I have a bunch of DKIM signing keys in /etc/pki/dkim. Can rspamd still read those after those changes take effect?

They need to be readable by the rspamd user. Maybe this should be mentioned in the changelog.

They need to be readable by the rspamd user.

Is that a new requirement created by this PR? I was under the impression that it needs to be this way since, like, forever.

ProtectSystem=strict mounts / as ro, so reading something in /etc should work as before.

That sounds good. In that case, I am basically in favor of this change. I do think it's necessary to do a good deal of testing before it's merged, though, because the consequences of accidentally breaking the mail system are really bad.

They need to be readable by the rspamd user.

Is that a new requirement created by this PR? I was under the impression that it needs to be this way since, like, forever.

I have not tested but I saw that this pr changes from letting the service them-self dropping privileges to starting as a user in the first place. Some services take the opportunity to read secret files before dropping privileges. If that is not the case ignore my comment.

Regarding testing, I suggest to add those hardening options to https://github.com/rspamd/rspamd/blob/master/rspamd.service as well and let the rspamd maintainers have a look at it in a pr. We don't need to wait from them to merge it, but they usually have better ideas about the internals. We did something similar for netdata: netdata/netdata#9234
If they merge it we can take it from there and they hopefully update & maintain it according to the privileges rspamd needs.

Cosmetics fixed. I will create an upstream PR for the hardening options.

Some services take the opportunity to read secret files before dropping privileges.

From my experience this was a common pattern in software developed back in the 90s-2000s which start as root and then drop privileges, so a very relevant comment 👍

@tnias remind if in a few days. If upstream does not want to review it, we just go ahead.

Someone also tested this on archlinux according to the thread.
@dasJ did you had another rspamd instance to test this on?

@Mic92 I didn't really look over this PR, but my setup runs pretty well with #87661 and these additional overrides:

{
      serviceConfig = {
        ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} -c /etc/rspamd/rspamd.conf -f";
        Restart = "always";

        User = "rspamd";
        Group = "rspamd";

        StateDirectory = "rspamd";
        RuntimeDirectory = "rspamd";

        MemoryDenyWriteExecute = false;
        SystemCallFilter = "@basic-io @file-system @network-io @system-service"; # @system-service is **probably** enough
        PrivateNetwork = false;
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
      };
}

@Mic92 I didn't really look over this PR, but my setup runs pretty well with #87661 and these additional overrides:

{
      serviceConfig = {
        ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} -c /etc/rspamd/rspamd.conf -f";
        Restart = "always";

        User = "rspamd";
        Group = "rspamd";

        StateDirectory = "rspamd";
        RuntimeDirectory = "rspamd";

        MemoryDenyWriteExecute = false;
        SystemCallFilter = "@basic-io @file-system @network-io @system-service"; # @system-service is **probably** enough

@System-service includes the other 3.

    PrivateNetwork = false;
    RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
  };

}

@GrahamcOfBorg test rspamd

The postfixIntegration test broke with this PR.

@tnias are you still interested in fixing postfix integration?

@Mic92 I have not yet found a way I really like. I think in my current setup the socket is accessible to world, but that is not really an elegant solution.

If anyone has ideas or a patches I'd be happy to see and integrate those. Or if anyone wants to take over I would be good with that, too. :)

@Mic92 I have not yet found a way I really like. I think in my current setup the socket is accessible to world, but that is not really an elegant solution.

If anyone has ideas or a patches I'd be happy to see and integrate those. Or if anyone wants to take over I would be good with that, too. :)

acl might be able to solve this, but this might not work on all filesystems, we support.

As the upstream seems unwilling to move forward, what needs to be resolved to merger this downstream?

@mweinelt postfix integration needs to be fixed #93293 (comment)

I fixed postfix integration.

Some of the other nixos tests are still broken.

All tests are fixed now.

Thx 😍

Simple nixos mailserver tests still pass.

For some reason I cannot merge this

For some reason I cannot merge this

Usually a reload helps. It happens when someone else has merged something just before you and github has not yet checked if the code can be merged.