mirror/docker-mailserver
1
1
Fork 0
mirror of https://github.com/docker-mailserver/docker-mailserver synced 2024-10-18 10:18:07 +02:00
Code Issues
2,762 Commits 3 Branches 27 Tags 52 MiB
master
Commit Graph

782 Commits

Author SHA1 Message Date
Brennan Kinney
7d9eb1e4a7
docs: Add context to sender-cleanup in Postfix master.cf (#3834) 
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
 2024-01-26 11:32:49 +01:00
Brennan Kinney
47f8d50beb
fix: Ensure configs are sanitized for parsing (#3819) 
* chore: Detect missing final newline in configs read

These lines will be not be processed by `read`, emit a warning to raise awareness.

* fix: Ensure parsed config has final newline appended (when possible)

This functionality was handled in `accounts.sh` via a similar sed command (that the linked references also offer).

`printf` is better for this, no shellcheck comment required either.

We additionally don't attempt to modify files that are read-only.

* fix: Ensure parsed configs have CRLF to LF corrected (where possible)

Likewise, this runtime fix was only covering two config files. It now applies to all callers of this method.

* fix: Sanitize `postfix-master.cf` via helper

This feature should have been using the helper to avoid user error from their config updates accidentally introducing subtle breakage implicitly (due to CRLF or missing final newline).

* tests: Add test cases for new helpers

* tests:  `rm` is redundant when using `BATS_TEST_TMPDIR`

This temporary directory is created and removed implicitly. Even after a test failure.

* chore: Remove old `postfix-virtual.cf` migration logic

This was introduced in 2018, there should be no one needing to rely on this anymore?

* tests: Remove comment on sed failure concern

* chore: Add entry to `CHANGELOG.md`

* Apply suggestions from code review

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>

---------

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
 2024-01-26 10:28:26 +13:00
Brennan Kinney
22c6daee32
chore: Revise improper restart message (#3826) 
Improved guidance.
 2024-01-25 12:21:24 +00:00
Georg Lauterbach
00018e7e2b
general: update base image to Debian 12 ("Bookworm") (#3403) 
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
 2024-01-24 17:05:55 +01:00
Brennan Kinney
611a66bf98
fix: Correctly support multiple Dovecot PassDBs (#3812) 
* fix: Dovecot PassDB should restrict allowed auth mechanisms

This prevents PassDBs incompatible with certain auth mechanisms from logging failures which accidentally triggers Fail2Ban.

Instead only allow the PassDB to be authenticated against when it's compatible with the auth mechanism used.

* tests: Use `curl` for OAuth2 login test-cases instead of netcat

`curl` provides this capability for both IMAP and SMTP authentication with a bearer token. It supports both `XOAUTH2` and `OAUTHBEARER` mechanisms, as these updated test-cases demonstrate.

* chore: Add entry to `CHANGELOG.md`
 2024-01-23 19:11:05 +01:00
Brennan Kinney
d40a17f7e0
fix: Ensure correct ownership for the Rspamd DKIM directory (#3813) 
The UID / GID shifted during a new release. Until DKIM handling is refactored in a new major release, this fix ensures the content maintains the expected `_rspamd` ownership.
 2024-01-23 11:51:10 +01:00
Brennan Kinney
a5d536201b
docs: Add maintenance comment for reject_unknown_sender_domain (#3793) 
I figured this was a useful comment to reference related to the setting if it's ever being changed or needs to be better understood (linked issue is a common failure that can be encountered related to this restriction).
 2024-01-20 17:51:32 +13:00
Andreas Perhab
9cdbef2b36
setup/dkim: chown created dkim directories and keys to config user (#3783) 
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2024-01-18 10:41:55 +01:00
Brennan Kinney
2d59aac5a1
chore: Add maintenance comment for sed usage (#3789) 
This is a more explicit reminder for any future contributors that get thrown off by the usage of `sed` here and may be inclined to change it.

Add a link to reference a comment where it's already been explored what the alternative `sed` invocations available are.
 2024-01-17 20:54:27 +13:00
Brennan Kinney
265440b2bb
fix: Ensure .svbin files are newer than .sieve source files (#3779) 2024-01-15 10:34:15 +01:00
Joerg Sonnenberger
e3331b0f44
feat: Add MTA-STS support for outbound mail (#3592) 
* feat: add support for MTA-STS for outgoing mails

* Hook-up mta-sts-daemon into basic process handling test

* fix: Call python script directly

The python3 shebang will run it, which will now meet the expectations of the process testing via pgrep. fail2ban has the same approach.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2024-01-13 21:37:20 +13:00
Casper
71e1102749
Tiny #3480 follow up: Add missing ENABLE_OAUTH2 var (#3775) 2024-01-12 23:48:14 +01:00
Keval Kapdee
52c4582f7b
feat: Auth - OAuth2 (Dovecot PassDB) (#3480) 
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2024-01-13 09:45:14 +13:00
Georg Lauterbach
06fab3f129
tests: streamline tests and helpers further (#3747) 
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2024-01-11 10:34:08 +01:00
Casper
aba218e6d7
Fix jaq: Download platform specific binary (#3766) 
* choose architecture dynamically
 2024-01-10 12:31:30 +13:00
Brennan Kinney
5e28c17cf4
docs: SpamAssassin ENV docs refactor (#3756) 
* chore: Log `SPAMASSASSIN_SPAM_TO_INBOX=1` ENV correctly

ENV name logged was incomplete.

* docs: Update SA related ENV docs

* fix: Log level `warning` should be `warn`

* docs: FAQ - Revise outdated SA entry

* chore: Antispam / Antivirus => Anti-spam / Anti-virus

* docs: ENV - Additional revisions to SA ENV

* docs: ENV - Move `ENABLE_SPAMASSASSIN_KAM`
 2024-01-08 03:07:38 +01:00
Brennan Kinney
6082d5f8d0
chore: Disable smtputf8 support in config directly (#3750) 
* chore: Disable `smtputf8` support in config

This was always configured disabled at runtime, better to just set explicitly in `main.cf` unless config diverges when Dovecot is enabled to opt-out of this feature.
 2024-01-05 23:18:30 +01:00
Georg Lauterbach
04f4ae4569
Rspamd: add custom symbol scores for SPF, DKIM & DMARC (#3726) 2024-01-05 09:07:31 +01:00
Georg Lauterbach
bf69ef248e
Postfix: add smtpd_data_restrictions = reject_unauth_pipelining (#3744) 
* add `smtpd_data_restrictions = reject_unauth_pipelining`

* fix: Skip restriction if trusted

* add changelog entry

* revert change to `postfix-amavis.cf`

* Update CHANGELOG.md

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2024-01-04 22:13:13 +01:00
Georg Lauterbach
25c7024cc4
security(Postfix): Protect against "SMTP Smuggling" attack (#3727) 
View `CHANGELOG.md` entry and PR for details.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2024-01-03 14:02:59 +13:00
Georg Lauterbach
9e81517fe3
tests: Use swaks instead of nc for sending mail (#3732) 
See associated `CHANGELOG.md` entry for details.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2024-01-03 13:17:54 +13:00
Brennan Kinney
0889b0ff06
fix: supervisor-app.conf - Correct the log location for postgrey (#3724) 
* fix: `supervisor-app.conf` - Correct `postgrey` log location

Looks like this should have been like every other service and reference a log file(s) based on program name in the supervisor log directory.

* tests: Adjust log location for `postgrey_enabled.bats`
 2023-12-30 09:59:09 +13:00
Casper
3adb53eb12
Remove sed statement (#3715) 2023-12-20 13:43:32 +13:00
Brennan Kinney
5908d9f060
tests(refactor): Dovecot quotas (#3068) 
* chore: Extract out Dovecot Quota test cases into new test file

Test cases are just cut + paste, no logic changed there yet.

* chore: Rename test case descriptions

* chore: Use `setup ...` methods instead of direct calls

* chore: Adjust `_run_in_container_bash` to `_run_in_container`

Plus some additional bug fixes in the disabled test case

* tests(refactor): Revise ENV test cases for max mailbox and message sizes

* tests(refactor): Revise ENV test cases for mailbox and message limits v2

Removes the extra variables and filtering in favour of explicit values instead of matching for comparison.

- Easier at a glance to know what is actually expected.
- Additionally reworks the quota limit checks in other test cases. Using a different formatter for `doveadm` is easier to match the desired value (`Limit`).

* chore: Sync improvement from `tests.bats` master

---

NOTE: This PR has been merged to avoid additional maintenance burden without losing the improvements. It was not considered complete, but remaining tasks were not documented in the PR.
 2023-12-19 14:33:38 +13:00
Casper
98a4c13ca9
Add ENV ENABLE_IMAP (#3703) 2023-12-18 12:26:28 +01:00
René Plötz
2f5dfed726
fix: Only set virtual_mailbox_maps to texthash when using the FILE account provisioner (#3693) 
Signed-off-by: René Plötz <reneploetz@users.noreply.github.com>
 2023-12-11 10:22:31 +13:00
Casper
d3b4e94d06
update-check: fix 'read' exit status (#3688) 
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
 2023-12-08 01:20:17 +01:00
Peter Adam
77917f5cc6
scripts: Install arm64 rspamd from official repository (#3686) 
* scripts: Install rspamd from official repository instead of debian backports on arm64 architecture

* Remove unnecessary deb-src repository for rspamd

* Remove note about ARM64 rspamd version, update CHANGELOG.md

---------

Co-authored-by: Peter Adam <p.adam@cygnusnetworks.de>
 2023-12-07 23:45:02 +01:00
Casper
908d38047c
scripts: add warning when update-check is enabled, but no stable release image is used (#3684) 2023-12-05 20:42:30 +00:00
Brennan Kinney
c75975d59e
chore: Postfix should integrate Dovecot at runtime (#3681) 
* chore: Better establish startup scope

* chore: Configure `main.cf` for Dovecot at runtime
 2023-12-05 17:16:39 +13:00
Brennan Kinney
68f9671a22
fix: Logging - Welcome should use DMS_RELEASE ENV (#3676) 2023-11-30 14:47:31 +13:00
Brennan Kinney
19e96b5131
fix: update-check.sh should query GH Releases (#3666) 
* fix: Source `VERSION` from image ENV

Now CI builds triggered from tagged releases will always have the correct version. No need for manually updating a separate file.

* fix: Query latest GH release tag

Compare to the remote GH release tag published, rather than contents of a `VERSION` file.

`VERSION` file remains in source for now as prior releases still rely on it for an update notification.

* chore: Switch from `yq` to `jaq`

- Can more easily express a string subslice.
- Lighter weight: 9.3M vs 1.7M.
- Drawback, no YAML input/output support.

If `yq` is preferred, the `v` prefix could be removed via BASH easily enough.

* chore: Add entry to `CHANGELOG.md`

* ci: `VERSION` has no relevance to `:edge`

* docs: Update build guide + simplify `make build`

---------

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
 2023-11-30 10:21:26 +13:00
Georg Lauterbach
a11951e398
hotfix: solve #3665 (#3669) 
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-11-28 10:33:29 +01:00
Georg Lauterbach
5f2fb72c9c
Rspamd: add check for DKIM private key files' permissions (#3627) 
* added check for Rspamd DKIM on startup

The newly added function `__rspamd__check_dkim_permissions` performs a
check on DKIM private key files. This is useful to prevent issues
like #3621 in the future. The function is deliberately kept simple and
may not catch every single misconfiguration in terms of permissions and
ownership, but it should be quite accurate.

Please note that the Rspamd setup does NOT change at all, and the checks
will not abort the setup in case they fail. A simple warning is emmited.

* add more documentation to Rspamd functions

* Apply suggestions from code review

* improve `__do_as_rspamd_user`

* rework check similar to review suggestion

see https://github.com/docker-mailserver/docker-mailserver/pull/3627#discussion_r1388697547

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-11-13 12:34:46 +01:00
Georg Lauterbach
26214491ef
fix: Drop special bits from Postfix maildrop/ and public/ directory permissions (#3625) 
* update K8s deployment

Because `allowPrivilegeEscalation` controls SUID/SGID, we require it
when postdrop is invoked.

* correct permissions for maildrop/public

The reason our permissions previously worked out as that in setups where
SUID/SGID worked, the binaries used to place files in these directories
already have SGID set; the current set of permissions makes less sense
(as explained in this comment:
https://github.com/docker-mailserver/docker-mailserver/issues/3619#issuecomment-1793816412)

Since the binaries used to place files inside these directories alredy
have SUID/SGID set, we do not require these bits (or the sticky bit) to
be set on the directories.

* Apply suggestions from code review

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-11-10 19:57:17 +01:00
Zepmann
290355cf5a
docs: Add Dovecot Lua auth guide + required package (#3579) 
* Dovecot: add deb package dovecot-lua to support Lua scripting
* Adding documentation for Lua authentication
* Updated documentation and made a better distinction between Dovecot packages for officially supported features and for community supported features.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-11-09 10:18:17 +13:00
Georg Lauterbach
f674232f71
misc: final Rspamd adjustments for v13 (#3599) 
* outsource Rspamd ENVs into explicit helper

This will allow us to uniformly source the helper and get the values
from everywhere consistently. This is more than desirable since we will
be using these values not only for the Rspamd setup, but also for DKIM
management and during change-detection.

* integrate Rspamd into changedetection

We outsource one more function to reside in the helper script for Rspamd
so that we can call this function from the Rspamd setup and from the
changedetection functionality too.

* realize deprecation of old commands file for Rspamd

THIS IS A BREAKING CHANGE!

This change realizes the log message: "Using old file location now
(deprecated) - this will prevent startup in v13.0.0" Startup will now
fail.

* added '--force' option to Rspamd DKIM script

* use new helper to get ENVs for Rspamd in DKIM script

* remove the need for linking directories

This was unnecessary, as explained in
https://github.com/docker-mailserver/docker-mailserver/pull/3597#discussion_r1369413599

* Apply suggestions from code review

review by @polarathene

* apply more review feedback from @polarathene

- <https://github.com/docker-mailserver/docker-mailserver/pull/3599#discussion_r1370885519>
- <https://github.com/docker-mailserver/docker-mailserver/pull/3599#discussion_r1370904201>

* update documentation

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-10-30 10:20:37 +01:00
Joerg Sonnenberger
097dc6c9a4
docs(bin/setup): Add an example for an alias with multiple recipients (#3600) 
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-10-26 13:22:36 +13:00
Georg Lauterbach
cb62ce20e6
bugfix: change Rspamd DKIM default config location (#3597) 
Instead of using `etc/rspamd/override.d/dkim_signing.conf`, we will now
be using `/tmp/docker-mailserver/rspamd/override.d/dkim_signing.conf`.
The new location is persisted (and linked again during startup) and
hence better suited.
 2023-10-24 10:31:22 +02:00
allddd
eacc379cf1
feat: Postfix permit DSN (Delivery Status Notification) only on authenticated ports (465 + 587) (#3572) 
* add POSTFIX_DSN

* add tests for POSTFIX_DSN

* Revert "add POSTFIX_DSN"

This reverts commit d5bd0e911737eb8b9efa9566caac6e95c6570af2.

* discard DSN requests on unauthenticated ports

* make tests work with overrides instead of ENV

* Apply suggestions from code review

* fix test inconsistencies

---------

Co-authored-by: allddd <allddd@proton.me>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-10-22 15:16:41 +02:00
Georg Lauterbach
128e6b4d1f
chore: Add debug group (packages.sh) + more resilient rspamd setup (#3578) 2023-10-16 09:51:48 +02:00
Georg Lauterbach
894978ddd7
refactor: logrotate setup + rspamd log path + tests log helper fallback path (#3576) 
* simplify `_setup_logrotate`

* adjust Rspamd's log file and improve it's management

* add information to docs about Rspamd log

* update log query helper to allow another file location

* bail in case `LOGROTATE_INTERVAL` is invalid

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-10-14 17:14:10 +02:00
Brennan Kinney
aae42fae9b
ci(fix): Normalize for .gitattributes + improve eclint coverage (#3566) 2023-10-04 12:53:32 +02:00
Vincent Ducamps
bd96c1161e
feat: Allow changing the Dovecot vmail UID/GID via ENV (#3550) 
Some deployment scenarios are not compatible with `5000:5000` static vmail user with `/var/mail`. This feature allows adjusting the defaults to a UID / GID that is compatible.

Signed-off-by: vincent <vincent@ducamps.win>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-10-01 00:20:03 +13:00
Lucas Bartholemy
86edaf9a8a
fix: DKIM key generation broken when Rspamd & OpenDKIM are enabled (#3535) 
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
 2023-09-13 10:42:52 +02:00
Brennan Kinney
ed84dca147
chore: LDAP config improvements (#3522) 
* chore: Drop management of `SASLAUTHD_*` ENV

- `variables-stack.sh` does not need to manage all these extra ENV or store them. They're not used anywhere else.
- `saslauthd.sh` is the only consumer of these ENV which are effectively direct key/value mappings, with some defaults provided / inherited.

Instead of trying to conditionally support key/value pairs when ENV is set, we could instead use `sed` to delete lines with empty values.

* chore: Drop fallbacks + update configs to match docs

- Drop deprecated support:
  - `DOVECOT_HOSTS` is an ENV deprecated since v10.
  - Fallback for missing URI scheme introduced for Dovecot and SASLAuthd in v10.
  - Adding error log message when no LDAP URI scheme is detected for the supported ENV (when set).
- Docs updated for ENV to reflect the mandatory requirement. `mailserver.env` partially synced equivalent sections.
- Provided base LDAP configs (for overriding) likewise updated from `domain.com` to `example.com`.
- LDAP test updated for required `ldap://` URI scheme. Common ENV shared across LDAP configs hoisted out of the Postfix group.

* chore: Remove unset lines in generated `saslauthd.conf`
 2023-09-02 22:07:02 +12:00
Brennan Kinney
9446fa9b9a
chore: Adapt ENABLE_LDAP=1 to ACCOUNT_PROVISIONER=LDAP (#3507) 
- Deprecation startup script check is kept for `ENABLE_LDAP=1` but adjusted to emit an error instead. It can be dropped in a future release. Just a precaution for those who mistakenly update (_possibly via automation_) without checking the release notes, an error log is somewhat helpful, although it could alternatively panic?
- Docs updated to remove the `ENABLE_LDAP=1` usage
- ENV docs updated to reference a maintained LDAP image.
- Changelog includes the breaking change, and slight revision to prior release mention of deprecation.
 2023-08-29 10:19:03 +12:00
Brennan Kinney
e9f04cf8a7
chore: Change setup config dkim default key size to 2048 (open-dkim) (#3508) 
* chore: Adjust default DKIM size (`open-dkim`) from 4096-bit to 2048-bit

4096-bit is excessive in size for DKIM key. 2048-bit is plenty.

* chore: Additional revisions to `open-dkim` command help output

- The examples use `keysize 2048`, but as that's the new default it makes sense to change that.
- Other help text was also revised.
- Last example for domains did not need to demonstrate the other options. Changed example domains to more appropriate values.

* docs: Revise DKIM docs

Primarily for the change in default key size, but does revise some text to better communicate to the user.
- While the referenced RFC advises 512-bit to 2048-bit key size, we now explicitly discourage `512-bit` as it's not secure. `1024-bit` is still likely safe for most, but `2048-bit` is a good default for those not rotating their keys.
- Adjusted the domains example to match the new `setup config dkim domain` domains example.
- Tip for changing default key size changed to "info" with added clarity of lowering security or increasing it (excessively).
- Rspamd section is minor formatting changes, with the exception of clarifying the "main domain" for the mail accounts is assumed as the DMS FQDN with any subdomain (like `mail.`) stripped away. This is not great, but a legacy issue that needs to be addressed in future.
- `docs-rspamd-override-d` ref removed, and usage replaced with equivalent ref `docs-rspamd-config-dropin`, while `docs-rspamd-config-declarative` ref was not in use and also removed.
- Revised the `<selector>.txt` DNS formatting info section to better communicate with the reader. Additionally it had mixed usage of default `mail` and custom `dkim-rsa` selectors (_file content and output_).

* docs: Sync DKIM commands help messages and update DKIM docs for LDAP

- Adopt the help options format style from the `rspamd-dkim` into `open-dkim` command. And convert `./setup.sh` to `setup`. `selector` option has been implemented. for a while now.
- Update `rspamd-dkim` examples help output to align with `open-dkim` command examples.
- Give both DKIM command tools a consistent description. The two tools differ in support for the `domain` option (_implicit domain sourcing for default account provisioner, and support for multiple domains as input_).
- DKIM docs for LDAP domain support revised to better communicate when explicit domain config is necessary.

* tests: Adjust test-cases for `setup config dkim` change

`rspamd_dkim.bats`:
- Update assert for command help output.
- Don't bother creating a DKIM key at 512-bit size.

`setup_cli.bats`:
- Update assert for command help output of the `setup config dkim` (OpenDKIM) command.

* docs: Update DKIM section for large keys to newer RFC

The linked discussion from 2021 does mention this updated RFC over the original. That removes outdated advice about `512-bit` key length support.

The discussion link is still kept to reference a comment for the reader to better understand the security strength of 2048-bit RSA keys and why larger keys are not worthwhile, especially for DKIM.

* docs: Extract out common DKIM generation command from content tabs

Should be fine to be DRY here, not specific to `open-dkim` or `rspamd` generation/support. Previously rspamd lacked support of an equivalent command in DMS.

* docs: DKIM refactoring

- Shifted out the info admonition on key size advice out of the content tabs as it's now generic information.
- Indented the 4096-bit warning into this, which is less of a concern as the default for our DKIM generation tools is consistently 2048-bit now.
- Reworked the LDAP and Rspamd multi-domain advice. To avoid causing a bad diff, these sections haven't been moved/merged yet.

* docs: Revise DKIM docs

Advice for managing domains individually with LDAP and Rspamd extracted out of the content tabs. Default domain behaviour explained with extra info about OpenDKIM + FILE provisioner sourcing extra domains implicitly.
 2023-08-29 09:40:02 +12:00
Casper
43a122fe18
scripts: add wrapper to update Postfix configuration safely (follow up) (#3503) 2023-08-28 09:40:24 +12:00
Georg Lauterbach
cf9eb8278a
scripts: add wrapper to update Postfix configuration safely (#3484) 
The new function can

1. update/append
2. update/prepend
3. initialize if non-existent

options in `/etc/postfix/main.cf` in a safe and secure manner. When the
container is improperly restarted, the option is not applied twice.

---

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-08-22 08:03:41 +00:00
H4R0
bb2038e8c6
feat: Allow marking spam as read via a sieve filter (ENV MARK_SPAM_AS_READ=1) (#3489) 
* add MARK_SPAM_AS_READ environment variable

* review changes

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

* update unit test

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-08-21 10:32:26 +12:00
Georg Lauterbach
f28fce9cc4
rspamd: disable checks for authenticated users (#3440) 
Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: William Desportes <williamdes@wdes.fr>
 2023-08-08 10:43:21 +02:00
Georg Lauterbach
b001f5a140
Rspamd: local network addition and user name mismatch (#3453) 2023-08-04 13:45:35 +02:00
Nils Höll
85603193a2
feat(setup): Add fail2ban sub-command status <JAIL> (#3455) 
* Added status command to fail2ban setup script

* Switched to `printf` for command output

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/fail2ban.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

---------

Co-authored-by: Casper <casperklein@users.noreply.github.com>
 2023-08-02 12:09:01 +12:00
Georg Lauterbach
da984e5696
see https://github.com/docker-mailserver/docker-mailserver/issues/3433#issuecomment-1646532264 (#3439) 2023-07-28 13:39:23 +02:00
Felix N
a2247bf655
fix spelling issues in rspamd-dkim (#3411) 
Co-authored-by: Felix Nieuwenhuizen <felix@tdlrali.com>
 2023-06-28 20:42:57 +00:00
wligtenberg
68c6f247a6
Fix issue with concatenating $dmarc_milter and $dkim_milter in main.cf (#3380) 
* Fix issue with concatenating $dmarc_milter and $dkim_milter in main.cf 

Upon each start the  `smtpd_milters` and `non_smtpd_milters` would be extended with the following:
```
smtpd_milters =   $dmarc_milter $dkim_milter
non_smtpd_milters = $dkim_milter
```
In my case they became long enough that mail delivery stopped. I think this was because of the extra headers that are added by these steps. (which in turn would cause the mail to be dropped)

* fix sed to work when the variables are there and when they are not.

---------

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
 2023-06-20 19:44:54 +00:00
Claude Brisson
2b400a9269
Fix sieve setup (#3397) 2023-06-20 13:37:31 +02:00
Casper
e0c7cd475b
Don't register _setup_spam_to_junk() when SMTP_ONLY=1 (#3385) 2023-06-11 22:59:26 +02:00
Thomas Butter
efed9d8012
Dovecot: compile fts_xapian from source to match Dovecot ABI (#3373) 
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
 2023-06-01 10:50:31 +02:00
Georg Lauterbach
6a4fac61f8
misc: remaining v13 todos (#3370) 2023-05-29 19:07:45 +02:00
Casper
8bfe8424fc
Change 'for' style (#3368) 2023-05-26 14:00:40 +02:00
Casper
c2d0b748b2
Change 'while' style (#3365) 2023-05-26 01:39:39 +02:00
Casper
37ca0f9ba9
Change 'function' style (#3364) 2023-05-26 01:01:41 +02:00
Casper
cf74127f78
change if style (#3361) 2023-05-24 09:06:59 +02:00
Casper
0e592aa911
SPAM_TO_INBOX=1; add info about SA_KILL (#3360) 2023-05-23 19:32:09 +02:00
LucidityCrash
7af7546d88
feature: adding getmail as an alternative to fetchmail (#2803) 
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
 2023-05-23 17:25:08 +02:00
Brennan Kinney
1d2df8d499
fix: DB helper should properly filter entries (#3359) 
Previously it was assumed the sed operation was applying the sed expressions as a sequence, but it did not seem to filter entries being looked up correctly.

Instead any line that matched either sed expression pattern was output (_value without matching key, values split by the delimiter_), then grep would match any of that causing false-positives.

Resolved by piping the first sed expression into the next.
 2023-05-23 11:02:30 +12:00
Georg Lauterbach
7453bc096b
Dovecot: make home dir distinct from mail dir (#3335) 
* add new home dir for Dovecot

I tried changing the mail dir, but this is a _very_ disruptive change,
so I took approach 3 on
<https://doc.dovecot.org/configuration_manual/home_directories_for_virtual_users/>,
whereby the home directory is now inside the mail directory.

The MDBOX/SDBOX formats are not touched by this change. The change
itself could be considered breaking though.

* adjust Sieve tests accordingly

* Update target/dovecot/10-mail.conf

* Update target/dovecot/auth-passwdfile.inc

---------

Co-authored-by: Casper <casperklein@users.noreply.github.com>
 2023-05-15 20:10:29 +02:00
Casper
a72adc2731
Fix typos (#3344) 2023-05-15 19:11:36 +02:00
Andreas Perhab
ec330a35a1
ClamAV: add a warning for the internal message size limit (#3341) 2023-05-15 15:46:13 +02:00
Georg Lauterbach
a99ae786db
adjust antivirus.conf for Rspamd (#3331) 
See #3320
 2023-05-15 07:01:13 +02:00
Georg Lauterbach
9fd00bd6ad
Rspamd: adjust learning of ham (#3334) 
* adjust learning of ham

See #3333

When moving a mail from the Junk folder to the Trash folder, the mail
previously classified as ham due to the wildcard match of `*`. Because
the syntax does not allow for negation, we can only change the behavior
in a way that mails are learned as ham when they are moved into `INBOX`
from `Junk`. This is reasonable though.

* adjust tests accordingly

* adjust docs accordingly
 2023-05-13 13:59:16 +02:00
Georg Lauterbach
78b7f0cbea
scripts: improve CLAMAV_MESSAGE_SIZE_LIMIT usage (#3332) 
* add sanity check for Clam size & adjusted MaxScanSize

The second part is of special importance! See
<https://askubuntu.com/a/1448525>, which explains that the maximum scan
size is important as well. We previously just set the maximum file size,
which actually is pretty insecure as we silently not scan mile bigger
than `MaxScanSize`. This is corrected now.

* add SlamAV size configuration to Rspamd
 2023-05-12 16:04:41 +02:00
ghnp5
823ef33a92
fix: typo about OpenDMARC (#3330) 
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
 2023-05-11 18:10:51 +02:00
Georg Lauterbach
e4274ef113
docs: improve Rspamd docs about DKIM signing of multiple domains (#3329) 
* improve Rspamd docs

See #3326 & #3328

* improve warning message

See #3328
 2023-05-11 18:08:54 +02:00
Brennan Kinney
793e4026fc
chore(main.cf): Add note advising caution changing mydestination (#3316) 
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
 2023-05-10 23:23:02 +00:00
Georg Lauterbach
595ff03804
Postfix: rename "smtps" to "submissions" (#3235) 2023-05-10 11:29:51 +02:00
Georg Lauterbach
c461dabe9e
docs/misc: update to align with Docker Compose v2 (#3295) 
* rename: `docker-compose.yml` => `compose.yaml`
* rename: `docker-compose` => `docker compose`
 2023-05-10 11:02:44 +02:00
Georg Lauterbach
bba72daedf
scripts: add DKIM helper script for Rspamd (#3286) 
Co-authored-by: Casper <casperklein@users.noreply.github.com>
 2023-05-03 08:30:49 +02:00
Casper
423188176f
fail2ban: add 'log' command (#3299) 
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
 2023-05-03 00:13:44 +02:00
Georg Lauterbach
2bdbe5d918
F2B: update F2B after discussion in #3256 (#3288) 2023-05-01 15:00:35 +02:00
Georg Lauterbach
b6261c7387
remove unnecessary return 0 statements (#3290) 
See <https://github.com/docker-mailserver/docker-mailserver/pull/3285#issuecomment-1521706729>
 2023-04-29 10:55:54 +02:00
Georg Lauterbach
7e7497ae5a
scripts: apply fixes to helpers when using set -eE (#3285) 
For an upcoming PR, these changes are required, because the script that
is using the helpers uses `set -eE`. This leads to situations where
errors are not properly handled in our helpers (yet; I plan on changing
that in the future).
 2023-04-24 14:35:19 +02:00
Georg Lauterbach
449d53fc3f
docs/scripts: remove WIP warnings for Rspamd (#3283) 2023-04-23 15:14:36 +02:00
Georg Lauterbach
cd1721334c
scripts: Rspamd stabilization pt. 2 (#3282) 
* move modules adjustment file to new location

Because we link `/tmp/docker-mailserver/rspamd/override.d` to
`/etc/rspamd/override.d`, I think it makes sense to move the modules
adjustment file into `/tmp/docker-mailserver/rspamd/` as well.

I write the code in a way that it is backwards compatible for now, so
this is NOT a breaking change.

* minor improvement to `__rspamd__handle_user_modules_adjustments`

The expansion of `ARGUMENT3` is now done in a way that only adds the
whitespace in case the variable is set and not null.

* move test file structure to respect latest changes

Because we're now linking `rspamd/override.d/`, we can simplify the
setup a bit. But this requires a change in directory structure.

The current Rspamd test will be renamed to `rspamd_full.bats`, because I
plan on adding more tests in different files for different feature sets.
This is done to make this feature well-tested!

* improved and added tests to Rspamd-full

FYI: The line

```bats
_run_in_container grep 'sieve_global_extensions.*\+vnd\.dovecot\.pipe'
"${SIEVE_CONFIG_FILE}"
```

was testing a condition that should actually not be met, but when I
started working on this feature, I thought this was the correct
configuration. Adding the `assert_success` statements revealed this
wrong line.

I also added tests to check whether `override.d` is linked correctly.

* renamed: `rspamd.bats` => `rspamd_full.bats`

* added new tests for incomplete Rspamd feature set

We now test that warnings are emitted & features are disabled correctly.

* update documentation
 2023-04-23 14:02:56 +02:00
Georg Lauterbach
638975922e
scripts: Rspamd stabilization pt. 1 (#3261) 
* added checks whether OpenDKIM/OpenDMARC/policyd-spf are enabled
* added functions to check if VAR is 0/0 or an int

and also added tests.

I also adjusted the test file to not run in a container, because there
is no need. This also decreases test time, which, in turn, increases
maintainers' happiness.

* added more checks to Rspamd setup

I added the helpers from the previous commit to the Rspamd setup to make
the whole setup more robust, and indicate to the user that an ENV
variable's value is incorrect.

While we did not issues for this in the past, I believe it to be
worthwhile for the future.

* added canonical directory for users to place files in

This dir is canonical with DMS's optional configuration dirs, as it
lives in well-known volume mounts. Hence, users will not need to adjust
`/etc/rspamd/override.d` manually anymore, or mount a volume to this
place.

The docs explain this now, but the DKIM page needs a slight update on
this too I guess. I will follow-up here.

* misc minor improvements
* use variables for common directories
 2023-04-23 12:22:54 +02:00
Georg Lauterbach
88cd244e47
scripts: misc improvements (#3281) 
* corrected typo
* corrected indentation
 2023-04-23 12:16:53 +02:00
Andreas Perhab
2b330fdc49
scripts: remove superfluous EOF in dmarc_dkim_spf.sh (#3266) 
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
 2023-04-20 09:52:07 +02:00
Casper
ea07bcdb4c
scripts: improve shutdown function by making PANIC_STRATEGY obsolete (#3265) 2023-04-18 23:38:46 +02:00
James
a735dddc52
scripts: fix setting SRS_EXCLUDE_DOMAINS during startup (#3271) 2023-04-18 17:07:08 +02:00
Andreas Perhab
2f33f44f4a
postfix.sh: add missing -E for extended regexes in smtpd_sender_restrictions (#3272) 2023-04-18 11:08:19 +02:00
Georg Lauterbach
3f22cbce01
scripts: disallow alias = account (#3270) 2023-04-17 19:22:50 +02:00
Georg Lauterbach
c8dfb9ac76
Posfix: add option to re-enable reject_unknown_client_hostname after #3248 (#3255) 2023-04-16 14:09:00 +02:00
Georg Lauterbach
03772f612a
scripts: get all policyd-spf setup in one place (#3263) 2023-04-15 00:40:42 +02:00
Georg Lauterbach
1076aac37d
change F2B configs: made config more aggressive (#3243) 2023-04-11 20:28:43 +02:00
Georg Lauterbach
9a284150b2
Rspamd: replace reject_unknown_client_hostname with Rspamd HFILTER_HOSTNAME_UNKNOWN and make it configurable (#3248) 2023-04-11 18:51:23 +02:00
Georg Lauterbach
806d3efef9
Rspamd: add greylisting option & code refactoring (#3206) 2023-04-11 09:16:57 +02:00
Georg Lauterbach
9ee33a81b7
scripts: make policyd-spf configurable (#3246) 2023-04-11 08:52:43 +02:00
Georg Lauterbach
1e20e7c332
Image registry and setup update (#3233) 
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 2023-04-10 11:37:25 +02:00