filter container (Rspamd) fails to sign DKIM due to read_only: true and volume permission conflicts #641

@TrezorHannes


Describe the bug
The filter container (Rspamd) fails to sign outgoing emails with DKIM. This is caused by two overlapping issues in the default deployment configuration:

  1. The filter service is set to read_only: true, which prevents Rspamd from writing essential internal files (stats, tokens, and PID files) to /var/lib/rspamd.
  2. The named volume data-filter is created with root ownership on the host, but the container runs as a non-root user (UID 11333), leading to "Permission Denied" errors when accessing DKIM keys or writing stats.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy docker-mailserver using the provided deploy/compose YAML files.
  2. Generate a DKIM key via the Management UI.
  3. Send an authenticated outgoing email.
  4. Observe the filter logs: cfg; rspamd_controller_store_saved_stats: cannot open for writing... Permission denied.
  5. Check email headers: DKIM-Signature is missing or validation fails.

Expected behavior
Rspamd should have sufficient write permissions to its data directory to initialize the signing module and successfully attach a DKIM signature to outgoing mail from authorized users.

Screenshots
N/A (Logs provided in additional context).

Docker environment:

  • Output of docker ps -a: (Filter service shows "Up" but Rspamd process inside is often crashed or partially initialized).
  • Output of docker info:
Client: Docker Engine - Community
 Version:    29.1.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.30.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v5.0.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 18
  Running: 16
  Paused: 0
  Stopped: 2
 Images: 37
 Server Version: 29.1.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: dea7da592f5d1d2b7755e3a161be07f43fad8f75
 runc version: v1.3.4-0-gd6d73eb8
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-164-generic
 Operating System: Ubuntu 22.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.751GiB
 Name: vmd95810.contaboserver.net
 ID: PIJD:H4JC:CYIC:ZGRX:YIJE:I662:34GY:QQLR:QOMR:S6OG:HA5N:W6SU
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
 Firewall Backend: iptables
  • Output of docker-compose version:
docker-compose version 1.29.2, build unknown
docker-py version: 5.0.3
CPython version: 3.10.12
OpenSSL version: OpenSSL 3.0.2 15 Mar 2022

Additional context
Logs from the filter container:
filter-1 | 2026-01-01 15:49:04 #19(controller) <muk8in>; cfg; rspamd_controller_store_saved_stats: cannot open for writing controller stats from /var/lib/rspamd/stats.ucl.XXHASII3: Permission denied

Fixes applied:

  1. Changed read_only: true to false in deploy/compose/filter.yaml.
  2. Adjusted host-side volume permissions to 11333:11333.

With this change, the DKIM setting was finally signed.
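A preflight check for the ownership mismatch reported above, run on the host against the data directory of the data-filter volume before the filter service starts. This is an added example, not code from the issue or from the project; the helper name `dir_writable_by` is hypothetical, GNU `stat` is assumed, and the UID/GID 11333 comes from the report.

```shell
#!/bin/sh
# Added example (not from the issue or the project).
# Assumptions: GNU stat; only owner/group/other mode bits are evaluated
# (no ACLs, supplementary groups, capabilities or read-only mounts).

# dir_writable_by DIR UID GID   (hypothetical helper name)
# Returns 0 if that UID/GID may create files in DIR, 1 if not,
# 2 if DIR is missing or cannot be inspected.
dir_writable_by() {
    dir=$1 want_uid=$2 want_gid=$3
    [ -d "$dir" ] || return 2
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    own_uid=$1 own_gid=$2
    # Normalise the octal mode to 4 digits, then drop the
    # setuid/setgid/sticky digit.
    mode=$(printf '%04o' "0$3")
    perm=${mode#?}
    if [ "$want_uid" = "$own_uid" ]; then
        bits=${perm%??}                 # owner digit
    elif [ "$want_gid" = "$own_gid" ]; then
        bits=${perm#?}; bits=${bits%?}  # group digit
    else
        bits=${perm#??}                 # other digit
    fi
    # Creating a file in a directory needs write (2) and search (1).
    [ $(( $bits & 3 )) -eq 3 ]
}

# Stand-alone use: sh check.sh /path/to/volume/_data 11333 11333
if [ "$#" -eq 3 ]; then
    if dir_writable_by "$@"; then
        echo "writable by $2:$3"
    else
        echo "NOT writable by $2:$3 (fix ownership before starting the service)"
    fi
fi
```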
