Rspamd: add check for DKIM private key files' permissions (#3627)

* added check for Rspamd DKIM on startup The newly added function `__rspamd__check_dkim_permissions` performs a check on DKIM private key files. This is useful to prevent issues like #3621 in the future. The function is deliberately kept simple and may not catch every single misconfiguration in terms of permissions and ownership, but it should be quite accurate. Please note that the Rspamd setup does NOT change at all, and the checks will not abort the setup in case they fail. A simple warning is emmited. * add more documentation to Rspamd functions * Apply suggestions from code review * improve `__do_as_rspamd_user` * rework check similar to review suggestion see https://github.com/docker-mailserver/docker-mailserver/pull/3627#discussion_r1388697547 --------- Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2025-07-02 21:44:51 +02:00 · 2023-11-13 12:34:46 +01:00 · 2023-11-13 12:34:46 +01:00 · 5f2fb72c9c
commit 5f2fb72c9c
parent 26214491ef
3 changed files with 53 additions and 7 deletions
--- a/target/scripts/helpers/rspamd.sh
+++ b/target/scripts/helpers/rspamd.sh
@ -2,6 +2,18 @@

 # shellcheck disable=SC2034 # VAR appears unused.

+# Perform a specific command as the Rspamd user (`_rspamd`). This is useful
+# in case you want to have correct permissions on newly created files or if
+# you want to check whether Rspamd can perform a specific action.
+function __do_as_rspamd_user() {
+  _log 'trace' "Running '${*}' as user '_rspamd'"
+  su _rspamd -s /bin/bash -c "${*}"
+}
+
+# Calling this function brings common Rspamd-related environment variables
+# into the current context. The environment variables are `readonly`, i.e.
+# they cannot be modified. Use this function when you require common directory
+# names, file names, etc.
 function _rspamd_get_envs() {
  readonly RSPAMD_LOCAL_D='/etc/rspamd/local.d'
  readonly RSPAMD_OVERRIDE_D='/etc/rspamd/override.d'