github-com-docker-mailserver/docker-mailserver
1
0
Fork 0
mirror of https://github.com/docker-mailserver/docker-mailserver.git synced 2024-01-19 02:48:50 +00:00
Code Issues Projects Releases Wiki Activity

Rspamd: add check for DKIM private key files' permissions (#3627)

Browse source 
* added check for Rspamd DKIM on startup

The newly added function `__rspamd__check_dkim_permissions` performs a
check on DKIM private key files. This is useful to prevent issues
like #3621 in the future. The function is deliberately kept simple and
may not catch every single misconfiguration in terms of permissions and
ownership, but it should be quite accurate.

Please note that the Rspamd setup does NOT change at all, and the checks
will not abort the setup in case they fail. A simple warning is emmited.

* add more documentation to Rspamd functions

* Apply suggestions from code review

* improve `__do_as_rspamd_user`

* rework check similar to review suggestion

see https://github.com/docker-mailserver/docker-mailserver/pull/3627#discussion_r1388697547

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
This commit is contained in:
Georg Lauterbach 2023-11-13 12:34:46 +01:00 committed by GitHub
parent 26214491ef
commit 5f2fb72c9c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 53 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
target/bin/rspamd-dkim
View file

@ -62,13 +62,6 @@ ${ORANGE}EXIT STATUS${RESET}
" "
} }
function __do_as_rspamd_user() {
local COMMAND=${1:?Command required when using __do_as_rspamd_user}
_log 'trace' "Running '${*}' as user '_rspamd' now"
shift 1
su -l '_rspamd' -s "$(command -v "${COMMAND}")" -- "${@}"
}
function _parse_arguments() { function _parse_arguments() {
FORCE=0 FORCE=0
KEYTYPE='rsa' KEYTYPE='rsa'

12
target/scripts/helpers/rspamd.sh
View file

@ -2,6 +2,18 @@
# shellcheck disable=SC2034 # VAR appears unused. # shellcheck disable=SC2034 # VAR appears unused.
# Perform a specific command as the Rspamd user (`_rspamd`). This is useful
# in case you want to have correct permissions on newly created files or if
# you want to check whether Rspamd can perform a specific action.
function __do_as_rspamd_user() {
_log 'trace' "Running '${*}' as user '_rspamd'"
su _rspamd -s /bin/bash -c "${*}"
}
# Calling this function brings common Rspamd-related environment variables
# into the current context. The environment variables are `readonly`, i.e.
# they cannot be modified. Use this function when you require common directory
# names, file names, etc.
function _rspamd_get_envs() { function _rspamd_get_envs() {
readonly RSPAMD_LOCAL_D='/etc/rspamd/local.d' readonly RSPAMD_LOCAL_D='/etc/rspamd/local.d'
readonly RSPAMD_OVERRIDE_D='/etc/rspamd/override.d' readonly RSPAMD_OVERRIDE_D='/etc/rspamd/override.d'

41
target/scripts/startup/setup.d/security/rspamd.sh
View file

@ -23,6 +23,9 @@ function _setup_rspamd() {
__rspamd__setup_check_authenticated __rspamd__setup_check_authenticated
_rspamd_handle_user_modules_adjustments # must run last _rspamd_handle_user_modules_adjustments # must run last
# only performing checks, no further setup handled from here onwards
__rspamd__check_dkim_permissions
__rspamd__log 'trace' '---------- Setup finished ----------' __rspamd__log 'trace' '---------- Setup finished ----------'
else else
_log 'debug' 'Rspamd is disabled' _log 'debug' 'Rspamd is disabled'
@ -280,6 +283,12 @@ function __rspamd__setup_hfilter_group() {
fi fi
} }
# If 'RSPAMD_CHECK_AUTHENTICATED' is enabled, then content checks for all users, i.e.
# also for authenticated users, are performed.
#
# The default that DMS ships does not check authenticated users. In case the checks are
# enabled, this function will remove the part of the Rspamd configuration that disables
# checks for authenticated users.
function __rspamd__setup_check_authenticated() { function __rspamd__setup_check_authenticated() {
local MODULE_FILE="${RSPAMD_LOCAL_D}/settings.conf" local MODULE_FILE="${RSPAMD_LOCAL_D}/settings.conf"
readonly MODULE_FILE readonly MODULE_FILE
@ -294,3 +303,35 @@ function __rspamd__setup_check_authenticated() {
"${MODULE_FILE}" "${MODULE_FILE}"
fi fi
} }
# This function performs a simple check: go through DKIM configuration files, acquire
# all private key file locations and check whether they exist and whether they can be
# accessed by Rspamd.
function __rspamd__check_dkim_permissions() {
local DKIM_CONF_FILES DKIM_KEY_FILES
[[ -f ${RSPAMD_LOCAL_D}/dkim_signing.conf ]] && DKIM_CONF_FILES+=("${RSPAMD_LOCAL_D}/dkim_signing.conf")
[[ -f ${RSPAMD_OVERRIDE_D}/dkim_signing.conf ]] && DKIM_CONF_FILES+=("${RSPAMD_OVERRIDE_D}/dkim_signing.conf")
# Here, we populate DKIM_KEY_FILES which we later iterate over. DKIM_KEY_FILES
# contains all keys files configured by the user.
local FILE
for FILE in "${DKIM_CONF_FILES[@]}"; do
readarray -t DKIM_KEY_FILES_TMP < <(grep -o -E 'path = .*' "${FILE}" | cut -d '=' -f 2 | tr -d ' ";')
DKIM_KEY_FILES+=("${DKIM_KEY_FILES_TMP[@]}")
done
for FILE in "${DKIM_KEY_FILES[@]}"; do
if [[ -f ${FILE} ]]; then
__rspamd__log 'trace' "Checking DKIM file '${FILE}'"
# See https://serverfault.com/a/829314 for an explanation on `-exec false {} +`
# We additionally resolve symbolic links to check the permissions of the actual files
if find "$(realpath -eL "${FILE}")" -user _rspamd -or -group _rspamd -or -perm -o=r -exec false {} +; then
__rspamd__log 'warn' "Rspamd DKIM private key file '${FILE}' does not appear to have correct permissions/ownership for Rspamd to use it"
else
__rspamd__log 'trace' "DKIM file '${FILE}' permissions and ownership appear correct"
fi
else
__rspamd__log 'warn' "Rspamd DKIM private key file '${FILE}' is configured for usage, but does not appear to exist"
fi
done
}