January updates

Updated on January 18, 2019: More updates!

Here we go again. Thank you so much for your help, contributions and donations!

Important changes

  • Solr is here, thanks to evilstiefel. Please also check the docs.
  • We now include some Sanesecurity signatures to improve spam detection (hopefully). We had to switch to a Debian base and hope to decrease its size a bit in the future.
  • The default add_header score (move mail to “Junk”) is now 8 (7 for greylisting).
  • Blacklist/Whitelist can now contain “.*” and will be read as “\..*”.
  • Redis 5
  • Thanks to @feldsam we can now have multiple profiles on Apple devices.
  • “ipv6nat” will be restarted if it was not the last container to start (this is a work-in-progress, we hope to move a lot of this from Watchdog to Netfilter)

Summary

Added on January 18

[ClamAV] Add more signatures
[ClamAV] Fix whitelist permission error
[ClamAV] Set prio of clamd parent to 10, fixes #2174
[Compose] New image for ClamAV
[Compose] Update ClamAV and SOGo images
[Compose] Update Rspamd image
[Config] Change some texts, lower RAM req. to 3.5 GB for Solr
[Config/Update] Set limits and change descriptions for Solr
[DockerAPI] Add unused FTS endpoints…
[Dovecot] Add Czech folder names to namespace
[Dovecot] Allow setting ACL_ANYONE in mailcow.conf
[Dovecot] Use Solr for LMTP
[Dovecot] Add Solr
[Rspamd] Do not apply SOGO_CONTACT for hard SPF failures
[Rspamd] Fix metadata_exporter
[rspamd] increased values for SPF, DKIM reject
[Rspamd] Set higher/lower scores for local fuzzy matches
[Rspamd] Set max_size for AV
[SOGo] Allow to turn off GAL for each domain
[Solr] Refuse to start with RAM lt 2 GB
[Web] Allow to turn off GAL for each domain
[Web] Delete index data from Solr when deleting mailbox
[Web] Minor fix in return
[Web] Show subject in quarantine
[Web] Update lang strings

Added on January 12

[ClamAV] Improve logging
[Nextcloud] Download Nextcloud 15
[Web] Delete network from whitelist when adding it to the blacklist
[Web] Revert password policy, fixes #2163


[Rspamd] Scan the whole message to be able to trigger Sanesecurity rules
[Rspamd] Increase add_header and greylist score
[Web] Save filter objects 1:1 to database
[Rspamd] preg_quote filter objects, only translate * to .* – fixes #2152
[ClamAV] Update to 0.101.1 (based on Debian to fix some errors)
[ClamAV] Include some junk signatures from Sanesecurity
[ClamAV] Some config values are deprecated and were replaced
[ClamAV] Scan whole file
[Backup] Made backup container mounts read only
[Web] Apple mobileconfig enhancements by @feldsam
[Config] Fix misleading typo in generated mailcow.conf
[SOGo] Fix ealarms, again, fixes #2136
[Web] Hide self-edit passwords of domain admins, fixes #2135
[Web] Various minor fixes
[Compose] Update to Redis 5
[Compose] New images for ClamAV, Watchdog, SOGo, Postfix and PHP-FPM
[Watchdog] Run IPv6 NAT check hourly
[PHP-FPM] Update PHP and libs
[Watchdog] Add check for IPv6 NAT: Make sure IPv6 NAT container was started at least 30s after other containers
[Compose] Make ipv6nat depend on all containers
[Postfix] Fix transport map authentication with multiple identical nexthops
[SOGo] Remove old js file
[Web] Fix for the fix of transport map checks
[Web] Remove unnecessary check for transport maps
[SOGo] Fix file path of sogo-full.svg
[Update] Add user.name and user.email for local git config if missing
[Web] Update languages (cs, en)
[Web] Add more details for transport maps
[Web] More checks and fixes for transport maps

December updates (updated on December 21)

Hi,

Yes, there have been a few pushes, but enotime to update the website, sorry.

BIG thanks to Radek Tříška for his Czech translation of mailcow!

 

Important changes

Added on December 21
  • You can now add transport maps in mailcow. Transport service is always “smtp:”. Please see the hints added to mailcow UI.
  • Relayhosts are renamed to sender-dependent transport maps.

  • Watchdog now sends a mail when the ratelimit log table changed (does not send a mail for each triggered ratelimit to prevent hammering)
  • A ratelimit log was added to the UI, hashes are identified by color and can be removed (which resets the limit)
  • We speak Czech!
  • SOGo's email reminders are enabled and working (thanks to inverse.ca!)
  • Please check your mysql-mailcow and php-fpm-mailcow logs if mysql-mailcow fails to start. We added a routine to automatically run mysql_upgrade via API.
  • Quarantine items are now released as they were received, this can be changed in mailcow UI.

 

Summary

Added on December 21

[Web] Fix some language strings
[SOGo] Copy logo from config dir, no need to rebuild image
[Web] Allow to set transport maps, rename relayhosts to sender-dependent transports
[Compose] Fix custom-sogo.js mount
[Compose] Update Postfix and SOGo images
[Postfix] Split SASL passwd maps
[Postfix] create new smtp service to skip sender-dependent SASL map
[Postfix] Hard-bounce on SASL errors
[Postfix] Split sasl passwd maps to not lookup sender_dependent_default_transport_maps auth info when querying for transport_maps
[SOGo] Remove custom colors, there were various broken styles especially for indicators of freebusy states


Added on December 15

[Web] Show ratelimited messages, allow to delete Redis hash to reset status of a bucket
[Rspamd] Use meta exporter to pipe meta data of ratelimited msg to Redis
[Rspamd] Updated values of default ratelimit settings, add info_symbol
[Rspamd] Add ratelimit.lua (to be removed from Dockerfile with next Rspamd release)
[Compose] Update Watchdog, Dovecot, PHP, Rspamd images
[Watchdog] Alert when ratelimit log changed (does NOT send one mail per triggered ratelimit)
[PHP-FPM] Try SQL once, prevent loops (todo: fix view before upgrade)
[Dovecot] Give master user a uid and gid, fixes #2093
[Dovecot] Trim more logs
[Nextcloud] Fix headers (fixes duplicate frame origin header)
[Nextcloud] Use db 10 for Redis cache
[Postfix] Add missing regexp map, fixes #2083
[Git] Add allow_mailcow_local.regexp and dovecot-master.userdb


[Git] Add allow_mailcow_local.regexp and dovecot-master.userdb
[SOGo] Enable EMailAlarms
[SOGo] Use sieve.creds to authenticate against Dovecot and send email reminders
[SOGo] Wait for updated db schema before bootstrapping
[Compose] Additional SOGo mount for future use
[Compose] Update images: Rspamd, PHP, Dovecot, Netfilter, SOGo, DockerAPI
[Dovecot] Split imapsync cron by —
[Dovecot] Add master user to userdb (to be used in SOGo)
[Dovecot] passdb query ignored active attribute in mailbox table
[Dovecot] Increase proc limit and default client limit
[Dovecot] Update Dovecot to 2.3.4, update Pigeonhole to 0.5.4
[Dovecot] Remove UTF-8 attribute
[Dovecot] Fix maildir_gc, build with ldap support
[DockerAPI] Add mysql_upgrade task
[MySQL] Remove deprecated values for future use of MariaDB 10.3
[PHP-FPM] Trigger mysql_upgrade
[PHP-FPM] Add default release format for spam
[Netfilter] Disable aborted login without auth as fail2ban trigger
[Web] Remove a divider
[Web] Small css fixes
[Web] Fix missing string in modal dialog
[Web] Allow to toggle release format of quarantine msgs
[Web] Update lang.nl.php
[Web] Rename configuration menu
[Web] Show warning when configuration disabled quarantine
[Web] Fix init_db, init json when attributes are null
[Web] Do not fail when _sogo_static_view fails to update
[Web] Fix init_db, init json when attributes are null
[Web] Allow actions in quarantine modal, fixes #1991
[Web] Fixes for Source Sans Pro font
[Web] Czech localization
[Web] Edit domain, allow set max mailboxes to 0, fixes #2021
[Web] Fix settings_map_removed, fixes #2018
[Rspamd] Do not apply SOGO_CONTACT for SPF fails and when sending from whitelisted host
[Rspamd] Remove SOGO_CONTACT for header from
[Rspamd] Use boolean for one_shot, fixes #2066
[Rspamd] Add global rcpt blacklist and whitelist
[Rspamd] Global whitelist/blacklist from via multimap
[Postfix] Important fix for mailbox maps, fixes #2013
[Postfix] Security: Prefer server-side ciphers

Moovember updates #1

Updated on Moovember 14, 2018: More updates!

Important changes

  • You can now add a subdomain for all existing domains by using ADDITIONAL_SAN like ADDITIONAL_SAN=mail.* – thanks to @markusg on GitHub!
  • mail_log is enabled, if it is heavy on resources, let us know.
  • There is a new mailbox_format attribute in vars.inc.php that CAN be changed to mdbox, but you will most likely break existing ACLs on mixed setups (also change dovecot.conf to use mdbox for the shared namespace) – unsupported.
  • We use a /var/volatile directory for files that can cause trouble on NFS shares (e.g. locking files)
  • A custom-sogo.js file is now included in SOGo by default. This allows, for example, setting CKEditor attributes.

Summary

Added on 15th Oct

[Web] Add “alias_domains” ACL to prevent alias domains to add alias domains (by default!)
[Web] Edit alias domains: use select menu
[Web] Minor fixes


[Compose] Remove dedicated index (wip)
[Web] mailbox_format maildir
[Dovecot] Enable mail_log (events: delete undelete expunge copy mailbox_delete mailbox_rename)
[Dovecot] Increase vsz_limit for some services to 1 G
[Dovecot] Enable auth_cache
[Dovecot] Remove dedicated index (wip)
[SOGo] Fix sogo_view
[Config] Add info for sub.* records to generate_config.sh
[Compose] New images for Rspamd, SOGo, Dovecot, Postfix, ACME
[Compose] New volume for deduplicated attachments <- only on mdbox; encrypted
[Web] Adjust mailbox format
[Web] Include IMAP lib for future use
[Web] Fix default exception handler
[Web] Fix sync job edit forms
[Web] Other minor fixes
[Web] Fix _sogo_static_view creation when parent tables changed order of cols
[Web] Fix details for blind DKIM keys
[SOGo] Include custom-sogo.js to dynamically add JS to SOGo, increase textarea font of CKeditor by default
[Rspamd] Add fuzzy hash to msg
[Rspamd] Add SOGo contacts to whitelist
[SOGo] Adjust SOGo view
[Nginx] Remove Strict-Transport-Security for subdomains (prevented autoconfig from working without TLS)
[Rspamd] Add stopsignal (testing)
[Dovecot] Create crypted mail_attachment_fs to store attachments with a min size of 128k
[Dovecot] Shared location to “auto:” to auto-detect legacy mailbox formats across shared mailboxes <- reverted, wip
[Dovecot] Create config service for crypted mail_attachment_fs
[Postfix] Adjust mailbox query
[Dovecot] Dovecot 2.3.3, Pigeonhole 0.5.3
[Dovecot] Use “--enable-hardening” flag
[Dovecot] Fix cronjobs
[Dovecot] Use /var/volatile to prevent locking files from being written to NFS storage (if vmail is on NFS)
[Dovecot] Change userdb query
[Dovecot] Use /var/attachments for mdbox attachment deduplication and /var/index for index files <- index reverted, deduplication only with mdbox
[Dovecot] Fix sieve user creation
[Dovecot] Make console writable
[Dovecot] Fix trim_logs.sh
[ACME] Allow for sub.* values in ADDITIONAL_SAN
[Rspamd] Reduce rspamd DNS timeout
[Web] Fix init_db for older mailcow installations, fixes #1961

Close-to-Halloween updates and fixes

Important changes

  • We now try to reload a service instead of restarting it when a certificate has changed. If reloading fails, we restart the container.
  • A supervisord controlled container will now die when a program it started exits.

Summary

[Web] More mailq fixes
[Compose] Update SOGo, Dovecot and Postfix images
[Web] Fix mailq styles in /admin
[Web] Move ‘get’ method to mailq functions file
[Web] Add overflows in /admin for small devices
[Web] Fix maildir cleanup after deleting mailbox
[Postfix] Use events to kill supervisord when main proc dies
[SOGo] Use events to kill supervisord when main proc dies
[Dockerapi] Some minor changes
[Web] Cleanup _sogo_static_view and memcached
[Compose] Update Docker API and ACME images
[ACME] Try to reload services after certificate changes instead of restarting
[DockerAPI] Add service reload commands
[Postfix] Do not remove user agent


Updated on 27 Oct:

[Rspamd] Change log level to silent (see docs)
[Rspamd] Adjust default values for (perm) failures of DKIM and SPF
[Compose] Update ClamAV, watchdog and Docker API images
[Compose] Remove whitelist mount in ClamAV service
[DockerAPI] Add top and stats
[ClamAV] Do not try to modify cross-mounted file, copy whitelist from conf to lib directory
[ClamAV] Remove AllowSupplementaryGroups from freshclam.conf (deprecated)
[Watchdog] Check if initdb is running and if true skip killing php-fpm-mailcow
[Watchdog] Allow multiple rcpts separated by comma
[Postfix] Add tls_preempt_cipherlist to SMTPS
[Update] Remove obsolete parameters


Updated on 28 Oct:

[Web] Fix sieve validation, fixes #1960
[Update] Change umask for update to ensure it's 0022
[Watchdog] Skip container restart if running for less than 120 seconds

Some more features

Important changes

  • No breaking changes, don’t worry… 🙂
  • New: Postqueue manager
  • New: Grant/Disallow SOGo access
  • New: Reset SOGo profiles

Summary

[Compose] Update SOGo and Docker API images
[Web] Queue manager for Postfix
[Web] Add sogo_access mail attribute
[Web] Allow to wipe SOGo profiles
[SOGo] Read .sogo_access attribute when bootstrapping view
[DockerAPI] WIP: change of structure, add some more commands to control mail queue
[Helper] Do not use full network name for MySQL backup

“Almost November” updates

Important changes

  • We do not request autoconfig.* names anymore!
    Who needs to change what?
    – If you are using a HTTP -> HTTPS redirect without reverse proxy, check the updated docs here. The first “server” block is new, you probably already use the second “server” block. 🙂
    – If you are using a reverse proxy, you should check the updated guides here.
  • The default guide for a reverse proxy setup has changed! See here. We use “acme-mailcow” as ACME client in our examples now. It is probably easier for most use-cases. You don’t need to change your current configuration – besides stopping redirecting autoconfig.* to a HTTPS session. Check out the examples for Nginx and Apache.
  • Rspamd 1.8.1

Summary

[Compose] New Rspamd image (1.8.1)
[Compose] Update ACME and Rspamd images
[Watchdog] Remove cert check (wip)
[Watchdog] Append last check loop as attachment to mail
[Watchdog] Print time and date in mail alerts
[ACME] Stop requesting certificates for autoconfig.*
[Rspamd] Upgrade base to Bionic
[Rspamd] Remove deprecated attachments_only in AV module
[Rspamd] Remove old symbol score
[Update] Checkout pcre header check if missing, fixes #1906
[Update] Remove old header check to prevent update failure
[Unbound] Reduce negative max ttl to 60s and min-ttl for all other keys to 5
[Web] Fix API (broken in previous update, still a wip)
[Web] Set new expire date for time limited aliases via actions button, fixes #1903
[Web] Hardening HTTP headers
[Web] Hide autodiscover records on DNS page for alias domains
[Web] Read default actions from Rspamd instead of using/printing “5,15”
[Web] Allow to reset spam score to server default (which deletes the custom spam score from the database and prints the default action values of Rspamd in use)
[Postfix] Change mail_name to Postcow and only replace headers when mail_name matches
[Postfix] Remove headers only when mail_name matches
[PHP-FPM] Disabling more functions inside php-fpm

October updates (more updates!)

Updated on October 15, 2018: More updates!

Important changes

  • New: send system emails to mailboxes hosted on mailcow (via LMTP)
  • API table changes (in case anyone is using it already ;-))
  • Add multiple administrators
  • Database initialization is now run in the entrypoint script, check php-fpm-mailcow logs if it fails to start
  • Removed Bitcoin donation and added liberapay.com/mailcow
  • Support packages are almost here (many thanks to Tim Korves for everything!)

Summary

Added on 15th Oct

[PHP-FPM] Disable some functions by default
[Postfix] Add mailcow_anonymize_headers to default config
[Web] Minor language fix
[Helper] Add MAILCOW_BACKUP_LOCATION as alternative to BACKUP_LOCATION to backup script, fixes #957


Added on 14th Oct

[PHP-FPM] Base on Alpine 3.8
[ACME] Base on Alpine 3.8
[ACME] Do not add alias domains to auto* domains
[Web] Fall back to raw content when mail parsing fails, fixes #1892
[Compose] Add some parameters to watchdog-mailcow
[Compose] New images for ClamAV, ACME and watchdog
[Compose] New PHP-FPM image
[Watchdog] Minor changes
[Watchdog] Base on Alpine 3.8
[Watchdog] Remove some check_ping checks
[Watchdog] Add ClamAV check (if SKIP_CLAMD=n)
[Watchdog] Add Unbound check
[Watchdog] Do not use Docker API by default to determine IP of containers (see “IP_BY_DOCKER_API”)
[Watchdog] Minor changes
[ClamAV] Update to 0.100.2
[Netfilter] Remove duplicate import
[Unbound] Upgrade to Alpine 3.8, fixes #1882


[Compose] Update Postfix and Dovecot images
[Compose] New images: Unbound, PHP-FPM, SOGo, Dovecot, ACME
[Postfix] Proper permissions for sql config files
[Dovecot] Proper permissions for sql config files
[Dovecot] Set imap_max_line_length = 2 M
[Dovecot] Use mysqladmin status instead of ping to determine readiness
[README] Remove Bitcoin donation link, add liberapay.com/mailcow
[Config] Add allowed chars for API key
[Helper] Fix mailcow reset admin to work in multi-admin environment
[Web] Some language updates for sys mails
[Web] Fix require_once to always include document root
[Web] Add system mails (send mails to all mailboxes via LMTP)
[Web] Allow to add more administrators
[Web] Fix domain administrator editing
[Web] Remove some foreign keys
[Web] Remove username from API
[Web] Remove more .php extension from code
[Web] More minor fixes
[Rspamd] Prefix quarantine error_log messages with “QUARANTINE”
[Rspamd] Fix quarantine max size check (it was ignored)
[PHP-FPM] Move max_execution_time and max_input_time to general PHP config, removed as fixed php_admin_value
[PHP-FPM] Use mysqladmin status instead of ping to determine readiness
[PHP-FPM] Init database in entrypoint
[PHP-FPM] Change API credential injection
[ACME] Log acme-client output base64 encoded, use mysqladmin status instead of ping to determine readiness
[SOGo] Use mysqladmin status instead of ping to determine readiness

Updates, again…

Important changes

  • “Better” URLs, edit.php?what=item becomes edit/what/item etc.
  • Define default mailbox attributes for new mailboxes (as of today: “tls_enforce_in”, “tls_enforce_out”, “force_pw_update” – all default to false) =>
    // Force incoming TLS for new mailboxes by default
    $MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_in'] = false;
    
    // Force outgoing TLS for new mailboxes by default
    $MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_out'] = false;
    
    // Force password change on next login (only allows login to mailcow UI)
    $MAILBOX_DEFAULT_ATTRIBUTES['force_pw_update'] = false;
    

Summary

[Compose] New Postfix image
[Web] Fix domain admin edit function
[Web] Feature: TLS policy maps
[Web] Avoid php extensions in links
[Web] Minor fixes
[Postfix] Enable/create smtp_tls_policy_maps
[Nginx] Avoid php extensions, use rewrite
[SOGo] SOGoMaximumSyncWindowSize = 99