Updates, updates, updates…

Important changes

  • Maildir encryption is enabled by default! Back up “crypt-vol-1”! If you lose or delete this key, you lose your mail; there is no way to recover it.
    bash helper-scripts/backup_and_restore.sh backup crypt
    
  • Deleted mailboxes and domains will be moved to /var/vmail/_garbage and cleaned up after $MAILDIR_GC_TIME minutes; the collector runs hourly
  • Rspamd controller password change commands are now piped to bash to hide them from process lists
  • Docker API now uses a self-generated key pair
  • Unbound logging is finally fixed
  • “unbound-control” was made available
  • Peer Heinlein allowed us to use their SA rules, many thanks!

Summary

[Update] Add MAILDIR_GC_TIME
[Postfix] Increase default message size limit to 100 MiB
[Rspamd] Add desc to high spam networks
[Rspamd] Ignore custom files, but keep bad asn map
[Rspamd] Fix permissions of controller password file
[Rspamd] Place socket in _rspamd home and fix permissions
[Rspamd] Ignore sa-rules-heinlein file, remove from index
[Unbound] Fix logging, fixes #585
[Unbound] Enable unbound-control
[Docker API] Use TLS encryption for communication with “on-the-fly” created key pairs (non-exposed)
[Docker API] Create pipe to pass Rspamd UI worker password
[Dovecot] Do not query gid and uid
[Dovecot] Pull Spamassassin ruleset to be read by Rspamd (MANY THANKS to Peer Heinlein!)
[Dovecot] Garbage collector for deleted maildirs (set keep time via MAILDIR_GC_TIME which defaults to 1440 minutes)
[Dovecot] Encrypt maildir with global key pair in crypt-vol-1 (BACKUP!), also fixes #1791
[Dovecot] Check garbage hourly
[Dovecot] Update SA rules once when container starts
[Web] Flush memcached after mailbox item changes, fixes #1808
[Web] Fix duplicate IDs, fixes #1792
[Web] Fix deletion of spam aliases
[Web] Do not exit loop on fuzzy errors when learning a message as spam
[Compose] Use SQL sockets
[Compose] New images for Rspamd, PHP-FPM, SOGo, Dovecot, Docker API, Watchdog, ACME, Postfix
[Compose] Update Unbound image and set tty true
[Compose] Remove volume for Rspamd socket
[PHP-FPM] Update APCu and Redis libs
[Helper] Add “crypt” to backup script
[Helper] Override file for external SQL socket (not supported!)

ACL and ';--have i been pwned?

Hi,

I would love to get some feedback on the ACL implementation. If you find bugs etc., please let us know @ GitHub.

There is some info in the docs => https://mailcow.github.io/mailcow-dockerized-docs/model-acl/ – they still need more updates.

One improvement I see is to hide the divs completely and/or deny access to the functions' ‘get’ methods. Let us know on Freenode, #mailcow.

Thanks for the idea to integrate haveibeenpwned.com, I like it! Sorry to haveibeenpwned.com for playing with it and trying a bunch of old passwords, I hope I didn’t hammer your API too much. 🙂

For your information: Your password is never sent to their API!
We only query the API with the first 5 characters of the SHA1 hash of the current input field's value (generated in your browser, not server-side) and check the response for matches of the full hash, which never leaves your browser.

André

Updates and two important fixes

We just fixed SOGo theme switching again. There is a chance we did it, I promise…

Knight1 made us aware of a critical bug that led to mailcow accepting custom X-FORWARDED-FOR headers. This bug was introduced with the last update.
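The general rule behind that class of bug, as an added illustration rather than mailcow's actual fix: an X-Forwarded-For header is client-controlled unless the TCP peer is a proxy you run, so it may only be honoured in that case, and then only the right-most hop that is not one of your own proxies. The trusted-proxy list and function name are assumptions for the example.

```javascript
// Added illustration (not mailcow's code): resolve the client IP without
// trusting a spoofable X-Forwarded-For header.

// Assumption: the only legitimate proxies in front of the app are local.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

// remoteAddr: peer address of the TCP connection.
// xff: raw X-Forwarded-For header value, or undefined when absent.
function clientIp(remoteAddr, xff, trusted = TRUSTED_PROXIES) {
  // A direct (non-proxy) peer can write any header it likes: ignore it.
  if (!trusted.has(remoteAddr) || !xff) return remoteAddr;
  // Each proxy appends the peer it saw, so the right-most address that is
  // not one of our proxies is the one our proxy actually talked to; anything
  // further left was supplied by the client and is untrusted.
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return remoteAddr;
}

module.exports = { clientIp, TRUSTED_PROXIES };
```

The important case is the first return: a connection that did not come through your proxy keeps its real peer address, however convincing the header it sends looks.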

Important change: We disabled “any” and “all authenticated” ACL settings in Dovecot and removed the box in SOGo's ACL editor (big thanks to the SOGo devs, please help them, buy a subscription!).
You can find information about how to re-enable it here.

We will add an easy way to enable your SOGo subscription soon.

Please don’t forget to support mailcow. 🙂

Updates!

Learning methods for bayes and fuzzy hashes (new) changed with today's update. I recommend running…

bash helper-scripts/reset-learns.sh

…to start over with a clean hash database.

Spam/ham is no longer auto-learned; please move mails into or out of the junk folder to train the filter, or use the new spam/ham alias target. The logging method changed slightly; more changes will follow.

A new section “mailcow UI” was added to the logs panel. IPs are logged but anonymized by default, please see ANONYMIZE_IPS in “vars.inc.php”.
Users now see their last login.

Redis logs are now trimmed by a cronjob in “dovecot-mailcow”, that will move to “watchdog-mailcow” in the future => much less hammering.

SYSCTL_IPV6_DISABLED was removed, please see the docs about how to disable IPv6.

Sync jobs are now unlocked when the job was abruptly interrupted.
Sync jobs in mailcow UI can now contain custom parameters.
Some previously hard-coded parameters were removed!
“subscribeall”, “timeout1” and “timeout2” can now be defined in the job details.
“buffersize”, “split1”, “split2”, “fastio1”, “fastio2” were removed and can be used in custom parameters.

The SOGo theme switching bug is hopefully fixed. I will probably find a better way to fix it than using “sed” to replace the hard-coded colors.

PS: If you like to, please consider supporting us. 🙂