Commit 5064da85 authored by nimrod's avatar nimrod

Spamd limited user and updates.

- Run as a limited user.
- Use a higher number port (for the limited user).
- Compile rules for better performance.
- Add a script to update the rules, recompile and reload the daemon.
parent 8ebf0b13
@daily docker exec mail_clamd_1 clamd-update @daily docker exec mail_clamd_1 clamd-update
@daily docker exec mail_spamd_1 spamd-learn @daily docker exec mail_spamd_1 spamd-learn
@daily docker exec mail_spamd_1 spamd-update
...@@ -2,3 +2,4 @@ ...@@ -2,3 +2,4 @@
!entrypoint !entrypoint
!spamd-ping !spamd-ping
!spamd-learn !spamd-learn
!spamd-update
...@@ -4,16 +4,23 @@ RUN apt-get update && \ ...@@ -4,16 +4,23 @@ RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
gnupg \ gnupg \
libmail-spf-perl \ libmail-spf-perl \
sa-compile \
spamassassin \ spamassassin \
spamc \ spamc \
&& \ && \
sa-update && \ usermod --append --groups mail debian-spamd && \
install -m 640 -o debian-spamd -g debian-spamd /dev/null /var/run/spamd.pid && \
install -d -m 750 -o debian-spamd -g debian-spamd /run/spamd && \
install -d -m 750 -o debian-spamd -g debian-spamd /var/backups/sa-learn && \
rm -rf /run/spamd/* /var/backups/sa-learn/* && \
rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/* rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
COPY --chown=root:root spamd-ping spamd-learn /usr/local/bin/ COPY --chown=root:root entrypoint spamd-ping spamd-learn spamd-update /usr/local/bin/
COPY --chown=root:root entrypoint /entrypoint USER debian-spamd
EXPOSE 783 WORKDIR /var/lib/spamassassin
RUN spamd-update
EXPOSE 7783
VOLUME /run/spamd VOLUME /run/spamd
VOLUME /var/backups/sa-learn VOLUME /var/backups/sa-learn
ENTRYPOINT [ "/entrypoint" ] ENTRYPOINT [ "entrypoint" ]
CMD [ "spamd", "--create-prefs", "--max-children=5", "--helper-home-dir", "--listen=0.0.0.0:783", "--socketpath=/var/run/spamd/spamd.sock", "--syslog=stderr" ] CMD [ "spamd", "--create-prefs", "--max-children=5", "--helper-home-dir", "--listen=0.0.0.0:7783", "--socketpath=/var/run/spamd/spamd.sock", "--syslog=stderr", "--pidfile=/var/run/spamd.pid" ]
HEALTHCHECK CMD spamd-ping HEALTHCHECK CMD spamd-ping
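Review bot: `usermod --append --groups mail debian-spamd` gives the account that now runs the network-facing daemon group access to whatever is mounted at `/var/mail`, which works against the least-privilege goal of this commit. The membership is presumably only needed so `spamd-learn` can read the mailboxes, but that is not stated anywhere in the file. I would add a comment above the `RUN`, such as `# debian-spamd is in group mail only so spamd-learn can read /var/mail; mount that volume read-only.`, so the extra group is not widened later by accident. The `RUN` instruction starts before the hunk, so the first install lines are not visible here.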
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
## Exposed interfaces ## Exposed interfaces
The daemon is accessible over TCP at port 783 and over the `spamd.sock` Unix The daemon is accessible over TCP at port 7783 and over the `spamd.sock` Unix
socket in the `/run/spamd` volume. socket in the `/run/spamd` volume.
## Training the Bayesian classifier ## Training the Bayesian classifier
...@@ -16,6 +16,10 @@ database from that volume. To update the database run `spamd-learn` from inside ...@@ -16,6 +16,10 @@ database from that volume. To update the database run `spamd-learn` from inside
the container with `docker exec` (there's no need to restart the container the container with `docker exec` (there's no need to restart the container
afterwards). For an example see the [Cron image](../crond) inside this project. afterwards). For an example see the [Cron image](../crond) inside this project.
## Updating the rules
Use the `spamd-update` script in the image.
## License ## License
This software is licensed under the MIT license (see `LICENSE.txt`). This software is licensed under the MIT license (see `LICENSE.txt`).
......
#!/bin/sh #!/bin/sh
set -eux set -eux
install -d -m 750 -o debian-spamd -g debian-spamd /run/spamd if [ -f /var/backups/sa-learn/backup.txt ]
install -d -m 750 -o debian-spamd -g debian-spamd /var/backups/sa-learn then
sh -c 'sleep 60; sa-learn --restore /var/backups/sa-learn/backup.txt' & sh -c 'sleep 60; sa-learn --restore /var/backups/sa-learn/backup.txt' &
fi
eval exec "$@" eval exec "$@"
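Review bot: `eval exec "$@"` on the last line joins the container arguments into one string and has `sh` parse it a second time, so the original quoting is lost and any shell metacharacter in a CMD or `docker run` argument is interpreted instead of being passed to spamd. Nothing in the CMD shown in the Dockerfile needs that second parse. `exec "$@"` hands the arguments over unchanged and still replaces the shell with the daemon.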
...@@ -5,9 +5,14 @@ set -eux ...@@ -5,9 +5,14 @@ set -eux
for user in $(find /var/mail -maxdepth 1 -mindepth 1 -type d) for user in $(find /var/mail -maxdepth 1 -mindepth 1 -type d)
do do
sa-learn --spam --mbox --forget "$user/Junk" || true sa-learn --spam --mbox --forget "$user/Junk" || true
find "$user" -maxdepth 1 -type f -print0 | \ find "$user" \
grep -Zv 'Drafts\|Inbox\|Junk\|Sent' | \ -maxdepth 1 \
xargs -0rn1 -- sa-learn --ham --mbox --forget || true -type f \
\! -name Junk \
\! -name Inbox \
\! -name Sent \
-execdir sa-learn --ham --mbox --forget "{}" \;
done done
sa-learn --sync
sa-learn --backup > /var/backups/sa-learn/backup.txt sa-learn --backup > /var/backups/sa-learn/backup.txt
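Review bot: The new `find` expression no longer excludes `Drafts`, which the removed `grep -Zv 'Drafts\|Inbox\|Junk\|Sent'` filter listed, so a user's drafts mailbox is now passed to `sa-learn --ham`. If that is not intended, add `\! -name Drafts \` next to the other `-name` tests. Every other file in the user directory is also trained as ham, so a folder where users keep deleted spam would skew the Bayes database. A comment above the `find` naming the folders that are expected to exist would make the intended training set explicit.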
...@@ -2,5 +2,5 @@ ...@@ -2,5 +2,5 @@
set -eux set -eux
sa-check_spamd --verbose --socketpath /run/spamd/spamd.sock || exit 1 sa-check_spamd --verbose --socketpath /run/spamd/spamd.sock || exit 1
sa-check_spamd --verbose --hostname localhost || exit 1 sa-check_spamd --verbose --hostname localhost --port 7783 || exit 1
exit 0 exit 0
#!/bin/sh
set -eux
sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys --verbose || exitcode="$?"
if [ "${exitcode:-0}" -eq '0' ]
then
echo 'Successful update, recompiling rules and reloading spamd.' >&2
sa-compile || true
kill -HUP "$(cat /var/run/spamd.pid)" || true
elif [ "${exitcode}" -eq '1' ]
then
echo 'No updates were available, exiting.' >&2
exit 0
else
echo "Update failed, exit code $exitcode." >&2
exit "$exitcode"
fi
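Review bot: `sa-compile || true` and `kill -HUP "$(cat /var/run/spamd.pid)" || true` discard failures after the script has already printed 'Successful update', so a cron run exits 0 even when the compile or the reload did not happen. During the image build (`RUN spamd-update`) the pid file is presumably still the empty file created from `/dev/null`, so `kill` receives an empty argument and only `|| true` hides it. I would guard the reload with `if [ -s /var/run/spamd.pid ]; then kill -HUP "$(cat /var/run/spamd.pid)"; fi` and report a failed compile with `sa-compile || echo 'sa-compile failed.' >&2` rather than silencing it.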