docker-mailserver: bug report: Test on rspamd private key files not working as expected
๐ Preliminary Checks
- I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.
๐ What Happened?
target/scripts/startup/setup.d/security/rspamd.sh
if find "$(realpath -eL "${FILE}")" -user _rspamd -or -group _rspamd -or -perm -o=r -exec false {} +; then
Should likely be:
if find "$(realpath -eL "${FILE}")" \( -user _rspamd -or -group _rspamd -or -perm -o=r \) -exec false {} +; then
As it currently stands the test does not appear to work correctly, failing to -exec false when conditions are true - which causes โdoes not appear to have correct permissions/ownership for Rspamd to use itโ message in logs.
๐ Reproduction Steps
-r--r--r--. 1 _rspamd _rspamd 1704 Oct 5 13:47 rsa-2048-mail-nine-hells.net.private.txt
Causes โdoes not appear to have correct permissions/ownership for Rspamd to use itโ message in logs.
๐ DMS Version
v13.0.0
๐ป Operating System and Architecture
Fedora 39 x86_64
โ๏ธ Container configuration files
[Container]
Image=docker.io/mailserver/docker-mailserver:latest
ContainerName=mailserver
Environment=TZ=Australia/Sydney PERMIT_DOCKER=none SSL_TYPE=letsencrypt POSTMASTER_ADDRESS=mike@nine-hells.net ENABLE_RSPAMD=1 ENABLE_OPENDKIM=0 ENABLE_OPENDMARC=0 ENABLE_POLICYD_SPF=0 ENABLE_AMAVIS=0 ENABLE_SPAMASSASSIN=0 POSTFIX_INET_PROTOCOLS=ipv4 DOVECOT_INET_PROTOCOLS=ipv4 ENABLE_FAIL2BAN=1
Label=io.containers.autoupdate=registry
#Network=default.network
Network=pasta:-I,eth0
PublishPort=5025:25
PublishPort=5465:465
PublishPort=5587:587
PublishPort=5993:993
PublishPort=11334:11334
Volume=/storage/docker/mailserver/config/:/tmp/docker-mailserver/
Volume=/storage/docker/mailserver/config/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf
Volume=/storage/docker/mailserver/mail-data/:/var/mail/
Volume=/storage/docker/mailserver/mail-state/:/var/mail-state/
Volume=/storage/docker/mailserver/mail-logs/:/var/log/mail/
Volume=/storage/docker/mailserver/statistic.conf:/etc/rspamd/statistic.conf
Volume=/etc/localtime:/etc/localtime:ro
Volume=/storage/docker/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.nine-hells.net/mail.nine-hells.net.crt:/etc/letsencrypt/live/mail.nine-hells.net/fullchain.pem
Volume=/storage/docker/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.nine-hells.net/mail.nine-hells.net.key:/etc/letsencrypt/live/mail.nine-hells.net/privkey.pem
PodmanArgs=--hostname mail.nine-hells.net --cap-add=NET_ADMIN
[Service]
Restart=always
[Install]
WantedBy=default.target
๐ Relevant log output
[ WARNING ] (Rspamd setup) Rspamd DKIM private key file '/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-nine-hells.net.private.txt' does not appear to have correct permissions/ownership for Rspamd to use it
[ WARNING ] (Rspamd setup) Rspamd DKIM private key file '/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-nine-hells.net.private.txt' does not appear to have correct permissions/ownership for Rspamd to use it
About this issue
- Original URL
- State: closed
- Created 7 months ago
- Reactions: 2
- Comments: 37 (17 by maintainers)
Commits related to this issue
- fix #3665 — committed to docker-mailserver/docker-mailserver by georglauterbach 7 months ago
- fix #3665 — committed to docker-mailserver/docker-mailserver by georglauterbach 7 months ago
- hotfix: solve #3665 (#3669) Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> — committed to docker-mailserver/docker-mailserver by georglauterbach 7 months ago
I can also confirm this bug. I was on โlatestโ and got the v13 update overnight. Saw the DKIM permissions/ownership warning in the log, checked outgoing messages, they were not signed anymore. Tried to revert to 12.1.0 but messages were still not signed, tried to revert the changes in dkim_signing config file manually but this also did not solve it. In the end I reverted to yesterdays backup and fixed the version to 12.1, as I unfortunately donโt have the time to debug it today. (DKIM signing works as expected with 12.1) If there is a fix to be tested, I volunteer since I now know my rollback option works fine ๐
Everything worked fine so far and this is the first bug I encountered which is impressive with a project this size ๐ So thanks to you all for your great work!
@polarathene: Thanks, image is ready, DKIM is working. Logfiles still shows
Welcome to docker-mailserver 13.0.0on start ๐v13.0.1 is released. Sorry for the delay, CI is building the new image release and should be available shortly.
Thank you for the fix! Mails are signed with
:edge.Sorry for the delay; working on PR feedback took longer than anticipated. We want to ship a proper release; I will try to get it done today.
I will provide a PR today (tonight) and release v13.0.1. Keep the outputs of the commands I posted flowing in ๐
Good!
Yes, no worries ๐
Perfect - I have gathered all data to provide a PR that fixes the two issues posted here.
I assume OpenDKIM is working fine, if anyone can chime in on that? Is it only rspamd dkim support affected in v13?
There was quite a bit of DKIM related churn, mostly related to rspamd IIRC. v13 was a bit of a long release cycle but the changelog should highlight most of it as either dkim or rspamd changes.
They were meant to be fixes however, and last I knew those affected had confirmed their issues were fixed, with no other concerns raised.
dkim_signing.conflocation was changed: https://github.com/docker-mailserver/docker-mailserver/pull/3597Some other earlier fixes were related to Postfix config for the DKIM milter.
Perhaps we missed a migration concern that youโve run into, that wouldnโt apply to a fresh install + setup? ๐ฌ (tad tricky for us to test for)
Apologies for the mishap here, when I can find enough time the test suite will get an overhaul which should make it easier to add better test coverage for issues like this.
I have been advocating for simplifying the DKIM management related scripts, since a fair bit of OpenDKIM and Rspamd support is roughly the same logic.
When that support is unified, both will share a common DKIM files location in the config volume, and copy over to an internal location IIRC. Their configs generated at runtime allowing for easy switching.
Staying on v12.1 for now is probably best until someone has time to investigate.
I just noticed this issue on my DMS instance. Nice to see that there is a fix available so quickly! Keep up the good work ๐
Whoops! Looks like I missed a spot ๐ฌ
Iโve addressed that here: https://github.com/docker-mailserver/docker-mailserver/pull/3676
I donโt think it warrants a new patch release, but if anyone does have an issue with the slight inaccuracy with that log message let me know.
When #3666 and #3669 are merged, v13.0.1 will be released as a hotfix.
I knew it - damn. Okay @medebb please do me one more favor (1 sec):
OK, I changed RSPAMD_CHECK_AUTHENTICATED=1 in mailserver.env and restarted the container. Now mails are signed ๐
Just do it inside your container:
docker exec -it mail chown _rspamd:_rspamd /tmp/docker-mailserver/rspamd/dkim/private.keychange container name and private key file nameI tested this issue with a fresh installation of dms:
Did switch to rspamd yesterday during upgrade to v13. Tried until midnight to get around the WARN message in the log file about DKIM private key file ๐. I can confirm that my mails arenโt DKIM signed any longer. Thanks for your hard work despite this bug.
Correct me if I am wrong, but my understanding was that this change would produce a warning message only and wouldnโt impact the actual dkim functionality? Were there any other dkim changes for v13.0.0 that might have prevented dkim signing?
Edit: I rolled back to v12.1.0 and dkim signing is definitely working properly there and not in v13.0.0 with the same config.