October updates (more updates!)

Updated on October 14, 2018: More updates!

Important changes

  • New: send system emails to mailboxes hosted on mailcow (via LMTP)
  • API table changes (in case anyone is using it already ;-))
  • Add multiple administrators
  • Database initialization is now run in the entrypoint script, check php-fpm-mailcow logs if it fails to start
  • Removed Bitcoin donation and added liberapay.com/mailcow
  • Support packages are almost here (many thanks to Tim Korves for everything!)

Summary

Added on 14th Oct

[PHP-FPM] Base on Alpine 3.8
[ACME] Base on Alpine 3.8
[ACME] Do not add alias domains to auto* domains
[Web] Fall back to raw content when mail parsing fails, fixes #1892
[Compose] Add some parameters to watchdog-mailcow
[Compose] New images for ClamAV, ACME and watchdog
[Compose] New PHP-FPM image
[Watchdog] Minor changes
[Watchdog] Base on Alpine 3.8
[Watchdog] Remove some check_ping checks
[Watchdog] Add ClamAV check (if SKIP_CLAMD=n)
[Watchdog] Add Unbound check
[Watchdog] Do not use Docker API by default to determine IP of containers (see “IP_BY_DOCKER_API”)
[Watchdog] Minor changes
[ClamAV] Update to 0.100.2
[Netfilter] Remove duplicate import
[Unbound] Upgrade to Alpine 3.8, fixes #1882
[Compose] Update Postfix and Dovecot images
[Compose] New images: Unbound, PHP-FPM, SOGo, Dovecot, ACME
[Postfix] Proper permissions for sql config files
[Dovecot] Proper permissions for sql config files
[Dovecot] Set imap_max_line_length = 2 M
[Dovecot] Use mysqladmin status instead of ping to determine readiness
[README] Remove Bitcoin donation link, add liberapay.com/mailcow
[Config] Add allowed chars for API key
[Helper] Fix mailcow reset admin to work in multi-admin environment
[Web] Some language updates for sys mails
[Web] Fix require_once to always include document root
[Web] Add system mails (send mails to all mailboxes via LMTP)
[Web] Allow to add more administrators
[Web] Fix domain administrator editing
[Web] Remove some foreign keys
[Web] Remove username from API
[Web] Remove more .php extension from code
[Web] More minor fixes
[Rspamd] Prefix quarantine error_log messages with “QUARANTINE”
[Rspamd] Fix quarantine max size check (it was ignored)
[PHP-FPM] Move max_execution_time and max_input_time to general PHP config, removed as fixed php_admin_value
[PHP-FPM] Use mysqladmin status instead of ping to determine readiness
[PHP-FPM] Init database in entrypoint
[PHP-FPM] Change API credential injection
[ACME] Log acme-client output base64 encoded, use mysqladmin status instead of ping to determine readiness
[SOGo] Use mysqladmin status instead of ping to determine readiness

Updates, again…

Important changes

  • “Better” URLs, edit.php?what=item becomes edit/what/item etc.
  • Define default mailbox attributes for new mailboxes (as of today: “tls_enforce_in”, “tls_enforce_out”, “force_pw_update” – all default to false) =>
    // Force incoming TLS for new mailboxes by default
    $MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_in'] = false;
    
    // Force outgoing TLS for new mailboxes by default
    $MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_out'] = false;
    
    // Force password change on next login (only allows login to mailcow UI)
    $MAILBOX_DEFAULT_ATTRIBUTES['force_pw_update'] = false;
    

Summary

[Compose] New Postfix image
[Web] Fix domain admin edit function
[Web] Feature: TLS policy maps
[Web] Avoid php extensions in links
[Web] Minor fixes
[Postfix] Enable/create smtp_tls_policy_maps
[Nginx] Avoid php extensions, use rewrite
[SOGo] SOGoMaximumSyncWindowSize = 99

Updates, updates, updates…

Important changes

  • Maildir encryption is enabled by default! Backup “crypt-vol-1”! You lose/delete this key, you lose your mail. There is no way to recover them.
    bash helper-scripts/backup_and_restore.sh backup crypt
    
  • Deleted mailboxes and domains will be moved to /var/vmail/_garbage and cleaned up after $MAILDIR_GC_TIME minutes; the collector runs hourly
  • Rspamd controller password change commands are now piped to bash to hide them from process lists
  • Docker API now uses a self-generated key pair
  • Unbound logging is finally fixed
  • “unbound-control” was made available
  • Peer Heinlein allowed us to use their SA rules, many thanks!

Summary

[Update] Add MAILDIR_GC_TIME
[Postfix] Increase default message size limit to 100 MiB
[Rspamd] Add desc to high spam networks
[Rspamd] Ignore custom files, but keep bad asn map
[Rspamd] Fix permissions of controller password file
[Rspamd] Place socket in _rspamd home and fix permissions
[Rspamd] Ignore sa-rules-heinlein file, remove from index
[Unbound] Fix logging, fixes #585
[Unbound] Enable unbound-control
[Docker API] Use TLS encryption for communication with “on-the-fly” created key pairs (non-exposed)
[Docker API] Create pipe to pass Rspamd UI worker password
[Dovecot] Do not query gid and uid
[Dovecot] Pull Spamassassin ruleset to be read by Rspamd (MANY THANKS to Peer Heinlein!)
[Dovecot] Garbage collector for deleted maildirs (set keep time via MAILDIR_GC_TIME which defaults to 1440 minutes)
[Dovecot] Encrypt maildir with global key pair in crypt-vol-1 (BACKUP!), also fixes #1791
[Dovecot] Check garbage hourly
[Dovecot] Update SA rules once when container starts
[Web] Flush memcached after mailbox item changes, fixes #1808
[Web] Fix duplicate IDs, fixes #1792
[Web] Fix deletion of spam aliases
[Web] Do not exit loop on fuzzy errors when learning a message as spam
[Compose] Use SQL sockets
[Compose] New images for Rspamd, PHP-FPM, SOGo, Dovecot, Docker API, Watchdog, ACME, Postfix
[Compose] Update Unbound image and set tty true
[Compose] Remove volume for Rspamd socket
[PHP-FPM] Update APCu and Redis libs
[Helper] Add “crypt” to backup script
[Helper] Override file for external SQL socket (not supported!)

ACL and ';--have i been pwned?

Hi,

I would love to get some feedback on the ACL implementation. If you find bugs etc., please let us know @ GitHub.

There is some info in the docs => https://mailcow.github.io/mailcow-dockerized-docs/model-acl/ – they still need more updates.

One improvement I see is to hide the divs completely and/or deny access to the functions' ‘get’ methods. Let us know on Freenode, #mailcow.

Thanks for the idea to integrate haveibeenpwned.com, I like it! Sorry to haveibeenpwned.com for playing with it and trying a bunch of old passwords, I hope I didn’t hammer your API too much. 🙂

For your information: Your password is never sent to their API!
We only query the API with the first 5 characters of the SHA1 hash of the current input field's value (generated in your browser, not server-side) and check the response for matches of the full hash, which is still stored in your browser.

André

Updates and two important fixes

We just fixed SOGo theme switching again. There is a chance we did it, I promise…

Knight1 made us aware of a critical bug that led to mailcow accepting custom X-FORWARDED-FOR headers. This bug was introduced with the last update.

Important change: We disabled “any” and “all authenticated” ACL settings in Dovecot and removed the box in SOGo's ACL editor (big thanks to the SOGo devs, please help them, buy a subscription!).
You can find information about how to re-enable it here.

We will add an easy way to enable your SOGo subscription soon.

Please don’t forget to support mailcow. 🙂

Updates!

Learning methods for bayes and fuzzy hashes (new) changed on today's update, I recommend running…

bash helper-scripts/reset-learns.sh

…to start over with a clean hash database.

Spam/ham is no longer auto-learned, please move mails into/out of the junk folder to train the filter or use the new spam/ham alias target. The logging method changed slightly, some more changes will follow.

A new section “mailcow UI” was added to the logs panel. IPs are logged but anonymized by default, please see ANONYMIZE_IPS in “vars.inc.php”.
Users now see their last login.

Redis logs are now trimmed by a cronjob in “dovecot-mailcow”, which will move to “watchdog-mailcow” in the future => much less hammering.

SYSCTL_IPV6_DISABLED was removed, please see the docs about how to disable IPv6.

Sync jobs are now unlocked when the job was abruptly interrupted.
Sync jobs in mailcow UI can now contain custom parameters.
Some previously hard-coded parameters were removed!
“subscribeall”, “timeout1” and “timeout2” can now be defined in the job details.
“buffersize”, “split1”, “split2”, “fastio1”, “fastio2” were removed and can be used in custom parameters.

The SOGo theme switching bug is hopefully fixed. I will probably find a better way to fix it than using “sed” to replace the hard-coded colors.

PS: If you like to, please consider supporting us. 🙂