fix: SRS setup (#3158)

2024-01-19 02:48:50 +00:00 · 2023-03-12 12:10:45 +01:00 · 2023-03-12 12:10:45 +01:00 · 2da3e1b022
parent 0baf82f7d0
commit 2da3e1b022
4 changed files with 60 additions and 36 deletions
--- a/2
+++ b/2
@ -242,8 +242,6 @@ RUN <<EOF
  rm -rf /usr/share/man/*
  rm -rf /usr/share/doc/*
  update-locale
-  rm /etc/postsrsd.secret
-  rm /etc/cron.daily/00logwatch
 EOF

 COPY VERSION /
--- a/target/scripts/build/packages.sh
+++ b/target/scripts/build/packages.sh
@ -201,6 +201,15 @@ function _install_fail2ban
  sedfile -i -r 's/^_nft_add_set = .+/_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \\{ type <addr_type>\\; flags interval\\; \\}/' /etc/fail2ban/action.d/nftables.conf
 }

+function _remove_data_after_package_installations
+{
+  _log 'debug' 'Deleting sensitive files (secrets)'
+  rm /etc/postsrsd.secret
+
+  _log 'debug' 'Deleting default logwatch cronjob'
+  rm /etc/cron.daily/00logwatch
+}
+
 function _post_installation_steps
 {
  _log 'debug' 'Running post-installation steps (cleanup)'
@ -216,4 +225,5 @@ _install_packages
 _install_dovecot
 _install_rspamd
 _install_fail2ban
+_remove_data_after_package_installations
 _post_installation_steps
--- a/target/scripts/startup/setup.d/mail_state.sh
+++ b/target/scripts/startup/setup.d/mail_state.sh
@ -4,7 +4,7 @@
 # (/var/mail-state) to allow persistence using docker volumes
 function _setup_save_states
 {
-  local STATEDIR FILE FILES
+  local DEST DESTDIR STATEDIR SERVICEDIR SERVICEDIRS SERVICEFILE SERVICEFILES

  STATEDIR='/var/mail-state'

@ -13,7 +13,7 @@ function _setup_save_states
    _log 'debug' "Consolidating all state onto ${STATEDIR}"

    # Always enabled features:
-    FILES=(
+    SERVICEDIRS=(
      lib/logrotate
      lib/postfix
      spool/postfix
@ -21,38 +21,65 @@ function _setup_save_states

    # Only consolidate state for services that are enabled
    # Notably avoids copying over 200MB for the ClamAV database
-    [[ ${ENABLE_AMAVIS}       -eq 1 ]] && FILES+=('lib/amavis')
-    [[ ${ENABLE_CLAMAV}       -eq 1 ]] && FILES+=('lib/clamav')
-    [[ ${ENABLE_FAIL2BAN}     -eq 1 ]] && FILES+=('lib/fail2ban')
-    [[ ${ENABLE_FETCHMAIL}    -eq 1 ]] && FILES+=('lib/fetchmail')
-    [[ ${ENABLE_POSTGREY}     -eq 1 ]] && FILES+=('lib/postgrey')
-    [[ ${ENABLE_RSPAMD}       -eq 1 ]] && FILES+=('lib/rspamd')
-    [[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]] && FILES+=('lib/redis')
-    [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && FILES+=('lib/spamassassin')
-    [[ ${SMTP_ONLY}           -ne 1 ]] && FILES+=('lib/dovecot')
+    [[ ${ENABLE_AMAVIS}       -eq 1 ]] && SERVICEDIRS+=('lib/amavis')
+    [[ ${ENABLE_CLAMAV}       -eq 1 ]] && SERVICEDIRS+=('lib/clamav')
+    [[ ${ENABLE_FAIL2BAN}     -eq 1 ]] && SERVICEDIRS+=('lib/fail2ban')
+    [[ ${ENABLE_FETCHMAIL}    -eq 1 ]] && SERVICEDIRS+=('lib/fetchmail')
+    [[ ${ENABLE_POSTGREY}     -eq 1 ]] && SERVICEDIRS+=('lib/postgrey')
+    [[ ${ENABLE_RSPAMD}       -eq 1 ]] && SERVICEDIRS+=('lib/rspamd')
+    [[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]] && SERVICEDIRS+=('lib/redis')
+    [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && SERVICEDIRS+=('lib/spamassassin')
+    [[ ${ENABLE_SRS}          -eq 1 ]] && SERVICEDIRS+=('lib/postsrsd')
+    [[ ${SMTP_ONLY}           -ne 1 ]] && SERVICEDIRS+=('lib/dovecot')

-    for FILE in "${FILES[@]}"
+    # Single service files
+    [[ ${ENABLE_SRS}          -eq 1 ]] && SERVICEFILES+=('/etc/postsrsd.secret')
+
+    for SERVICEFILE in "${SERVICEFILES[@]}";
    do
-      DEST="${STATEDIR}/${FILE//\//-}"
-      FILE="/var/${FILE}"
+      DEST="${STATEDIR}/${SERVICEFILE}"
+      DESTDIR="${DEST%/*}"
+
+      mkdir -p "${DESTDIR}"
+      if [[ -f ${DEST} ]]
+      then
+        _log 'trace' "Destination ${DEST} exists, linking ${SERVICEFILE} to it"
+        # Original content from image no longer relevant, remove it:
+        rm -f "${SERVICEFILE}"
+      elif [[ -f "${SERVICEFILE}" ]]
+      then
+        _log 'trace' "Moving ${SERVICEFILE} to ${DEST}"
+        # Empty volume was mounted, or new content from enabling a feature ENV:
+        mv "${SERVICEFILE}" "${DEST}"
+      fi
+
+      # Symlink the original file in the container ($SERVICEFILE) to be
+      # sourced from assocaiated path in /var/mail-state/ ($DEST):
+      ln -s "${DEST}" "${SERVICEFILE}"
+    done
+
+    for SERVICEDIR in "${SERVICEDIRS[@]}"
+    do
+      DEST="${STATEDIR}/${SERVICEDIR//\//-}"
+      SERVICEDIR="/var/${SERVICEDIR}"

      # If relevant content is found in /var/mail-state (presumably a volume mount),
      # use it instead. Otherwise copy over any missing directories checked.
      if [[ -d ${DEST} ]]
      then
-        _log 'trace' "Destination ${DEST} exists, linking ${FILE} to it"
+        _log 'trace' "Destination ${DEST} exists, linking ${SERVICEDIR} to it"
        # Original content from image no longer relevant, remove it:
-        rm -rf "${FILE}"
-      elif [[ -d ${FILE} ]]
+        rm -rf "${SERVICEDIR}"
+      elif [[ -d ${SERVICEDIR} ]]
      then
-        _log 'trace' "Moving contents of ${FILE} to ${DEST}"
+        _log 'trace' "Moving contents of ${SERVICEDIR} to ${DEST}"
        # Empty volume was mounted, or new content from enabling a feature ENV:
-        mv "${FILE}" "${DEST}"
+        mv "${SERVICEDIR}" "${DEST}"
      fi

-      # Symlink the original path in the container ($FILE) to be
+      # Symlink the original path in the container ($SERVICEDIR) to be
      # sourced from assocaiated path in /var/mail-state/ ($DEST):
-      ln -s "${DEST}" "${FILE}"
+      ln -s "${DEST}" "${SERVICEDIR}"
    done

    # This ensures the user and group of the files from the external mount have their
--- a/target/scripts/startup/setup.d/postfix.sh
+++ b/target/scripts/startup/setup.d/postfix.sh
@ -151,13 +151,11 @@ function _setup_SRS
    )
  }

-  local POSTSRSD_SECRET_FILE POSTSRSD_STATE_DIR POSTSRSD_STATE_SECRET_FILE
+  local POSTSRSD_SECRET_FILE

  sed -i "s/localdomain/${SRS_DOMAINNAME}/g" /etc/default/postsrsd

  POSTSRSD_SECRET_FILE='/etc/postsrsd.secret'
-  POSTSRSD_STATE_DIR='/var/mail-state/etc-postsrsd'
-  POSTSRSD_STATE_SECRET_FILE="${POSTSRSD_STATE_DIR}/postsrsd.secret"

  if [[ -n ${SRS_SECRET} ]]
  then
@ -166,16 +164,7 @@ function _setup_SRS
      echo "${SRS_SECRET}" | tr ',' '\n' >"${POSTSRSD_SECRET_FILE}"
    )
  else
-    if [[ ${ONE_DIR} -eq 1 ]]
-    then
-      if [[ ! -f ${POSTSRSD_STATE_SECRET_FILE} ]]
-      then
-        install -d -m 0775 "${POSTSRSD_STATE_DIR}"
-        __generate_secret "${POSTSRSD_STATE_SECRET_FILE}"
-      fi
-
-      install -m 0400 "${POSTSRSD_STATE_SECRET_FILE}" "${POSTSRSD_SECRET_FILE}"
-    elif [[ ! -f ${POSTSRSD_SECRET_FILE} ]]
+    if [[ ! -f ${POSTSRSD_SECRET_FILE} ]]
    then
      __generate_secret "${POSTSRSD_SECRET_FILE}"
    fi