
Optionally connect to rspamd with unix socket

Open melua opened this issue 4 years ago • 15 comments

Hello Gilles,

I usually use unix sockets to connect to local services and I would like to do the same with rspamd. However, I cannot use your filter this way.

Indeed, filter-rspamd -url unix:///run/rspamd/normal.sock doesn't work, even with appropriate permissions, so I guess unix sockets are not supported, or my syntax is incorrect?

Kévin.

melua avatar Mar 05 '20 09:03 melua

Hi,

Unix sockets are not supported but let me check what I can do ;-)

poolpOrg avatar Mar 31 '20 08:03 poolpOrg

Yes please :+1: :smile:

shaohme avatar Sep 01 '22 19:09 shaohme

@shaohme In case that could work for you, both open PRs solve this, with https://github.com/poolpOrg/filter-rspamd/pull/39 being the recommended one I think.

ArchangeGabriel avatar Oct 01 '22 19:10 ArchangeGabriel

Sure, but I would like to add some socket cleanup at exit if you don't mind. #40

shaohme avatar Oct 02 '22 10:10 shaohme

I’m not sure this is the role of the opensmtpd filter to remove the socket. That should be handled by rspamd instead, no?

ArchangeGabriel avatar Oct 02 '22 10:10 ArchangeGabriel

> I’m not sure this is the role of the opensmtpd filter to remove the socket. That should be handled by rspamd instead, no?

Sorry, never mind. I found a different solution for my problem. I'll accept #39. Early morning I guess... ;-)

shaohme avatar Oct 02 '22 11:10 shaohme

When building and installing the new version, and configuring rspamd worker-normal to listen on sockets instead, smtpd crashes the moment an incoming MTA delivers an email.

worker-normal.inc

bind_socket = "/var/run/rspamd/worker-normal.sock mode=0660 owner=_smtpd";

smtpd -dv output:

2ada0b92f64d4f82 smtp connected address=... host=...
debug: dispatcher: rsae_priv_enc
2ada0b92f64d4f82 smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
debug: smtp: SIZE in MAIL FROM command
debug: aliases_get: returned 1 aliases
smtp: 0x746d32cc000: fd 26 from queue
smtp: 0x746d32cc000: message fd 26
smtp: 0x746d32cc000: fd 27 from lka
smtp: 0x746d32cc000: filter fd 27
smtp: 0x746d32cc000: message begin
warn: lost processor: rspamd exited abnormally
debug: clearing p=ca, fd=5, pid=77913
debug: ca -> parent: pipe closed
debug: clearing p=dispatcher, fd=8, pid=29379
debug: ca agent exiting
debug: clearing p=control, fd=6, pid=35022
debug: dispatcher -> parent: pipe closed
debug: dispatcher agent exiting
debug: clearing p=lka, fd=7, pid=62131
debug: lka -> dispatcher: pipe closed
debug: queue -> dispatcher: pipe closed
debug: lookup agent exiting
debug: clearing p=scheduler, fd=10, pid=82027
debug: queue agent exiting
debug: clearing p=queue, fd=9, pid=95218
debug: scheduler -> queue: pipe closed
debug: scheduler agent exiting
debug: control -> crypto: pipe closed
debug: control agent exiting
Exiting

'rspamd' is the filter name in smtpd.conf

shaohme avatar Oct 03 '22 09:10 shaohme

Care to show the smtpd.conf config?

poolpOrg avatar Oct 03 '22 09:10 poolpOrg

I can share parts of it

...
filter "rspamd" proc-exec "filter-rspamd -url /var/run/rspamd/worker-normal.sock"
...
listen on all port smtp tls pki "default" filter { "rspamd", "rdns", "sshguard" }
...

shaohme avatar Oct 03 '22 10:10 shaohme

Also found this in OpenBSD dmesg

filter-rspamd[40711]: pledge "unix", syscall 97
filter-rspamd[11387]: pledge "unix", syscall 97
filter-rspamd[88775]: pledge "unix", syscall 97

shaohme avatar Oct 03 '22 11:10 shaohme

There you go, it's pledge missing "unix" which causes the process to be aborted on OpenBSD when accessing the unix socket. I've committed a fix, care to try again?

poolpOrg avatar Oct 03 '22 12:10 poolpOrg

Sure.

No crash, and no new pledge errors in dmesg, but another new error.

ceae8789cf0797ac smtp connected address=... host=...
debug: dispatcher: rsae_priv_enc
ceae8789cf0797ac smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
debug: smtp: SIZE in MAIL FROM command
debug: aliases_get: returned 1 aliases
smtp: 0x2c0235d6000: fd 26 from queue
smtp: 0x2c0235d6000: message fd 26
smtp: 0x2c0235d6000: fd 27 from lka
smtp: 0x2c0235d6000: filter fd 27
smtp: 0x2c0235d6000: message begin
rspamd: failed to receive a response from daemon
ceae8789cf0797ac smtp failed-command command="DATA" result="421 server internal error"
ceae8789cf0797ac smtp disconnected reason=quit

Can't seem to find any other relevant errors in logs yet.

shaohme avatar Oct 03 '22 13:10 shaohme

I'll investigate the error further. It seems I consistently get error:

rspamd: failed to receive a response from daemon. err: 'Post "http://localhost/checkv2": dial unix /var/run/rspamd/worker-normal.sock: connect: no such file or directory'

I have written code that extends the logging and checks the socket's existence during main(), which doesn't fail yet.

Perhaps filter-rspamd or parts of it are chrooted in /var/spool/smtpd or elsewhere and cannot see the socket when invoking rspamd?

shaohme avatar Oct 16 '22 15:10 shaohme
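
The request shape in the error above (an HTTP POST to a placeholder host, dialed over a unix socket) can be reproduced with Go's standard library. This is an added example, not code from filter-rspamd or from the thread; `scan`, `demo`, the stub reply and the temporary socket are constructed for illustration, and on OpenBSD the calling process would also need the "unix" pledge promise mentioned earlier in the thread.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"strings"
)

// scan posts msg to /checkv2 over the unix socket at path; the URL host is only a placeholder.
func scan(path, msg string) (string, error) {
	if fi, err := os.Stat(path); err == nil && fi.Mode().Perm()&0o002 != 0 {
		return "", fmt.Errorf("%s is world-writable", path) // defeats mode=0660
	}
	tr := &http.Transport{DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
		return (&net.Dialer{}).DialContext(ctx, "unix", path) // network and address from the URL are ignored
	}, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr}).Post("http://localhost/checkv2", "text/plain", strings.NewReader(msg))
	if err != nil {
		return "", err // a socket this process cannot see fails here with "dial unix ..."
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// demo serves a constructed reply (a stand-in for rspamd) on a 0660 socket and scans a constructed message.
func demo() (string, error) {
	dir, err := os.MkdirTemp("", "rs")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	ln, err := net.Listen("unix", dir+"/worker-normal.sock")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	os.Chmod(dir+"/worker-normal.sock", 0o660)
	go http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, `{"action":"no action"}`)
	}))
	return scan(dir+"/worker-normal.sock", "Subject: test\r\n\r\nhello\r\n")
}

func main() { fmt.Println(demo()) }
```
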

I have worked a bit more on the plugin and managed to get it working with altered pledges #43

Please review and comment, and hopefully accept :-)

shaohme avatar Nov 06 '22 12:11 shaohme

I have been running an email instance with the #43 patch applied without failure so far.

Just bumping this for attention 😀

shaohme avatar Nov 27 '22 07:11 shaohme

Hey Gilles, your email guide for OpenBSD is a fantastic read. :) Thank you for putting your thoughts out there and helping many people understand all of those little steps and tweaks they need to set up a great self-hosted email server, and for writing software that moves them toward that goal.

I'm wondering how much benefit you can see in making small adjustments to your filter so it plays nicely with Unix sockets. With those adjustments, it allows Rspamd to operate with some enhanced security, because it allows Rspamd to listen only on Unix sockets. Without any adjustments, Rspamd currently has to be run on localhost due to that 421 server internal error, and some people may see that as more insecure because any user on the system is allowed to connect to Rspamd.

Unfortunately, I'm unfamiliar with Go in particular, so my personal contribution to your project here could only ever be limited. I could tell you that reviewing #43 and implementing a similar change could be quite helpful for the reasons above, but I know that doing things right sometimes takes a little time.

Have a wonderful New Year. :)

maybebyte avatar Dec 31 '22 21:12 maybebyte

The pull request from @shaohme was merged today, thanks and sorry for the delay.

poolpOrg avatar Jan 02 '23 21:01 poolpOrg