scripts: improve CLAMAV_MESSAGE_SIZE_LIMIT usage (#3332)

* add sanity check for Clam size & adjusted MaxScanSize

The second part is of special importance! See
<https://askubuntu.com/a/1448525>, which explains that the maximum scan
size is important as well. We previously only set the maximum file size,
which is actually quite insecure, as mail bigger than `MaxScanSize` was
silently not scanned. This is corrected now.

* add ClamAV size configuration to Rspamd
This commit is contained in:
Georg Lauterbach 2023-05-12 16:04:41 +02:00 committed by GitHub
parent 3340b80972
commit 78b7f0cbea
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 33 additions and 2 deletions


@ -10,4 +10,5 @@ ClamAV {
scan_mime_parts = false; scan_mime_parts = false;
symbol = "CLAM_VIRUS"; symbol = "CLAM_VIRUS";
log_clean = true; log_clean = true;
max_size = 25000000;
} }
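Review bot: The new `max_size = 25000000;` line carries no hint that it is a derived value: it is the SI byte count of the `25M` default of `CLAMAV_MESSAGE_SIZE_LIMIT`, and the Rspamd setup script only rewrites it when that variable differs from `25M`, so the two must stay in sync by hand. A short comment on the line would make that coupling visible to whoever edits the file next, e.g. `# 25M in SI bytes; must match the CLAMAV_MESSAGE_SIZE_LIMIT default, which the setup script rewrites on change`.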


@ -186,8 +186,18 @@ function __setup__security__clamav
if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]] if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]
then then
_log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'" _log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"
sedfile -i \
"s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" \ # do a short sanity checks; ClamAV stops scanning at more that 4GB file size
if [[ $(numfmt --from=si "${CLAMAV_MESSAGE_SIZE_LIMIT}") -gt $(numfmt --from=si 4G) ]]
then
_log 'warn' "You set 'CLAMAV_MESSAGE_SIZE_LIMIT' to a value larger than 4 Gigabyte which ClamAV does not support - you should correct your configuration"
fi
sedfile -i -E \
"s|^(MaxFileSize).*|\1 ${CLAMAV_MESSAGE_SIZE_LIMIT}|" \
/etc/clamav/clamd.conf
sedfile -i -E \
"s|^(MaxScanSize).*|\1 ${CLAMAV_MESSAGE_SIZE_LIMIT}|" \
/etc/clamav/clamd.conf /etc/clamav/clamd.conf
fi fi
else else
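Review bot: The sanity check on the `if [[ $(numfmt --from=si ...) -gt ... ]]` line does not check whether numfmt succeeded: for a value it cannot parse (say `42MB`) the substitution is empty, `[[ -gt ]]` evaluates an empty operand as 0, so the check passes silently and the two `sedfile` calls below still write the raw string into clamd.conf, where clamd has to deal with an unparseable `MaxFileSize`/`MaxScanSize`. Capturing the result once and branching on numfmt's exit status fixes this; the same unchecked `numfmt` appears in the Rspamd hunk (`SIZE_IN_BYTES=$(numfmt --from=si ...)`) and would benefit from the same treatment. One more point worth confirming against the ClamAV documentation: `numfmt --from=si` reads `42M` as 42,000,000, while clamd, as far as I recall, treats an `M` suffix as a binary megabyte, so the byte value handed to Rspamd would be slightly lower than what clamd actually accepts. The enclosing `__setup__security__clamav` starts before and continues after this hunk.
```bash
local SIZE_IN_BYTES
if ! SIZE_IN_BYTES=$(numfmt --from=si "${CLAMAV_MESSAGE_SIZE_LIMIT}" 2>/dev/null)
then
  _log 'warn' "'CLAMAV_MESSAGE_SIZE_LIMIT' ('${CLAMAV_MESSAGE_SIZE_LIMIT}') is not a valid size - keeping ClamAV's defaults"
else
  # do a short sanity check; ClamAV stops scanning at more than 4GB file size
  if [[ ${SIZE_IN_BYTES} -gt $(numfmt --from=si 4G) ]]
  then
    # … unchanged: the 4 Gigabyte warning …
  fi
  # … unchanged: the two sedfile calls rewriting MaxFileSize and MaxScanSize …
fi
```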


@ -164,6 +164,14 @@ function __rspamd__setup_clamav
sedfile -i -E 's|^(enabled).*|\1 = true;|g' "${RSPAMD_LOCAL_D}/antivirus.conf" sedfile -i -E 's|^(enabled).*|\1 = true;|g' "${RSPAMD_LOCAL_D}/antivirus.conf"
# Rspamd uses ClamAV's UNIX socket, and to be able to read it, it must be in the same group # Rspamd uses ClamAV's UNIX socket, and to be able to read it, it must be in the same group
usermod -a -G clamav _rspamd usermod -a -G clamav _rspamd
if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]
then
local SIZE_IN_BYTES
SIZE_IN_BYTES=$(numfmt --from=si "${CLAMAV_MESSAGE_SIZE_LIMIT}")
__rspamd__log 'trace' "Adjusting maximum size for ClamAV to ${SIZE_IN_BYTES} bytes (${CLAMAV_MESSAGE_SIZE_LIMIT})"
sedfile -i -E "s|(.*max_size =).*|\1 ${SIZE_IN_BYTES};|" "${RSPAMD_LOCAL_D}/antivirus.conf"
fi
else else
__rspamd__log 'debug' 'Rspamd will not use ClamAV (which has not been enabled)' __rspamd__log 'debug' 'Rspamd will not use ClamAV (which has not been enabled)'
fi fi
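Review bot: The `if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]` guard makes correctness depend on the shipped antivirus.conf keeping `max_size = 25000000;` in step with the `25M` literal here; if either side is changed later, the default case silently drifts. Computing and writing the value unconditionally is idempotent and removes that coupling: keep `SIZE_IN_BYTES=$(numfmt --from=si "${CLAMAV_MESSAGE_SIZE_LIMIT}")` and the `sedfile` line, and drop the surrounding `if`/`fi`. The sed pattern `(.*max_size =).*` also matches a commented-out `# max_size = ...` line because of the leading `.*`; anchoring it as `s|^(\s*max_size =).*|\1 ${SIZE_IN_BYTES};|` keeps the substitution to the active key. The enclosing `__rspamd__setup_clamav` starts before this hunk.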


@ -20,6 +20,7 @@ function setup_file() {
--env ENABLE_OPENDMARC=0 --env ENABLE_OPENDMARC=0
--env ENABLE_POLICYD_SPF=0 --env ENABLE_POLICYD_SPF=0
--env ENABLE_POSTGREY=0 --env ENABLE_POSTGREY=0
--env CLAMAV_MESSAGE_SIZE_LIMIT=42M
--env PERMIT_DOCKER=host --env PERMIT_DOCKER=host
--env LOG_LEVEL=trace --env LOG_LEVEL=trace
--env MOVE_SPAM_TO_JUNK=1 --env MOVE_SPAM_TO_JUNK=1
@ -78,6 +79,7 @@ function teardown_file() { _default_teardown ; }
run docker logs "${CONTAINER_NAME}" run docker logs "${CONTAINER_NAME}"
assert_success assert_success
assert_line --partial 'Enabling ClamAV integration' assert_line --partial 'Enabling ClamAV integration'
assert_line --partial 'Adjusting maximum size for ClamAV to 42000000 bytes (42M)'
assert_line --partial 'Setting up intelligent learning of spam and ham' assert_line --partial 'Setting up intelligent learning of spam and ham'
assert_line --partial 'Enabling greylisting' assert_line --partial 'Enabling greylisting'
assert_line --partial 'Hfilter (group) module is enabled' assert_line --partial 'Hfilter (group) module is enabled'
@ -96,6 +98,11 @@ function teardown_file() { _default_teardown ; }
_service_log_should_contain_string 'rspamd' 'lua module metric_exporter is disabled in the configuration' _service_log_should_contain_string 'rspamd' 'lua module metric_exporter is disabled in the configuration'
} }
@test 'antivirus maximum size was adjusted' {
_run_in_container grep 'max_size = 42000000' /etc/rspamd/local.d/antivirus.conf
assert_success
}
@test 'normal mail passes fine' { @test 'normal mail passes fine' {
_service_log_should_contain_string 'rspamd' 'F \(no action\)' _service_log_should_contain_string 'rspamd' 'F \(no action\)'
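Review bot: The new `@test 'antivirus maximum size was adjusted'` covers only Rspamd's `max_size`, while the clamd.conf change that the commit message calls the important part — `MaxScanSize` being rewritten alongside `MaxFileSize` — has no assertion at all, so a regression there would go unnoticed by this suite. With `CLAMAV_MESSAGE_SIZE_LIMIT=42M` already set in `setup_file`, a companion test can grep the container's clamd.conf directly: `_run_in_container grep '^MaxScanSize 42M' /etc/clamav/clamd.conf` followed by `assert_success`, and the same for `^MaxFileSize 42M`. The sibling test file that checks the default `25000000` could likewise assert that clamd.conf still holds its shipped `MaxScanSize`.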


@ -57,6 +57,11 @@ function teardown_file() { _default_teardown ; }
assert_line --partial 'Disabling Hfilter (group) module' assert_line --partial 'Disabling Hfilter (group) module'
} }
@test 'antivirus maximum size was not adjusted unnecessarily' {
_run_in_container grep 'max_size = 25000000' /etc/rspamd/local.d/antivirus.conf
assert_success
}
@test 'learning is properly disabled' { @test 'learning is properly disabled' {
for FILE in learn-{ham,spam}.{sieve,svbin} for FILE in learn-{ham,spam}.{sieve,svbin}
do do