Commit 5064da85 authored by nimrod's avatar nimrod
Browse files

Spamd limited user and updates.

- Run as a limited user.
- Use a higher number port (for the limited user).
- Compile rules for better performance.
- Add a script to update the rules, recompile and reload the daemon.
parent 8ebf0b13
Loading
Loading
Loading
Loading
+1 −0
Original line number Diff line number Diff line
@daily docker exec mail_clamd_1 clamd-update
@daily docker exec mail_spamd_1 spamd-learn
@daily docker exec mail_spamd_1 spamd-update
+1 −0
Original line number Diff line number Diff line
@@ -2,3 +2,4 @@
!entrypoint
!spamd-ping
!spamd-learn
!spamd-update
+13 −6
Original line number Diff line number Diff line
@@ -4,16 +4,23 @@ RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        gnupg \
        libmail-spf-perl \
        sa-compile \
        spamassassin \
        spamc \
    && \
    sa-update && \
    usermod --append --groups mail debian-spamd && \
    install -m 640 -o debian-spamd -g debian-spamd /dev/null /var/run/spamd.pid && \
    install -d -m 750 -o debian-spamd -g debian-spamd /run/spamd && \
    install -d -m 750 -o debian-spamd -g debian-spamd /var/backups/sa-learn && \
    rm -rf /run/spamd/* /var/backups/sa-learn/* && \
    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
COPY --chown=root:root spamd-ping spamd-learn /usr/local/bin/
COPY --chown=root:root entrypoint /entrypoint
EXPOSE 783
COPY --chown=root:root entrypoint spamd-ping spamd-learn spamd-update /usr/local/bin/
USER debian-spamd
WORKDIR /var/lib/spamassassin
RUN spamd-update
EXPOSE 7783
VOLUME /run/spamd
VOLUME /var/backups/sa-learn
ENTRYPOINT [ "/entrypoint" ]
CMD [ "spamd", "--create-prefs", "--max-children=5", "--helper-home-dir", "--listen=0.0.0.0:783", "--socketpath=/var/run/spamd/spamd.sock", "--syslog=stderr" ]
ENTRYPOINT [ "entrypoint" ]
CMD [ "spamd", "--create-prefs", "--max-children=5", "--helper-home-dir", "--listen=0.0.0.0:7783", "--socketpath=/var/run/spamd/spamd.sock", "--syslog=stderr", "--pidfile=/var/run/spamd.pid" ]
HEALTHCHECK CMD spamd-ping
+5 −1
Original line number Diff line number Diff line
@@ -4,7 +4,7 @@

## Exposed interfaces

The daemon is accessible over TCP at port 783 and over the `spamd.sock` Unix
The daemon is accessible over TCP at port 7783 and over the `spamd.sock` Unix
socket in the `/run/spamd` volume.

## Training the Bayesian classifier
@@ -16,6 +16,10 @@ database from that volume. To update the database run `spamd-learn` from inside
the container with `docker exec` (there's no need to restart the container
afterwards). For an example see the [Cron image](../crond) inside this project.

## Updating the rules

Use the `spamd-update` script in the image.

## License

This software is licensed under the MIT license (see `LICENSE.txt`).
+4 −4
Original line number Diff line number Diff line
#!/bin/sh
set -eux

install -d -m 750 -o debian-spamd -g debian-spamd /run/spamd
install -d -m 750 -o debian-spamd -g debian-spamd /var/backups/sa-learn

if [ -f /var/backups/sa-learn/backup.txt ]
then
    sh -c 'sleep 60; sa-learn --restore /var/backups/sa-learn/backup.txt' &
fi

eval exec "$@"
Loading