From d2d74a29a705ec9df088a8b86f3daca40016b1a2 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Tue, 18 Feb 2025 09:02:35 +1300 Subject: [PATCH 01/15] fix: Ensure `/var/log/mail` permissions + ownership are correct (#4374) --- CHANGELOG.md | 2 +- target/scripts/start-mailserver.sh | 1 - target/scripts/startup/setup-stack.sh | 33 +++++++++++++++++++ target/scripts/startup/setup.d/log.sh | 10 ------ .../scripts/startup/setup.d/security/misc.sh | 7 ---- 5 files changed, 34 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 36e51e41..57adc33d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -59,7 +59,7 @@ All notable changes to this project will be documented in this file. The format - The main `mail.log` (_which is piped to stdout via `tail`_) now correctly begins from the first log line of the active container run. Previously some daemon logs and potential warnings/errors were omitted ([#4146](https://github.com/docker-mailserver/docker-mailserver/pull/4146)) - `start-mailserver.sh` removed unused `shopt -s inherit_errexit` ([#4161](https://github.com/docker-mailserver/docker-mailserver/pull/4161)) - Fixed a regression introduced in DMS v14 where `postfix-main.cf` appended `stderr` output into `/etc/postfix/main.cf`, causing Postfix startup to fail ([#4147](https://github.com/docker-mailserver/docker-mailserver/pull/4147)) - - Fixed a regression introduced in DMS v14 to better support running `start-mailserver.sh` with container restarts, which now only skip calling `_setup()` ([#4323](https://github.com/docker-mailserver/docker-mailserver/pull/4323#issuecomment-2629559254)) + - Fixed a regression introduced in DMS v14 to better support running `start-mailserver.sh` with container restarts, which now only skip calling `_setup()` ([#4323](https://github.com/docker-mailserver/docker-mailserver/pull/4323#issuecomment-2629559254), [#4374](https://github.com/docker-mailserver/docker-mailserver/pull/4374)) - The command `swaks --help` is now functional ([#4282](https://github.com/docker-mailserver/docker-mailserver/pull/4282)) - **Rspamd:** - DKIM private key path checking is now performed only on paths that do not contain `$` ([#4201](https://github.com/docker-mailserver/docker-mailserver/pull/4201)) diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh index b0fc0bd5..a7b86f70 100755 --- a/target/scripts/start-mailserver.sh +++ b/target/scripts/start-mailserver.sh 
@@ -43,7 +43,6 @@ function _register_functions() { # ? >> Setup _register_setup_function '_setup_vmail_id' - _register_setup_function '_setup_logs_general' _register_setup_function '_setup_timezone' if [[ ${SMTP_ONLY} -ne 1 ]]; then diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh index 789dc0c7..d000c28b 100644 --- a/target/scripts/startup/setup-stack.sh +++ b/target/scripts/startup/setup-stack.sh @@ -82,6 +82,8 @@ function _setup_timezone() { fi } +# Misc checks and fixes migrated here until next refactor: +# NOTE: `start-mailserver.sh` runs this along with `mail-state.sh` during container restarts function _setup_directory_and_file_permissions() { _log 'trace' 'Removing leftover PID files from a stop/start' find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete @@ -101,6 +103,8 @@ function _setup_directory_and_file_permissions() { _log 'debug' "Ensuring '${RSPAMD_DMS_DKIM_D}' is owned by '_rspamd:_rspamd'" chown -R _rspamd:_rspamd "${RSPAMD_DMS_DKIM_D}" fi + + __log_fixes } function _setup_run_user_patches() { 
@@ -113,3 +117,32 @@ function _setup_run_user_patches() { _log 'trace' "No optional '${USER_PATCHES}' provided" fi } + +function __log_fixes() { + _log 'debug' 'Ensuring /var/log/mail owneership + permissions are correct' + + # File/folder permissions are fine when using docker volumes, but may be wrong + # when file system folders are mounted into the container. + # Set the expected values and create missing folders/files just in case. + mkdir -p /var/log/{mail,supervisor} + + # TODO: Remove these lines in a future release once concerns are resolved: + # https://github.com/docker-mailserver/docker-mailserver/pull/4370#issuecomment-2661762043 + chown syslog:root /var/log/mail + + if [[ ${ENABLE_CLAMAV} -eq 1 ]]; then + # TODO: Consider assigning /var/log/mail a writable non-root group for other processes like ClamAV? + # - Check if ClamAV is capable of creating files itself when they're missing? + # - Alternatively a symlink to /var/log/mail from the original intended location would allow write access + # as a user to the symlink location, while keeping ownership as root at /var/log/mail + # - `LogSyslog false` for clamd.conf + freshclam.conf could possibly be enabled instead of log files? + # However without better filtering in place (once Vector is adopted), this should be avoided. + touch /var/log/mail/{clamav,freshclam}.log + chown clamav:adm /var/log/mail/{clamav,freshclam}.log + fi + + # Volume permissions should be corrected: + # https://github.com/docker-mailserver/docker-mailserver-helm/issues/137 + chmod 755 /var/log/mail/ + chmod 640 /var/log/mail/* +} diff --git a/target/scripts/startup/setup.d/log.sh b/target/scripts/startup/setup.d/log.sh index 06aa679d..b76413be 100644 --- a/target/scripts/startup/setup.d/log.sh +++ b/target/scripts/startup/setup.d/log.sh 
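Review bot: The new `__log_fixes` has a typo in its debug message, `'Ensuring /var/log/mail owneership + permissions are correct'`; it should read `_log 'debug' 'Ensuring /var/log/mail ownership + permissions are correct'`. Separately, the closing `chmod 640 /var/log/mail/*` is an unquoted glob: with the default (non-nullglob) shell options an empty directory passes the literal pattern to `chmod`, which fails and, if the caller runs under `set -e` (not visible here), aborts the restart path this function was added for; the same glob also matches any subdirectory of a bind-mounted host folder and strips its execute bit. Patch 10 of this series replaces that line with `find -type f`, which resolves both concerns, so only the message typo remains to fix here.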
@@ -1,15 +1,5 @@ #!/bin/bash -function _setup_logs_general() { - _log 'debug' 'Setting up general log files' - - # File/folder permissions are fine when using docker volumes, but may be wrong - # when file system folders are mounted into the container. - # Set the expected values and create missing folders/files just in case. - mkdir -p /var/log/{mail,supervisor} - chown syslog:root /var/log/mail -} - function _setup_logrotate() { _log 'debug' 'Setting up logrotate' diff --git a/target/scripts/startup/setup.d/security/misc.sh b/target/scripts/startup/setup.d/security/misc.sh index 444589df..87ed85b6 100644 --- a/target/scripts/startup/setup.d/security/misc.sh +++ b/target/scripts/startup/setup.d/security/misc.sh @@ -155,13 +155,6 @@ function __setup__security__clamav() { if [[ ${ENABLE_CLAMAV} -eq 1 ]]; then _log 'debug' 'Enabling and configuring ClamAV' - local FILE - for FILE in /var/log/mail/{clamav,freshclam}.log; do - touch "${FILE}" - chown clamav:adm "${FILE}" - chmod 640 "${FILE}" - done - if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]; then _log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'" From 41dd0727e48a517b640da03bba6cc0874dd401d6 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Fri, 21 Feb 2025 20:48:17 +1300 Subject: [PATCH 02/15] docs(rspamd): Fix Web UI link (#4384) --- docs/content/config/security/rspamd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/rspamd.md b/docs/content/config/security/rspamd.md index 45f94c65..e4d419b0 100644 --- a/docs/content/config/security/rspamd.md +++ b/docs/content/config/security/rspamd.md 
@@ -139,7 +139,7 @@ To use the web interface you will need to configure a password, [otherwise you w --- - **Related:** A minimal Rspamd `compose.yaml` [example with a reverse-proxy for web access][gh-dms:guide::rspamd-web]. + **Related:** A minimal Rspamd `compose.yaml` [example with a reverse-proxy for web access][gh-dms::guide::rspamd-web]. ### DNS From ef66dd5d12c4f0efa2b2e345ffdce796e3a7df03 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:14:57 +0100 Subject: [PATCH 03/15] release: v15.0.0 (#4373) Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> --- CHANGELOG.md | 7 +++-- demo-setups/fetchmail-compose.yaml | 6 ++-- demo-setups/relay-compose.yaml | 8 +++--- .../advanced/mail-forwarding/relay-hosts.md | 2 +- docs/content/config/security/rspamd.md | 4 +-- .../examples/tutorials/dovecot-solr.md | 28 ++++++++++--------- target/scripts/helpers/rspamd.sh | 8 ------ 7 files changed, 30 insertions(+), 33 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 57adc33d..eae261ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,10 +2,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v14.0.0...HEAD) +## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v15.0.0...HEAD) > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes. +## [v15.0.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v15.0.0) + ### Breaking - **saslauthd** mechanism support via ENV `SASLAUTHD_MECHANISMS` with `pam`, `shadow`, `mysql` values has been removed. Only `ldap` and `rimap` remain supported ([#4259](https://github.com/docker-mailserver/docker-mailserver/pull/4259)) @@ -17,6 +19,7 @@ All notable changes to this project will be documented in this file. The format - This has been corrected to `/var/lib/getmail` (_if you have mounted a DMS State Volume to `/var/mail-state`, `/var/lib/getmail` will be symlinked to `/var/mail-state/lib-getmail`_). - To preserve this state when upgrading to DMS v15, **you must manually migrate `getmail/` from the _DMS Config Volume_ to `lib-getmail/` in the _DMS State Volume_.** - `setup email delete ` now requires explicit confirmation if the mailbox data should be deleted ([#4365](https://github.com/docker-mailserver/docker-mailserver/pull/4365)). +- **Rspamd:** Removed deprecated file path check (_DMS config volume: `./rspamd-modules.conf` => `./rspamd/custom-commands.conf`_) ([#4373](https://github.com/docker-mailserver/docker-mailserver/pull/4373)) ### Added 
@@ -26,7 +29,7 @@ All notable changes to this project will be documented in this file. The format ### Updates -**Internal:** +- **Internal:** - **Removed `VERSION` file** from the repo. Releases of DMS prior to v13 (Nov 2023) would check this to detect new releases ([#3677](https://github.com/docker-mailserver/docker-mailserver/issues/3677), [#4321](https://github.com/docker-mailserver/docker-mailserver/pull/4321)) - During image build, ensure a secure connection when downloading the `fail2ban` package ([#4080](https://github.com/docker-mailserver/docker-mailserver/pull/4080)) - **Documentation:** diff --git a/demo-setups/fetchmail-compose.yaml b/demo-setups/fetchmail-compose.yaml index d8632228..f6e1ddb9 100644 --- a/demo-setups/fetchmail-compose.yaml +++ b/demo-setups/fetchmail-compose.yaml @@ -1,10 +1,10 @@ -# Docs: https://docker-mailserver.github.io/docker-mailserver/v14.0/config/advanced/mail-fetchmail +# Docs: https://docker-mailserver.github.io/docker-mailserver/v15.0/config/advanced/mail-fetchmail # Additional context, with CLI commands for verification: # https://github.com/orgs/docker-mailserver/discussions/3994#discussioncomment-9290570 services: dms-fetch: - image: ghcr.io/docker-mailserver/docker-mailserver:latest # :14.0 + image: ghcr.io/docker-mailserver/docker-mailserver:latest # :15.0 hostname: mail.example.test environment: ENABLE_FETCHMAIL: 1 @@ -26,7 +26,7 @@ services: target: /tmp/docker-mailserver/fetchmail.cf dms-remote: - image: ghcr.io/docker-mailserver/docker-mailserver:latest # :14.0 + image: ghcr.io/docker-mailserver/docker-mailserver:latest # :15.0 hostname: mail.remote.test environment: # Allows for us send a test mail easily by trusting any mail client run within this container (`swaks`): diff --git a/demo-setups/relay-compose.yaml b/demo-setups/relay-compose.yaml index cb4f0846..7bbc9f21 100644 --- a/demo-setups/relay-compose.yaml +++ b/demo-setups/relay-compose.yaml 
@@ -1,11 +1,11 @@ -# Docs: https://docker-mailserver.github.io/docker-mailserver/v14.0/config/advanced/mail-forwarding/relay-hosts/ +# Docs: https://docker-mailserver.github.io/docker-mailserver/v15.0/config/advanced/mail-forwarding/relay-hosts/ # Additional context, with CLI commands for verification: # https://github.com/docker-mailserver/docker-mailserver/issues/4136#issuecomment-2253693490 services: # This would represent your actual DMS container: dms-sender: - image: mailserver/docker-mailserver:latest # :14.0 + image: mailserver/docker-mailserver:latest # :15.0 hostname: mail.example.test environment: # All outbound mail will be relayed through this host @@ -37,7 +37,7 @@ services: # Pretend this is your third-party relay service: dms-relay: - image: mailserver/docker-mailserver:latest # :14.0 + image: mailserver/docker-mailserver:latest # :15.0 hostname: smtp.relay-service.test environment: # WORKAROUND: Bypass security checks from the mail-client (dms-sender container) @@ -58,7 +58,7 @@ services: # Pretend this is another mail server that your target recipient belongs to (like Gmail): dms-destination: - image: mailserver/docker-mailserver:latest # :14.0 + image: mailserver/docker-mailserver:latest # :15.0 hostname: mail.destination.test # WORKAROUND: dms-relay must be able to resolve DNS for `@destination.test` to the IP of this container: # Normally a MX record would direct mail to the MTA (eg: `mail.destination.test`) diff --git a/docs/content/config/advanced/mail-forwarding/relay-hosts.md b/docs/content/config/advanced/mail-forwarding/relay-hosts.md index 7ef8238c..3d13e93b 100644 --- a/docs/content/config/advanced/mail-forwarding/relay-hosts.md +++ b/docs/content/config/advanced/mail-forwarding/relay-hosts.md 
@@ -151,6 +151,6 @@ We provide this support via two config files: [wikipedia::smarthost]: https://en.wikipedia.org/wiki/Smart_host [docs::env-relay]: ../../environment.md#relay-host -[dms-repo::helpers-relay]: https://github.com/docker-mailserver/docker-mailserver/blob/v14.0.0/target/scripts/helpers/relay.sh +[dms-repo::helpers-relay]: https://github.com/docker-mailserver/docker-mailserver/blob/v15.0.0/target/scripts/helpers/relay.sh [dms-gh::pr-3607]: https://github.com/docker-mailserver/docker-mailserver/issues/3607 [dms-gh::relay-example]: https://github.com/docker-mailserver/docker-mailserver/issues/3842#issuecomment-1913380639 diff --git a/docs/content/config/security/rspamd.md b/docs/content/config/security/rspamd.md index e4d419b0..7492e285 100644 --- a/docs/content/config/security/rspamd.md +++ b/docs/content/config/security/rspamd.md @@ -353,8 +353,8 @@ While _Abusix_ can be integrated into Postfix, Postscreen and a multitude of oth [abusix-docs::rspamd-integration]: https://abusix.com/docs/rspamd/ [spamhaus::faq::dnsbl-usage]: https://www.spamhaus.org/faq/section/DNSBL%20Usage#365 -[dms-repo::rspamd-actions-config]: https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd/local.d/actions.conf -[dms-repo::default-rspamd-configuration]: https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd +[dms-repo::rspamd-actions-config]: https://github.com/docker-mailserver/docker-mailserver/tree/v15.0.0/target/rspamd/local.d/actions.conf +[dms-repo::default-rspamd-configuration]: https://github.com/docker-mailserver/docker-mailserver/tree/v15.0.0/target/rspamd [gh-dms::guide::valkey]: https://github.com/docker-mailserver/docker-mailserver/issues/4001#issuecomment-2652596692 [gh-dms::guide::rspamd-web]: https://github.com/orgs/docker-mailserver/discussions/4269#discussioncomment-11329588 
diff --git a/docs/content/examples/tutorials/dovecot-solr.md b/docs/content/examples/tutorials/dovecot-solr.md index be4c91f6..13a9f0e7 100644 --- a/docs/content/examples/tutorials/dovecot-solr.md +++ b/docs/content/examples/tutorials/dovecot-solr.md 
@@ -24,39 +24,41 @@ As the official DMS image does not provide `dovecot-solr`, you'll need to includ !!! quote "" === "`user-patches.sh`" - + If you'd prefer to avoid a custom image build. This approach is simpler but with the caveat that any time the container is restarted, you'll have a delay as the package is installed each time. - + ```bash #!/bin/bash - + apt-get update && apt-get install dovecot-solr ``` - + === "`compose.yaml`" - + A custom DMS image does not add much friction. You do not need a separate `Dockerfile` as Docker Compose supports building from an inline `Dockerfile` in your `compose.yaml`. - + The `image` key of the service is swapped for the `build` key instead, as shown below: - + ```yaml services: mailserver: hostname: mail.example.com # The `image` setting now represents the tag for the local build configured below: - image: local/dms:14.0 + image: local/dms:${DMS_TAG?Must set DMS image tag} # Local build (no need to try pull `image` remotely): pull_policy: build # Add this `build` section to your real `compose.yaml` for your DMS service: build: dockerfile_inline: | - FROM docker.io/mailserver/docker-mailserver:14.0 + FROM docker.io/mailserver/docker-mailserver:${DMS_TAG?Must set DMS image tag} RUN apt-get update && apt-get install dovecot-solr ``` - - - Just run `docker compose up` and it will pull DMS and build your custom image to run a container. - - Updating to a new DMS release is straight-forward, just adjust the version tag as you normally would. If you make future changes that don't apply, you may need to force a rebuild. - - This approach only needs to install the package once with the image build itself. This minimizes delay of container startup. + + This approach only needs to install the package once with the image build itself which minimizes the delay of container startup. + + - Just run `DMS_TAG='14.0' docker compose up` and it will pull the DMS image, then build your custom DMS image to run a new container instance. 
+ - Updating to a new DMS release is straight-forward, just adjust the `DMS_TAG` ENV value or change the image tag directly in `compose.yaml` as you normally would to upgrade an image. + - If you make future changes to the `dockerfile_inline` that don't seem to be applied, you may need to force a rebuild with `DMS_TAG='14.0' docker compose up --build`. !!! note "Why doesn't DMS include `dovecot-solr`?" diff --git a/target/scripts/helpers/rspamd.sh b/target/scripts/helpers/rspamd.sh index 1d3e1417..1de0fb6a 100644 --- a/target/scripts/helpers/rspamd.sh +++ b/target/scripts/helpers/rspamd.sh @@ -111,14 +111,6 @@ function _rspamd_handle_user_modules_adjustments() { fi } - # We check for usage of the previous location of the commands file. - # TODO This can be removed after the release of v14.0.0. - local RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD="${RSPAMD_DMS_D}-modules.conf" - readonly RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD - if [[ -f ${RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD} ]]; then - _dms_panic__general "Old custom command file location '${RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD}' is deprecated (use '${RSPAMD_DMS_CUSTOM_COMMANDS_F}' now)" 'Rspamd setup' - fi - if [[ -f "${RSPAMD_DMS_CUSTOM_COMMANDS_F}" ]]; then __rspamd__log 'debug' "Found file '${RSPAMD_DMS_CUSTOM_COMMANDS_F}' - parsing and applying it" From 309b5a90862039ff06f9895e6160b1ea006ac056 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 1 Mar 2025 12:24:47 +0000 Subject: [PATCH 04/15] chore(deps): Bump docker/build-push-action from 6.13.0 to 6.14.0 (#4389) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.13.0 to 6.14.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v6.13.0...v6.14.0) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> --- .github/workflows/generic_build.yml | 2 +- .github/workflows/generic_publish.yml | 2 +- .github/workflows/generic_test.yml | 2 +- .github/workflows/generic_vulnerability-scan.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/generic_build.yml b/.github/workflows/generic_build.yml index 30d8df46..a8acd03b 100644 --- a/.github/workflows/generic_build.yml +++ b/.github/workflows/generic_build.yml @@ -80,7 +80,7 @@ jobs: # NOTE: AMD64 can build within 2 minutes - name: 'Build images' - uses: docker/build-push-action@v6.13.0 + uses: docker/build-push-action@v6.14.0 with: context: . # Build at least the AMD64 image (which runs against the test suite). diff --git a/.github/workflows/generic_publish.yml b/.github/workflows/generic_publish.yml index 72228d51..5b331617 100644 --- a/.github/workflows/generic_publish.yml +++ b/.github/workflows/generic_publish.yml @@ -67,7 +67,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: 'Build and publish images' - uses: docker/build-push-action@v6.13.0 + uses: docker/build-push-action@v6.14.0 with: context: . build-args: | diff --git a/.github/workflows/generic_test.yml b/.github/workflows/generic_test.yml index 1303c8ad..98c568d7 100644 --- a/.github/workflows/generic_test.yml +++ b/.github/workflows/generic_test.yml @@ -43,7 +43,7 @@ jobs: # Importing from the cache should create the image within approx 30 seconds: # NOTE: `qemu` step is not needed as we only test for AMD64. - name: 'Build AMD64 image from cache' - uses: docker/build-push-action@v6.13.0 + uses: docker/build-push-action@v6.14.0 with: context: . tags: mailserver-testing:ci diff --git a/.github/workflows/generic_vulnerability-scan.yml b/.github/workflows/generic_vulnerability-scan.yml index 511ade7a..438a0f03 100644 
--- a/.github/workflows/generic_vulnerability-scan.yml +++ b/.github/workflows/generic_vulnerability-scan.yml @@ -42,7 +42,7 @@ jobs: # Importing from the cache should create the image within approx 30 seconds: # NOTE: `qemu` step is not needed as we only test for AMD64. - name: 'Build AMD64 image from cache' - uses: docker/build-push-action@v6.13.0 + uses: docker/build-push-action@v6.14.0 with: context: . tags: mailserver-testing:ci From 5686a4097ae5719d41afda33d3523d47b5a36b4d Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Sun, 2 Mar 2025 01:55:13 +1300 Subject: [PATCH 05/15] fix: `setup email restrict` configs should only prepend once (#4379) * fix: `setup email restrict` configs should only prepend once * chore: Prepend to our custom parameter variant to retain applying to all `smtpd` ports --------- Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> --- target/postfix/main.cf | 5 +++-- target/scripts/startup/setup.d/postfix.sh | 8 ++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/target/postfix/main.cf b/target/postfix/main.cf index d501eec0..518e2dc5 100644 --- a/target/postfix/main.cf +++ b/target/postfix/main.cf 
@@ -68,9 +68,10 @@ smtpd_forbid_bare_newline = yes # smtpd_forbid_bare_newline_exclusions = $mynetworks # Custom defined parameters for DMS: -# reject_unknown_sender_domain: https://github.com/docker-mailserver/docker-mailserver/issues/3716#issuecomment-1868033234 +# Custom sender restrictions overview: https://github.com/docker-mailserver/docker-mailserver/pull/4379#issuecomment-2670365917 +# `reject_unknown_sender_domain`: https://github.com/docker-mailserver/docker-mailserver/issues/3716#issuecomment-1868033234 dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain -# Submission ports 587 and 465 support for SPOOF_PROTECTION=1 +# `SPOOF_PROTECTION=1` support requires prepending `reject_authenticated_sender_login_mismatch` mua_sender_restrictions = reject_authenticated_sender_login_mismatch, $dms_smtpd_sender_restrictions # Postscreen settings to drop zombies/open relays/spam early diff --git a/target/scripts/startup/setup.d/postfix.sh b/target/scripts/startup/setup.d/postfix.sh index e99e6607..9e9370ab 100644 --- a/target/scripts/startup/setup.d/postfix.sh +++ b/target/scripts/startup/setup.d/postfix.sh 
@@ -93,13 +93,17 @@ EOF function _setup_postfix_late() { _log 'debug' 'Configuring Postfix (late setup)' + # These two config files are `access` database tables managed via `setup email restrict`: + # NOTE: Prepends to existing restrictions, thus has priority over other permit/reject policies that follow. + # https://www.postfix.org/postconf.5.html#smtpd_sender_restrictions + # https://www.postfix.org/access.5.html __postfix__log 'trace' 'Configuring user access' if [[ -f /tmp/docker-mailserver/postfix-send-access.cf ]]; then - sed -i -E 's|(smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf + sed -i -E 's|^(dms_smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf fi if [[ -f /tmp/docker-mailserver/postfix-receive-access.cf ]]; then - sed -i -E 's|(smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf + sed -i -E 's|^(dms_smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf fi __postfix__log 'trace' 'Configuring relay host' From dd595e0a0564a41a42f4491e680753d9c99c0dcb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Mar 2025 21:47:59 +0100 Subject: [PATCH 06/15] chore(deps): Bump docker/metadata-action from 5.6.1 to 5.7.0 (#4395) --- .github/workflows/generic_publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/generic_publish.yml b/.github/workflows/generic_publish.yml index 5b331617..39dcf86f 100644 --- a/.github/workflows/generic_publish.yml +++ b/.github/workflows/generic_publish.yml 
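Review bot: Both `sed -i` substitutions are silent no-ops when the anchored `dms_smtpd_*_restrictions =` line is absent from `/etc/postfix/main.cf`, which can happen after a user-supplied `postfix-main.cf` override; the restriction file is then ignored without any log output. The `main.cf` hunk in this patch only shows `dms_smtpd_sender_restrictions`, so it is worth confirming that `dms_smtpd_recipient_restrictions` exists with exactly that `key =` spacing, otherwise the second branch never matches. A cheap guard would be `grep -q '^dms_smtpd_recipient_restrictions =' /etc/postfix/main.cf || _log 'warn' 'dms_smtpd_recipient_restrictions missing, postfix-receive-access.cf not applied'` (and the same for the sender variant) before each `sed`. The enclosing `_setup_postfix_late` continues outside the hunk.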
@@ -23,7 +23,7 @@ jobs: - name: 'Prepare tags' id: prep - uses: docker/metadata-action@v5.6.1 + uses: docker/metadata-action@v5.7.0 with: images: | ${{ secrets.DOCKER_REPOSITORY }} From 3c833d8ee818534401b09063f04a1cac99ca3528 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Mar 2025 20:50:17 +0000 Subject: [PATCH 07/15] chore(deps): Bump docker/setup-buildx-action from 3.9.0 to 3.10.0 (#4394) --- .github/workflows/generic_build.yml | 2 +- .github/workflows/generic_publish.yml | 2 +- .github/workflows/generic_test.yml | 2 +- .github/workflows/generic_vulnerability-scan.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/generic_build.yml b/.github/workflows/generic_build.yml index a8acd03b..7c29f0ff 100644 --- a/.github/workflows/generic_build.yml +++ b/.github/workflows/generic_build.yml @@ -76,7 +76,7 @@ jobs: platforms: arm64 - name: 'Set up Docker Buildx' - uses: docker/setup-buildx-action@v3.9.0 + uses: docker/setup-buildx-action@v3.10.0 # NOTE: AMD64 can build within 2 minutes - name: 'Build images' diff --git a/.github/workflows/generic_publish.yml b/.github/workflows/generic_publish.yml index 39dcf86f..16bd2dcf 100644 --- a/.github/workflows/generic_publish.yml +++ b/.github/workflows/generic_publish.yml @@ -40,7 +40,7 @@ jobs: platforms: arm64 - name: 'Set up Docker Buildx' - uses: docker/setup-buildx-action@v3.9.0 + uses: docker/setup-buildx-action@v3.10.0 # Try get the cached build layers from a prior `generic_build.yml` job. # NOTE: Until adopting `type=gha` scoped cache exporter (in `docker/build-push-action`), diff --git a/.github/workflows/generic_test.yml b/.github/workflows/generic_test.yml index 98c568d7..db75c3eb 100644 --- a/.github/workflows/generic_test.yml +++ b/.github/workflows/generic_test.yml 
@@ -38,7 +38,7 @@ jobs: # Ensures consistent BuildKit version (not coupled to Docker Engine), # and increased compatibility of the build cache vs mixing buildx drivers. - name: 'Set up Docker Buildx' - uses: docker/setup-buildx-action@v3.9.0 + uses: docker/setup-buildx-action@v3.10.0 # Importing from the cache should create the image within approx 30 seconds: # NOTE: `qemu` step is not needed as we only test for AMD64. diff --git a/.github/workflows/generic_vulnerability-scan.yml b/.github/workflows/generic_vulnerability-scan.yml index 438a0f03..9a435aee 100644 --- a/.github/workflows/generic_vulnerability-scan.yml +++ b/.github/workflows/generic_vulnerability-scan.yml @@ -37,7 +37,7 @@ jobs: # Ensures consistent BuildKit version (not coupled to Docker Engine), # and increased compatibility of the build cache vs mixing buildx drivers. - name: 'Set up Docker Buildx' - uses: docker/setup-buildx-action@v3.9.0 + uses: docker/setup-buildx-action@v3.10.0 # Importing from the cache should create the image within approx 30 seconds: # NOTE: `qemu` step is not needed as we only test for AMD64. From 0fbbc44dd36a87366bde2a510b8f64722f9923a3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Mar 2025 20:52:28 +0000 Subject: [PATCH 08/15] chore(deps): Bump docker/build-push-action from 6.14.0 to 6.15.0 (#4393) --- .github/workflows/generic_build.yml | 2 +- .github/workflows/generic_publish.yml | 2 +- .github/workflows/generic_test.yml | 2 +- .github/workflows/generic_vulnerability-scan.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/generic_build.yml b/.github/workflows/generic_build.yml index 7c29f0ff..0f1cf43b 100644 --- a/.github/workflows/generic_build.yml +++ b/.github/workflows/generic_build.yml 
@@ -80,7 +80,7 @@ jobs: # NOTE: AMD64 can build within 2 minutes - name: 'Build images' - uses: docker/build-push-action@v6.14.0 + uses: docker/build-push-action@v6.15.0 with: context: . # Build at least the AMD64 image (which runs against the test suite). diff --git a/.github/workflows/generic_publish.yml b/.github/workflows/generic_publish.yml index 16bd2dcf..f5de50df 100644 --- a/.github/workflows/generic_publish.yml +++ b/.github/workflows/generic_publish.yml @@ -67,7 +67,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: 'Build and publish images' - uses: docker/build-push-action@v6.14.0 + uses: docker/build-push-action@v6.15.0 with: context: . build-args: | diff --git a/.github/workflows/generic_test.yml b/.github/workflows/generic_test.yml index db75c3eb..b487925b 100644 --- a/.github/workflows/generic_test.yml +++ b/.github/workflows/generic_test.yml @@ -43,7 +43,7 @@ jobs: # Importing from the cache should create the image within approx 30 seconds: # NOTE: `qemu` step is not needed as we only test for AMD64. - name: 'Build AMD64 image from cache' - uses: docker/build-push-action@v6.14.0 + uses: docker/build-push-action@v6.15.0 with: context: . tags: mailserver-testing:ci diff --git a/.github/workflows/generic_vulnerability-scan.yml b/.github/workflows/generic_vulnerability-scan.yml index 9a435aee..c55eb6c2 100644 --- a/.github/workflows/generic_vulnerability-scan.yml +++ b/.github/workflows/generic_vulnerability-scan.yml @@ -42,7 +42,7 @@ jobs: # Importing from the cache should create the image within approx 30 seconds: # NOTE: `qemu` step is not needed as we only test for AMD64. - name: 'Build AMD64 image from cache' - uses: docker/build-push-action@v6.14.0 + uses: docker/build-push-action@v6.15.0 with: context: . tags: mailserver-testing:ci From 807f4f711897b39ecb49ff626360544d0a1d1278 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Mar 2025 21:58:58 +0100 Subject: [PATCH 09/15] chore(deps): Bump docker/setup-qemu-action from 3.4.0 to 3.6.0 (#4392) --- .github/workflows/generic_build.yml | 2 +- .github/workflows/generic_publish.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/generic_build.yml b/.github/workflows/generic_build.yml index 0f1cf43b..e27693b1 100644 --- a/.github/workflows/generic_build.yml +++ b/.github/workflows/generic_build.yml @@ -71,7 +71,7 @@ jobs: cache-buildx- - name: 'Set up QEMU' - uses: docker/setup-qemu-action@v3.4.0 + uses: docker/setup-qemu-action@v3.6.0 with: platforms: arm64 diff --git a/.github/workflows/generic_publish.yml b/.github/workflows/generic_publish.yml index f5de50df..bf21e8f8 100644 --- a/.github/workflows/generic_publish.yml +++ b/.github/workflows/generic_publish.yml @@ -35,7 +35,7 @@ jobs: type=semver,pattern={{major}}.{{minor}}.{{patch}} - name: 'Set up QEMU' - uses: docker/setup-qemu-action@v3.4.0 + uses: docker/setup-qemu-action@v3.6.0 with: platforms: arm64 From 1756ba04fbf8097e8edfefc4d7e7fb0226d9b5b9 Mon Sep 17 00:00:00 2001 From: "Dmitry R." Date: Tue, 4 Mar 2025 03:28:15 +0600 Subject: [PATCH 10/15] fix: Support `chmod` on `/var/log/mail/*` when dir is empty (#4391) Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> --- CHANGELOG.md | 7 +++++++ target/scripts/startup/setup-stack.sh | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index eae261ac..39af02b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,13 @@ All notable changes to this project will be documented in this file. The format > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes. +### Fixes + +- **Postfix:** + - `setup email restrict` generated configs now only prepend to `dms_smtpd_sender_restrictions` ([#4379](https://github.com/docker-mailserver/docker-mailserver/pull/4379)) +- **Internal:** + - A permissions fix for `/var/log/mail` that was [added in DMS v15]((https://github.com/docker-mailserver/docker-mailserver/pull/4374)) no longer encounters an error when no log files are present during a container restart, such as with a `tmpfs` volume mount ([#4391](https://github.com/docker-mailserver/docker-mailserver/pull/4391)) + ## [v15.0.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v15.0.0) ### Breaking diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh index d000c28b..9a99398a 100644 --- a/target/scripts/startup/setup-stack.sh +++ b/target/scripts/startup/setup-stack.sh @@ -144,5 +144,5 @@ function __log_fixes() { # Volume permissions should be corrected: # https://github.com/docker-mailserver/docker-mailserver-helm/issues/137 chmod 755 /var/log/mail/ - chmod 640 /var/log/mail/* + find /var/log/mail/ -type f -exec chmod 640 {} + } From d0629f4cb6cd336e222195c0881ed1b3613b7dc8 Mon Sep 17 00:00:00 2001 
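Review bot: The `find` replacement changes scope as well as fixing the empty-directory case: `chmod 640 /var/log/mail/*` touched only direct children, whereas `find /var/log/mail/ -type f` descends into any subdirectory that exists or is later created under the log volume. If only the top-level log files are meant, `find /var/log/mail/ -maxdepth 1 -type f -exec chmod 640 {} +` keeps the old scope; otherwise a one-line comment stating that recursion is intended would save the next reader the same question. Using `-type f` also stops the previous glob from applying `640` to subdirectories, which is an improvement worth noting in that comment. `__log_fixes()` begins outside the hunk.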
From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Tue, 4 Mar 2025 10:58:42 +1300 Subject: [PATCH 11/15] chore: Revise utility install scripts + add Smallstep `step` CLI (#4376) Changes: - `jaq` should probably live in `/usr/local/bin` with other third-party sourced binaries. - `swaks` install properly with just `tar`, no `mv` + `rm` needed. - Added Smallstep `step` CLI. This serves similar purpose to `openssl` commands, but is generally nicer for usage with generation and inspection of certs/keys. I've talked up using in DMS a few times in the past for our TLS helper and unifying DKIM support (_instead of separate OpenDKIM/Rspamd generators_). - Including `step` for both AMD64 / ARM64 archs needs the alternate naming convention that it's published to GH releases with. - Added commentary about the `tar` usage. The ownership is a common concern with GH release sources, technically a non-issue when running as `root` --- CHANGELOG.md | 10 +++++++++ target/scripts/build/packages.sh | 36 +++++++++++++++++++++++++++----- 2 files changed, 41 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 39af02b7..8b041d7f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,11 @@ All notable changes to this project will be documented in this file. The format > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes. +### Added + +- **Internal:** + - Added the Smallstep `step` CLI command for future internal usage ([#4376](https://github.com/docker-mailserver/docker-mailserver/pull/4376)) + ### Fixes - **Postfix:** 
@@ -13,6 +18,11 @@ All notable changes to this project will be documented in this file. The format - **Internal:** - A permissions fix for `/var/log/mail` that was [added in DMS v15]((https://github.com/docker-mailserver/docker-mailserver/pull/4374)) no longer encounters an error when no log files are present during a container restart, such as with a `tmpfs` volume mount ([#4391](https://github.com/docker-mailserver/docker-mailserver/pull/4391)) +### Updates + +- **Internal:** + - Minor improvements to `_install_utils()` in `packages.sh` ([#4376](https://github.com/docker-mailserver/docker-mailserver/pull/4376)) + ## [v15.0.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v15.0.0) ### Breaking diff --git a/target/scripts/build/packages.sh b/target/scripts/build/packages.sh index bcfdcbcb..cfd510de 100644 --- a/target/scripts/build/packages.sh +++ b/target/scripts/build/packages.sh 
@@ -36,20 +36,46 @@ function _pre_installation_steps() { apt-get "${QUIET}" install --no-install-recommends "${EARLY_PACKAGES[@]}" 2>/dev/null } +# Install third-party commands to /usr/local/bin function _install_utils() { + local ARCH_A + ARCH_A=$(uname --machine) + # Alternate naming convention support: x86_64 (amd64) / aarch64 (arm64) + # https://en.wikipedia.org/wiki/X86-64#Industry_naming_conventions + local ARCH_B + case "${ARCH_A}" in + ( 'x86_64' ) ARCH_B='amd64' ;; + ( 'aarch64' ) ARCH_B='arm64' ;; + ( * ) + _log 'error' "Unsupported arch: '${ARCH_A}'" + return 1 + ;; + esac + + # TIP: `*.tar.gz` releases tend to forget to reset UID/GID ownership when archiving. + # When extracting with `tar` as `root` the archived UID/GID is kept, unless using `--no-same-owner`. + # Likewise when the binary is in a nested location the full archived path + # must be provided + `--strip-components` to extract the file to the target directory. + # Doing this avoids the need for (`mv` + `rm`) or (`--to-stdout` + `chmod +x`) _log 'debug' 'Installing utils sourced from Github' + _log 'trace' 'Installing jaq' local JAQ_TAG='v2.1.0' - curl -sSfL "https://github.com/01mf02/jaq/releases/download/${JAQ_TAG}/jaq-$(uname -m)-unknown-linux-gnu" -o /usr/bin/jaq - chmod +x /usr/bin/jaq + curl -sSfL "https://github.com/01mf02/jaq/releases/download/${JAQ_TAG}/jaq-$(uname -m)-unknown-linux-gnu" -o /usr/local/bin/jaq + chmod +x /usr/local/bin/jaq + + _log 'trace' 'Installing step' + local STEP_RELEASE='0.28.2' + curl -sSfL "https://github.com/smallstep/cli/releases/download/v${STEP_RELEASE}/step_linux_${STEP_RELEASE}_${ARCH_B}.tar.gz" \ + | tar -xz --directory /usr/local/bin --no-same-owner --strip-components=2 "step_${STEP_RELEASE}/bin/step" _log 'trace' 'Installing swaks' + # `perl-doc` is required for `swaks --help` to work: apt-get "${QUIET}" install --no-install-recommends perl-doc local SWAKS_VERSION='20240103.0' local SWAKS_RELEASE="swaks-${SWAKS_VERSION}" - curl -sSfL 
"https://github.com/jetmore/swaks/releases/download/v${SWAKS_VERSION}/${SWAKS_RELEASE}.tar.gz" | tar -xz - mv "${SWAKS_RELEASE}/swaks" /usr/local/bin - rm -r "${SWAKS_RELEASE}" + curl -sSfL "https://github.com/jetmore/swaks/releases/download/v${SWAKS_VERSION}/${SWAKS_RELEASE}.tar.gz" \ + | tar -xz --directory /usr/local/bin --no-same-owner --strip-components=1 "${SWAKS_RELEASE}/swaks" } function _install_postfix() { From 02f068b2b243759b8505056bc267a17e561bd9b6 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Wed, 5 Mar 2025 11:00:06 +1300 Subject: [PATCH 12/15] fix: Use correct Postfix parameter for `postfix-receive-access.cf` (#4399) --- target/scripts/startup/setup.d/postfix.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/target/scripts/startup/setup.d/postfix.sh b/target/scripts/startup/setup.d/postfix.sh index 9e9370ab..ac9c23e7 100644 --- a/target/scripts/startup/setup.d/postfix.sh +++ b/target/scripts/startup/setup.d/postfix.sh @@ -99,11 +99,13 @@ function _setup_postfix_late() { # https://www.postfix.org/access.5.html __postfix__log 'trace' 'Configuring user access' if [[ -f /tmp/docker-mailserver/postfix-send-access.cf ]]; then + # Prefer to prepend to our specialized variant instead: + # https://github.com/docker-mailserver/docker-mailserver/pull/4379 sed -i -E 's|^(dms_smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf fi if [[ -f /tmp/docker-mailserver/postfix-receive-access.cf ]]; then - sed -i -E 's|^(dms_smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf + sed -i -E 's|^(smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf fi __postfix__log 'trace' 'Configuring relay host' 
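Review bot: Both new `curl … | tar` pipelines (the `step` install and the rewritten `swaks` install) extract straight from the network into `/usr/local/bin` with no integrity check, and the `jaq` download that was only relocated has the same gap, so the release version is pinned but the bytes are not. Downloading to a temporary file and comparing it against a pinned SHA-256 before extracting lets the image build fail closed on a tampered or corrupted artifact; the digest differs per architecture, so it fits naturally in the `case` arms next to `ARCH_B`. Separately, the `jaq` URL still calls `$(uname -m)` although `ARCH_A` now holds that value — `jaq-${ARCH_A}-unknown-linux-gnu` avoids the second `uname` and keeps one source of truth for the arch. `_install_utils()` is entirely inside the hunk.
```shell
  _log 'trace' 'Installing step'
  local STEP_RELEASE='0.28.2'
  # Expected digest of the tarball for this ARCH_B (placeholder: pin the real value per arch in the case arms above)
  local STEP_SHA256='<sha256-of-step_linux_tarball-for-this-arch>'
  local STEP_TARBALL
  STEP_TARBALL=$(mktemp)
  curl -sSfL "https://github.com/smallstep/cli/releases/download/v${STEP_RELEASE}/step_linux_${STEP_RELEASE}_${ARCH_B}.tar.gz" -o "${STEP_TARBALL}"
  # Refuse to install anything that does not match the pinned digest:
  printf '%s  %s\n' "${STEP_SHA256}" "${STEP_TARBALL}" | sha256sum --check --status \
    || { _log 'error' 'step: checksum mismatch'; rm -f -- "${STEP_TARBALL}"; return 1; }
  tar -xzf "${STEP_TARBALL}" --directory /usr/local/bin --no-same-owner --strip-components=2 "step_${STEP_RELEASE}/bin/step"
  rm -f -- "${STEP_TARBALL}"
  # … unchanged: swaks install (same download-verify-extract pattern applies) …
```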
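Review bot: The rewritten `sed` for `postfix-receive-access.cf` (like the unchanged one for `postfix-send-access.cf` just above it) is silent when its anchor line is absent from `/etc/postfix/main.cf`: `sed -i` exits 0 whether or not `^smtpd_recipient_restrictions =` matched, so a user-supplied access file could be quietly ignored with no log line. A guard before the substitution such as `grep -q '^smtpd_recipient_restrictions =' /etc/postfix/main.cf || __postfix__log 'warn' 'smtpd_recipient_restrictions not found in main.cf, postfix-receive-access.cf was not applied'` makes that failure visible. A short comment on why this file targets `smtpd_recipient_restrictions` while the sender file targets the `dms_` variant would also help, since the asymmetry is easy to mistake for a typo and "fix" back. `_setup_postfix_late()` starts and ends outside the hunk.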
From 6b1a5664979528064672f056bf0dd8fe0c421952 Mon Sep 17 00:00:00 2001 From: Lasslos <81803114+Lasslos@users.noreply.github.com> Date: Thu, 6 Mar 2025 08:29:39 +0100 Subject: [PATCH 13/15] docs: Fail2Ban - Add example with required ENV to enable (#4402) --- docs/content/config/security/fail2ban.md | 44 ++++++++++++++++++++---- 1 file changed, 37 insertions(+), 7 deletions(-) diff --git a/docs/content/config/security/fail2ban.md b/docs/content/config/security/fail2ban.md index 08852274..8efb2fca 100644 --- a/docs/content/config/security/fail2ban.md +++ b/docs/content/config/security/fail2ban.md 
@@ -14,18 +14,48 @@ hide: ## Configuration -!!! warning +Enabling Fail2Ban support can be done via ENV, but also requires granting at least the `NET_ADMIN` capability to interact with the kernel and ban IP addresses. - DMS must be launched with the `NET_ADMIN` capability in order to be able to install the NFTables rules that actually ban IP addresses. Thus, either include `--cap-add=NET_ADMIN` in the `docker run` command, or the equivalent in the `compose.yaml`: +!!! example - ```yaml - cap_add: - - NET_ADMIN - ``` + === "Docker Compose" + + ```yaml title="compose.yaml" + services: + mailserver: + environment: + - ENABLE_FAIL2BAN=1 + cap_add: + - NET_ADMIN + ``` + + === "Docker CLI" + + ```bash + docker run --rm -it \ + --cap-add=NET_ADMIN \ + --env ENABLE_FAIL2BAN=1 + ``` + +!!! warning "Security risk of adding non-default capabilties" + + DMS bundles F2B into the image for convenience to simplify integration and deployment. + + The [`NET_ADMIN`][security::cap-net-admin] and [`NET_RAW`][security::cap-net-raw] capabilities are not granted by default to the container root user, as they can be used to compromise security. + + If this risk concerns you, it may be wiser to instead prefer only granting these capabilities to a dedicated Fail2Ban container ([example][lsio:f2b-image]). !!! bug "Running Fail2Ban on Older Kernels" - DMS configures F2B to use NFTables, not IPTables (legacy). We have observed that older systems, for example NAS systems, do not support the modern NFTables rules. You will need to configure F2B to use legacy IPTables again, for example with the [``fail2ban-jail.cf``][github-file-f2bjail], see the [section on configuration further down below](#custom-files). + DMS configures F2B to use [NFTables][network::nftables], not [IPTables (legacy)][network::iptables-legacy]. + + We have observed that older systems (for example NAS systems), do not support the modern NFTables rules. 
You will need to configure F2B to use legacy IPTables again, for example with the [`fail2ban-jail.cf`][github-file-f2bjail], see the [section on configuration further down below](#custom-files). + +[security::cap-net-admin]: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap_net_admin +[security::cap-net-raw]: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap_net_raw +[lsio:f2b-image]: https://docs.linuxserver.io/images/docker-fail2ban +[network::nftables]: https://en.wikipedia.org/wiki/Nftables +[network::iptables-legacy]: https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables#two_variants_of_the_iptables_command ### DMS Defaults From a156c2c0311a4ca5ec40b1f225b36ddf76a3e409 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Sun, 16 Mar 2025 21:04:32 +1300 Subject: [PATCH 14/15] docs: Update Dovecot link in `mailserver.env` (#4415) --- mailserver.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mailserver.env b/mailserver.env index 141b607a..8cb1cae2 100644 --- a/mailserver.env +++ b/mailserver.env @@ -508,7 +508,7 @@ DOVECOT_MAILBOX_FORMAT=maildir # empty => no # yes => Allow bind authentication for LDAP -# https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds +# https://doc.dovecot.org/2.4.0/core/config/auth/databases/ldap.html#authentication-bind DOVECOT_AUTH_BIND= # ----------------------------------------------- From 7c680a0fbc34c3b7f013b85a5d42d43277962c54 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Mon, 17 Mar 2025 03:34:51 +1300 Subject: [PATCH 15/15] fix: `start-mailserver.sh` requires `mail_state.sh` to be sourced on restarts (#4417) --- target/scripts/start-mailserver.sh | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh
index a7b86f70..a6295ed8 100755
--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@@ -181,6 +181,9 @@ if [[ -f /CONTAINER_START ]]; then
 # We cannot skip all setup routines because some need to run _after_
 # the initial setup (and hence, they cannot be moved to the check stack).
 _setup_directory_and_file_permissions
+
+ # shellcheck source=./startup/setup.d/mail_state.sh
+ source /usr/local/bin/setup.d/mail_state.sh
 _setup_adjust_state_permissions
 else
 _setup
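Review bot: The new `source` line carries only a shellcheck directive and no explanation of why the restart path needs it, and the place where the file is normally sourced (presumably inside `_setup()`, which this branch skips) is not visible here, so a later cleanup could remove it as an apparent duplicate. Suggest adding above the directive: `# _setup_adjust_state_permissions is defined in mail_state.sh, which is only sourced by the full setup path; restarts skip _setup(), so source it here explicitly.` If the script runs under `set -e`, a missing file makes `source` abort startup, which is the right failure mode for an image-owned path, so no existence check is needed. The enclosing `if [[ -f /CONTAINER_START ]]` block begins outside the hunk.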