Commit graph

288 commits

Author SHA1 Message Date
georglauterbach 3180a63e77
update Dovecot Xapian installation 2023-12-21 17:47:18 +01:00
georglauterbach 93c9c04912
update scripts for Amavis & SpamAssassin 2023-12-21 17:47:17 +01:00
georglauterbach e4230e5a93
updated packages lists and added comments for maintainability 2023-12-21 17:47:15 +01:00
georglauterbach 1861718cc1
use PPA for Rspamd 2023-12-21 17:47:15 +01:00
georglauterbach cf0bf59698
better communicate why we need early packages 2023-12-21 17:47:15 +01:00
georglauterbach f96b8fbcc1
moved and merged functions in packages.sh 2023-12-21 17:47:14 +01:00
georglauterbach fde195b9b0
removed custom installations of Fail2Ban, getmail6 and Rspamd 2023-12-21 17:47:14 +01:00
georglauterbach bcb06f4a89
packages.sh now uses /etc/os-release to determine the release name of Debian 2023-12-21 17:47:13 +01:00
Casper 3adb53eb12
Remove sed statement (#3715) 2023-12-20 13:43:32 +13:00
Casper 98a4c13ca9
Add ENV ENABLE_IMAP (#3703) 2023-12-18 12:26:28 +01:00
René Plötz 2f5dfed726
fix: Only set virtual_mailbox_maps to texthash when using the FILE account provisioner (#3693)
Signed-off-by: René Plötz <reneploetz@users.noreply.github.com>
2023-12-11 10:22:31 +13:00
Casper d3b4e94d06
update-check: fix 'read' exit status (#3688)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-12-08 01:20:17 +01:00
Peter Adam 77917f5cc6
scripts: Install arm64 rspamd from official repository (#3686)
* scripts: Install rspamd from official repository instead of debian backports on arm64 architecture

* Remove unnecessary deb-src repository for rspamd

* Remove note about ARM64 rspamd version, update CHANGELOG.md

---------

Co-authored-by: Peter Adam <p.adam@cygnusnetworks.de>
2023-12-07 23:45:02 +01:00
Casper 908d38047c
scripts: add warning when update-check is enabled, but no stable release image is used (#3684) 2023-12-05 20:42:30 +00:00
Brennan Kinney c75975d59e
chore: Postfix should integrate Dovecot at runtime (#3681)
* chore: Better establish startup scope

* chore: Configure `main.cf` for Dovecot at runtime
2023-12-05 17:16:39 +13:00
Brennan Kinney 68f9671a22
fix: Logging - Welcome should use DMS_RELEASE ENV (#3676) 2023-11-30 14:47:31 +13:00
Brennan Kinney 19e96b5131
fix: update-check.sh should query GH Releases (#3666)
* fix: Source `VERSION` from image ENV

Now CI builds triggered from tagged releases will always have the correct version. No need for manually updating a separate file.

* fix: Query latest GH release tag

Compare to the remote GH release tag published, rather than contents of a `VERSION` file.

`VERSION` file remains in source for now as prior releases still rely on it for an update notification.

* chore: Switch from `yq` to `jaq`

- Can more easily express a string subslice.
- Lighter weight: 9.3M vs 1.7M.
- Drawback, no YAML input/output support.

If `yq` is preferred, the `v` prefix could be removed via BASH easily enough.

* chore: Add entry to `CHANGELOG.md`

* ci: `VERSION` has no relevance to `:edge`

* docs: Update build guide + simplify `make build`

---------

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-11-30 10:21:26 +13:00
Georg Lauterbach a11951e398
hotfix: solve #3665 (#3669)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-11-28 10:33:29 +01:00
Georg Lauterbach 5f2fb72c9c
Rspamd: add check for DKIM private key files' permissions (#3627)
* added check for Rspamd DKIM on startup

The newly added function `__rspamd__check_dkim_permissions` performs a
check on DKIM private key files. This is useful to prevent issues
like #3621 in the future. The function is deliberately kept simple and
may not catch every single misconfiguration in terms of permissions and
ownership, but it should be quite accurate.

Please note that the Rspamd setup does NOT change at all, and the checks
will not abort the setup in case they fail. A simple warning is emmited.

* add more documentation to Rspamd functions

* Apply suggestions from code review

* improve `__do_as_rspamd_user`

* rework check similar to review suggestion

see https://github.com/docker-mailserver/docker-mailserver/pull/3627#discussion_r1388697547

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-11-13 12:34:46 +01:00
Georg Lauterbach 26214491ef
fix: Drop special bits from Postfix maildrop/ and public/ directory permissions (#3625)
* update K8s deployment

Because `allowPrivilegeEscalation` controls SUID/SGID, we require it
when postdrop is invoked.

* correct permissions for maildrop/public

The reason our permissions previously worked out as that in setups where
SUID/SGID worked, the binaries used to place files in these directories
already have SGID set; the current set of permissions makes less sense
(as explained in this comment:
https://github.com/docker-mailserver/docker-mailserver/issues/3619#issuecomment-1793816412)

Since the binaries used to place files inside these directories alredy
have SUID/SGID set, we do not require these bits (or the sticky bit) to
be set on the directories.

* Apply suggestions from code review

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-11-10 19:57:17 +01:00
Zepmann 290355cf5a
docs: Add Dovecot Lua auth guide + required package (#3579)
* Dovecot: add deb package dovecot-lua to support Lua scripting
* Adding documentation for Lua authentication
* Updated documentation and made a better distinction between Dovecot packages for officially supported features and for community supported features.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-11-09 10:18:17 +13:00
Georg Lauterbach f674232f71
misc: final Rspamd adjustments for v13 (#3599)
* outsource Rspamd ENVs into explicit helper

This will allow us to uniformly source the helper and get the values
from everywhere consistently. This is more than desirable since we will
be using these values not only for the Rspamd setup, but also for DKIM
management and during change-detection.

* integrate Rspamd into changedetection

We outsource one more function to reside in the helper script for Rspamd
so that we can call this function from the Rspamd setup and from the
changedetection functionality too.

* realize deprecation of old commands file for Rspamd

THIS IS A BREAKING CHANGE!

This change realizes the log message: "Using old file location now
(deprecated) - this will prevent startup in v13.0.0" Startup will now
fail.

* added '--force' option to Rspamd DKIM script

* use new helper to get ENVs for Rspamd in DKIM script

* remove the need for linking directories

This was unnecessary, as explained in
https://github.com/docker-mailserver/docker-mailserver/pull/3597#discussion_r1369413599

* Apply suggestions from code review

review by @polarathene

* apply more review feedback from @polarathene

- <https://github.com/docker-mailserver/docker-mailserver/pull/3599#discussion_r1370885519>
- <https://github.com/docker-mailserver/docker-mailserver/pull/3599#discussion_r1370904201>

* update documentation

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-10-30 10:20:37 +01:00
Georg Lauterbach cb62ce20e6
bugfix: change Rspamd DKIM default config location (#3597)
Instead of using `etc/rspamd/override.d/dkim_signing.conf`, we will now
be using `/tmp/docker-mailserver/rspamd/override.d/dkim_signing.conf`.
The new location is persisted (and linked again during startup) and
hence better suited.
2023-10-24 10:31:22 +02:00
Georg Lauterbach 128e6b4d1f
chore: Add debug group (packages.sh) + more resilient rspamd setup (#3578) 2023-10-16 09:51:48 +02:00
Georg Lauterbach 894978ddd7
refactor: logrotate setup + rspamd log path + tests log helper fallback path (#3576)
* simplify `_setup_logrotate`

* adjust Rspamd's log file and improve it's management

* add information to docs about Rspamd log

* update log query helper to allow another file location

* bail in case `LOGROTATE_INTERVAL` is invalid

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-10-14 17:14:10 +02:00
Vincent Ducamps bd96c1161e
feat: Allow changing the Dovecot vmail UID/GID via ENV (#3550)
Some deployment scenarios are not compatible with `5000:5000` static vmail user with `/var/mail`. This feature allows adjusting the defaults to a UID / GID that is compatible.

Signed-off-by: vincent <vincent@ducamps.win>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-10-01 00:20:03 +13:00
Brennan Kinney ed84dca147
chore: LDAP config improvements (#3522)
* chore: Drop management of `SASLAUTHD_*` ENV

- `variables-stack.sh` does not need to manage all these extra ENV or store them. They're not used anywhere else.
- `saslauthd.sh` is the only consumer of these ENV which are effectively direct key/value mappings, with some defaults provided / inherited.

Instead of trying to conditionally support key/value pairs when ENV is set, we could instead use `sed` to delete lines with empty values.

* chore: Drop fallbacks + update configs to match docs

- Drop deprecated support:
  - `DOVECOT_HOSTS` is an ENV deprecated since v10.
  - Fallback for missing URI scheme introduced for Dovecot and SASLAuthd in v10.
  - Adding error log message when no LDAP URI scheme is detected for the supported ENV (when set).
- Docs updated for ENV to reflect the mandatory requirement. `mailserver.env` partially synced equivalent sections.
- Provided base LDAP configs (for overriding) likewise updated from `domain.com` to `example.com`.
- LDAP test updated for required `ldap://` URI scheme. Common ENV shared across LDAP configs hoisted out of the Postfix group.

* chore: Remove unset lines in generated `saslauthd.conf`
2023-09-02 22:07:02 +12:00
Brennan Kinney 9446fa9b9a
chore: Adapt ENABLE_LDAP=1 to ACCOUNT_PROVISIONER=LDAP (#3507)
- Deprecation startup script check is kept for `ENABLE_LDAP=1` but adjusted to emit an error instead. It can be dropped in a future release. Just a precaution for those who mistakenly update (_possibly via automation_) without checking the release notes, an error log is somewhat helpful, although it could alternatively panic?
- Docs updated to remove the `ENABLE_LDAP=1` usage
- ENV docs updated to reference a maintained LDAP image.
- Changelog includes the breaking change, and slight revision to prior release mention of deprecation.
2023-08-29 10:19:03 +12:00
Casper 43a122fe18
scripts: add wrapper to update Postfix configuration safely (follow up) (#3503) 2023-08-28 09:40:24 +12:00
Georg Lauterbach cf9eb8278a
scripts: add wrapper to update Postfix configuration safely (#3484)
The new function can

1. update/append
2. update/prepend
3. initialize if non-existent

options in `/etc/postfix/main.cf` in a safe and secure manner. When the
container is improperly restarted, the option is not applied twice.

---

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-08-22 08:03:41 +00:00
H4R0 bb2038e8c6
feat: Allow marking spam as read via a sieve filter (ENV MARK_SPAM_AS_READ=1) (#3489)
* add MARK_SPAM_AS_READ environment variable

* review changes

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

* update unit test

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-08-21 10:32:26 +12:00
Georg Lauterbach f28fce9cc4
rspamd: disable checks for authenticated users (#3440)
Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: William Desportes <williamdes@wdes.fr>
2023-08-08 10:43:21 +02:00
wligtenberg 68c6f247a6
Fix issue with concatenating $dmarc_milter and $dkim_milter in main.cf (#3380)
* Fix issue with concatenating $dmarc_milter and $dkim_milter in main.cf 

Upon each start the  `smtpd_milters` and `non_smtpd_milters` would be extended with the following:
```
smtpd_milters =   $dmarc_milter $dkim_milter
non_smtpd_milters = $dkim_milter
```
In my case they became long enough that mail delivery stopped. I think this was because of the extra headers that are added by these steps. (which in turn would cause the mail to be dropped)

* fix sed to work when the variables are there and when they are not.

---------

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-06-20 19:44:54 +00:00
Claude Brisson 2b400a9269
Fix sieve setup (#3397) 2023-06-20 13:37:31 +02:00
Casper e0c7cd475b
Don't register _setup_spam_to_junk() when SMTP_ONLY=1 (#3385) 2023-06-11 22:59:26 +02:00
Thomas Butter efed9d8012
Dovecot: compile fts_xapian from source to match Dovecot ABI (#3373)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2023-06-01 10:50:31 +02:00
Georg Lauterbach 6a4fac61f8
misc: remaining v13 todos (#3370) 2023-05-29 19:07:45 +02:00
Casper 8bfe8424fc
Change 'for' style (#3368) 2023-05-26 14:00:40 +02:00
Casper c2d0b748b2
Change 'while' style (#3365) 2023-05-26 01:39:39 +02:00
Casper 37ca0f9ba9
Change 'function' style (#3364) 2023-05-26 01:01:41 +02:00
Casper cf74127f78
change if style (#3361) 2023-05-24 09:06:59 +02:00
Casper 0e592aa911
SPAM_TO_INBOX=1; add info about SA_KILL (#3360) 2023-05-23 19:32:09 +02:00
LucidityCrash 7af7546d88
feature: adding getmail as an alternative to fetchmail (#2803)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2023-05-23 17:25:08 +02:00
Brennan Kinney 1d2df8d499
fix: DB helper should properly filter entries (#3359)
Previously it was assumed the sed operation was applying the sed expressions as a sequence, but it did not seem to filter entries being looked up correctly.

Instead any line that matched either sed expression pattern was output (_value without matching key, values split by the delimiter_), then grep would match any of that causing false-positives.

Resolved by piping the first sed expression into the next.
2023-05-23 11:02:30 +12:00
Georg Lauterbach 7453bc096b
Dovecot: make home dir distinct from mail dir (#3335)
* add new home dir for Dovecot

I tried changing the mail dir, but this is a _very_ disruptive change,
so I took approach 3 on
<https://doc.dovecot.org/configuration_manual/home_directories_for_virtual_users/>,
whereby the home directory is now inside the mail directory.

The MDBOX/SDBOX formats are not touched by this change. The change
itself could be considered breaking though.

* adjust Sieve tests accordingly

* Update target/dovecot/10-mail.conf

* Update target/dovecot/auth-passwdfile.inc

---------

Co-authored-by: Casper <casperklein@users.noreply.github.com>
2023-05-15 20:10:29 +02:00
Casper a72adc2731
Fix typos (#3344) 2023-05-15 19:11:36 +02:00
Andreas Perhab ec330a35a1
ClamAV: add a warning for the internal message size limit (#3341) 2023-05-15 15:46:13 +02:00
Georg Lauterbach 9fd00bd6ad
Rspamd: adjust learning of ham (#3334)
* adjust learning of ham

See #3333

When moving a mail from the Junk folder to the Trash folder, the mail
previously classified as ham due to the wildcard match of `*`. Because
the syntax does not allow for negation, we can only change the behavior
in a way that mails are learned as ham when they are moved into `INBOX`
from `Junk`. This is reasonable though.

* adjust tests accordingly

* adjust docs accordingly
2023-05-13 13:59:16 +02:00
Georg Lauterbach 78b7f0cbea
scripts: improve CLAMAV_MESSAGE_SIZE_LIMIT usage (#3332)
* add sanity check for Clam size & adjusted MaxScanSize

The second part is of special importance! See
<https://askubuntu.com/a/1448525>, which explains that the maximum scan
size is important as well. We previously just set the maximum file size,
which actually is pretty insecure as we silently not scan mile bigger
than `MaxScanSize`. This is corrected now.

* add SlamAV size configuration to Rspamd
2023-05-12 16:04:41 +02:00
ghnp5 823ef33a92
fix: typo about OpenDMARC (#3330)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-05-11 18:10:51 +02:00