docker-mailserver · georglauterbach · Jan 24, 2024 · Dec 3, 2023 · Dec 3, 2023 · Dec 3, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,33 @@ All notable changes to this project will be documented in this file. The format
 
 > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
 
+The most noteworthy change of this release is the update of the container's base image from Debian 11 ("Bullseye") to Debian 12 ("Bookworm"). This update alone involves breaking changes and requires a careful update!
+
+### Breaking
+
+- **Updated base image to Debian 12** ([#3403](https://github.com/docker-mailserver/docker-mailserver/pull/3403))
+  - Changed the default of `DOVECOT_COMMUNITY_REPO` to `0` (disabled) - the Dovecot community repo will (for now) not be the default when building the DMS.
+    - While Debian 12 (Bookworm) was released in June 2023 and the latest Dovecot `2.3.21` in Sep 2023, as of Jan 2024 there is no [Dovecot community repo available for Debian 12](https://repo.dovecot.org).
+    - This results in the Dovecot version being downgraded from `2.3.21` (DMS v13.3) to `2.3.19`, which [may affect functionality when you've explicitly configured for these features](https://github.com/dovecot/core/blob/30cde20f63650d8dcc4c7ad45418986f03159946/NEWS#L1-L158):
+      - OAuth2 (_mostly regarding JWT usage, or POST requests (`introspection_mode = post`) with `client_id` + `client_secret`_).
+      - Lua HTTP client (_DNS related_).
+  - Updated packages. For an overview, [we have a review comment on the PR that introduces Debian 12](https://github.com/docker-mailserver/docker-mailserver/pull/3403#issuecomment-1694563615)
+    - Notable major version bump: `openssl 3`, `clamav 1`, `spamassassin 4`, `redis-server 7`.
+    - Notable minor version bump: `postfix 3.5.23 => 3.7.9`
+    - Notable minor version bump + downgrade: `dovecot 2.3.13 => 2.3.19` (_Previous release provided `2.3.21` via community repo, `2.3.19` is now the default_)
+  - Updates to `packages.sh`:
+    - The script now uses `/etc/os-release` to determine the release name of Debian
+    - Removed custom installations of Fail2Ban, getmail6 and Rspamd
+    - Updated packages lists and added comments for maintainability
+- **Postfix:**
+  - Postfix upgrade from 3.5 to 3.7 ([#3403](https://github.com/docker-mailserver/docker-mailserver/pull/3403))
+    - `compatibility_level` was raised from `2` to `3.6`
+    - Postfix has deprecated the usage of `whitelist` / `blacklist` in config parameters and logging in favor of `allowlist` / `denylist` and similar variations. ([#3403](https://github.com/docker-mailserver/docker-mailserver/pull/3403/files#r1306356328))
+      - This [may affect monitoring / analysis of logs output from Postfix](https://www.postfix.org/COMPATIBILITY_README.html#respectful_logging) that expects to match patterns on the prior terminology used.
+      - DMS `main.cf` has renamed `postscreen_dnsbl_whitelist_threshold` to `postscreen_dnsbl_allowlist_threshold` as part of this change.
+    - `smtpd_relay_restrictions` (relay policy) is now evaluated after `smtpd_recipient_restrictions` (spam policy). Previously it was evaluated before `smtpd_recipient_restrictions`. Mail to be relayed via DMS must now pass through the spam policy first.
+    - The TLS fingerprint policy has changed the default from MD5 to SHA256 (_DMS does not modify this Postfix parameter, but may affect any user customizations that do_).
+
 ## [v13.3.1](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.3.1)
 
 ### Fixes

diff --git a/Dockerfile b/Dockerfile
@@ -4,10 +4,10 @@
 # This is in preparation for more granular stages (eg ClamAV and Fail2Ban split into their own)
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG DOVECOT_COMMUNITY_REPO=1
+ARG DOVECOT_COMMUNITY_REPO=0
 ARG LOG_LEVEL=trace
 
-FROM docker.io/debian:11-slim AS stage-base
+FROM docker.io/debian:12-slim AS stage-base
 
 ARG DEBIAN_FRONTEND
 ARG DOVECOT_COMMUNITY_REPO
@@ -30,8 +30,6 @@ COPY target/scripts/helpers/log.sh /usr/local/bin/helpers/log.sh
 
 RUN /bin/bash /build/packages.sh && rm -r /build
 
-
-
 # -----------------------------------------------
 # --- Compile deb packages ----------------------
 # -----------------------------------------------
@@ -130,7 +128,8 @@ COPY \
 
 # hadolint ignore=SC2016
 RUN <<EOF
-  sedfile -i -r 's/^(CRON)=0/\1=1/g' /etc/default/spamassassin
+  # ref: https://github.com/docker-mailserver/docker-mailserver/pull/3403#discussion_r1306282387
+  echo 'CRON=1' >/etc/default/spamassassin
   sedfile -i -r 's/^\$INIT restart/supervisorctl restart amavis/g' /etc/spamassassin/sa-update-hooks.d/amavisd-new
   mkdir /etc/spamassassin/kam/
   curl -sSfLo /etc/spamassassin/kam/kam.sa-channels.mcgrail.com.key https://mcgrail.com/downloads/kam.sa-channels.mcgrail.com.key
@@ -189,7 +188,6 @@ RUN <<EOF
   ln -sf /var/log/mail/fail2ban.log /var/log/fail2ban.log
   # disable sshd jail
   rm /etc/fail2ban/jail.d/defaults-debian.conf
-  mkdir /var/run/fail2ban
 EOF
 
 COPY target/opendkim/opendkim.conf /etc/opendkim.conf
@@ -266,8 +264,9 @@ RUN <<EOF
   sedfile -i -e 's/^\(POLICYHELPER=\).*/\1/' /usr/sbin/invoke-rc.d
   # prevent syslog warning about imklog permissions
   sedfile -i -e 's/^module(load=\"imklog\")/#module(load=\"imklog\")/' /etc/rsyslog.conf
-  # prevent email when /sbin/init or init system is not existing
-  sedfile -i -e 's|invoke-rc.d rsyslog rotate > /dev/null|/usr/bin/supervisorctl signal hup rsyslog >/dev/null|g' /usr/lib/rsyslog/rsyslog-rotate
+  # this change is for our alternative process manager rather than part of
+  # a fix related to the change preceding it.
+  echo -e '\n/usr/bin/supervisorctl signal hup rsyslog >/dev/null' >>/usr/lib/rsyslog/rsyslog-rotate
 EOF
 
 # -----------------------------------------------

diff --git a/target/bin/debug-getmail b/target/bin/debug-getmail
@@ -15,5 +15,5 @@ else
 fi
 
 for FILE in /etc/getmailrc.d/getmailrc*; do
-  /usr/local/bin/getmail --getmaildir "${GETMAILDIR}" --rcfile "${FILE}" --dump | tail -n +7
+  getmail --getmaildir "${GETMAILDIR}" --rcfile "${FILE}" --dump | tail -n +6
 done
diff --git a/target/bin/getmail-cron b/target/bin/getmail-cron
@@ -2,6 +2,6 @@
 
 for FILE in /etc/getmailrc.d/getmailrc*; do
   if ! pgrep -f "${FILE}$" &>/dev/null; then
-    /usr/local/bin/getmail --getmaildir /var/lib/getmail --rcfile "${FILE}"
+    getmail --getmaildir /var/lib/getmail --rcfile "${FILE}"
   fi
 done
diff --git a/target/postfix/main.cf b/target/postfix/main.cf
@@ -86,7 +86,7 @@ postscreen_dnsbl_sites =
     list.dnswl.org=127.0.[0..255].1*-3
     list.dnswl.org=127.0.[0..255].[2..3]*-4
 postscreen_dnsbl_threshold = 3
-postscreen_dnsbl_whitelist_threshold = -1
+postscreen_dnsbl_allowlist_threshold = -1
 postscreen_greet_action = enforce
 postscreen_bare_newline_action = enforce
 
@@ -121,7 +121,4 @@ smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
 # http://www.postfix.org/COMPATIBILITY_README.html
 # If backwards-compaitibilty log messages appear, fix them by explicitly adding
 # the legacy or new default value (alternatively raise the compatibility_level)
-#
-# TODO: The next compatibility_level is 3.6, when Postfix 3.6 is available consider
-# bumping this value after taking the compaitibilty changes into account.
-compatibility_level = 2
+compatibility_level = 3.6
diff --git a/target/scripts/build/compile.sh b/target/scripts/build/compile.sh
@@ -17,7 +17,7 @@ function _compile_dovecot_fts_xapian() {
   tar xzvf dovecot-fts-xapian.tar.gz
   cd fts-xapian-1.5.5
   USER=root dh_make -p dovecot-fts-xapian-1.5.5 --single --native --copyright gpl2 -y
-  rm debian/*.ex debian/*.EX
+  rm debian/*.ex
   cp PACKAGES/DEB/control debian/
   cp PACKAGES/DEB/changelog debian/
   cp PACKAGES/DEB/compat debian/