Production-ready fullstack but simple mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) running inside a container.
This is a patch release fixing two important bugs in v13.3.0:
(_rspamd:_rspamd) for the Rspamd DKIM directory and files (/tmp/docker-mailserver/rspamd/dkim/)
The main feature of this release is very simple OAuth2 support. DMS now supports authentication via OAuth2 (via the XOAUTH2 or OAUTHBEARER SASL mechanisms) from capable services (like Roundcube). This does not replace the need for an ACCOUNT_PROVISIONER (FILE / LDAP), which is required for an account to receive or send mail.
Additionally, MTA-STS support for outbound mail was added to DMS. A bunch of smaller changes have made it into this release as well: Rspamd symbol scores for SPF, DKIM & DMARC have been adjusted to better align with RFC7489; smtputf8 has been disabled directly; scripts were improved (replacing wc -l with grep -c, etc.); and a bug fix for jaq on arm64 was added.
As usual, we worked on improving the documentation. Last but not least, the test suite saw bigger changes in the area of helper functions used during tests to send test e-mails.
smtputf8 support in config directly by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3750
wc -l with grep -c by @casperklein in https://github.com/docker-mailserver/docker-mailserver/pull/3752
.gitattributes - Ensure eol=lf for shell scripts by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3755
SA_SPAM_SUBJECT in mailserver.env by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3767
path setting by @denisix in https://github.com/docker-mailserver/docker-mailserver/pull/3702
.svbin files are newer than .sieve source files by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3779
sed usage by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3789
process_check_restart.bats by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3780
setup dkim generates DKIM keys with ownership matching the parent directory by @ap-wtioit in https://github.com/docker-mailserver/docker-mailserver/pull/3783
main.cf:reject_unknown_sender_domain by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3793
Most importantly, DMS is now protected by default against the security vulnerability called "SMTP smuggling". Moreover, we switched from raw netcat (nc) to swaks in our test suite - a change that is beneficial for upcoming changes and improvements to our test suite. Last but not least, the log path for Postgrey was corrected.
supervisor-app.conf - Correct the log location for postgrey by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3724
swaks instead of nc for sending mail by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3732
smtpd_data_restrictions = reject_unauth_pipelining by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3744
DMS_RELEASE and no longer in the file /VERSION. Moreover, the update check will use this to determine whether you are running :edge (to disable the update check if this is the case).
ENABLE_IMAP was added, which works analogously to ENABLE_POP3.
sed line for quota-related changes to Postfix's main.cf was not working as expected. This has been taken care of.
DMS_RELEASE ENV by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3676
run-local-instance target to Makefile by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3663
virtual_mailbox_maps to texthash when not using LDAP by @reneploetz in https://github.com/docker-mailserver/docker-mailserver/pull/3693
ENABLE_IMAP by @casperklein in https://github.com/docker-mailserver/docker-mailserver/pull/3703
CONTRIBUTORS.yml by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3705
VERSION from Dockerfile by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3711
sed logic for ENABLE_QUOTAS=0 is not actionable by @casperklein in https://github.com/docker-mailserver/docker-mailserver/pull/3715
This patch release fixes two bugs that Rspamd users encountered with the v13.0.0 release. Big thanks to those who helped to identify these issues! ❤️
VERSION file at the GH repo). This should provide more reliable update notifications (#3666)
RSPAMD_CHECK_AUTHENTICATED=0, DKIM signing for outbound e-mail was disabled, which is undesirable (#3669). Make sure to check the documentation of RSPAMD_CHECK_AUTHENTICATED!
CONTRIBUTORS.md by @github-actions in https://github.com/docker-mailserver/docker-mailserver/pull/3656
:edge when VERSION is updated as well by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3662
update-check.sh should query GH Releases by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3666
Full Changelog: https://github.com/docker-mailserver/docker-mailserver/compare/v13.0.0...v13.0.1
Please refer to the CHANGELOG to get the complete and comprehensive overview of this release. Here is the full git-diff: https://github.com/docker-mailserver/docker-mailserver/compare/v12.1.0...v13.0.0.
v13.0.0 contains a lot of changes! In fact, we never had more pull requests in a single release before 🚀 Thus, please read the following changes thoroughly!
The environment variables LDAP_SERVER_HOST, DOVECOT_URIS, and SASLAUTHD_LDAP_SERVER will now log an error if the LDAP URI scheme is missing. Previously, there was an implicit fallback to ldap:// (see #3522).
Moreover, ENABLE_LDAP=1 is no longer supported. Please use ACCOUNT_PROVISIONER=LDAP.
The deprecated path for the Rspamd custom commands file (/tmp/docker-mailserver/rspamd-modules.conf) now prevents successful startup. The correct path is /tmp/docker-mailserver/rspamd/custom-commands.conf.
Dovecot mail storage per account in /var/mail previously shared the same path for the account's home directory (#3335). The home directory is now a subdirectory home/. This change better supports Sieve scripts. You will need to manually move (managesieve) Sieve scripts from <SERVER>/<ACCOUNT>/sieve to <SERVER>/<ACCOUNT>/home/sieve and re-enable them with managesieve. This change has not been implemented yet with ACCOUNT_PROVISIONER=LDAP.
/etc/postfix/master.cf has renamed the "smtps" service to "submissions" (#3235).
/etc/services name for port 465, aligning with the similar "submission" port 587.
postfix-master.cf (as per our docs guide), you will want to update smtps to submissions there.
Postfix now defaults to supporting DSNs (Delivery Status Notifications) only for authenticated users (via ports 465 + 587). This is a security measure to reduce spammer abuse of your DMS instance as a backscatter source (#3572). If you need to modify this change, please let us know by opening an issue / discussion.
You can opt out (enable DSNs) via the postfix-main.cf override support using the contents:
smtpd_discard_ehlo_keywords =
Likewise for authenticated users, the submission(s) ports (465 + 587) are configured internally via master.cf to keep DSNs enabled (since authentication protects from abuse). If necessary, DSNs for authenticated users can be disabled via the postfix-master.cf override with the following contents:
submission/inet/smtpd_discard_ehlo_keywords=silent-discard,dsn
submissions/inet/smtpd_discard_ehlo_keywords=silent-discard,dsn
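A pre-upgrade check for the v13.0.0 breaking changes listed above (missing LDAP URI scheme, ENABLE_LDAP=1, the deprecated Rspamd custom commands path, and smtps overrides in postfix-master.cf). This is an added example, not part of the release notes or the DMS code base; it assumes an env file of KEY=VALUE lines and a host directory that is mounted at /tmp/docker-mailserver, and the function names and sample values are constructed.

```shell
#!/bin/sh
# Added example, not DMS code. check_env, check_config and demo are hypothetical names.

# check_env FILE: report v13.0.0-incompatible settings in a KEY=VALUE env file.
check_env() {
  while IFS='=' read -r key value || [ -n "$key" ]; do
    value=${value#\"}; value=${value%\"}   # drop optional surrounding quotes
    case $key in
      ENABLE_LDAP)
        if [ "$value" = "1" ]; then
          echo "ENABLE_LDAP=1 is no longer supported; use ACCOUNT_PROVISIONER=LDAP"
        fi ;;
      LDAP_SERVER_HOST|DOVECOT_URIS|SASLAUTHD_LDAP_SERVER)
        # Assumption: a value may hold several space-separated URIs; each needs a scheme.
        for uri in $value; do
          case $uri in
            *://*) ;;
            *) echo "$key: '$uri' lacks a URI scheme (no implicit ldap:// fallback)" ;;
          esac
        done ;;
    esac
  done < "$1"
  return 0
}

# check_config DIR: DIR is the host directory mounted at /tmp/docker-mailserver (assumption).
check_config() {
  if [ -e "$1/rspamd-modules.conf" ]; then
    echo "rspamd-modules.conf prevents startup; use rspamd/custom-commands.conf"
  fi
  if [ -f "$1/postfix-master.cf" ] && grep -q '^smtps/' "$1/postfix-master.cf"; then
    echo "postfix-master.cf: rename smtps overrides to submissions"
  fi
  return 0
}

# demo: run both checks against constructed sample input in a temporary directory.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/mailserver.env" <<'EOF'
# constructed sample values
ENABLE_LDAP=1
LDAP_SERVER_HOST=ldap.example.test
DOVECOT_URIS="ldaps://a.example.test b.example.test"
SASLAUTHD_LDAP_SERVER=ldap://ok.example.test
EOF
  : > "$tmp/rspamd-modules.conf"
  echo 'smtps/inet/smtpd_tls_security_level=encrypt' > "$tmp/postfix-master.cf"
  check_env "$tmp/mailserver.env"
  check_config "$tmp"
  rm -rf "$tmp"
}

demo
```
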
This section only contains the most important updates; for a full list, consult our CHANGELOG.
MARK_SPAM_AS_READ, DMS_VMAIL_UID/DMS_VMAIL_GID, and RSPAMD_CHECK_AUTHENTICATED.
Our documentation was updated heavily across many pages; especially the debugging section should be much more helpful now.
Rspamd saw many adjustments as well:
logrotate was implemented for Rspamd logs
mydestination by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3316
override.d directory by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3325
CLAMAV_MESSAGE_SIZE_LIMIT usage by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3332
antivirus.conf for Rspamd by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3331
getmail as an alternative to fetchmail by @LucidityCrash in https://github.com/docker-mailserver/docker-mailserver/pull/2803
fts_xapian from source to match Dovecot ABI by @tbutter in https://github.com/docker-mailserver/docker-mailserver/pull/3373
latest in bug report version field by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3435
fail2ban sub-command status <JAIL> by @nilshoell in https://github.com/docker-mailserver/docker-mailserver/pull/3455
(MARK_SPAM_AS_READ=1) by @H4R0 in https://github.com/docker-mailserver/docker-mailserver/pull/3489
bitnami/openldap by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3494
question.yml - Clarify that the issue tracker is not for personal support by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3498
question.yml template - value should be an attribute by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3502
testssl.sh tag to 3.2 by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3504
setup config dkim default key size to 2048 (open-dkim) by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3508
ENABLE_LDAP=1 to ACCOUNT_PROVISIONER=LDAP by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3507
_add_to_or_update_postfix_main() by @casperklein in https://github.com/docker-mailserver/docker-mailserver/pull/3505
eol=lf via .gitattributes by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3527
update-and-cleanup.md by @jpduyx in https://github.com/docker-mailserver/docker-mailserver/pull/3539
pgrep within the actual container by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3553
lmtp_ip.bats improve partial failure output by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3552
.gitattributes + improve eclint coverage by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3566
passthrough=true on implicit ports for Traefik example by @vincentDcmps in https://github.com/docker-mailserver/docker-mailserver/pull/3568
logrotate setup + rspamd log path + tests log helper fallback path by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3576
(packages.sh) + more resilient rspamd setup by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3578
watchtower page by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3583
eclint to 2.7.2 by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3584
FETCHMAIL_PARALLEL by @jsonn in https://github.com/docker-mailserver/docker-mailserver/pull/3603
maildrop/ and public/ directory permissions by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3625
gRPC FUSE by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3652
/check as the mount path by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3655
Please refer to the CHANGELOG to get the complete and comprehensive overview of this release. Here is the full git-diff: https://github.com/docker-mailserver/docker-mailserver/compare/v12.0.0...v12.1.0.
With v12.1.0, Rspamd is stabilized. We added more documentation (e.g. on the web interface), the option to greylist e-mails, an option to use HFILTER_HOSTNAME_UNKNOWN and a helper script for DKIM signing. The scripts have been properly stabilized and cleaned up as well, and all WIP warnings are now removed.
Fail2Ban saw some major updates in its configuration. The mode for Postfix was changed to extra to catch more log lines, and the time to find an offender and the time the offender is banned were raised as well.
v12.1.0 also packs a lot of smaller fixes for scripts, our CI and configurations.
policyd-spf configurable by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3246
reject_unknown_client_hostname with Rspamd HFILTER_HOSTNAME_UNKNOWN and make it configurable by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3248
policyd-spf setup in one place by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3263
reject_unknown_client_hostname after #3248 by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3255
SRS_EXCLUDE_DOMAINS during startup by @jamebus in https://github.com/docker-mailserver/docker-mailserver/pull/3271
bug_report.yml by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3275
bug_report.yml by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3276
EOF in dmarc_dkim_spf.sh by @ap-wtioit in https://github.com/docker-mailserver/docker-mailserver/pull/3266
set -eE by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3285
return 0 statements by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3290
Please refer to the CHANGELOG to get the complete and comprehensive overview of this release. Here is the full git-diff: https://github.com/docker-mailserver/docker-mailserver/compare/v12.0.0...v12.1.0.
v12.0.0 is our biggest release yet. With over 100 merged pull requests and closed issues, this release packs a ton of changes & updates. Make sure to thoroughly read the CHANGELOG! We will list the most notable changes now.
v12.0.0 is the first release to feature Rspamd. Support for this feature is expected to stabilize with v12.1.0 - we encourage all users to give it a try though, as we feel like support is mature enough to run it on production systems. There will be a dedicated page in our documentation about Rspamd!
We plan on making Rspamd the default anti-spam engine in DMS. For the time being, Rspamd is an opt-in and you'll most likely want to disable Amavis & SA when using Rspamd.
Support for the already deprecated ARMv7 platform was dropped.
The socket location for SASL changed to /dev/shm/sasl-auth.sock - custom setups need to take care!
chroot
We do not use chroot environments anymore. These environments caused trouble in the past and did not bring an advantage.
The minimum supported protocol is now TLSv1.2. Moreover, we disabled SMTP authentication on the unencrypted port 25.
We now ship Fail2Ban version 1.0.2, which is one major version ahead of DMS v11.3.1 and the latest version for Debian 11.
MOVE_SPAM_TO_JUNK Sieve File Adjustments
When using MOVE_SPAM_TO_JUNK, the Sieve script is now a global-after rule (before it was a global-before rule). This means you will now need to explicitly use the stop directive and disable implicit keep when using user scripts (e.g. to whitelist e-mails).
While you may not notice this in the final image, we are working hard behind the scenes to further improve our CI. With v12.0.0, almost all of our tests have been migrated to a new format in which tests can now run in parallel, decreasing the time it takes to test new changes. The code quality was also improved, a ton of comments were added to the helper code and many new helpers now assist in tests.
ping & dig are now shipped with the image
SA_KILL
[Excluding PRs by @dependabot & @github-actions.]
SASL_PASSWD by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/2946
reload commands instead of supervisorctl restart <service> by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/2947
wait_until_change_detection_event_completes to count by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/2974
mail.example.test as common container hostname by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/2975
tests.bats by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/2980
devnull alias gotcha when using a catchall rule by @worldworm in https://github.com/docker-mailserver/docker-mailserver/pull/2949
mail_tls_dhparams.bats by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/2994
postconf write settling logic by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/2998
backup target by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3000
mail_lmtp_ip.bats by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3004
mail_changedetector + change detection helpers by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/2997
mail_fetchmail.bats + co-locate test cases for processes by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3010
mail_privacy.bats to new format and helpers by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3014
/var/mail-state retains correct group by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3011
clean recipe (don't require sudo anymore) by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3020
spam_junk_folder.bats + spam_bounced.bats by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3036
mail_hostname.bats by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3027
gamin by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3030
tls_cipherlists should configure testssl.sh to use CA cert by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3037
(master.cf) by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3033
*_INET_PROTOCOLS by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3052
tests.bats by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3055
127.0.0.1 for the Dovecot quota-status service by @yogo1212 in https://github.com/docker-mailserver/docker-mailserver/pull/3057
docker-container driver by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3072
open_dkim.bats by @polarathene in https://github.com/docker-mailserver/docker-mailserver/pull/3060
Envelope From is properly set by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3081
restrict-access avoid inserting duplicates by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3067
sedfile & used _send_mail where possible by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3103
_send_email by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3105
setup-stack.sh by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3115
ENABLE_REDIS & add persistence for Redis by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3143
SS_CA_CERT by @jrpear in https://github.com/docker-mailserver/docker-mailserver/pull/3168
latest symlink via docs-production-deploy workflow by @jrpear in https://github.com/docker-mailserver/docker-mailserver/pull/3183
make build instruction from paragraph into list by @jrpear in https://github.com/docker-mailserver/docker-mailserver/pull/3193
edge version links to latest + fix links intended as relative not absolute by @jrpear in https://github.com/docker-mailserver/docker-mailserver/pull/3190
chroot for Dovecot & PostSRSd by @georglauterbach in https://github.com/docker-mailserver/docker-mailserver/pull/3208
Full Changelog: https://github.com/docker-mailserver/docker-mailserver/compare/v11.3.1...v12.0.0
This patch version fixes a build-time error when using the Dovecot community repository. This does not affect users that use the plain container image but people who build DMS on their own with DOVECOT_COMMUNITY_REPO=1.
Full Changelog: https://github.com/docker-mailserver/docker-mailserver/compare/v11.3.0...v11.3.1
Please refer to the CHANGELOG to get the complete and comprehensive overview of this release.
This release saw significant changes to the CI: we are now capable of running tests in parallel, which will cut down test time significantly in the future. Future pull requests will improve this further.
The Postfix / Postscreen configuration was adjusted to better work with DNSBL return codes (throwing away invalid or useless return codes or codes that indicate using an open resolver). The user-patches.sh is now run exactly at the time the documentation says it will run. Fetchmail data was made persistent. Some scripts received minor bug fixes.
Removing TLS 1.0 and TLS 1.1 ciphersuites from TLS_LEVEL=intermediate
You should not realistically need support for TLS 1.0 or TLS 1.1, except in niche scenarios such as an old printer/scanner device that refuses to negotiate a compatible non-vulnerable cipher. More details covered here.
SASL_PASSWD ENV
An old ENV SASL_PASSWD has been around for supporting relay-host authentication, but has since been superseded by the postfix-sasl-password.cf config file. It will be removed in a future major release as detailed here.
Platform Support - ARMv7
This is a very old platform, superseded by ARMv8 and newer with broad product availability around 2016 onwards. Support was introduced primarily for users of the older generations of Raspberry Pi. ARM64 is the modern target for ARM devices.
If you require ARMv7 support, please let us know.
setup CLI password example by @pravynandas in https://github.com/docker-mailserver/docker-mailserver/pull/2926
(opendmarc.conf): Change the default OpenDMARC policy to reject by @k3it in https://github.com/docker-mailserver/docker-mailserver/pull/2933
Full Changelog: https://github.com/docker-mailserver/docker-mailserver/compare/v11.2.0...v11.3.0