand.
Jon
Jonathan Baron, Professor of Psychology, University of Pennsylvania Home page: https://www.sas.upenn.edu/~baron Founding Editor: Judgment and Decision Making (http://journal.sjdm.org)
-
Bill Cole -
Carl Zwanzig -
Christian Buser -
dmitri maziuk -
Jon Baron -
Julian H. Stacey -
Lucio Chiappetti -
Mark Sapiro -
Stephen J. Turnbull