From 44eb50368159e02bfb58cd42982a944491b1aa2f Mon Sep 17 00:00:00 2001
From: georglauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Mon, 27 Nov 2023 20:48:00 +0100
Subject: [PATCH 1/4] fix #3665

---
 CHANGELOG.md                                      | 10 +++++++++-
 docs/content/config/environment.md                |  2 ++
 mailserver.env                                    |  2 ++
 target/rspamd/local.d/settings.conf               |  2 +-
 target/scripts/startup/setup.d/security/rspamd.sh |  2 +-
 5 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71c9de3f44f..5373c9f09d5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,14 @@ All notable changes to this project will be documented in this file. The format
 
 > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
 
+## [v13.0.1](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.0.1)
+
+### Fixed
+
+- This patch release fixes two bugs that Rspamd users encounter on `v13.0.0` - Big thanks to the those that helped to identify these issues!
+  1. The check for correct permission on the private key when signing e-mails with DKIM was flawed. The result was that a false warning was emitted.
+  2. When `RSPAMD_CHECK_AUTHENTICATED=0`, DKIM signing for outbound e-mail was disabled, which is undesirable.
+
 ## [v13.0.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.0.0)
 
 ### Breaking
@@ -78,7 +86,7 @@ All notable changes to this project will be documented in this file. The format
   - `logrotate` setup + Rspamd log path + tests log helper fallback path ([#3576](https://github.com/docker-mailserver/docker-mailserver/pull/3576))
   - Setup during container startup is now more resilient ([#3578](https://github.com/docker-mailserver/docker-mailserver/pull/3578))
   - Changed DKIM default config location ([#3597](https://github.com/docker-mailserver/docker-mailserver/pull/3597))
-  - Removed the symlink for the `override.d/` directory in favor of using `cp`, integrated into the changedetector service, , added a `--force` option for the Rspamd DKIM management, and provided a dedicated helper script for common ENV variables ([#3599](https://github.com/docker-mailserver/docker-mailserver/pull/3599))
+  - Removed the symlink for the `override.d/` directory in favor of using `cp`, integrated into the changedetector service, added a `--force` option for the Rspamd DKIM management, and provided a dedicated helper script for common ENV variables ([#3599](https://github.com/docker-mailserver/docker-mailserver/pull/3599))
   - Required permissions are now verified for DKIM private key files ([#3627](https://github.com/docker-mailserver/docker-mailserver/pull/3627))
 - **Documentation:**
   - Documentation aligned to Compose v2 conventions, `docker-compose` command changed to `docker compose`, `docker-compose.yaml` to `compose.yaml` ([#3295](https://github.com/docker-mailserver/docker-mailserver/pull/3295))
diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index 284549f13b7..291cb55390a 100644
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
@@ -366,6 +366,8 @@ The purpose of this setting is to opt-out of starting an internal Redis instance
 
 This settings controls whether checks should be performed on emails coming from authenticated users (i.e. most likely outgoing emails). The default value is `0` in order to align better with SpamAssassin. **We recommend** reading through [the Rspamd documentation on scanning outbound emails][rspamd-scanning-outbound] though to decide for yourself whether you need and want this feature.
 
+Note that not all groups are disabled: DKIM signing of e-mails will still happen.
+
 - **0** => No checks will be performed for authenticated users
 - 1 => All default checks will be performed for authenticated users
 
diff --git a/mailserver.env b/mailserver.env
index 957a632e128..631d1e777ca 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -153,6 +153,8 @@ RSPAMD_LEARN=0
 # is `0` in order to align better with SpamAssassin. We recommend reading
 # through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
 # decide for yourself whether you need and want this feature.
+#
+# Note that not all groups are disabled: DKIM signing of e-mails will still happen.
 RSPAMD_CHECK_AUTHENTICATED=0
 
 # Controls whether the Rspamd Greylisting module is enabled.
diff --git a/target/rspamd/local.d/settings.conf b/target/rspamd/local.d/settings.conf
index 4f635e749cd..10c4de88d03 100644
--- a/target/rspamd/local.d/settings.conf
+++ b/target/rspamd/local.d/settings.conf
@@ -6,7 +6,7 @@ authenticated {
     priority = high;
     authenticated = yes;
     apply {
-        groups_enabled = [];
+        groups_enabled = [dkim];
     }
 }
 # DMS::SED_TAG::1::END
diff --git a/target/scripts/startup/setup.d/security/rspamd.sh b/target/scripts/startup/setup.d/security/rspamd.sh
index 239397e5925..86786932393 100644
--- a/target/scripts/startup/setup.d/security/rspamd.sh
+++ b/target/scripts/startup/setup.d/security/rspamd.sh
@@ -325,7 +325,7 @@ function __rspamd__check_dkim_permissions() {
       __rspamd__log 'trace' "Checking DKIM file '${FILE}'"
       # See https://serverfault.com/a/829314 for an explanation on `-exec false {} +`
       # We additionally resolve symbolic links to check the permissions of the actual files
-      if find "$(realpath -eL "${FILE}")" -user _rspamd -or -group _rspamd -or -perm -o=r -exec false {} +; then
+      if find "$(realpath -eL "${FILE}")" \( -user _rspamd -or -group _rspamd -or -perm -o=r \) -exec false {} +; then
         __rspamd__log 'warn' "Rspamd DKIM private key file '${FILE}' does not appear to have correct permissions/ownership for Rspamd to use it"
       else
         __rspamd__log 'trace' "DKIM file '${FILE}' permissions and ownership appear correct"

From 09fbd61c6befff631c304956f8ddcd3ff4df12f8 Mon Sep 17 00:00:00 2001
From: georglauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Mon, 27 Nov 2023 22:20:20 +0100
Subject: [PATCH 2/4] adjust tests

---
 test/tests/parallel/set1/spam_virus/rspamd_full.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/tests/parallel/set1/spam_virus/rspamd_full.bats b/test/tests/parallel/set1/spam_virus/rspamd_full.bats
index 09d42d46ed1..ba8a23f59c8 100644
--- a/test/tests/parallel/set1/spam_virus/rspamd_full.bats
+++ b/test/tests/parallel/set1/spam_virus/rspamd_full.bats
@@ -307,5 +307,5 @@ function teardown_file() { _default_teardown ; }
   _run_in_container grep -E -A 6 'authenticated \{' "${MODULE_FILE}"
   assert_success
   assert_output --partial 'authenticated = yes;'
-  assert_output --partial 'groups_enabled = [];'
+  assert_output --partial 'groups_enabled = [dkim];'
 }

From f331456e81df951bb59feeef564b6a93b861561d Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Mon, 27 Nov 2023 23:50:29 +0100
Subject: [PATCH 3/4] Apply suggestions from code review

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
---
 CHANGELOG.md                       | 10 +++++++---
 docs/content/config/environment.md |  4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5373c9f09d5..1d929268a36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,11 +8,15 @@ All notable changes to this project will be documented in this file. The format
 
 ## [v13.0.1](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.0.1)
 
+This patch release fixes two bugs that Rspamd users encounter on `v13.0.0`. Big thanks to the those that helped to identify these issues!
+
 ### Fixed
 
-- This patch release fixes two bugs that Rspamd users encounter on `v13.0.0` - Big thanks to the those that helped to identify these issues!
-  1. The check for correct permission on the private key when signing e-mails with DKIM was flawed. The result was that a false warning was emitted.
-  2. When `RSPAMD_CHECK_AUTHENTICATED=0`, DKIM signing for outbound e-mail was disabled, which is undesirable.
+- **Rspamd:**
+  - The check for correct permission on the private key when signing e-mails with DKIM was flawed. The result was that a false warning was emitted ([#3669](https://github.com/docker-mailserver/docker-mailserver/pull/3669))
+  - When [`RSPAMD_CHECK_AUTHENTICATED=0`][docs::env-rspamd-check-auth], DKIM signing for outbound e-mail was disabled, which is undesirable ([#3669](https://github.com/docker-mailserver/docker-mailserver/pull/3669))
+
+[docs::env-rspamd-check-auth]: https://docker-mailserver.github.io/docker-mailserver/v13.0/config/environment/#rspamd_check_authenticated
 
 ## [v13.0.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.0.0)
 
diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index 291cb55390a..8ca31b813bd 100644
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
@@ -366,7 +366,9 @@ The purpose of this setting is to opt-out of starting an internal Redis instance
 
 This settings controls whether checks should be performed on emails coming from authenticated users (i.e. most likely outgoing emails). The default value is `0` in order to align better with SpamAssassin. **We recommend** reading through [the Rspamd documentation on scanning outbound emails][rspamd-scanning-outbound] though to decide for yourself whether you need and want this feature.
 
-Note that not all groups are disabled: DKIM signing of e-mails will still happen.
+!!! note "Not all groups are disabled"
+
+    DKIM signing of e-mails will still happen.
 
 - **0** => No checks will be performed for authenticated users
 - 1 => All default checks will be performed for authenticated users

From bc59f51b695f4532bf3232629f02f6989b668172 Mon Sep 17 00:00:00 2001
From: georglauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Mon, 27 Nov 2023 23:58:52 +0100
Subject: [PATCH 4/4] improve wording

---
 CHANGELOG.md                       | 2 +-
 docs/content/config/environment.md | 2 +-
 mailserver.env                     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1d929268a36..a8544b808be 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,7 +14,7 @@ This patch release fixes two bugs that Rspamd users encounter on `v13.0.0`. Big
 
 - **Rspamd:**
   - The check for correct permission on the private key when signing e-mails with DKIM was flawed. The result was that a false warning was emitted ([#3669](https://github.com/docker-mailserver/docker-mailserver/pull/3669))
-  - When [`RSPAMD_CHECK_AUTHENTICATED=0`][docs::env-rspamd-check-auth], DKIM signing for outbound e-mail was disabled, which is undesirable ([#3669](https://github.com/docker-mailserver/docker-mailserver/pull/3669))
+  - When [`RSPAMD_CHECK_AUTHENTICATED=0`][docs::env-rspamd-check-auth], DKIM signing for outbound e-mail was disabled, which is undesirable ([#3669](https://github.com/docker-mailserver/docker-mailserver/pull/3669)). **Make sure to check the documentation of [`RSPAMD_CHECK_AUTHENTICATED`][docs::env-rspamd-check-auth]**!
 
 [docs::env-rspamd-check-auth]: https://docker-mailserver.github.io/docker-mailserver/v13.0/config/environment/#rspamd_check_authenticated
 
diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index 8ca31b813bd..b8e257cca33 100644
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
@@ -366,7 +366,7 @@ The purpose of this setting is to opt-out of starting an internal Redis instance
 
 This settings controls whether checks should be performed on emails coming from authenticated users (i.e. most likely outgoing emails). The default value is `0` in order to align better with SpamAssassin. **We recommend** reading through [the Rspamd documentation on scanning outbound emails][rspamd-scanning-outbound] though to decide for yourself whether you need and want this feature.
 
-!!! note "Not all groups are disabled"
+!!! note "Not all checks and actions are disabled"
 
     DKIM signing of e-mails will still happen.
 
diff --git a/mailserver.env b/mailserver.env
index 631d1e777ca..6878622499a 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -154,7 +154,7 @@ RSPAMD_LEARN=0
 # through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
 # decide for yourself whether you need and want this feature.
 #
-# Note that not all groups are disabled: DKIM signing of e-mails will still happen.
+# Note that DKIM signing of e-mails will still happen.
 RSPAMD_CHECK_AUTHENTICATED=0
 
 # Controls whether the Rspamd Greylisting module is enabled.