Rspamd / dovecot sieve permissions

jigster

Verified User
Joined
Jul 23, 2021
Messages
79
I've set up Rspamd with dovecot sieve to learn_spam/ham when a user moves an email to Junk or out of Junk. It's working (using the steps here with some modifications), but I've had to modify the ownership/permissions below. My question is whether this poses any security risks?

/usr/local/bin/dovecot-sieve/learn-spam.sh (and learn-ham.sh) looks like:
#!/bin/bash
inputmail=`/usr/bin/cat`
echo "${inputmail}" | rspamc -h /var/run/rspamd/rspamd_controller.sock learn_spam

When an email is moved and triggers the sieve action, /usr/local/bin/dovecot-sieve/learn-spam.sh (or learn-ham.sh) is run as user:mail and was failing with 'permission denied'. To fix this I changed:
chown mail. /usr/local/bin/dovecot-sieve/learn-{spam,ham}.sh;
chmod 750 /usr/local/bin/dovecot-sieve/learn-{spam,ham}.sh;

Then, the rspamc command in the script was failing with 'permission denied' because /etc/rspamd/local.d/worker-controller.inc sets 'bind_socket = "/var/run/rspamd/rspamd_controller.sock mode=0600 owner=_rspamd";' (and the rspamc command is being run as user:mail). To fix this I changed it to:
bind_socket = "/var/run/rspamd/rspamd_controller.sock mode=0622 owner=_rspamd";

I fear that changing the rspamd bind_socket permission allows unauthorised users too much access? Can anyone see any issues with the permission changes above, or have any better ideas to get this working without permissions changes? Thanks
 
Last edited:
Are your modification identical to those mentioned here in this topic:

Would be great to have this picture / integration complete for everybody else too. :)
 
Back
Top