Docker Mailserver Versions

Production-ready fullstack but simple mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) running inside a container.

v13.3.1

3 months ago
  1. Diff to last release: https://github.com/docker-mailserver/docker-mailserver/compare/v13.3.0...v13.3.1
  2. Our Changelog

What's Changed

This is a patch release fixing two important bugs in v13.3.0:

  1. Dovecot: We now restrict the authentication mechanisms for PassDB configurations we manage (oauth2, passwd-file, ldap) (https://github.com/docker-mailserver/docker-mailserver/pull/3812). This prevents misleading auth failures from attempting to authenticate against a PassDB with incompatible auth mechanisms. When the new OAuth2 feature was enabled, it introduced false-positives with logged auth failures which triggered Fail2Ban to ban the IP.
  2. Rspamd: We now ensure correct ownership (_rspamd:_rspamd) for the Rspamd DKIM directory and files (/tmp/docker-mailserver/rspamd/dkim/)
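
An added example (not part of the DMS code base) of auditing the ownership described in item 2: the hypothetical helper dkim_wrong_owner lists every path under the DKIM directory whose owner:group is not _rspamd:_rspamd. It assumes GNU stat, as found in Debian-based images, and is meant to be run inside the container.

```shell
#!/bin/sh
# Added example, not DMS code. dkim_wrong_owner is a hypothetical helper.
# Assumes GNU stat (stat -c), as shipped in Debian-based images.

# Print "owner:group path" for every entry under directory $1 whose
# owner:group differs from $2 (default: _rspamd:_rspamd).
# Returns 0 if everything matches, 1 on any mismatch, 2 if $1 is missing.
dkim_wrong_owner() {
  dir=$1
  want=${2:-_rspamd:_rspamd}
  if [ ! -d "$dir" ]; then
    echo "missing directory: $dir" >&2
    return 2
  fi
  # The directory itself is checked too; the release note covers
  # both the directory and the files in it.
  bad=$(find "$dir" -exec stat -c '%U:%G %n' {} + |
        awk -v want="$want" '$1 != want')
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Path taken from the release note; run inside the container.
dkim_wrong_owner /tmp/docker-mailserver/rspamd/dkim ||
  echo "DKIM ownership check did not pass (exit $?)" >&2
```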

v13.3.0

3 months ago
  1. Diff to last release: https://github.com/docker-mailserver/docker-mailserver/compare/v13.2.0...v13.3.0
  2. Our Changelog

What's Changed

The main feature in this release is very simple OAuth2 support. DMS now supports authentication via OAuth2 (via XOAUTH2 or OAUTHBEARER SASL mechanisms) from capable services (like Roundcube). This does not replace the need for an ACCOUNT_PROVISIONER (FILE / LDAP), which is required for an account to receive or send mail.

Additionally, MTA-STS support for outbound mail was added to DMS. A bunch of smaller changes have made it into this release as well: Rspamd symbol scores for SPF, DKIM & DMARC have been adjusted to better align with RFC7489; smtputf8 has been disabled directly; scripts were improved (replacing wc -l with grep -c, etc.); and a bug fix for jaq on arm64 was added.

As is usual business, we worked on improving the documentation. Last but not least, the test suite saw bigger changes in the area of helper functions used during tests to send test e-mails.

v13.2.0

3 months ago
  1. Diff to last release: https://github.com/docker-mailserver/docker-mailserver/compare/v13.1.0...v13.2.0
  2. Our Changelog

What's Changed

Most importantly, DMS is now protected by default against the security vulnerability called "SMTP smuggling". Moreover, we switched from raw netcat (nc) to swaks in our test suite - a change that is beneficial for upcoming changes and improvements to our test suite. Last but not least, the log path for Postgrey was corrected.

v13.1.0

4 months ago
  1. Diff to last release: https://github.com/docker-mailserver/docker-mailserver/compare/v13.0.1...v13.1.0
  2. Our Changelog

What's Changed

Updated

  • Internal
    • We now store the version that DMS is running on in the environment variable DMS_RELEASE and no longer in the file /VERSION. Moreover, the update check will use this to determine whether you are running :edge (to disable the update check if this is the case).
    • An option to run DMS locally was added, and the docs saw improvements (as usual).
    • The quota tests were adjusted and now conform to our new standards.
  • Documentation
    • The troubleshooting documentation was enhanced.

Added

  • Rspamd
    • The ARM64 build now also uses the official PPA, so ARM64 and AMD64 ship the same version.
  • Dovecot
    • The environment variable ENABLE_IMAP was added, which works analogously to ENABLE_POP3.

Fixed

  • Internal
    • A sed line for quota-related changes to Postfix's main.cf was not working as expected. This has been taken care of.

v13.0.1

5 months ago

This patch release fixes two bugs that Rspamd users encountered with the v13.0.0 release. Big thanks to those who helped to identify these issues! ❤️

What's Changed

Fixed

  • Internal:
    • The update check service now queries the latest GH release for a version tag (instead of from a VERSION file at the GH repo). This should provide more reliable update notifications (#3666)
  • Rspamd:
    • The check for correct permission on the private key when signing e-mails with DKIM was flawed. The result was that a false warning was emitted (#3669)
    • When RSPAMD_CHECK_AUTHENTICATED=0, DKIM signing for outbound e-mail was disabled, which is undesirable (#3669). Make sure to check the documentation of RSPAMD_CHECK_AUTHENTICATED!

Full Changelog: https://github.com/docker-mailserver/docker-mailserver/compare/v13.0.0...v13.0.1

v13.0.0

5 months ago

Please refer to the CHANGELOG to get the complete and comprehensive overview of this release. Here is the full git-diff: https://github.com/docker-mailserver/docker-mailserver/compare/v12.1.0...v13.0.0.

Summary

v13.0.0 contains a lot of changes! In fact, we never had more pull requests in a single release before 🚀 Thus, please read the following changes thoroughly!

Breaking Changes

LDAP

The environment variables LDAP_SERVER_HOST, DOVECOT_URIS, and SASLAUTHD_LDAP_SERVER will now log an error if the LDAP URI scheme is missing. Previously, there was an implicit fallback to ldap:// (see #3522).

Moreover, ENABLE_LDAP=1 is no longer supported. Please use ACCOUNT_PROVISIONER=LDAP.
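
An added example (not DMS code) of a pre-upgrade check for the three variables named above: the hypothetical helpers below flag any LDAP URI without a scheme and note URIs that use ldap://, which carries no TLS unless StartTLS is configured. Treating a variable as a space-separated list of URIs is an assumption.

```shell
#!/bin/sh
# Added example, not DMS code. Helper names are hypothetical.

# Classify one LDAP URI by its scheme:
#   ok             ldaps:// (TLS) or ldapi:// (local socket)
#   plain          ldap:// (no TLS unless StartTLS is configured)
#   missing-scheme anything else, e.g. a bare host name
ldap_uri_status() {
  case "$1" in
    ldaps://?*|ldapi://?*) echo ok ;;
    ldap://?*)             echo plain ;;
    *)                     echo missing-scheme ;;
  esac
}

# Check the variables that v13.0.0 validates. Assumption: a variable
# may hold several URIs separated by spaces.
# Prints one line per finding; returns 1 if any URI lacks a scheme.
check_ldap_env() {
  rc=0
  for var in LDAP_SERVER_HOST DOVECOT_URIS SASLAUTHD_LDAP_SERVER; do
    eval "value=\${$var:-}"
    for uri in $value; do
      case "$(ldap_uri_status "$uri")" in
        missing-scheme)
          echo "ERROR: $var: '$uri' has no URI scheme"
          rc=1 ;;
        plain)
          echo "NOTE: $var: '$uri' uses ldap:// (no implicit TLS)" ;;
      esac
    done
  done
  return $rc
}

# Constructed sample values, not taken from a real deployment.
LDAP_SERVER_HOST="ldap.example.test"
DOVECOT_URIS="ldaps://ldap1.example.test ldap://ldap2.example.test"
SASLAUTHD_LDAP_SERVER="ldaps://ldap1.example.test"
check_ldap_env || echo "add a scheme to the URIs flagged above"
```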

Rspamd

The deprecated path for the Rspamd custom commands file (/tmp/docker-mailserver/rspamd-modules.conf) now prevents successful startup. The correct path is /tmp/docker-mailserver/rspamd/custom-commands.conf.

Dovecot

Dovecot mail storage per account in /var/mail previously shared the same path for the account's home directory (#3335). The home directory is now a subdirectory home/. This change better supports Sieve scripts. You will need to manually move (ManageSieve) Sieve scripts from <SERVER>/<ACCOUNT>/sieve to <SERVER>/<ACCOUNT>/home/sieve and re-enable them with managesieve. This change has not been implemented yet with ACCOUNT_PROVISIONER=LDAP.

Postfix

/etc/postfix/master.cf has renamed the "smtps" service to "submissions" (#3235).

  • This is the modern /etc/services name for port 465, aligning with the similar "submission" port 587.
  • If you have configured Proxy Protocol support with a reverse proxy via postfix-master.cf (as per our docs guide), you will want to update smtps to submissions there.

Postfix now defaults to supporting DSNs (Delivery Status Notifications) only for authenticated users (via ports 465 + 587). This is a security measure to reduce spammer abuse of your DMS instance as a backscatter source (#3572). If you need to modify this change, please let us know by opening an issue / discussion. You can opt out (enable DSNs) via the postfix-main.cf override support using the contents: smtpd_discard_ehlo_keywords =. Likewise, for authenticated users, the submission(s) ports (465 + 587) are configured internally via master.cf to keep DSNs enabled (since authentication protects from abuse). If necessary, DSNs for authenticated users can be disabled via the postfix-master.cf override with the following contents:

submission/inet/smtpd_discard_ehlo_keywords=silent-discard,dsn
submissions/inet/smtpd_discard_ehlo_keywords=silent-discard,dsn

Miscellaneous

This section only contains the most important updates; for a full list, consult our CHANGELOG.

  • The default DKIM key size was changed to 2048.
  • Getmail was added as an alternative to Fetchmail.
  • New environment variables were added: MARK_SPAM_AS_READ, DMS_VMAIL_UID/DMS_VMAIL_GID, and RSPAMD_CHECK_AUTHENTICATED.

Our documentation was updated heavily across many pages; especially the debugging section should be much more helpful now.

Rspamd saw many adjustments as well:

  • The configuration of the anti-virus engines (for ClamAV) was updated
  • Ham is now learned in a better way
  • logrotate was implemented for Rspamd logs
  • The default config location for DKIM was changed so that it is now preserved in a volume; internal symlinks were removed in favor of simplicity; and DKIM key permissions are now verified.

v12.1.0

11 months ago

Please refer to the CHANGELOG to get the complete and comprehensive overview of this release. Here is the full git-diff: https://github.com/docker-mailserver/docker-mailserver/compare/v12.0.0...v12.1.0.

Summary

Rspamd Stabilization

With v12.1.0, Rspamd is stabilized. We added more documentation (e.g. on the web interface), the option to greylist e-mails, an option to use HFILTER_HOSTNAME_UNKNOWN and a helper script for DKIM signing. The scripts have been properly stabilized and cleaned up as well, and all WIP warnings are now removed.

Updates to Fail2Ban

Fail2Ban saw some major updates in its configuration. The mode for Postfix was changed to extra to catch more log lines, and both the time to find an offender and the time the offender is banned were raised as well.

Smaller Fixes

v12.1.0 also packs a lot of smaller fixes for scripts, our CI and configurations.

v12.0.0

1 year ago

Please refer to the CHANGELOG to get the complete and comprehensive overview of this release. Here is the full git-diff: https://github.com/docker-mailserver/docker-mailserver/compare/v12.0.0...v12.1.0.

Summary

v12.0.0 is our biggest release yet. With over 100 merged pull requests and closed issues, this release packs a ton of changes & updates. Make sure to thoroughly read the CHANGELOG! We will list the most notable changes now.

Rspamd Support

v12.0.0 is the first release to feature Rspamd. Support for this feature is expected to stabilize with v12.1.0 - we encourage all users to give it a try though, as we feel like support is mature enough to run it on production systems. There will be a dedicated page in our documentation about Rspamd!

We plan on making Rspamd the default anti-spam engine in DMS. For the time being, Rspamd is an opt-in and you'll most likely want to disable Amavis & SA when using Rspamd.

Dropping ARMv7

Support for the already deprecated ARMv7 platform was dropped.

SASL Socket Location

The socket location for SASL changed to /dev/shm/sasl-auth.sock - custom setups need to take care!

Disabling chroot

We do not use chroot environments anymore. These environments caused trouble in the past and did not bring an advantage.

Bumping the Minimum TLS Version & Disabling SMTP Authentication on Port 25

The minimum supported protocol is now TLSv1.2. Moreover, we disabled SMTP authentication on the unencrypted port 25.

Fail2Ban Major Version Bump

We now ship Fail2Ban version 1.0.2, which is one major version ahead of DMS v11.3.1 and the latest version for Debian 11.

MOVE_SPAM_TO_JUNK Sieve File Adjustments

When using MOVE_SPAM_TO_JUNK, the Sieve script is now a global-after rule (before it was a global-before rule). This means you will now need to explicitly use the stop directive and disable implicit keep when using user scripts (e.g. to whitelist e-mails).

Heavily Updated Unit & Integration Tests

While you may not notice this in the final image, we are working hard behind the scenes to further improve our CI. With v12.0.0, almost all of our tests have been migrated to a new format in which tests can now run in parallel, decreasing the time it takes to test new changes. The code quality was also improved, a ton of comments were added to the helper code and many new helpers now assist in tests.

Miscellaneous

  • ping & dig are now shipped with the image
  • many minor bugfixes
  • added vulnerability scanning workflow to GH Actions
  • better default for SA_KILL
  • added check for improper restarts so users directly see when they did an unsupported restart
  • the Dovecot community repository is now the default
  • removed DNSBLs from Postfix's recipient checks
  • removed all wrapper scripts, cleaning up the code

Full Changelog: https://github.com/docker-mailserver/docker-mailserver/compare/v11.3.1...v12.0.0

v11.3.1

1 year ago

Summary

This patch version fixes a build-time error when using the Dovecot community repository. This does not affect users that use the plain container image but people who build DMS on their own with DOVECOT_COMMUNITY_REPO=1.

Full Changelog: https://github.com/docker-mailserver/docker-mailserver/compare/v11.3.0...v11.3.1

v11.3.0

1 year ago

Please refer to the CHANGELOG to get the complete and comprehensive overview of this release.

Summary

Internal Changes

This release saw significant changes to the CI: we are now capable of running tests in parallel, which will cut down test time significantly in the future. Future pull requests will improve this further.

External Changes

The Postfix / Postscreen configuration was adjusted to better work with DNSBL return codes (throwing away invalid or useless return codes or codes that indicate using an open resolver). The user-patches.sh is now run exactly at the time the documentation says it will run. Fetchmail data was made persistent. Some scripts received minor bug fixes.

Deprecation Notice

  • Removing TLS 1.0 and TLS 1.1 ciphersuites from TLS_LEVEL=intermediate: You should not realistically need support for TLS 1.0 or TLS 1.1, except in niche scenarios such as an old printer/scanner device that refuses to negotiate a compatible non-vulnerable cipher. More details covered here.

  • SASL_PASSWD ENV: An old ENV SASL_PASSWD has been around for supporting relay-host authentication, but has since been superseded by the postfix-sasl-password.cf config file. It will be removed in a future major release as detailed here.

  • Platform Support - ARMv7: This is a very old platform, superseded by ARMv8 and newer with broad product availability around 2016 onwards. Support was introduced primarily for users of the older generations of Raspberry Pi. ARM64 is the modern target for ARM devices.

    If you require ARMv7 support, please let us know.

Full Changelog: https://github.com/docker-mailserver/docker-mailserver/compare/v11.2.0...v11.3.0