Almost-spring-updates

Updated on March 10, 2019: Moooore!

For commercially used mailcows, please consider buying a support subscription or help to keep mailcow alive by donating. 🙂

Many under-the-hood changes since the Foobruary updates.

Important changes

  • Updated on March 10, 2019: Due to changes in Solr, you should trigger a rescan (not a full reindex!) for all users: docker-compose exec dovecot-mailcow doveadm fts rescan -A – yes, again – sorry!
  • TLSv1.2 is now the min. required protocol for mandatory encryption in Postfix.
    This affects per-user TLS encryption (when a user enforces TLS) or any TLS policy created with “encrypt” policy or higher.
    We only make an exception for authenticated connections over port 587 and 465, where we accept TLSv1 and higher.
    Dovecot remains at TLSv1+ for IMAP, while we require TLSv1.2+ for LMTP connections now.
  • “vacation-seconds” can now be used in sieve filters
  • The IPv6 NAT check in watchdog-mailcow is less CPU intensive
  • A Postfix transport destination “*” now excludes hosts matching /localhost$/
  • Rspamd settings map is checked for changes instead of always re-applying it in Rspamd – saves CPU time
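
To check the TLS floor described above on your own host, the following added example (not mailcow code) computes which protocols a Postfix *_tls_mandatory_protocols value leaves enabled and flags any parameter whose minimum is below TLSv1.2. The parameter names are standard Postfix ones; the sample input is constructed and is not mailcow's shipped configuration.

```python
import re

# Protocol names Postfix accepts, oldest first.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def enabled_protocols(value):
    """Return the protocols a *_tls_mandatory_protocols value leaves enabled."""
    tokens = [t for t in re.split(r"[\s,:]+", value.strip()) if t]
    include, exclude, lo, hi = set(), set(), 0, len(ORDER) - 1
    for tok in tokens:
        if tok.startswith(">="):      # lower bound syntax (Postfix 3.6+)
            lo = max(lo, ORDER.index(tok[2:]))
        elif tok.startswith("<="):    # upper bound syntax (Postfix 3.6+)
            hi = min(hi, ORDER.index(tok[2:]))
        elif tok.startswith("!"):     # exclusion, e.g. !TLSv1.1
            exclude.add(tok[1:])
        else:                         # explicit inclusion
            include.add(tok)
    unknown = (include | exclude) - set(ORDER)
    if unknown:
        raise ValueError(f"unknown protocol name(s): {sorted(unknown)}")
    base = include or set(ORDER)      # no inclusions (or empty value) means all protocols
    return [p for p in ORDER[lo:hi + 1] if p in base and p not in exclude]

def audit(postconf_text, floor="TLSv1.2"):
    """Map each *_tls_mandatory_protocols line to (lowest enabled protocol, meets floor?)."""
    results = {}
    for line in postconf_text.splitlines():
        name, sep, value = line.partition("=")
        if not sep or not name.strip().endswith("_tls_mandatory_protocols"):
            continue
        enabled = enabled_protocols(value)
        lowest = enabled[0] if enabled else None
        ok = lowest is not None and ORDER.index(lowest) >= ORDER.index(floor)
        results[name.strip()] = (lowest, ok)
    return results

# Constructed sample in "postconf -n" format; not mailcow's shipped configuration.
SAMPLE = """\
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = >=TLSv1.2
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
"""

if __name__ == "__main__":
    for param, (lowest, ok) in audit(SAMPLE).items():
        print(f"{param}: minimum {lowest} -> {'ok' if ok else 'BELOW FLOOR'}")
```

Feed it the output of postconf -n from the Postfix container; for the 587/465 exception, audit the override value with floor="TLSv1" instead.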

Summary

Added on March 10

[Web] Change core to dovecot-fts
[Dovecot] Use dovecot-fts core
[Solr] Use fixed, recommended schema but add EdgeNGramFilterFactory
[Compose] Update Rspamd, Postfix, Dovecot and Solr images
[Dovecot] v2.3.5 (PH 0.5.5)
[Dovecot] Change Solr cronjob to fit dovecot-fts
[Postfix] Fix sasl_passwd query from alias domain, fixes #2410
[Rspamd] Remove buggy last-modified check


[ClamAV] Create directory before handling whitelist
[ClamAV] More checks and permission fixes
[Compose] Update ClamAV, watchdog, SOGo and Rspamd images
[Dovecot] Add flags and notify to sieve_extensions
[Dovecot] Enable sieve vacation seconds not just for global scripts
[Dovecot] Fix very stupid error in quarantine_notify.py – thanks to @DevTek314
[Dovecot] Remove vacation-seconds from global-only
[Postfix] Fix mandatory encryption protocols and always require at least TLS 1.2 for LMTP
[Postfix] Mandatory encryption protocol is now min. TLS 1.2
[Postfix] Mandatory protocol for authenticated clients over 587/tcp and 465/tcp is now TLSv1.0+
[Postfix] Force route localhost$ over local:
[Postfix] Remove sasl requiring policies from port 25
[Rspamd] Add fuzzy worker with worker-fuzzy.inc
[Rspamd] Drop rspamd.conf.local
[Rspamd] Make upstream an object
[Rspamd] Mime from and rcpt can now be checked by from_mime and rcpt_mime instead of “header { XY }”
[Rspamd] Reduce SOGO_CONTACT score to -99
[Rspamd] Use almost-stable unstable 🙂
[Rspamd] Check if filterconf table was changed and return Last-Modified accordingly
[Update] Add /opt/bin to PATH, fixes #2391
[Watchdog] Do not hammer API too much when running IPv6 NAT check
[Watchdog] Run IPv6 NAT check more often (300s sleep instead of 3600s)
[Watchdog] Minor fixes, print last log lines on error
[Watchdog] Use ipv6nat-mailcow instead of ipv6nat
[Web] Fix bootstrap paths
[Web] Fix transport_check over port 465, fixes #2386
[Web] Strip < and > from start/end of full name
[Web] Update bootstrap to 3.4.1, fixes #2381