Description
This release fixes some issues with Dovecot Quotas (enabled by default), the SSL_DOMAIN ENV (rarely needed), DKIM and DMARC support.
Additionally there are some minor improvements and internal changes with HOSTNAME / DOMAINNAME handling, SSL_TYPE=letsencrypt and ACME cert extraction (Traefik specific) that should resolve some edge cases with handling cert renewals.
WARNING: This release had a small regression affecting the detection of changes for certificates provisioned in /etc/letsencrypt with the config ENV SSL_TYPE=letsencrypt, unless you use Traefik's acme.json. If you rely on this functionality to restart Postfix and Dovecot when updating your cert files, this will not work and it is advised to upgrade to v10.4.0 or newer prior to renewal of your certificates.
Changelog
- [fix] The Dovecot userdb will now additionally create "dummy" accounts for basic alias maps (alias maps to a single real account managed by Dovecot, relaying to external providers aren't affected) when ENABLE_QUOTAS=1 (default) as a workaround for Postfix quota-status plugin querying Dovecot with inbound mail for a user, which Postfix uses to reject mail if quota has been exceeded (to avoid risk of blacklisting from spammers abusing backscatter) #2248
  - NOTE: If using aliases that map to another alias or multiple addresses, this remains a risk.
- [fix] setup email list command will no longer attempt to query Dovecot quota status when ENABLE_QUOTAS is disabled #2264
- [fix] SSL_DOMAIN ENV should now work much more reliably #2274, #2278, #2279
- [fix] DKIM - Removed refile: (regex type) from KeyTable entry in opendkim.conf, fixes validation error output from opendkim-testkey #2249
- [fix] DMARC - Removed quotes around the hostname value in opendmarc.conf. This avoids an authentication failure where an OpenDKIM header was previously ignored #2291
- [fix] When using ONE_DIR=1 (default), the spool-postfix folder now has the correct permissions carried over. This resolves some failures notably with sieve filters #2273
- [improvement] Warnings are now logged for ClamAV and SpamAssassin if they are enabled but Amavis is disabled (which is required for them to work correctly) #2251
- [improvement] user-patches.sh is now invoked via bash to assist Kubernetes deployments with ConfigMap #2295
Internal
These changes are primarily internal and are only likely relevant to users that maintain their own modifications related to the changed files.
- [chore] Redundant config from Postfix master.cf has been removed, it should not affect any users as our images have not included any of the related processes #2272
- [refactor] check-for-changes.sh was carrying some duplicate code from setup-stack.sh that was falling out of sync, they now share common code #2260
- [refactor] acme.json extraction was refactored into a CLI utility and updated to Python 3 (required for future upgrade to Debian 11 Bullseye base image) #2274
- [refactor] As part of the Traefik acme.json and SSL_DOMAIN work, logic for SSL_TYPE=letsencrypt was also revised #2278
- [improvement] Some minor tweaks to how we derive the internal HOSTNAME and DOMAINNAME from user configured hostname and domainname settings #2280
New Contributors
- @frugan-it made their first contribution in #2249
- @2b made their first contribution in #2252
- @eglia made their first contribution in #2291
- @sjmudd made their first contribution in #2304
- @MohammedNoureldin made their first contribution in #2303
Full Changelog: v10.2.0...v10.3.0