diff --git a/.github/workflows/generic_build.yml b/.github/workflows/generic_build.yml index 30d8df46..e27693b1 100644 --- a/.github/workflows/generic_build.yml +++ b/.github/workflows/generic_build.yml @@ -71,16 +71,16 @@ jobs: cache-buildx- - name: 'Set up QEMU' - uses: docker/setup-qemu-action@v3.4.0 + uses: docker/setup-qemu-action@v3.6.0 with: platforms: arm64 - name: 'Set up Docker Buildx' - uses: docker/setup-buildx-action@v3.9.0 + uses: docker/setup-buildx-action@v3.10.0 # NOTE: AMD64 can build within 2 minutes - name: 'Build images' - uses: docker/build-push-action@v6.13.0 + uses: docker/build-push-action@v6.15.0 with: context: . # Build at least the AMD64 image (which runs against the test suite). diff --git a/.github/workflows/generic_publish.yml b/.github/workflows/generic_publish.yml index 72228d51..bf21e8f8 100644 --- a/.github/workflows/generic_publish.yml +++ b/.github/workflows/generic_publish.yml @@ -23,7 +23,7 @@ jobs: - name: 'Prepare tags' id: prep - uses: docker/metadata-action@v5.6.1 + uses: docker/metadata-action@v5.7.0 with: images: | ${{ secrets.DOCKER_REPOSITORY }} @@ -35,12 +35,12 @@ jobs: type=semver,pattern={{major}}.{{minor}}.{{patch}} - name: 'Set up QEMU' - uses: docker/setup-qemu-action@v3.4.0 + uses: docker/setup-qemu-action@v3.6.0 with: platforms: arm64 - name: 'Set up Docker Buildx' - uses: docker/setup-buildx-action@v3.9.0 + uses: docker/setup-buildx-action@v3.10.0 # Try get the cached build layers from a prior `generic_build.yml` job. # NOTE: Until adopting `type=gha` scoped cache exporter (in `docker/build-push-action`), @@ -67,7 +67,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: 'Build and publish images' - uses: docker/build-push-action@v6.13.0 + uses: docker/build-push-action@v6.15.0 with: context: . build-args: | diff --git a/.github/workflows/generic_test.yml b/.github/workflows/generic_test.yml index 1303c8ad..b487925b 100644 --- a/.github/workflows/generic_test.yml +++ b/.github/workflows/generic_test.yml 
@@ -38,12 +38,12 @@ jobs: # Ensures consistent BuildKit version (not coupled to Docker Engine), # and increased compatibility of the build cache vs mixing buildx drivers. - name: 'Set up Docker Buildx' - uses: docker/setup-buildx-action@v3.9.0 + uses: docker/setup-buildx-action@v3.10.0 # Importing from the cache should create the image within approx 30 seconds: # NOTE: `qemu` step is not needed as we only test for AMD64. - name: 'Build AMD64 image from cache' - uses: docker/build-push-action@v6.13.0 + uses: docker/build-push-action@v6.15.0 with: context: . tags: mailserver-testing:ci diff --git a/.github/workflows/generic_vulnerability-scan.yml b/.github/workflows/generic_vulnerability-scan.yml index 511ade7a..c55eb6c2 100644 --- a/.github/workflows/generic_vulnerability-scan.yml +++ b/.github/workflows/generic_vulnerability-scan.yml @@ -37,12 +37,12 @@ jobs: # Ensures consistent BuildKit version (not coupled to Docker Engine), # and increased compatibility of the build cache vs mixing buildx drivers. - name: 'Set up Docker Buildx' - uses: docker/setup-buildx-action@v3.9.0 + uses: docker/setup-buildx-action@v3.10.0 # Importing from the cache should create the image within approx 30 seconds: # NOTE: `qemu` step is not needed as we only test for AMD64. - name: 'Build AMD64 image from cache' - uses: docker/build-push-action@v6.13.0 + uses: docker/build-push-action@v6.15.0 with: context: . tags: mailserver-testing:ci diff --git a/CHANGELOG.md b/CHANGELOG.md index 2bf8fa2a..1133bdda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,10 +2,29 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v14.0.0...HEAD) +## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v15.0.0...HEAD) > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes. +### Added + +- **Internal:** + - Added the Smallstep `step` CLI command for future internal usage ([#4376](https://github.com/docker-mailserver/docker-mailserver/pull/4376)) + +### Fixes + +- **Postfix:** + - `setup email restrict` generated configs now only prepend to `dms_smtpd_sender_restrictions` ([#4379](https://github.com/docker-mailserver/docker-mailserver/pull/4379)) +- **Internal:** + - A permissions fix for `/var/log/mail` that was [added in DMS v15]((https://github.com/docker-mailserver/docker-mailserver/pull/4374)) no longer encounters an error when no log files are present during a container restart, such as with a `tmpfs` volume mount ([#4391](https://github.com/docker-mailserver/docker-mailserver/pull/4391)) + +### Updates + +- **Internal:** + - Minor improvements to `_install_utils()` in `packages.sh` ([#4376](https://github.com/docker-mailserver/docker-mailserver/pull/4376)) + +## [v15.0.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v15.0.0) + ### Breaking - **saslauthd** mechanism support via ENV `SASLAUTHD_MECHANISMS` with `pam`, `shadow`, `mysql` values has been removed. Only `ldap` and `rimap` remain supported ([#4259](https://github.com/docker-mailserver/docker-mailserver/pull/4259)) 
@@ -17,6 +36,7 @@ All notable changes to this project will be documented in this file. The format - This has been corrected to `/var/lib/getmail` (_if you have mounted a DMS State Volume to `/var/mail-state`, `/var/lib/getmail` will be symlinked to `/var/mail-state/lib-getmail`_). - To preserve this state when upgrading to DMS v15, **you must manually migrate `getmail/` from the _DMS Config Volume_ to `lib-getmail/` in the _DMS State Volume_.** - `setup email delete ` now requires explicit confirmation if the mailbox data should be deleted ([#4365](https://github.com/docker-mailserver/docker-mailserver/pull/4365)). +- **Rspamd:** Removed deprecated file path check (_DMS config volume: `./rspamd-modules.conf` => `./rspamd/custom-commands.conf`_) ([#4373](https://github.com/docker-mailserver/docker-mailserver/pull/4373)) ### Added @@ -26,7 +46,7 @@ All notable changes to this project will be documented in this file. The format ### Updates -**Internal:** +- **Internal:** - **Removed `VERSION` file** from the repo. Releases of DMS prior to v13 (Nov 2023) would check this to detect new releases ([#3677](https://github.com/docker-mailserver/docker-mailserver/issues/3677), [#4321](https://github.com/docker-mailserver/docker-mailserver/pull/4321)) - During image build, ensure a secure connection when downloading the `fail2ban` package ([#4080](https://github.com/docker-mailserver/docker-mailserver/pull/4080)) - Refactored `setup config dkim` (`open-dkim`) ([#4375](https://github.com/docker-mailserver/docker-mailserver/pull/4375)) 
@@ -60,7 +80,7 @@ All notable changes to this project will be documented in this file. The format - The main `mail.log` (_which is piped to stdout via `tail`_) now correctly begins from the first log line of the active container run. Previously some daemon logs and potential warnings/errors were omitted ([#4146](https://github.com/docker-mailserver/docker-mailserver/pull/4146)) - `start-mailserver.sh` removed unused `shopt -s inherit_errexit` ([#4161](https://github.com/docker-mailserver/docker-mailserver/pull/4161)) - Fixed a regression introduced in DMS v14 where `postfix-main.cf` appended `stderr` output into `/etc/postfix/main.cf`, causing Postfix startup to fail ([#4147](https://github.com/docker-mailserver/docker-mailserver/pull/4147)) - - Fixed a regression introduced in DMS v14 to better support running `start-mailserver.sh` with container restarts, which now only skip calling `_setup()` ([#4323](https://github.com/docker-mailserver/docker-mailserver/pull/4323#issuecomment-2629559254)) + - Fixed a regression introduced in DMS v14 to better support running `start-mailserver.sh` with container restarts, which now only skip calling `_setup()` ([#4323](https://github.com/docker-mailserver/docker-mailserver/pull/4323#issuecomment-2629559254), [#4374](https://github.com/docker-mailserver/docker-mailserver/pull/4374)) - The command `swaks --help` is now functional ([#4282](https://github.com/docker-mailserver/docker-mailserver/pull/4282)) - **Rspamd:** - DKIM private key path checking is now performed only on paths that do not contain `$` ([#4201](https://github.com/docker-mailserver/docker-mailserver/pull/4201)) diff --git a/demo-setups/fetchmail-compose.yaml b/demo-setups/fetchmail-compose.yaml index d8632228..f6e1ddb9 100644 --- a/demo-setups/fetchmail-compose.yaml +++ b/demo-setups/fetchmail-compose.yaml 
@@ -1,10 +1,10 @@ -# Docs: https://docker-mailserver.github.io/docker-mailserver/v14.0/config/advanced/mail-fetchmail +# Docs: https://docker-mailserver.github.io/docker-mailserver/v15.0/config/advanced/mail-fetchmail # Additional context, with CLI commands for verification: # https://github.com/orgs/docker-mailserver/discussions/3994#discussioncomment-9290570 services: dms-fetch: - image: ghcr.io/docker-mailserver/docker-mailserver:latest # :14.0 + image: ghcr.io/docker-mailserver/docker-mailserver:latest # :15.0 hostname: mail.example.test environment: ENABLE_FETCHMAIL: 1 @@ -26,7 +26,7 @@ services: target: /tmp/docker-mailserver/fetchmail.cf dms-remote: - image: ghcr.io/docker-mailserver/docker-mailserver:latest # :14.0 + image: ghcr.io/docker-mailserver/docker-mailserver:latest # :15.0 hostname: mail.remote.test environment: # Allows for us send a test mail easily by trusting any mail client run within this container (`swaks`): diff --git a/demo-setups/relay-compose.yaml b/demo-setups/relay-compose.yaml index cb4f0846..7bbc9f21 100644 --- a/demo-setups/relay-compose.yaml +++ b/demo-setups/relay-compose.yaml @@ -1,11 +1,11 @@ -# Docs: https://docker-mailserver.github.io/docker-mailserver/v14.0/config/advanced/mail-forwarding/relay-hosts/ +# Docs: https://docker-mailserver.github.io/docker-mailserver/v15.0/config/advanced/mail-forwarding/relay-hosts/ # Additional context, with CLI commands for verification: # https://github.com/docker-mailserver/docker-mailserver/issues/4136#issuecomment-2253693490 services: # This would represent your actual DMS container: dms-sender: - image: mailserver/docker-mailserver:latest # :14.0 + image: mailserver/docker-mailserver:latest # :15.0 hostname: mail.example.test environment: # All outbound mail will be relayed through this host 
@@ -37,7 +37,7 @@ services: # Pretend this is your third-party relay service: dms-relay: - image: mailserver/docker-mailserver:latest # :14.0 + image: mailserver/docker-mailserver:latest # :15.0 hostname: smtp.relay-service.test environment: # WORKAROUND: Bypass security checks from the mail-client (dms-sender container) @@ -58,7 +58,7 @@ services: # Pretend this is another mail server that your target recipient belongs to (like Gmail): dms-destination: - image: mailserver/docker-mailserver:latest # :14.0 + image: mailserver/docker-mailserver:latest # :15.0 hostname: mail.destination.test # WORKAROUND: dms-relay must be able to resolve DNS for `@destination.test` to the IP of this container: # Normally a MX record would direct mail to the MTA (eg: `mail.destination.test`) diff --git a/docs/content/config/advanced/mail-forwarding/relay-hosts.md b/docs/content/config/advanced/mail-forwarding/relay-hosts.md index 7ef8238c..3d13e93b 100644 --- a/docs/content/config/advanced/mail-forwarding/relay-hosts.md +++ b/docs/content/config/advanced/mail-forwarding/relay-hosts.md @@ -151,6 +151,6 @@ We provide this support via two config files: [wikipedia::smarthost]: https://en.wikipedia.org/wiki/Smart_host [docs::env-relay]: ../../environment.md#relay-host -[dms-repo::helpers-relay]: https://github.com/docker-mailserver/docker-mailserver/blob/v14.0.0/target/scripts/helpers/relay.sh +[dms-repo::helpers-relay]: https://github.com/docker-mailserver/docker-mailserver/blob/v15.0.0/target/scripts/helpers/relay.sh [dms-gh::pr-3607]: https://github.com/docker-mailserver/docker-mailserver/issues/3607 [dms-gh::relay-example]: https://github.com/docker-mailserver/docker-mailserver/issues/3842#issuecomment-1913380639 diff --git a/docs/content/config/security/fail2ban.md b/docs/content/config/security/fail2ban.md index 08852274..8efb2fca 100644 --- a/docs/content/config/security/fail2ban.md +++ b/docs/content/config/security/fail2ban.md 
@@ -14,18 +14,48 @@ hide: ## Configuration -!!! warning +Enabling Fail2Ban support can be done via ENV, but also requires granting at least the `NET_ADMIN` capability to interact with the kernel and ban IP addresses. - DMS must be launched with the `NET_ADMIN` capability in order to be able to install the NFTables rules that actually ban IP addresses. Thus, either include `--cap-add=NET_ADMIN` in the `docker run` command, or the equivalent in the `compose.yaml`: +!!! example - ```yaml - cap_add: - - NET_ADMIN - ``` + === "Docker Compose" + + ```yaml title="compose.yaml" + services: + mailserver: + environment: + - ENABLE_FAIL2BAN=1 + cap_add: + - NET_ADMIN + ``` + + === "Docker CLI" + + ```bash + docker run --rm -it \ + --cap-add=NET_ADMIN \ + --env ENABLE_FAIL2BAN=1 + ``` + +!!! warning "Security risk of adding non-default capabilties" + + DMS bundles F2B into the image for convenience to simplify integration and deployment. + + The [`NET_ADMIN`][security::cap-net-admin] and [`NET_RAW`][security::cap-net-raw] capabilities are not granted by default to the container root user, as they can be used to compromise security. + + If this risk concerns you, it may be wiser to instead prefer only granting these capabilities to a dedicated Fail2Ban container ([example][lsio:f2b-image]). !!! bug "Running Fail2Ban on Older Kernels" - DMS configures F2B to use NFTables, not IPTables (legacy). We have observed that older systems, for example NAS systems, do not support the modern NFTables rules. You will need to configure F2B to use legacy IPTables again, for example with the [``fail2ban-jail.cf``][github-file-f2bjail], see the [section on configuration further down below](#custom-files). + DMS configures F2B to use [NFTables][network::nftables], not [IPTables (legacy)][network::iptables-legacy]. + + We have observed that older systems (for example NAS systems), do not support the modern NFTables rules. 
You will need to configure F2B to use legacy IPTables again, for example with the [`fail2ban-jail.cf`][github-file-f2bjail], see the [section on configuration further down below](#custom-files). + +[security::cap-net-admin]: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap_net_admin +[security::cap-net-raw]: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap_net_raw +[lsio:f2b-image]: https://docs.linuxserver.io/images/docker-fail2ban +[network::nftables]: https://en.wikipedia.org/wiki/Nftables +[network::iptables-legacy]: https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables#two_variants_of_the_iptables_command ### DMS Defaults diff --git a/docs/content/config/security/rspamd.md b/docs/content/config/security/rspamd.md index 45f94c65..7492e285 100644 --- a/docs/content/config/security/rspamd.md +++ b/docs/content/config/security/rspamd.md @@ -139,7 +139,7 @@ To use the web interface you will need to configure a password, [otherwise you w --- - **Related:** A minimal Rspamd `compose.yaml` [example with a reverse-proxy for web access][gh-dms:guide::rspamd-web]. + **Related:** A minimal Rspamd `compose.yaml` [example with a reverse-proxy for web access][gh-dms::guide::rspamd-web]. ### DNS 
@@ -353,8 +353,8 @@ While _Abusix_ can be integrated into Postfix, Postscreen and a multitude of oth [abusix-docs::rspamd-integration]: https://abusix.com/docs/rspamd/ [spamhaus::faq::dnsbl-usage]: https://www.spamhaus.org/faq/section/DNSBL%20Usage#365 -[dms-repo::rspamd-actions-config]: https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd/local.d/actions.conf -[dms-repo::default-rspamd-configuration]: https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd +[dms-repo::rspamd-actions-config]: https://github.com/docker-mailserver/docker-mailserver/tree/v15.0.0/target/rspamd/local.d/actions.conf +[dms-repo::default-rspamd-configuration]: https://github.com/docker-mailserver/docker-mailserver/tree/v15.0.0/target/rspamd [gh-dms::guide::valkey]: https://github.com/docker-mailserver/docker-mailserver/issues/4001#issuecomment-2652596692 [gh-dms::guide::rspamd-web]: https://github.com/orgs/docker-mailserver/discussions/4269#discussioncomment-11329588 diff --git a/docs/content/examples/tutorials/dovecot-solr.md b/docs/content/examples/tutorials/dovecot-solr.md index be4c91f6..13a9f0e7 100644 --- a/docs/content/examples/tutorials/dovecot-solr.md +++ b/docs/content/examples/tutorials/dovecot-solr.md 
@@ -24,39 +24,41 @@ As the official DMS image does not provide `dovecot-solr`, you'll need to includ !!! quote "" === "`user-patches.sh`" - + If you'd prefer to avoid a custom image build. This approach is simpler but with the caveat that any time the container is restarted, you'll have a delay as the package is installed each time. - + ```bash #!/bin/bash - + apt-get update && apt-get install dovecot-solr ``` - + === "`compose.yaml`" - + A custom DMS image does not add much friction. You do not need a separate `Dockerfile` as Docker Compose supports building from an inline `Dockerfile` in your `compose.yaml`. - + The `image` key of the service is swapped for the `build` key instead, as shown below: - + ```yaml services: mailserver: hostname: mail.example.com # The `image` setting now represents the tag for the local build configured below: - image: local/dms:14.0 + image: local/dms:${DMS_TAG?Must set DMS image tag} # Local build (no need to try pull `image` remotely): pull_policy: build # Add this `build` section to your real `compose.yaml` for your DMS service: build: dockerfile_inline: | - FROM docker.io/mailserver/docker-mailserver:14.0 + FROM docker.io/mailserver/docker-mailserver:${DMS_TAG?Must set DMS image tag} RUN apt-get update && apt-get install dovecot-solr ``` - - - Just run `docker compose up` and it will pull DMS and build your custom image to run a container. - - Updating to a new DMS release is straight-forward, just adjust the version tag as you normally would. If you make future changes that don't apply, you may need to force a rebuild. - - This approach only needs to install the package once with the image build itself. This minimizes delay of container startup. + + This approach only needs to install the package once with the image build itself which minimizes the delay of container startup. + + - Just run `DMS_TAG='14.0' docker compose up` and it will pull the DMS image, then build your custom DMS image to run a new container instance. 
+ - Updating to a new DMS release is straight-forward, just adjust the `DMS_TAG` ENV value or change the image tag directly in `compose.yaml` as you normally would to upgrade an image. + - If you make future changes to the `dockerfile_inline` that don't seem to be applied, you may need to force a rebuild with `DMS_TAG='14.0' docker compose up --build`. !!! note "Why doesn't DMS include `dovecot-solr`?" diff --git a/mailserver.env b/mailserver.env index 141b607a..8cb1cae2 100644 --- a/mailserver.env +++ b/mailserver.env @@ -508,7 +508,7 @@ DOVECOT_MAILBOX_FORMAT=maildir # empty => no # yes => Allow bind authentication for LDAP -# https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds +# https://doc.dovecot.org/2.4.0/core/config/auth/databases/ldap.html#authentication-bind DOVECOT_AUTH_BIND= # ----------------------------------------------- diff --git a/target/postfix/main.cf b/target/postfix/main.cf index d501eec0..518e2dc5 100644 --- a/target/postfix/main.cf +++ b/target/postfix/main.cf @@ -68,9 +68,10 @@ smtpd_forbid_bare_newline = yes # smtpd_forbid_bare_newline_exclusions = $mynetworks # Custom defined parameters for DMS: -# reject_unknown_sender_domain: https://github.com/docker-mailserver/docker-mailserver/issues/3716#issuecomment-1868033234 +# Custom sender restrictions overview: https://github.com/docker-mailserver/docker-mailserver/pull/4379#issuecomment-2670365917 +# `reject_unknown_sender_domain`: https://github.com/docker-mailserver/docker-mailserver/issues/3716#issuecomment-1868033234 dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain -# Submission ports 587 and 465 support for SPOOF_PROTECTION=1 +# `SPOOF_PROTECTION=1` support requires prepending `reject_authenticated_sender_login_mismatch` mua_sender_restrictions = reject_authenticated_sender_login_mismatch, $dms_smtpd_sender_restrictions # Postscreen settings to drop zombies/open relays/spam early 
diff --git a/target/scripts/build/packages.sh b/target/scripts/build/packages.sh
index bcfdcbcb..cfd510de 100644
--- a/target/scripts/build/packages.sh
+++ b/target/scripts/build/packages.sh
@@ -36,20 +36,46 @@ function _pre_installation_steps() {
 apt-get "${QUIET}" install --no-install-recommends "${EARLY_PACKAGES[@]}" 2>/dev/null
 }
 
+# Install third-party commands to /usr/local/bin
 function _install_utils() {
+ local ARCH_A
+ ARCH_A=$(uname --machine)
+ # Alternate naming convention support: x86_64 (amd64) / aarch64 (arm64)
+ # https://en.wikipedia.org/wiki/X86-64#Industry_naming_conventions
+ local ARCH_B
+ case "${ARCH_A}" in
+ ( 'x86_64' ) ARCH_B='amd64' ;;
+ ( 'aarch64' ) ARCH_B='arm64' ;;
+ ( * )
+ _log 'error' "Unsupported arch: '${ARCH_A}'"
+ return 1
+ ;;
+ esac
+
+ # TIP: `*.tar.gz` releases tend to forget to reset UID/GID ownership when archiving.
+ # When extracting with `tar` as `root` the archived UID/GID is kept, unless using `--no-same-owner`.
+ # Likewise when the binary is in a nested location the full archived path
+ # must be provided + `--strip-components` to extract the file to the target directory.
+ # Doing this avoids the need for (`mv` + `rm`) or (`--to-stdout` + `chmod +x`)
 _log 'debug' 'Installing utils sourced from Github'
+
 _log 'trace' 'Installing jaq'
 local JAQ_TAG='v2.1.0'
- curl -sSfL "https://github.com/01mf02/jaq/releases/download/${JAQ_TAG}/jaq-$(uname -m)-unknown-linux-gnu" -o /usr/bin/jaq
- chmod +x /usr/bin/jaq
+ curl -sSfL "https://github.com/01mf02/jaq/releases/download/${JAQ_TAG}/jaq-$(uname -m)-unknown-linux-gnu" -o /usr/local/bin/jaq
+ chmod +x /usr/local/bin/jaq
+
+ _log 'trace' 'Installing step'
+ local STEP_RELEASE='0.28.2'
+ curl -sSfL "https://github.com/smallstep/cli/releases/download/v${STEP_RELEASE}/step_linux_${STEP_RELEASE}_${ARCH_B}.tar.gz" \
+ | tar -xz --directory /usr/local/bin --no-same-owner --strip-components=2 "step_${STEP_RELEASE}/bin/step"
 
 _log 'trace' 'Installing swaks'
+ # `perl-doc` is required for `swaks --help` to work:
 apt-get "${QUIET}" install --no-install-recommends perl-doc
 local SWAKS_VERSION='20240103.0'
 local SWAKS_RELEASE="swaks-${SWAKS_VERSION}"
- curl -sSfL "https://github.com/jetmore/swaks/releases/download/v${SWAKS_VERSION}/${SWAKS_RELEASE}.tar.gz" | tar -xz
- mv "${SWAKS_RELEASE}/swaks" /usr/local/bin
- rm -r "${SWAKS_RELEASE}"
+ curl -sSfL "https://github.com/jetmore/swaks/releases/download/v${SWAKS_VERSION}/${SWAKS_RELEASE}.tar.gz" \
+ | tar -xz --directory /usr/local/bin --no-same-owner --strip-components=1 "${SWAKS_RELEASE}/swaks"
 }
 
 function _install_postfix() {
diff --git a/target/scripts/helpers/rspamd.sh b/target/scripts/helpers/rspamd.sh
index 1d3e1417..1de0fb6a 100644
--- a/target/scripts/helpers/rspamd.sh
+++ b/target/scripts/helpers/rspamd.sh
@@ -111,14 +111,6 @@ function _rspamd_handle_user_modules_adjustments() {
 fi
 }
 
- # We check for usage of the previous location of the commands file.
- # TODO This can be removed after the release of v14.0.0.
- local RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD="${RSPAMD_DMS_D}-modules.conf"
- readonly RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD
- if [[ -f ${RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD} ]]; then
- _dms_panic__general "Old custom command file location '${RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD}' is deprecated (use '${RSPAMD_DMS_CUSTOM_COMMANDS_F}' now)" 'Rspamd setup'
- fi
-
 if [[ -f "${RSPAMD_DMS_CUSTOM_COMMANDS_F}" ]]; then
 __rspamd__log 'debug' "Found file '${RSPAMD_DMS_CUSTOM_COMMANDS_F}' - parsing and applying it"
 
diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh
index b0fc0bd5..a6295ed8 100755
--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@@ -43,7 +43,6 @@ function _register_functions() {
 
 # ? >> Setup
 _register_setup_function '_setup_vmail_id'
- _register_setup_function '_setup_logs_general'
 _register_setup_function '_setup_timezone'
 
 if [[ ${SMTP_ONLY} -ne 1 ]]; then
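Review bot: The `step` install added to `_install_utils` pins a version but not the artifact: the tarball is streamed from GitHub straight into `tar` with no digest check, so a replaced release asset or a compromised upstream account would land in the image unnoticed (the relocated `jaq` and `swaks` downloads have the same gap, which this hunk does not introduce). `ARCH_B` is already chosen in the `case`, so a per-architecture SHA-256 can be pinned there and verified before extraction; Smallstep appears to publish a checksums file per release, but a digest committed to this repository is the stronger pin, since a checksum fetched from the same origin only catches a corrupted transfer. A smaller style point: the `jaq` URL still calls `$(uname -m)` although `ARCH_A` now holds that value. The rewritten `step` section would look like the following, with the placeholder digests taken from the release being pinned.
```shell
  local ARCH_B STEP_SHA256
  case "${ARCH_A}" in
    ( 'x86_64'  ) ARCH_B='amd64' ; STEP_SHA256='<sha256 of step_linux_<STEP_RELEASE>_amd64.tar.gz>' ;;
    ( 'aarch64' ) ARCH_B='arm64' ; STEP_SHA256='<sha256 of step_linux_<STEP_RELEASE>_arm64.tar.gz>' ;;
    # … unchanged: unsupported-arch error branch …
  esac
  # … unchanged: jaq install …

  _log 'trace' 'Installing step'
  local STEP_RELEASE='0.28.2'
  local STEP_ARCHIVE
  STEP_ARCHIVE=$(mktemp)
  curl -sSfL "https://github.com/smallstep/cli/releases/download/v${STEP_RELEASE}/step_linux_${STEP_RELEASE}_${ARCH_B}.tar.gz" -o "${STEP_ARCHIVE}"
  # Refuse to extract anything that does not match the digest pinned above (update both when bumping STEP_RELEASE)
  echo "${STEP_SHA256}  ${STEP_ARCHIVE}" | sha256sum --check --status \
    || { _log 'error' "Checksum mismatch for step ${STEP_RELEASE} (${ARCH_B})"; rm -f "${STEP_ARCHIVE}"; return 1; }
  tar -xz --file "${STEP_ARCHIVE}" --directory /usr/local/bin --no-same-owner --strip-components=2 "step_${STEP_RELEASE}/bin/step"
  rm -f "${STEP_ARCHIVE}"
```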
@@ -182,6 +181,9 @@ if [[ -f /CONTAINER_START ]]; then
 # We cannot skip all setup routines because some need to run _after_
 # the initial setup (and hence, they cannot be moved to the check stack).
 _setup_directory_and_file_permissions
+
+ # shellcheck source=./startup/setup.d/mail_state.sh
+ source /usr/local/bin/setup.d/mail_state.sh
 _setup_adjust_state_permissions
 else
 _setup
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
index 789dc0c7..9a99398a 100644
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@@ -82,6 +82,8 @@ function _setup_timezone() {
 fi
 }
 
+# Misc checks and fixes migrated here until next refactor:
+# NOTE: `start-mailserver.sh` runs this along with `mail-state.sh` during container restarts
 function _setup_directory_and_file_permissions() {
 _log 'trace' 'Removing leftover PID files from a stop/start'
 find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
@@ -101,6 +103,8 @@ function _setup_directory_and_file_permissions() {
 _log 'debug' "Ensuring '${RSPAMD_DMS_DKIM_D}' is owned by '_rspamd:_rspamd'"
 chown -R _rspamd:_rspamd "${RSPAMD_DMS_DKIM_D}"
 fi
+
+ __log_fixes
 }
 
 function _setup_run_user_patches() {
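Review bot: The new header comment on `_setup_directory_and_file_permissions` points a reader at a file that does not exist under that name: the restart branch in `start-mailserver.sh` sources `setup.d/mail_state.sh` (underscore) and then calls `_setup_adjust_state_permissions`, so `mail-state.sh` will not be found by anyone who goes looking for it. Suggest naming what actually runs: `# NOTE: on container restarts, start-mailserver.sh runs this and then _setup_adjust_state_permissions (sourced from setup.d/mail_state.sh)`. `_setup_directory_and_file_permissions` continues beyond this hunk.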
@@ -113,3 +117,32 @@ function _setup_run_user_patches() {
 _log 'trace' "No optional '${USER_PATCHES}' provided"
 fi
 }
+
+function __log_fixes() {
+ _log 'debug' 'Ensuring /var/log/mail owneership + permissions are correct'
+
+ # File/folder permissions are fine when using docker volumes, but may be wrong
+ # when file system folders are mounted into the container.
+ # Set the expected values and create missing folders/files just in case.
+ mkdir -p /var/log/{mail,supervisor}
+
+ # TODO: Remove these lines in a future release once concerns are resolved:
+ # https://github.com/docker-mailserver/docker-mailserver/pull/4370#issuecomment-2661762043
+ chown syslog:root /var/log/mail
+
+ if [[ ${ENABLE_CLAMAV} -eq 1 ]]; then
+ # TODO: Consider assigning /var/log/mail a writable non-root group for other processes like ClamAV?
+ # - Check if ClamAV is capable of creating files itself when they're missing?
+ # - Alternatively a symlink to /var/log/mail from the original intended location would allow write access
+ # as a user to the symlink location, while keeping ownership as root at /var/log/mail
+ # - `LogSyslog false` for clamd.conf + freshclam.conf could possibly be enabled instead of log files?
+ # However without better filtering in place (once Vector is adopted), this should be avoided.
+ touch /var/log/mail/{clamav,freshclam}.log
+ chown clamav:adm /var/log/mail/{clamav,freshclam}.log
+ fi
+
+ # Volume permissions should be corrected:
+ # https://github.com/docker-mailserver/docker-mailserver-helm/issues/137
+ chmod 755 /var/log/mail/
+ find /var/log/mail/ -type f -exec chmod 640 {} +
+}
diff --git a/target/scripts/startup/setup.d/log.sh b/target/scripts/startup/setup.d/log.sh
index 06aa679d..b76413be 100644
--- a/target/scripts/startup/setup.d/log.sh
+++ b/target/scripts/startup/setup.d/log.sh
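Review bot: `__log_fixes` corrects ownership only for the directory and modes only for the files: `chown syslog:root /var/log/mail` is not recursive and the closing `find … -exec chmod 640` leaves file ownership untouched, so on a host bind mount where existing logs were created by a different UID the `syslog` user may still be unable to append to them, even though the comment says the routine exists for that mounted-folder case. If that is intentional it deserves a line, e.g. `# NOTE: ownership of existing files under /var/log/mail is deliberately left as-is; only their mode is normalized to 640`. The debug message literal also misspells ownership (`owneership`); `'Ensuring /var/log/mail ownership + permissions are correct'`. Note that the ClamAV branch no longer sets `chmod 640` itself as the removed block in `security/misc.sh` did, and relies on the trailing `find` to cover those two files, which is worth a short comment next to the `touch`.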
@@ -1,15 +1,5 @@
 #!/bin/bash
 
-function _setup_logs_general() {
- _log 'debug' 'Setting up general log files'
-
- # File/folder permissions are fine when using docker volumes, but may be wrong
- # when file system folders are mounted into the container.
- # Set the expected values and create missing folders/files just in case.
- mkdir -p /var/log/{mail,supervisor}
- chown syslog:root /var/log/mail
-}
-
 function _setup_logrotate() {
 _log 'debug' 'Setting up logrotate'
 
diff --git a/target/scripts/startup/setup.d/postfix.sh b/target/scripts/startup/setup.d/postfix.sh
index e99e6607..ac9c23e7 100644
--- a/target/scripts/startup/setup.d/postfix.sh
+++ b/target/scripts/startup/setup.d/postfix.sh
@@ -93,13 +93,19 @@ EOF
 function _setup_postfix_late() {
 _log 'debug' 'Configuring Postfix (late setup)'
 
+ # These two config files are `access` database tables managed via `setup email restrict`:
+ # NOTE: Prepends to existing restrictions, thus has priority over other permit/reject policies that follow.
+ # https://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
+ # https://www.postfix.org/access.5.html
 __postfix__log 'trace' 'Configuring user access'
 if [[ -f /tmp/docker-mailserver/postfix-send-access.cf ]]; then
- sed -i -E 's|(smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf
+ # Prefer to prepend to our specialized variant instead:
+ # https://github.com/docker-mailserver/docker-mailserver/pull/4379
+ sed -i -E 's|^(dms_smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf
 fi
 
 if [[ -f /tmp/docker-mailserver/postfix-receive-access.cf ]]; then
- sed -i -E 's|(smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf
+ sed -i -E 's|^(smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf
 fi
 
 __postfix__log 'trace' 'Configuring relay host'
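Review bot: The new `sed` in `_setup_postfix_late` fails silently when `/etc/postfix/main.cf` has no line beginning with `dms_smtpd_sender_restrictions =`: the `^`-anchored pattern no longer falls back to the generic `smtpd_sender_restrictions` key, so if that parameter is ever renamed, removed, or (presumably) replaced by a user-supplied override, a `postfix-send-access.cf` from `setup email restrict` is dropped with no log entry and the intended sender block never takes effect. A check after the `sed` makes that visible: `grep -q '^dms_smtpd_sender_restrictions = check_sender_access' /etc/postfix/main.cf || _log 'warn' "'postfix-send-access.cf' was not applied: 'dms_smtpd_sender_restrictions' not found in main.cf"`. Since `mua_sender_restrictions` in `target/postfix/main.cf` expands `$dms_smtpd_sender_restrictions`, the table now also gates authenticated submission, which the comment block added here could say explicitly rather than leaving readers to infer it from the linked PR. `_setup_postfix_late` continues beyond this hunk.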
@@ -155,13 +155,6 @@ function __setup__security__clamav() {
 if [[ ${ENABLE_CLAMAV} -eq 1 ]]; then
 _log 'debug' 'Enabling and configuring ClamAV'
 
- local FILE
- for FILE in /var/log/mail/{clamav,freshclam}.log; do
- touch "${FILE}"
- chown clamav:adm "${FILE}"
- chmod 640 "${FILE}"
- done
-
 if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]; then
 _log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"