merged with upstream

2025-01-14 19:54:22 +01:00 · 2025-01-14 19:54:22 +01:00 · 7803b68764
commit 7803b68764
parent ed41173183
1 changed files with 143 additions and 44 deletions
--- a/.env
+++ b/.env
@ -3,7 +3,7 @@
 # -----------------------------------------------

 # DOCUMENTATION FOR THESE VARIABLES IS FOUND UNDER
-# https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/
+# https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/

 # -----------------------------------------------
 # --- General Section ---------------------------
@ -30,9 +30,11 @@ LOG_LEVEL=info
 # debug => Also show debug messages
 SUPERVISOR_LOGLEVEL=

-# 0 => mail state in default directories
-# 1 => consolidate all states into a single directory (`/var/mail-state`) to allow persistence using docker volumes
-ONE_DIR=1
+# Support for deployment where these defaults are not compatible (eg: some NAS appliances):
+# /var/mail vmail User ID (default: 5000)
+DMS_VMAIL_UID=
+# /var/mail vmail Group ID (default: 5000)
+DMS_VMAIL_GID=

 # **empty** => use FILE
 # LDAP => use LDAP authentication
@ -105,15 +107,35 @@ ENABLE_OPENDKIM=1
 #   0   => Disabled
 ENABLE_OPENDMARC=1

-# 1 => Enables POP3 service
-# empty => disables POP3
+
+# Enabled `policyd-spf` in Postfix's configuration. You will likely want to set this
+# to `0` in case you're using Rspamd (`ENABLE_RSPAMD=1`).
+#
+# - 0     => Disabled
+# - **1** => Enabled
+ENABLE_POLICYD_SPF=1
+
+# Enables POP3 service
+# - **0** => Disabled
+# - 1     => Enabled
 ENABLE_POP3=

+# Enables IMAP service
+# - 0     => Disabled
+# - **1** => Enabled
+ENABLE_IMAP=1
+
 # Enables ClamAV, and anti-virus scanner.
 #   1   => Enabled
 # **0** => Disabled
 ENABLE_CLAMAV=0

+# Add the value of this ENV as a prefix to the mail subject when spam is detected.
+# NOTE: This subject prefix may be redundant (by default spam is delivered to a junk folder).
+#       It provides value when your junk mail is stored alongside legitimate mail instead of a separate location (like with `SPAMASSASSIN_SPAM_TO_INBOX=1` or `MOVE_SPAM_TO_JUNK=0` or a POP3 only setup, without IMAP).
+# NOTE: When not using Docker Compose, other CRI may not support quote-wrapping the value here to preserve any trailing white-space.
+SPAM_SUBJECT=
+
 # Enables Rspamd
 # **0** => Disabled
 #   1   => Enabled
@ -125,6 +147,49 @@ ENABLE_RSPAMD=0
 # 1 => Enabled
 ENABLE_RSPAMD_REDIS=

+# When enabled,
+#
+# 1. the "[autolearning][rspamd-autolearn]" feature is turned on;
+# 2. the Bayes classifier will be trained when moving mails from or to the Junk folder (with the help of Sieve scripts).
+#
+# **0** => disabled
+# 1     => enabled
+RSPAMD_LEARN=0
+
+# This settings controls whether checks should be performed on emails coming
+# from authenticated users (i.e. most likely outgoing emails). The default value
+# is `0` in order to align better with SpamAssassin. We recommend reading
+# through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
+# decide for yourself whether you need and want this feature.
+#
+# Note that DKIM signing of e-mails will still happen.
+RSPAMD_CHECK_AUTHENTICATED=0
+
+# Controls whether the Rspamd Greylisting module is enabled.
+# This module can further assist in avoiding spam emails by greylisting
+# e-mails with a certain spam score.
+#
+# **0** => disabled
+# 1     => enabled
+RSPAMD_GREYLISTING=0
+
+# Can be used to enable or disable the Hfilter group module.
+#
+# - 0     => Disabled
+# - **1** => Enabled
+RSPAMD_HFILTER=1
+
+# Can be used to control the score when the HFILTER_HOSTNAME_UNKNOWN symbol applies. A higher score is more punishing. Setting it to 15 is equivalent to rejecting the email when the check fails.
+#
+# Default: 6
+RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE=6
+
+# Can be used to enable or disable the (still experimental) neural module.
+#
+# - **0** => Disabled
+# - 1     => Enabled
+RSPAMD_NEURAL=0
+
 # Amavis content filter (used for ClamAV & SpamAssassin)
 # 0 => Disabled
 # 1 => Enabled
@ -142,7 +207,7 @@ AMAVIS_LOGLEVEL=0
 # 1     => DNS block lists are enabled
 ENABLE_DNSBL=0

-# If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`:
+# If you enable Fail2Ban, don't forget to add the following lines to your `compose.yaml`:
 #    cap_add:
 #      - NET_ADMIN
 # Otherwise, `nftables` won't be able to ban IPs.
@ -166,14 +231,14 @@ POSTSCREEN_ACTION=enforce
 # 1 => only launch postfix smtp
 SMTP_ONLY=

-# Please read [the SSL page in the documentation](https://docker-mailserver.github.io/docker-mailserver/edge/config/security/ssl) for more information.
+# Please read [the SSL page in the documentation](https://docker-mailserver.github.io/docker-mailserver/latest/config/security/ssl) for more information.
 #
 # empty => SSL disabled
 # letsencrypt => Enables Let's Encrypt certificates
 # custom => Enables custom certificates
 # manual => Let's you manually specify locations of your SSL certificates for non-standard cases
 # self-signed => Enables self-signed certificates
-SSL_TYPE=letsencrypt
+SSL_TYPE=

 # These are only supported with `SSL_TYPE=manual`.
 # Provide the path to your cert and key files that you've mounted access to within the container.
@ -197,17 +262,17 @@ VIRUSMAILS_DELETE_DELAY=
 # `lmtp:<kopano-host>:2003` (use kopano as mailstore)
 POSTFIX_DAGENT=

-# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default).
+# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default). Size is in bytes.
 #
 # empty => 0
 POSTFIX_MAILBOX_SIZE_LIMIT=5120000000

-# See https://docker-mailserver.github.io/docker-mailserver/edge/config/user-management/accounts/#notes
+# See https://docker-mailserver.github.io/docker-mailserver/latest/config/account-management/overview/#quotas
 # 0 => Dovecot quota is disabled
 # 1 => Dovecot quota is enabled
 ENABLE_QUOTAS=1

-# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!)
+# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!). Size is in bytes.
 #
 # empty => 10240000 (~10 MB)
 POSTFIX_MESSAGE_SIZE_LIMIT=26214400
@ -282,6 +347,16 @@ REPORT_SENDER=
 # Note: This variable can also determine the interval for Postfix's log summary reports, see [`PFLOGSUMM_TRIGGER`](#pflogsumm_trigger).
 LOGROTATE_INTERVAL=weekly

+# Defines how many log files are kept by logrorate
+LOGROTATE_COUNT=4
+
+
+# If enabled, employs `reject_unknown_client_hostname` to sender restrictions in Postfix's configuration.
+#
+# - **0** => Disabled
+# - 1 => Enabled
+POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
+
 # Choose TCP/IP protocols for postfix to use
 # **all** => All possible protocols.
 # ipv4 => Use only IPv4 traffic. Most likely you want this behind Docker.
@ -290,6 +365,12 @@ LOGROTATE_INTERVAL=weekly
 # Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
 POSTFIX_INET_PROTOCOLS=all

+# Enables MTA-STS support for outbound mail.
+# More details: https://docker-mailserver.github.io/docker-mailserver/v13.3/config/best-practices/mta-sts/
+# - **0** ==> MTA-STS disabled
+# - 1 => MTA-STS enabled
+ENABLE_MTA_STS=1
+
 # Choose TCP/IP protocols for dovecot to use
 # **all** => Listen on all interfaces
 # ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
@ -304,9 +385,6 @@ DOVECOT_INET_PROTOCOLS=all

 ENABLE_SPAMASSASSIN=0

-# deliver spam messages in the inbox (eventually tagged using SA_SPAM_SUBJECT)
-SPAMASSASSIN_SPAM_TO_INBOX=1
-
 # KAM is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation.
 # If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
 # - **0** => KAM disabled
@ -315,21 +393,24 @@ SPAMASSASSIN_SPAM_TO_INBOX=1
 # Note: only has an effect if `ENABLE_SPAMASSASSIN=1`
 ENABLE_SPAMASSASSIN_KAM=0

+# deliver spam messages to the inbox (tagged using SPAM_SUBJECT)
+SPAMASSASSIN_SPAM_TO_INBOX=1
+
 # spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required)
 MOVE_SPAM_TO_JUNK=1

-# add spam info headers if at, or above that level:
+# spam messages will be marked as read
+MARK_SPAM_AS_READ=0
+
+# add 'spam info' headers at, or above this level
 SA_TAG=2.0

-# add 'spam detected' headers at that level
+# add 'spam detected' headers at, or above this level
 SA_TAG2=6.31

 # triggers spam evasive actions
 SA_KILL=10.0

-# add tag to subject if spam detected
-SA_SPAM_SUBJECT=***SPAM*****
-
 # -----------------------------------------------
 # --- Fetchmail Section -------------------------
 # -----------------------------------------------
@ -338,25 +419,45 @@ ENABLE_FETCHMAIL=0

 # The interval to fetch mail in seconds
 FETCHMAIL_POLL=300
+# Use multiple fetchmail instances (1 per poll entry in fetchmail.cf)
+# Supports multiple IMAP IDLE connections when a server is used across multiple poll entries
+# https://otremba.net/wiki/Fetchmail_(Debian)#Immediate_Download_via_IMAP_IDLE
+FETCHMAIL_PARALLEL=0
+
+# Enable or disable `getmail`.
+#
+# - **0** => Disabled
+# - 1 => Enabled
+ENABLE_GETMAIL=0
+
+# The number of minutes for the interval. Min: 1; Default: 5.
+GETMAIL_POLL=5
+
+# -----------------------------------------------
+# --- OAUTH2 Section ----------------------------
+# -----------------------------------------------
+
+# empty => OAUTH2 authentication is disabled
+# 1 => OAUTH2 authentication is enabled
+ENABLE_OAUTH2=
+
+# Specify the user info endpoint URL of the oauth2 provider
+# Example: https://oauth2.example.com/userinfo/
+OAUTH2_INTROSPECTION_URL=

 # -----------------------------------------------
 # --- LDAP Section ------------------------------
 # -----------------------------------------------

-# A second container for the ldap service is necessary (i.e. https://github.com/osixia/docker-openldap)
-
-# with the :edge tag, use ACCOUNT_PROVISIONER=LDAP
-# empty => LDAP authentification is disabled
-# 1 => LDAP authentification is enabled
-ENABLE_LDAP=
+# A second container for the ldap service is necessary (i.e. https://hub.docker.com/r/bitnami/openldap/)

 # empty => no
 # yes => LDAP over TLS enabled for Postfix
 LDAP_START_TLS=

-# If you going to use the mailserver in combination with docker-compose you can set the service name here
-# empty => mail.domain.com
-# Specify the dns-name/ip-address where the ldap-server
+# empty => mail.example.com
+# Specify the `<dns-name>` / `<ip-address>` where the LDAP server is reachable via a URI like: `ldaps://mail.example.com`.
+# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
 LDAP_SERVER_HOST=

 # empty => ou=people,dc=domain,dc=com
@ -443,11 +544,11 @@ SASLAUTHD_MECHANISMS=
 SASLAUTHD_MECH_OPTIONS=

 # empty => Use value of LDAP_SERVER_HOST
-# Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
+# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
 SASLAUTHD_LDAP_SERVER=

 # empty => Use value of LDAP_BIND_DN
-# specify an object with priviliges to search the directory tree
+# specify an object with privileges to search the directory tree
 # e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
 # e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
 SASLAUTHD_LDAP_BIND_DN=
@ -528,8 +629,8 @@ SRS_SECRET=

 # Setup relaying all mail through a default relay host
 #
-# empty => don't configure default relay host
-# default host and optional port to relay all mail through
+# Set a default host to relay all mail through (optionally include a port)
+# Example: [mail.example.com]:587
 DEFAULT_RELAY_HOST=

 # -----------------------------------------------
@ -539,24 +640,22 @@ DEFAULT_RELAY_HOST=
 # Setup relaying for multiple domains based on the domain name of the sender
 # optionally uses usernames and passwords in postfix-sasl-password.cf and relay host mappings in postfix-relaymap.cf
 #
-# empty => don't configure relay host
-# default host to relay mail through
+# Set a default host to relay mail through
+# Example: mail.example.com
 RELAY_HOST=

 # empty => 25
 # default port to relay mail
 RELAY_PORT=25

+# -----------------------------------------------
+# --- Relay Host Credentials Section ------------
+# -----------------------------------------------
+
+# Configure a relay user and password to use with RELAY_HOST / DEFAULT_RELAY_HOST
+
 # empty => no default
-# default relay username (if no specific entry exists in postfix-sasl-password.cf)
 RELAY_USER=

 # empty => no default
-# password for default relay user
-RELAY_PASSWORD=
-
-# -----------------------------------------------
-# --- Custom Config Section ---------------------
-# -----------------------------------------------
-
-ENABLE_MTA_STS=1
+RELAY_PASSWORD=