From ed33cb5f57d24f1c46ba4f43039a702961b6ddfb Mon Sep 17 00:00:00 2001
From: andryyy
Date: Fri, 21 Jul 2017 11:03:35 +0200
Subject: [PATCH] [Rspamd] ARC: Disallow login/domain mismatch
---
 data/Dockerfiles/acme/docker-entrypoint.sh | 6 +++---
 data/conf/rspamd/local.d/arc.conf | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index f20da206..616a6b81 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -147,14 +147,14 @@ while true; do
 exit 0
 fi
- ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${MAILCOW_HOSTNAME} | tr ' ' '\n' | sort | uniq -u ))
+ ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${ALL_VALIDATED[*]} | tr ' ' '\n' | sort | uniq -u ))
 if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then
 DATE=$(date +%Y-%m-%d_%H_%M_%S)
 echo "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..."
 mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/
 [[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/
- mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/
- mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/
+ [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/
+ [[ -f ${ACME_BASE}/acme/cert.pem ]] && mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/
 cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records
 fi
diff --git a/data/conf/rspamd/local.d/arc.conf b/data/conf/rspamd/local.d/arc.conf
index 578056f9..e8d95871 100644
--- a/data/conf/rspamd/local.d/arc.conf
+++ b/data/conf/rspamd/local.d/arc.conf
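Review bot: The new `[[ -f … ]] &&` guards on the fullchain.pem and cert.pem moves leave the following `cp ${ACME_BASE}/acme/private/privkey.pem …` unguarded, so a missing private key still makes that step fail (or abort the loop if the script runs under `set -e`) while the two lines just above it now skip silently; either guard it the same way, `[[ -f ${ACME_BASE}/acme/private/privkey.pem ]] && cp …`, or make the failure explicit, since the trailing comment says the key is deliberately kept for TLSA 3 1 1 records. Also, `ALL_VALIDATED` replaces the three separate arrays in the `uniq -u` pipeline but is assigned outside this hunk; if it is empty or unset at this point, every current SAN is reported as orphaned and the rotation into `${DATE}.bak/` runs on each pass, so a non-empty check before the `ORPHANED_SAN=` line would be a cheap safeguard. The unquoted `${ACME_BASE}` expansions are pre-existing style but worth quoting in the lines this commit touches. The enclosing `while true; do` loop starts and ends outside the hunk.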
@@ -5,7 +5,7 @@ allow_hdrfrom_mismatch = false;
 # If true, multiple from headers are allowed (but only first is used)
 allow_hdrfrom_multiple = true;
 # If true, username does not need to contain matching domain
-allow_username_mismatch = true;
+allow_username_mismatch = false;
 # If false, messages from authenticated users are not selected for signing
 auth_only = true;
 # Default path to key, can include '$domain' and '$selector' variables
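Review bot: The comment above `allow_username_mismatch = false;` still describes only the `true` case, so the newly chosen value reads as unexplained in the file; extending it to `# If true, username does not need to contain matching domain; with false, mail from a login whose domain does not match is not ARC-sealed` records the consequence operators will actually observe, assuming that is how rspamd handles the mismatch — worth confirming against the module documentation before committing to that wording. A one-line rationale in the commit body (the title only names the change) would likewise help whoever later finds unsigned mail from a mismatched login and wonders whether it is intentional.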