misc: final Rspamd adjustments for v13 (#3599)

* outsource Rspamd ENVs into explicit helper This will allow us to uniformly source the helper and get the values from everywhere consistently. This is more than desirable since we will be using these values not only for the Rspamd setup, but also for DKIM management and during change-detection. * integrate Rspamd into changedetection We outsource one more function to reside in the helper script for Rspamd so that we can call this function from the Rspamd setup and from the changedetection functionality too. * realize deprecation of old commands file for Rspamd THIS IS A BREAKING CHANGE! This change realizes the log message: "Using old file location now (deprecated) - this will prevent startup in v13.0.0" Startup will now fail. * added '--force' option to Rspamd DKIM script * use new helper to get ENVs for Rspamd in DKIM script * remove the need for linking directories This was unnecessary, as explained in https://github.com/docker-mailserver/docker-mailserver/pull/3597#discussion_r1369413599 * Apply suggestions from code review review by @polarathene * apply more review feedback from @polarathene - <https://github.com/docker-mailserver/docker-mailserver/pull/3599#discussion_r1370885519> - <https://github.com/docker-mailserver/docker-mailserver/pull/3599#discussion_r1370904201> * update documentation --------- Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2025-08-04 10:05:00 +02:00 · 2023-10-30 10:20:37 +01:00 · 2023-10-30 10:20:37 +01:00 · f674232f71
commit f674232f71
parent 5efd249786
10 changed files with 205 additions and 156 deletions
--- a/target/bin/rspamd-dkim
+++ b/target/bin/rspamd-dkim
@ -27,9 +27,10 @@ ${ORANGE}DESCRIPTION${RESET}

 ${ORANGE}OPTIONS${RESET}
    ${BLUE}Generic Program Information${RESET}
-        -v        Enable verbose logging (setting the log level to 'debug').
-        -vv       Enable very verbose logging (setting the log level to 'trace').
-        help      Print the usage information.
+        -f | --force  Overwrite existing files if there are any
+        -v            Enable verbose logging (setting the log level to 'debug').
+        -vv           Enable very verbose logging (setting the log level to 'trace').
+        help          Print the usage information.

    ${BLUE}Configuration adjustments${RESET}
        keytype   Set the type of key you want to use.
@ -69,6 +70,7 @@ function __do_as_rspamd_user() {
 }

 function _parse_arguments() {
+  FORCE=0
  KEYTYPE='rsa'
  KEYSIZE='2048'
  SELECTOR='mail'
@ -112,6 +114,12 @@ function _parse_arguments() {
        exit 0
        ;;

+      ( '-f' | '--force' )
+        FORCE=1
+        shift 1
+        continue
+        ;;
+
      ( '-vv' )
        # shellcheck disable=SC2034
        LOG_LEVEL='trace'
@ -132,7 +140,6 @@ function _parse_arguments() {
        __usage
        _exit_with_error "Unknown option(s) '${1}' ${2:+"and '${2}'"}"
        ;;
-
    esac

    shift 2
@ -150,34 +157,10 @@ function _preflight_checks() {
    _log 'warn' "The directory '/tmp/docker-mailserver' does not seem to be mounted by a volume - the Rspamd (DKIM) configuration will not be persisted"
  fi

-  # Note: Variables not marked with `local` are used
-  # in other functions (after this function was called).
-  # Also keep in sync with: target/scripts/startup/setup.d/security/rspamd.sh:__rspamd__run_early_setup_and_checks
-  local RSPAMD_DMS_D='/tmp/docker-mailserver/rspamd'
-  local RSPAMD_OVERRIDE_D='/etc/rspamd/override.d'
-  readonly RSPAMD_DMS_DKIM_D="${RSPAMD_DMS_D}/dkim"
-  readonly RSPAMD_DMS_OVERRIDE_D="${RSPAMD_DMS_D}/override.d"
+  _rspamd_get_envs

  mkdir -p "${RSPAMD_DMS_DKIM_D}" "${RSPAMD_DMS_OVERRIDE_D}"
  chown _rspamd:_rspamd "${RSPAMD_DMS_DKIM_D}"
-
-  # Mimmick target/scripts/startup/setup.d/security/rspamd.sh:__rspamd__run_early_setup_and_checks where
-  # ${RSPAMD_OVERRIDE_D} is linked to ${RSPAMD_DMS_OVERRIDE_D}, but not if
-  #
-  # 1. ${RSPAMD_OVERRIDE_D} has already been linked to ${RSPAMD_DMS_OVERRIDE_D}
-  # 2. ${RSPAMD_OVERRIDE_D} has contents already
-  #
-  # If 1. is true, then we're good since DMS' default setup linked the directory already and we will save
-  # a persisted location in every case. If 1. is false, 2. should be false as well since by default,
-  # ${RSPAMD_OVERRIDE_D} has no contents - we're good as well. What should logically never happen is
-  # that 1. is false but 2. is true; this case is caught nevertheless and a warning is emitted.
-  if [[ ! -h "${RSPAMD_OVERRIDE_D}" ]]; then
-    if rmdir "${RSPAMD_OVERRIDE_D}" &>/dev/null; then
-      ln -s "${RSPAMD_DMS_OVERRIDE_D}" "${RSPAMD_OVERRIDE_D}"
-    else
-      _log 'warn' "Could not link '${RSPAMD_OVERRIDE_D}' to '${RSPAMD_DMS_OVERRIDE_D}' (as '${RSPAMD_OVERRIDE_D}' does not appear to be empty, which is unexpected) - you will need to restart DMS for changes to take effect"
-    fi
-  fi
 }

 function _create_keys() {
@ -195,6 +178,16 @@ function _create_keys() {
  PUBLIC_KEY_DNS_FILE="${BASE_FILE_NAME}.public.dns.txt"
  PRIVATE_KEY_FILE="${BASE_FILE_NAME}.private.txt"

+  if [[ -f ${PUBLIC_KEY_FILE} ]] || [[ -f ${PUBLIC_KEY_DNS_FILE} ]] || [[ -f ${PRIVATE_KEY_FILE} ]]; then
+    if [[ ${FORCE} -eq 0 ]]; then
+      _log 'error' "Not overwriting existing files (use '--force' to overwrite existing files)"
+      exit 1
+    else
+      _log 'info' "Overwriting existing files as the '--force' option was supplied"
+      rm "${PUBLIC_KEY_FILE}" "${PUBLIC_KEY_DNS_FILE}" "${PRIVATE_KEY_FILE}"
+    fi
+  fi
+
  # shellcheck disable=SC2310
  if __do_as_rspamd_user rspamadm \
      dkim_keygen                 \
@ -226,7 +219,7 @@ function _check_permissions() {
 function _setup_default_signing_conf() {
  local DEFAULT_CONFIG_FILE="${RSPAMD_DMS_OVERRIDE_D}/dkim_signing.conf"
  if [[ -f ${DEFAULT_CONFIG_FILE} ]]; then
-    _log 'debug' "'${DEFAULT_CONFIG_FILE}' exists, not supplying a default"
+    _log 'info' "'${DEFAULT_CONFIG_FILE}' exists, not supplying a default ('--force' does not overwrite this file, manual adjustment required)"
  else
    _log 'info' "Supplying a default configuration (to '${DEFAULT_CONFIG_FILE}')"
    cat >"${DEFAULT_CONFIG_FILE}" << EOF
@ -253,7 +246,15 @@ domain {
 }

 EOF
-    chown _rspamd:_rspamd "${DEFAULT_CONFIG_FILE}"
+
+    # We copy here immediately in order to not rely on the changedetector - this way, users
+    # can immediately use the new keys. The file should not already exist in ${RSPAMD_OVERRIDE_D}
+    # since it would have been copied already.
+    cp "${DEFAULT_CONFIG_FILE}" "${RSPAMD_OVERRIDE_D}/dkim_signing.conf"
+    chown _rspamd:_rspamd "${DEFAULT_CONFIG_FILE}" "${RSPAMD_OVERRIDE_D}/dkim_signing.conf"
+
+    _log 'debug' 'Restarting Rspamd as initial DKIM configuration was suppplied'
+    supervisorctl restart rspamd
  fi
 }