2019-11-05 20:58:51 +01:00
|
|
|
version: '3.7'
|
|
|
|
|
2022-12-10 18:16:50 +01:00
|
|
|
# https://hub.docker.com/r/mailserver/docker-mailserver
|
|
|
|
# https://docker-mailserver.github.io/docker-mailserver/edge/examples/tutorials/basic-installation/
|
|
|
|
# https://github.com/docker-mailserver/docker-mailserver
|
2022-12-11 00:10:46 +01:00
|
|
|
# https://github.com/docker-mailserver/docker-mailserver/blob/master/docs/content/config/advanced/mail-sieve.md
|
2023-09-13 22:33:47 +02:00
|
|
|
# https://docker-mailserver.github.io/docker-mailserver/latest/faq/#how-can-i-make-spamassassin-better-recognize-spam
|
|
|
|
# https://docker-mailserver.github.io/docker-mailserver/latest/examples/use-cases/imap-folders/#mailboxes-aka-imap-folders
|
|
|
|
# https://doc.dovecot.org/configuration_manual/namespace/#core_setting-namespace/mailbox/autoexpunge
|
|
|
|
# https://notes.sagredo.eu/en/qmail-notes-185/expunging-expired-junk-and-trash-emails-with-dovecot-124.html
|
2022-12-10 18:16:50 +01:00
|
|
|
|
|
|
|
# create account: task srv:mail-setup -- email add <user>@<domain>
|
2020-02-04 19:05:07 +01:00
|
|
|
|
2019-11-05 20:58:51 +01:00
|
|
|
networks:
|
|
|
|
mail:
|
|
|
|
name: mail
|
|
|
|
|
|
|
|
services:
|
|
|
|
mail:
|
chore(deps): update mailserver/docker-mailserver docker tag to v14 (#47)
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [mailserver/docker-mailserver](https://github.com/docker-mailserver) ([source](https://github.com/docker-mailserver/docker-mailserver)) | major | `13` -> `14` |
---
### Release Notes
<details>
<summary>docker-mailserver/docker-mailserver (mailserver/docker-mailserver)</summary>
### [`v14`](https://github.com/docker-mailserver/docker-mailserver/blob/HEAD/CHANGELOG.md#v1400)
The most noteworthy change of this release is the update of the container's base image from Debian 11 ("Bullseye") to Debian 12 ("Bookworm"). This update alone involves breaking changes and requires a careful update!
##### Breaking
- **Updated base image to Debian 12** ([#​3403](https://github.com/docker-mailserver/docker-mailserver/pull/3403))
- Changed the default of `DOVECOT_COMMUNITY_REPO` to `0` (disabled) - the Dovecot community repo will (for now) not be the default when building the DMS.
- While Debian 12 (Bookworm) was released in June 2023 and the latest Dovecot `2.3.21` in Sep 2023, as of Jan 2024 there is no [Dovecot community repo available for Debian 12](https://repo.dovecot.org).
- This results in the Dovecot version being downgraded from `2.3.21` (DMS v13.3) to `2.3.19`, which [may affect functionality when you've explicitly configured for these features](https://github.com/dovecot/core/blob/30cde20f63650d8dcc4c7ad45418986f03159946/NEWS#L1-L158):
- OAuth2 (*mostly regarding JWT usage, or POST requests (`introspection_mode = post`) with `client_id` + `client_secret`*).
- Lua HTTP client (*DNS related*).
- Updated packages. For an overview, [we have a review comment on the PR that introduces Debian 12](https://github.com/docker-mailserver/docker-mailserver/pull/3403#issuecomment-1694563615)
- Notable major version bump: `openssl 3`, `clamav 1`, `spamassassin 4`, `redis-server 7`.
- Notable minor version bump: `postfix 3.5.23 => 3.7.9`
- Notable minor version bump + downgrade: `dovecot 2.3.13 => 2.3.19` (*Previous release provided `2.3.21` via community repo, `2.3.19` is now the default*)
- Updates to `packages.sh`:
- Removed custom installations of Fail2Ban, getmail6 and Rspamd
- Updated packages lists and added comments for maintainability
- OpenDMARC upgrade: `v1.4.0` => `v1.4.2` ([#​3841](https://github.com/docker-mailserver/docker-mailserver/pull/3841))
- Previous versions of OpenDMARC would place incoming mail from domains announcing `p=quarantaine` (*that fail the DMARC check*) into the [Postfix "hold" queue](https://www.postfix.org/QSHAPE_README.html#hold_queue) until administrative intervention.
- [OpenDMARC v1.4.2 has disabled that feature by default](https://github.com/trusteddomainproject/OpenDMARC/issues/105), but it can be enabled again by adding the setting `HoldQuarantinedMessages true` to [`/etc/opendmarc.conf`](https://github.com/docker-mailserver/docker-mailserver/blob/v13.3.1/target/opendmarc/opendmarc.conf) (*provided from DMS*).
- [Our `user-patches.sh` feature](https://docker-mailserver.github.io/docker-mailserver/latest/config/advanced/override-defaults/user-patches/) provides a convenient approach to updating that config file.
- Please let us know if you disagree with the upstream default being carried with DMS, or the value of providing alternative configuration support within DMS.
- **Postfix:**
- Postfix upgrade from 3.5 to 3.7 ([#​3403](https://github.com/docker-mailserver/docker-mailserver/pull/3403))
- `compatibility_level` was raised from `2` to `3.6`
- Postfix has deprecated the usage of `whitelist` / `blacklist` in config parameters and logging in favor of `allowlist` / `denylist` and similar variations. ([#​3403](https://github.com/docker-mailserver/docker-mailserver/pull/3403/files#r1306356328))
- This [may affect monitoring / analysis of logs output from Postfix](https://www.postfix.org/COMPATIBILITY_README.html#respectful_logging) that expects to match patterns on the prior terminology used.
- DMS `main.cf` has renamed `postscreen_dnsbl_whitelist_threshold` to `postscreen_dnsbl_allowlist_threshold` as part of this change.
- `smtpd_relay_restrictions` (relay policy) is now evaluated after `smtpd_recipient_restrictions` (spam policy). Previously it was evaluated before `smtpd_recipient_restrictions`. Mail to be relayed via DMS must now pass through the spam policy first.
- The TLS fingerprint policy has changed the default from MD5 to SHA256 (*DMS does not modify this Postfix parameter, but may affect any user customizations that do*).
- **Dovecot**
- The "Junk" mailbox (folder) is now referenced by it's [special-use flag `\Junk`](https://docker-mailserver.github.io/docker-mailserver/v13.3/examples/use-cases/imap-folders/) instead of an explicit mailbox. ([#​3925](https://github.com/docker-mailserver/docker-mailserver/pull/3925))
- This provides compatibility for the Junk mailbox when it's folder name differs (*eg: Renamed to "Spam"*).
- Potential breakage if your deployment modifies our `spam_to_junk.sieve` sieve script (*which is created during container startup when ENV `MOVE_SPAM_TO_JUNK=1`*) that handles storing spam mail into a users "Junk" mailbox folder.
- **Removed support for Solr integration:** ([#​4025](https://github.com/docker-mailserver/docker-mailserver/pull/4025))
- This was a community contributed feature for FTS (Full Text Search), the docs advise using an image that has not been maintained for over 2 years and lacks ARM64 support. Based on user engagement over the years this feature has very niche value to continue to support, thus is being removed.
- If you use Solr, support can be restored if you're willing to contribute docs for the feature that resolves the concerns raised
- **Log**:
- The format of DMS specific logs (*from our scripts, not running services*) has been changed. The new format is `<RFC 3339 TIMESTAMP> <LOG LEVEL> <LOG EVENT SRC>: <MESSAGE>` ([#​4035](https://github.com/docker-mailserver/docker-mailserver/pull/4035))
- **rsyslog:**
- Debian 12 adjusted the `rsyslog` configuration for the default file template from `RSYSLOG_TraditionalFileFormat` to `RSYSLOG_FileFormat` (*upstream default since 2012*). This change may affect you if you have any monitoring / analysis of log output (*eg: `mail.log` / `docker logs`*).
- The two formats are roughly equivalent to [RFC 3164](https://www.rfc-editor.org/rfc/rfc3164)) and [RFC 5424](https://datatracker.ietf.org/doc/html/rfc5424#section-1) respectively.
- A notable difference is the change to [RFC 3339](https://www.rfc-editor.org/rfc/rfc3339.html#appendix-A) timestamps (*a strict subset of ISO 8601*). The [previous non-standardized timestamp format was defined in RFC 3164](https://www.rfc-editor.org/rfc/rfc3164.html#section-4.1.2) as `Mmm dd hh:mm:ss`.
- To revert this change you can add `sedfile -i '1i module(load="builtin:omfile" template="RSYSLOG_TraditionalFileFormat")' /etc/rsyslog.conf` via [our `user-patches.sh` feature](https://docker-mailserver.github.io/docker-mailserver/v14.0/config/advanced/override-defaults/user-patches/).
- Rsyslog now creates fewer log files:
- The files `/var/log/mail/mail.{info,warn,err}` are no longer created. These files represented `/var/log/mail.log` filtered into separate priority levels. As `/var/log/mail.log` contains all mail related messages, these files (*and their rotated counterparts*) can be deleted safely.
- `/var/log/messages`, `/var/log/debug` and several other log files not relevant to DMS were configured by default by Debian previously. These are not part of the `/var/log/mail/` volume mount, so should not impact anyone.
- **Features:**
- The relay host feature was refactored ([#​3845](https://github.com/docker-mailserver/docker-mailserver/pull/3845))
- The only breaking change this should introduce is with the Change Detection service (`check-for-changes.sh`).
- When credentials are configured for relays, change events that trigger the relayhost logic now reapply the relevant Postfix settings:
- `smtp_sasl_auth_enable = yes` (*SASL auth to outbound MTA connections is enabled*)
- `smtp_sasl_security_options = noanonymous` (*credentials are mandatory for outbound mail delivery*)
- `smtp_tls_security_level = encrypt` (*the outbound MTA connection must always be secure due to credentials sent*)
- **Environment Variables**:
- `SA_SPAM_SUBJECT` has been renamed into `SPAM_SUBJECT` to become anti-spam service agnostic. ([#​3820](https://github.com/docker-mailserver/docker-mailserver/pull/3820))
- As this functionality is now handled in Dovecot via a Sieve script instead of the respective anti-spam service during Postfix processing, this feature will only apply to mail stored in Dovecot. If you have relied on this feature in a different context, it will no longer be available.
- Rspamd previously handled this functionality via the `rewrite_subject` action which as now been disabled by default in favor of the new approach with `SPAM_SUBJECT`.
- `SA_SPAM_SUBJECT` is now deprecated and will log a warning if used. The value is copied as a fallback to `SPAM_SUBJECT`.
- The default has changed to not prepend any prefix to the subject unless configured to do so. If you relied on the implicit prefix, you will now need to provide one explicitly.
- `undef` was previously supported as an opt-out with `SA_SPAM_SUBJECT`. This is no longer valid, the equivalent opt-out value is now an empty value (*or rather the omission of this ENV being configured*).
- The feature to include [`_SCORE_` tag](https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html#rewrite_header-subject-from-to-STRING) in your value to be replaced by the associated spam score is no longer available.
- **Supervisord**:
- `supervisor-app.conf` renamed to `dms-services.conf`
- **Rspamd**:
- the Redis history key has been changed in order to not incorporate the hostname of the container (which is desirable in Kubernetes environments) ([#​3927](https://github.com/docker-mailserver/docker-mailserver/pull/3927))
- **Account Management**
- addresses (accounts) are now normalized to lowercase automatically and a warning is logged in case uppercase letters are supplied
##### Added
- **Docs:**
- A guide for configuring a public server to relay inbound and outbound mail from DMS on a private server ([#​3973](https://github.com/docker-mailserver/docker-mailserver/pull/3973))
- **Environment Variables:**
- `LOGROTATE_COUNT` defines the number of files kept by logrotate ([#​3907](https://github.com/docker-mailserver/docker-mailserver/pull/3907))
- The fail2ban log file is now also taken into account by `LOGROTATE_COUNT` and `LOGROTATE_INTERVAL` ([#​3915](https://github.com/docker-mailserver/docker-mailserver/pull/3915), [#​3919](https://github.com/docker-mailserver/docker-mailserver/pull/3919))
- **Internal:**
- Regular container restarts are now better supported. Setup scripts that ran previously will now be skipped ([#​3929](https://github.com/docker-mailserver/docker-mailserver/pull/3929))
##### Updates
- **Environment Variables:**
- `ONE_DIR` has been removed (legacy ENV) ([#​3840](https://github.com/docker-mailserver/docker-mailserver/pull/3840))
- It's only functionality remaining was to opt-out of run-time state consolidation with `ONE_DIR=0` (*when a volume was already mounted to `/var/mail-state`*).
- **Internal:**
- Changed the Postgrey whitelist retrieved during build to [source directly from Github](https://github.com/schweikert/postgrey/blob/master/postgrey_whitelist_clients) as the list is updated more frequently than the [author publishes at their website](https://postgrey.schweikert.ch) ([#​3879](https://github.com/docker-mailserver/docker-mailserver/pull/3879))
- Enable spamassassin only, when amavis is enabled too. ([#​3943](https://github.com/docker-mailserver/docker-mailserver/pull/3943))
- **Tests:**
- Refactored helper methods for sending e-mails with specific `Message-ID` headers and the helpers for retrieving + filtering logs, which together help isolate logs relevant to specific mail when multiple mails have been processed within a single test. ([#​3786](https://github.com/docker-mailserver/docker-mailserver/pull/3786))
- **Rspamd**:
- The `rewrite_subject` action, is now disabled by default. It has been replaced with the new `SPAM_SUBJECT` environment variable, which implements the functionality via a Sieve script instead which is anti-spam service agnostic ([#​3820](https://github.com/docker-mailserver/docker-mailserver/pull/3820))
- `RSPAMD_NEURAL` was added and is disabled by default. If switched on it will enable the experimental Rspamd "Neural network" module to add a layer of analysis to spam detection ([#​3833](https://github.com/docker-mailserver/docker-mailserver/pull/3833))
- The symbol weights of SPF, DKIM and DMARC have been adjusted again. Fixes a bug and includes more appropriate combinations of symbols ([#​3913](https://github.com/docker-mailserver/docker-mailserver/pull/3913), [#​3923](https://github.com/docker-mailserver/docker-mailserver/pull/3923))
- **Dovecot:**
- `logwatch` now filters out non-error logs related to the status of the `index-worker` process for FTS indexing. ([#​4012](https://github.com/docker-mailserver/docker-mailserver/pull/4012))
- updated FTS Xapian from version 1.5.5 to 1.7.12
##### Fixes
- DMS config:
- Files that are parsed line by line are now more robust to parse by detecting and fixing line-endings ([#​3819](https://github.com/docker-mailserver/docker-mailserver/pull/3819))
- The override config `postfix-main.cf` now retains custom parameters intended for use with `postfix-master.cf` ([#​3880](https://github.com/docker-mailserver/docker-mailserver/pull/3880))
- Variables related to Rspamd are declared as `readonly`, which would cause warnings in the log when being re-declared; we now guard against this issue ([#​3837](https://github.com/docker-mailserver/docker-mailserver/pull/3837))
- Relay host feature refactored ([#​3845](https://github.com/docker-mailserver/docker-mailserver/pull/3845))
- `DEFAULT_RELAY_HOST` ENV can now also use the `RELAY_USER` + `RELAY_PASSWORD` ENV for supplying credentials.
- `RELAY_HOST` ENV no longer enforces configuring outbound SMTP to require credentials. Like `DEFAULT_RELAY_HOST` it can now configure a relay where credentials are optional.
- Restarting DMS should not be required when configuring relay hosts without these ENV, but solely via `setup relay ...`, as change detection events now apply relevant Postfix setting changes for supporting credentials too.
- Rspamd configuration: Add a missing comma in `local_networks` so that all internal IP addresses are actually considered as internal ([#​3862](https://github.com/docker-mailserver/docker-mailserver/pull/3862))
- Ensure correct SELinux security context labels for files and directories moved to the mail-state volume during setup ([#​3890](https://github.com/docker-mailserver/docker-mailserver/pull/3890))
- Use correct environment variable for fetchmail ([#​3901](https://github.com/docker-mailserver/docker-mailserver/pull/3901))
- When using `ENABLE_GETMAIL=1` the undocumented internal location `/var/lib/getmail/` usage has been removed. Only the config volume `/tmp/docker-mailserver/getmail/` location is supported when Getmail has not been configured to deliver mail to Dovecot as advised in the DMS docs ([#​4018](https://github.com/docker-mailserver/docker-mailserver/pull/4018))
- Dovecot dummy accounts (*virtual alias workaround for dovecot feature `ENABLE_QUOTAS=1`*) now correctly matches the home location of the user for that alias ([#​3997](https://github.com/docker-mailserver/docker-mailserver/pull/3997))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zODUuMCIsInVwZGF0ZWRJblZlciI6IjM3LjM4NS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Reviewed-on: https://git.csprung.de/carsten/container-server/pulls/47
Co-authored-by: Renovate Bot <renovate@git.csprung.de>
Co-committed-by: Renovate Bot <renovate@git.csprung.de>
2024-06-13 14:51:07 +02:00
|
|
|
image: mailserver/docker-mailserver:14
|
2019-12-05 23:02:28 +01:00
|
|
|
container_name: mail
|
2019-12-04 22:00:35 +01:00
|
|
|
restart: "${RESTART:-no}"
|
2019-12-05 23:02:28 +01:00
|
|
|
domainname: ${BASE_DOMAIN}
|
2023-09-13 22:33:47 +02:00
|
|
|
cap_add:
|
|
|
|
- NET_ADMIN # For Fail2Ban to work
|
2022-12-10 18:16:50 +01:00
|
|
|
environment:
|
|
|
|
- SSL_TYPE=letsencrypt
|
2022-12-22 18:11:48 +01:00
|
|
|
# You may want to enable this: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#spoof_protection
|
|
|
|
# See step 8 below, which demonstrates setup with enabled/disabled SPOOF_PROTECTION:
|
|
|
|
- SPOOF_PROTECTION=0
|
2022-12-10 18:16:50 +01:00
|
|
|
# Allow sending emails from other docker containers
|
|
|
|
# Beware creating an Open Relay: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#permit_docker
|
2022-12-17 19:20:46 +01:00
|
|
|
- PERMIT_DOCKER=connected-networks
|
2022-12-10 18:16:50 +01:00
|
|
|
- ONE_DIR=1
|
2023-09-13 22:33:47 +02:00
|
|
|
|
|
|
|
- ENABLE_AMAVIS=1
|
2022-12-10 18:16:50 +01:00
|
|
|
- ENABLE_POSTGREY=0
|
|
|
|
- ENABLE_CLAMAV=0
|
2023-09-13 22:33:47 +02:00
|
|
|
- ENABLE_SPAMASSASSIN=1
|
2022-12-11 00:10:46 +01:00
|
|
|
- ENABLE_MANAGESIEVE=1
|
2023-09-20 20:56:20 +02:00
|
|
|
- ENABLE_FAIL2BAN=0
|
2023-09-13 22:33:47 +02:00
|
|
|
|
2022-12-10 18:16:50 +01:00
|
|
|
- TZ=${TIMEZONE}
|
2022-12-22 18:11:48 +01:00
|
|
|
- POSTMASTER_ADDRESS=postmaster@${BASE_DOMAIN}
|
2023-09-13 22:33:47 +02:00
|
|
|
|
|
|
|
- SPAMASSASSIN_SPAM_TO_INBOX=1
|
|
|
|
- MOVE_SPAM_TO_JUNK=1
|
|
|
|
- SA_TAG=-10000.0 # set headers on all mails
|
|
|
|
- SA_TAG2=3.75 # above is considered spam
|
|
|
|
- SA_KILL=10000.0 # don't bounce/quarantine anything
|
2024-06-13 15:24:16 +02:00
|
|
|
- "SPAM_SUBJECT=[SPAM] "
|
2019-11-05 20:58:51 +01:00
|
|
|
ports:
|
2023-09-13 22:33:47 +02:00
|
|
|
- "25:25" # SMTP (explicit TLS => STARTTLS)
|
|
|
|
- "143:143" # IMAP4 (explicit TLS => STARTTLS)
|
|
|
|
- "465:465" # ESMTP (implicit TLS)
|
|
|
|
- "587:587" # ESMTP (explicit TLS => STARTTLS)
|
|
|
|
- "993:993" # IMAP4 (implicit TLS)
|
2022-12-11 00:10:46 +01:00
|
|
|
- "4190:4190" # managesieve
|
2019-11-05 20:58:51 +01:00
|
|
|
volumes:
|
2022-12-10 18:16:50 +01:00
|
|
|
# config
|
|
|
|
- ${BASE_DIR:-/srv}/mail/config:/tmp/docker-mailserver/
|
2023-09-13 22:33:47 +02:00
|
|
|
- ./mail/spamassassin-learn:/etc/cron.d/spamassassin-learn:ro
|
|
|
|
- ./mail/15-mailboxes.conf:/etc/dovecot/conf.d/15-mailboxes.conf:ro
|
2022-12-10 18:16:50 +01:00
|
|
|
# Mail data
|
|
|
|
- ${BASE_DIR:-/srv}/mail/mail-data:/var/mail/
|
|
|
|
- ${BASE_DIR:-/srv}/mail/mail-state:/var/mail-state/
|
|
|
|
- ${BASE_DIR:-/srv}/mail/mail-logs:/var/log/mail/
|
|
|
|
# certificates
|
2023-09-13 22:33:47 +02:00
|
|
|
- ${CERTS_DIR}/post.${BASE_DOMAIN}/post.${BASE_DOMAIN}.crt:/etc/letsencrypt/live/post.${BASE_DOMAIN}/fullchain.pem:ro
|
|
|
|
- ${CERTS_DIR}/post.${BASE_DOMAIN}/post.${BASE_DOMAIN}.key:/etc/letsencrypt/live/post.${BASE_DOMAIN}/privkey.pem:ro
|
2019-11-05 20:58:51 +01:00
|
|
|
networks:
|
2023-09-13 22:33:47 +02:00
|
|
|
mail:
|
|
|
|
aliases:
|
|
|
|
- post.${BASE_DOMAIN}
|