UPDATE: Resolved. Pyzor was found to be functional, but the SpamAssassin 4.0 perl module for it introduced hard-coded limits for number of spam/ham report metrics that result in ignoring Pyzor from contributing to the spam score when those limits are exceeded.

Subject

Something else that requires developers attention

Description

This investigation was motivated by the associated Dockerfile content.

We don't have much context on relevance / demand for these packages and their inclusion into DMS, beyond several maintenance issues.

@casperklein since you use Amavis + SpamAssassin this may be relevant to you. I'm not sure how important these packages are (they apparently were of value at least 20 years ago 😅 )

No immediate action required, this is just public documentation of my notes when looking into this area of DMS.

Pyzor integration broken since DMS v14?

Reference: Pyzor docs

I assume not much thought was given to these packages and the original DMS author just added them by following some guide online for Amavis + SpamAssassin at the time.

It doesn't seem like razor is necessary for pyzor at a glance, but I've only observed Pyzor being included by SpamAssassin scan results, which our docs show an example of (direct link to docs source):

However I've also noticed that I cannot reproduce this PYZOR_CHECK=1.985 addition from DMS v14 onwards (v14 changelog), something has presumably changed?

I know I documented the SpamAssassin changes with Debian 12 rather heavily, but installing spamd package and running it with /etc/init.d/spamd start (/etc/init.d/spamassassin start on Debian 11 / DMS v13.3.1) didn't make a difference.

services:
  dms:
    image: ghcr.io/docker-mailserver/docker-mailserver:13.3.1
    hostname: mail.example.test
    environment:
      ENABLE_AMAVIS: 1
      ENABLE_SPAMASSASSIN: 1
      # For running swaks command (skips postscreen 6s delay by trusting connections from container IP):
      PERMIT_DOCKER: container
    configs:
      - source: dms-accounts
        target: /tmp/docker-mailserver/postfix-accounts.cf

configs:
  dms-accounts:
    content: |
      [email protected]|{SHA512-CRYPT}$$6$$sbgFRCmQ.KWS5ryb$$EsWrlYosiadgdUOxCBHY0DQ3qFbeudDhNMqHs6jZt.8gmxUwiLVy738knqkHD4zj4amkb296HFqQ3yDq4UXt8.

docker compose up -d --force-recreate
docker compose exec -it dms bash

# Send mail (doesn't qualify as actual spam):
swaks --server 0.0.0.0 --to [email protected] --body 'spam'

# View the mail:
less /var/mail/example.test/john.doe/new/*

# Send a spam mail (GTUBE test pattern):
swaks --server localhost --to [email protected] --body 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'

less /var/mail/example.test/john.doe/.Junk/new/*

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.example.test
        by mail.example.test with LMTP
        id zUb8EOm3qWeiEAAAUi6ngw
        (envelope-from <[email protected]>)
        for <[email protected]>; Mon, 10 Feb 2025 08:25:13 +0000
Received: from localhost (localhost [127.0.0.1])
        by mail.example.test (Postfix) with ESMTP id 322011A3D0C
        for <[email protected]>; Mon, 10 Feb 2025 08:25:13 +0000 (UTC)
X-Quarantine-ID: <gyXeL7wz45n5>
X-Spam-Flag: YES
X-Spam-Score: 1000.985
X-Spam-Level: ****************************************************************
X-Spam-Status: Yes, score=1000.985 tagged_above=2 required=6.31
        tests=[ALL_TRUSTED=-1, GTUBE=1000, PYZOR_CHECK=1.985]
        autolearn=no autolearn_force=no
Received: from mail.example.test (localhost [IPv6:::1])
        by mail.example.test (Postfix) with ESMTP id 6118A1A3CAD
        for <[email protected]>; Mon, 10 Feb 2025 08:25:08 +0000 (UTC)
Date: Mon, 10 Feb 2025 08:25:08 +0000
To: [email protected]
From: [email protected]
Subject: ***SPAM*** test Mon, 10 Feb 2025 08:25:08 +0000
Message-Id: <[email protected]>

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.example.test
        by mail.example.test with LMTP
        id RrbgErDQqWdwAwAAUi6ngw
        (envelope-from <[email protected]>)
        for <[email protected]>; Mon, 10 Feb 2025 10:10:56 +0000
Received: from localhost (localhost [127.0.0.1])
        by mail.example.test (Postfix) with ESMTP id 300911A3CB5
        for <[email protected]>; Mon, 10 Feb 2025 10:10:56 +0000 (UTC)
X-Quarantine-ID: <NTL2rqm0XTRx>
X-Spam-Flag: YES
X-Spam-Score: 999
X-Spam-Level: ****************************************************************
X-Spam-Status: Yes, score=999 tagged_above=2 required=6.31
 tests=[ALL_TRUSTED=-1, GTUBE=1000] autolearn=no autolearn_force=no
Received: from mail.example.test (localhost [IPv6:::1])
        by mail.example.test (Postfix) with ESMTP id 5AA991A3C6E
        for <[email protected]>; Mon, 10 Feb 2025 10:10:53 +0000 (UTC)
Date: Mon, 10 Feb 2025 10:10:53 +0000
To: [email protected]
From: [email protected]
Subject: test Mon, 10 Feb 2025 10:10:53 +0000
Message-Id: <[email protected]>

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

The score is 999 (GTUBE 1000, minus one point for trust), while v13.3.1 had almost 2 more points contributed by Pyzor. Unclear why it's not run in DMS v14, although python3 --version difference is 3.9.2 vs 3.11.2, and Pyzor 1.0.0 (2014) may have a compatibility issue there, replacing it with Pyzor 1.1.2 (Sep 2024) may fix it. The project development history hasn't been too encouraging.

There's been no reports since DMS v14 release regarding the Pyzor regression.

Initial investigation

These two packages (pyzor + razor) are included as part of our SpamAssassin support, which we only invoke through Amavis:

#1756 (comment) (Jan 2021) introduced this ugly workaround in Dockerfile:

As this apparently failed in CI often enough due to some network request failing during image build?:

su - amavis -c "razor-admin -create && sleep 3 && razor-admin -register"

Pyzor (about page) + Razor seems like it was originally introduced into DMS in April 2016? Not much context available and packages were already committed prior: #149

Later during a base image switch from Ubuntu 16.04 to Debian 9 (Stretch, slim variant) in Jan 2018, the Pyzor discover command was no longer valid (as per PR description) which has a related Sep 2017 issue for more context. Prior to that issue there was a problem with discover reported in Nov 2016, likely related.

Additionally, consideration may be needed for razor-admin -register? (which the workaround in question is related to): #1815 (comment)

Registers a new identity, used for authenticating with Razor Nomination Servers. Identities are a user + password pair stored in "/identity-".
The first time "razor-admin -register" exits successfully, a symlink "identity" is created to point to the active "identity-" file.

Probably not ideal that we have that during the image build, some of our CI tests for spam may be engaging with that unintentionally? 🤷‍♂

These plugins are enabled by default for SpamAssassin in the config /etc/spamassassin/v310.pre (DMS has no involvement with these configs):

# Pyzor - perform Pyzor message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Pyzor

# Razor2 - perform Razor2 message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Razor2

Pyzor release 1.0.0 was in Dec 2014, with a new release (1.1.2) released in Sep 2024 that mostly addresses Python 3 compatibility.