mirror of
https://blitiri.com.ar/repos/chasquid
synced 2025-12-19 14:57:04 +00:00
a1ca50ab57
The example post-data hook was missing a quote around a sub-shell execution. This is harmless because the content itself is admin-provided and not related to user input, but this commit fixes the quote for defense in depth and consistency.
94 lines
2.5 KiB
Bash
Executable File
94 lines
2.5 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# This file is an example post-data hook that will run standard filtering
|
|
# utilities if they are available.
|
|
#
|
|
# - greylist (from greylistd) to do greylisting.
|
|
# - spamc (from Spamassassin) to filter spam.
|
|
# - rspamc (from rspamd) to filter spam.
|
|
# - clamdscan (from ClamAV) to filter virus.
|
|
# - dkimsign (from driusan/dkim) to do DKIM signing.
|
|
#
|
|
# If it exits with code 20, it will be considered a permanent error.
|
|
# Otherwise, temporary.
|
|
|
|
set -e
|
|
|
|
|
|
# Note greylistd needs you to add the user to the "greylist" group:
|
|
# usermod -a -G greylist mail
|
|
if [ "$AUTH_AS" == "" ] && [ "$SPF_PASS" == "0" ] && \
|
|
command -v greylist >/dev/null && \
|
|
groups | grep -q greylist;
|
|
then
|
|
REMOTE_IP=$(echo "$REMOTE_ADDR" | rev | cut -d : -f 2- | rev)
|
|
if ! greylist update "$REMOTE_IP" "$MAIL_FROM" 1>&2; then
|
|
echo "greylisted, please try again"
|
|
exit 75 # temporary error
|
|
fi
|
|
echo "X-Greylist: pass"
|
|
fi
|
|
|
|
|
|
TF="$(mktemp --tmpdir post-data-XXXXXXXXXX)"
|
|
trap 'rm "$TF"' EXIT
|
|
|
|
# Save the message to the temporary file, so we can pass it on to the various
|
|
# filters.
|
|
cat > "$TF"
|
|
|
|
|
|
if command -v spamc >/dev/null; then
|
|
if ! SL=$(spamc -c - < "$TF") ; then
|
|
echo "spam detected"
|
|
exit 20 # permanent
|
|
fi
|
|
echo "X-Spam-Score: $SL"
|
|
fi
|
|
|
|
|
|
if command -v rspamc >/dev/null; then
|
|
ACTION=$( rspamc < "$TF" 2>/dev/null | grep Action: | cut -d " " -f 2- )
|
|
case "$ACTION" in
|
|
greylist)
|
|
echo "greylisted, please try again"
|
|
exit 75 # temporary error
|
|
;;
|
|
reject)
|
|
echo "spam detected"
|
|
exit 20 # permanent error
|
|
;;
|
|
esac
|
|
echo "X-Spam-Action:" "$ACTION"
|
|
fi
|
|
|
|
|
|
if command -v clamdscan >/dev/null; then
|
|
if ! clamdscan --no-summary --infected - < "$TF" 1>&2 ; then
|
|
echo "virus detected"
|
|
exit 20 # permanent
|
|
fi
|
|
echo "X-Virus-Scanned: pass"
|
|
fi
|
|
|
|
# DKIM sign with https://github.com/driusan/dkim.
|
|
#
|
|
# Do it only if all the following are true:
|
|
# - User has authenticated.
|
|
# - dkimsign binary exists.
|
|
# - domains/$DOMAIN/dkim_selector file exists.
|
|
# - certs/$DOMAIN/dkim_privkey.pem file exists.
|
|
#
|
|
# Note this has not been thoroughly tested, so might need further adjustments.
|
|
if [ "$AUTH_AS" != "" ] && command -v dkimsign; then
|
|
DOMAIN=$( echo "$MAIL_FROM" | cut -d '@' -f 2 )
|
|
if [ -f "domains/$DOMAIN/dkim_selector" ] \
|
|
&& [ -f "certs/$DOMAIN/dkim_privkey.pem" ]; then
|
|
dkimsign -n -hd \
|
|
-key "certs/$DOMAIN/dkim_privkey.pem" \
|
|
-s "$(cat "domains/$DOMAIN/dkim_selector")" \
|
|
-d "$DOMAIN" \
|
|
< "$TF"
|
|
fi
|
|
fi
|