From 2da3e1b02224b25703ba5cfaf552a8b2f4e68824 Mon Sep 17 00:00:00 2001
From: Casper
Date: Sun, 12 Mar 2023 12:10:45 +0100
Subject: [PATCH] fix: SRS setup (#3158)
---
 Dockerfile | 2 -
 target/scripts/build/packages.sh | 10 +++
 target/scripts/startup/setup.d/mail_state.sh | 69 ++++++++++++++------
 target/scripts/startup/setup.d/postfix.sh | 15 +----
 4 files changed, 60 insertions(+), 36 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2e49b332..acadbe54 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -242,8 +242,6 @@ RUN < add set \\{ type \\; flags interval\\; \\}/' /etc/fail2ban/action.d/nftables.conf }
+function _remove_data_after_package_installations
+{
+ _log 'debug' 'Deleting sensitive files (secrets)'
+ rm /etc/postsrsd.secret
+
+ _log 'debug' 'Deleting default logwatch cronjob'
+ rm /etc/cron.daily/00logwatch
+}
+
 function _post_installation_steps
 {
 _log 'debug' 'Running post-installation steps (cleanup)'
@@ -216,4 +225,5 @@ _install_packages
 _install_dovecot
 _install_rspamd
 _install_fail2ban
+_remove_data_after_package_installations
 _post_installation_steps
diff --git a/target/scripts/startup/setup.d/mail_state.sh b/target/scripts/startup/setup.d/mail_state.sh
index 6a2d3ec6..b96a457c 100644
--- a/target/scripts/startup/setup.d/mail_state.sh
+++ b/target/scripts/startup/setup.d/mail_state.sh
@@ -4,7 +4,7 @@
 # (/var/mail-state) to allow persistence using docker volumes
 function _setup_save_states
 {
- local STATEDIR FILE FILES
+ local DEST DESTDIR STATEDIR SERVICEDIR SERVICEDIRS SERVICEFILE SERVICEFILES
 STATEDIR='/var/mail-state'
@@ -13,7 +13,7 @@ function _setup_save_states
 _log 'debug' "Consolidating all state onto ${STATEDIR}"
 # Always enabled features:
- FILES=(
+ SERVICEDIRS=(
 lib/logrotate
 lib/postfix
 spool/postfix
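Review bot: `rm /etc/postsrsd.secret` in the new `_remove_data_after_package_installations` has no `-f`, so if the file (presumably written by the postsrsd package at install time) is ever absent the image build aborts, even though a missing file is exactly the state `_setup_SRS` already handles by generating a fresh secret at startup; `rm -f -- /etc/postsrsd.secret` (and likewise for the logwatch cronjob) keeps the intent without the brittleness, while still failing on a real removal error. The log line only says that sensitive files are deleted; a comment stating why would help the next maintainer, e.g. `# A secret baked into the image would be shared by every container built from it; _setup_SRS generates or restores a per-deployment secret at startup`. The `@@` header of this hunk is not visible here (the preceding Dockerfile hunk is garbled), so I cannot see what context precedes the new function.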
@@ -21,38 +21,65 @@ function _setup_save_states
 # Only consolidate state for services that are enabled
 # Notably avoids copying over 200MB for the ClamAV database
- [[ ${ENABLE_AMAVIS} -eq 1 ]] && FILES+=('lib/amavis')
- [[ ${ENABLE_CLAMAV} -eq 1 ]] && FILES+=('lib/clamav')
- [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && FILES+=('lib/fail2ban')
- [[ ${ENABLE_FETCHMAIL} -eq 1 ]] && FILES+=('lib/fetchmail')
- [[ ${ENABLE_POSTGREY} -eq 1 ]] && FILES+=('lib/postgrey')
- [[ ${ENABLE_RSPAMD} -eq 1 ]] && FILES+=('lib/rspamd')
- [[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]] && FILES+=('lib/redis')
- [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && FILES+=('lib/spamassassin')
- [[ ${SMTP_ONLY} -ne 1 ]] && FILES+=('lib/dovecot')
+ [[ ${ENABLE_AMAVIS} -eq 1 ]] && SERVICEDIRS+=('lib/amavis')
+ [[ ${ENABLE_CLAMAV} -eq 1 ]] && SERVICEDIRS+=('lib/clamav')
+ [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && SERVICEDIRS+=('lib/fail2ban')
+ [[ ${ENABLE_FETCHMAIL} -eq 1 ]] && SERVICEDIRS+=('lib/fetchmail')
+ [[ ${ENABLE_POSTGREY} -eq 1 ]] && SERVICEDIRS+=('lib/postgrey')
+ [[ ${ENABLE_RSPAMD} -eq 1 ]] && SERVICEDIRS+=('lib/rspamd')
+ [[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]] && SERVICEDIRS+=('lib/redis')
+ [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && SERVICEDIRS+=('lib/spamassassin')
+ [[ ${ENABLE_SRS} -eq 1 ]] && SERVICEDIRS+=('lib/postsrsd')
+ [[ ${SMTP_ONLY} -ne 1 ]] && SERVICEDIRS+=('lib/dovecot')
- for FILE in "${FILES[@]}"
+ # Single service files
+ [[ ${ENABLE_SRS} -eq 1 ]] && SERVICEFILES+=('/etc/postsrsd.secret')
+
+ for SERVICEFILE in "${SERVICEFILES[@]}"; do
- DEST="${STATEDIR}/${FILE//\//-}"
- FILE="/var/${FILE}"
+ DEST="${STATEDIR}/${SERVICEFILE}"
+ DESTDIR="${DEST%/*}"
+
+ mkdir -p "${DESTDIR}"
+ if [[ -f ${DEST} ]]
+ then
+ _log 'trace' "Destination ${DEST} exists, linking ${SERVICEFILE} to it"
+ # Original content from image no longer relevant, remove it:
+ rm -f "${SERVICEFILE}"
+ elif [[ -f "${SERVICEFILE}" ]]
+ then
+ _log 'trace' "Moving ${SERVICEFILE} to ${DEST}"
+ # Empty volume was mounted, or new content from enabling a feature ENV:
+ mv "${SERVICEFILE}" "${DEST}"
+ fi
+
+ # Symlink the original file in the container ($SERVICEFILE) to be
+ # sourced from assocaiated path in /var/mail-state/ ($DEST):
+ ln -s "${DEST}" "${SERVICEFILE}"
+ done
+
+ for SERVICEDIR in "${SERVICEDIRS[@]}"
+ do
+ DEST="${STATEDIR}/${SERVICEDIR//\//-}"
+ SERVICEDIR="/var/${SERVICEDIR}"
 # If relevant content is found in /var/mail-state (presumably a volume mount),
 # use it instead. Otherwise copy over any missing directories checked.
 if [[ -d ${DEST} ]]
 then
- _log 'trace' "Destination ${DEST} exists, linking ${FILE} to it"
+ _log 'trace' "Destination ${DEST} exists, linking ${SERVICEDIR} to it"
 # Original content from image no longer relevant, remove it:
- rm -rf "${FILE}"
- elif [[ -d ${FILE} ]]
+ rm -rf "${SERVICEDIR}"
+ elif [[ -d ${SERVICEDIR} ]]
 then
- _log 'trace' "Moving contents of ${FILE} to ${DEST}"
+ _log 'trace' "Moving contents of ${SERVICEDIR} to ${DEST}"
 # Empty volume was mounted, or new content from enabling a feature ENV:
- mv "${FILE}" "${DEST}"
+ mv "${SERVICEDIR}" "${DEST}"
 fi
- # Symlink the original path in the container ($FILE) to be
+ # Symlink the original path in the container ($SERVICEDIR) to be
 # sourced from assocaiated path in /var/mail-state/ ($DEST):
- ln -s "${DEST}" "${FILE}"
+ ln -s "${DEST}" "${SERVICEDIR}"
 done
 # This ensures the user and group of the files from the external mount have their
diff --git a/target/scripts/startup/setup.d/postfix.sh b/target/scripts/startup/setup.d/postfix.sh
index 4d1bbf6f..12a2f8b6 100644
--- a/target/scripts/startup/setup.d/postfix.sh
+++ b/target/scripts/startup/setup.d/postfix.sh
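Review bot: `DEST="${STATEDIR}/${SERVICEFILE}"` in the new SERVICEFILES loop joins `/var/mail-state` with an absolute path, so the persisted secret lands at `/var/mail-state//etc/postsrsd.secret` (double slash in the trace log and in the symlink target); `DEST="${STATEDIR}${SERVICEFILE}"` yields the intended `/var/mail-state/etc/postsrsd.secret`. That location also differs from the `/var/mail-state/etc-postsrsd/postsrsd.secret` used by the ONE_DIR branch removed in postfix.sh, so unless a migration exists outside this diff, an upgraded deployment with a secret persisted at the old path gets a fresh one generated and SRS addresses rewritten under the old secret presumably can no longer be reversed. When neither `${DEST}` nor the file exists the loop still runs `ln -s`, leaving a dangling link for `_setup_SRS` to write through — this looks intentional but deserves a comment such as `# The link may dangle here; _setup_SRS creates the target on first start`. The typo `assocaiated` is copied into the new comment above the first `ln -s`. `_setup_save_states` continues past the end of the hunk.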
@@ -151,13 +151,11 @@ function _setup_SRS
 )
 }
- local POSTSRSD_SECRET_FILE POSTSRSD_STATE_DIR POSTSRSD_STATE_SECRET_FILE
+ local POSTSRSD_SECRET_FILE
 sed -i "s/localdomain/${SRS_DOMAINNAME}/g" /etc/default/postsrsd
 POSTSRSD_SECRET_FILE='/etc/postsrsd.secret'
- POSTSRSD_STATE_DIR='/var/mail-state/etc-postsrsd'
- POSTSRSD_STATE_SECRET_FILE="${POSTSRSD_STATE_DIR}/postsrsd.secret"
 if [[ -n ${SRS_SECRET} ]]
 then
@@ -166,16 +164,7 @@ function _setup_SRS
 echo "${SRS_SECRET}" | tr ',' '\n' >"${POSTSRSD_SECRET_FILE}"
 )
 else
- if [[ ${ONE_DIR} -eq 1 ]]
- then
- if [[ ! -f ${POSTSRSD_STATE_SECRET_FILE} ]]
- then
- install -d -m 0775 "${POSTSRSD_STATE_DIR}"
- __generate_secret "${POSTSRSD_STATE_SECRET_FILE}"
- fi
-
- install -m 0400 "${POSTSRSD_STATE_SECRET_FILE}" "${POSTSRSD_SECRET_FILE}"
- elif [[ ! -f ${POSTSRSD_SECRET_FILE} ]]
+ if [[ ! -f ${POSTSRSD_SECRET_FILE} ]]
 then
 __generate_secret "${POSTSRSD_SECRET_FILE}"
 fi
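Review bot: Dropping the ONE_DIR branch in the second hunk also drops the only `install -m 0400` in `_setup_SRS`, so the mode of `/etc/postsrsd.secret` now depends entirely on what `__generate_secret` (not in this diff) produces and, in the `echo "${SRS_SECRET}" | tr ',' '\n' >"${POSTSRSD_SECRET_FILE}"` branch, on the process umask; I cannot confirm from here that either restricts the file to its owner. A single `chmod 0400 "${POSTSRSD_SECRET_FILE}"` after the `fi` that closes the if/else would restore the previous guarantee for both branches, and because `_setup_save_states` may have replaced that path with a symlink into /var/mail-state, chmod following the link is the desired behaviour. The function now relies on that symlink, or on the later move in `_setup_save_states`, for persistence without saying so; a comment such as `# Persistence is handled by _setup_save_states, which links this path into /var/mail-state` would save the next reader the search. `_setup_SRS` starts before the first hunk; the second hunk ends at the closing `fi` of this if/else.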