Merge branch 'master' into refactor/setup-cli-opendkim

2025-03-18 09:45:21 +13:00 · 2025-03-18 09:45:21 +13:00 · 0b8cdd70b9
parent 7eed5d1db4 7c680a0fbc
commit 0b8cdd70b9
20 changed files with 176 additions and 81 deletions
--- a/.github/workflows/generic_build.yml
+++ b/.github/workflows/generic_build.yml
@ -71,16 +71,16 @@ jobs:
            cache-buildx-
      - name: 'Set up QEMU'
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.6.0
        with:
          platforms: arm64
      - name: 'Set up Docker Buildx'
-        uses: docker/setup-buildx-action@v3.9.0
+        uses: docker/setup-buildx-action@v3.10.0
      # NOTE: AMD64 can build within 2 minutes
      - name: 'Build images'
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
        with:
          context: .
          # Build at least the AMD64 image (which runs against the test suite).
--- a/.github/workflows/generic_publish.yml
+++ b/.github/workflows/generic_publish.yml
@ -23,7 +23,7 @@ jobs:
      - name: 'Prepare tags'
        id: prep
-        uses: docker/metadata-action@v5.6.1
+        uses: docker/metadata-action@v5.7.0
        with:
          images: |
            ${{ secrets.DOCKER_REPOSITORY }}
@ -35,12 +35,12 @@ jobs:
            type=semver,pattern={{major}}.{{minor}}.{{patch}}
      - name: 'Set up QEMU'
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.6.0
        with:
          platforms: arm64
      - name: 'Set up Docker Buildx'
-        uses: docker/setup-buildx-action@v3.9.0
+        uses: docker/setup-buildx-action@v3.10.0
      # Try get the cached build layers from a prior `generic_build.yml` job.
      # NOTE: Until adopting `type=gha` scoped cache exporter (in `docker/build-push-action`),
@ -67,7 +67,7 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: 'Build and publish images'
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
        with:
          context: .
          build-args: |
--- a/.github/workflows/generic_test.yml
+++ b/.github/workflows/generic_test.yml
@ -38,12 +38,12 @@ jobs:
      # Ensures consistent BuildKit version (not coupled to Docker Engine),
      # and increased compatibility of the build cache vs mixing buildx drivers.
      - name: 'Set up Docker Buildx'
-        uses: docker/setup-buildx-action@v3.9.0
+        uses: docker/setup-buildx-action@v3.10.0
      # Importing from the cache should create the image within approx 30 seconds:
      # NOTE: `qemu` step is not needed as we only test for AMD64.
      - name: 'Build AMD64 image from cache'
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
        with:
          context: .
          tags: mailserver-testing:ci
--- a/.github/workflows/generic_vulnerability-scan.yml
+++ b/.github/workflows/generic_vulnerability-scan.yml
@ -37,12 +37,12 @@ jobs:
      # Ensures consistent BuildKit version (not coupled to Docker Engine),
      # and increased compatibility of the build cache vs mixing buildx drivers.
      - name: 'Set up Docker Buildx'
-        uses: docker/setup-buildx-action@v3.9.0
+        uses: docker/setup-buildx-action@v3.10.0
      # Importing from the cache should create the image within approx 30 seconds:
      # NOTE: `qemu` step is not needed as we only test for AMD64.
      - name: 'Build AMD64 image from cache'
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
        with:
          context: .
          tags: mailserver-testing:ci
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,10 +2,29 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v14.0.0...HEAD)
+## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v15.0.0...HEAD)
 > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
 ### Added
 - **Internal:**
  - Added the Smallstep `step` CLI command for future internal usage ([#4376](https://github.com/docker-mailserver/docker-mailserver/pull/4376))
 ### Fixes
 - **Postfix:**
  - `setup email restrict` generated configs now only prepend to `dms_smtpd_sender_restrictions` ([#4379](https://github.com/docker-mailserver/docker-mailserver/pull/4379))
 - **Internal:**
  - A permissions fix for `/var/log/mail` that was [added in DMS v15]((https://github.com/docker-mailserver/docker-mailserver/pull/4374)) no longer encounters an error when no log files are present during a container restart, such as with a `tmpfs` volume mount ([#4391](https://github.com/docker-mailserver/docker-mailserver/pull/4391))
 ### Updates
 - **Internal:**
  - Minor improvements to `_install_utils()` in `packages.sh` ([#4376](https://github.com/docker-mailserver/docker-mailserver/pull/4376))
 ## [v15.0.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v15.0.0)
 ### Breaking
 - **saslauthd** mechanism support via ENV `SASLAUTHD_MECHANISMS` with `pam`, `shadow`, `mysql` values has been removed. Only `ldap` and `rimap` remain supported ([#4259](https://github.com/docker-mailserver/docker-mailserver/pull/4259))
@ -17,6 +36,7 @@ All notable changes to this project will be documented in this file. The format
    - This has been corrected to `/var/lib/getmail` (_if you have mounted a DMS State Volume to `/var/mail-state`, `/var/lib/getmail` will be symlinked to `/var/mail-state/lib-getmail`_).
    - To preserve this state when upgrading to DMS v15, **you must manually migrate `getmail/` from the _DMS Config Volume_ to `lib-getmail/` in the _DMS State Volume_.**
  - `setup email delete <EMAIL ADDRESS>` now requires explicit confirmation if the mailbox data should be deleted ([#4365](https://github.com/docker-mailserver/docker-mailserver/pull/4365)).
 - **Rspamd:** Removed deprecated file path check (_DMS config volume: `./rspamd-modules.conf` => `./rspamd/custom-commands.conf`_) ([#4373](https://github.com/docker-mailserver/docker-mailserver/pull/4373))
 ### Added
@ -26,7 +46,7 @@ All notable changes to this project will be documented in this file. The format
 ### Updates
-**Internal:**
+- **Internal:**
  - **Removed `VERSION` file** from the repo. Releases of DMS prior to v13 (Nov 2023) would check this to detect new releases ([#3677](https://github.com/docker-mailserver/docker-mailserver/issues/3677), [#4321](https://github.com/docker-mailserver/docker-mailserver/pull/4321))
  - During image build, ensure a secure connection when downloading the `fail2ban` package ([#4080](https://github.com/docker-mailserver/docker-mailserver/pull/4080))
  - Refactored `setup config dkim` (`open-dkim`) ([#4375](https://github.com/docker-mailserver/docker-mailserver/pull/4375))
@ -60,7 +80,7 @@ All notable changes to this project will be documented in this file. The format
  - The main `mail.log` (_which is piped to stdout via `tail`_) now correctly begins from the first log line of the active container run. Previously some daemon logs and potential warnings/errors were omitted ([#4146](https://github.com/docker-mailserver/docker-mailserver/pull/4146))
  - `start-mailserver.sh` removed unused `shopt -s inherit_errexit` ([#4161](https://github.com/docker-mailserver/docker-mailserver/pull/4161))
  - Fixed a regression introduced in DMS v14 where `postfix-main.cf` appended `stderr` output into `/etc/postfix/main.cf`, causing Postfix startup to fail ([#4147](https://github.com/docker-mailserver/docker-mailserver/pull/4147))
-  - Fixed a regression introduced in DMS v14 to better support running `start-mailserver.sh` with container restarts, which now only skip calling `_setup()` ([#4323](https://github.com/docker-mailserver/docker-mailserver/pull/4323#issuecomment-2629559254))
+  - Fixed a regression introduced in DMS v14 to better support running `start-mailserver.sh` with container restarts, which now only skip calling `_setup()` ([#4323](https://github.com/docker-mailserver/docker-mailserver/pull/4323#issuecomment-2629559254), [#4374](https://github.com/docker-mailserver/docker-mailserver/pull/4374))
  - The command `swaks --help` is now functional ([#4282](https://github.com/docker-mailserver/docker-mailserver/pull/4282))
 - **Rspamd:**
  - DKIM private key path checking is now performed only on paths that do not contain `$` ([#4201](https://github.com/docker-mailserver/docker-mailserver/pull/4201))
--- a/demo-setups/fetchmail-compose.yaml
+++ b/demo-setups/fetchmail-compose.yaml
@ -1,10 +1,10 @@
-# Docs: https://docker-mailserver.github.io/docker-mailserver/v14.0/config/advanced/mail-fetchmail
+# Docs: https://docker-mailserver.github.io/docker-mailserver/v15.0/config/advanced/mail-fetchmail
 # Additional context, with CLI commands for verification:
 # https://github.com/orgs/docker-mailserver/discussions/3994#discussioncomment-9290570
 services:
  dms-fetch:
-    image: ghcr.io/docker-mailserver/docker-mailserver:latest # :14.0
+    image: ghcr.io/docker-mailserver/docker-mailserver:latest # :15.0
    hostname: mail.example.test
    environment:
      ENABLE_FETCHMAIL: 1
@ -26,7 +26,7 @@ services:
        target: /tmp/docker-mailserver/fetchmail.cf
  dms-remote:
-    image: ghcr.io/docker-mailserver/docker-mailserver:latest # :14.0
+    image: ghcr.io/docker-mailserver/docker-mailserver:latest # :15.0
    hostname: mail.remote.test
    environment:
      # Allows for us send a test mail easily by trusting any mail client run within this container (`swaks`):
--- a/demo-setups/relay-compose.yaml
+++ b/demo-setups/relay-compose.yaml
@ -1,11 +1,11 @@
-# Docs: https://docker-mailserver.github.io/docker-mailserver/v14.0/config/advanced/mail-forwarding/relay-hosts/
+# Docs: https://docker-mailserver.github.io/docker-mailserver/v15.0/config/advanced/mail-forwarding/relay-hosts/
 # Additional context, with CLI commands for verification:
 # https://github.com/docker-mailserver/docker-mailserver/issues/4136#issuecomment-2253693490
 services:
  # This would represent your actual DMS container:
  dms-sender:
-    image: mailserver/docker-mailserver:latest # :14.0
+    image: mailserver/docker-mailserver:latest # :15.0
    hostname: mail.example.test
    environment:
      # All outbound mail will be relayed through this host
@ -37,7 +37,7 @@ services:
  # Pretend this is your third-party relay service:
  dms-relay:
-    image: mailserver/docker-mailserver:latest # :14.0
+    image: mailserver/docker-mailserver:latest # :15.0
    hostname: smtp.relay-service.test
    environment:
      # WORKAROUND: Bypass security checks from the mail-client (dms-sender container)
@ -58,7 +58,7 @@ services:
  # Pretend this is another mail server that your target recipient belongs to (like Gmail):
  dms-destination:
-    image: mailserver/docker-mailserver:latest # :14.0
+    image: mailserver/docker-mailserver:latest # :15.0
    hostname: mail.destination.test
    # WORKAROUND: dms-relay must be able to resolve DNS for `@destination.test` to the IP of this container:
    # Normally a MX record would direct mail to the MTA (eg: `mail.destination.test`)
--- a/docs/content/config/advanced/mail-forwarding/relay-hosts.md
+++ b/docs/content/config/advanced/mail-forwarding/relay-hosts.md
@ -151,6 +151,6 @@ We provide this support via two config files:
 [wikipedia::smarthost]: https://en.wikipedia.org/wiki/Smart_host
 [docs::env-relay]: ../../environment.md#relay-host
-[dms-repo::helpers-relay]: https://github.com/docker-mailserver/docker-mailserver/blob/v14.0.0/target/scripts/helpers/relay.sh
+[dms-repo::helpers-relay]: https://github.com/docker-mailserver/docker-mailserver/blob/v15.0.0/target/scripts/helpers/relay.sh
 [dms-gh::pr-3607]: https://github.com/docker-mailserver/docker-mailserver/issues/3607
 [dms-gh::relay-example]: https://github.com/docker-mailserver/docker-mailserver/issues/3842#issuecomment-1913380639
--- a/docs/content/config/security/fail2ban.md
+++ b/docs/content/config/security/fail2ban.md
@ -14,18 +14,48 @@ hide:
 ## Configuration
-!!! warning
+Enabling Fail2Ban support can be done via ENV, but also requires granting at least the `NET_ADMIN` capability to interact with the kernel and ban IP addresses.
-    DMS must be launched with the `NET_ADMIN` capability in order to be able to install the NFTables rules that actually ban IP addresses. Thus, either include `--cap-add=NET_ADMIN` in the `docker run` command, or the equivalent in the `compose.yaml`:
+!!! example
-    ```yaml
+    === "Docker Compose"
-    cap_add:
+
-      - NET_ADMIN
+        ```yaml title="compose.yaml"
-    ```
+        services:
          mailserver:
            environment:
              - ENABLE_FAIL2BAN=1
            cap_add:
              - NET_ADMIN
        ```
    === "Docker CLI"
        ```bash
        docker run --rm -it \
          --cap-add=NET_ADMIN \
          --env ENABLE_FAIL2BAN=1
        ```
 !!! warning "Security risk of adding non-default capabilties"
    DMS bundles F2B into the image for convenience to simplify integration and deployment.
    The [`NET_ADMIN`][security::cap-net-admin] and [`NET_RAW`][security::cap-net-raw] capabilities are not granted by default to the container root user, as they can be used to compromise security.
    If this risk concerns you, it may be wiser to instead prefer only granting these capabilities to a dedicated Fail2Ban container ([example][lsio:f2b-image]).
 !!! bug "Running Fail2Ban on Older Kernels"
-    DMS configures F2B to use NFTables, not IPTables (legacy). We have observed that older systems, for example NAS systems, do not support the modern NFTables rules. You will need to configure F2B to use legacy IPTables again, for example with the [``fail2ban-jail.cf``][github-file-f2bjail], see the [section on configuration further down below](#custom-files).
+    DMS configures F2B to use [NFTables][network::nftables], not [IPTables (legacy)][network::iptables-legacy].
    We have observed that older systems (for example NAS systems), do not support the modern NFTables rules. You will need to configure F2B to use legacy IPTables again, for example with the [`fail2ban-jail.cf`][github-file-f2bjail], see the [section on configuration further down below](#custom-files).
 [security::cap-net-admin]: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap_net_admin
 [security::cap-net-raw]: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap_net_raw
 [lsio:f2b-image]: https://docs.linuxserver.io/images/docker-fail2ban
 [network::nftables]: https://en.wikipedia.org/wiki/Nftables
 [network::iptables-legacy]: https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables#two_variants_of_the_iptables_command
 ### DMS Defaults
--- a/docs/content/config/security/rspamd.md
+++ b/docs/content/config/security/rspamd.md
@ -139,7 +139,7 @@ To use the web interface you will need to configure a password, [otherwise you w
    ---
-    **Related:** A minimal Rspamd `compose.yaml` [example with a reverse-proxy for web access][gh-dms:guide::rspamd-web].
+    **Related:** A minimal Rspamd `compose.yaml` [example with a reverse-proxy for web access][gh-dms::guide::rspamd-web].
 ### DNS
@ -353,8 +353,8 @@ While _Abusix_ can be integrated into Postfix, Postscreen and a multitude of oth
 [abusix-docs::rspamd-integration]: https://abusix.com/docs/rspamd/
 [spamhaus::faq::dnsbl-usage]: https://www.spamhaus.org/faq/section/DNSBL%20Usage#365
-[dms-repo::rspamd-actions-config]: https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd/local.d/actions.conf
+[dms-repo::rspamd-actions-config]: https://github.com/docker-mailserver/docker-mailserver/tree/v15.0.0/target/rspamd/local.d/actions.conf
-[dms-repo::default-rspamd-configuration]: https://github.com/docker-mailserver/docker-mailserver/tree/v14.0.0/target/rspamd
+[dms-repo::default-rspamd-configuration]: https://github.com/docker-mailserver/docker-mailserver/tree/v15.0.0/target/rspamd
 [gh-dms::guide::valkey]: https://github.com/docker-mailserver/docker-mailserver/issues/4001#issuecomment-2652596692
 [gh-dms::guide::rspamd-web]: https://github.com/orgs/docker-mailserver/discussions/4269#discussioncomment-11329588
--- a/docs/content/examples/tutorials/dovecot-solr.md
+++ b/docs/content/examples/tutorials/dovecot-solr.md
@ -44,19 +44,21 @@ As the official DMS image does not provide `dovecot-solr`, you'll need to includ
          mailserver:
            hostname: mail.example.com
            # The `image` setting now represents the tag for the local build configured below:
-            image: local/dms:14.0
+            image: local/dms:${DMS_TAG?Must set DMS image tag}
            # Local build (no need to try pull `image` remotely):
            pull_policy: build
            # Add this `build` section to your real `compose.yaml` for your DMS service:
            build:
              dockerfile_inline: |
-                FROM docker.io/mailserver/docker-mailserver:14.0
+                FROM docker.io/mailserver/docker-mailserver:${DMS_TAG?Must set DMS image tag}
                RUN apt-get update && apt-get install dovecot-solr
        ```
-        - Just run `docker compose up` and it will pull DMS and build your custom image to run a container.
+        This approach only needs to install the package once with the image build itself which minimizes the delay of container startup.
-        - Updating to a new DMS release is straight-forward, just adjust the version tag as you normally would. If you make future changes that don't apply, you may need to force a rebuild.
+
-        - This approach only needs to install the package once with the image build itself. This minimizes delay of container startup.
+        - Just run `DMS_TAG='14.0' docker compose up` and it will pull the DMS image, then build your custom DMS image to run a new container instance.
        - Updating to a new DMS release is straight-forward, just adjust the `DMS_TAG` ENV value or change the image tag directly in `compose.yaml` as you normally would to upgrade an image.
        - If you make future changes to the `dockerfile_inline` that don't seem to be applied, you may need to force a rebuild with `DMS_TAG='14.0' docker compose up --build`.
 !!! note "Why doesn't DMS include `dovecot-solr`?"
--- a/mailserver.env
+++ b/mailserver.env
@ -508,7 +508,7 @@ DOVECOT_MAILBOX_FORMAT=maildir
 # empty => no
 # yes => Allow bind authentication for LDAP
-# https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
+# https://doc.dovecot.org/2.4.0/core/config/auth/databases/ldap.html#authentication-bind
 DOVECOT_AUTH_BIND=
 # -----------------------------------------------
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@ -68,9 +68,10 @@ smtpd_forbid_bare_newline = yes
 # smtpd_forbid_bare_newline_exclusions = $mynetworks
 # Custom defined parameters for DMS:
-# reject_unknown_sender_domain: https://github.com/docker-mailserver/docker-mailserver/issues/3716#issuecomment-1868033234
+# Custom sender restrictions overview: https://github.com/docker-mailserver/docker-mailserver/pull/4379#issuecomment-2670365917
 # `reject_unknown_sender_domain`: https://github.com/docker-mailserver/docker-mailserver/issues/3716#issuecomment-1868033234
 dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
-# Submission ports 587 and 465 support for SPOOF_PROTECTION=1
+# `SPOOF_PROTECTION=1` support requires prepending `reject_authenticated_sender_login_mismatch`
 mua_sender_restrictions = reject_authenticated_sender_login_mismatch, $dms_smtpd_sender_restrictions
 # Postscreen settings to drop zombies/open relays/spam early
--- a/target/scripts/build/packages.sh
+++ b/target/scripts/build/packages.sh
@ -36,20 +36,46 @@ function _pre_installation_steps() {
  apt-get "${QUIET}" install --no-install-recommends "${EARLY_PACKAGES[@]}" 2>/dev/null
 }
 # Install third-party commands to /usr/local/bin
 function _install_utils() {
  local ARCH_A
  ARCH_A=$(uname --machine)
  # Alternate naming convention support: x86_64 (amd64) / aarch64 (arm64)
  # https://en.wikipedia.org/wiki/X86-64#Industry_naming_conventions
  local ARCH_B
  case "${ARCH_A}" in
    ( 'x86_64'  ) ARCH_B='amd64' ;;
    ( 'aarch64' ) ARCH_B='arm64' ;;
    ( * )
      _log 'error' "Unsupported arch: '${ARCH_A}'"
      return 1
      ;;
  esac
  # TIP: `*.tar.gz` releases tend to forget to reset UID/GID ownership when archiving.
  # When extracting with `tar` as `root` the archived UID/GID is kept, unless using `--no-same-owner`.
  # Likewise when the binary is in a nested location the full archived path
  # must be provided + `--strip-components` to extract the file to the target directory.
  # Doing this avoids the need for (`mv` + `rm`) or (`--to-stdout` + `chmod +x`)
  _log 'debug' 'Installing utils sourced from Github'
  _log 'trace' 'Installing jaq'
  local JAQ_TAG='v2.1.0'
-  curl -sSfL "https://github.com/01mf02/jaq/releases/download/${JAQ_TAG}/jaq-$(uname -m)-unknown-linux-gnu" -o /usr/bin/jaq
+  curl -sSfL "https://github.com/01mf02/jaq/releases/download/${JAQ_TAG}/jaq-$(uname -m)-unknown-linux-gnu" -o /usr/local/bin/jaq
-  chmod +x /usr/bin/jaq
+  chmod +x /usr/local/bin/jaq
  _log 'trace' 'Installing step'
  local STEP_RELEASE='0.28.2'
  curl -sSfL "https://github.com/smallstep/cli/releases/download/v${STEP_RELEASE}/step_linux_${STEP_RELEASE}_${ARCH_B}.tar.gz" \
    | tar -xz --directory /usr/local/bin --no-same-owner --strip-components=2 "step_${STEP_RELEASE}/bin/step"
  _log 'trace' 'Installing swaks'
  # `perl-doc` is required for `swaks --help` to work:
  apt-get "${QUIET}" install --no-install-recommends perl-doc
  local SWAKS_VERSION='20240103.0'
  local SWAKS_RELEASE="swaks-${SWAKS_VERSION}"
-  curl -sSfL "https://github.com/jetmore/swaks/releases/download/v${SWAKS_VERSION}/${SWAKS_RELEASE}.tar.gz" | tar -xz
+  curl -sSfL "https://github.com/jetmore/swaks/releases/download/v${SWAKS_VERSION}/${SWAKS_RELEASE}.tar.gz" \
-  mv "${SWAKS_RELEASE}/swaks" /usr/local/bin
+    | tar -xz --directory /usr/local/bin --no-same-owner --strip-components=1 "${SWAKS_RELEASE}/swaks"
  rm -r "${SWAKS_RELEASE}"
 }
 function _install_postfix() {
--- a/target/scripts/helpers/rspamd.sh
+++ b/target/scripts/helpers/rspamd.sh
@ -111,14 +111,6 @@ function _rspamd_handle_user_modules_adjustments() {
    fi
  }
  # We check for usage of the previous location of the commands file.
  # TODO This can be removed after the release of v14.0.0.
  local RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD="${RSPAMD_DMS_D}-modules.conf"
  readonly RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD
  if [[ -f ${RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD} ]]; then
    _dms_panic__general "Old custom command file location '${RSPAMD_DMS_CUSTOM_COMMANDS_F_OLD}' is deprecated (use '${RSPAMD_DMS_CUSTOM_COMMANDS_F}' now)" 'Rspamd setup'
  fi
  if [[ -f "${RSPAMD_DMS_CUSTOM_COMMANDS_F}" ]]; then
    __rspamd__log 'debug' "Found file '${RSPAMD_DMS_CUSTOM_COMMANDS_F}' - parsing and applying it"
--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@ -43,7 +43,6 @@ function _register_functions() {
  # ? >> Setup
  _register_setup_function '_setup_vmail_id'
  _register_setup_function '_setup_logs_general'
  _register_setup_function '_setup_timezone'
  if [[ ${SMTP_ONLY} -ne 1 ]]; then
@ -182,6 +181,9 @@ if [[ -f /CONTAINER_START ]]; then
  # We cannot skip all setup routines because some need to run _after_
  # the initial setup (and hence, they cannot be moved to the check stack).
  _setup_directory_and_file_permissions
  # shellcheck source=./startup/setup.d/mail_state.sh
  source /usr/local/bin/setup.d/mail_state.sh
  _setup_adjust_state_permissions
 else
  _setup
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@ -82,6 +82,8 @@ function _setup_timezone() {
  fi
 }
 # Misc checks and fixes migrated here until next refactor:
 # NOTE: `start-mailserver.sh` runs this along with `mail-state.sh` during container restarts
 function _setup_directory_and_file_permissions() {
  _log 'trace' 'Removing leftover PID files from a stop/start'
  find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
@ -101,6 +103,8 @@ function _setup_directory_and_file_permissions() {
    _log 'debug' "Ensuring '${RSPAMD_DMS_DKIM_D}' is owned by '_rspamd:_rspamd'"
    chown -R _rspamd:_rspamd "${RSPAMD_DMS_DKIM_D}"
  fi
  __log_fixes
 }
 function _setup_run_user_patches() {
@ -113,3 +117,32 @@ function _setup_run_user_patches() {
    _log 'trace' "No optional '${USER_PATCHES}' provided"
  fi
 }
 function __log_fixes() {
  _log 'debug' 'Ensuring /var/log/mail owneership + permissions are correct'
  # File/folder permissions are fine when using docker volumes, but may be wrong
  # when file system folders are mounted into the container.
  # Set the expected values and create missing folders/files just in case.
  mkdir -p /var/log/{mail,supervisor}
  # TODO: Remove these lines in a future release once concerns are resolved:
  # https://github.com/docker-mailserver/docker-mailserver/pull/4370#issuecomment-2661762043
  chown syslog:root /var/log/mail
  if [[ ${ENABLE_CLAMAV} -eq 1 ]]; then
    # TODO: Consider assigning /var/log/mail a writable non-root group for other processes like ClamAV?
    # - Check if ClamAV is capable of creating files itself when they're missing?
    # - Alternatively a symlink to /var/log/mail from the original intended location would allow write access
    #   as a user to the symlink location, while keeping ownership as root at /var/log/mail
    # - `LogSyslog false` for clamd.conf + freshclam.conf could possibly be enabled instead of log files?
    #   However without better filtering in place (once Vector is adopted), this should be avoided.
    touch /var/log/mail/{clamav,freshclam}.log
    chown clamav:adm /var/log/mail/{clamav,freshclam}.log
  fi
  # Volume permissions should be corrected:
  # https://github.com/docker-mailserver/docker-mailserver-helm/issues/137
  chmod 755 /var/log/mail/
  find /var/log/mail/ -type f -exec chmod 640 {} +
 }
--- a/target/scripts/startup/setup.d/log.sh
+++ b/target/scripts/startup/setup.d/log.sh
@ -1,15 +1,5 @@
 #!/bin/bash
 function _setup_logs_general() {
  _log 'debug' 'Setting up general log files'
  # File/folder permissions are fine when using docker volumes, but may be wrong
  # when file system folders are mounted into the container.
  # Set the expected values and create missing folders/files just in case.
  mkdir -p /var/log/{mail,supervisor}
  chown syslog:root /var/log/mail
 }
 function _setup_logrotate() {
  _log 'debug' 'Setting up logrotate'
--- a/target/scripts/startup/setup.d/postfix.sh
+++ b/target/scripts/startup/setup.d/postfix.sh
@ -93,13 +93,19 @@ EOF
 function _setup_postfix_late() {
  _log 'debug' 'Configuring Postfix (late setup)'
  # These two config files are `access` database tables managed via `setup email restrict`:
  # NOTE: Prepends to existing restrictions, thus has priority over other permit/reject policies that follow.
  # https://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
  # https://www.postfix.org/access.5.html
  __postfix__log 'trace' 'Configuring user access'
  if [[ -f /tmp/docker-mailserver/postfix-send-access.cf ]]; then
-    sed -i -E 's|(smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf
+    # Prefer to prepend to our specialized variant instead:
    # https://github.com/docker-mailserver/docker-mailserver/pull/4379
    sed -i -E 's|^(dms_smtpd_sender_restrictions =)|\1 check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf
  fi
  if [[ -f /tmp/docker-mailserver/postfix-receive-access.cf ]]; then
-    sed -i -E 's|(smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf
+    sed -i -E 's|^(smtpd_recipient_restrictions =)|\1 check_recipient_access texthash:/tmp/docker-mailserver/postfix-receive-access.cf,|' /etc/postfix/main.cf
  fi
  __postfix__log 'trace' 'Configuring relay host'
--- a/target/scripts/startup/setup.d/security/misc.sh
+++ b/target/scripts/startup/setup.d/security/misc.sh
@ -155,13 +155,6 @@ function __setup__security__clamav() {
  if [[ ${ENABLE_CLAMAV} -eq 1 ]]; then
    _log 'debug' 'Enabling and configuring ClamAV'
    local FILE
    for FILE in /var/log/mail/{clamav,freshclam}.log; do
      touch "${FILE}"
      chown clamav:adm "${FILE}"
      chmod 640 "${FILE}"
    done
    if [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]]; then
      _log 'trace' "Setting ClamAV message scan size limit to '${CLAMAV_MESSAGE_SIZE_LIMIT}'"