1. Identity management

inverse.ca did great job with implementing a new identity management.

By default, a user will – as always – see their aliases in a list to choose from:

In the “Email” -> “IMAP” preferences of SOGo, we can now create a custom identity for all associated alias addresses we created in mailcow UI and even set them as default:

Back in the email compose window we can now find the new default identity with our custom “From” header field preselected (if you don’t select it as default, it will obviously only show up as optional, selectable identity):

2. Indicator for expandable folders

By the way: We update the code on a regular basis, you don’t need to wait until we post these overviews. 🙂

Important changes for all moo cows

  • Please contact me, if you want to share your spam with mailcow => info@servercow.de
  • Elements blocked by blacklists via UI will not enter the quarantine
  • WIP and to be considered beta: Disable SOGo via “SKIP_SOGO” in mailcow.conf
  • API access can now be limited to CIDR notations
  • You can now disallow logins for mailboxes (int value 2 instead of 0 for inactive or 1 for active)
  • We do now log the matched string in netfilter-mailcow for bans instead of the regex
  • Allow to relay only non-local mailboxes
  • Rspamd 2.5
  • Remove policy checks from SPOOFED_UNAUTH, since SPF can be valid in envelope from, while forging the header from field
  • Show last IMAP and POP3 logins, toggle via vars.inc.php SHOW_LAST_LOGIN

A BIG THANK YOU to all supporters! Thank you so much for keeping mailcow alive. 🙂
Another BIG THANK YOU goes out to all contributors!

Changes (please also see the commit history)

[CI] New prepare-tests job
[CI] Update hmac
[Compose] Update Dovecot to implement #3428 by @feldsam
[Compose] Update PHP and netfilter
[Config] Add hint to not use some ports mentioned in the docs
[Config] Allow to disable SOGo (unsupported, experimental)
[Config] CIDR API_ALLOW_FROM only allowed via API
[Dovecot] Fix imapsync_cron
[Dovecot] Implement disallowed logins
[Dovecot] Quarantine template: added username variable
[Dovecot] Quarantine template: css for mobile devices (#3520)
[Dovecot] Quota template – colored bar based on % (#3525)
[Dovecot] Set repl health on start
[Dovecot] Syslog-ng match fixes
[Dovecot] WIP: Read env vars for cronjobs from prepared file
[Dovecot] fix error redirection at doveconf (#3500)
[Helper] Added name to backup and restore containers (#3477)
[Helper] Create tar archives for SQL backups
[Helper] Fix for numbers in compose project name
[Helper] Remove useless rsync
[Helper] Some minor improvements
[Helper] backup fixes
[Netfilter] Log matching string instead of regex
[Netfilter] Python 3.8 – SyntaxWarning for ‘is not’ (#3537)
[Nextcloud] Update helper
[Nextcloud] Updated site
[Nginx] Drop X-Powered-By via fastcgi_hide_header
[PHP-FPM, Config] API key generated via mailcow.conf has rw access
[PHP-FPM] Add API_KEY_READ_ONLY generation
[PHP-FPM] Increase timeouts
[PHP-FPM] Update some libs
[PHP-FPM] Update to PHP 7.4
[Postfix] Allow to relay only non-local mailboxes
[Postfix] Do not log tls sni maps errors from connections initiated by mailcow checks
[Postfix] Implement disallowed logins
[Rspamd] Add metadata exporter for unauthed mail
[Rspamd] Add more bulk headers
[Rspamd] And even more spam headers
[Rspamd] Block more “Promio” spam crap
[Rspamd] Disable upstream checks for SIEVE_HOST
[Rspamd] Fix quarantine and pushover notifications
[Rspamd] Increase bulk header score
[Rspamd] More spam headers
[Rspamd] Various Pushover fixes
[Rspamd] Quarantine notifications – don’t send if sender is blacklisted (#3428)
[Rspamd] Quarantine notifications – exclude blacklisted sender (#3446)
[Rspamd] Quarantine release – fix when sender is empty (#3445)
[Rspamd] Remove policy checks from SPOOFED_UNAUTH, since SPF can be valid in envelope from, while forging the header from field
[Rspamd] Remove upstream spam check results from mail by fwd hosts
[Rspamd] Restore add header forced action (#3440)
[Rspamd] Score spoofed senders higher
[Rspamd] Set bounce RL to 25 / 1h ; Fix BAZAR (test)
[Rspamd] Slightly reduce BAD REP POL score
[Rspamd] Use empty-env-from@localhost as placeholder for empty env from senders in quarantine
[Rspamd] v2.5
[SOGo] Allow to not spawn SOGo but an idling shell
[Update] Check mulitple IPs in update.sh to verify connection
[Update] Validate docker-compose stack config before updating
[Update] added –force mode to update skript (#3453)
[Watchdog] Watch replication, if any (unsupported)
[Web, Dovecot] Show last IMAP and POP3 logins, toggle via vars.inc.php SHOW_LAST_LOGIN
[Web] 2-digit dates for @patschi
[Web] Add domain statistics
[Web] Allow CIDR as allowed API networks; other minor fixes
[Web] Allow ratelimit time frame “day”; Allow to create announcements
[Web] Allow to split DKIM every 255 chars via vars.inc.php (fixes #3473)
[Web] Always scroll tables
[Web] Async Rspamd graph loading to prevent races (todo: changeme)
[Web] CSS fixes; Add OAUTH2_FORGET_SESSION_AFTER_LOGIN to vars.inc.php (wip); Do not run initdb on non-master cow
[Web] Date formats
[Web] Decrease footer top margin
[Web] Disable login for mailbox users, other SKIP_SOGO checks and fixes
[Web] Do not try to update sogo static view with skip_sogo y
[Web] Do not use EAS for Outlook by default
[Web] Encode footer, decode via JS
[Web] Fix U2F authentication, fixes #3468
[Web] Fix logout after oauth2 (if enabled)
[Web] Fix oAuth logout after authentication (if enabled)
[Web] Fix time limited alias creation via API, thanks to @ntimo
[Web] Fix typo and missing Dovecot restart function (fixes #3466)
[Web] Fixed DKIM regex to allow arguments after the public key (#3462)
[Web] Fixed read write API permissions (#3465)
[Web] Fixes blank page and fixes #3502
[Web] Minor change to app buttons, fixes ugly multi-button panel
[Web] Various fixes
[Web] Remove External as standard subfolder for sync jobs
[Web] Disallow a domain admin to set intersecting user ACLs
[Web] Allow Pushover and SOGo EAS cache reset by default, disallow profile reset by default
[Web] Remove sidebars from admin panel, add dropdowns
[Web] Restart Dovecot when changing global sieve filters, add a warning
[Web] Set appointment c_uid to varchar(1000), fixes errors with Caldavsynchronizer
[Web] Show label for relayed domains; Return total bytes and msgs of domain in API (WIP)
[Web] Show warning, when domain exhausted and only an unlimited mailbox could be created
[Web] Translation updates (THANKS!!!)
[Web] Updated Yubico.php to v2.7 (#3535)
[Web] Various language fixes (and sorting), Pushover lang fixes
[Web] r/o API keys, Pushover integration (can be limited by ACL), other minor changes

Did you know?

You can save the mailcow community as PWA on your smartphone.

Community PWA

Some people are afraid of the update process, even though it is a very easy and stable routine.

Even pretty old installations update just fine.

If you think an update may break your installation, contact me, André, at info@servercow.de.

\o/ Update all cows.

By the way: We update the code on a regular basis, you don’t need to wait until we post these overviews. 🙂

Important changes for all moo cows

  • A mailcow fuzzy storage! Please contact me, if you want to share your spam with mailcow => info@servercow.de – fair-use, please.
  • Netfilter does now log the matched regex (finally).
  • Global sieve filters can be modified using the UI.
  • We score CSA crap relatively high now (X-CSA-* headers).
  • We do now use mariabackup for a fully-consistent backup of the SQL data directory. We will write the data to a tar archive in the future (see open issues).
  • Redis is now exposed to (FYI, has no further use in default setups).
  • We disabled TLS 1.0 and 1.1 for authenticated channels. We made a post about how to re-enable old protocols a few weeks ago.

A BIG THANK YOU to all supporters! Thank you so much for keeping mailcow alive. 🙂
Another BIG THANK YOU goes out to all contributors!

Changes (please also see the commit history)

[ACME] Force renewal with force_renew file, docs will follow
[ACME] Restart Postfix, reload seems not work all the time
[ACME] Use redis master for write operations
[ACME, Watchdog] Improve waiting for Redis
[Rspamd] Add mailflowmonitoring.com to no_log in Rspamd
[SOGo] Sort aliases (#3386)
[ClamAV] Add specific db mirrors
[Compose] A few updated images, REDIS_SLAVEOF_IP, REDIS_SLAVEOF_PORT ans MASTER (not yet supported ot documented)
[Compose] Update SOGo and ACME [ACME] SKIP IP check for SNAT’ed setups to workaround race conditions
[Dovecot] Add auth_passdb_lookup to LUA, add default plugins for replicator, check if master, add node to GUID creation, use correct syslog-ng config if Redis write-master is not
[Dovecot] Fix check to determine running imapsync procs, todo: more jobs at the same time
[Dovecot] IMPORTANT: Disabling TLS 1.0 and 1.2 – welcome to 2020
[Dovecot] LUA: Passdb: Reconnect to SQL if connection was lost
[Dovecot] Set replicator options by default – unused, no support or docs as of today
[Dovecot] Show last mail (pop3, imap) login in web interface
[Dovecot] Wait for versions table instead of failing and restarting
[Git] Add last_login to gitignore
[Git] Ignore global sieve scripts (BUT: Scripts may be forcefully overwritten, when new features are added, that depend on a given change on global sieve maps)
[Helper] Use mariabackup for SQL
[Netfilter] Log matched regex
[Netfilter] Use Redis master if set
[Nginx] Add proxy_send_timeout and proxy_read_timeout of 300 to /SOGo
[PHP-FPM] Check if master, write to Redis master only
[PHP-FPM] Do not use Redis for session handling
[PHP-FPM] Fix permissions for global maps
[PHP-FPM] Update libs, add gnupg
[Postfix] Added custom_postscreen_whitelist.cidr for a custom Postscreen wl, fixes #3313
[Postfix] Add hooks
[Postfix] IMPORTANT: Disabling TLS 1.0 and 1.1 for submission and smtps
[Postfix] Remove default rcpt count limit
[Postfix] Remove duplicate COPY from Dockerfile, fixes #3397
[Postfix] Set empty HELO restrictions for quarantine smtpd
[Postfix] Use Redis master if set
[Rspamd] Add fuzzy hashes to headers, if matched
[Rspamd] Add mailcow fuzzy hash store
[Rspamd] Add X-CSA to bulk headers
[Rspamd] Add X-Last-TLS-Session-Version header
[Rspamd] Disable 304 until SOGO_CONTACT triggers an update, needs rework
[Rspamd] Fix neural.lua
[Rspamd] Forced action add header seems to be broken atm, switching to rewrite subject until fixed
[Rspamd] Move monitoring hosts to monitoring_nolog.map file
[Rspamd] Quarantine: Set sender to null@localhost when sender is missing
[Rspamd] Reduce CSA crap to 2.0
[Rspamd] Reduce Sorbs recent score
[Rspamd] Add annoying CSA to bulk symbols and score then with 3.2
[Rspamd] Update to v2.4
[Rspamd] Set fixed name for fuzzy store
[Rspamd] Set Redis slaveof if not master, adjust redis configs automatically
[Rspamd] Use redis master for RL operations in pipe_rl
[Rspamd, Web] Escape monitoring hosts, add regex maps to vars file
[SOGo] Auto-backup user data to sogo-userdata-backup-vol-1 daily, keep one backup
[SOGo] Check if master, only run DB prep if master, use correct syslog-ng config if not master
[SOGo] Cronjob for SOGo user data backup
[Update] Add –skip-start switch, implements #3317
[Update, Config] Add Redis to exposed hosts
[Update] Display git diff save message only when local changes exist (#3351)
[Update] Make sure containers are gone before updating mailcow
[Update] Save git diff only when local changes exist (#3350)
[Watchdog] Define thresholds in docker-compose(.override) file
[Watchdog] Send 10 last applied ratelimits in mail report
[Watchdog] Use Redis master for write operations
[Web] Added hint where api docs can be found (#3335)
[Web] Add icon to indicate relayed domain
[Web] Add latin-ext to PT Sans font #3018 (#3333)
[Web] Add missing maps
[Web] Add slovak language (#3387)
[Web] Allow empty bcc when saving quarantine settings, fixes #3363
[Web] Allow to change page size in table header for /mailbox tables
[Web] Allow to set global sieve filters
[Web] Allow to skip IP check for API
[Web] Check smtp_tls_policy_map destination (more checks should be added)
[Web] Fix button order, thanks to @dragoangel
[Web] Fix cow level, sorry 🙁
[Web] Fix data type for port1 in imapsync
[Web] Fix DNS check for relayed domain
[Web] Fix mail validation for quota sender address
[Web] Fix quarantine view and add missing lang string
[Web] Fix selection bug (reproduce: select an item, select all, deselect all, click an action and find previously selected items)
[Web] Fix sieve example insert
[Web] Fix sv lang
[Web] Fix tooltips in quarantine
[Web] Fix transport validation, thanks to Gideon!
[Web] Further work to improve the swedish translation and sentence structure to improve general quality, in context to Mailcow functions (#3396)
[Web] Implement table size to quarantine, implements #3325
[Web] Keep modal data when adding a sync job
[Web] Add hint to disable TFA instead of deleting last key
[Web] Prefer sieve redirects: adjust lang files
[Web] Replace rtrim by preg_replace to fix transport checks
[Web] Set desc == domain name, when desc is empty, implements #3341
[Web] Some more quarantine lang strings
[Web] Unlearn spam if released from quarantine, implements #3327
[web] Update lang.sk.json
[Web] Use redis master where necessary, hide UI if not master, create replicate quota2 table

I did not check a PR sufficiently and merged a `auto = subscribe` for Swedish folder names.

If you updated between ~ GMT 06:00 AM and GMT 10:00 AM, please update again and delete the new folders, that might have appeared.

I will check PRs more thorough in the future.

How to remove these folders?

# UPDATE! Update your mailcow to make sure, the subscriptions do not return.
docker-compose exec dovecot-mailcow doveadm mailbox unsubscribe -A "Skräp" "Borttagna Meddelanden" "Arkiv" "Arkeverat" "Skickat" "Skickade Meddelanden" "Utkast"
docker-compose exec dovecot-mailcow doveadm mailbox delete -A "Skräp" "Borttagna Meddelanden" "Arkiv" "Arkeverat" "Skickat" "Skickade Meddelanden" "Utkast"



The fuzzy storage is now enabled in mailcow, so please update your cows.

Please contact me, André, at info@servercow.de, if you want to share your spam mail with us. Old, unused domains with a high spam rate are very welcome!

There are a lot of other cool changes. We will create a new post for these soon!


Today we disabled the deprecated protocols TLS 1.0 and 1.1.

Unauthenticated mail via SMTP on port 25/tcp does still accept >= TLS 1.0 . It is better to accept a weak encryption than none at all.

How to re-enable weak protocols?

nano data/conf/postfix/extra.cf

submission_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

nano data/conf/dovecot/extra.conf

ssl_min_protocol = TLSv1

Restart the affected services:

docker-compose restart postfix-mailcow dovecot-mailcow

Hint: You can enable TLS 1.2 in Windows 7.

Sorry for the lack of december update news.

Important change for SAL users (see “support development” on the right sidebar)

You can now set WATCHDOG_EXTERNAL_CHECKS=y in mailcow.conf to enable an open relay check. The check is run about every minute.
In the future, you will be able to shut down Postfix whenever watchdog-mailcow detects an open relay.
Your source IP must match your mailcow IP, will only work with unmodified mailcows.

Important changes for all moos

  • App passwords! They work for IMAP and SMTP connections, not yet for SOGo – but we are working on it. Login as user to find them. You can also restrict access via ACL.
  • Do not reject .doc per se, but reject when any document has a macro assigned to it.
  • SOGo can be built using a subscription:
          context: ./data/Dockerfiles/sogo
          dockerfile: Dockerfile
            - SOGO_DEBIAN_REPOSITORY=https://user:pass@packages.inverse.ca/SOGo/release/4/debian/
  • Sieve and Rspamd presets were improved. Create presets in data/web/inc/presets/rspamd/. Headline can be a lang string. Please feel free to add more useful presets!
  • Mail forwards and rejects were improved. Rejects are now signed, forwards are only ARC_SIGNED and remain SPF and DKIM valid.

A BIG THANK YOU to all supporters! Thank you so much for keeping mailcow alive. 🙂
Another BIG THANK YOU goes out to all contributors!

Changes (please also see the commit history)

[API] Added DKIM get route to api docs
[API] Added docs for new status api
[API] Added new status route to get some system infos
[API] Fixed api docs not being displayed correctly
[API] Make Solr API return data if Solr is enabled
[API] Update API docs with app password routes
[Rspamd] ARC remains active for forwards. Result: fully signed and trusted forwards and signed rejects in sieve.
[Rspamd] block all Office documents with macros
[CI] Added automated testing using drone (#3278)
[ClamAV] Whitelist JS in PDF – too many false-positives
[Web] Disable refresh button, while refreshing (#3199)
[Dovecot] Add map for app passwds
[Dovecot] Change LUA path
[Dovecot] Delete ham/spam hash if previously learned; Change LUA script pathes
[Dovecot] Drop logs
[Dovecot] Enable editheaders plugin in sieve for all users
[Dovecot] Fix app passwds: allow multiple pass hashes by using LUA construct
[Dovecot] Fix lua error when trying to escape empty domains
[Dovecot] Really strange race condition when reading an untouched LUA file on slower systems
[Dovecot] Remove CONTROL from shared namespace – thanks to @Keessaus
[Dovecot] Set BCC in quarantine notify
[Git] Ignore auto generated Dovecot LUA
[Git] Ignore whitelist.ign2
[IMPORTANT] If you run Ubuntu 16.04, upgrade your kernel to linux-generic-hwe-16.04
[Nginx] Catch case-insensitive /sogo$ request and redirect to /SOGo
[PHP-FPM] Remove useless flag for gd
[Postfix] Add bl.suomispam.net
[Postfix] Client rcpt rate limit set to 50
[Postfix] Set CA path for smtpd
[Postfix] Update Postscreen whitelist
[Rspamd] Add mailcow_networks map
[Rspamd] Allow empty envfrom for system mails, add only Dovecot to sign_networks and sign by header when sign_networks fires.
[Rspamd] allow_hdrfrom_mismatch true, auth_only false (sieve)
[Rspamd] Decrease weight of missed charset
[Rspamd] Do not normalise domains to eSLD for ARC
[Rspamd] Lower map watch interval
[Rspamd] Ratelimit for bounces reduced, max_rcpt for ratelimit increased
[Rspamd] SA trivial converter (wip)
[Rspamd] Set rspamd as trusted host, rspamd is not spoofing
[Rspamd] Split deprecated metrics.conf to actions.conf and groups.conf
[SOGo] Fix for whitespaces in mysql return; Order aliases
[SOGo] Make view more readable
[SOGo] Read build args
[SSL] fix bug with pruning old certificates (#3272)
[Update] Split metrics to actions and groups, warn if metrics is different from repo
[Web] Use main_name in the “Yubico OTP Authentifizierung” modal and in the mailbox edit modal.
[Watchdog] Add external check for open relay, requires SAL
[Watchdog] Fix ipv6 config check
[Watchdog] Retry to get current ACME log status, if empty (may fix watchdog mails on very busy servers – eg while running a backup)
[Watchdog] Revert acme-mailcow threshold to 1
[Watchdog] smtp-cli 3.10 (yay) and a new check for IPv6 configuration problems
[Web] Add “add” button to header of table
[Web] Add missing lang strings for edit
[Web] Add more password generator links
[Web] Add more map types soon; Do not expose private key via API if hidden in vars (fixes #3231)
[Web] Add more sieve presets
[Web] Add new preset for Rspamd settings map: Only allow specific senders to send to a mailbox
[Web] Allow to set BCC for quarantine
[Web] Allow to use data/web/css/build/0081-custom-mailcow.css for ignored overrides
[Web] Better mobileconfig handling
[Web] Complain about non-email email fields
[Web] Deleted hashes previously learned
[Web] Do not show Solr and Clam status when disabled, thanks to Tina
[Web] Feature: Allow app passwords for imap/smtp, allow to set acl permission for app passwords (domain admin [when logged in as user] and user)
[Web] Finally fix solr and clam status…
[Web] Fix global maps
[Web] Fix lang.en.json
[Web] Fix policy map selection for dane
[Web] Fix quarantine for sneaky dots, also fixes #3263
[Web] Fix Solr status and sort containers
[Web] Fix some major errors in app passwds but disable app passwds due to a show stopper… todo: fix asap
[Web] Fix some transport verifications
[Web] Fix transport validation for hostnames
[Web] Generate longer passwords for app passwords
[Web] Generate longer passwords for app passwords (edit was missing)
[Web] Get all app passwd ids for a single user by using get/app-passwd/all/user@domain
[Web] Hide app passwords from logs
[Web] hide echoed var
[Web] Make mobile usage less annoying; anchors for maps; sidebar for maps
[Web] Minor style fix and re-enable app passwds
[Web] Remove “add domain” from table when not admin, fixes #3267
[Web] Remove tracking for custom-mailcow css
[Web] Revert dropup to dropdown
[Web] Revert some style changes, mobile view should be fixes/better with bootstrap 4
[Web, Rspamd] Add bad language map, add map to mailcow UI
[Web] Show hint when SOGo admin login is enabed, fix sieve preset in API
[Web] Small adjustments to presets
[Web] Update languages
[Web] Various fixes for app passwd functions