Commit graph

382 commits

Author SHA1 Message Date
Georg Lauterbach 26214491ef
fix: Drop special bits from Postfix maildrop/ and public/ directory permissions (#3625)
* update K8s deployment

Because `allowPrivilegeEscalation` controls SUID/SGID, we require it
when postdrop is invoked.

* correct permissions for maildrop/public

The reason our permissions previously worked out as that in setups where
SUID/SGID worked, the binaries used to place files in these directories
already have SGID set; the current set of permissions makes less sense
(as explained in this comment:
https://github.com/docker-mailserver/docker-mailserver/issues/3619#issuecomment-1793816412)

Since the binaries used to place files inside these directories alredy
have SUID/SGID set, we do not require these bits (or the sticky bit) to
be set on the directories.

* Apply suggestions from code review

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-11-10 19:57:17 +01:00
Joerg Sonnenberger 0703e01492
docs: Clarify default for ENV FETCHMAIL_PARALLEL (#3603)
- Make this easier to find when browsing the example environment file.
- Adjust ENV documentation to properly mark the actual default value.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-11-10 13:03:21 +13:00
Joerg Sonnenberger 460f2d5be5
docs: correct Rspamd directory name (#3629) 2023-11-08 17:57:16 +01:00
Georg Lauterbach 8c0777b669
docs: improve docs about how to work with logs (#3626)
* improvide docs about how to work with logs

Most importantly,

1. I added information on the recently adopted `less` / `nano`
2. I added information about `/var/log/mail/`

* fix typos

* Apply suggestions from code review

* Update docs/content/config/debugging.md

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-11-08 10:49:36 +01:00
Georg Lauterbach f674232f71
misc: final Rspamd adjustments for v13 (#3599)
* outsource Rspamd ENVs into explicit helper

This will allow us to uniformly source the helper and get the values
from everywhere consistently. This is more than desirable since we will
be using these values not only for the Rspamd setup, but also for DKIM
management and during change-detection.

* integrate Rspamd into changedetection

We outsource one more function to reside in the helper script for Rspamd
so that we can call this function from the Rspamd setup and from the
changedetection functionality too.

* realize deprecation of old commands file for Rspamd

THIS IS A BREAKING CHANGE!

This change realizes the log message: "Using old file location now
(deprecated) - this will prevent startup in v13.0.0" Startup will now
fail.

* added '--force' option to Rspamd DKIM script

* use new helper to get ENVs for Rspamd in DKIM script

* remove the need for linking directories

This was unnecessary, as explained in
https://github.com/docker-mailserver/docker-mailserver/pull/3597#discussion_r1369413599

* Apply suggestions from code review

review by @polarathene

* apply more review feedback from @polarathene

- <https://github.com/docker-mailserver/docker-mailserver/pull/3599#discussion_r1370885519>
- <https://github.com/docker-mailserver/docker-mailserver/pull/3599#discussion_r1370904201>

* update documentation

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-10-30 10:20:37 +01:00
Andreas Perhab f6e556e33f
docs: fix path to rspamd.log (#3585) 2023-10-17 10:24:01 +02:00
Brennan Kinney 4a58e2eb83
docs: Revise watchtower page (#3583)
- Better clarify images are only updated to newer image updates to the same tag of the running container(s).
- Slight revisions to existing content.
2023-10-16 15:20:50 +02:00
Georg Lauterbach 894978ddd7
refactor: logrotate setup + rspamd log path + tests log helper fallback path (#3576)
* simplify `_setup_logrotate`

* adjust Rspamd's log file and improve it's management

* add information to docs about Rspamd log

* update log query helper to allow another file location

* bail in case `LOGROTATE_INTERVAL` is invalid

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-10-14 17:14:10 +02:00
Brennan Kinney aae42fae9b
ci(fix): Normalize for .gitattributes + improve eclint coverage (#3566) 2023-10-04 12:53:32 +02:00
Vincent Ducamps bd96c1161e
feat: Allow changing the Dovecot vmail UID/GID via ENV (#3550)
Some deployment scenarios are not compatible with `5000:5000` static vmail user with `/var/mail`. This feature allows adjusting the defaults to a UID / GID that is compatible.

Signed-off-by: vincent <vincent@ducamps.win>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-10-01 00:20:03 +13:00
jpduyx 8c0cfa0836
docs: Revise update-and-cleanup.md (#3539)
* Update update-and-cleanup.md

spotify dockergc is UNMAINTAINED, they advice to consider using the `docker system prune` command instead.

"This repository has been archived by the owner on Feb 2, 2021. It is now read-only."

https://github.com/spotify/docker-gc

* Revise `update-and-cleanup.md`

Merges the image update + cleanup sections.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-09-19 16:21:33 +12:00
Milas Bowman 20241691b8
docs: Fix IPv6 example for Compose (#3531)
The subnet must be specified as part of `ipam.configs`.

This was unfortunately slightly incorrect due to a mistake in the official Docker docs being propagated, which has since been fixed upstream.

Refer to the official Compose Spec for more details:
 * https://docs.docker.com/compose/compose-file/06-networks/#ipam
2023-09-08 10:35:08 +12:00
Brennan Kinney ed84dca147
chore: LDAP config improvements (#3522)
* chore: Drop management of `SASLAUTHD_*` ENV

- `variables-stack.sh` does not need to manage all these extra ENV or store them. They're not used anywhere else.
- `saslauthd.sh` is the only consumer of these ENV which are effectively direct key/value mappings, with some defaults provided / inherited.

Instead of trying to conditionally support key/value pairs when ENV is set, we could instead use `sed` to delete lines with empty values.

* chore: Drop fallbacks + update configs to match docs

- Drop deprecated support:
  - `DOVECOT_HOSTS` is an ENV deprecated since v10.
  - Fallback for missing URI scheme introduced for Dovecot and SASLAuthd in v10.
  - Adding error log message when no LDAP URI scheme is detected for the supported ENV (when set).
- Docs updated for ENV to reflect the mandatory requirement. `mailserver.env` partially synced equivalent sections.
- Provided base LDAP configs (for overriding) likewise updated from `domain.com` to `example.com`.
- LDAP test updated for required `ldap://` URI scheme. Common ENV shared across LDAP configs hoisted out of the Postfix group.

* chore: Remove unset lines in generated `saslauthd.conf`
2023-09-02 22:07:02 +12:00
Brennan Kinney 9446fa9b9a
chore: Adapt ENABLE_LDAP=1 to ACCOUNT_PROVISIONER=LDAP (#3507)
- Deprecation startup script check is kept for `ENABLE_LDAP=1` but adjusted to emit an error instead. It can be dropped in a future release. Just a precaution for those who mistakenly update (_possibly via automation_) without checking the release notes, an error log is somewhat helpful, although it could alternatively panic?
- Docs updated to remove the `ENABLE_LDAP=1` usage
- ENV docs updated to reference a maintained LDAP image.
- Changelog includes the breaking change, and slight revision to prior release mention of deprecation.
2023-08-29 10:19:03 +12:00
Brennan Kinney e9f04cf8a7
chore: Change setup config dkim default key size to 2048 (open-dkim) (#3508)
* chore: Adjust default DKIM size (`open-dkim`) from 4096-bit to 2048-bit

4096-bit is excessive in size for DKIM key. 2048-bit is plenty.

* chore: Additional revisions to `open-dkim` command help output

- The examples use `keysize 2048`, but as that's the new default it makes sense to change that.
- Other help text was also revised.
- Last example for domains did not need to demonstrate the other options. Changed example domains to more appropriate values.

* docs: Revise DKIM docs

Primarily for the change in default key size, but does revise some text to better communicate to the user.
- While the referenced RFC advises 512-bit to 2048-bit key size, we now explicitly discourage `512-bit` as it's not secure. `1024-bit` is still likely safe for most, but `2048-bit` is a good default for those not rotating their keys.
- Adjusted the domains example to match the new `setup config dkim domain` domains example.
- Tip for changing default key size changed to "info" with added clarity of lowering security or increasing it (excessively).
- Rspamd section is minor formatting changes, with the exception of clarifying the "main domain" for the mail accounts is assumed as the DMS FQDN with any subdomain (like `mail.`) stripped away. This is not great, but a legacy issue that needs to be addressed in future.
- `docs-rspamd-override-d` ref removed, and usage replaced with equivalent ref `docs-rspamd-config-dropin`, while `docs-rspamd-config-declarative` ref was not in use and also removed.
- Revised the `<selector>.txt` DNS formatting info section to better communicate with the reader. Additionally it had mixed usage of default `mail` and custom `dkim-rsa` selectors (_file content and output_).

* docs: Sync DKIM commands help messages and update DKIM docs for LDAP

- Adopt the help options format style from the `rspamd-dkim` into `open-dkim` command. And convert `./setup.sh` to `setup`. `selector` option has been implemented. for a while now.
- Update `rspamd-dkim` examples help output to align with `open-dkim` command examples.
- Give both DKIM command tools a consistent description. The two tools differ in support for the `domain` option (_implicit domain sourcing for default account provisioner, and support for multiple domains as input_).
- DKIM docs for LDAP domain support revised to better communicate when explicit domain config is necessary.

* tests: Adjust test-cases for `setup config dkim` change

`rspamd_dkim.bats`:
- Update assert for command help output.
- Don't bother creating a DKIM key at 512-bit size.

`setup_cli.bats`:
- Update assert for command help output of the `setup config dkim` (OpenDKIM) command.

* docs: Update DKIM section for large keys to newer RFC

The linked discussion from 2021 does mention this updated RFC over the original. That removes outdated advice about `512-bit` key length support.

The discussion link is still kept to reference a comment for the reader to better understand the security strength of 2048-bit RSA keys and why larger keys are not worthwhile, especially for DKIM.

* docs: Extract out common DKIM generation command from content tabs

Should be fine to be DRY here, not specific to `open-dkim` or `rspamd` generation/support. Previously rspamd lacked support of an equivalent command in DMS.

* docs: DKIM refactoring

- Shifted out the info admonition on key size advice out of the content tabs as it's now generic information.
- Indented the 4096-bit warning into this, which is less of a concern as the default for our DKIM generation tools is consistently 2048-bit now.
- Reworked the LDAP and Rspamd multi-domain advice. To avoid causing a bad diff, these sections haven't been moved/merged yet.

* docs: Revise DKIM docs

Advice for managing domains individually with LDAP and Rspamd extracted out of the content tabs. Default domain behaviour explained with extra info about OpenDKIM + FILE provisioner sourcing extra domains implicitly.
2023-08-29 09:40:02 +12:00
H4R0 bb2038e8c6
feat: Allow marking spam as read via a sieve filter (ENV MARK_SPAM_AS_READ=1) (#3489)
* add MARK_SPAM_AS_READ environment variable

* review changes

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

* update unit test

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-08-21 10:32:26 +12:00
Georg Lauterbach f28fce9cc4
rspamd: disable checks for authenticated users (#3440)
Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: William Desportes <williamdes@wdes.fr>
2023-08-08 10:43:21 +02:00
Nils Höll 85603193a2
feat(setup): Add fail2ban sub-command status <JAIL> (#3455)
* Added status command to fail2ban setup script

* Switched to `printf` for command output

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/fail2ban.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

---------

Co-authored-by: Casper <casperklein@users.noreply.github.com>
2023-08-02 12:09:01 +12:00
rriski 59f483f157
docs: Fix typos (#3443)
Various typos fixed in docs, in addition to a config and ENV template.
2023-07-27 12:24:36 +12:00
Brennan Kinney a0fde8b83f
docs: IPv6 config examples with content tabs (#3436)
For added clarity, a user requested we document the example config snippets instead of only linking external references to them. Revised section and adjusted to presenting via the content tabs feature.
2023-07-20 23:05:19 +02:00
Georg Lauterbach 9f5d662da7
docs: Rewrite of IPv6 page (#3244)
Much better docs for IPv6 support. Third-party container no longer required, Docker has `ip6tables` feature now.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-07-03 11:33:14 +12:00
Brennan Kinney a276589e40
docs: Add compatibility section to debugging page (#3404)
docs: Add compatibility section to debugging page

ci: Adjust bug report template
Reduce some text + compress the preliminary checks down to single check item.
2023-06-22 09:17:41 +02:00
Georg Lauterbach 6a4fac61f8
misc: remaining v13 todos (#3370) 2023-05-29 19:07:45 +02:00
Arun 69ae4ff319
Update dkim_dmarc_spf.md (#3367) 2023-05-26 14:24:07 +02:00
LucidityCrash 7af7546d88
feature: adding getmail as an alternative to fetchmail (#2803)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2023-05-23 17:25:08 +02:00
Georg Lauterbach 9fd00bd6ad
Rspamd: adjust learning of ham (#3334)
* adjust learning of ham

See #3333

When moving a mail from the Junk folder to the Trash folder, the mail
previously classified as ham due to the wildcard match of `*`. Because
the syntax does not allow for negation, we can only change the behavior
in a way that mails are learned as ham when they are moved into `INBOX`
from `Junk`. This is reasonable though.

* adjust tests accordingly

* adjust docs accordingly
2023-05-13 13:59:16 +02:00
Georg Lauterbach e4274ef113
docs: improve Rspamd docs about DKIM signing of multiple domains (#3329)
* improve Rspamd docs

See #3326 & #3328

* improve warning message

See #3328
2023-05-11 18:08:54 +02:00
Georg Lauterbach 03c0b116c7
clear up confusion about override.d (#3325)
See https://github.com/docker-mailserver/docker-mailserver/issues/3323#issuecomment-1543636636
2023-05-11 13:33:32 +02:00
Georg Lauterbach 45361094e9
fix spelling mistakes (#3324) 2023-05-11 11:06:43 +02:00
Georg Lauterbach 272c19c218
docs: update Rspamd docs (small improvement) (#3318) 2023-05-10 11:51:49 +02:00
Georg Lauterbach 595ff03804
Postfix: rename "smtps" to "submissions" (#3235) 2023-05-10 11:29:51 +02:00
Georg Lauterbach c461dabe9e
docs/misc: update to align with Docker Compose v2 (#3295)
* rename: `docker-compose.yml` => `compose.yaml`
* rename: `docker-compose` => `docker compose`
2023-05-10 11:02:44 +02:00
Georg Lauterbach bba72daedf
scripts: add DKIM helper script for Rspamd (#3286)
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2023-05-03 08:30:49 +02:00
Casper 423188176f
fail2ban: add 'log' command (#3299)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-05-03 00:13:44 +02:00
Georg Lauterbach 2bdbe5d918
F2B: update F2B after discussion in #3256 (#3288) 2023-05-01 15:00:35 +02:00
Georg Lauterbach bbc54c7139
docs: update FAQ entries (#3294)
* removed FAQ entry about Rancher, see <https://github.com/docker-mailserver/docker-mailserver/issues/3289#issuecomment-1521333815>
* update FAQ about special directories, see <https://github.com/docker-mailserver/docker-mailserver/issues/3289#issuecomment-1521333815>
2023-04-26 10:24:21 +02:00
Georg Lauterbach f9d55a9384
docs: update F2B docs & bind mount links (#3293) 2023-04-26 10:05:42 +02:00
Georg Lauterbach 449d53fc3f
docs/scripts: remove WIP warnings for Rspamd (#3283) 2023-04-23 15:14:36 +02:00
Georg Lauterbach cd1721334c
scripts: Rspamd stabilization pt. 2 (#3282)
* move modules adjustment file to new location

Because we link `/tmp/docker-mailserver/rspamd/override.d` to
`/etc/rspamd/override.d`, I think it makes sense to move the modules
adjustment file into `/tmp/docker-mailserver/rspamd/` as well.

I write the code in a way that it is backwards compatible for now, so
this is NOT a breaking change.

* minor improvement to `__rspamd__handle_user_modules_adjustments`

The expansion of `ARGUMENT3` is now done in a way that only adds the
whitespace in case the variable is set and not null.

* move test file structure to respect latest changes

Because we're now linking `rspamd/override.d/`, we can simplify the
setup a bit. But this requires a change in directory structure.

The current Rspamd test will be renamed to `rspamd_full.bats`, because I
plan on adding more tests in different files for different feature sets.
This is done to make this feature well-tested!

* improved and added tests to Rspamd-full

FYI: The line

```bats
_run_in_container grep 'sieve_global_extensions.*\+vnd\.dovecot\.pipe'
"${SIEVE_CONFIG_FILE}"
```

was testing a condition that should actually not be met, but when I
started working on this feature, I thought this was the correct
configuration. Adding the `assert_success` statements revealed this
wrong line.

I also added tests to check whether `override.d` is linked correctly.

* renamed: `rspamd.bats` => `rspamd_full.bats`

* added new tests for incomplete Rspamd feature set

We now test that warnings are emitted & features are disabled correctly.

* update documentation
2023-04-23 14:02:56 +02:00
Georg Lauterbach 638975922e
scripts: Rspamd stabilization pt. 1 (#3261)
* added checks whether OpenDKIM/OpenDMARC/policyd-spf are enabled
* added functions to check if VAR is 0/0 or an int

and also added tests.

I also adjusted the test file to not run in a container, because there
is no need. This also decreases test time, which, in turn, increases
maintainers' happiness.

* added more checks to Rspamd setup

I added the helpers from the previous commit to the Rspamd setup to make
the whole setup more robust, and indicate to the user that an ENV
variable's value is incorrect.

While we did not issues for this in the past, I believe it to be
worthwhile for the future.

* added canonical directory for users to place files in

This dir is canonical with DMS's optional configuration dirs, as it
lives in well-known volume mounts. Hence, users will not need to adjust
`/etc/rspamd/override.d` manually anymore, or mount a volume to this
place.

The docs explain this now, but the DKIM page needs a slight update on
this too I guess. I will follow-up here.

* misc minor improvements
* use variables for common directories
2023-04-23 12:22:54 +02:00
Georg Lauterbach 1c9ed6ce32
docs: improve Rspamd docs (part of its stabilization) (#3257)
* revise links in docs
* added information about `soft_reject_on_timeout`
* added `ENABLE_POLICYD_SPF=0` to basic Rspamd setup docs
2023-04-21 12:21:20 +02:00
Georg Lauterbach c8dfb9ac76
Posfix: add option to re-enable reject_unknown_client_hostname after #3248 (#3255) 2023-04-16 14:09:00 +02:00
Georg Lauterbach 1076aac37d
change F2B configs: made config more aggressive (#3243) 2023-04-11 20:28:43 +02:00
Georg Lauterbach 9a284150b2
Rspamd: replace reject_unknown_client_hostname with Rspamd HFILTER_HOSTNAME_UNKNOWN and make it configurable (#3248) 2023-04-11 18:51:23 +02:00
Georg Lauterbach 806d3efef9
Rspamd: add greylisting option & code refactoring (#3206) 2023-04-11 09:16:57 +02:00
Georg Lauterbach 9ee33a81b7
scripts: make policyd-spf configurable (#3246) 2023-04-11 08:52:43 +02:00
Georg Lauterbach bbe1d2da31
docs: add note about Rspamd web interface (#3245) 2023-04-10 16:00:24 +02:00
Georg Lauterbach ddcc1dcc5c
docs: renamings (#3242) 2023-04-10 15:36:34 +02:00
Georg Lauterbach 34a1fd613f
docs: Combine DKIM/DMARC/SPF pages (#3231)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-04-10 22:08:58 +12:00
Georg Lauterbach 1e20e7c332
Image registry and setup update (#3233)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-04-10 11:37:25 +02:00