From 9cdbef2b369fb4fb0f1b4e534da8703daf92abc9 Mon Sep 17 00:00:00 2001 From: Andreas Perhab Date: Thu, 18 Jan 2024 10:41:55 +0100 Subject: [PATCH 1/2] setup/dkim: chown created dkim directories and keys to config user (#3783) Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> --- CHANGELOG.md | 2 ++ target/bin/open-dkim | 3 +++ 2 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cfdfd314..3ecf1251 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,8 @@ All notable changes to this project will be documented in this file. The format ### Fixes +- **Setup:** + - `setup` CLI - `setup dkim domain` now creates the keys files with the user owning the key directory ([#3783](https://github.com/docker-mailserver/docker-mailserver/pull/3783)) - **Dovecot:** - During container startup for Dovecot Sieve, `.sievec` source files compiled to `.svbin` now have their `mtime` adjusted post setup to ensure it is always older than the associated `.svbin` file. This avoids superfluous error logs for sieve scripts that don't actually need to be compiled again ([#3779](https://github.com/docker-mailserver/docker-mailserver/pull/3779)) - **Internal:** diff --git a/target/bin/open-dkim b/target/bin/open-dkim index 86fbfb81..808ef8cc 100755 --- a/target/bin/open-dkim +++ b/target/bin/open-dkim @@ -144,6 +144,9 @@ while read -r DKIM_DOMAIN; do --directory="/tmp/docker-mailserver/opendkim/keys/${DKIM_DOMAIN}" fi + # fix permissions to use the same user:group as /tmp/docker-mailserver/opendkim/keys + chown -R "$(stat -c '%U:%G' /tmp/docker-mailserver/opendkim/keys)" "/tmp/docker-mailserver/opendkim/keys/${DKIM_DOMAIN}" + # write to KeyTable if necessary KEYTABLEENTRY="${SELECTOR}._domainkey.${DKIM_DOMAIN} ${DKIM_DOMAIN}:${SELECTOR}:/etc/opendkim/keys/${DKIM_DOMAIN}/${SELECTOR}.private" if [[ ! -f "/tmp/docker-mailserver/opendkim/KeyTable" ]]; then From deb0d2d09a98bd8bc0b0f977dbed590fde28c706 Mon Sep 17 00:00:00 2001 
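Review bot: the new `chown -R` in target/bin/open-dkim is placed after the closing `fi`, so it runs for every domain on every `setup dkim` invocation, not only for the key directory the preceding block just created; if resetting ownership of pre-existing key directories is not intended, move the line inside the `if`. Separately, `stat -c '%U:%G'` prints user and group names, and GNU stat prints `UNKNOWN` when the owner of the mounted config volume is a host UID with no entry in the container's /etc/passwd, at which point the chown fails and the key files keep the wrong owner. Using the numeric format, `chown -R "$(stat -c '%u:%g' /tmp/docker-mailserver/opendkim/keys)" "/tmp/docker-mailserver/opendkim/keys/${DKIM_DOMAIN}"`, copies ownership regardless of name resolution.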
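Review bot: in the CHANGELOG hunk, "now creates the keys files with the user owning the key directory" should read "the key files", and since the script copies both `%U` and `%G` from the keys directory, "with the user and group owning the key directory" would describe the change more precisely.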
From: Roy Sindre Norangshol Date: Fri, 19 Jan 2024 02:58:20 +0100 Subject: [PATCH 2/2] docs: Guidance for binding outbound SMTP with multiple interfaces available (#3465) Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> --- CHANGELOG.md | 9 ++- .../use-cases/bind-smtp-network-interface.md | 68 +++++++++++++++++++ docs/mkdocs.yml | 1 + 3 files changed, 76 insertions(+), 2 deletions(-) create mode 100644 docs/content/examples/use-cases/bind-smtp-network-interface.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 3ecf1251..b6126956 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,9 +17,15 @@ All notable changes to this project will be documented in this file. The format - Enable via the ENV `ENABLE_MTA_STS=1` - Supported by major email service providers like Gmail, Yahoo and Outlook. +### Added + +- **Docs:** + - An example for how to bind outbound SMTP connections to a specific network interface ([#3465](https://github.com/docker-mailserver/docker-mailserver/pull/3465)) + ### Updates - **Tests**: + - Replace `wc -l` with `grep -c` ([#3752](https://github.com/docker-mailserver/docker-mailserver/pull/3752)) - Revised testing of service process management (supervisord) to be more robust ([#3780](https://github.com/docker-mailserver/docker-mailserver/pull/3780)) - Refactored mail sending ([#3747](https://github.com/docker-mailserver/docker-mailserver/pull/3747) & [#3772](https://github.com/docker-mailserver/docker-mailserver/pull/3772)): - This change is a follow-up to [#3732](https://github.com/docker-mailserver/docker-mailserver/pull/3732) from DMS v13.2. 
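Review bot: while this hunk is touching the Tests list in the Updates section, the heading line `- **Tests**:` places the colon outside the bold, whereas the sibling entries `- **Internal:**` and `- **Docs:**` in the same list put it inside; changing it to `- **Tests:**` keeps the section consistent.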
@@ -28,10 +34,9 @@ All notable changes to this project will be documented in this file. The format - `sending.bash` helper methods were refactored to better integrate `swaks` and accommodate different usage contexts. - `test/files/emails/existing/` files were removed similar to previous removal of SMTP auth files as they became redundant with `swaks`. - **Internal:** - - tests: Replace `wc -l` with `grep -c` ([#3752](https://github.com/docker-mailserver/docker-mailserver/pull/3752)) - Postfix is now configured with `smtputf8_enable = no` in our default `main.cf` config (_instead of during container startup_). ([#3750](https://github.com/docker-mailserver/docker-mailserver/pull/3750)) - **Rspamd** ([#3726](https://github.com/docker-mailserver/docker-mailserver/pull/3726)): - - symbol scores for SPF, DKIM & DMARC were updated to more closely align with [RFC7489](https://www.rfc-editor.org/rfc/rfc7489#page-24); please note though that complete alignment is undesirable, because other symbols might be added as well, which changes the overall score calculation again, see [this issue](https://github.com/docker-mailserver/docker-mailserver/issues/3690#issuecomment-1866871996) + - Symbol scores for SPF, DKIM & DMARC were updated to more closely align with [RFC7489](https://www.rfc-editor.org/rfc/rfc7489#page-24). Please note that complete alignment is undesirable as other symbols may be added as well, which changes the overall score calculation again, see [this issue](https://github.com/docker-mailserver/docker-mailserver/issues/3690#issuecomment-1866871996) - **Docs:** - Revised the SpamAssassin ENV docs to better communicate configuration and their relation to other ENV settings. ([#3756](https://github.com/docker-mailserver/docker-mailserver/pull/3756)) - Detailed how mail received is assigned a spam score by Rspamd and processed accordingly ([#3773](https://github.com/docker-mailserver/docker-mailserver/pull/3773)) 
diff --git a/docs/content/examples/use-cases/bind-smtp-network-interface.md b/docs/content/examples/use-cases/bind-smtp-network-interface.md new file mode 100644 index 00000000..b12e21de --- /dev/null +++ b/docs/content/examples/use-cases/bind-smtp-network-interface.md 
@@ -0,0 +1,68 @@ +--- +title: 'Use Cases | Binding outbound SMTP to a specific network' +hide: + - toc +--- + +!!! warning "Advice not extensively tested" + + This configuration advice is a community contribution which has only been verified as a solution when using `network: host`, where you have direct access to the host interfaces. + + It may be applicable in other network modes if the container has control of the outbound IPs to bind to. This is not the case with bridge networks that typically bind to a private range network for containers which are bridged to a public interface via Docker. + +If your Docker host is running multiple IPv4 and IPv6 IP-addresses, it may be beneficial to bind outgoing SMTP connections to specific IP-address / interface. + +- When a mail is sent outbound from DMS, it greets the MTA it is connecting to with a EHLO (DMS FQDN) which might be verified against the IP resolved, and that a `PTR` record for that IP resolves an address back to the same IP. +- A similar check with SPF can be against the envelope-sender address which may verify a DNS record like MX / A is valid (_or a similar restriction check from an MTA like [Postfix has with `reject_unknown_sender`][gh-pr::3465::comment-restrictions]_). +- If the IP address is inconsistent for those connections from DMS, these DNS checks are likely to fail. + +This can be configured by [overriding the default Postfix configurations][docs::overrides-postfix] DMS provides. Create `postfix-master.cf` and `postfix-main.cf` files for your config volume (`docker-data/dms/config`). + +In `postfix-main.cf` you'll have to set the [`smtp_bind_address`][postfix-docs::smtp-bind-address-ipv4] and [`smtp_bind_address6`][postfix-docs::smtp-bind-address-ipv6] +to the respective IP-address on the server you want to use. 
+ +[docs::overrides-postfix]: ../../config/advanced/override-defaults/postfix.md +[postfix-docs::smtp-bind-address-ipv4]: https://www.postfix.org/postconf.5.html#smtp_bind_address +[postfix-docs::smtp-bind-address-ipv6]: https://www.postfix.org/postconf.5.html#smtp_bind_address6 + +!!! example + + === "Contributed solution" + + ```title="postfix-main.cf" + smtp_bind_address = 198.51.100.42 + smtp_bind_address6 = 2001:DB8::42 + ``` + + !!! bug "Inheriting the bind from `main.cf` can misconfigure services" + + One problem when setting `smtp_bind_address` in `main.cf` is that it will be inherited by any services in `master.cf` that extend the `smtp` transport. One of these is `smtp-amavis`, which is explicitly configured to listen / connect via loopback (localhost / `127.0.0.1`). + + A `postfix-master.cf` override can workaround that issue by ensuring `smtp-amavis` binds to the expected internal IP: + + ```title="postfix-master.cf" + smtp-amavis/unix/smtp_bind_address=127.0.0.1 + smtp-amavis/unix/smtp_bind_address6=::1 + ``` + + === "Alternative (unverified)" + + A potentially better solution might be to instead [explicitly set the `smtp_bind_address` override on the `smtp` transport service][gh-pr::3465::alternative-solution]: + + ```title="postfix-master.cf" + smtp/inet/smtp_bind_address = 198.51.100.42 + smtp/inet/smtp_bind_address6 = 2001:DB8::42 + ``` + + If that avoids the concern with `smtp-amavis`, you may still need to additionally override for the [`relay` transport][gh-src::postfix-master-cf::relay-transport] as well if you have configured DMS to relay mail. + +!!! note "IP addresses for documentation" + + IP addresses shown in above examples are placeholders, they are IP addresses reserved for documentation by IANA (_[RFC-5737 (IPv4)][rfc-5737] and [RFC-3849 (IPv6)][rfc-3849]_). Replace them with the IP addresses you want DMS to send mail through. 
+ +[rfc-5737]: https://datatracker.ietf.org/doc/html/rfc5737 +[rfc-3849]: https://datatracker.ietf.org/doc/html/rfc3849 + +[gh-pr::3465::comment-restrictions]: https://github.com/docker-mailserver/docker-mailserver/pull/3465#discussion_r1458114528 +[gh-pr::3465::alternative-solution]: https://github.com/docker-mailserver/docker-mailserver/pull/3465#issuecomment-1678107233 +[gh-src::postfix-master-cf::relay-transport]: https://github.com/docker-mailserver/docker-mailserver/blob/9cdbef2b369fb4fb0f1b4e534da8703daf92abc9/target/postfix/master.cf#L65 diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 8a6a24b0..0d34b407 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -167,6 +167,7 @@ nav: - 'Customize IMAP Folders': examples/use-cases/imap-folders.md - 'iOS Mail Push Support': examples/use-cases/ios-mail-push-support.md - 'Lua Authentication': examples/use-cases/auth-lua.md + - 'Bind outbound SMTP to a specific network': examples/use-cases/bind-smtp-network-interface.md - 'FAQ' : faq.md - 'Contributing': - 'General Information': contributing/general.md
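Review bot: in the "Alternative (unverified)" tab of bind-smtp-network-interface.md, the override is written as `smtp/inet/smtp_bind_address = 198.51.100.42`, but in the `<service>/<type>/<parameter>` form the `inet` service named `smtp` is the inbound `smtpd` listener, on which the client parameter `smtp_bind_address` has no effect; the outbound SMTP client is the `unix` service of the same name, exactly as the contributed tab already targets with `smtp-amavis/unix/smtp_bind_address=127.0.0.1`. The alternative should therefore read `smtp/unix/smtp_bind_address = ...` and `smtp/unix/smtp_bind_address6 = ...`, which also explains why the `relay` transport (another `unix` service running `smtp`) would need the same treatment. Two smaller points in the same file: the restriction referenced as `reject_unknown_sender` does not exist in postconf(5), the matching Postfix restriction is `reject_unknown_sender_domain`; and "greets the MTA it is connecting to with a EHLO" should read "an EHLO".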