Merge branch 'docker-mailserver:master' into mta-sts-support

.gitattributes

@@ -10,7 +10,7 @@
 *.yml               text
 ### Documentation (Project, Tests, Docs site)
 *.md                text
-### TLS certs (test/test-files/) + DHE params (target/shared/)
+### TLS certs (test/files/) + DHE params (target/shared/)
 *.pem               text
 *.pem.sha512sum     text
 
@@ -90,9 +90,9 @@ TrustedHosts        text
 whitelist_recipients text
 
 ## MISC
-### test/config/ + test/test-files/
+### test/config/ + test/files/
 *.txt               text
-### test/linting/ (.ecrc.json) + test/test-files/ (*.acme.json):
+### test/linting/ (.ecrc.json) + test/files/ (*.acme.json):
 *.json              text
 
 #################################################

.github/pull_request_template.md

@@ -26,3 +26,4 @@ Fixes #
 - [ ] I have made corresponding changes to the documentation (README.md or the documentation under `docs/`)
 - [ ] If necessary I have added tests that prove my fix is effective or that my feature works
 - [ ] New and existing unit tests pass locally with my changes
+- [ ] **I have added information about changes made in this PR to `CHANGELOG.md`**

.github/workflows/contributors.yml

@@ -25,8 +25,9 @@ jobs:
         with:
           readme_path: CONTRIBUTORS.md
           collaborators: all
+          use_username: true
           commit_message: 'docs: updated `CONTRIBUTORS.md`'
           committer_username: github-actions[bot]
           committer_email: 41898282+github-actions[bot]@users.noreply.github.com
-          pr_title_on_protected: 'docs: update `CONTRIBUTORS.md'
+          pr_title_on_protected: 'docs: update `CONTRIBUTORS.md`'
           auto_detect_branch_protection: true

.github/workflows/docs-preview-deploy.yml

@@ -25,7 +25,7 @@ jobs:
 
       # The official Github Action for downloading artifacts does not support multi-workflow
       - name: 'Download build artifact'
-        uses: dawidd6/action-download-artifact@v2
+        uses: dawidd6/action-download-artifact@v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           run_id: ${{ github.event.workflow_run.id }}

.github/workflows/docs-preview-prepare.yml

@@ -73,7 +73,7 @@ jobs:
           tar --zstd -cf artifact.tar.zst pr.env ${{ env.BUILD_DIR }}
 
       - name: 'Upload artifact for workflow transfer'
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: preview-build
           path: artifact.tar.zst

.github/workflows/generic_build.yml

@@ -83,7 +83,7 @@ jobs:
 
       # NOTE: AMD64 can build within 2 minutes
       - name: 'Build images'
-        uses: docker/build-push-action@v5.0.0
+        uses: docker/build-push-action@v5.1.0
         with:
           context: .
           # Build at least the AMD64 image (which runs against the test suite).

.github/workflows/generic_publish.yml

@@ -23,7 +23,7 @@ jobs:
 
       - name: 'Prepare tags'
         id: prep
-        uses: docker/metadata-action@v5.0.0
+        uses: docker/metadata-action@v5.4.0
         with:
           images: |
             ${{ secrets.DOCKER_REPOSITORY }}
@@ -66,18 +66,13 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: 'Acquire the image version'
-        id: get-version
-        shell: bash
-        run: echo "version=$(<VERSION)" >>"${GITHUB_OUTPUT}"
-
       - name: 'Build and publish images'
-        uses: docker/build-push-action@v5.0.0
+        uses: docker/build-push-action@v5.1.0
         with:
           context: .
           build-args: |
+            DMS_RELEASE=${{ github.ref_type == 'tag' && github.ref_name || 'edge' }}
             VCS_REVISION=${{ github.sha }}
-            VCS_VERSION=${{ steps.get-version.outputs.version }}
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.prep.outputs.tags }}

.github/workflows/generic_test.yml

@@ -43,7 +43,7 @@ jobs:
       # Importing from the cache should create the image within approx 30 seconds:
       # NOTE: `qemu` step is not needed as we only test for AMD64.
       - name: 'Build AMD64 image from cache'
-        uses: docker/build-push-action@v5.0.0
+        uses: docker/build-push-action@v5.1.0
         with:
           context: .
           tags: mailserver-testing:ci

.github/workflows/generic_vulnerability-scan.yml

@@ -42,7 +42,7 @@ jobs:
       # Importing from the cache should create the image within approx 30 seconds:
       # NOTE: `qemu` step is not needed as we only test for AMD64.
       - name: 'Build AMD64 image from cache'
-        uses: docker/build-push-action@v5.0.0
+        uses: docker/build-push-action@v5.1.0
         with:
           context: .
           tags: mailserver-testing:ci
@@ -55,13 +55,13 @@ jobs:
           provenance: false
 
       - name: 'Run the Anchore Grype scan action'
-        uses: anchore/scan-action@v3.3.6
+        uses: anchore/scan-action@v3.3.8
         id: scan
         with:
           image: mailserver-testing:ci
           fail-build: false
 
       - name: 'Upload vulnerability report'
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/handle_stalled.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Close stale issues
-        uses: actions/stale@v8
+        uses: actions/stale@v9
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-stale: 20

.github/workflows/linting.yml

@@ -1,6 +1,9 @@
 name: Lint
 
 on:
+  # A workflow that creates a PR will not trigger this workflow,
+  # Providing a manual trigger as a workaround
+  workflow_dispatch:
   pull_request:
   push:
     branches: [ master ]

CHANGELOG.md

@@ -2,16 +2,98 @@
 
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v12.1.0...HEAD)
+## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v13.1.0...HEAD)
 
 > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
 
+### Security
+
+DMS is now secured against the [recently published spoofing attack "SMTP Smuggling"](https://www.postfix.org/smtp-smuggling.html) that affected Postfix ([#3727](https://github.com/docker-mailserver/docker-mailserver/pull/3727)):
+- Postfix upgraded from `3.5.18` to `3.5.23` which provides the [long-term fix with `smtpd_forbid_bare_newline = yes`](https://www.postfix.org/smtp-smuggling.html#long)
+- If you are unable to upgrade to this release of DMS, you may follow [these instructions](https://github.com/docker-mailserver/docker-mailserver/issues/3719#issuecomment-1870865118) for applying the [short-term workaround](https://www.postfix.org/smtp-smuggling.html#short).
+- This change should not cause compatibility concerns for legitimate mail clients, however if you use software like `netcat` to send mail to DMS (_like our test-suite previously did_) it may now be rejected (_especially with the the short-term workaround `smtpd_data_restrictions = reject_unauth_pipelining`_).
+- **NOTE:** This Postfix update also includes the new parameter [`smtpd_forbid_bare_newline_exclusions`](https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline_exclusions) which defaults to `$mynetworks` for excluding trusted mail clients excluded from the restriction.
+  - With our default `PERMIT_DOCKER=none` this is not a concern.
+  - Presently the Docker daemon config has `user-proxy: true` enabled by default.
+    - On a host that can be reached by IPv6, this will route to a DMS IPv4 only container implicitly through the Docker network bridge gateway which rewrites the source address.
+    - If your `PERMIT_DOCKER` setting allows that gateway IP, then it is part of `$mynetworks` and this attack would not be prevented from such connections.
+    - If this affects your deployment, refer to [our IPv6 docs](https://docker-mailserver.github.io/docker-mailserver/v13.2/config/advanced/ipv6/) for advice on handling IPv6 correctly in Docker. Alternatively [use our `postfix-main.cf`](https://docker-mailserver.github.io/docker-mailserver/v13.2/config/advanced/override-defaults/postfix/) to set `smtpd_forbid_bare_newline_exclusions=` as empty.
+
+### Updates
+
+- The test suite now uses `swaks` instead of `nc`, which has multiple benefits ([#3732](https://github.com/docker-mailserver/docker-mailserver/pull/3732)):
+  - `swaks` handles pipelining correctly, hence we can now use `reject_unauth_pipelining` in Postfix's configuration.
+  - `swaks` provides better CLI options that make many files superflous.
+  - `swaks` can also replace `openssl s_client` and handles authentication on submission ports better.
+
+## [v13.1.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.1.0)
+
+### Added
+
+- **Dovecot:**
+  - ENV `ENABLE_IMAP` ([#3703](https://github.com/docker-mailserver/docker-mailserver/pull/3703))
+- **Tests:**
+  - You can now use `make run-local-instance` to run a DMS image that was built locally to test changes ([#3663](https://github.com/docker-mailserver/docker-mailserver/pull/3663))
+- **Internal**:
+  - Log a warning when update-check is enabled, but no stable release image is used ([#3684](https://github.com/docker-mailserver/docker-mailserver/pull/3684))
+
+### Updates
+
+- **Documentation:**
+  - Debugging - Raise awareness in the troubleshooting page for a common misconfiguration when deviating from our advice by using a bare domain ([#3680](https://github.com/docker-mailserver/docker-mailserver/pull/3680))
+  - Debugging - Raise awareness of temporary downtime during certificate renewal that can cause a failure to deliver local mail ([#3718](https://github.com/docker-mailserver/docker-mailserver/pull/3718))
+- **Internal:**
+  - Postfix configures `virtual_mailbox_maps` and `virtual_transport` during startup instead of using defaults (configured for Dovecot) via our `main.cf` ([#3681](https://github.com/docker-mailserver/docker-mailserver/pull/3681))
+- **Rspamd:**
+  - Upgraded to version `3.7.5`. This was previously inconsistent between our AMD64 (`3.5`) and ARM64 (`3.4`) images ([#3686](https://github.com/docker-mailserver/docker-mailserver/pull/3686))
+
+### Fixed
+
+- **Internal**:
+  - The container startup welcome log message now references `DMS_RELEASE` ([#3676](https://github.com/docker-mailserver/docker-mailserver/pull/3676))
+  - `VERSION` was incremented for prior releases to be notified of the v13.0.1 patch release ([#3676](https://github.com/docker-mailserver/docker-mailserver/pull/3676))
+  - `VERSION` is no longer included in the image ([#3711](https://github.com/docker-mailserver/docker-mailserver/pull/3711))
+  - Update-check: fix 'read' exit status ([#3688](https://github.com/docker-mailserver/docker-mailserver/pull/3688))
+  - `ENABLE_QUOTAS=0` no longer tries to remove non-existent config ([#3715](https://github.com/docker-mailserver/docker-mailserver/pull/3715))
+  - The `postgrey` service now writes logs to the supervisor directory like all other services. Previously this was `/var/log/mail/mail.log` ([#3724](https://github.com/docker-mailserver/docker-mailserver/pull/3724))
+- **Rspamd:**
+  - Switch to official arm64 packages to avoid segfaults ([#3686](https://github.com/docker-mailserver/docker-mailserver/pull/3686))
+- **CI / Automation:**
+  - The lint workflow can now be manually triggered by maintainers ([#3714]https://github.com/docker-mailserver/docker-mailserver/pull/3714)
+
+## [v13.0.1](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.0.1)
+
+This patch release fixes two bugs that Rspamd users encountered with the `v13.0.0` release. Big thanks to the those that helped to identify these issues! ❤️
+
+### Fixed
+
+- **Internal:**
+  - The update check service now queries the latest GH release for a version tag (_instead of from a `VERSION` file at the GH repo_). This should provide more reliable update notifications ([#3666](https://github.com/docker-mailserver/docker-mailserver/pull/3666))
+- **Rspamd:**
+  - The check for correct permission on the private key when signing e-mails with DKIM was flawed. The result was that a false warning was emitted ([#3669](https://github.com/docker-mailserver/docker-mailserver/pull/3669))
+  - When [`RSPAMD_CHECK_AUTHENTICATED=0`][docs::env-rspamd-check-auth], DKIM signing for outbound e-mail was disabled, which is undesirable ([#3669](https://github.com/docker-mailserver/docker-mailserver/pull/3669)). **Make sure to check the documentation of [`RSPAMD_CHECK_AUTHENTICATED`][docs::env-rspamd-check-auth]**!
+
+[docs::env-rspamd-check-auth]: https://docker-mailserver.github.io/docker-mailserver/v13.0/config/environment/#rspamd_check_authenticated
+
+## [v13.0.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.0.0)
+
 ### Breaking
 
-- The environment variable `ENABLE_LDAP=1` has been changed to `ACCOUNT_PROVISIONER=LDAP`.
-- Postfix now defaults to supporting DSNs (_[Delivery Status Notifications](https://github.com/docker-mailserver/docker-mailserver/pull/3572#issuecomment-1751880574)_) only for authenticated users. This is a security measure to reduce spammer abuse of your DMS instance as a backscatter source.
+- **LDAP:**
+  - ENV `LDAP_SERVER_HOST`, `DOVECOT_URIS`, and `SASLAUTHD_LDAP_SERVER` will now log an error if the LDAP URI scheme is missing. Previously there was an implicit fallback to `ldap://` ([#3522](https://github.com/docker-mailserver/docker-mailserver/pull/3522))
+  - `ENABLE_LDAP=1` is no longer supported, please use `ACCOUNT_PROVISIONER=LDAP` ([#3507](https://github.com/docker-mailserver/docker-mailserver/pull/3507))
+- **Rspamd:**
+  - The deprecated path for the Rspamd custom commands file (`/tmp/docker-mailserver/rspamd-modules.conf`) now prevents successful startup. The correct path is `/tmp/docker-mailserver/rspamd/custom-commands.conf`.
+- **Dovecot:**
+  - Dovecot mail storage per account in `/var/mail` previously shared the same path for the accounts home directory ([#3335](https://github.com/docker-mailserver/docker-mailserver/pull/3335))
+    - The home directory now is a subdirectory `home/`. This change better supports sieve scripts.
+    - **NOTE:** The change has not yet been implemented for `ACCOUNT_PROVISIONER=LDAP`.
+- **Postfix:**
+  - `/etc/postfix/master.cf` has renamed the "smtps" service to "submissions" ([#3235](https://github.com/docker-mailserver/docker-mailserver/pull/3235))
+    - This is the modern `/etc/services` name for port 465, aligning with the similar "submission" port 587.
+  - Postfix now defaults to supporting DSNs (_[Delivery Status Notifications](https://github.com/docker-mailserver/docker-mailserver/pull/3572#issuecomment-1751880574)_) only for authenticated users (_via ports 465 + 587_). This is a security measure to reduce spammer abuse of your DMS instance as a backscatter source. ([#3572](https://github.com/docker-mailserver/docker-mailserver/pull/3572))
     - If you need to modify this change, please let us know by opening an issue / discussion.
-  - You can [opt-out (_enable DSNs_) via the `postfix-main.cf` override support](https://docker-mailserver.github.io/docker-mailserver/v12.1/config/advanced/override-defaults/postfix/) using the contents: `smtpd_discard_ehlo_keywords =`.
+    - You can [opt out (_enable DSNs_) via the `postfix-main.cf` override support](https://docker-mailserver.github.io/docker-mailserver/v12.1/config/advanced/override-defaults/postfix/) using the contents: `smtpd_discard_ehlo_keywords =`.
     - Likewise for authenticated users, the submission(s) ports (465 + 587) are configured internally via `master.cf` to keep DSNs enabled (_since authentication protects from abuse_).
 
       If necessary, DSNs for authenticated users can be disabled via the `postfix-master.cf` override with the following contents:
@@ -21,11 +103,99 @@ All notable changes to this project will be documented in this file. The format
       submissions/inet/smtpd_discard_ehlo_keywords=silent-discard,dsn
       ```
 
-- using the old path for the Rspamd custom commands file (`/tmp/docker-mailserver/rspamd-modules.conf`), which was deprecated, will now prevent startup; use `/tmp/docker-mailserver/rspamd/custom-commands.conf` instead
-
 ### Added
 
-- New environment variable `MARK_SPAM_AS_READ`. When set to `1`, marks incoming junk as "read" to avoid unwanted notification of junk as new mail ([#3489](https://github.com/docker-mailserver/docker-mailserver/pull/3489))
+- **Features:**
+  - `getmail` as an alternative to `fetchmail` ([#2803](https://github.com/docker-mailserver/docker-mailserver/pull/2803))
+  - `setup` CLI - `setup fail2ban` gained a new `status <JAIL>` subcommand ([#3455](https://github.com/docker-mailserver/docker-mailserver/pull/3455))
+- **Environment Variables:**
+  - `MARK_SPAM_AS_READ`. When set to `1`, marks incoming spam as "read" to avoid unwanted "new mail" notifications for junk mail ([#3489](https://github.com/docker-mailserver/docker-mailserver/pull/3489))
+  - `DMS_VMAIL_UID` and `DMS_VMAIL_GID` allow changing the default ID values (`5000:5000`) for the Dovecot vmail user and group ([#3550](https://github.com/docker-mailserver/docker-mailserver/pull/3550))
+  - `RSPAMD_CHECK_AUTHENTICATED` allows authenticated users to avoid additional security checks by Rspamd ([#3440](https://github.com/docker-mailserver/docker-mailserver/pull/3440))
+- **Documentation:**
+  - Use-case examples / tutorials:
+    - iOS mail push support ([#3513](https://github.com/docker-mailserver/docker-mailserver/pull/3513))
+    - Guide for setting up Dovecot Authentication via Lua ([#3579](https://github.com/docker-mailserver/docker-mailserver/pull/3579))
+    - Guide for integrating with the Crowdsec service ([#3651](https://github.com/docker-mailserver/docker-mailserver/pull/3651))
+  - Debugging page:
+    - New compatibility section ([#3404](https://github.com/docker-mailserver/docker-mailserver/pull/3404))
+    - Now advises how to (re)start DMS correctly ([#3654](https://github.com/docker-mailserver/docker-mailserver/pull/3654))
+  - Better communicate distinction between DMS FQDN and DMS mail accounts ([#3372](https://github.com/docker-mailserver/docker-mailserver/pull/3372))
+  - Traefik example now includes `passthrough=true` on implicit ports ([#3568](https://github.com/docker-mailserver/docker-mailserver/pull/3568))
+  - Rspamd docs have received a variety of revisions ([#3318](https://github.com/docker-mailserver/docker-mailserver/pull/3318), [#3325](https://github.com/docker-mailserver/docker-mailserver/pull/3325), [#3329](https://github.com/docker-mailserver/docker-mailserver/pull/3329))
+  - IPv6 config examples with content tabs ([#3436](https://github.com/docker-mailserver/docker-mailserver/pull/3436))
+  - Mention [internet.nl](https://internet.nl/test-mail/) as another testing service ([#3445](https://github.com/docker-mailserver/docker-mailserver/pull/3445))
+  - `setup alias add ...` CLI help message now includes an example for aliasing to multiple recipients ([#3600](https://github.com/docker-mailserver/docker-mailserver/pull/3600))
+  - `SPAMASSASSIN_SPAM_TO_INBOX=1`, now emits a debug log to raise awareness that `SA_KILL` will be ignored ([#3360](https://github.com/docker-mailserver/docker-mailserver/pull/3360))
+  - `CLAMAV_MESSAGE_SIZE_LIMIT` now logs a warning when the value exceeds what ClamAV is capable of supporting (4GiB max scan size [#3332](https://github.com/docker-mailserver/docker-mailserver/pull/3332), 2GiB max file size [#3341](https://github.com/docker-mailserver/docker-mailserver/pull/3341))
+  - Added note to caution against changing `mydestination` in Postfix's `main.cf` ([#3316](https://github.com/docker-mailserver/docker-mailserver/pull/3316))
+- **Internal:**
+  - Added a wrapper to update Postfix configuration safely ([#3484](https://github.com/docker-mailserver/docker-mailserver/pull/3484), [#3503](https://github.com/docker-mailserver/docker-mailserver/pull/3503))
+  - Add debug group to `packages.sh` ([#3578](https://github.com/docker-mailserver/docker-mailserver/pull/3578))
+- **Tests:**
+  - Additional linting check for BASH syntax ([#3369](https://github.com/docker-mailserver/docker-mailserver/pull/3369))
+
+### Updates
+
+- **Misc:**
+  - Changed `setup config dkim` default key size to `2048` (`open-dkim`) ([#3508](https://github.com/docker-mailserver/docker-mailserver/pull/3508))
+- **Postfix:**
+  - Dropped special bits from `maildrop/` and `public/` directory permissions ([#3625](https://github.com/docker-mailserver/docker-mailserver/pull/3625))
+- **Rspamd:**
+  - Adjusted learning of ham ([#3334](https://github.com/docker-mailserver/docker-mailserver/pull/3334))
+  - Adjusted `antivirus.conf` ([#3331](https://github.com/docker-mailserver/docker-mailserver/pull/3331))
+  - `logrotate` setup + Rspamd log path + tests log helper fallback path ([#3576](https://github.com/docker-mailserver/docker-mailserver/pull/3576))
+  - Setup during container startup is now more resilient ([#3578](https://github.com/docker-mailserver/docker-mailserver/pull/3578))
+  - Changed DKIM default config location ([#3597](https://github.com/docker-mailserver/docker-mailserver/pull/3597))
+  - Removed the symlink for the `override.d/` directory in favor of using `cp`, integrated into the changedetector service, added a `--force` option for the Rspamd DKIM management, and provided a dedicated helper script for common ENV variables ([#3599](https://github.com/docker-mailserver/docker-mailserver/pull/3599))
+  - Required permissions are now verified for DKIM private key files ([#3627](https://github.com/docker-mailserver/docker-mailserver/pull/3627))
+- **Documentation:**
+  - Documentation aligned to Compose v2 conventions, `docker-compose` command changed to `docker compose`, `docker-compose.yaml` to `compose.yaml` ([#3295](https://github.com/docker-mailserver/docker-mailserver/pull/3295))
+  - Restored missing edit button ([#3338](https://github.com/docker-mailserver/docker-mailserver/pull/3338))
+  - Complete rewrite of the IPv6 page ([#3244](https://github.com/docker-mailserver/docker-mailserver/pull/3244), [#3531](https://github.com/docker-mailserver/docker-mailserver/pull/3531))
+  - Complete rewrite of the "Update and Cleanup" maintenance page ([#3539](https://github.com/docker-mailserver/docker-mailserver/pull/3539), [#3583](https://github.com/docker-mailserver/docker-mailserver/pull/3583))
+  - Improved debugging page advice on working with logs ([#3626](https://github.com/docker-mailserver/docker-mailserver/pull/3626), [#3640](https://github.com/docker-mailserver/docker-mailserver/pull/3640))
+  - Clarified the default for ENV `FETCHMAIL_PARALLEL` ([#3603](https://github.com/docker-mailserver/docker-mailserver/pull/3603))
+  - Removed port 25 from FAQ entry for mail client ports supporting authenticated submission ([#3496](https://github.com/docker-mailserver/docker-mailserver/pull/3496))
+  - Updated home path in docs for Dovecot Sieve ([#3370](https://github.com/docker-mailserver/docker-mailserver/pull/3370), [#3650](https://github.com/docker-mailserver/docker-mailserver/pull/3650))
+  - Fixed path to `rspamd.log` ([#3585](https://github.com/docker-mailserver/docker-mailserver/pull/3585))
+  - "Optional Config" page now uses consistent lowercase convention for directory names ([#3629](https://github.com/docker-mailserver/docker-mailserver/pull/3629))
+  - `CONTRIBUTORS.md`: Removed redundant "All Contributors" section ([#3638](https://github.com/docker-mailserver/docker-mailserver/pull/3638))
+- **Internal:**
+  - LDAP config improvements (Removed implicit `ldap://` LDAP URI scheme fallback) ([#3522](https://github.com/docker-mailserver/docker-mailserver/pull/3522))
+  - Changed style conventions for internal scripts ([#3361](https://github.com/docker-mailserver/docker-mailserver/pull/3361), [#3364](https://github.com/docker-mailserver/docker-mailserver/pull/3364), [#3365](https://github.com/docker-mailserver/docker-mailserver/pull/3365), [#3366](https://github.com/docker-mailserver/docker-mailserver/pull/3366), [#3368](https://github.com/docker-mailserver/docker-mailserver/pull/3368), [#3464](https://github.com/docker-mailserver/docker-mailserver/pull/3464))
+- **CI / Automation:**
+  - `.gitattributes` now ensures files are committed with `eol=lf` ([#3527](https://github.com/docker-mailserver/docker-mailserver/pull/3527))
+  - Revised the GitHub issue bug report template ([#3317](https://github.com/docker-mailserver/docker-mailserver/pull/3317), [#3381](https://github.com/docker-mailserver/docker-mailserver/pull/3381), [#3435](https://github.com/docker-mailserver/docker-mailserver/pull/3435))
+  - Clarified that the issue tracker is not for personal support ([#3498](https://github.com/docker-mailserver/docker-mailserver/pull/3498), [#3502](https://github.com/docker-mailserver/docker-mailserver/pull/3502))
+  - Bumped versions of miscellaneous software (also shoutout to @dependabot) ([#3371](https://github.com/docker-mailserver/docker-mailserver/pull/3371), [#3584](https://github.com/docker-mailserver/docker-mailserver/pull/3584), [#3504](https://github.com/docker-mailserver/docker-mailserver/pull/3504), [#3516](https://github.com/docker-mailserver/docker-mailserver/pull/3516))
+- **Tests:**
+  - Refactored LDAP tests to current conventions ([#3483](https://github.com/docker-mailserver/docker-mailserver/pull/3483))
+  - Changed OpenLDAP image to `bitnami/openldap` ([#3494](https://github.com/docker-mailserver/docker-mailserver/pull/3494))
+  - Revised LDAP config + setup ([#3514](https://github.com/docker-mailserver/docker-mailserver/pull/3514))
+  - Added tests for the helper function `_add_to_or_update_postfix_main()` ([#3505](https://github.com/docker-mailserver/docker-mailserver/pull/3505))
+  - EditorConfig Checker lint now uses a mount path to `/check` instead of `/ci` ([#3655](https://github.com/docker-mailserver/docker-mailserver/pull/3655))
+
+### Fixed
+
+- **Security:**
+  - Fixed issue with concatenating `$dmarc_milter` and `$dkim_milter` in `main.cf` ([#3380](https://github.com/docker-mailserver/docker-mailserver/pull/3380))
+  - Fixed Rspamd DKIM signing for inbound emails ([#3439](https://github.com/docker-mailserver/docker-mailserver/pull/3439), [#3453](https://github.com/docker-mailserver/docker-mailserver/pull/3453))
+  - OpenDKIM key generation is no longer broken when Rspamd is also enabled ([#3535](https://github.com/docker-mailserver/docker-mailserver/pull/3535))
+- **Internal:**
+  - The "database" files (_for managing users and aliases_) now correctly filters within lookup query ([#3359](https://github.com/docker-mailserver/docker-mailserver/pull/3359))
+  - `_setup_spam_to_junk()` no longer registered when `SMTP_ONLY=1` ([#3385](https://github.com/docker-mailserver/docker-mailserver/pull/3385))
+  - Dovecot `fts_xapian` is now compiled from source to match the Dovecot package ABI ([#3373](https://github.com/docker-mailserver/docker-mailserver/pull/3373))
+- **CI:**
+  - Scheduled build now have the correct permissions to run successfully ([#3345](https://github.com/docker-mailserver/docker-mailserver/pull/3345))
+- **Documentation:**
+  - Miscellaneous spelling and wording improvements ([#3324](https://github.com/docker-mailserver/docker-mailserver/pull/3324), [#3330](https://github.com/docker-mailserver/docker-mailserver/pull/3330), [#3337](https://github.com/docker-mailserver/docker-mailserver/pull/3337), [#3339](https://github.com/docker-mailserver/docker-mailserver/pull/3339), [#3344](https://github.com/docker-mailserver/docker-mailserver/pull/3344), [#3367](https://github.com/docker-mailserver/docker-mailserver/pull/3367), [#3411](https://github.com/docker-mailserver/docker-mailserver/pull/3411), [#3443](https://github.com/docker-mailserver/docker-mailserver/pull/3443))
+- **Tests:**
+  - Run `pgrep` within the actual container ([#3553](https://github.com/docker-mailserver/docker-mailserver/pull/3553))
+  - `lmtp_ip.bats` improved partial failure output ([#3552](https://github.com/docker-mailserver/docker-mailserver/pull/3552))
+  - Improvements to LDIF test data ([#3506](https://github.com/docker-mailserver/docker-mailserver/pull/3506))
+  - Normalized for `.gitattributes` + improved `eclint` coverage ([#3566](https://github.com/docker-mailserver/docker-mailserver/pull/3566))
+  - Fixed ShellCheck linting for BATS tests ([#3347](https://github.com/docker-mailserver/docker-mailserver/pull/3347))
 
 ## [v12.1.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v12.1.0)
 
@@ -38,7 +208,7 @@ All notable changes to this project will be documented in this file. The format
   - add option to re-enable `reject_unknown_client_hostname` after #3248 ([#3255](https://github.com/docker-mailserver/docker-mailserver/pull/3255))
   - add DKIM helper script ([#3286](https://github.com/docker-mailserver/docker-mailserver/pull/3286))
 - make `policyd-spf` configurable ([#3246](https://github.com/docker-mailserver/docker-mailserver/pull/3246))
-- add 'log' command to setup for Fail2Ban ([#3299](https://github.com/docker-mailserver/docker-mailserver/pull/3299))
+- add 'log' command to set up for Fail2Ban ([#3299](https://github.com/docker-mailserver/docker-mailserver/pull/3299))
 - `setup` command now expects accounts and aliases to be mutually exclusive ([#3270](https://github.com/docker-mailserver/docker-mailserver/pull/3270))
 
 ### Updated

Dockerfile

@@ -286,8 +286,6 @@ RUN <<EOF
   update-locale
 EOF
 
-COPY VERSION /
-
 COPY \
   target/bin/* \
   target/scripts/*.sh \
@@ -304,8 +302,8 @@ COPY target/scripts/startup/setup.d /usr/local/bin/setup.d
 #
 
 FROM stage-main AS stage-final
+ARG DMS_RELEASE=edge
 ARG VCS_REVISION=unknown
-ARG VCS_VERSION=edge
 
 WORKDIR /
 EXPOSE 25 587 143 465 993 110 995 4190
@@ -336,4 +334,5 @@ LABEL org.opencontainers.image.source="https://github.com/docker-mailserver/dock
 # ARG invalidates cache when it is used by a layer (implicitly affects RUN)
 # Thus to maximize cache, keep these lines last:
 LABEL org.opencontainers.image.revision=${VCS_REVISION}
-LABEL org.opencontainers.image.version=${VCS_VERSION}
+LABEL org.opencontainers.image.version=${DMS_RELEASE}
+ENV DMS_RELEASE=${DMS_RELEASE}

Makefile

@@ -18,11 +18,7 @@ BATS_PARALLEL_JOBS     ?= 2
 all: lint build generate-accounts tests clean
 
 build: ALWAYS_RUN
-	@ DOCKER_BUILDKIT=1 docker build \
-		--tag $(IMAGE_NAME) \
-		--build-arg VCS_VERSION=$(shell git rev-parse --short HEAD) \
-		--build-arg VCS_REVISION=$(shell cat VERSION) \
-		.
+	@ docker build --tag $(IMAGE_NAME) .
 
 generate-accounts: ALWAYS_RUN
 	@ cp test/config/templates/postfix-accounts.cf test/config/postfix-accounts.cf
@@ -36,6 +32,22 @@ clean: ALWAYS_RUN
 	-@ while read -r LINE; do [[ $${LINE} =~ test/.+ ]] && FILES+=("/mnt$${LINE#test}"); done < .gitignore ; \
 		docker run --rm -v "$(REPOSITORY_ROOT)/test/:/mnt" alpine ash -c "rm -rf $${FILES[@]}"
 
+run-local-instance: ALWAYS_RUN
+	bash -c 'sleep 8 ; ./setup.sh email add postmaster@example.test 123' &
+	docker run --rm --interactive --tty --name dms-test_example \
+		--env OVERRIDE_HOSTNAME=mail.example.test \
+		--env POSTFIX_INET_PROTOCOLS=ipv4 \
+		--env DOVECOT_INET_PROTOCOLS=ipv4 \
+		--env ENABLE_CLAMAV=0 \
+		--env ENABLE_AMAVIS=0 \
+		--env ENABLE_RSPAMD=0 \
+		--env ENABLE_OPENDKIM=0 \
+		--env ENABLE_OPENDMARC=0 \
+		--env ENABLE_POLICYD_SPF=0 \
+		--env ENABLE_SPAMASSASSIN=0 \
+		--env LOG_LEVEL=trace \
+		$(IMAGE_NAME)
+
 # -----------------------------------------------
 # --- Tests  ------------------------------------
 # -----------------------------------------------

VERSION

@@ -1 +1 @@
-12.1.0
+13.1.0

docs/content/config/advanced/mail-sieve.md

@@ -11,9 +11,9 @@ There are global and user specific filters which are filtering the incoming emai
 
 Global filters are applied to EVERY incoming mail for EVERY email address.
 To specify a global Sieve filter provide a `docker-data/dms/config/before.dovecot.sieve` or a `docker-data/dms/config/after.dovecot.sieve` file with your filter rules.
-If any filter in this filtering chain discards an incoming mail, the delivery process will stop as well and the mail will not reach any following filters(e.g. global-before stops an incoming spam mail: The mail will get discarded and a user-specific filter won't get applied.)
+If any filter in this filtering chain discards an incoming mail, the delivery process will stop as well and the mail will not reach any following filters (e.g. global-before stops an incoming spam mail: The mail will get discarded and a user-specific filter won't get applied.)
 
-To specify a user-defined Sieve filter place a `.dovecot.sieve` file into a virtual user's mail folder e.g. `/var/mail/example.com/user1/.dovecot.sieve`. If this file exists dovecot will apply the filtering rules.
+To specify a user-defined Sieve filter place a `.dovecot.sieve` file into a virtual user's mail folder (e.g. `/var/mail/example.com/user1/home/.dovecot.sieve`). If this file exists dovecot will apply the filtering rules.
 
 It's even possible to install a user provided Sieve filter at startup during users setup: simply include a Sieve file in the `docker-data/dms/config/` path for each user login that needs a filter. The file name provided should be in the form `<user_login>.dovecot.sieve`, so for example for `user1@example.com` you should provide a Sieve file named `docker-data/dms/config/user1@example.com.dovecot.sieve`.
 

docs/content/config/debugging.md

@@ -14,6 +14,27 @@ This page contains valuable information when it comes to resolving issues you en
 
 - Check that all published DMS ports are actually open and not blocked by your ISP / hosting provider.
 - SSL errors are likely the result of a wrong setup on the user side and not caused by DMS itself.
+- Ensure that you have correctly started DMS. Many problems related to configuration are due to this.
+
+!!! danger "Correctly starting DMS"
+
+    Use the [`--force-recreate`][docker-docs::force-recreate] option to avoid configuration mishaps: `docker compose up --force-recreate`
+
+    Alternatively, always use `docker compose down` to stop DMS. **Do not** rely on `CTRL + C`, `docker compose stop`, or `docker compose restart`.
+
+    ---
+
+    DMS setup scripts are run when a container starts, but may fail to work properly if you do the following:
+
+    - Stopping a container with commands like: `docker stop` or `docker compose up` stopped via `CTRL + C` instead of `docker compose down`.
+    - Restarting a container.
+
+    Volumes persist data across container instances, however the same container instance will keep internal changes not stored in a volume until the container is removed.
+
+    Due to this, DMS setup scripts may modify configuration it has already modified in the past.
+
+    - This is brittle as some changes are naive by assuming they are applied to the original configs from the image.
+    - Volumes in `compose.yaml` are expected to persist any important data. Thus it should be safe to throwaway the container created each time, avoiding this config problem.
 
 ### Mail sent from DMS does not arrive at destination
 
@@ -25,6 +46,17 @@ Some service providers block outbound traffic on port 25. Common hosting provide
 
 These links may advise how the provider can unblock the port through additional services offered, or via a support ticket request.
 
+### Mail sent to DMS does not get delivered to user
+
+Common logs related to this are:
+
+- `warning: do not list domain domain.fr in BOTH mydestination and virtual_mailbox_domains`
+- `Recipient address rejected: User unknown in local recipient table`
+
+If your logs look like this, you likely have [assigned the same FQDN to the DMS `hostname` and your mail accounts][gh-issues::dms-fqdn-misconfigured] which is not supported by default. You can either adjust your DMS `hostname` or follow [this FAQ advice][docs::faq-bare-domain]
+
+It is also possible that [DMS services are temporarily unavailable][gh-issues::dms-services-unavailable] when configuration changes are detected, producing the 2nd error. Certificate updates may be a less obvious trigger.
+
 ## Steps for Debugging DMS
 
 1. **Increase log verbosity**: Very helpful for troubleshooting problems during container startup. Set the environment variable [`LOG_LEVEL`][docs-environment-log-level] to `debug` or `trace`.
@@ -47,8 +79,7 @@ To get a shell inside the container run: `docker exec -it <CONTAINER NAME> bash`
 
 If you need more flexibility than what the `docker logs` command offers, then the most useful locations to get relevant DMS logs within the container are:
 
-- `/var/log/mail/mail.log`
-- `/var/log/mail/mail/<SERVICE>.log`
+- `/var/log/mail/<SERVICE>.log`
 - `/var/log/supervisor/<SERVICE>.log`
 
 You may use `nano` (a text editor) to edit files, while `less` (a file viewer) and `tail`/`cat` are useful tools to inspect the contents of logs.
@@ -74,6 +105,7 @@ This could be from outdated software, or running a system that isn't able to pro
 
 ### System
 
+- **macOS:** DMS has limited support for macOS. Often an issue encountered is due to permissions related to the `volumes` config in `compose.yaml`. You may have luck [trying `gRPC FUSE`][gh-macos-support] as the file sharing implementation; [`VirtioFS` is the successor][docker-macos-virtiofs] but presently appears incompatible with DMS.
 - **Kernel:** Some systems provide [kernels with modifications (_replacing defaults and backporting patches_)][network::kernels-modified] to support running legacy software or kernels, complicating compatibility. This can be commonly experienced with products like NAS.
 - **CGroups v2:** Hosts running older kernels (prior to 5.2) and systemd (prior to v244) are not likely to leverage cgroup v2, or have not defaulted to the cgroup v2 `unified` hierarchy. Not meeting this baseline may influence the behaviour of your DMS container, even with the latest Docker Engine installed.
 - **Container runtime:** Docker and Podman for example have subtle differences. DMS docs are primarily focused on Docker, but we try to document known issues where relevant.
@@ -86,13 +118,20 @@ This could be from outdated software, or running a system that isn't able to pro
 [network::kernels-modified]: https://github.com/docker-mailserver/docker-mailserver/pull/2662#issuecomment-1168435970
 [network::kernel-nftables]: https://unix.stackexchange.com/questions/596493/can-nftables-and-iptables-ip6tables-rules-be-applied-at-the-same-time-if-so-wh/596497#596497
 
-[docs-faq]: ../faq.md
 [docs-environment-log-level]: ./environment.md#log_level
+[docs-faq]: ../faq.md
+[docs::faq-bare-domain]: ../faq.md#can-i-use-a-nakedbare-domain-ie-no-hostname
 [docs-ipv6]: ./advanced/ipv6.md
 [docs-introduction]: ../introduction.md
+[docs-rootless-portdriver]: ./security/fail2ban.md#running-inside-a-rootless-container
 [docs-usage]: ../usage.md
+
 [gh-issues]: https://github.com/docker-mailserver/docker-mailserver/issues
+[gh-issues::dms-fqdn-misconfigured]: https://github.com/docker-mailserver/docker-mailserver/issues/3679#issuecomment-1837609043
+[gh-issues::dms-services-unavailable]: https://github.com/docker-mailserver/docker-mailserver/issues/3679#issuecomment-1848083358
+[gh-macos-support]: https://github.com/docker-mailserver/docker-mailserver/issues/3648#issuecomment-1822774080
 [gh-discuss-roundcube-fail2ban]: https://github.com/orgs/docker-mailserver/discussions/3273#discussioncomment-5654603
 
 [docker-rootless-interface]: https://github.com/moby/moby/issues/45742
-[docs-rootless-portdriver]: ./security/fail2ban.md#running-inside-a-rootless-container
+[docker-macos-virtiofs]: https://www.docker.com/blog/speed-boost-achievement-unlocked-on-docker-desktop-4-6-for-mac/
+[docker-docs::force-recreate]: https://docs.docker.com/compose/reference/up/

docs/content/config/environment.md

@@ -140,9 +140,14 @@ Enabled `policyd-spf` in Postfix's configuration. You will likely want to set th
 
 ##### ENABLE_POP3
 
-- **empty** => POP3 service disabled
+- **0** => POP3 service disabled
 - 1 => Enables POP3 service
 
+##### ENABLE_IMAP
+
+- 0 => Disabled
+- **1** => Enabled
+
 ##### ENABLE_CLAMAV
 
 - **0** => ClamAV is disabled
@@ -232,9 +237,9 @@ Provide any valid URI. Examples:
 - `lmtps:inet:<host>:<port>` (secure lmtp with starttls)
 - `lmtp:<kopano-host>:2003` (use kopano as mailstore)
 
-##### POSTFIX\_MAILBOX\_SIZE\_LIMIT
+##### POSTFIX_MAILBOX_SIZE_LIMIT
 
-Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default).
+Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default). Size is in bytes.
 
 - **empty** => 0 (no limit)
 
@@ -245,9 +250,9 @@ Set the mailbox size limit for all users. If set to zero, the size will be unlim
 
 See [mailbox quota][docs-accounts-quota].
 
-##### POSTFIX\_MESSAGE\_SIZE\_LIMIT
+##### POSTFIX_MESSAGE_SIZE_LIMIT
 
-Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!)
+Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!). Size is in bytes.
 
 - **empty** => 10240000 (~10 MB)
 
@@ -375,6 +380,10 @@ The purpose of this setting is to opt-out of starting an internal Redis instance
 
 This settings controls whether checks should be performed on emails coming from authenticated users (i.e. most likely outgoing emails). The default value is `0` in order to align better with SpamAssassin. **We recommend** reading through [the Rspamd documentation on scanning outbound emails][rspamd-scanning-outbound] though to decide for yourself whether you need and want this feature.
 
+!!! note "Not all checks and actions are disabled"
+
+    DKIM signing of e-mails will still happen.
+
 - **0** => No checks will be performed for authenticated users
 - 1 => All default checks will be performed for authenticated users
 

docs/content/config/security/rspamd.md

@@ -8,10 +8,6 @@ Rspamd is a ["fast, free and open-source spam filtering system"][rspamd-homepage
 
 If you want to have a look at the default configuration files for Rspamd that DMS packs, navigate to [`target/rspamd/` inside the repository][dms-default-configuration]. Please consult the [section "The Default Configuration"](#the-default-configuration) section down below for a written overview.
 
-!!! note "AMD64 vs ARM64"
-
-    We are currently doing a best-effort installation of Rspamd for ARM64 (from the Debian backports repository for Debian 11). The current version difference as of 23rd Apr 2023: AMD64 is at version 3.5 | ARM64 is at version 3.4.
-
 [rspamd-homepage]: https://rspamd.com/
 [dms-default-configuration]: https://github.com/docker-mailserver/docker-mailserver/tree/master/target/rspamd
 

docs/content/contributing/tests.md

@@ -78,6 +78,10 @@ We use `make` to run commands.
 
     When writing tests, ensure that parallel set tests still pass when run in parallel. You need to account for other tests running in parallel that may interfere with your own tests logic.
 
+!!! tip
+
+    You may use `make run-local-instance` to run a version of the image built locally to test and edit your changes in a running DMS instance.
+
 ### An Example
 
 In this example, you've made a change to the Rspamd feature support (_or adjusted it's tests_). First verify no regressions have been introduced by running it's specific test file:

docs/content/examples/tutorials/crowdsec.md

@@ -0,0 +1,74 @@
+---
+title: 'Tutorials | Crowdsec'
+---
+
+!!! quote "What is Crowdsec?"
+    
+    Crowdsec is an open source software that detects and blocks attackers using log analysis.
+    It has access to a global community-wide IP reputation database.
+
+    [Source](https://www.crowdsec.net)
+
+## Installation
+
+Crowdsec supports multiple [installation methods][crowdsec-installation-docs], however this page will use the docker installation.
+
+
+### Docker mailserver
+
+In your `compose.yaml` for the DMS service, add a bind mount volume for `/var/log/mail`. This is to share the DMS logs to a separate crowdsec container.
+
+!!! example 
+    ```yaml
+    services:
+      mailserver:
+          - /docker-data/dms/mail-logs/:/var/log/mail/
+    ```
+
+### Crowdsec
+
+The crowdsec container should also bind mount the same host path for the DMS logs that was added in the DMS example above.
+
+```yaml
+services:
+  image: crowdsecurity/crowdsec
+  restart: unless-stopped
+  ports:
+    - "8080:8080"
+    - "6060:6060"
+  volumes:
+    - /docker-data/dms/mail-logs/:/var/log/dms:ro
+    - ./acquis.d:/etc/crowdsec/acquis.d
+    - crowdsec-db:/var/lib/crowdsec/data/
+  environment:
+    # These collection contains parsers and scenarios for postfix and dovecot
+    COLLECTIONS: crowdsecurity/postfix crowdsecurity/dovecot
+    TZ: Europe/Paris
+volumes:
+  crowdsec-db:
+```
+
+## Configuration
+
+Configure crowdsec to read and parse DMS logs file.
+
+!!! example
+
+    Create the file `dms.yml` in `./acquis.d/`
+    
+    ```yaml
+    ---
+    source: file
+    filenames:
+      - /var/log/dms/mail.log
+    labels:
+      type: syslog
+    ```
+
+!!! warning Bouncers
+
+    Crowdsec on its own is just a detection software, the remediation is done by components called bouncers.
+    This page does not explain how to install or configure a bouncer. It can be found in [crowdsec documentation][crowdsec-bouncer-docs].
+
+[crowdsec-installation-docs]: https://doc.crowdsec.net/docs/getting_started/install_crowdsec
+[crowdsec-bouncer-docs]: https://doc.crowdsec.net/docs/bouncers/intro

docs/content/examples/tutorials/docker-build.md

@@ -10,7 +10,7 @@ You'll need to retrieve the git submodules prior to building your own Docker ima
 
 ```sh
 git submodule update --init --recursive
-docker build -t <YOUR CUSTOM IMAGE NAME> .
+docker build --tag <YOUR CUSTOM IMAGE NAME> .
 ```
 
 Or, you can clone and retrieve the submodules in one command:
@@ -21,19 +21,26 @@ git clone --recurse-submodules https://github.com/docker-mailserver/docker-mails
 
 ### About Docker
 
-#### Version
+#### Minimum supported version
 
-We make use of build-features that require a recent version of Docker. Depending on your distribution, please have a look at [the official installation documentation for Docker](https://docs.docker.com/engine/install/) to get the latest version. Otherwise, you may encounter issues, for example with the `--link` flag for a [`#!dockerfile COPY`](https://docs.docker.com/engine/reference/builder/#copy) command.
+We make use of build features that require a recent version of Docker. v23.0 or newer is advised, but earlier releases may work.
 
-#### Environment
+- To get the latest version for your distribution, please have a look at [the official installation documentation for Docker](https://docs.docker.com/engine/install/).
+- If you are using a version of Docker prior to v23.0, you will need to enable BuildKit via the ENV [`DOCKER_BUILDKIT=1`](https://docs.docker.com/build/buildkit/#getting-started).
 
-If you are not using `make` to build the image, note that you will need to provide `DOCKER_BUILDKIT=1` to the `docker build` command for the build to succeed.
+#### Build Arguments (Optional)
 
-#### Build Arguments
+The `Dockerfile` includes several build [`ARG`][docker-docs::builder-arg] instructions that can be configured:
 
-The `Dockerfile` takes additional, so-called build arguments. These are
+- `DOVECOT_COMMUNITY_REPO`: Install Dovecot from the community repo instead of from Debian (default = 1) 
+- `DMS_RELEASE`: The image version (default = edge)
+- `VCS_REVISION`: The git commit hash used for the build (default = unknown)
 
-1. `VCS_VERSION`: the image version (default = edge)
-2. `VCS_REVISION`: the image revision (default = unknown)
+!!! note
 
-When using `make` to build the image, these are filled with proper values. You can build the image without supplying these arguments just fine though.
+    - `DMS_RELEASE` (_when not `edge`_) will be used to check for updates from our GH releases page at runtime due to the default feature [`ENABLE_UPDATE_CHECK=1`][docs::env-update-check].
+    - Both `DMS_RELEASE` and `VCS_REVISION` are also used with `opencontainers` metadata [`LABEL`][docker-docs::builder-label] instructions.
+
+[docs::env-update-check]: https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/#enable_update_check
+[docker-docs::builder-arg]: https://docs.docker.com/engine/reference/builder/#using-arg-variables
+[docker-docs::builder-label]: https://docs.docker.com/engine/reference/builder/#label

docs/mkdocs.yml

@@ -158,6 +158,7 @@ nav:
     - 'Tutorials':
       - 'Basic Installation': examples/tutorials/basic-installation.md
       - 'Mailserver behind Proxy': examples/tutorials/mailserver-behind-proxy.md
+      - 'Crowdsec': examples/tutorials/crowdsec.md
       - 'Building your own Docker image': examples/tutorials/docker-build.md
       - 'Blog Posts': examples/tutorials/blog-posts.md
     - 'Use Cases':

mailserver.env

@@ -119,10 +119,16 @@ ENABLE_OPENDMARC=1
 # - **1** => Enabled
 ENABLE_POLICYD_SPF=1
 
-# 1 => Enables POP3 service
-# empty => disables POP3
+# Enables POP3 service
+# - **0** => Disabled
+# - 1     => Enabled
 ENABLE_POP3=
 
+# Enables IMAP service
+# - 0     => Disabled
+# - **1** => Enabled
+ENABLE_IMAP=1
+
 # Enables ClamAV, and anti-virus scanner.
 #   1   => Enabled
 # **0** => Disabled
@@ -153,6 +159,8 @@ RSPAMD_LEARN=0
 # is `0` in order to align better with SpamAssassin. We recommend reading
 # through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
 # decide for yourself whether you need and want this feature.
+#
+# Note that DKIM signing of e-mails will still happen.
 RSPAMD_CHECK_AUTHENTICATED=0
 
 # Controls whether the Rspamd Greylisting module is enabled.
@@ -246,7 +254,7 @@ VIRUSMAILS_DELETE_DELAY=
 # `lmtp:<kopano-host>:2003` (use kopano as mailstore)
 POSTFIX_DAGENT=
 
-# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default).
+# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default). Size is in bytes.
 #
 # empty => 0
 POSTFIX_MAILBOX_SIZE_LIMIT=
@@ -256,7 +264,7 @@ POSTFIX_MAILBOX_SIZE_LIMIT=
 # 1 => Dovecot quota is enabled
 ENABLE_QUOTAS=1
 
-# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!)
+# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!). Size is in bytes.
 #
 # empty => 10240000 (~10 MB)
 POSTFIX_MESSAGE_SIZE_LIMIT=

target/bin/setquota

@@ -59,10 +59,14 @@ function _quota_request_if_missing() {
   fi
 }
 
+
+# Dovecot docs incorrectly refer to these units with names for SI types (base 10),
+# But then mentions they're actually treated as IEC type (base 2):
+# https://doc.dovecot.org/settings/types/#size
 function _quota_unit_is_valid() {
   if ! grep -qE "^([0-9]+(B|k|M|G|T)|0)\$" <<< "${QUOTA}"; then
     __usage
-    _exit_with_error 'Invalid quota format. e.g. 302M (B (byte), k (kilobyte), M (megabyte), G (gigabyte) or T (terabyte))'
+    _exit_with_error 'Invalid quota format. e.g. 302M (B (byte), k (kibibyte), M (mebibyte), G (gibibyte) or T (tebibyte))'
   fi
 }
 

target/postfix/main.cf

@@ -57,6 +57,12 @@ smtpd_sender_restrictions = $dms_smtpd_sender_restrictions
 smtpd_discard_ehlo_keywords = silent-discard, dsn
 disable_vrfy_command = yes
 
+# Security - Prevent SMTP Smuggling attack
+# https://www.postfix.org/smtp-smuggling.html#long
+smtpd_forbid_bare_newline = yes
+# It is possible to exclude clients on trusted networks from this restriction (the upstream default is `$mynetwork`):
+# smtpd_forbid_bare_newline_exclusions = $mynetworks
+
 # Custom defined parameters for DMS:
 dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
 # Submission ports 587 and 465 support for SPOOF_PROTECTION=1
@@ -88,10 +94,10 @@ smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain = $mydomain
 broken_sasl_auth_clients = yes
 
-# Mail directory
-virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
+# Postfix lookup tables for verifying valid users and managed mail domains:
+# Populated during startup in: scripts/helpers/postfix.sh
 virtual_mailbox_domains = /etc/postfix/vhost
-virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
+# Populated during startup in: scripts/helpers/aliases.sh
 virtual_alias_maps = texthash:/etc/postfix/virtual
 
 # Milters used by DKIM

target/rspamd/local.d/settings.conf

@@ -6,7 +6,7 @@ authenticated {
     priority = high;
     authenticated = yes;
     apply {
-        groups_enabled = [];
+        groups_enabled = [dkim];
     }
 }
 # DMS::SED_TAG::1::END

target/scripts/build/packages.sh

@@ -80,7 +80,7 @@ function _install_packages() {
   # `bind9-dnsutils` provides the `dig` command
   # `iputils-ping` provides the `ping` command
   DEBUG_PACKAGES=(
-    bind9-dnsutils iputils-ping less nano
+    bind9-dnsutils iputils-ping less nano swaks
   )
 
   apt-get "${QUIET}" --no-install-recommends install \
@@ -130,29 +130,14 @@ function _install_dovecot() {
 function _install_rspamd() {
   _log 'trace' 'Adding Rspamd package signatures'
   local DEB_FILE='/etc/apt/sources.list.d/rspamd.list'
-  local RSPAMD_PACKAGE_NAME
 
-  # We try getting the most recent version of Rspamd for aarch64 (from an official source, which
-  # is the backports repository). The version for aarch64 is 3.2; the most recent version for amd64
-  # that we get with the official PPA is 3.4.
-  #
-  # Not removing it later is fine as you have to explicitly opt into installing a backports package
-  # which is not something you could be doing by accident.
-  if [[ $(uname --machine) == 'aarch64' ]]; then
-    echo '# Official Rspamd PPA does not support aarch64, so we use the Bullseye backports' >"${DEB_FILE}"
-    echo 'deb [arch=arm64] http://deb.debian.org/debian bullseye-backports main' >>"${DEB_FILE}"
-    RSPAMD_PACKAGE_NAME='rspamd/bullseye-backports'
-  else
   curl -sSfL https://rspamd.com/apt-stable/gpg.key | gpg --dearmor >/etc/apt/trusted.gpg.d/rspamd.gpg
-    local URL='[arch=amd64 signed-by=/etc/apt/trusted.gpg.d/rspamd.gpg] http://rspamd.com/apt-stable/ bullseye main'
+  local URL='[signed-by=/etc/apt/trusted.gpg.d/rspamd.gpg] http://rspamd.com/apt-stable/ bullseye main'
   echo "deb ${URL}" >"${DEB_FILE}"
-    echo "deb-src ${URL}" >>"${DEB_FILE}"
-    RSPAMD_PACKAGE_NAME='rspamd'
-  fi
 
   _log 'debug' 'Installing Rspamd'
   apt-get "${QUIET}" update
-  apt-get "${QUIET}" --no-install-recommends install "${RSPAMD_PACKAGE_NAME}" 'redis-server'
+  apt-get "${QUIET}" --no-install-recommends install 'rspamd' 'redis-server'
 }
 
 function _install_fail2ban() {
@@ -205,6 +190,11 @@ function _install_getmail() {
   apt-get "${QUIET}" autoremove
 }
 
+function _install_utils() {
+  _log 'debug' 'Installing utils sourced from Github'
+  curl -sL https://github.com/01mf02/jaq/releases/latest/download/jaq-v1.2.0-x86_64-unknown-linux-musl -o /usr/bin/jaq && chmod +x /usr/bin/jaq
+}
+
 function _remove_data_after_package_installations() {
   _log 'debug' 'Deleting sensitive files (secrets)'
   rm /etc/postsrsd.secret
@@ -228,5 +218,6 @@ _install_dovecot
 _install_rspamd
 _install_fail2ban
 _install_getmail
+_install_utils
 _remove_data_after_package_installations
 _post_installation_steps

target/scripts/helpers/aliases.sh

@@ -23,6 +23,7 @@ function _handle_postfix_virtual_config() {
   fi
 }
 
+# TODO: Investigate why this file is always created, nothing seems to append only the cp below?
 function _handle_postfix_regexp_config() {
   : >/etc/postfix/regexp
 

target/scripts/start-mailserver.sh

@@ -91,20 +91,22 @@ function _register_functions() {
   _register_setup_function '_setup_dovecot_hostname'
 
   _register_setup_function '_setup_postfix_early'
-  _register_setup_function '_setup_fetchmail'
-  _register_setup_function '_setup_fetchmail_parallel'
 
-  # needs to come after _setup_postfix_early
+  # Dependent upon _setup_postfix_early first calling _create_aliases
+  # Due to conditional check for /etc/postfix/regexp
   _register_setup_function '_setup_spoof_protection'
 
-  _register_setup_function '_setup_getmail'
+  _register_setup_function '_setup_postfix_late'
 
   if [[ ${ENABLE_SRS} -eq 1  ]]; then
     _register_setup_function '_setup_SRS'
     _register_start_daemon '_start_daemon_postsrsd'
   fi
 
-  _register_setup_function '_setup_postfix_late'
+  _register_setup_function '_setup_fetchmail'
+  _register_setup_function '_setup_fetchmail_parallel'
+  _register_setup_function '_setup_getmail'
+
   _register_setup_function '_setup_logrotate'
   _register_setup_function '_setup_mail_summary'
   _register_setup_function '_setup_logwatch'
@@ -125,7 +127,13 @@ function _register_functions() {
 
   [[ ${SMTP_ONLY}               -ne 1 ]] && _register_start_daemon '_start_daemon_dovecot'
 
-  [[ ${ENABLE_UPDATE_CHECK}     -eq 1 ]] && _register_start_daemon '_start_daemon_update_check'
+  if [[ ${ENABLE_UPDATE_CHECK} -eq 1 ]]; then
+    if [[ ${DMS_RELEASE} != 'edge' ]]; then
+      _register_start_daemon '_start_daemon_update_check'
+    else
+      _log 'warn' "ENABLE_UPDATE_CHECK=1 is configured, but image is not a stable release. Update-Check is disabled."
+    fi
+  fi
 
   # The order here matters: Since Rspamd is using Redis, Redis should be started before Rspamd.
   [[ ${ENABLE_RSPAMD_REDIS}     -eq 1 ]] && _register_start_daemon '_start_daemon_rspamd_redis'
@@ -158,7 +166,7 @@ function _register_functions() {
 _early_supervisor_setup
 _early_variables_setup
 
-_log 'info' "Welcome to docker-mailserver $(</VERSION)"
+_log 'info' "Welcome to docker-mailserver ${DMS_RELEASE}"
 
 _register_functions
 _check

target/scripts/startup/setup.d/dovecot.sh

@@ -6,12 +6,10 @@ function _setup_dovecot() {
   cp -a /usr/share/dovecot/protocols.d /etc/dovecot/
   # disable pop3 (it will be eventually enabled later in the script, if requested)
   mv /etc/dovecot/protocols.d/pop3d.protocol /etc/dovecot/protocols.d/pop3d.protocol.disab
+  # disable imap (it will be eventually enabled later in the script, if requested)
+  mv /etc/dovecot/protocols.d/imapd.protocol /etc/dovecot/protocols.d/imapd.protocol.disab
   mv /etc/dovecot/protocols.d/managesieved.protocol /etc/dovecot/protocols.d/managesieved.protocol.disab
-  sed -i -e 's|#ssl = yes|ssl = yes|g' /etc/dovecot/conf.d/10-master.conf
-  sed -i -e 's|#port = 993|port = 993|g' /etc/dovecot/conf.d/10-master.conf
-  sed -i -e 's|#port = 995|port = 995|g' /etc/dovecot/conf.d/10-master.conf
-  sed -i -e 's|#ssl = yes|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf
-  sed -i 's|^postmaster_address = .*$|postmaster_address = '"${POSTMASTER_ADDRESS}"'|g' /etc/dovecot/conf.d/15-lda.conf
+    sedfile -i 's|^postmaster_address = .*$|postmaster_address = '"${POSTMASTER_ADDRESS}"'|g' /etc/dovecot/conf.d/15-lda.conf
 
   if ! grep -q -E '^stats_writer_socket_path=' /etc/dovecot/dovecot.conf; then
     printf '\n%s\n' 'stats_writer_socket_path=' >>/etc/dovecot/dovecot.conf
@@ -37,9 +35,21 @@ function _setup_dovecot() {
 
   esac
 
+  if [[ ${ENABLE_POP3} -eq 1 || ${ENABLE_IMAP} -eq 1 ]]; then
+    sedfile -i -e 's|#ssl = yes|ssl = yes|g' /etc/dovecot/conf.d/10-master.conf
+    sedfile -i -e 's|#ssl = yes|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf
+  fi
+
   if [[ ${ENABLE_POP3} -eq 1 ]]; then
     _log 'debug' 'Enabling POP3 services'
     mv /etc/dovecot/protocols.d/pop3d.protocol.disab /etc/dovecot/protocols.d/pop3d.protocol
+    sedfile -i -e 's|#port = 995|port = 995|g' /etc/dovecot/conf.d/10-master.conf
+  fi
+
+  if [[ ${ENABLE_IMAP} -eq 1 ]]; then
+    _log 'debug' 'Enabling IMAP services'
+    mv /etc/dovecot/protocols.d/imapd.protocol.disab /etc/dovecot/protocols.d/imapd.protocol
+    sedfile -i -e 's|#port = 993|port = 993|g' /etc/dovecot/conf.d/10-master.conf
   fi
 
   [[ -f /tmp/docker-mailserver/dovecot.cf ]] && cp /tmp/docker-mailserver/dovecot.cf /etc/dovecot/local.conf
@@ -89,23 +99,20 @@ function _setup_dovecot_quota() {
     # disable dovecot quota in docevot confs
     if [[ -f /etc/dovecot/conf.d/90-quota.conf ]]; then
       mv /etc/dovecot/conf.d/90-quota.conf /etc/dovecot/conf.d/90-quota.conf.disab
-      sed -i \
+      sedfile -i \
         "s|mail_plugins = \$mail_plugins quota|mail_plugins = \$mail_plugins|g" \
         /etc/dovecot/conf.d/10-mail.conf
-      sed -i \
+      sedfile -i \
         "s|mail_plugins = \$mail_plugins imap_quota|mail_plugins = \$mail_plugins|g" \
         /etc/dovecot/conf.d/20-imap.conf
     fi
-
-    # disable quota policy check in postfix
-    sed -i "s|check_policy_service inet:localhost:65265||g" /etc/postfix/main.cf
   else
     if [[ -f /etc/dovecot/conf.d/90-quota.conf.disab ]]; then
       mv /etc/dovecot/conf.d/90-quota.conf.disab /etc/dovecot/conf.d/90-quota.conf
-      sed -i \
+      sedfile -i \
         "s|mail_plugins = \$mail_plugins|mail_plugins = \$mail_plugins quota|g" \
         /etc/dovecot/conf.d/10-mail.conf
-      sed -i \
+      sedfile -i \
         "s|mail_plugins = \$mail_plugins|mail_plugins = \$mail_plugins imap_quota|g" \
         /etc/dovecot/conf.d/20-imap.conf
     fi
@@ -113,11 +120,11 @@ function _setup_dovecot_quota() {
     local MESSAGE_SIZE_LIMIT_MB=$((POSTFIX_MESSAGE_SIZE_LIMIT / 1000000))
     local MAILBOX_LIMIT_MB=$((POSTFIX_MAILBOX_SIZE_LIMIT / 1000000))
 
-    sed -i \
+    sedfile -i \
       "s|quota_max_mail_size =.*|quota_max_mail_size = ${MESSAGE_SIZE_LIMIT_MB}$([[ ${MESSAGE_SIZE_LIMIT_MB} -eq 0 ]] && echo "" || echo "M")|g" \
       /etc/dovecot/conf.d/90-quota.conf
 
-    sed -i \
+    sedfile -i \
       "s|quota_rule = \*:storage=.*|quota_rule = *:storage=${MAILBOX_LIMIT_MB}$([[ ${MAILBOX_LIMIT_MB} -eq 0 ]] && echo "" || echo "M")|g" \
       /etc/dovecot/conf.d/90-quota.conf
 
@@ -127,7 +134,7 @@ function _setup_dovecot_quota() {
     fi
 
     # enable quota policy check in postfix
-    sed -i -E \
+    sedfile -i -E \
       "s|(reject_unknown_recipient_domain)|\1, check_policy_service inet:localhost:65265|g" \
       /etc/postfix/main.cf
   fi
@@ -188,5 +195,5 @@ function _setup_dovecot_dhparam() {
 
 function _setup_dovecot_hostname() {
   _log 'debug' 'Applying hostname to Dovecot'
-  sed -i "s|^#hostname =.*$|hostname = '${HOSTNAME}'|g" /etc/dovecot/conf.d/15-lda.conf
+  sedfile -i "s|^#hostname =.*$|hostname = '${HOSTNAME}'|g" /etc/dovecot/conf.d/15-lda.conf
 }

target/scripts/startup/setup.d/postfix.sh

@@ -30,18 +30,25 @@ mech_list: plain login
 EOF
   fi
 
+  # User has explicitly requested to disable SASL auth:
+  # TODO: Additive config by feature would be better. Should only enable SASL auth
+  # on submission(s) services in master.cf when SASLAuthd or Dovecot is enabled.
   if [[ ${ENABLE_SASLAUTHD} -eq 0 ]] && [[ ${SMTP_ONLY} -eq 1 ]]; then
+    # Default for services (eg: Port 25); NOTE: This has since become the default:
     sed -i -E \
       's|^smtpd_sasl_auth_enable =.*|smtpd_sasl_auth_enable = no|g' \
       /etc/postfix/main.cf
+    # Submission services that are explicitly enabled by default:
     sed -i -E \
       's|^  -o smtpd_sasl_auth_enable=.*|  -o smtpd_sasl_auth_enable=no|g' \
       /etc/postfix/master.cf
   fi
 
+  # scripts/helpers/aliases.sh:_create_aliases()
   __postfix__log 'trace' 'Setting up aliases'
   _create_aliases
 
+  # scripts/helpers/postfix.sh:_create_postfix_vhost()
   __postfix__log 'trace' 'Setting up Postfix vhost'
   _create_postfix_vhost
 
@@ -63,6 +70,25 @@ EOF
       's|^(dms_smtpd_sender_restrictions = .*)|\1, reject_unknown_client_hostname|' \
       /etc/postfix/main.cf
   fi
+
+  # Dovecot feature integration
+  # TODO: Alias SMTP_ONLY=0 to DOVECOT_ENABLED=1?
+  if [[ ${SMTP_ONLY} -ne 1 ]]; then
+    __postfix__log 'trace' 'Configuring Postfix with Dovecot integration'
+
+    # /etc/postfix/vmailbox is created by: scripts/helpers/accounts.sh:_create_accounts()
+    # This file config is for Postfix to verify a mail account exists before accepting
+    # mail arriving and delivering it to Dovecot over LMTP.
+    if [[ ${ACCOUNT_PROVISIONER} == 'FILE' ]]; then
+      postconf 'virtual_mailbox_maps = texthash:/etc/postfix/vmailbox'
+    fi
+    postconf 'virtual_transport = lmtp:unix:/var/run/dovecot/lmtp'
+  fi
+
+  if [[ -n ${POSTFIX_DAGENT} ]]; then
+    __postfix__log 'trace' "Changing virtual transport to '${POSTFIX_DAGENT}'"
+    postconf "virtual_transport = ${POSTFIX_DAGENT}"
+  fi
 }
 
 function _setup_postfix_late() {
@@ -80,12 +106,6 @@ function _setup_postfix_late() {
   __postfix__log 'trace' 'Configuring relay host'
   _setup_relayhost
 
-  if [[ -n ${POSTFIX_DAGENT} ]]; then
-    __postfix__log 'trace' "Changing virtual transport to '${POSTFIX_DAGENT}'"
-    # Default value in main.cf should be 'lmtp:unix:/var/run/dovecot/lmtp'
-    postconf "virtual_transport = ${POSTFIX_DAGENT}"
-  fi
-
   __postfix__setup_override_configuration
 }
 

target/scripts/startup/setup.d/security/rspamd.sh

@@ -325,7 +325,7 @@ function __rspamd__check_dkim_permissions() {
       __rspamd__log 'trace' "Checking DKIM file '${FILE}'"
       # See https://serverfault.com/a/829314 for an explanation on `-exec false {} +`
       # We additionally resolve symbolic links to check the permissions of the actual files
-      if find "$(realpath -eL "${FILE}")" -user _rspamd -or -group _rspamd -or -perm -o=r -exec false {} +; then
+      if find "$(realpath -eL "${FILE}")" \( -user _rspamd -or -group _rspamd -or -perm -o=r \) -exec false {} +; then
         __rspamd__log 'warn' "Rspamd DKIM private key file '${FILE}' does not appear to have correct permissions/ownership for Rspamd to use it"
       else
         __rspamd__log 'trace' "DKIM file '${FILE}' permissions and ownership appear correct"

target/scripts/startup/setup.d/security/spoofing.sh

@@ -11,6 +11,9 @@ function _setup_spoof_protection() {
         postconf 'smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf'
       fi
     else
+      # NOTE: This file is always created at startup, it potentially has content added.
+      # TODO: From section: "SPOOF_PROTECTION=1 handling for smtpd_sender_login_maps"
+      # https://github.com/docker-mailserver/docker-mailserver/issues/2819#issue-1402114383
       if [[ -f /etc/postfix/regexp ]]; then
         postconf 'smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }'
       else

target/scripts/startup/variables-stack.sh

@@ -87,6 +87,7 @@ function __environment_variables_general_setup() {
   VARS[ENABLE_OPENDMARC]="${ENABLE_OPENDMARC:=1}"
   VARS[ENABLE_POLICYD_SPF]="${ENABLE_POLICYD_SPF:=1}"
   VARS[ENABLE_POP3]="${ENABLE_POP3:=0}"
+  VARS[ENABLE_IMAP]="${ENABLE_IMAP:=1}"
   VARS[ENABLE_POSTGREY]="${ENABLE_POSTGREY:=0}"
   VARS[ENABLE_QUOTAS]="${ENABLE_QUOTAS:=1}"
   VARS[ENABLE_RSPAMD]="${ENABLE_RSPAMD:=0}"

target/scripts/update-check.sh

@@ -3,8 +3,8 @@
 # shellcheck source=./helpers/log.sh
 source /usr/local/bin/helpers/log.sh
 
-VERSION=$(</VERSION)
-VERSION_URL='https://raw.githubusercontent.com/docker-mailserver/docker-mailserver/master/VERSION'
+VERSION="${DMS_RELEASE#v}"
+VERSION_URL='https://github.com/docker-mailserver/docker-mailserver/releases/latest'
 CHANGELOG_URL='https://github.com/docker-mailserver/docker-mailserver/blob/master/CHANGELOG.md'
 
 # check for correct syntax
@@ -17,7 +17,8 @@ fi
 
 while true; do
   # get remote version information
-  LATEST=$(curl -Lsf "${VERSION_URL}")
+  # JSON response provides a field for the release tag, the `v` prefix is removed with `[1:]`
+  LATEST=$(curl -sfL -H 'accept: application/json' "${VERSION_URL}" | jaq -r '.tag_name[1:]')
 
   # did we get a valid response?
   if [[ ${LATEST} =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
@@ -26,7 +27,7 @@ while true; do
     # compare versions
     if dpkg --compare-versions "${VERSION}" lt "${LATEST}"; then
       # send mail notification to postmaster
-      read -r -d '' MAIL << EOF
+      read -r -d '#' MAIL << EOF
 Hello ${POSTMASTER_ADDRESS}!
 
 There is a docker-mailserver update available on your host: $(hostname -f)
@@ -34,7 +35,7 @@ There is a docker-mailserver update available on your host: $(hostname -f)
 Current version: ${VERSION}
 Latest  version: ${LATEST}
 
-Changelog: ${CHANGELOG_URL}
+Changelog: ${CHANGELOG_URL}#END
 EOF
 
       _log_with_date 'info' "Update available [ ${VERSION} --> ${LATEST} ]"

target/supervisor/conf.d/supervisor-app.conf

@@ -83,8 +83,8 @@ startsecs=0
 stopwaitsecs=55
 autostart=false
 autorestart=true
-stdout_logfile=/var/log/mail/mail.log
-stderr_logfile=/var/log/mail/mail.log
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
 command=/usr/sbin/postgrey --inet=127.0.0.1:10023 --syslog-facility=mail --delay="%(ENV_POSTGREY_DELAY)s" --max-age="%(ENV_POSTGREY_MAX_AGE)s" --auto-whitelist-clients="%(ENV_POSTGREY_AUTO_WHITELIST_CLIENTS)s" --greylist-text="%(ENV_POSTGREY_TEXT)s"
 
 [program:amavis]

test/files/emails/amavis/spam.txt

@@ -1,13 +1,6 @@
-HELO mail.external.tld
-MAIL FROM: spam@external.tld
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
-Subject: Test Message amavis-spam.txt
+Subject: Test Message amavis/spam.txt
 This is a test mail.
 XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
-
-.
-QUIT

test/files/emails/amavis/virus.txt

@@ -1,11 +1,7 @@
-HELO mail.external.tld
-MAIL FROM: virus@external.tld
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
-Subject: Test Message amavis-virus.txt
+Subject: Test Message amavis/virus.txt
 
 Content-type: multipart/mixed; boundary="emailboundary"
 MIME-version: 1.0
@@ -27,6 +23,3 @@ ACAA/4EAAAAAZWljYXIuY29tUEsFBgAAAAABAAEANwAAAGsAAAAAAA==
 
 
 --emailboundary--
-
-.
-QUIT

test/files/emails/auth/added-smtp-auth-spoofed-alias.txt

@@ -1,14 +1,5 @@
-EHLO mail
-AUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu
-bXlwYXNzd29yZA==
-MAIL FROM: alias1@localhost.localdomain
-RCPT TO: user1@localhost.localdomain
-DATA
 From: user1_alias <alias1@localhost.localdomain>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message
 This is a test mail.
-
-.
-QUIT

test/files/emails/auth/added-smtp-auth-spoofed.txt

@@ -1,14 +1,5 @@
-EHLO mail
-AUTH LOGIN YWRkZWRAbG9jYWxob3N0LmxvY2FsZG9tYWlu
-bXlwYXNzd29yZA==
-MAIL FROM: user2@localhost.localdomain
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Not_My_Business <user2@localhost.localdomain>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message
 This is a test mail.
-
-.
-QUIT

test/files/emails/auth/ldap-smtp-auth-spoofed-alias.txt

@@ -1,15 +1,5 @@
-EHLO mail
-AUTH LOGIN
-c29tZS51c2VyQGxvY2FsaG9zdC5sb2NhbGRvbWFpbg==
-c2VjcmV0
-MAIL FROM: postmaster@localhost.localdomain
-RCPT TO: some.user@localhost.localdomain
-DATA
 From: alias_address <postmaster@localhost.localdomain>
 To: Existing Local User <some.user@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message
 This is a test mail from ldap-smtp-auth-spoofed-alias.txt
-
-.
-QUIT

test/files/emails/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt

@@ -1,15 +1,5 @@
-EHLO mail
-AUTH LOGIN
-c29tZS51c2VyLmVtYWlsQGxvY2FsaG9zdC5sb2NhbGRvbWFpbgo=
-c2VjcmV0
-MAIL FROM: randomspoofedaddress@localhost.localdomain
-RCPT TO: some.user@localhost.localdomain
-DATA
 From: spoofed_address <randomspoofedaddress@localhost.localdomain>
 To: Existing Local User <some.user@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message
 This is a test mail from ldap-smtp-auth-spoofed-sender-with-filter-exception.txt
-
-.
-QUIT

test/files/emails/auth/ldap-smtp-auth-spoofed.txt

@@ -1,15 +1,5 @@
-EHLO mail
-AUTH LOGIN
-c29tZS51c2VyQGxvY2FsaG9zdC5sb2NhbGRvbWFpbg==
-c2VjcmV0
-MAIL FROM: ldap@localhost.localdomain
-RCPT TO: user1@localhost.localdomain
-DATA
 From: forged_address <ldap@localhost.localdomain>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message
 This is a test mail.
-
-.
-QUIT

test/files/emails/existing/added.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: added@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <added@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message existing-added.txt
 This is a test mail.
-
-.
-QUIT

test/files/emails/existing/alias-external.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: alias1@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <alias1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message existing-alias-external.txt
 This is a test mail.
-
-.
-QUIT

test/files/emails/existing/alias-local.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: alias2@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local Alias <alias2@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message existing-alias-local.txt
 This is a test mail.
-
-.
-QUIT

test/files/emails/existing/alias-recipient-delimiter.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: alias1~test@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local Alias With Delimiter <alias1+test@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message existing-alias-recipient-delimiter.txt
 This is a test mail.
-
-.
-QUIT

test/files/emails/existing/catchall-local.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: wildcard@localdomain2.com
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <wildcard@localdomain2.com>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message existing-catchall-local.txt
 This is a test mail.
-
-.
-QUIT

test/files/emails/existing/regexp-alias-external.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: bounce-always@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <bounce-always@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message existing-regexp-alias-external.txt
 This is a test mail.
-
-.
-QUIT

test/files/emails/existing/regexp-alias-local.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: test123@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <test123@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message existing-regexp-alias-local.txt
 This is a test mail.
-
-.
-QUIT

test/files/emails/existing/user-and-cc-local-alias.txt

@@ -1,13 +1,6 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <user1@localhost.localdomain>
 Cc: Existing Local Alias <alias2@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message existing-user-and-cc-local-alias.txt
 This is a test mail.
-
-.
-QUIT

test/files/emails/existing/user1.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message existing-user1.txt
 This is a test mail.
-
-.
-QUIT

test/files/emails/non-existing-user.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: nouser@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message non-existing-user.txt
 This is a test mail.
-
-.
-QUIT

test/files/emails/postgrey.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Postgrey Test Message
 This is a test mail.
-
-.
-QUIT

test/files/emails/postscreen.txt

@@ -0,0 +1,5 @@
+From: Docker Mail Server <user@external.tld>
+To: Existing Local User <user1@localhost.localdomain>
+Date: Sat, 22 May 2010 07:43:25 -0400
+Subject: Test Message postscreen.txt
+This is a test mail for postscreen.

test/files/emails/privacy.txt

@@ -1,15 +1,6 @@
-EHLO mail
-AUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu
-bXlwYXNzd29yZA==
-mail from: <user1@localhost.localdomain>
-rcpt to: <user1@localhost.localdomain>
-data
 From: Some User <user1@localhost.localdomain>
 To: Some User <user1@localhost.localdomain>
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
   Gecko/20100101 Thunderbird/52.2.1
 Subject: Test ESMTP Auth LOGIN and remove privacy
 This is a test mail.
-
-.
-QUIT

test/files/emails/quota-exceeded.txt

@@ -1,7 +1,3 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: quotauser@otherdomain.tld
-DATA
 From: Docker Mail Server <user@external.tld>
 To: Existing Local User <quotauser@otherdomain.tld>
 Date: Sat, 22 May 2010 07:43:25 -0400
@@ -20,6 +16,3 @@ Et voluptatum nobis ut odio voluptatem et quibusdam fugit ut libero sapiente vel
 Sit sint obcaecati et reiciendis tenetur aut dolorum culpa. Ab veritatis maxime qui necessitatibus facilis eum voluptate asperiores non totam omnis. Nam modi officia in reiciendis odit sit rerum laudantium est rerum voluptatem ut fugit cupiditate! Sit atque sint aut delectus omnis ut asperiores enim quo reprehenderit quae! In quasi nemo ut error totam ut quia harum ut commodi tenetur? Non quod dolorum eum explicabo labore vel asperiores quas est perferendis nulla eum nemo tenetur. Ut libero blanditiis ex voluptatibus repudiandae ab reiciendis nemo id debitis impedit hic quia incidunt sed quam excepturi ut magnam odit. Qui dolor deleniti aut sunt voluptas aut blanditiis distinctio nam omnis deleniti hic omnis rerum eum magni voluptatem. Nam labore facere eum molestiae dolorum ea consectetur praesentium ut cupiditate iste ad magnam aut neque maiores! Et excepturi ducimus ut nemo voluptas eum voluptas nihil hic perferendis quos vel quasi nesciunt est praesentium dolore hic quia quis. Et maxime ducimus ea cupiditate voluptatem ad quia dolores!
 
 Sed quos quaerat vel aperiam minus non sapiente quia ut ratione dolore eum officiis rerum. Non dolor vitae qui facilis dignissimos aut voluptate odit et ullam consequuntur. Et laudantium perspiciatis sit nisi temporibus a temporibus itaque ut iure dolor a voluptatum mollitia eos officia nobis et quibusdam voluptas. Amet eligendi eos nulla corporis et blanditiis nihil vel eveniet veritatis et sunt perferendis id molestiae eius! Quo harum quod aut nemo autem ut adipisci sint sed quia sunt. Aut voluptas error ut quae perferendis eos adipisci internos. Nam rerum fugiat aut minima nostrum quo repellendus quas exercitationem tenetur. Et molestiae architecto id quibusdam reprehenderit et magnam aliquam! Quo tempora veritatis At dolorem sint ex nulla blanditiis At voluptas laudantium est molestiae exercitationem et sequi voluptates aut ipsa atque. Et animi ipsum aut atque recusandae ea nemo ullam non quisquam quos sit libero sint vel libero delectus. Eos labore quidem a velit obcaecati nam explicabo consequatur eos maxime blanditiis? Et ipsam molestiae non quia explicabo ex galisum repudiandae et tempora veniam. Sed optio repellendus ut consequatur temporibus et harum quas hic ipsa officia? Aut dolores ipsum sit nulla dignissimos id quia perferendis aut dolores dolor et quibusdam porro aut Quis consequatur.
-
-.
-QUIT

test/files/emails/rspamd/pass.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: pass@example.test
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Docker Mail Server <pass@example.test>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
-Subject: Test Message rspamd-pass.txt
+Subject: Test Message rspamd/pass.txt
 This mail should pass and Rspamd should not mark it.
-
-.
-QUIT

test/files/emails/rspamd/spam-header.txt

@@ -1,12 +1,5 @@
-HELO mail.example.test
-MAIL FROM: spam-header@example.test
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Docker Mail Server <spam-header@example.test>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 21 Jan 2023 11:11:11 +0000
 Subject: Test Message rspamd-spam-header.txt
 YJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
-
-.
-QUIT

test/files/emails/rspamd/spam.txt

@@ -1,12 +1,5 @@
-HELO mail.example.test
-MAIL FROM: spam@example.test
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Docker Mail Server <spam@example.test>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 21 Jan 2023 11:11:11 +0000
 Subject: Test Message rspamd-spam.txt
 XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
-
-.
-QUIT

test/files/emails/rspamd/virus.txt

@@ -1,12 +1,5 @@
-HELO mail.example.test
-MAIL FROM: virus@example.test
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Docker Mail Server <virus@example.test>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 21 Jan 2023 11:11:11 +0000
 Subject: Test Message rspamd-virus.txt
 X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
-
-.
-QUIT

test/files/emails/sieve/pipe.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: user2@otherdomain.tld
-DATA
 From: Sieve-pipe-test <sieve.pipe@external.tld>
 To: Existing Local User <user2@otherdomain.tld>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Sieve pipe test message
 This is a test mail to sieve pipe.
-
-.
-QUIT

test/files/emails/sieve/spam-folder.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Spambot <spam@spam.com>
 To: Existing Local User <alias2@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message sieve-spam-folder.txt
 This is a test mail.
-
-.
-QUIT