mirror/docker-mailserver.docker-mailserver
1
0
Fork 0
mirror of https://github.com/docker-mailserver/docker-mailserver.git synced 2025-08-02 09:05:14 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

scripts: improve CLAMAV_MESSAGE_SIZE_LIMIT usage (#3332)

Browse source 
* add sanity check for Clam size & adjusted MaxScanSize

The second part is of special importance! See
<https://askubuntu.com/a/1448525>, which explains that the maximum scan
size is important as well. We previously just set the maximum file size,
which actually is pretty insecure as we silently not scan mile bigger
than `MaxScanSize`. This is corrected now.

* add SlamAV size configuration to Rspamd
This commit is contained in:
Georg Lauterbach 2023-05-12 16:04:41 +02:00 committed by GitHub
parent 3340b80972
commit 78b7f0cbea
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 33 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

14
target/scripts/startup/setup.d/security/misc.sh
View file

@ -186,8 +186,18 @@ function __setup__security__clamav
if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]
then
_log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"
sedfile -i \
"s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" \
# do a short sanity checks; ClamAV stops scanning at more that 4GB file size
if [[ $(numfmt --from=si "${CLAMAV_MESSAGE_SIZE_LIMIT}") -gt $(numfmt --from=si 4G) ]]
then
_log 'warn' "You set 'CLAMAV_MESSAGE_SIZE_LIMIT' to a value larger than 4 Gigabyte which ClamAV does not support - you should correct your configuration"
fi
sedfile -i -E \
"s|^(MaxFileSize).*|\1 ${CLAMAV_MESSAGE_SIZE_LIMIT}|" \
/etc/clamav/clamd.conf
sedfile -i -E \
"s|^(MaxScanSize).*|\1 ${CLAMAV_MESSAGE_SIZE_LIMIT}|" \
/etc/clamav/clamd.conf
fi
else

8
target/scripts/startup/setup.d/security/rspamd.sh
View file

@ -164,6 +164,14 @@ function __rspamd__setup_clamav
sedfile -i -E 's|^(enabled).*|\1 = true;|g' "${RSPAMD_LOCAL_D}/antivirus.conf"
# Rspamd uses ClamAV's UNIX socket, and to be able to read it, it must be in the same group
usermod -a -G clamav _rspamd
if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]
then
local SIZE_IN_BYTES
SIZE_IN_BYTES=$(numfmt --from=si "${CLAMAV_MESSAGE_SIZE_LIMIT}")
__rspamd__log 'trace' "Adjusting maximum size for ClamAV to ${SIZE_IN_BYTES} bytes (${CLAMAV_MESSAGE_SIZE_LIMIT})"
sedfile -i -E "s|(.*max_size =).*|\1 ${SIZE_IN_BYTES};|" "${RSPAMD_LOCAL_D}/antivirus.conf"
fi
else
__rspamd__log 'debug' 'Rspamd will not use ClamAV (which has not been enabled)'
fi