IMAPSieve - permission issues (learn from user)

I think it's something like that (but for me it still doesn't work):


Code:
#!/bin/bash
# Read the message from stdin and hand it to rspamc under sudo.
# A variable inside a single-quoted `sudo bash -c '...'` is never expanded, so pipe directly.
inputmail=$(/usr/bin/cat)
printf '%s\n' "${inputmail}" | sudo rspamc -h /var/run/rspamd/rspamd_controller.sock learn_spam
 
The error (the user for the .sh scripts and sieve scripts is mail:mail); do you mean sudo for the "mail" user?

Code:
2024-10-10 20:10:42 #1609377(controller) <e02481>; csession; rspamd_controller_check_password: allow unauthorized connection from a unix socket
 
Hello everyone,

I've been working on integrating Dovecot's learning feature with the Rspamd controller socket, and I ran into the common IO write error: Connection refused problem.

Like many others, I found a quick solution on forums that suggested changing the controller socket permissions to 0622.

The Quick Fix (But Insecure):

In /etc/rspamd/local.d/worker-controller.inc, set:

Ini, TOML

bind_socket = "/var/run/rspamd/rspamd_controller.sock mode=0622 owner=_rspamd";
While this does work, I realized it creates a significant security risk. I wanted to share a better, more secure method that follows the Principle of Least Privilege.

The Problem with 0622

The permission 0622 translates to rw--w--w-. The last w means the socket is world-writable.

This allows any user or process on the server to send commands to your Rspamd controller. For example, if a website on the server gets compromised (e.g., a vulnerable WordPress plugin), the attacker (running as user apache or the website owner) could:
  • Poison your filter: Teach Rspamd that their phishing emails are legitimate ("ham").
  • Cause a Denial of Service: Teach Rspamd that emails from Google or Microsoft are "spam," blocking legitimate mail for all your users.
It's like leaving the door to your mail server's control room unlocked.


The Secure Solution: Using Group Permissions

The correct way to solve this is to give access only to the process that needs it: Dovecot. We can do this by making the dovecot group the owner of the socket. This method is more secure and completely removes the need for sudo.

Here are the steps:

Step 1: Add the _rspamd User to the dovecot Group

The Rspamd process needs permission to assign the socket file to the dovecot group. We grant this by making the _rspamd user a member of that group.

Bash
usermod -a -G dovecot _rspamd
Step 2: Configure the Rspamd Controller with Group Permissions

Edit your /etc/rspamd/local.d/worker-controller.inc file. This configuration is secure and enables learning.

Ini, TOML
# /etc/rspamd/local.d/worker-controller.inc

# owner=_rspamd: The user who owns the socket.
# group=dovecot: The group who owns the socket.
# mode=0660: Allows read/write for the owner AND the group, but NO ONE else.
bind_socket = "/var/run/rspamd/rspamd_controller.sock owner=_rspamd group=dovecot mode=0660";

# Also, ensure learning is explicitly enabled.
allow_learn = true;
Step 3: Simplify Your Learning Script (No sudo needed!)

Since the Dovecot process (running as a user who is part of the dovecot group) now has direct permission to write to the socket, you can remove sudo from your learning script entirely. This is much cleaner and safer.

Your rspamd-learn.sh script can be as simple as this:

Bash
#!/bin/bash
# A simple, secure learning script without sudo

SOCKET_PATH="/var/run/rspamd/rspamd_controller.sock"
ACTION="$1"

if [ "$ACTION" = "spam" ]; then
    # Execute rspamc directly as the email user; -h connects to the controller unix socket
    cat | /usr/bin/rspamc -h "$SOCKET_PATH" learn_spam >/dev/null 2>&1
elif [ "$ACTION" = "ham" ]; then
    cat | /usr/bin/rspamc -h "$SOCKET_PATH" learn_ham >/dev/null 2>&1
fi
Step 4: Restart Rspamd

Finally, restart Rspamd for the new user group and configuration to take effect.

Bash
systemctl restart rspamd
Now, your setup is not only functional but also secure. The socket is only accessible by Rspamd and Dovecot, just as it should be.

Hope this helps others build a more secure and robust mail server!
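As an added example (not part of the thread and not the poster's own script), here is a POSIX sh version of the learning script that, before calling rspamc, checks the controller socket's mode and refuses to use it while it still grants write access to everyone, so a socket left at 0622 is caught rather than silently used. The function names, the SOCKET_PATH override, and the use of GNU stat -c '%a' to read the mode are assumptions made here.

```shell
#!/bin/sh
# Added example (not code from the thread): learn ham/spam via rspamc, but only
# after confirming the controller socket is not world-writable.
# Assumptions: rspamc is installed, GNU stat(1) is available, and the socket
# path matches the post's configuration; SOCKET_PATH may be overridden via env.

SOCKET_PATH="${SOCKET_PATH:-/var/run/rspamd/rspamd_controller.sock}"

# other_writable MODE: succeeds when the octal mode string (e.g. "0622" or
# "622") grants write access to "other", i.e. every local account can write.
other_writable() {
    mode=$1
    [ -n "$mode" ] || return 0          # unknown mode: assume the worst
    last=${mode#"${mode%?}"}            # last octal digit holds the "other" bits
    [ $(( $last & 2 )) -ne 0 ]          # bit 2 of that digit is the write bit
}

# perms_ok MODE: the post's recommended 0660 passes (owner and group only);
# 0622, 0666 and similar fail.
perms_ok() {
    ! other_writable "$1"
}

# socket_mode PATH: current octal mode of the socket, as GNU stat reports it.
socket_mode() {
    stat -c '%a' "$1"
}

# learn spam|ham: validate the action, check the socket, then feed the message
# on stdin to rspamc. Returns 2 on bad usage, 1 on a missing or unsafe socket,
# otherwise rspamc's own exit status.
learn() {
    action=$1
    case "$action" in
        spam|ham) ;;
        *) echo "usage: $0 spam|ham < message" >&2; return 2 ;;
    esac
    if [ ! -S "$SOCKET_PATH" ]; then
        echo "no controller socket at $SOCKET_PATH" >&2
        return 1
    fi
    mode=$(socket_mode "$SOCKET_PATH")
    if ! perms_ok "$mode"; then
        echo "refusing: $SOCKET_PATH has mode $mode (world-writable)" >&2
        return 1
    fi
    # -h selects the controller unix socket; rspamc reads the message from stdin
    /usr/bin/rspamc -h "$SOCKET_PATH" "learn_$action"
}

# Only act when invoked with an argument (the sieve pipe script passes "spam" or "ham")
if [ $# -gt 0 ]; then
    learn "$1"
fi
```

Wire it in exactly like the post's rspamd-learn.sh (the argument is "spam" or "ham", the message arrives on stdin). The permission check is cheap and turns a misconfigured socket into a loud failure in the Dovecot/sieve logs instead of a quietly shared control channel.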
 
Well. Better next time copy and paste it to Notepad or WordPad before pasting here. It's almost unreadable this way with all the HTML code.
To be fair, I know there's a bit of HTML that needs to be stripped there, but this post is a bit more useful than some other, let's say, "AI" posts we get 😁😉
 
A more readable version from the same user can be found here:

 