From a11951e39801dac78628a5ad15d2bc15d4f24e7e Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Tue, 28 Nov 2023 10:33:29 +0100
Subject: [PATCH] hotfix: solve #3665 (#3669)

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
---
 CHANGELOG.md                                       | 14 +++++++++++++-
 docs/content/config/environment.md                 |  4 ++++
 mailserver.env                                     |  2 ++
 target/rspamd/local.d/settings.conf                |  2 +-
 target/scripts/startup/setup.d/security/rspamd.sh  |  2 +-
 .../parallel/set1/spam_virus/rspamd_full.bats      |  2 +-
 6 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71c9de3f..a8544b80 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,18 @@ All notable changes to this project will be documented in this file. The format
 
 > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
 
+## [v13.0.1](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.0.1)
+
+This patch release fixes two bugs that Rspamd users encounter on `v13.0.0`. Big thanks to the those that helped to identify these issues!
+
+### Fixed
+
+- **Rspamd:**
+  - The check for correct permission on the private key when signing e-mails with DKIM was flawed. The result was that a false warning was emitted ([#3669](https://github.com/docker-mailserver/docker-mailserver/pull/3669))
+  - When [`RSPAMD_CHECK_AUTHENTICATED=0`][docs::env-rspamd-check-auth], DKIM signing for outbound e-mail was disabled, which is undesirable ([#3669](https://github.com/docker-mailserver/docker-mailserver/pull/3669)). **Make sure to check the documentation of [`RSPAMD_CHECK_AUTHENTICATED`][docs::env-rspamd-check-auth]**!
+
+[docs::env-rspamd-check-auth]: https://docker-mailserver.github.io/docker-mailserver/v13.0/config/environment/#rspamd_check_authenticated
+
 ## [v13.0.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.0.0)
 
 ### Breaking
@@ -78,7 +90,7 @@ All notable changes to this project will be documented in this file. The format
   - `logrotate` setup + Rspamd log path + tests log helper fallback path ([#3576](https://github.com/docker-mailserver/docker-mailserver/pull/3576))
   - Setup during container startup is now more resilient ([#3578](https://github.com/docker-mailserver/docker-mailserver/pull/3578))
   - Changed DKIM default config location ([#3597](https://github.com/docker-mailserver/docker-mailserver/pull/3597))
-  - Removed the symlink for the `override.d/` directory in favor of using `cp`, integrated into the changedetector service, , added a `--force` option for the Rspamd DKIM management, and provided a dedicated helper script for common ENV variables ([#3599](https://github.com/docker-mailserver/docker-mailserver/pull/3599))
+  - Removed the symlink for the `override.d/` directory in favor of using `cp`, integrated into the changedetector service, added a `--force` option for the Rspamd DKIM management, and provided a dedicated helper script for common ENV variables ([#3599](https://github.com/docker-mailserver/docker-mailserver/pull/3599))
   - Required permissions are now verified for DKIM private key files ([#3627](https://github.com/docker-mailserver/docker-mailserver/pull/3627))
 - **Documentation:**
   - Documentation aligned to Compose v2 conventions, `docker-compose` command changed to `docker compose`, `docker-compose.yaml` to `compose.yaml` ([#3295](https://github.com/docker-mailserver/docker-mailserver/pull/3295))
diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index 284549f1..b8e257cc 100644
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
@@ -366,6 +366,10 @@ The purpose of this setting is to opt-out of starting an internal Redis instance
 
 This settings controls whether checks should be performed on emails coming from authenticated users (i.e. most likely outgoing emails). The default value is `0` in order to align better with SpamAssassin. **We recommend** reading through [the Rspamd documentation on scanning outbound emails][rspamd-scanning-outbound] though to decide for yourself whether you need and want this feature.
 
+!!! note "Not all checks and actions are disabled"
+
+    DKIM signing of e-mails will still happen.
+
 - **0** => No checks will be performed for authenticated users
 - 1 => All default checks will be performed for authenticated users
 
diff --git a/mailserver.env b/mailserver.env
index 957a632e..68786224 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -153,6 +153,8 @@ RSPAMD_LEARN=0
 # is `0` in order to align better with SpamAssassin. We recommend reading
 # through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
 # decide for yourself whether you need and want this feature.
+#
+# Note that DKIM signing of e-mails will still happen.
 RSPAMD_CHECK_AUTHENTICATED=0
 
 # Controls whether the Rspamd Greylisting module is enabled.
diff --git a/target/rspamd/local.d/settings.conf b/target/rspamd/local.d/settings.conf
index 4f635e74..10c4de88 100644
--- a/target/rspamd/local.d/settings.conf
+++ b/target/rspamd/local.d/settings.conf
@@ -6,7 +6,7 @@ authenticated {
     priority = high;
     authenticated = yes;
     apply {
-        groups_enabled = [];
+        groups_enabled = [dkim];
     }
 }
 # DMS::SED_TAG::1::END
diff --git a/target/scripts/startup/setup.d/security/rspamd.sh b/target/scripts/startup/setup.d/security/rspamd.sh
index 239397e5..86786932 100644
--- a/target/scripts/startup/setup.d/security/rspamd.sh
+++ b/target/scripts/startup/setup.d/security/rspamd.sh
@@ -325,7 +325,7 @@ function __rspamd__check_dkim_permissions() {
       __rspamd__log 'trace' "Checking DKIM file '${FILE}'"
       # See https://serverfault.com/a/829314 for an explanation on `-exec false {} +`
       # We additionally resolve symbolic links to check the permissions of the actual files
-      if find "$(realpath -eL "${FILE}")" -user _rspamd -or -group _rspamd -or -perm -o=r -exec false {} +; then
+      if find "$(realpath -eL "${FILE}")" \( -user _rspamd -or -group _rspamd -or -perm -o=r \) -exec false {} +; then
         __rspamd__log 'warn' "Rspamd DKIM private key file '${FILE}' does not appear to have correct permissions/ownership for Rspamd to use it"
       else
         __rspamd__log 'trace' "DKIM file '${FILE}' permissions and ownership appear correct"
diff --git a/test/tests/parallel/set1/spam_virus/rspamd_full.bats b/test/tests/parallel/set1/spam_virus/rspamd_full.bats
index 09d42d46..ba8a23f5 100644
--- a/test/tests/parallel/set1/spam_virus/rspamd_full.bats
+++ b/test/tests/parallel/set1/spam_virus/rspamd_full.bats
@@ -307,5 +307,5 @@ function teardown_file() { _default_teardown ; }
   _run_in_container grep -E -A 6 'authenticated \{' "${MODULE_FILE}"
   assert_success
   assert_output --partial 'authenticated = yes;'
-  assert_output --partial 'groups_enabled = [];'
+  assert_output --partial 'groups_enabled = [dkim];'
 }