
chore(deps): update ghcr.io/docker-mailserver/docker-mailserver docker tag to v13.3.1

This MR contains the following updates:

Package                                        Update   Change
ghcr.io/docker-mailserver/docker-mailserver    minor    13.0.1 -> 13.3.1

Dependency Lookup Warnings

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.


Release Notes

docker-mailserver/docker-mailserver (ghcr.io/docker-mailserver/docker-mailserver)

v13.3.1

Compare Source

Fixes
  • Dovecot:
    • Restrict the auth mechanisms for PassDB configs we manage (oauth2, passwd-file, ldap) (#​3812)
      • Prevents misleading auth failures from attempting to authenticate against a PassDB with incompatible auth mechanisms.
      • When the new OAuth2 feature was enabled, it introduced false-positives with logged auth failures which triggered Fail2Ban to ban the IP.
  • Rspamd:
    • Ensure correct ownership (_rspamd:_rspamd) for the Rspamd DKIM directory + files /tmp/docker-mailserver/rspamd/dkim/ (#​3813)

v13.3.0

Compare Source

Features
  • Authentication with OIDC / OAuth 2.0 🎉
    • DMS now supports authentication via OAuth2 (via XOAUTH2 or OAUTHBEARER SASL mechanisms) from capable services (like Roundcube).
      • This does not replace the need for an ACCOUNT_PROVISIONER (FILE / LDAP), which is required for an account to receive or send mail.
      • Successful authentication (via Dovecot PassDB) still requires an existing account (lookup via Dovecot UserDB).
  • MTA-STS (Optional support for mandatory outgoing TLS encryption)
    • If enabled and the outbound recipient has an MTA-STS policy set, TLS is mandatory for delivering to that recipient.
      • Enable via the ENV ENABLE_MTA_STS=1
      • Supported by major email service providers like Gmail, Yahoo and Outlook.
Added
  • Docs:
    • An example for how to bind outbound SMTP connections to a specific network interface (#​3465)
Updates
  • Tests:
    • Revised OAuth2 test (#​3795)
    • Replace wc -l with grep -c (#​3752)
    • Revised testing of service process management (supervisord) to be more robust (#​3780)
    • Refactored mail sending (#​3747 & #​3772):
      • This change is a follow-up to #​3732 from DMS v13.2.
      • swaks version is now the latest from Github releases instead of the Debian package.
      • _nc_wrapper, _send_mail and related helpers expect the .txt filepath extension again.
      • sending.bash helper methods were refactored to better integrate swaks and accommodate different usage contexts.
      • test/files/emails/existing/ files were removed similar to previous removal of SMTP auth files as they became redundant with swaks.
  • Internal:
    • Postfix is now configured with smtputf8_enable = no in our default main.cf config (instead of during container startup). (#​3750)
  • Rspamd (#​3726):
    • Symbol scores for SPF, DKIM & DMARC were updated to more closely align with RFC7489. Please note that complete alignment is undesirable, as other symbols may be added as well, which changes the overall score calculation again (see the linked issue)
  • Docs:
    • Revised the SpamAssassin ENV docs to better communicate configuration and their relation to other ENV settings. (#​3756)
    • Detailed how mail received is assigned a spam score by Rspamd and processed accordingly (#​3773)
Fixes
  • Setup:
    • setup CLI - setup dkim domain now creates the keys files with the user owning the key directory (#​3783)
  • Dovecot:
    • During container startup for Dovecot Sieve, .sievec source files compiled to .svbin now have their mtime adjusted post setup to ensure it is always older than the associated .svbin file. This avoids superfluous error logs for sieve scripts that don't actually need to be compiled again (#​3779)
  • Internal:
    • .gitattributes: Always use LF line endings on checkout for files with shell script content (#​3755)
    • Fix missing 'jaq' binary for ARM architecture (#​3766)

v13.2.0

Compare Source

Security

DMS is now secured against the recently published spoofing attack "SMTP Smuggling" that affected Postfix (#​3727):

  • Postfix upgraded from 3.5.18 to 3.5.23 which provides the long-term fix with smtpd_forbid_bare_newline = yes
  • If you are unable to upgrade to this release of DMS, you may follow these instructions for applying the short-term workaround.
  • This change should not cause compatibility concerns for legitimate mail clients; however, if you use software like netcat to send mail to DMS (like our test-suite previously did) it may now be rejected (especially with the short-term workaround smtpd_data_restrictions = reject_unauth_pipelining).
  • NOTE: This Postfix update also includes the new parameter smtpd_forbid_bare_newline_exclusions, which defaults to $mynetworks and exempts those trusted mail clients from the restriction.
    • With our default PERMIT_DOCKER=none this is not a concern.
    • Presently the Docker daemon config has userland-proxy: true enabled by default.
      • On a host that can be reached by IPv6, this will route to an IPv4-only DMS container implicitly through the Docker network bridge gateway, which rewrites the source address.
      • If your PERMIT_DOCKER setting allows that gateway IP, then it is part of $mynetworks and this attack would not be prevented from such connections.
      • If this affects your deployment, refer to our IPv6 docs for advice on handling IPv6 correctly in Docker. Alternatively use our postfix-main.cf to set smtpd_forbid_bare_newline_exclusions= as empty.
Updates
  • The test suite now uses swaks instead of nc, which has multiple benefits (#​3732):
    • swaks handles pipelining correctly, hence we can now use reject_unauth_pipelining in Postfix's configuration.
    • swaks provides better CLI options that make many files superfluous.
    • swaks can also replace openssl s_client and handles authentication on submission ports better.
  • Postfix:
    • We now defer rejection from unauthorized pipelining until the SMTP DATA command via smtpd_data_restrictions (i.e. at the end of the mail transfer transaction) (#​3744)
      • Previously our configuration only handled this during the client and recipient restriction stages. Postfix will flag this activity when encountered, but the rejection is now handled at DATA, where unauthorized pipelining would have been valid from this point.
      • If you had the Amavis service enabled (default), this restriction was already in place. Otherwise the concerns expressed with smtpd_data_restrictions = reject_unauth_pipelining from the security section above apply. We have permitted trusted clients ($mynetworks or authenticated) to bypass this restriction.
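The two Postfix settings in the v13.2.0 notes above (smtpd_forbid_bare_newline with its $mynetworks-based exclusions, and reject_unauth_pipelining deferred to smtpd_data_restrictions) are easy to get subtly wrong, for example by leaving the Docker bridge gateway inside $mynetworks as the notes warn. The following audit script is an added example, not code from the docker-mailserver project: it parses main.cf-style configuration (key = value, comments, continuation lines, one level of $name expansion), treats a missing smtpd_forbid_bare_newline as off (an assumption matching the Postfix 3.5.x default), and reports which configured exclusions are not loopback networks. The three embedded configurations are constructed samples, and the parser is deliberately simplified (no ${name?value} conditionals, no lookup-table references).

```python
"""Audit a Postfix main.cf for the SMTP smuggling hardening described in
the DMS v13.2.0 release notes. Added example; not part of docker-mailserver."""
import ipaddress
import re


def parse_main_cf(text: str) -> dict:
    """Parse Postfix main.cf syntax: 'key = value' lines, '#' comments, and
    continuation lines that begin with whitespace. Later keys override earlier ones."""
    params: dict = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            # Continuation of the previous parameter's value.
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            continue  # ignore lines this simplified parser does not understand
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def expand(value: str, params: dict, depth: int = 0) -> str:
    """Expand $name and ${name} references against the parsed parameters."""
    if depth > 10:  # guard against self-referential values
        return value

    def sub(m):
        name = m.group(1) or m.group(2)
        return expand(params.get(name, ""), params, depth + 1)

    return re.sub(r"\$\{([A-Za-z0-9_]+)\}|\$([A-Za-z0-9_]+)", sub, value)


def non_loopback_networks(netlist: str) -> list:
    """Return the entries of a Postfix network list that are not loopback.
    Postfix writes IPv6 networks as [::1]/128; the brackets are stripped."""
    result = []
    for tok in netlist.replace(",", " ").split():
        try:
            net = ipaddress.ip_network(tok.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            result.append(tok)  # hostname or table reference: cannot prove loopback
            continue
        if not net.is_loopback:
            result.append(tok)
    return result


def audit_smuggling_hardening(text: str) -> list:
    """Return finding codes; an empty list means the config matches the hardened state."""
    p = parse_main_cf(text)
    findings = []
    if p.get("smtpd_forbid_bare_newline", "no").lower() != "yes":
        findings.append("bare_newline_off")
    # Exclusions default to $mynetworks (the Postfix default noted in the release notes).
    exclusions = expand(p.get("smtpd_forbid_bare_newline_exclusions", "$mynetworks"), p)
    for net in non_loopback_networks(exclusions):
        findings.append(f"exclusions_non_loopback:{net}")
    data_restrictions = re.split(r"[,\s]+", expand(p.get("smtpd_data_restrictions", ""), p))
    if "reject_unauth_pipelining" not in data_restrictions:
        findings.append("no_reject_unauth_pipelining")
    return findings


# Constructed sample: pre-v13.2 style, with a Docker bridge network in mynetworks.
WEAK_MAIN_CF = """\
# constructed sample, not a real deployment
mynetworks = 127.0.0.0/8 [::1]/128 172.16.0.0/12
smtpd_data_restrictions =
"""

# Constructed sample: hardened as described in the v13.2.0 notes, exclusions cleared.
HARDENED_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions =
smtpd_data_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining
"""

# Constructed sample: hardened, but the gateway network is still exempted via $mynetworks.
HARDENED_DEFAULT_EXCLUSIONS_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128 172.16.0.0/12
smtpd_forbid_bare_newline = yes
smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF),
                       ("default-exclusions", HARDENED_DEFAULT_EXCLUSIONS_CF)):
        print(label, audit_smuggling_hardening(cfg) or "OK")
```

Running it against a real container is a matter of feeding it the output of `postconf -n` (which prints one key = value per line), but note that `postconf -n` only lists explicitly set parameters, so the defaults assumed above still apply to anything it omits.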

v13.1.0

Compare Source

Added
  • Dovecot:
  • Tests:
    • You can now use make run-local-instance to run a DMS image that was built locally to test changes (#​3663)
  • Internal:
    • Log a warning when update-check is enabled, but no stable release image is used (#​3684)
Updates
  • Documentation:
    • Debugging - Raise awareness in the troubleshooting page for a common misconfiguration when deviating from our advice by using a bare domain (#​3680)
    • Debugging - Raise awareness of temporary downtime during certificate renewal that can cause a failure to deliver local mail (#​3718)
  • Internal:
    • Postfix configures virtual_mailbox_maps and virtual_transport during startup instead of using defaults (configured for Dovecot) via our main.cf (#​3681)
  • Rspamd:
    • Upgraded to version 3.7.5. This was previously inconsistent between our AMD64 (3.5) and ARM64 (3.4) images (#​3686)
Fixed
  • Internal:
    • The container startup welcome log message now references DMS_RELEASE (#​3676)
    • VERSION was incremented for prior releases to be notified of the v13.0.1 patch release (#​3676)
    • VERSION is no longer included in the image (#​3711)
    • Update-check: fix 'read' exit status (#​3688)
    • ENABLE_QUOTAS=0 no longer tries to remove non-existent config (#​3715)
    • The postgrey service now writes logs to the supervisor directory like all other services. Previously this was /var/log/mail/mail.log (#​3724)
  • Rspamd:
    • Switch to official arm64 packages to avoid segfaults (#​3686)
  • CI / Automation:

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


This MR has been generated by Renovate Bot.
