Update your Kernel, if you are on Ubuntu 16.04

You may encounter errors with Dovecot or ClamAV (and probably other containers besides mailcow), if you run Ubuntu 16.04 with its default kernel 4.4 and Docker from the official Docker repository.

Please install the HWE kernel from the Ubuntu repository and reboot:

apt-get update
apt-get install --install-recommends -y linux-generic-hwe-16.04
reboot

Moovember Updates

The year is slowly coming to its end. We hope you will enjoy the last few weeks of the year.

Instead of writing down all commits you can already find on GitHub, we will only mention important changes or fixes dating back from the previous post until today. This mooonth's updates include:

  • Watchdog now also watches the olefy container
  • The SSL cert used by mailcow can now be split into multiple certs to overcome the 100 domains limit from Let’s Encrypt (docs). Thanks to @mhofer117
  • The web UI is now translated into Finnish 🇫🇮. Thanks to Mika
  • Rspamd has been updated to version 2.1
  • MySQL memory usage has been tuned considerably, reducing it by almost 50%, thanks to @Thomas2500
  • SOGo can now be opened via /sogo or /Sogo; both redirect the user to /SOGo
  • More images are now based on Debian Buster
  • Translations are now provided using JSON files, thanks to @tinect
  • The preset management for custom Rspamd maps has been improved by @tinect
  • Domain admins are now shown in the domain table, thanks to @heavygale
  • More API docs have been added
  • OAuth has been improved by @mkuron to work better with Nextcloud

Mootober Updates

Instead of writing down all commits you can already find on GitHub, we will only mention important changes or fixes dating back from the previous post until today.

  • Rspamd is now available in version 2.0
  • Netfilter will now ban failed Rspamd logins
  • OAuth support has been added (you can now use your mailcow as an OAuth service)
  • The quarantine shows the corresponding Rspamd symbols – thanks to @friedPotat0
  • It is now possible to download emails in .eml format from Quarantine – thanks to @friedPotat0
  • Dovecot is now rebased on Debian Buster and supports TLS 1.3
  • API docs are available via /api from your mailcow – thanks to @ntimo
  • API – thanks to @ntimo
    • Use proper status codes
    • Return 404 if route is not found
    • Only allow GET on get routes and POST on edit, del and add routes
    • Fixed issue where API session was not invalidated correctly
  • mailcow now returns a 502 status page to let you know that mailcow is not ready yet
  • Domain admins that don’t have a domain assigned now get properly deleted – thanks to @flo1212 for the report

MariaDB 10.3 rollout

We just included MariaDB 10.3. If you run ./update.sh, you will see some errors in mysql-mailcow; these are resolved by the upgrade process triggered by php-fpm-mailcow.
A SQL backup is recommended.

EN: If you have a mailcow support subscription, feel free to use the ticket system for assistance or help after a failed update.
DE: If a mailcow support package has been booked, we are happy to help with updating the mailcow installation or with any problems that arise.

Mootember updates

Sorry for the delay, mailcow was still being worked on. Time is running too fast. 🙁

Instead of writing down all commits you can already find on GitHub, I will only mention important changes or fixes dating back from the previous post until today.

Edit: Forgot to say thanks to @irgendwr for fixing XSS!

  • The GAL (Global Address List) is now enabled by default. Various actions like availability in calendars depend on it.
  • Images are prefetched on ./update.sh (`--prefetch` will only prefetch images and exit)
  • Added SOGO_EXPIRE_SESSION variable to mailcow.conf to define when a session in SOGo times out
  • Added a whitelist map for IPs in Rspamd (`data/conf/rspamd/custom/ip_wl.map`, CIDR)
  • SAL was introduced – an **optional** license with some benefits in the future. Think about basic monitoring etc. 🙂
  • Various XSS fixes by @patschi and @irgendwr – thanks!
  • Some services were finally ported to Py3 – thank you @zkryakgul! Also thank you for exposing your policyd password in your commit; we will take care of it.
  • Added a bad word list that only triggers when mail is received from a fishy TLD (yes, that's a new map, too)
  • You can now allow a mailbox to send from an external domain or only a defined set of mail addresses (edit a mailbox to find this feature)
  • @christianbur forces me to update the images more regularly, thank you.
  • Various fixes and changes in mailcow UI
  • Solr is now exposed to 127.0.0.1:18389 by default; you can set up a reverse proxy to browse its fancy UI – do not expose it to the internet!
  • I broke the anonymize headers, again. @iiegn and @patschi pointed it out, thanks!

Attention for Ubuntu 18.04 users: Kernel 4.15.0-60 causes kernel panic

This is a short heads-up for users running their mailcow instance on Ubuntu 18.04: Do NOT upgrade to kernel 4.15.0-60 as of now!

Based on various user reports and more extensive testing, this specific kernel release triggers a kernel panic and crashes your server. So far we have been able to figure out that this is related to setting a nameserver explicitly in the docker-compose.yml file (which isn't new in our code). For some strange reason this commit/hotfix fixes the crashes so far.

You can track the progress for this issue here. However, please keep in mind that this is only a warning for our Ubuntu users, as there's currently no final fix available yet. We've also filed an Ubuntu bug report already.

Update on 5th September: The issue was confirmed as a valid kernel bug and is already fixed by the Ubuntu team, see the Launchpad issue here. However, there’s no ETA when the new kernel update will be released.

Update on 11th September: The new fixed kernel image 4.15.0-62.69 was released on 9th September.

Security, security and security

So what happened the last few days and weeks? You guessed it! Some important security updates!

To sum it up:
– Critical: A Dovecot security issue was fixed which can lead to private information leakage and remote code execution. Read more here.
– ClamAV got updated to v0.101.4 to address a zip bomb vulnerability. Read more here.
– A few XSS vulnerabilities in the mailcow UI were fixed.
– Besides the security fixes, more mail server blacklists and spam rules were added to improve spam detection.

An update of your mailcow instances is strongly recommended and should be done as soon as possible. Updating is possible as usual by executing the update script.

(Telegram users might be wondering: Yes, this is indeed a cross-post from my Telegram News post a few days earlier.)

Update your HTTP to HTTPS redirection and mailcow to prevent acme-mailcow HTTP verification failures

Hi,

Please see the updated reverse proxy docs and adjust your site.conf (only if you are not using a reverse proxy!).

An older draft of the docs excluded autoconfig from the redirection, so older setups may still have two server blocks at the top of that file. This is obsolete and needs to be changed! The old version is linked below for reference; it is wrong!

Correct and new: https://mailcow.github.io/mailcow-dockerized-docs/u_e-80_to_443/
Wrong and old: https://github.com/mailcow/mailcow-dockerized-docs/blob/cdf1a436ca904186d78e391bab71f2747af2a1af/docs/u_e-80_to_443.md

Please also update mailcow or at least acme-mailcow (make sure you use at least v1.60).

June updates

For commercially used mailcows, please consider buying a support subscription or help to keep mailcow alive by donating. 🙂

ONCE AGAIN A BIG THANKS TO ALL CONTRIBUTORS!

Important changes

  • Thanks to @c-rosenberg we integrated olefy into mailcow for macro scanning. It is skipped for authenticated users.
  • Quarantine can now be configured to remove old items.
  • *.autoconfig is back as part of default SANs in the certificate acquired by “acme-mailcow”.
    IMPORTANT: The certificate request will fail, if you copied the site config from our previous HTTP -> HTTPS redirect docs! Please update your site config (see here), make sure to remove the autoconfig block (see here).
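The point made in this item and in the later post "Update your HTTP to HTTPS redirection and mailcow to prevent acme-mailcow HTTP verification failures" is that the plain-HTTP redirect must not carve out the autoconfig hosts into a separate server block, because every name in the certificate's SAN list has to be able to answer the ACME HTTP-01 challenge over port 80. The following nginx site config is an added illustration of that pattern; it is not the snippet from the mailcow docs and not a file shipped by the project. The listen ports, the challenge webroot path and the server name are assumptions.

```nginx
# Added example (not the mailcow docs' snippet, not project code): a single
# catch-all plain-HTTP server block. Everything is redirected to HTTPS except
# the ACME HTTP-01 challenge path, which stays reachable over port 80 for every
# host name, autoconfig.* included.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Catch-all: this one block must answer for every SAN in the certificate.
    # Do not add a second server block that excludes autoconfig.* hosts from
    # the redirect; that is the obsolete layout the posts warn about.
    server_name _;

    # ACME HTTP-01: serve challenge tokens as plain text from the directory
    # the ACME client writes into (assumed path).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;          # assumption: challenge webroot
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS. $host preserves the requested name, so
    # autoconfig.example.org lands on the matching HTTPS virtual host.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading nginx, a useful check from outside the host is a HEAD request against the challenge path and against the site root (for example with `curl -sI`): a request for http://mail.example.org/.well-known/acme-challenge/probe should answer 404 rather than 301, while http://mail.example.org/ should answer 301 to the HTTPS URL. Repeat the first request for an autoconfig.* name; if it returns a redirect or a connection error, the certificate request for that SAN will fail.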

Summary

[ACME] Autoconfig is back (re-added to SAN list by default for all mail domains)
[ACME] Better HTTP verification
[ClamAV] Fix missing exit code var, fixes #2746
[ClamAV] Update to 0.101.2
[Dovecot] Fix cleanup of old quarantine items, fixes #2721
[Dovecot] Rename sieve_after to global_sieve_after and create a global_sieve_before file
[Dovecot] Run cronjob at 4:15 AM to remove max aged quarantine items (default: 365 days)
[Dovecot] Fix permissions of console
[Helper] Omit the verbose option for gzip in the backup script
[Netfilter] Keep musl-dev, update pip
[Netfilter] Remove unused files after installation
[Netfilter] Set some f2boptions to int
[Olefy] A new container is born, thanks to @c-rosenberg
[PHP-FPM] Add exif module
[PHP-FPM] Add Q_MAX_AGE key and set to 365 days if missing
[PHP-FPM] Update PHP and some modules
[Postfix] Add UA header check, not enabled by default
[Postfix] Create resource maps
[Postfix] Remove authed user from header
[Postfix] Remove duplicate proxy read maps, add resource maps
[Rspamd] Added comment to composite
[Rspamd] Add OLEFY_MACRO symbol
[Rspamd] Add oletools via olefy, big thanks to @c-rosenberg
[Rspamd] Increase OLEFY_MACRO score
[Rspamd] Less aggressive bayes
[Rspamd] Remove authenticated user from auth results header
[Rspamd] Sign ARC inbound, thanks to @Kraeutergarten
[Update] Add missing WATCHDOG_NOTIFY_BAN update option
[Update] Check if file is tracked before running git rm
[Update] Hide error when running git rm on old worker passwd file
[Update] Remove controller passwd file from index
[update.sh] Rename enable_ipv6 option
[Watchdog, Config] Added WATCHDOG_NOTIFY_BAN to disable IP ban notifications
[Watchdog] Fix broken mail with more than one rcpt in some cases
[Watchdog] Fix for fix for wrong mails
[Watchdog] Minor text changes and send whois report of banned IP
[Watchdog] Send mail when IP was banned
[Web] Allow to set max_age for quarantine items
[Web] Fix BCC error message
[Web] Fix lang strings for sieve paths and sieve flow
[Web] Fix SPF link
[Web] Generate readable passwords
[Web] Increase db version
[Web] Show resource alias