By the way: We update the code on a regular basis, you do not need to wait until we post these overviews. 🙂

Important changes for all cows

  • Please contact me, if you want to share your spam with mailcow => info@servercow.de
  • We sponsored some changes to SOGo including HTML5 notifications and, as you may have seen, new folder indicator icons
  • We found old unnamed Docker bridges from older mailcow versions on various systems and now remove them via update.sh
  • mailcow speaks Romanian! Thanks to @Razvan0925!
  • Initial HAProxy endpoints via helper-scripts/docker-compose.override.yml.d/HAPROXY/docker-compose.override.yml (WIP)
  • The footer is ROT13 encoded/rotated and parsed via JS

There are many more useful changes, please see the list below. I could not decide between important and less important this time. Many changes are quite useful or simply important bug fixes. So: update time!

A BIG THANK YOU to all supporters! Thank you so much for keeping mailcow alive. 🙂
Another BIG THANK YOU goes out to all contributors!

Changes (please also see the commit history)

[ACME] Add DIRECTORY_URL for custom directory URLs
[ACME] Filter containers by compose project name
[ACME] Fix directory URL
[API] Removed api_blueprint docs and use swagger (#3595)
[Backup] Make delete-days delete only files with mailcow-* in backup location (#3609)
[Backup] Speed up Gziping of backup (#3623)
[ClamAV] Update to 0.102.3
[Clamd] Pass version as ARG
[Compose] Fix dependency loop
[Compose] Images updates, added COMPOSE_PROJECT_NAME to some containers
[Compose] Update Dovecot, add networks to PHP-FPM
[Config] Allow CIDR notation for API_ALLOW_FROM (#3655)
[Config] Check port 25 and use smtp protocol to check postfix certificate. Fixes #3636 (#3637)
[Config] Minor: Move line to correct place
[Config] Remove comment about cidr for api_allow
[DockerAPI] Show queue item content via postcat
[DockerAPI] Update image
[Dovecot] Filter by compose project name, create trusted map for SOGo IP, run DNS check before starting service
[Dovecot] Fix invalid rcpt when no bcc is set, fixes #3576
[Dovecot] Include SOGos IP as trusted
[Dovecot] Increase sieve actions and redirects to 100/101
[Dovecot] Quarantine: add increment of count to prevent infinity loop (#3591)
[Dovecot] Specify Dovecot version in case of errors with new versions
[Dovecot] Update Dovecot
[Feature] Add HAProxy listeners and an example override file
[Git] Add ignore
[Helper] Fix expiry-dates.sh
[Helper] Fix mariadb restore when "all" is selected, thanks to @takigama
[Helper] expiry-dates.sh to check expiry dates
[MySQL] Slightly more resources
[Netfilter] Fix Netfilter image
[Nginx] Mark script executable
[Nginx] Mark script not executable
[PHP-FPM] Add bcmath and GMP
[PHP-FPM] Add pspell
[PHP-FPM] Filter containers by compose project name
[PHP-FPM] Fix missing aspell lib, update Redis lib, fixes #3675
[PHP-FPM] Minor changes to prepare routine
[PHP-FPM] Update image to include CIDR fix via mailcow.conf
[Postfix] Disable SMTPUTF8 in Postfix because Dovecot-LMTP does not support it (#3680)
[Postfix] Fix "disallow login": A catch-all will not catch mail for mailboxes with disallowed login
[Postfix] Remove obsolete comment
[Postfix] Remove obsolete setting smtpd_use_tls. (#3548)
[Postfix] Remove smtpd_tls_CAfile, fixes #3589
[Postfix] Set smtp_address_preference to any (#3561)
[Postfix] Test DNS against mailcow.email
[Quarantine] Allow to redirect all quarantine messages to a specific address
[Web] Minor changes to quarantine UI
[Rspamd] Add hint to composite, minor
[Rspamd] Add urlhaus map to rspamd (#3683)
[Rspamd] Change whitelisted senders map from prefilter to score -2050
[Rspamd] Changes to WHITELISTED_FWD_HOST composite handling
[Rspamd] Consistent LOCAL_CONFDIR
[Rspamd] Do not exclude fwd hosts from dmarc checks
[Rspamd] IP WL is no more a prefilter to prevent unsigned mail
[Rspamd] More bulk headers
[Rspamd] More excludes for fwd hosts, minor fix to FORGED_W_BAD_POLICY
[Rspamd] Remove spoofed unauth symbol from mails from whitelisted fwd hosts
[Rspamd] Temporarily disable over-signing, as Cyren does mark those mails as DKIM invalid (blame them, not us)
[SOGo] 4.3.2.20200803-1
[SOGo] Disable EAS when SKIP_SOGO=y
[SOGo] Disable autodiscover-json for EAS when disabled
[SOGo] SOGo does not trust self-signed or invalid certificates anymore, add temp workaround
[SOGo] Update image
[Update] Allow to skip fetching docker-compose
[Update] Check multiple IPs
[Update] IMPORTANT: Remove old and unused bridges overlapping with the new bridge name. Important for older setups running updates
[Update] Update with "ours" is not recommended
[WEB] Fixed schema for add/dkim api docs
[WEB] fix undefined elements (#3651)
[Watchdog] Filter containers by compose project name
[Watchdog] Fix a Dovecot error message
[Watchdog] Less aggressive mailq alerting
[Watchdog] Minor change to Dovecot health check
[Watchdog] Send mails with priority 1
[Watchdog] Update compose file, update image
[Watchdog] Watch mail queue (added inexpensive check via "find" instead of adding an API endpoint to dockerapi-mailcow)
[Web] Add PHPMailer to quarantine file
[Web] Add SMTP rcpt to qitems, filter invalid addresses
[Web] Add hint to disallowed login string
[Web] Add hint to disallowed login string
[Web] Add password generator to domain admin and admin modals
[Web] Add sieve template, thanks to @Programmierus
[Web] Add smtp and header from to quarantine items, add more info to qhandler, allow to open qhandler links from qitem details
[Web] Added spam-score api docs (#3608)
[Web] Allow activation of own S/MIME Certificates in iOS configuration profile (#3622)
[Web] Allow mins_interval of max 1 month for sync jobs, fixes #3642
[Web] Allow underscore and hyphen in DKIM selector (#3643)
[Web] Change c_o to varchar 500
[Web] DNS: add link for downloading zonefile (WIP) (#3633)
[Web] Delete log lines containing ratelimit hash key when removing rate limit hashes from db
[Web] Disallow blacklisting of some special networks
[Web] Disallow web UI login, when domain is disabled
[Web] Expand IPv6 addresses for better comparison
[Web] Feature: Allow to view mailq item content via postcat
[Web] Fix PHPMailer, minor style change for quarantine rcpts
[Web] Fix Rspamd not drawing
[Web] Fix a bug that failed to edit Alias by address (#3574)
[Web] Fix duplicating DKIM keys: Duplicated keys were invalid, fixes #3578
[Web] Fix stupid mistake, thanks to @ntimo!
[Web] Fix symbol options encoding in rspamd item view
[Web] Fix transport password form size
[Web] Fix: show success message after quarantine action
[Web] Hide mobileconfig with DAV when SOGo is disabled
[Web] Improve SPF checks
[Web] Many language updates, THANK YOU!
[Web] Merge same notification types
[Web] More secure compose project name check
[Web] ROT13 footer html
[Web] Scroll admin tables
[Web] Shorten and sanitize downloaded file names, fixes too long file names in Firefox
[Web] Show textarea for queue item
[Web] Show transport password when editing a transport
[Web] Some minor changes to Aliases handling (#3572)
[Web] Update API docs
[Web] Update PHPMailer
[Web] Update libs
[Web] Update filename when downloading
[Web] Updated Yubico.php to v2.7 (#3535)
[Web] change autocomplete-behaviour on some forms
[Web] Clean PHP code by removing unused variables (#3646)

1. Identity management

inverse.ca did a great job implementing a new identity management.

By default, a user will – as always – see their aliases in a list to choose from:

In the “Email” -> “IMAP” preferences of SOGo, we can now create a custom identity for all associated alias addresses we created in mailcow UI and even set them as default:

Back in the email compose window we can now find the new default identity with our custom “From” header field preselected (if you don’t select it as default, it will obviously only show up as optional, selectable identity):

2. Indicator for expandable folders

By the way: We update the code on a regular basis, you don’t need to wait until we post these overviews. 🙂
 
 

Important changes for all moo cows

  • Please contact me, if you want to share your spam with mailcow => info@servercow.de
  • Elements blocked by blacklists via UI will not enter the quarantine
  • WIP and to be considered beta: Disable SOGo via “SKIP_SOGO” in mailcow.conf
  • API access can now be limited to CIDR notations
  • You can now disallow logins for mailboxes (int value 2 instead of 0 for inactive or 1 for active)
  • We do now log the matched string in netfilter-mailcow for bans instead of the regex
  • Allow to relay only non-local mailboxes
  • Rspamd 2.5
  • Remove policy checks from SPOOFED_UNAUTH, since SPF can be valid in envelope from, while forging the header from field
  • Show last IMAP and POP3 logins, toggle via vars.inc.php SHOW_LAST_LOGIN

 
 
A BIG THANK YOU to all supporters! Thank you so much for keeping mailcow alive. 🙂
Another BIG THANK YOU goes out to all contributors!
 
 

Changes (please also see the commit history)

[CI] New prepare-tests job
[CI] Update hmac
[Compose] Add WATCHDOG_MYSQL_REPLICATION_CHECKS to compose
[Compose] Update Dovecot to implement #3428 by @feldsam
[Compose] Update PHP and netfilter
[Config] Add API_KEY_READ_ONLY
[Config] Add hint to not use some ports mentioned in the docs
[Config] Allow to disable SOGo (unsupported, experimental)
[Config] CIDR API_ALLOW_FROM only allowed via API
[Dovecot] Fix imapsync_cron
[Dovecot] Implement disallowed logins
[Dovecot] Quarantine template: added username variable
[Dovecot] Quarantine template: css for mobile devices (#3520)
[Dovecot] Quota template – colored bar based on % (#3525)
[Dovecot] Set repl health on start
[Dovecot] Syslog-ng match fixes
[Dovecot] WIP: Read env vars for cronjobs from prepared file
[Dovecot] fix error redirection at doveconf (#3500)
[Helper] Added name to backup and restore containers (#3477)
[Helper] Create tar archives for SQL backups
[Helper] Fix for numbers in compose project name
[Helper] Remove useless rsync
[Helper] Some minor improvements
[Helper] backup fixes
[Netfilter] Log matching string instead of regex
[Netfilter] Python 3.8 – SyntaxWarning for ‘is not’ (#3537)
[Nextcloud] Update helper
[Nextcloud] Updated site
[Nginx] Drop X-Powered-By via fastcgi_hide_header
[PHP-FPM, Config] API key generated via mailcow.conf has rw access
[PHP-FPM] Add API_KEY_READ_ONLY generation
[PHP-FPM] Increase timeouts
[PHP-FPM] Update some libs
[PHP-FPM] Update to PHP 7.4
[Postfix] Allow to relay only non-local mailboxes
[Postfix] Do not log tls sni maps errors from connections initiated by mailcow checks
[Postfix] Implement disallowed logins
[Rspamd] Add metadata exporter for unauthed mail
[Rspamd] Add more bulk headers
[Rspamd] And even more spam headers
[Rspamd] Block more “Promio” spam crap
[Rspamd] Disable upstream checks for SIEVE_HOST
[Rspamd] Fix quarantine and pushover notifications
[Rspamd] Increase bulk header score
[Rspamd] More spam headers
[Rspamd] Various Pushover fixes
[Rspamd] Quarantine notifications – don’t send if sender is blacklisted (#3428)
[Rspamd] Quarantine notifications – exclude blacklisted sender (#3446)
[Rspamd] Quarantine release – fix when sender is empty (#3445)
[Rspamd] Remove policy checks from SPOOFED_UNAUTH, since SPF can be valid in envelope from, while forging the header from field
[Rspamd] Remove upstream spam check results from mail by fwd hosts
[Rspamd] Restore add header forced action (#3440)
[Rspamd] Score spoofed senders higher
[Rspamd] Set bounce RL to 25 / 1h ; Fix BAZAR (test)
[Rspamd] Slightly reduce BAD REP POL score
[Rspamd] Use empty-env-from@localhost as placeholder for empty env from senders in quarantine
[Rspamd] v2.5
[SOGo] Allow to not spawn SOGo but an idling shell
[Update] Check multiple IPs in update.sh to verify connection
[Update] Validate docker-compose stack config before updating
[Update] added --force mode to update script (#3453)
[Watchdog] Add WATCHDOG_MYSQL_REPLICATION_CHECKS, minor fix
[Watchdog] Watch replication, if any (unsupported)
[Web, Dovecot] Show last IMAP and POP3 logins, toggle via vars.inc.php SHOW_LAST_LOGIN
[Web] 2-digit dates for @patschi
[Web] Add domain statistics
[Web] Allow CIDR as allowed API networks; other minor fixes
[Web] Allow ratelimit time frame “day”; Allow to create announcements
[Web] Allow to split DKIM every 255 chars via vars.inc.php (fixes #3473)
[Web] Always scroll tables
[Web] Async Rspamd graph loading to prevent races (todo: changeme)
[Web] CSS fixes; Add OAUTH2_FORGET_SESSION_AFTER_LOGIN to vars.inc.php (wip); Do not run initdb on non-master cow
[Web] Date formats
[Web] Decrease footer top margin
[Web] Disable login for mailbox users, other SKIP_SOGO checks and fixes
[Web] Do not try to update sogo static view with skip_sogo y
[Web] Do not use EAS for Outlook by default
[Web] Encode footer, decode via JS
[Web] Fix U2F authentication, fixes #3468
[Web] Fix logout after oauth2 (if enabled)
[Web] Fix oAuth logout after authentication (if enabled)
[Web] Fix time limited alias creation via API, thanks to @ntimo
[Web] Fix typo and missing Dovecot restart function (fixes #3466)
[Web] Fixed DKIM regex to allow arguments after the public key (#3462)
[Web] Fixed read write API permissions (#3465)
[Web] Fixes blank page and fixes #3502
[Web] Minor change to app buttons, fixes ugly multi-button panel
[Web] Various fixes
[Web] Remove External as standard subfolder for sync jobs
[Web] Disallow a domain admin to set intersecting user ACLs
[Web] Allow Pushover and SOGo EAS cache reset by default, disallow profile reset by default
[Web] Remove sidebars from admin panel, add dropdowns
[Web] Restart Dovecot when changing global sieve filters, add a warning
[Web] Set appointment c_uid to varchar(1000), fixes errors with Caldavsynchronizer
[Web] Show label for relayed domains; Return total bytes and msgs of domain in API (WIP)
[Web] Show warning, when domain exhausted and only an unlimited mailbox could be created
[Web] Translation updates (THANKS!!!)
[Web] Updated Yubico.php to v2.7 (#3535)
[Web] Various language fixes (and sorting), Pushover lang fixes
[Web] r/o API keys, Pushover integration (can be limited by ACL), other minor changes

Did you know?

You can save the mailcow community as PWA on your smartphone.

Community PWA

Some people are afraid of the update process, even though it is a very easy and stable routine.

Even pretty old installations update just fine.

If you think an update may break your installation, contact me, André, at info@servercow.de.

\o/ Update all cows.

By the way: We update the code on a regular basis, you don’t need to wait until we post these overviews. 🙂
 
 

Important changes for all moo cows

  • A mailcow fuzzy storage! Please contact me, if you want to share your spam with mailcow => info@servercow.de – fair-use, please.
  • Netfilter does now log the matched regex (finally).
  • Global sieve filters can be modified using the UI.
  • We score CSA crap relatively high now (X-CSA-* headers).
  • We do now use mariabackup for a fully-consistent backup of the SQL data directory. We will write the data to a tar archive in the future (see open issues).
  • Redis is now exposed to 127.0.0.1:7654 (FYI, has no further use in default setups).
  • We disabled TLS 1.0 and 1.1 for authenticated channels. We made a post about how to re-enable old protocols a few weeks ago.

 
 
A BIG THANK YOU to all supporters! Thank you so much for keeping mailcow alive. 🙂
Another BIG THANK YOU goes out to all contributors!
 
 

Changes (please also see the commit history)

[ACME] Force renewal with force_renew file, docs will follow
[ACME] Restart Postfix, reload seems not to work all the time
[ACME] Use redis master for write operations
[ACME, Watchdog] Improve waiting for Redis
[Rspamd] Add mailflowmonitoring.com to no_log in Rspamd
[SOGo] Sort aliases (#3386)
[ClamAV] Add specific db mirrors
[Compose] A few updated images, REDIS_SLAVEOF_IP, REDIS_SLAVEOF_PORT and MASTER (not yet supported or documented)
[Compose] Update SOGo and ACME [ACME] SKIP IP check for SNAT’ed setups to workaround race conditions
[Dovecot] Add auth_passdb_lookup to LUA, add default plugins for replicator, check if master, add node to GUID creation, use correct syslog-ng config if Redis write-master is not
[Dovecot] Fix check to determine running imapsync procs, todo: more jobs at the same time
[Dovecot] IMPORTANT: Disabling TLS 1.0 and 1.2 – welcome to 2020
[Dovecot] LUA: Passdb: Reconnect to SQL if connection was lost
[Dovecot] Set replicator options by default – unused, no support or docs as of today
[Dovecot] Show last mail (pop3, imap) login in web interface
[Dovecot] Wait for versions table instead of failing and restarting
[Git] Add last_login to gitignore
[Git] Ignore global sieve scripts (BUT: Scripts may be forcefully overwritten, when new features are added, that depend on a given change on global sieve maps)
[Helper] Use mariabackup for SQL
[Netfilter] Log matched regex
[Netfilter] Use Redis master if set
[Nginx] Add proxy_send_timeout and proxy_read_timeout of 300 to /SOGo
[PHP-FPM] Check if master, write to Redis master only
[PHP-FPM] Do not use Redis for session handling
[PHP-FPM] Fix permissions for global maps
[PHP-FPM] Update libs, add gnupg
[Postfix] Added custom_postscreen_whitelist.cidr for a custom Postscreen wl, fixes #3313
[Postfix] Add hooks
[Postfix] IMPORTANT: Disabling TLS 1.0 and 1.1 for submission and smtps
[Postfix] Remove default rcpt count limit
[Postfix] Remove duplicate COPY from Dockerfile, fixes #3397
[Postfix] Set empty HELO restrictions for quarantine smtpd
[Postfix] Use Redis master if set
[Rspamd] Add fuzzy hashes to headers, if matched
[Rspamd] Add mailcow fuzzy hash store
[Rspamd] Add X-CSA to bulk headers
[Rspamd] Add X-Last-TLS-Session-Version header
[Rspamd] Disable 304 until SOGO_CONTACT triggers an update, needs rework
[Rspamd] Fix neural.lua
[Rspamd] Forced action add header seems to be broken atm, switching to rewrite subject until fixed
[Rspamd] Move monitoring hosts to monitoring_nolog.map file
[Rspamd] Quarantine: Set sender to null@localhost when sender is missing
[Rspamd] Reduce CSA crap to 2.0
[Rspamd] Reduce Sorbs recent score
[Rspamd] Add annoying CSA to bulk symbols and score them with 3.2
[Rspamd] Update to v2.4
[Rspamd] Set fixed name for fuzzy store
[Rspamd] Set Redis slaveof if not master, adjust redis configs automatically
[Rspamd] Use redis master for RL operations in pipe_rl
[Rspamd, Web] Escape monitoring hosts, add regex maps to vars file
[SOGo] Auto-backup user data to sogo-userdata-backup-vol-1 daily, keep one backup
[SOGo] Check if master, only run DB prep if master, use correct syslog-ng config if not master
[SOGo] Cronjob for SOGo user data backup
[Update] Add --skip-start switch, implements #3317
[Update, Config] Add Redis to exposed hosts
[Update] Display git diff save message only when local changes exist (#3351)
[Update] Make sure containers are gone before updating mailcow
[Update] Save git diff only when local changes exist (#3350)
[Watchdog] Define thresholds in docker-compose(.override) file
[Watchdog] Send 10 last applied ratelimits in mail report
[Watchdog] Use Redis master for write operations
[Web] Added hint where api docs can be found (#3335)
[Web] Add icon to indicate relayed domain
[Web] Add latin-ext to PT Sans font #3018 (#3333)
[Web] Add missing maps
[Web] Add slovak language (#3387)
[Web] Allow empty bcc when saving quarantine settings, fixes #3363
[Web] Allow to change page size in table header for /mailbox tables
[Web] Allow to set global sieve filters
[Web] Allow to skip IP check for API
[Web] Check smtp_tls_policy_map destination (more checks should be added)
[Web] Fix button order, thanks to @dragoangel
[Web] Fix cow level, sorry 🙁
[Web] Fix data type for port1 in imapsync
[Web] Fix DNS check for relayed domain
[Web] Fix mail validation for quota sender address
[Web] Fix quarantine view and add missing lang string
[Web] Fix selection bug (reproduce: select an item, select all, deselect all, click an action and find previously selected items)
[Web] Fix sieve example insert
[Web] Fix sv lang
[Web] Fix tooltips in quarantine
[Web] Fix transport validation, thanks to Gideon!
[Web] Further work to improve the swedish translation and sentence structure to improve general quality, in context to Mailcow functions (#3396)
[Web] Implement table size to quarantine, implements #3325
[Web] Keep modal data when adding a sync job
[Web] Add hint to disable TFA instead of deleting last key
[Web] Prefer sieve redirects: adjust lang files
[Web] Replace rtrim by preg_replace to fix transport checks
[Web] Set desc == domain name, when desc is empty, implements #3341
[Web] Some more quarantine lang strings
[Web] Unlearn spam if released from quarantine, implements #3327
[web] Update lang.sk.json
[Web] Use redis master where necessary, hide UI if not master, create replicate quota2 table

I did not check a PR sufficiently and merged an `auto = subscribe` for Swedish folder names.

If you updated between ~ GMT 06:00 AM and GMT 10:00 AM, please update again and delete the new folders that might have appeared.

I will check PRs more thoroughly in the future.

How to remove these folders?

# UPDATE! Update your mailcow to make sure, the subscriptions do not return.
docker-compose exec dovecot-mailcow doveadm mailbox unsubscribe -A "Skräp" "Borttagna Meddelanden" "Arkiv" "Arkeverat" "Skickat" "Skickade Meddelanden" "Utkast"
docker-compose exec dovecot-mailcow doveadm mailbox delete -A "Skräp" "Borttagna Meddelanden" "Arkiv" "Arkeverat" "Skickat" "Skickade Meddelanden" "Utkast"

André

Hi,

The fuzzy storage is now enabled in mailcow, so please update your cows.

Please contact me, André, at info@servercow.de, if you want to share your spam mail with us. Old, unused domains with a high spam rate are very welcome!

There are a lot of other cool changes. We will create a new post for these soon!

André

Today we disabled the deprecated protocols TLS 1.0 and 1.1.

Unauthenticated mail via SMTP on port 25/tcp still accepts TLS 1.0 and newer. It is better to accept weak encryption than none at all.

How to re-enable weak protocols?

nano data/conf/postfix/extra.cf

submission_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

nano data/conf/dovecot/extra.conf

ssl_min_protocol = TLSv1

Restart the affected services:

docker-compose restart postfix-mailcow dovecot-mailcow

Hint: You can enable TLS 1.2 in Windows 7.
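
To find hosts where the weak protocols were re-enabled as described above and never switched back, the two override files can be checked directly. The script below is an added example, not part of the original post or of mailcow itself; it reads the files and settings named above, its function names are hypothetical, and the sample file contents it writes are constructed.

```sh
#!/bin/sh
# Added example: flag mailcow override files that re-enable TLS 1.0/1.1.
# File paths and setting names are the ones on the page; the contents
# written by make_sample_tree are constructed for the demonstration.

# Print the last value assigned to key $2 in "key = value" file $1
# (a later assignment overrides an earlier one). Prints nothing if unset.
conf_value() {
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Exit status 0 if a Postfix protocol list still permits TLS 1.0 or 1.1.
postfix_allows_weak() {
    # One token per line: the list is separated by commas and whitespace.
    tokens=$(printf '%s\n' "$1" | tr ', \t' '\n\n\n' | sed '/^$/d')
    # A floor of TLSv1.2 or newer (Postfix 3.6+ syntax) excludes both.
    if printf '%s\n' "$tokens" | grep -Eq '^>=TLSv1\.[23]$'; then
        return 1
    fi
    printf '%s\n' "$tokens" | grep -qx '!TLSv1' || return 0
    printf '%s\n' "$tokens" | grep -qx '!TLSv1\.1' || return 0
    return 1
}

# Print one line per weak override found under mailcow directory $1.
# Settings that are absent from the override files are not reported.
audit_mailcow_tls() {
    for key in submission_smtpd_tls_mandatory_protocols \
               smtps_smtpd_tls_mandatory_protocols; do
        val=$(conf_value "$1/data/conf/postfix/extra.cf" "$key")
        if [ -n "$val" ] && postfix_allows_weak "$val"; then
            echo "WEAK postfix: $key = $val"
        fi
    done
    val=$(conf_value "$1/data/conf/dovecot/extra.conf" ssl_min_protocol)
    case $val in
        SSLv3|TLSv1|TLSv1.1) echo "WEAK dovecot: ssl_min_protocol = $val" ;;
    esac
}

# Build a temporary tree holding the weak overrides shown on this page
# (constructed sample) and print its path.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/data/conf/postfix" "$dir/data/conf/dovecot"
    printf '%s\n' \
        'submission_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3' \
        'smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3' \
        > "$dir/data/conf/postfix/extra.cf"
    printf '%s\n' 'ssl_min_protocol = TLSv1' \
        > "$dir/data/conf/dovecot/extra.conf"
    echo "$dir"
}

# Demonstration on the constructed sample; point audit_mailcow_tls at a
# real mailcow directory to check an installation.
sample=$(make_sample_tree)
audit_mailcow_tls "$sample"
rm -rf "$sample"
```

An empty result means neither override file lowers the protocol floor; it does not inspect the running containers, so restart the services after changing the files.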