chore(deps): update ghcr.io/docker-mailserver/docker-mailserver docker tag to v13.3.1
This MR contains the following updates:
Package | Update | Change
---|---|---
ghcr.io/docker-mailserver/docker-mailserver | minor | `13.0.1` -> `13.3.1`
⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.
Release Notes
docker-mailserver/docker-mailserver (ghcr.io/docker-mailserver/docker-mailserver)
v13.3.1

Fixes

- Dovecot:
  - Restrict the auth mechanisms for PassDB configs we manage (oauth2, passwd-file, ldap) (#3812)
    - Prevents misleading auth failures from attempting to authenticate against a PassDB with incompatible auth mechanisms.
    - When the new OAuth2 feature was enabled, it introduced false-positives with logged auth failures which triggered Fail2Ban to ban the IP.
- Rspamd:
  - Ensure correct ownership (`_rspamd:_rspamd`) for the Rspamd DKIM directory + files `/tmp/docker-mailserver/rspamd/dkim/` (#3813)
v13.3.0

Features

- Authentication with OIDC / OAuth 2.0 🎉
  - DMS now supports authentication via OAuth2 (via `XOAUTH2` or `OAUTHBEARER` SASL mechanisms) from capable services (like Roundcube).
  - This does not replace the need for an `ACCOUNT_PROVISIONER` (`FILE` / `LDAP`), which is required for an account to receive or send mail.
    - Successful authentication (via Dovecot PassDB) still requires an existing account (lookup via Dovecot UserDB).
- MTA-STS (Optional support for mandatory outgoing TLS encryption)
  - If enabled and the outbound recipient has an MTA-STS policy set, TLS is mandatory for delivering to that recipient.
  - Enable via the ENV `ENABLE_MTA_STS=1`
    - Supported by major email service providers like Gmail, Yahoo and Outlook.

Added

- Docs:
  - An example for how to bind outbound SMTP connections to a specific network interface (#3465)

Updates

- Tests:
  - Revised OAuth2 test (#3795)
  - Replace `wc -l` with `grep -c` (#3752)
  - Revised testing of service process management (supervisord) to be more robust (#3780)
  - Refactored mail sending (#3747 & #3772):
    - This change is a follow-up to #3732 from DMS v13.2.
    - `swaks` version is now the latest from Github releases instead of the Debian package.
    - `_nc_wrapper`, `_send_mail` and related helpers expect the `.txt` filepath extension again.
    - `sending.bash` helper methods were refactored to better integrate `swaks` and accommodate different usage contexts.
    - `test/files/emails/existing/` files were removed similar to previous removal of SMTP auth files as they became redundant with `swaks`.
- Internal:
  - Postfix is now configured with `smtputf8_enable = no` in our default `main.cf` config (instead of during container startup). (#3750)
- Rspamd (#3726):
  - Symbol scores for SPF, DKIM & DMARC were updated to more closely align with RFC7489. Please note that complete alignment is undesirable as other symbols may be added as well, which changes the overall score calculation again, see this issue
- Docs:

Fixes

- Setup:
  - `setup` CLI - `setup dkim domain` now creates the key files with the user owning the key directory (#3783)
- Dovecot:
  - During container startup for Dovecot Sieve, `.sievec` source files compiled to `.svbin` now have their `mtime` adjusted post setup to ensure it is always older than the associated `.svbin` file. This avoids superfluous error logs for sieve scripts that don't actually need to be compiled again (#3779)
- Internal:
v13.2.0

Security

DMS is now secured against the recently published spoofing attack "SMTP Smuggling" that affected Postfix (#3727):

- Postfix upgraded from `3.5.18` to `3.5.23` which provides the long-term fix with `smtpd_forbid_bare_newline = yes`
  - If you are unable to upgrade to this release of DMS, you may follow these instructions for applying the short-term workaround.
  - This change should not cause compatibility concerns for legitimate mail clients, however if you use software like `netcat` to send mail to DMS (like our test-suite previously did) it may now be rejected (especially with the short-term workaround `smtpd_data_restrictions = reject_unauth_pipelining`).
- NOTE: This Postfix update also includes the new parameter `smtpd_forbid_bare_newline_exclusions` which defaults to `$mynetworks` for excluding trusted mail clients from the restriction.
  - With our default `PERMIT_DOCKER=none` this is not a concern.
  - Presently the Docker daemon config has `user-proxy: true` enabled by default.
    - On a host that can be reached by IPv6, this will route to a DMS IPv4 only container implicitly through the Docker network bridge gateway which rewrites the source address.
    - If your `PERMIT_DOCKER` setting allows that gateway IP, then it is part of `$mynetworks` and this attack would not be prevented from such connections.
    - If this affects your deployment, refer to our IPv6 docs for advice on handling IPv6 correctly in Docker. Alternatively use our `postfix-main.cf` to set `smtpd_forbid_bare_newline_exclusions=` as empty.
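As an added illustration (not DMS or Postfix code) of the policy these two parameters express, the Python below emulates the bare-newline rejection behind `smtpd_forbid_bare_newline = yes` and the `$mynetworks`-style bypass of `smtpd_forbid_bare_newline_exclusions`, run over constructed DATA samples; the CIDR lists, client addresses and sample bodies are assumptions, and the point it makes is that a bridge-gateway address placed in the exclusion list silently disables the check for every connection rewritten to that address.

```python
"""Added example: emulate Postfix's bare-newline check and its exclusions.

A bare newline is an LF (0x0A) not immediately preceded by CR (0x0D).
Postfix with `smtpd_forbid_bare_newline = yes` rejects DATA containing one,
except from clients matched by `smtpd_forbid_bare_newline_exclusions`.
"""
from ipaddress import ip_address, ip_network


def find_bare_newline(data: bytes) -> int:
    """Return the offset of the first bare LF in `data`, or -1 if none."""
    offset = 0
    while True:
        offset = data.find(b"\n", offset)
        if offset == -1:
            return -1
        if offset == 0 or data[offset - 1] != 0x0D:
            return offset
        offset += 1


def in_exclusions(client_ip: str, exclusions) -> bool:
    """Emulate $mynetworks matching: True when the client is in any listed CIDR."""
    addr = ip_address(client_ip)
    return any(addr in ip_network(cidr) for cidr in exclusions)


def should_reject(data: bytes, client_ip: str, exclusions=("127.0.0.0/8",)) -> bool:
    """Reject DATA with a bare LF unless the client is excluded.

    The default exclusion list (loopback only) is an assumption standing in for
    a $mynetworks that adds no Docker ranges (DMS default PERMIT_DOCKER=none).
    Passing an empty tuple models `smtpd_forbid_bare_newline_exclusions=`.
    """
    if in_exclusions(client_ip, exclusions):
        return False
    return find_bare_newline(data) != -1


# Constructed sample DATA bodies (not captured traffic).
CLEAN = b"Subject: hi\r\n\r\nhello\r\n.\r\n"   # every LF is preceded by CR
BARE = b"Subject: hi\r\n\r\nhello\n.\r\n"      # one bare LF at offset 20

if __name__ == "__main__":
    print(find_bare_newline(CLEAN), find_bare_newline(BARE))            # -1 20
    print(should_reject(BARE, "203.0.113.7"))                           # True
    # Bridge gateway in the exclusion list: the check is bypassed for that source.
    print(should_reject(BARE, "172.17.0.1", ("172.17.0.0/16",)))       # False
    print(should_reject(BARE, "172.17.0.1", ()))                       # True
```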
Updates

- The test suite now uses `swaks` instead of `nc`, which has multiple benefits (#3732):
  - `swaks` handles pipelining correctly, hence we can now use `reject_unauth_pipelining` in Postfix's configuration.
  - `swaks` provides better CLI options that make many files superfluous.
  - `swaks` can also replace `openssl s_client` and handles authentication on submission ports better.
- Postfix:
  - We now defer rejection from unauthorized pipelining until the SMTP `DATA` command via `smtpd_data_restrictions` (i.e. at the end of the mail transfer transaction) (#3744)
    - Previously our configuration only handled this during the client and recipient restriction stages. Postfix will flag this activity when encountered, but the rejection now is handled at `DATA` where unauthorized pipelining would have been valid from this point.
    - If you had the Amavis service enabled (default), this restriction was already in place. Otherwise the concerns expressed with `smtpd_data_restrictions = reject_unauth_pipelining` from the security section above apply. We have permitted trusted clients (`$mynetworks` or authenticated) to bypass this restriction.
v13.1.0

Added

- Dovecot:
  - ENV `ENABLE_IMAP` (#3703)
- Tests:
  - You can now use `make run-local-instance` to run a DMS image that was built locally to test changes (#3663)
- Internal:
  - Log a warning when update-check is enabled, but no stable release image is used (#3684)

Updates

- Documentation:
- Internal:
  - Postfix configures `virtual_mailbox_maps` and `virtual_transport` during startup instead of using defaults (configured for Dovecot) via our `main.cf` (#3681)
- Rspamd:
  - Upgraded to version `3.7.5`. This was previously inconsistent between our AMD64 (`3.5`) and ARM64 (`3.4`) images (#3686)

Fixed

- Internal:
  - The container startup welcome log message now references `DMS_RELEASE` (#3676)
  - `VERSION` was incremented for prior releases to be notified of the v13.0.1 patch release (#3676)
  - `VERSION` is no longer included in the image (#3711)
  - Update-check: fix 'read' exit status (#3688)
  - `ENABLE_QUOTAS=0` no longer tries to remove non-existent config (#3715)
  - The `postgrey` service now writes logs to the supervisor directory like all other services. Previously this was `/var/log/mail/mail.log` (#3724)
- Rspamd:
  - Switch to official arm64 packages to avoid segfaults (#3686)
- CI / Automation:
  - The lint workflow can now be manually triggered by maintainers ([#3714](https://github.com/docker-mailserver/docker-mailserver/pull/3714))
This MR has been generated by Renovate Bot.