Overriding rspamd forbidden_file_extension.map doesn't work as documented

[pcelati]

Environment & Version

The host is Ubuntu 22.04

Environment

• docker compose
• kubernetes
• docker swarm

Version

• Version: 2.0

Description

My forbidden_file_extension.map placed in overrides/rspamd/ is ignored and the default file is used instead.

Replication Steps

With a Mailu 2.0 instance, follow the instructions for changing allowed attachments. Change overrides/rspamd/forbidden_file_extension.map and add/remove some lines, then run docker compose restart antispam. Re-run the docker compose exec antispam cat /etc/rspamd/local.d/forbidden_file_extension.map command to see the file used by rspamd.

Observed behaviour

I get the output of core/rspamd/conf/forbidden_file_extension.map from the Mailu distribution. Indeed, attachments allowed are still in line with this file, rather than the new changed file.

Expected behaviour

I'd expect the modified forbidden_file_extension.map in the overrides/rspamd directory is taken into account. For instance, if I remove js from the list, I should be able to send an attachment with the js extension.

My diagnosis

The overridden file is available at /overrides/forbidden_file_extension.map in the antispam container, as expected. However, core/rspamd/start.py adds forbidden_file_extension.map to the config_files variable so the override file at /overrides/forbidden_file_extension.map is ignored and not copied over. The start script runs Jinja on /conf/forbidden_file_extension.map but since there's no directives it's just copied verbatim to /etc/rspamd/local.d/. This default file is what rspamd reads. The multimap.conf file references the map file, but that has no directive for overriding the path of the map file so overriding multimap.conf doesn't help.

Possible solution

To get the expected behaviour (my override file is copied to /etc/rspamd/local.d/ instead of the default file), I suspect the start script needs to be altered. I'm unsure how this was intended to be done originally, but I'd probably modify the start script so an administrator can specify whether certain override configuration files should be copied despite being on the config_files list. A pleasant way to still keep Jinja flexibility is for the copied override configuration files to be processed as templates too. For instance I could copy the multimap.conf template to a file in the overrides directory, change it and let the start script process the new template. This is nicely used in Kolla Ansible for instance. If it's something relatively straightforward like this I'd be happy to make a PR for it, but might take some time since it's my first issue/PR.

[Diman0]

This is indeed a defect. Those instructions will not work. You are correct that original configuration files are not overridden. This is by design. They should not be overwritten. For all *.conf files the rspamd native import mechanism is used.

forbidden_file_extension.map is an exception to the rule that this file must have the possibility to be overridden.
It is sufficient to create an exception for this map in start.py file that it can be overridden.

I will create a fix for this.