January – Mooray, updates!

Sorry for the lack of December update news.

Important change for SAL users (see “support development” on the right sidebar)

You can now set WATCHDOG_EXTERNAL_CHECKS=y in mailcow.conf to enable an open relay check. The check is run about every minute.
In the future, you will be able to shut down Postfix whenever watchdog-mailcow detects an open relay.
Your source IP must match your mailcow IP; the check will only work with unmodified mailcows.

Important changes for all moos

  • App passwords! They work for IMAP and SMTP connections, not yet for SOGo – but we are working on it. Log in as a user to find them. You can also restrict access via ACL.
  • Do not reject .doc files per se, but reject any document that has a macro attached to it.
  • SOGo can be built using a subscription:
      sogo-mailcow:
        build:
          context: ./data/Dockerfiles/sogo
          dockerfile: Dockerfile
          args:
            - SOGO_DEBIAN_REPOSITORY=https://user:pass@packages.inverse.ca/SOGo/release/4/debian/
    
  • Sieve and Rspamd presets were improved. Create presets in data/web/inc/presets/rspamd/. Headline can be a lang string. Please feel free to add more useful presets!
  • Mail forwards and rejects were improved. Rejects are now signed, forwards are only ARC_SIGNED and remain SPF and DKIM valid.

A BIG THANK YOU to all supporters! Thank you so much for keeping mailcow alive. 🙂
Another BIG THANK YOU goes out to all contributors!
 
 

Changes (please also see the commit history)

[API] Added DKIM get route to api docs
[API] Added docs for new status api
[API] Added new status route to get some system infos
[API] Fixed api docs not being displayed correctly
[API] Make Solr API return data if Solr is enabled
[API] Update API docs with app password routes
[Rspamd] ARC remains active for forwards. Result: fully signed and trusted forwards and signed rejects in sieve.
[Rspamd] block all Office documents with macros
[CI] Added automated testing using drone (#3278)
[ClamAV] Whitelist JS in PDF – too many false-positives
[Web] Disable refresh button, while refreshing (#3199)
[Dovecot] Add map for app passwds
[Dovecot] Change LUA path
[Dovecot] Delete ham/spam hash if previously learned; change LUA script paths
[Dovecot] Drop logs
[Dovecot] Enable editheaders plugin in sieve for all users
[Dovecot] Fix app passwds: allow multiple pass hashes by using LUA construct
[Dovecot] Fix lua error when trying to escape empty domains
[Dovecot] Really strange race condition when reading an untouched LUA file on slower systems
[Dovecot] Remove CONTROL from shared namespace – thanks to @Keessaus
[Dovecot] Set BCC in quarantine notify
[Git] Ignore auto generated Dovecot LUA
[Git] Ignore whitelist.ign2
[IMPORTANT] If you run Ubuntu 16.04, upgrade your kernel to linux-generic-hwe-16.04
[Nginx] Catch case-insensitive /sogo$ request and redirect to /SOGo
[PHP-FPM] Remove useless flag for gd
[Postfix] Add bl.suomispam.net
[Postfix] Client rcpt rate limit set to 50
[Postfix] Set CA path for smtpd
[Postfix] Update Postscreen whitelist
[Rspamd] Add mailcow_networks map
[Rspamd] Allow empty envfrom for system mails, add only Dovecot to sign_networks and sign by header when sign_networks fires.
[Rspamd] allow_hdrfrom_mismatch true, auth_only false (sieve)
[Rspamd] Decrease weight of missed charset
[Rspamd] Do not normalise domains to eSLD for ARC
[Rspamd] Lower map watch interval
[Rspamd] Ratelimit for bounces reduced, max_rcpt for ratelimit increased
[Rspamd] SA trivial converter (wip)
[Rspamd] Set rspamd as trusted host, rspamd is not spoofing
[Rspamd] Split deprecated metrics.conf to actions.conf and groups.conf
[SOGo] Fix for whitespaces in mysql return; Order aliases
[SOGo] Make view more readable
[SOGo] Read build args
[SSL] fix bug with pruning old certificates (#3272)
[Update] Split metrics to actions and groups, warn if metrics is different from repo
[Web] Use main_name in the “Yubico OTP Authentifizierung” modal and in the mailbox edit modal.
[Watchdog] Add external check for open relay, requires SAL
[Watchdog] Fix ipv6 config check
[Watchdog] Retry to get current ACME log status if empty (may fix watchdog mails on very busy servers – e.g. while running a backup)
[Watchdog] Revert acme-mailcow threshold to 1
[Watchdog] smtp-cli 3.10 (yay) and a new check for IPv6 configuration problems
[Web] Add “add” button to header of table
[Web] Add missing lang strings for edit
[Web] Add more password generator links
[Web] Add more map types soon; Do not expose private key via API if hidden in vars (fixes #3231)
[Web] Add more sieve presets
[Web] Add new preset for Rspamd settings map: Only allow specific senders to send to a mailbox
[Web] Allow to set BCC for quarantine
[Web] Allow to use data/web/css/build/0081-custom-mailcow.css for ignored overrides
[Web] Better mobileconfig handling
[Web] Complain about non-email email fields
[Web] Deleted hashes previously learned
[Web] Do not show Solr and Clam status when disabled, thanks to Tina
[Web] Feature: Allow app passwords for imap/smtp, allow to set acl permission for app passwords (domain admin [when logged in as user] and user)
[Web] Finally fix solr and clam status…
[Web] Fix global maps
[Web] Fix lang.en.json
[Web] Fix policy map selection for dane
[Web] Fix quarantine for sneaky dots, also fixes #3263
[Web] Fix Solr status and sort containers
[Web] Fix some major errors in app passwds but disable app passwds due to a show stopper… todo: fix asap
[Web] Fix some transport verifications
[Web] Fix transport validation for hostnames
[Web] Generate longer passwords for app passwords
[Web] Generate longer passwords for app passwords (edit was missing)
[Web] Get all app passwd ids for a single user by using get/app-passwd/all/user@domain
[Web] Hide app passwords from logs
[Web] hide echoed var
[Web] Make mobile usage less annoying; anchors for maps; sidebar for maps
[Web] Minor style fix and re-enable app passwds
[Web] Remove “add domain” from table when not admin, fixes #3267
[Web] Remove tracking for custom-mailcow css
[Web] Revert dropup to dropdown
[Web] Revert some style changes, mobile view should be fixed/better with Bootstrap 4
[Web, Rspamd] Add bad language map, add map to mailcow UI
[Web] Show hint when SOGo admin login is enabled, fix sieve preset in API
[Web] Small adjustments to presets
[Web] Update languages
[Web] Various fixes for app passwd functions

Update your Kernel, if you are on Ubuntu 16.04

You may encounter errors with Dovecot or ClamAV (and probably other containers besides mailcow) if you run Ubuntu 16.04 with its default kernel 4.4 and Docker from the official Docker repository.

Please install the HWE kernel from the Ubuntu repository and reboot:

apt-get update
apt-get install --install-recommends -y linux-generic-hwe-16.04
reboot

Moovember Updates

The year is slowly coming to its end. We hope you will enjoy the last few weeks of the year.

Instead of writing down all commits you can already find on GitHub, we will only mention important changes or fixes dating back from the previous post until today. This mooonth's updates include:

  • Watchdog now also watches the olefy container
  • The SSL cert used by mailcow can now be split into multiple certs to overcome the 100 domains limit from Let’s Encrypt (docs). Thanks to @mhofer117
  • The WebUi is now translated into Finnish 🇫🇮. Thanks to Mika
  • Rspamd has been updated to version 2.1
  • The MySQL memory usage has been tuned to reduce it by almost 50%, thanks to @Thomas2500
  • SOGo can now be opened via /sogo or /Sogo; both redirect the user to /SOGo
  • More images are now based on Debian Buster
  • Translations are now provided using JSON files, thanks to @tinect
  • The preset management for custom Rspamd maps has been improved by @tinect
  • Domain admins are now shown in the domain table, thanks to @heavygale
  • More API docs have been added
  • oAuth has been improved by @mkuron to work better with NextCloud

Mootober Updates

Instead of writing down all commits you can already find on GitHub, we will only mention important changes or fixes dating back from the previous post until today.

  • Rspamd is now available in version 2.0
  • Netfilter will now ban failed Rspamd logins
  • oAuth support has been added (you can now use your mailcow as an oAuth service)
  • The quarantine shows the corresponding Rspamd symbols – thanks to @friedPotat0
  • It is now possible to download emails in .eml format from Quarantine – thanks to @friedPotat0
  • Dovecot is now rebased on Debian Buster and supports TLS 1.3
  • API docs are available via /api from your mailcow – thanks to @ntimo
  • API – thanks to @ntimo
    • Use proper status codes
    • Return 404 if route is not found
    • Only allow GET on get routes and POST on edit,del,add routes
    • Fixed issue where API session was not invalidated correctly
  • mailcow now returns a 502 status page to let you know that mailcow is not ready yet
  • Domain admins that don’t have a domain assigned now get properly deleted – thanks to @flo1212 for the report

MariaDB 10.3 rollout

We just included MariaDB 10.3. If you run ./update.sh, you will encounter some errors in mysql-mailcow that will be fixed by the upgrade process triggered by php-fpm-mailcow.
A SQL backup is recommended.

EN: If you have a mailcow support subscription, feel free to use the ticket system for assistance or help after a failed update.
DE: If a mailcow support package has been booked, we are happy to help with updating the mailcow installation or with any problems that may arise.

Mootember updates

Sorry for the delay, mailcow was still being worked on. Time is running too fast. 🙁

Instead of writing down all commits you can already find on GitHub, I will only mention important changes or fixes dating back from the previous post until today.

Edit: Forgot to say thanks to @irgendwr for fixing XSS!

  • The GAL (Global Address List) is now enabled by default. Various actions like availability in calendars depend on it.
  • Images are prefetched on ./update.sh (`--prefetch` will only prefetch images and exit)
  • Added SOGO_EXPIRE_SESSION variable to mailcow.conf to define when a session in SOGo times out
  • Added a whitelist map for IPs in Rspamd (`data/conf/rspamd/custom/ip_wl.map`, CIDR)
  • SAL was introduced – an **optional** license with some benefits in the future. Think about basic monitoring etc. 🙂
  • Various XSS fixes by @patschi and @irgendwr – thanks!
  • Some services were finally ported to Py3 – thank you @zkryakgul! Also thank you for exposing your policyd password in your commit; we will take care of it.
  • Added a bad word list that only triggers when mail is received from a fishy TLD (yes, that’s a new map, too)
  • You can now allow a mailbox to send from an external domain or only a defined set of mail addresses (edit a mailbox to find this feature)
  • @christianbur forces me to update the images more regularly, thank you.
  • Various fixes and changes in mailcow UI
  • Solr is now exposed to 127.0.0.1:18389 by default; you can set up a reverse proxy to browse its fancy UI – do not expose it to the internet!
  • I broke the anonymize headers, again. @iiegn and @patschi pointed it out, thanks!

Attention for Ubuntu 18.04 users: Kernel 4.15.0-60 causes kernel panic

This is a short heads-up for users running their mailcow instance on Ubuntu 18.04: Do NOT upgrade to kernel 4.15.0-60 as of now!

Based on various user reports and more extensive testing, this specific kernel release triggers a kernel panic and crashes your server. As far as we have been able to figure out, this is related to explicitly setting a nameserver in the docker-compose.yml file (which isn’t new in our code). For some strange reason this commit/hotfix fixes the crashes so far.

You can track the progress for this issue here. However, please keep in mind that this is a small warning for our Ubuntu users, as there’s currently no final fix available yet. We’ve also filed an Ubuntu bug report already.

Update on 5th September: The issue was confirmed as a valid kernel bug and is already fixed by the Ubuntu team, see the Launchpad issue here. However, there’s no ETA when the new kernel update will be released.

Update on 11th September: The new fixed kernel image 4.15.0-62.69 was released on 9th September.

Security, security and security

So what happened the last few days and weeks? You guessed it! Some important security updates!

To sum it up:
– Critical: A Dovecot security issue that can lead to private information leakage and remote code execution was fixed. Read more here.
– ClamAV got updated to v0.101.4 to address a zip bomb vulnerability. Read more here.
– A few XSS vulnerabilities in the mailcow UI were fixed.
– Besides the security fixes, more mail server blacklists and spam rules were added to improve spam detection.

An update of your mailcow instances is strongly recommended and should be done as soon as possible. Update is possible as usual by executing the update script.

(Telegram users might be wondering: Yes, this is indeed a cross-post from my Telegram News post a few days earlier.)