scripts: Rspamd stabilization pt. 1 (#3261)

* added checks whether OpenDKIM/OpenDMARC/policyd-spf are enabled * added functions to check if VAR is 0/0 or an int and also added tests. I also adjusted the test file to not run in a container, because there is no need. This also decreases test time, which, in turn, increases maintainers' happiness. * added more checks to Rspamd setup I added the helpers from the previous commit to the Rspamd setup to make the whole setup more robust, and indicate to the user that an ENV variable's value is incorrect. While we did not issues for this in the past, I believe it to be worthwhile for the future. * added canonical directory for users to place files in This dir is canonical with DMS's optional configuration dirs, as it lives in well-known volume mounts. Hence, users will not need to adjust `/etc/rspamd/override.d` manually anymore, or mount a volume to this place. The docs explain this now, but the DKIM page needs a slight update on this too I guess. I will follow-up here. * misc minor improvements * use variables for common directories
2025-08-03 17:44:49 +02:00 · 2023-04-23 12:22:54 +02:00 · 2023-04-23 12:22:54 +02:00 · 638975922e
commit 638975922e
parent 88cd244e47
6 changed files with 147 additions and 33 deletions
--- a/target/scripts/helpers/utils.sh
+++ b/target/scripts/helpers/utils.sh
@ -114,3 +114,34 @@ function _replace_by_env_in_file
    sed -i -E "s#^${ESCAPED_KEY}[[:space:]]*=.*#${ESCAPED_KEY} =${ESCAPED_VALUE}#g" "${CONFIG_FILE}"
  done < <(env | grep "^${ENV_PREFIX}")
 }
+
+# Check if an environment variable's value is zero or one. This aids in checking variables
+# that act as "booleans" for enabling or disabling a service, configuration option, etc.
+#
+# This function will log a warning and return with exit code 1 in case the variable's value
+# is not zero or one.
+#
+# @param ${1} = name of the ENV variable to check
+function _env_var_expect_zero_or_one
+{
+  local ENV_VAR_NAME=${1:?ENV var name must be provided to _env_var_expect_zero_or_one}
+
+  [[ ${!ENV_VAR_NAME} =~ ^(0|1)$ ]] && return 0
+  _log 'warn' "The value of '${ENV_VAR_NAME}' is not zero or one ('${!ENV_VAR_NAME}'), but was expected to be"
+  return 1
+}
+
+# Check if an environment variable's value is an integer.
+#
+# This function will log a warning and return with exit code 1 in case the variable's value
+# is not an integer.
+#
+# @param ${1} = name of the ENV variable to check
+function _env_var_expect_integer
+{
+  local ENV_VAR_NAME=${1:?ENV var name must be provided to _env_var_expect_integer}
+
+  [[ ${!ENV_VAR_NAME} =~ ^-?[0-9][0-9]*$ ]] && return 0
+  _log 'warn' "The value of '${ENV_VAR_NAME}' is not an integer ('${!ENV_VAR_NAME}'), but was expected to be"
+  return 1
+}
--- a/target/scripts/startup/setup.d/security/rspamd.sh
+++ b/target/scripts/startup/setup.d/security/rspamd.sh
@ -3,10 +3,11 @@
 # Function called during global setup to handle the complete setup of Rspamd.
 function _setup_rspamd
 {
-  if [[ ${ENABLE_RSPAMD} -eq 1 ]]
+  if _env_var_expect_zero_or_one 'ENABLE_RSPAMD' && [[ ${ENABLE_RSPAMD} -eq 1 ]]
  then
    _log 'warn' 'Rspamd integration is work in progress - expect changes at any time'
    _log 'debug' 'Enabling and configuring Rspamd'
+    __rspamd__log 'trace' '----------  Setup started  ----------'

    __rspamd__run_early_setup_and_checks        # must run first
    __rspamd__setup_redis
@ -18,7 +19,7 @@ function _setup_rspamd
    __rspamd__setup_hfilter_group
    __rspamd__handle_user_modules_adjustments   # must run last

-    _log 'trace' 'Rspamd setup finished'
+    __rspamd__log 'trace' '----------  Setup finished  ----------'
  else
    _log 'debug' 'Rspamd is disabled'
  fi
@ -65,23 +66,61 @@ EOF
 # or checking for other anti-spam/anti-virus software.
 function __rspamd__run_early_setup_and_checks
 {
+  # Note: Variables not marked with `local` are
+  # used in other functions as well.
+  RSPAMD_LOCAL_D='/etc/rspamd/local.d'
+  RSPAMD_OVERRIDE_D='/etc/rspamd/override.d'
+  RSPAMD_DMS_D='/tmp/docker-mailserver/rspamd'
+  local RSPAMD_DMS_OVERRIDE_D="${RSPAMD_DMS_D}/override.d/"
+
  mkdir -p /var/lib/rspamd/
  : >/var/lib/rspamd/stats.ucl

+  if [[ -d ${RSPAMD_DMS_OVERRIDE_D} ]]
+  then
+    __rspamd__log 'debug' "Found directory '${RSPAMD_DMS_OVERRIDE_D}' - linking it to '${RSPAMD_OVERRIDE_D}'"
+    if rmdir "${RSPAMD_OVERRIDE_D}"
+    then
+      ln -s "${RSPAMD_DMS_OVERRIDE_D}" "${RSPAMD_OVERRIDE_D}"
+    else
+      __rspamd__log 'warn' "Could not remove '${RSPAMD_OVERRIDE_D}' - not linking '${RSPAMD_DMS_OVERRIDE_D}'"
+    fi
+  fi
+
  if [[ ${ENABLE_AMAVIS} -eq 1 ]] || [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
  then
    __rspamd__log 'warn' 'Running Amavis/SA & Rspamd at the same time is discouraged'
  fi
+
+  if [[ ${ENABLE_OPENDKIM} -eq 1 ]]
+  then
+    __rspamd__log 'warn' 'Running OpenDKIM & Rspamd at the same time is discouraged - we recommend Rspamd for DKIM checks (enabled with Rspamd by default) & signing'
+  fi
+
+  if [[ ${ENABLE_OPENDMARC} -eq 1 ]]
+  then
+    __rspamd__log 'warn' 'Running OpenDMARC & Rspamd at the same time is discouraged - we recommend Rspamd for DMARC checks (enabled with Rspamd by default)'
+  fi
+
+  if [[ ${ENABLE_POLICYD_SPF} -eq 1 ]]
+  then
+    __rspamd__log 'warn' 'Running policyd-spf & Rspamd at the same time is discouraged - we recommend Rspamd for SPF checks (enabled with Rspamd by default)'
+  fi
+
+  if [[ ${ENABLE_POSTGREY} -eq 1 ]] && [[ ${RSPAMD_GREYLISTING} -eq 1 ]]
+  then
+    __rspamd__log 'warn' 'Running Postgrey & Rspamd at the same time is discouraged - we recommend Rspamd for greylisting'
+  fi
 }

 # Sets up Redis. In case the user does not use a dedicated Redis instance, we
 # supply a configuration for our local Redis instance which is started later.
 function __rspamd__setup_redis
 {
-  if [[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]]
+  if _env_var_expect_zero_or_one 'ENABLE_RSPAMD_REDIS' && [[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]]
  then
    __rspamd__log 'debug' 'Internal Redis is enabled, adding configuration'
-    cat >/etc/rspamd/local.d/redis.conf << "EOF"
+    cat >"${RSPAMD_LOCAL_D}/redis.conf" << "EOF"
 # documentation: https://rspamd.com/doc/configuration/redis.html

 servers = "127.0.0.1:6379";
@ -120,10 +159,10 @@ function __rspamd__setup_postfix
 # If ClamAV is enabled, we will integrate it into Rspamd.
 function __rspamd__setup_clamav
 {
-  if [[ ${ENABLE_CLAMAV} -eq 1 ]]
+  if _env_var_expect_zero_or_one 'ENABLE_CLAMAV' && [[ ${ENABLE_CLAMAV} -eq 1 ]]
  then
    __rspamd__log 'debug' 'Enabling ClamAV integration'
-    sedfile -i -E 's|^(enabled).*|\1 = true;|g' /etc/rspamd/local.d/antivirus.conf
+    sedfile -i -E 's|^(enabled).*|\1 = true;|g' "${RSPAMD_LOCAL_D}/antivirus.conf"
    # Rspamd uses ClamAV's UNIX socket, and to be able to read it, it must be in the same group
    usermod -a -G clamav _rspamd
  else
@ -165,7 +204,7 @@ function __rspamd__setup_default_modules
 #    from or to the "Junk" folder, and learning them as ham or spam.
 function __rspamd__setup_learning
 {
-  if [[ ${RSPAMD_LEARN} -eq 1 ]]
+  if _env_var_expect_zero_or_one 'RSPAMD_LEARN' && [[ ${RSPAMD_LEARN} -eq 1 ]]
  then
    __rspamd__log 'debug' 'Setting up intelligent learning of spam and ham'

@ -210,10 +249,10 @@ EOF
 # https://rspamd.com/doc/modules/greylisting.html).
 function __rspamd__setup_greylisting
 {
-  if [[ ${RSPAMD_GREYLISTING} -eq 1 ]]
+  if _env_var_expect_zero_or_one 'RSPAMD_GREYLISTING' && [[ ${RSPAMD_GREYLISTING} -eq 1 ]]
  then
    __rspamd__log 'debug' 'Enabling greylisting'
-    sedfile -i -E "s|(enabled =).*|\1 true;|g" /etc/rspamd/local.d/greylist.conf
+    sedfile -i -E "s|(enabled =).*|\1 true;|g" "${RSPAMD_LOCAL_D}/greylist.conf"
  else
    __rspamd__log 'debug' 'Greylisting is disabled'
  fi
@ -225,15 +264,12 @@ function __rspamd__setup_greylisting
 # succeeds.
 function __rspamd__setup_hfilter_group
 {
-  local MODULE_FILE='/etc/rspamd/local.d/hfilter_group.conf'
-  if [[ ${RSPAMD_HFILTER} -eq 1 ]]
+  local MODULE_FILE="${RSPAMD_LOCAL_D}/hfilter_group.conf"
+  if _env_var_expect_zero_or_one 'RSPAMD_HFILTER' && [[ ${RSPAMD_HFILTER} -eq 1 ]]
  then
    __rspamd__log 'debug' 'Hfilter (group) module is enabled'
    # Check if we received a number first
-    if [[ ! ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE} =~ ^[0-9][1-9]*$ ]]
-    then
-      __rspamd__log 'warn' "'RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE' is not a number (${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE}) but was expected to be!"
-    elif [[ ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE} -ne 6 ]]
+    if _env_var_expect_integer 'RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE' && [[ ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE} -ne 6 ]]
    then
      __rspamd__log 'trace' "Adjusting score for 'HFILTER_HOSTNAME_UNKNOWN' in Hfilter group module to ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE}"
      sed -i -E \
@ -275,7 +311,7 @@ function __rspamd__handle_user_modules_adjustments
    # remove possible whitespace at the end (e.g., in case ${ARGUMENT3} is empty)
    VALUE=${VALUE% }

-    local FILE="/etc/rspamd/override.d/${MODULE_FILE}"
+    local FILE="${RSPAMD_OVERRIDE_D}/${MODULE_FILE}"
    [[ -f ${FILE} ]] || touch "${FILE}"

    if grep -q -E "${OPTION}.*=.*" "${FILE}"