Commit graph

2475 commits

Author SHA1 Message Date
Brennan Kinney 9446fa9b9a
chore: Adapt ENABLE_LDAP=1 to ACCOUNT_PROVISIONER=LDAP (#3507)
- Deprecation startup script check is kept for `ENABLE_LDAP=1` but adjusted to emit an error instead. It can be dropped in a future release. Just a precaution for those who mistakenly update (_possibly via automation_) without checking the release notes, an error log is somewhat helpful, although it could alternatively panic?
- Docs updated to remove the `ENABLE_LDAP=1` usage
- ENV docs updated to reference a maintained LDAP image.
- Changelog includes the breaking change, and slight revision to prior release mention of deprecation.
2023-08-29 10:19:03 +12:00
Brennan Kinney 351ef2afa1
tests: LDAP - Improvements to LDIF (#3506)
- The `uniqueIdentifier` attribute is not appropriate and was relying on `objectClass: extensibleObject` as a workaround to allow it. A more appropriate attribute to use instead is `userID` (_short name: `uid`_).
- Removing `extensibleObject` now requires switching the user accounts to use `inetOrgPerson` class (_which inherits from `organizationalPerson`_). which allows the attributes `givenName`, `userID` and `mail` (_also provided via the `PostfixBookMailAccount` class_).
- The LDAP root object now uses `dc` attributes for `example.test` instead of `localhost.localdomain`. This has nothing to do with DMS or LDAP containers networking config, nor the users mail addresses.
- Users are now grouped under the organizational unit of `users` instead of `people`. Purely a naming change out of preference, no functional difference.

The LDAP test ENV has been updated to accommodate the above changes. An additional ENV override was required for SASLAuthd to switch an attribute set for `ldap_filter` in `/etc/saslauthd.conf` from the implicit default of `uniqueIdentifier` (_that we set during startup as an ENV default for fallback_) to the `userID` attribute.
2023-08-29 10:16:08 +12:00
Brennan Kinney e9f04cf8a7
chore: Change setup config dkim default key size to 2048 (open-dkim) (#3508)
* chore: Adjust default DKIM size (`open-dkim`) from 4096-bit to 2048-bit

4096-bit is excessive in size for DKIM key. 2048-bit is plenty.

* chore: Additional revisions to `open-dkim` command help output

- The examples use `keysize 2048`, but as that's the new default it makes sense to change that.
- Other help text was also revised.
- Last example for domains did not need to demonstrate the other options. Changed example domains to more appropriate values.

* docs: Revise DKIM docs

Primarily for the change in default key size, but does revise some text to better communicate to the user.
- While the referenced RFC advises 512-bit to 2048-bit key size, we now explicitly discourage `512-bit` as it's not secure. `1024-bit` is still likely safe for most, but `2048-bit` is a good default for those not rotating their keys.
- Adjusted the domains example to match the new `setup config dkim domain` domains example.
- Tip for changing default key size changed to "info" with added clarity of lowering security or increasing it (excessively).
- Rspamd section is minor formatting changes, with the exception of clarifying the "main domain" for the mail accounts is assumed as the DMS FQDN with any subdomain (like `mail.`) stripped away. This is not great, but a legacy issue that needs to be addressed in future.
- `docs-rspamd-override-d` ref removed, and usage replaced with equivalent ref `docs-rspamd-config-dropin`, while `docs-rspamd-config-declarative` ref was not in use and also removed.
- Revised the `<selector>.txt` DNS formatting info section to better communicate with the reader. Additionally it had mixed usage of default `mail` and custom `dkim-rsa` selectors (_file content and output_).

* docs: Sync DKIM commands help messages and update DKIM docs for LDAP

- Adopt the help options format style from the `rspamd-dkim` into `open-dkim` command. And convert `./setup.sh` to `setup`. `selector` option has been implemented. for a while now.
- Update `rspamd-dkim` examples help output to align with `open-dkim` command examples.
- Give both DKIM command tools a consistent description. The two tools differ in support for the `domain` option (_implicit domain sourcing for default account provisioner, and support for multiple domains as input_).
- DKIM docs for LDAP domain support revised to better communicate when explicit domain config is necessary.

* tests: Adjust test-cases for `setup config dkim` change

`rspamd_dkim.bats`:
- Update assert for command help output.
- Don't bother creating a DKIM key at 512-bit size.

`setup_cli.bats`:
- Update assert for command help output of the `setup config dkim` (OpenDKIM) command.

* docs: Update DKIM section for large keys to newer RFC

The linked discussion from 2021 does mention this updated RFC over the original. That removes outdated advice about `512-bit` key length support.

The discussion link is still kept to reference a comment for the reader to better understand the security strength of 2048-bit RSA keys and why larger keys are not worthwhile, especially for DKIM.

* docs: Extract out common DKIM generation command from content tabs

Should be fine to be DRY here, not specific to `open-dkim` or `rspamd` generation/support. Previously rspamd lacked support of an equivalent command in DMS.

* docs: DKIM refactoring

- Shifted out the info admonition on key size advice out of the content tabs as it's now generic information.
- Indented the 4096-bit warning into this, which is less of a concern as the default for our DKIM generation tools is consistently 2048-bit now.
- Reworked the LDAP and Rspamd multi-domain advice. To avoid causing a bad diff, these sections haven't been moved/merged yet.

* docs: Revise DKIM docs

Advice for managing domains individually with LDAP and Rspamd extracted out of the content tabs. Default domain behaviour explained with extra info about OpenDKIM + FILE provisioner sourcing extra domains implicitly.
2023-08-29 09:40:02 +12:00
dependabot[bot] 855d9acb53
chore(deps): Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#3511)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-28 19:33:05 +02:00
Casper 43a122fe18
scripts: add wrapper to update Postfix configuration safely (follow up) (#3503) 2023-08-28 09:40:24 +12:00
Brennan Kinney f89cbac21c
tests: TLS cipher suites - Update testssl.sh tag to 3.2 (#3504) 2023-08-27 23:44:53 +12:00
Brennan Kinney c8a0bfd361
ci: Fix question.yml template - value should be an attribute (#3502)
The recent change to this template was invalid, as `value` should have been nested under the `attributes` object.
2023-08-24 14:29:08 +02:00
Brennan Kinney af09db6648
ci: question.yml - Clarify that the issue tracker is not for personal support (#3498)
* ci: Revise `question.yml` to better clarify the issue tracker is not for support queries

Users have been making low effort reports (_bypassing the dedicated form_) through this alternative that is intended for addressing other concerns related to the project - not troubleshooting user problems.

When a user does not want to put the effort in of a full bug report (_and following our debug docs tips that it refers them to_), they should be using the Github Discussions page which provides the same free-form input, but should not require attention of project devs (contributors / maintainers).

---

The markdown rendered field above the "Description" input field didn't seem too relevant for this template. I've opted for a markdown comment (so it won't render if kept) into the input field with hopes that'll be more visible to the readers attention.

* chore: Fix typo
2023-08-23 16:56:24 +02:00
Brennan Kinney 39ae101266
tests: Change OpenLDAP image to bitnami/openldap (#3494)
**TL;DR:**
- New image is actively maintained vs existing one that is over 5 years old. 
- Slight improvement to LDAP tree config via `.ldif` files.
- No more `Dockerfile` required to build, we can just rely on `docker run`.

`osixia/openldap` has not seen any activity since Feb 2021, while our `Dockerfile` was fixed to v1.1.6` (Feb 2018).

Startup time for this new image is around 5 seconds? (_The LDAP test uses a standard 20 second timeout check to wait until the server is ready before continuing with starting the DMS image_).

This commit migrates to `bitnami/openldap` which required modifying the `01_mail-tree.ldif` to also include adding the root object to start successfully. This image is actively maintained and one of the most popular OpenLDAP images on DockerHub.

The user account `.ldif` files have minimal changes:
- Lines moved around for better organization
- Additional comments for context
- Removal of inherited `objectClass` attributes (`person`, `top`) from the `orgnizationalPerson` class. Attribute `sn` changed to long form `surname` and values corrected with `givenName`. `changetype: add` was also not necessary.

Additionally the image does not support the `.schema` format, they must be converted to `.ldif` which has been done for `postfix-book.schema`.

See PR for more details.
2023-08-22 21:38:25 +12:00
Georg Lauterbach cf9eb8278a
scripts: add wrapper to update Postfix configuration safely (#3484)
The new function can

1. update/append
2. update/prepend
3. initialize if non-existent

options in `/etc/postfix/main.cf` in a safe and secure manner. When the
container is improperly restarted, the option is not applied twice.

---

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-08-22 08:03:41 +00:00
HeySora 758fd9c913
Docs: Drop mention of port 25 support for authenticated submission (#3496)
* FAQ: Remove outdated port 25 for mail client use
2023-08-22 17:49:15 +12:00
dependabot[bot] 0dc862156f
chore(deps): Bump nwtgck/actions-netlify from 2.0 to 2.1 (#3495)
Bumps [nwtgck/actions-netlify](https://github.com/nwtgck/actions-netlify) from 2.0 to 2.1.
- [Release notes](https://github.com/nwtgck/actions-netlify/releases)
- [Changelog](https://github.com/nwtgck/actions-netlify/blob/develop/CHANGELOG.md)
- [Commits](https://github.com/nwtgck/actions-netlify/compare/v2.0...v2.1)

---
updated-dependencies:
- dependency-name: nwtgck/actions-netlify
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-22 10:30:10 +12:00
H4R0 bb2038e8c6
feat: Allow marking spam as read via a sieve filter (ENV MARK_SPAM_AS_READ=1) (#3489)
* add MARK_SPAM_AS_READ environment variable

* review changes

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

* update unit test

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-08-21 10:32:26 +12:00
Brennan Kinney 5bada0a83b
tests: Refactor LDAP tests to current conventions (#3483)
* tests: Switch to setup helper and conventions

* tests: Adapt run command to new conventions

- We have two helper methods with implicit `CONTAINER_NAME` reference, which is a bit more DRY and improves readability.
- `wc -l` + `assert_output 1` converted to use helper `_should_output_number_of_lines 1`
- `DOMAIN` var changed from `my-domain.com` to local testing domain `example.test`.

* tests: Refactor `setup_file()`

- Test wide ENV defined at the top
- OpenLDAP build and run logic grouped together. Added notes, network alias and tty not required.
- Extracted out special LDAP Postfix/Dovecot ENV into separate array. LDAP specific provisioning / auth ENV also included, with comments + linebreak to better group related ENV.
- Likewise additional ENV to support test cases has been extracted to a separate array with additional comments for context.
- Those two arrays are expanded back into the main `CUSTOM_SETUP_ARGUMENTS` that configure hostname and network for the DMS container.

* tests: Refactor the LDAP account table query testcase

- Covers 3 accounts to test from LDAP.
  - 2 are the same query against users/aliases/groups tables in Postfix, only differing by account queried (and expected as returned result).
  - 1 separate test to ensure a difference in config is supported correctly.
- Extracted repeated test logic into a helper method.
- Added additional context in comments about the creation source of these LDAP accounts and their related Postfix config / interaction. Direct reference to special case PR (since `git blame` will be less useful).

* tests: Use iteration for `grep` setting checks

More DRY approach. With a bit more helpful failure context via `assert_output` (_and only grepping the key_). Simpler to grok what's being covered.

* tests: DRY test email delivery

A bit more verbose with the new helper method. `test-email.txt` template is only used by the LDAP test, as is the `sendmail` command.

Helper will take two args to support the testcases, but at a later date should be refactored to be consistent with the `_send_email()` helper (_which presently uses `nc` that is required for plain-text mail/auth, otherwise we'd have used `openssl`, bigger refactor required_).

* tests: Slight revisions and relocating testcases

- Dovecot quota plugin testcase revised to check files exist instead of rely on `ls` failure.
- Moved Postfix quota plugin testcase into prior dovecot testcase for quota plugin check. Better error output by only querying the `smtpd_recipient_restrictions` setting (_which should be the only one configured for the service_).
- Moved the saslauthd and pflogsumm testcases (_no changes beyond revised comments_) above the `ATTENTION` comment, and one testcase below the comment that belonged to that group.

* tests: Simplify openldap `docker build` command

- `--no-cache` was creating a new image on the Docker host each time the test is run. Shouldn't be any need to build without cache.
- No need to use `pushd` + `popd`, can just provide the path context directly, and the `./Dockerfile` is an implicit default thus `-f` not required either.

Additionally removed the old `checking` prefix from testcase names.

* tests: Move LDAP specific config into `test/config/ldap/`

- No changes to any of these config files, just better isolation as not relevant to any other tests.
- Section heading in `setup_file()` added to distinguish the remainder of the function is dedicated to the DMS container setup.
- Comment providing some context about the `mv` to maintainers, this should be done after defaults are initialized but before starting up the container.

* chore: Appease the lint gods

* Apply suggestions from code review
2023-08-17 14:33:34 +12:00
Casper 8f97171336
compose.yaml: Add comment about disabled authentication on port 25 (#3464)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-08-14 01:58:54 +02:00
Georg Lauterbach f28fce9cc4
rspamd: disable checks for authenticated users (#3440)
Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: William Desportes <williamdes@wdes.fr>
2023-08-08 10:43:21 +02:00
Georg Lauterbach b001f5a140
Rspamd: local network addition and user name mismatch (#3453) 2023-08-04 13:45:35 +02:00
Nils Höll 85603193a2
feat(setup): Add fail2ban sub-command status <JAIL> (#3455)
* Added status command to fail2ban setup script

* Switched to `printf` for command output

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/fail2ban.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

---------

Co-authored-by: Casper <casperklein@users.noreply.github.com>
2023-08-02 12:09:01 +12:00
Georg Lauterbach da984e5696
see https://github.com/docker-mailserver/docker-mailserver/issues/3433#issuecomment-1646532264 (#3439) 2023-07-28 13:39:23 +02:00
rmlhuk f53a40d2ae
docs(page:usage): Add internet.nl to the testing tools section (#3445)
Adding `internet.nl` mail tester, this testing services gives users in-depth analysis of their mail server, connectivity, DKIM/SPF/DMARC records and DNS.
2023-07-28 11:07:26 +12:00
rriski 59f483f157
docs: Fix typos (#3443)
Various typos fixed in docs, in addition to a config and ENV template.
2023-07-27 12:24:36 +12:00
Brennan Kinney a0fde8b83f
docs: IPv6 config examples with content tabs (#3436)
For added clarity, a user requested we document the example config snippets instead of only linking external references to them. Revised section and adjusted to presenting via the content tabs feature.
2023-07-20 23:05:19 +02:00
Brennan Kinney 5ef048bfae
chore: Discourage latest in bug report version field (#3435) 2023-07-20 22:45:33 +02:00
dependabot[bot] 7d5c2736ce
chore(deps): Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#3430)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-17 21:48:19 +02:00
dependabot[bot] 18f8d2573b
chore(deps): Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#3421)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-10 19:25:14 +02:00
dependabot[bot] ee7c4b1ede
chore(deps): Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#3414)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.7.0 to 2.8.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v2.7.0...v2.8.0)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-03 14:54:14 +02:00
Georg Lauterbach 9f5d662da7
docs: Rewrite of IPv6 page (#3244)
Much better docs for IPv6 support. Third-party container no longer required, Docker has `ip6tables` feature now.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-07-03 11:33:14 +12:00
Felix N a2247bf655
fix spelling issues in rspamd-dkim (#3411)
Co-authored-by: Felix Nieuwenhuizen <felix@tdlrali.com>
2023-06-28 20:42:57 +00:00
dependabot[bot] 32c3ecd00e
chore(deps): Bump anchore/scan-action from 3.3.5 to 3.3.6 (#3406)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-26 20:01:26 +02:00
Brennan Kinney a276589e40
docs: Add compatibility section to debugging page (#3404)
docs: Add compatibility section to debugging page

ci: Adjust bug report template
Reduce some text + compress the preliminary checks down to single check item.
2023-06-22 09:17:41 +02:00
wligtenberg 68c6f247a6
Fix issue with concatenating $dmarc_milter and $dkim_milter in main.cf (#3380)
* Fix issue with concatenating $dmarc_milter and $dkim_milter in main.cf 

Upon each start the  `smtpd_milters` and `non_smtpd_milters` would be extended with the following:
```
smtpd_milters =   $dmarc_milter $dkim_milter
non_smtpd_milters = $dkim_milter
```
In my case they became long enough that mail delivery stopped. I think this was because of the extra headers that are added by these steps. (which in turn would cause the mail to be dropped)

* fix sed to work when the variables are there and when they are not.

---------

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-06-20 19:44:54 +00:00
Claude Brisson 2b400a9269
Fix sieve setup (#3397) 2023-06-20 13:37:31 +02:00
dependabot[bot] 4dae83b256
chore(deps): Bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 (#3399)
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.1 to 5.0.2.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](https://github.com/peter-evans/create-pull-request/compare/v5.0.1...v5.0.2)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-20 09:43:57 +02:00
dependabot[bot] e380cc3065
chore(deps): Bump docker/setup-buildx-action from 2.6.0 to 2.7.0 (#3398) 2023-06-19 23:21:13 +02:00
dependabot[bot] 59bcab6127
chore(deps): Bump docker/build-push-action from 4.1.0 to 4.1.1 (#3400) 2023-06-19 23:14:09 +02:00
dependabot[bot] 7a5dfb71c2
chore(deps): Bump docker/metadata-action from 4.5.0 to 4.6.0 (#3401) 2023-06-19 23:03:45 +02:00
dependabot[bot] 8fbc58cf5d
chore(deps): Bump docker/setup-qemu-action from 2.1.0 to 2.2.0 (#3389) 2023-06-12 19:19:35 +02:00
dependabot[bot] 7b1a712c91
chore(deps): Bump docker/metadata-action from 4.4.0 to 4.5.0 (#3387)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-12 17:13:51 +00:00
dependabot[bot] 8e87a4d845
chore(deps): Bump docker/setup-buildx-action from 2.5.0 to 2.6.0 (#3388)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-12 17:12:00 +00:00
dependabot[bot] 7bf772e2d6
chore(deps): Bump docker/build-push-action from 4.0.0 to 4.1.0 (#3390)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-12 19:10:10 +02:00
Casper e0c7cd475b
Don't register _setup_spam_to_junk() when SMTP_ONLY=1 (#3385) 2023-06-11 22:59:26 +02:00
Thomas Butter efed9d8012
Dovecot: compile fts_xapian from source to match Dovecot ABI (#3373)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2023-06-01 10:50:31 +02:00
Brennan Kinney e68062282a
ci: Simplify GH bug report template (#3381)
Simplify the bug report form further by dropping / merging form sections.

Change Overview:
- Minor revisions and formatting changes (_multi-line pipe operator, emoji, fix typos, etc_).
- Collapsed OS + Arch into single input field (_not much benefit from the two additional dropdown items_).
- Description/reproduction and expectation sections revised (_expectation intent is typically inferred by the issue description, while detailed reproduction steps can belong a separate optional section_).
- Removed platform dropdown (_Windows and macOS are mentioned in description as unsupported_).
- Removed experience checkboxes (_context doesn't really change responses_).
- Removed the orchestrator dropdown (_we don't seem to use this information, it's just noise_)
- Relocate the DMS version + OS/Arch sections to come after the Reproduction steps.
2023-06-01 12:57:05 +12:00
Brennan Kinney 86e18d04dd
chore: Revise Dockerfile comment on COPY bug (#3378) 2023-05-31 01:22:42 +12:00
Georg Lauterbach 6a4fac61f8
misc: remaining v13 todos (#3370) 2023-05-29 19:07:45 +02:00
Georg Lauterbach 68265b744d
add note about DMS FQDN (#3372) 2023-05-29 18:34:58 +02:00
dependabot[bot] d1fb8f5958
chore(deps): Bump myrotvorets/set-commit-status-action from 1.1.6 to 1.1.7 (#3377)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-29 16:52:34 +02:00
Casper 5c504a5741
Bump hadolint/eclint version (#3371) 2023-05-28 22:48:11 +02:00
Casper 3d6260adf8
Add BASH syntax check to linter (#3369) 2023-05-27 22:12:24 +02:00
Arun 69ae4ff319
Update dkim_dmarc_spf.md (#3367) 2023-05-26 14:24:07 +02:00