scripts: improve `CLAMAV_MESSAGE_SIZE_LIMIT` usage (#3332)

* add sanity check for Clam size & adjusted MaxScanSize

The second part is of special importance! See
<https://askubuntu.com/a/1448525>, which explains that the maximum scan
size is important as well. We previously just set the maximum file size,
which actually is pretty insecure as we silently not scan mile bigger
than `MaxScanSize`. This is corrected now.

* add SlamAV size configuration to Rspamd
This commit is contained in:
Georg Lauterbach 2023-05-12 16:04:41 +02:00 committed by GitHub
parent 3340b80972
commit 78b7f0cbea
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 33 additions and 2 deletions

View File

@ -10,4 +10,5 @@ ClamAV {
scan_mime_parts = false;
symbol = "CLAM_VIRUS";
log_clean = true;
max_size = 25000000;
}

View File

@ -186,8 +186,18 @@ function __setup__security__clamav
if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]
then
_log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"
sedfile -i \
"s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" \
# do a short sanity checks; ClamAV stops scanning at more that 4GB file size
if [[ $(numfmt --from=si "${CLAMAV_MESSAGE_SIZE_LIMIT}") -gt $(numfmt --from=si 4G) ]]
then
_log 'warn' "You set 'CLAMAV_MESSAGE_SIZE_LIMIT' to a value larger than 4 Gigabyte which ClamAV does not support - you should correct your configuration"
fi
sedfile -i -E \
"s|^(MaxFileSize).*|\1 ${CLAMAV_MESSAGE_SIZE_LIMIT}|" \
/etc/clamav/clamd.conf
sedfile -i -E \
"s|^(MaxScanSize).*|\1 ${CLAMAV_MESSAGE_SIZE_LIMIT}|" \
/etc/clamav/clamd.conf
fi
else

View File

@ -164,6 +164,14 @@ function __rspamd__setup_clamav
sedfile -i -E 's|^(enabled).*|\1 = true;|g' "${RSPAMD_LOCAL_D}/antivirus.conf"
# Rspamd uses ClamAV's UNIX socket, and to be able to read it, it must be in the same group
usermod -a -G clamav _rspamd
if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]
then
local SIZE_IN_BYTES
SIZE_IN_BYTES=$(numfmt --from=si "${CLAMAV_MESSAGE_SIZE_LIMIT}")
__rspamd__log 'trace' "Adjusting maximum size for ClamAV to ${SIZE_IN_BYTES} bytes (${CLAMAV_MESSAGE_SIZE_LIMIT})"
sedfile -i -E "s|(.*max_size =).*|\1 ${SIZE_IN_BYTES};|" "${RSPAMD_LOCAL_D}/antivirus.conf"
fi
else
__rspamd__log 'debug' 'Rspamd will not use ClamAV (which has not been enabled)'
fi

View File

@ -20,6 +20,7 @@ function setup_file() {
--env ENABLE_OPENDMARC=0
--env ENABLE_POLICYD_SPF=0
--env ENABLE_POSTGREY=0
--env CLAMAV_MESSAGE_SIZE_LIMIT=42M
--env PERMIT_DOCKER=host
--env LOG_LEVEL=trace
--env MOVE_SPAM_TO_JUNK=1
@ -78,6 +79,7 @@ function teardown_file() { _default_teardown ; }
run docker logs "${CONTAINER_NAME}"
assert_success
assert_line --partial 'Enabling ClamAV integration'
assert_line --partial 'Adjusting maximum size for ClamAV to 42000000 bytes (42M)'
assert_line --partial 'Setting up intelligent learning of spam and ham'
assert_line --partial 'Enabling greylisting'
assert_line --partial 'Hfilter (group) module is enabled'
@ -96,6 +98,11 @@ function teardown_file() { _default_teardown ; }
_service_log_should_contain_string 'rspamd' 'lua module metric_exporter is disabled in the configuration'
}
@test 'antivirus maximum size was adjusted' {
_run_in_container grep 'max_size = 42000000' /etc/rspamd/local.d/antivirus.conf
assert_success
}
@test 'normal mail passes fine' {
_service_log_should_contain_string 'rspamd' 'F \(no action\)'

View File

@ -57,6 +57,11 @@ function teardown_file() { _default_teardown ; }
assert_line --partial 'Disabling Hfilter (group) module'
}
@test 'antivirus maximum size was not adjusted unnecessarily' {
_run_in_container grep 'max_size = 25000000' /etc/rspamd/local.d/antivirus.conf
assert_success
}
@test 'learning is properly disabled' {
for FILE in learn-{ham,spam}.{sieve,svbin}
do