For the upgrade create a new docker-compose.yml file and mailu.env file via setup.mailu.io. After that any old settings can be reapplied to mailu.env. Before making any changes, carefully read the [configuration reference](https://mailu.io/2.0/configuration.html). New settings have been introduced and some settings have been removed. Multiple changes have been made to the docker-compose.yml file and mailu.env file. If Tika is enabled, then 1GB to 2GB of extra memory is required.
Before starting the new Mailu deployment, check the following two topics:
POSTFIX_LOG_FILE has been deprecated and is ignored by Mailu. If POSTFIX_LOG_FILE was used, then refer to the the new FAQ entry `How can I view and export the logs of a Mailu container?` how to configure similar functionality.
If a reverse proxy is used on the same host, consider switching to traefik using the updated instructions. Refer to `Using an external reverse proxy` on mailu.io. With these updated instructions Mailu will handle requesting all certificates. It is not required anymore to copy certificates from the reverse proxy to Mailu.
After starting the new Mailu deployment, check the following two topics.
docker compose exec imap doveadm user '*'|while read u; do docker compose exec imap doveadm index -u $u '*'; done
```
Check if the the hardened memory allocator can be enabled.
View the admin container logs via `docker compose logs admin`
```
WARNING:root:Your CPU has Advanced Vector Extensions available, we recommend you enable hardened-malloc earlier in the boot process by adding LD_PRELOAD=/usr/lib/libhardened_malloc.so to your mailu.env
```
**Only** if the above message is logged, then the hardened malloc can be enabled by adding the following line to `mailu.env`.
```
LD_PRELOAD=/usr/lib/libhardened_malloc.so
```
Recreate all docker containers (`docker compose up -d`) for the changes to be propagated.
Please note that once you have upgraded to 2024.03, that you won't be able to roll-back to earlier versions.
- Features: Add support for managesieve ([#81](https://github.com/Mailu/Mailu/issues/81))
- Features: Enhance RESTful API user retrieval with quota used bytes. This is the current size of the user's email box in bytes. ([#2824](https://github.com/Mailu/Mailu/issues/2824))
- Features: Implement a feature to force users to change their password
Prune all active sessions of users when their password is changed ([#2877](https://github.com/Mailu/Mailu/issues/2877))
- Features: Add Traditional Chinese translation ([#2948](https://github.com/Mailu/Mailu/issues/2948))
- Features: Enhance RESTful API with functionality for managing authentication tokens of users ([#2974](https://github.com/Mailu/Mailu/issues/2974))
- Features: Add "download zonefile" button to domain configuration and un-split dkim key in dns table ([#3023](https://github.com/Mailu/Mailu/issues/3023))
- Features: Ensure that we encourage users to also pin ISRG X2 in their TLSA records ([#3191](https://github.com/Mailu/Mailu/issues/3191))
- Bugfixes: Letsencrypt only works if port 80 is reachable. Users behind reverse-proxies don't read instructions... this makes the common misconfiguration work too. ([#2720](https://github.com/Mailu/Mailu/issues/2720))
- Bugfixes: Fix breaking bug in config-import command line command.
Import yml's containing dkim keys (the element 'dkim_key:') failed to import using `config-import`. ([#2747](https://github.com/Mailu/Mailu/issues/2747))
- Bugfixes: Fix a bug preventing POP3 from being usable ([#2756](https://github.com/Mailu/Mailu/issues/2756))
- Bugfixes: Fix downloading attachments through snappymail. ([#2776](https://github.com/Mailu/Mailu/issues/2776))
- Bugfixes: In front, config.py can be called several times. LD_PRELOAD may have already been removed from ENV ([#2789](https://github.com/Mailu/Mailu/issues/2789))
- Bugfixes: The SMTP container wasn't logging things like it should
The health-check of dovecot was creating zombies
Document that COMPRESSION=zstd is now possible (see #2139) ([#2793](https://github.com/Mailu/Mailu/issues/2793))
- Bugfixes: Allow other supported languages in Roundcube's spellchecker ([#2798](https://github.com/Mailu/Mailu/issues/2798))
- Bugfixes: Fix SCAN_MACROS: OLETOOLS wasn't always enabled/disabled like it should have been ([#2805](https://github.com/Mailu/Mailu/issues/2805))
- Bugfixes: Healthcheck of clamav image created zombie processes ([#2811](https://github.com/Mailu/Mailu/issues/2811))
- Bugfixes: Don't send out of office messages to no\-?reply@ ([#2823](https://github.com/Mailu/Mailu/issues/2823))
- Bugfixes: Authentication failed for email clients when the password contained a non latin-1 character. ([#2837](https://github.com/Mailu/Mailu/issues/2837))
- Bugfixes: Increase the number of postfix workers, this should reduce the number of time Mailu replies with "451 4.3.2 Internal server error". To be clear, well behaved MTAs will retry so no email have been lost. ([#2869](https://github.com/Mailu/Mailu/issues/2869))
- Bugfixes: Setup:
Regular expression for checking the Mailu storage path was invalid.
Added checks to make sure JavaScript is enabled and that all JS files could be loaded. The setup site malfunctions if this is not the case.
Added server side validation of entered values in setup.
Simplified setup by removing the settings for configuring the WEB_* settings. Advanced users can still modify mailu.env. ([#2890](https://github.com/Mailu/Mailu/issues/2890))
- Bugfixes: Fix GPG operations from Roundcube - calling gpg with full path was blocked ([#2892](https://github.com/Mailu/Mailu/issues/2892))
- Bugfixes: Switch the admin container from port 80 to port 8080. This should solve issues related to capabilities not working as expected
Document that systemd-resolve may need to be configured to validate DNSSEC
Ensure that dovecot is not attempting to bind a v6 socket if SUBNET6 is not configured ([#2906](https://github.com/Mailu/Mailu/issues/2906))
- Bugfixes: Moving emails to the Junk folder may have created zombies (rspamc)
Ensure that the spam reporting works even if the email isn't COPYed to the mailbox ([#2908](https://github.com/Mailu/Mailu/issues/2908))
- Bugfixes: Ensure that we delete any pre-exising PID files
Make Rspamd retry for longer when connecting to clamav ([#2917](https://github.com/Mailu/Mailu/issues/2917))
- Bugfixes: fix fetchmail when used with POP3: disregard "folders" ([#2928](https://github.com/Mailu/Mailu/issues/2928))
- Bugfixes: Upgrade to alpine 3.18.4: this will fix a bug whereby musl wasn't retrying using TCP when it received truncated DNS replies from its upstream. In practice, this has been seen in the wild when postfix complains of:
"Host or domain name not found. Name service error for name=outlook-com.olc.protection.outlook.com type=AAAA: Host found but no data record of requested type" ([#2934](https://github.com/Mailu/Mailu/issues/2934))
- Bugfixes: forbidden_file_extension.map could not be overridden. This file can be overriden to tweak with file extensions are allowed.
The instructions on https://mailu.io/master/antispam.html#can-i-change-the-list-of-authorized-file-attachments work again. ([#2937](https://github.com/Mailu/Mailu/issues/2937))
- Bugfixes: Fixed log filter not filtering out log messages for dovecot/nginx/postfix.
Fixed postfix not logging to standard out.
Fixed not all containers logging to journald.
Removed POSTFIX_LOG_FILE functionality. Added documentation on how to achieve the same (log to file) via journald & rsyslogd (see new FAQ entry 'How can I view and export the logs of a Mailu container?'). ([#2939](https://github.com/Mailu/Mailu/issues/2939))
- Bugfixes: Update hardened malloc as the original package is not available from alpine anymore.
The newer version of hardened malloc requires AVX2: Disable it by default at startup and hint in the logs when it should be enabled instead.
Upgrade snappymail to v2.29.1 ([#2959](https://github.com/Mailu/Mailu/issues/2959))
- Bugfixes: Fix letsencrypt on master ([#2962](https://github.com/Mailu/Mailu/issues/2962))
- Bugfixes: - Switch from fts-xapian to fts-flatcurve. This should address the problem with indexes getting too big and will be the default in dovecot 2.4
- Enable full-text search of email attachments if configured (via Tika: you'll need to re-run setup)
If you would like more than english to be supported, please ensure you update your FULL_TEXT_SEARCH configuration variable.
You may also want to dispose of old indexes using a command such as:
docker compose exec imap doveadm user '*'|while read u; do docker compose exec imap doveadm index -u $u '*'; done ([#2971](https://github.com/Mailu/Mailu/issues/2971))
- Bugfixes: Ensure that we do not silently discard PUAs flagged by clamav. Instead we will reject emails. ([#3048](https://github.com/Mailu/Mailu/issues/3048))
- Bugfixes: Slow down the turtle policy (see #3075) ([#3075](https://github.com/Mailu/Mailu/issues/3075))
- Bugfixes: Ensure we do not block logins from webmails when there is a valid SSO session ([#3094](https://github.com/Mailu/Mailu/issues/3094))
- Bugfixes: Ensure that the form validator related to forwarding addresses allows for uppercase ([#3095](https://github.com/Mailu/Mailu/issues/3095))
- Bugfixes: Long term fix against SMTP smuggling (disable bare_newline), see https://www.postfix.org/smtp-smuggling.html ([#3101](https://github.com/Mailu/Mailu/issues/3101))
- Bugfixes: Add required quotes to traefik-certdumper to ensure that shell characters are usable. ([#3129](https://github.com/Mailu/Mailu/issues/3129))
- Bugfixes: Add a semicolum to DMARC records ([#3150](https://github.com/Mailu/Mailu/issues/3150))
- Bugfixes: Fix ooo/sieve replies when proxy protocol is in use ([#3172](https://github.com/Mailu/Mailu/issues/3172))
- Bugfixes: update Simplified Chinese (zh) translation ([#3175](https://github.com/Mailu/Mailu/issues/3175))
- Bugfixes: Ensure that nginx and dovecot are reloaded ([#3179](https://github.com/Mailu/Mailu/issues/3179))
- Bugfixes: Ensure we always send ISRG_X1 root when LE is configured. Switch to the non-crossigned version as the other one will expire in September ([#3187](https://github.com/Mailu/Mailu/issues/3187))
For full details see the [releases page](https://mailu.io/2.0/releases.html)
Upgrade should run fine as long as you generate a new docker-compose.yml file and mailu.env file via setup.mailu.io.
After that any old settings can be reapplied to mailu.env.
Before making any changes, carefully read the [configuration reference](https://mailu.io/2.0/configuration.html). New settings have been introduced and some settings have been removed.
Multiple changes have been made to the docker-compose.yml file and mailu.env file.
If you use Fail2Ban, then the Fail2Ban intructions have been improved. It is mandatory to remove your Fail2Ban config and re-apply it using the instructions from the [documentation](https://mailu.io/2.0/faq.html#do-you-support-fail2ban).
Please note that once you have upgraded to 2.0 you won't be able to roll-back to earlier versions
After changing mailu.env, it is required to recreate all containers for the changes to be propagated.
- Features: Provide auto-configuration files (autodiscover, autoconfig & mobileconfig); Please update your DNS records ([#224](https://github.com/Mailu/Mailu/issues/224))
- Features: Introduction of the Mailu RESTful API. The full Mailu config can be changed via the Mailu API.
See the section Mailu RESTful API & the section configuration reference in the documentation for more information. ([#445](https://github.com/Mailu/Mailu/issues/445))
- Features: Allow other folders to be synced by fetchmail ([#711](https://github.com/Mailu/Mailu/issues/711))
- Features: Update the webmail images.
Roundcube
- Switch to base image (alpine)
- Switch to php-fpm
SnappyMail
- Switch to base image
- Upgrade php7 to php8. ([#1521](https://github.com/Mailu/Mailu/issues/1521))
- Features: Implement Header authentication via external proxy ([#1972](https://github.com/Mailu/Mailu/issues/1972))
- Features: Add FETCHMAIL_ENABLED to toggle the fetchmail functionality in the admin interface ([#2127](https://github.com/Mailu/Mailu/issues/2127))
- Features: Create a polite and turtle delivery queue to accommodate destinations that expect emails to be sent slowly ([#2213](https://github.com/Mailu/Mailu/issues/2213))
- Features: Add support for custom NGINX config in /etc/nginx/conf.d. ([#2221](https://github.com/Mailu/Mailu/issues/2221))
- Features: Added ability to mark spam mails as read or unread when moving to junk folder. ([#2278](https://github.com/Mailu/Mailu/issues/2278))
- Features: Switch from RainLoop to SnappyMail. SnappyMail has better performance and is more secure. ([#2295](https://github.com/Mailu/Mailu/issues/2295))
- Features: Configurable default spam threshold used for new users ([#2328](https://github.com/Mailu/Mailu/issues/2328))
- Features: Create a GUI for WILDCARD_SENDERS ([#2372](https://github.com/Mailu/Mailu/issues/2372))
- Features: Prevent signups with accounts for which an SQL-LIKE alias exists. ([#2429](https://github.com/Mailu/Mailu/issues/2429))
- Features: Introduce TLS_PERMISSIVE, a new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged, please read the documentation before doing so. ([#2449](https://github.com/Mailu/Mailu/issues/2449))
- Features: Upgrade the anti-spoofing rule. We shouldn't assume that Mailu is the only MTA allowed to send emails on behalf of the domains it hosts... but we should also ensure that both the envelope from and header from are checked. ([#2475](https://github.com/Mailu/Mailu/issues/2475))
- Features: Implement the required glue to make "doveadm -A" work ([#2498](https://github.com/Mailu/Mailu/issues/2498))
- Features: Implement a minimum length for passwords of 8 characters. Check passwords upon login against HaveIBeenPwned and warn users if their passwords are compromised. ([#2500](https://github.com/Mailu/Mailu/issues/2500))
- Features: Implement OLETools and block bad macros in office documents ([#2510](https://github.com/Mailu/Mailu/issues/2510))
- Features: Switch to GrapheneOS's hardened_malloc ([#2525](https://github.com/Mailu/Mailu/issues/2525))
- Features: New override system for Rspamd. In the old system, all files were placed in the Rspamd overrides folder.
These overrides would override everything, including the Mailu Rspamd config.
Now overrides are placed in /overrides.
If you use your own map files, change the location to /override/myMapFile.map in the corresponding conf file.
It works as following.
* If the override file overrides a Mailu defined config file,
it will be included in the Mailu config file with lowest priority.
It will merge with existing sections.
* If the override file does not override a Mailu defined config file,
then the file will be placed in the rspamd local.d folder.
It will merge with existing sections.
For more information, see the description of the local.d folder on the rspamd website:
- Features: Adds a button to the roundcube interface that gets you back to the admin interface ([#2591](https://github.com/Mailu/Mailu/issues/2591))
- Features: Drop postfix rsyslog localhost messages with IPv6 address ([#2594](https://github.com/Mailu/Mailu/issues/2594))
- Features: Isolate radicale and webmail on their own network. This ensures they don't have privileged access to any of the other containers. ([#2613](https://github.com/Mailu/Mailu/issues/2613))
- Features: Improved IPv6 support ([#2630](https://github.com/Mailu/Mailu/issues/2630))
- Features: Provide a changelog for minor releases. The github release will now:
* Provide the changelog message from the newsfragment of the PR that triggered the backport.
* Provide a github link to the PR/issue of the PR that was backported.
Switch to building multi-arch images. The images build for pull requests, master and production
are now multi-arch images for the architectures:
* linux/amd64
* linux/arm64/v8
* linux/arm/v7
Enhance CI/CD workflow with retry functionality. All steps for building images are now automatically
retried. If a build temporarily fails due to a network error, the retried step will still succeed. ([#2653](https://github.com/Mailu/Mailu/issues/2653))
- Features: Add Czech translation for web administration interface. ([#2676](https://github.com/Mailu/Mailu/issues/2676))
- Features: Allow inbound to http and mail ports to accept the PROXY protocol ([#2717](https://github.com/Mailu/Mailu/issues/2717))
- Bugfixes: Add an option so that emails fetched with fetchmail don't go through the filters (closes #1231) ([#1231](https://github.com/Mailu/Mailu/issues/1231))
- Bugfixes: Allow '+' in the localpart of email addresses to forward to ([#1236](https://github.com/Mailu/Mailu/issues/1236))
- Bugfixes: Do not update the updated_at field of the User model when quota_bytes_used is updated ([#1363](https://github.com/Mailu/Mailu/issues/1363))
- Bugfixes: Remove postfix's master.pid on startup if there is no other instance running ([#1483](https://github.com/Mailu/Mailu/issues/1483))
- Bugfixes: updated Dockerfile to alpine 3.14.3 to address several CVEs ([#2099](https://github.com/Mailu/Mailu/issues/2099))
- Bugfixes: The gpg-agent package was missing due to updating to a new debian version.
This fix adds gpg-agent back to the roundcube image.
It is used for the enigmail roundcube plugin. ([#2117](https://github.com/Mailu/Mailu/issues/2117))
- Bugfixes: Fix CI/CD workflow. Tags were not set to the correct commit hash. ([#2124](https://github.com/Mailu/Mailu/issues/2124))
- Bugfixes: Fix a bug preventing mailu from being usable when no webmail is configured ([#2125](https://github.com/Mailu/Mailu/issues/2125))
- Bugfixes: Enable unbound by default. Mailu now requires a DNSSEC validating DNS resolver and experience has shown that this may not be the default everywhere yet. ([#2135](https://github.com/Mailu/Mailu/issues/2135))
- Bugfixes: Pin the root certificate differently for DANE. If you have setup a TLSA record following previous suggestion from Mailu please update it. ([#2138](https://github.com/Mailu/Mailu/issues/2138))
- Bugfixes: Remove the misleading text in mailu.env that zstd and lz4 are supported for dovecot mail compression.
Zstd and lz4 are not supported. The reason is that the alpine project does not compile this
into the dovecot package.
Users who want this funcionality, can kindly request the alpine project to compile dovecot
with lz4&zstd support. ([#2139](https://github.com/Mailu/Mailu/issues/2139))
- Bugfixes: Update roundcube to 1.5.2 to fixe an XSS ([#2141](https://github.com/Mailu/Mailu/issues/2141))
- Bugfixes: matching rainloop php to roundcube's: timezone is a parameter in mailu.env ([#2193](https://github.com/Mailu/Mailu/issues/2193))
- Bugfixes: Added the /overrides directory in the roundcube config.inc.php file ([#2195](https://github.com/Mailu/Mailu/issues/2195))
- Bugfixes: Configuring pwstore_scheme in carddav plugin with des_key because Mailu is incompatible with encrypted
- Bugfixes: Switch from DST_ROOT_X3 to ISRG_X1 as alpine is not shipping the former anymore ([#2199](https://github.com/Mailu/Mailu/issues/2199))
- Bugfixes: Will update /etc/nginx/nginx.conf and /etc/nginx/http.d/rainloop.conf in webmail container to support MESSAGE_SIZE_LIMIT ([#2207](https://github.com/Mailu/Mailu/issues/2207))
- Bugfixes: Add input validation for domain creation ([#2210](https://github.com/Mailu/Mailu/issues/2210))
- Bugfixes: Make public announcement bypass the filters. They may still time-out before being sent if there is a large number of users. ([#2231](https://github.com/Mailu/Mailu/issues/2231))
- Bugfixes: Work around a bug in coredns: set the DO flag on our DNSSEC queries. Add a new FAQ entry to explain our DNSSEC requirements and ensure that our error message points to it. ([#2239](https://github.com/Mailu/Mailu/issues/2239))
- Bugfixes: Fetchmail: Missing support for '*_ADDRESS' env vars ([#2246](https://github.com/Mailu/Mailu/issues/2246))
- Bugfixes: Fix broken setup. Not all dependencies were pinned resulting in a broken update being pulled. ([#2249](https://github.com/Mailu/Mailu/issues/2249))
- Bugfixes: Fix a bug where rspamd may trigger HFILTER_HOSTNAME_UNKNOWN if part of the delivery chain was using ipv6 ([#2260](https://github.com/Mailu/Mailu/issues/2260))
- Bugfixes: Update to Alpine Linux 3.14.4 which contains a security fix for openssl. ([#2281](https://github.com/Mailu/Mailu/issues/2281))
- Bugfixes: Fixed AUTH_RATELIMIT_IP not working on imap/pop3/smtp. ([#2284](https://github.com/Mailu/Mailu/issues/2284))
- Bugfixes: update alpine linux docker image to version 3.14.5 which includes a security fix for zlib’s CVE-2018-25032. ([#2302](https://github.com/Mailu/Mailu/issues/2302))
- Bugfixes: postfix: wrap IPv6 CIDRs in square brackets for RELAYNETS ([#2325](https://github.com/Mailu/Mailu/issues/2325))
- Bugfixes: Disable the built-in nginx resolver for traffic going through the mail plugin. This will silence errors about DNS resolution when the connecting host has no rDNS. ([#2346](https://github.com/Mailu/Mailu/issues/2346))
- Bugfixes: Re-enable the built-in nginx resolver for traffic going through the mail plugin.
This is required for passing rDNS/ptr information to postfix.
Without this rspamd will flag all messages with DHFILTER_HOSTNAME_UNKNOWN due to the missing rDNS/ptr info. ([#2368](https://github.com/Mailu/Mailu/issues/2368))
- Bugfixes: Roundcube overrides now also include .inc.php files. Only .inc.php should be used moving forward. ([#2388](https://github.com/Mailu/Mailu/issues/2388))
- Bugfixes: Forwarding emails user setting did not support 1 letter domains. ([#2402](https://github.com/Mailu/Mailu/issues/2402))
- Bugfixes: Update roundcube to 1.5.3
Update rcmcarddav plugin to 4.4.2 ([#2415](https://github.com/Mailu/Mailu/issues/2415))
- Bugfixes: Switch from mysqlclient to mysql-connector explicitely ([#2432](https://github.com/Mailu/Mailu/issues/2432))
- Bugfixes: Enable rspamd's autolearn feature to ensure that its bayes classifier has enough HAM to make it usable. Previously the bayes module would never work unless some HAM had been learnt manually. ([#2447](https://github.com/Mailu/Mailu/issues/2447))
- Bugfixes: Fix a bug preventing users without IMAP access to access the webmails ([#2451](https://github.com/Mailu/Mailu/issues/2451))
- Bugfixes: Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES ([#2467](https://github.com/Mailu/Mailu/issues/2467))
- Bugfixes: Quote SMTP SIZE to avoid splitting keyword and parameter in EHLO response ([#2485](https://github.com/Mailu/Mailu/issues/2485))
- Bugfixes: Upgrade to alpine 3.16.2 ([#2497](https://github.com/Mailu/Mailu/issues/2497))
- Bugfixes: Fix: include start and end dates in the auto-reply period ([#2512](https://github.com/Mailu/Mailu/issues/2512))
- Bugfixes: Fix creation of deep structures using import in update mode ([#2601](https://github.com/Mailu/Mailu/issues/2601))
- Bugfixes: Speak HAPROXY protocol in between front and smtp and front and imap. This ensures the backend is aware of the real client IP and whether TLS was used. ([#2603](https://github.com/Mailu/Mailu/issues/2603))
- Bugfixes: Fix a bug introduced in master whereby anything locally generated (sieve, autoresponder, ...) would be blocked by the anti-spoofing rules ([#2633](https://github.com/Mailu/Mailu/issues/2633))
- Bugfixes: Fix sieve/out of office replies by adding SUBNET to rspamd's local_networks ([#2635](https://github.com/Mailu/Mailu/issues/2635))
- Bugfixes: Uses the correct From address (instead of an SRS alias) in the sieve/vacation module ([#2640](https://github.com/Mailu/Mailu/issues/2640))
- Bugfixes: Tell roundcube to use UTF8 instead of 'UTF7-IMAP' when creating sieve scripts. ([#2650](https://github.com/Mailu/Mailu/issues/2650))
- Bugfixes: Tweak the snuffleupagus rules to make roundcube's caldav work ([#2693](https://github.com/Mailu/Mailu/issues/2693))
- Bugfixes: Proxy authentication was using the real client ip instead of the proxy
IP for checking the PROXY_AUTH_WHITELIST. ([#2708](https://github.com/Mailu/Mailu/issues/2708))
- Improved Documentation: remove the / in the location to avoid http 404 ([#2185](https://github.com/Mailu/Mailu/issues/2185))
Upgrade should run fine as long as you generate a new compose or stack configuration and upgrade your mailu.env. Please note that once you have upgraded to 1.9 you won't be able to roll-back to earlier versions without resetting user passwords.
One major change for the docker compose file is that the antispam container needs a fixed hostname [#1837](https://github.com/Mailu/Mailu/issues/1837).
Please note that the shipped image for PostgreSQL database is fully deprecated now. To migrate to the official PostgreSQL image, you can follow our guide [here](https://mailu.io/master/database.html#mailu-postgresql)
- Features: Document how to setup client autoconfig using an override ([#224](https://github.com/Mailu/Mailu/issues/224))
- Features: Add support for timezones ([#1154](https://github.com/Mailu/Mailu/issues/1154))
- Features: Ensure that RCVD_NO_TLS_LAST doesn't add to the spam score (as TLS usage can't be determined) ([#1705](https://github.com/Mailu/Mailu/issues/1705))
- Features: Add support for ECDSA certificates when letsencrypt is used. This means dropping compatibility for android <4.1.1
Add LETSENCRYPT_SHORTCHAIN to your configuration to avoid sending ISRG Root X1 (this will break compatibility with android <7.1.1)
Disable AUTH command on port 25
Disable TLS tickets, reconfigure the cache to improve Forward Secrecy
Prevent clear-text credentials from being sent to relays ([#1922](https://github.com/Mailu/Mailu/issues/1922))
- Features: Improved the SSO page. Warning! The new endpoints /sso and /static are introduced.
These endpoints are now used for handling sign on requests and shared static files.
You may want to update your reverse proxy to proxy /sso and /static to Mailu (to the front service).
The example section of using a reverse proxy is updated with this information.
- New SSO page is used for logging in Admin or Webmail.
- Made SSO page available separately. SSO page can now be used without Admin accessible (ADMIN=false).
- Introduced stub /static which is used by all sites for accessing static files.
- Removed the /admin/ prefix to reduce complexity of routing with Mailu. Admin is accessible directly via /admin instead of /admin/ui
Note: Failed logon attempts are logged in the logs of admin. You can watch this with fail2ban. ([#1929](https://github.com/Mailu/Mailu/issues/1929))
- Features: Disable the login page if SESSION_COOKIE_SECURE is incompatible with how Mailu is accessed as this seems to be a common misconfiguration. ([#1996](https://github.com/Mailu/Mailu/issues/1996))
- Features: Derive a new subkey (from SECRET_KEY) for SRS ([#2002](https://github.com/Mailu/Mailu/issues/2002))
- Features: allow sending emails as user+detail@domain.tld ([#2007](https://github.com/Mailu/Mailu/issues/2007))
- Features: rspamd: get dkim keys via REST API instead of filesystem ([#2017](https://github.com/Mailu/Mailu/issues/2017))
- Features: updated roundcube to 1.5 and carddav to 4.2.2 using php8 ([#2035](https://github.com/Mailu/Mailu/issues/2035))
- Features: use dovecot-fts-xapian from alpine package ([#2072](https://github.com/Mailu/Mailu/issues/2072))
- Features: Make the rate limit apply to a subnet rather than a specific IP (/24 for v4 and /56 for v6) ([#116](https://github.com/Mailu/Mailu/issues/116))
- Features: Add instructions on how to create DNS records for email client auto-configuration (RFC6186 style) ([#224](https://github.com/Mailu/Mailu/issues/224))
- Features: Remove the Received header with PRIMARY_HOSTNAME [PUBLIC_IP] ([#466](https://github.com/Mailu/Mailu/issues/466))
- Features: Centralize the authentication of webmails behind the admin interface ([#783](https://github.com/Mailu/Mailu/issues/783))
- Features: Add sending quotas per user ([#1031](https://github.com/Mailu/Mailu/issues/1031))
- Features: Allow specific users to send emails from any address using the WILDCARD_SENDERS setting ([#1096](https://github.com/Mailu/Mailu/issues/1096))
- Features: Use semantic versioning for building releases.
- Add versioning (tagging) for branch x.y (1.8). E.g. 1.8.0, 1.8.1 etc.
- docker repo will contain x.y (latest) and x.y.z (pinned version) images.
- The X.Y.Z tag is incremented automatically. E.g. if 1.8.0 already exists, then the next merge on 1.8 will result in the new tag 1.8.1 being used.
- Make the version available in the image.
- For X.Y and X.Y.Z write the version (X.Y.Z) into /version on the image and add a label with version=X.Y.Z
- This means that the latest X.Y image shows the pinned version (X.Y.Z e.g. 1.8.1) it was based on. Via the tag X.Y.Z you can see the commit hash that triggered the built.
- For master write the commit hash into /version on the image and add a label with version={commit hash}
- Release shows a static message (see RELEASE_TEMPLATE.md) that explains how to reach the newsfragments folder and change the branch to the tag (x.y.z) mentioned in the release. Now you can get the changelog by reading all newsfragment files in this folder. ([#1182](https://github.com/Mailu/Mailu/issues/1182))
- Features: Add a credential cache to speedup authentication requests. ([#1194](https://github.com/Mailu/Mailu/issues/1194))
- Features: Introduces postfix logging via syslog with these features:
- stdout logging still enabled
- internal test request log messages (healthcheck) are filtered out by rsyslog
- optional logging to file via POSTFIX_LOG_FILE env variable
To use logging to file configure in mailu.env
- ``POSTFIX_LOG_FILE``: The file to log the mail log to ([#1441](https://github.com/Mailu/Mailu/issues/1441))
- Features: Make smtp_tls_policy_maps easily configurable ([#1558](https://github.com/Mailu/Mailu/issues/1558))
- Features: Implement a language selector for the admin interface. ([#1567](https://github.com/Mailu/Mailu/issues/1567))
- Features: Add cli commands config-import and config-export ([#1604](https://github.com/Mailu/Mailu/issues/1604))
- Features: Implement SECRET_KEY_FILE and DB_PW_FILE variables for usage with Docker secrets. ([#1607](https://github.com/Mailu/Mailu/issues/1607))
- Features: Add possibility to enforce inbound STARTTLS via INBOUND_TLS_LEVEL=true ([#1610](https://github.com/Mailu/Mailu/issues/1610))
- Features: Refactor the rate limiter to ensure that it performs as intented. ([#1612](https://github.com/Mailu/Mailu/issues/1612))
- Features: Enable OCSP stapling for the http server within nginx. ([#1618](https://github.com/Mailu/Mailu/issues/1618))
- Features: Enable support of all hash types passlib supports. ([#1662](https://github.com/Mailu/Mailu/issues/1662))
- Features: Support configuring lz4 and zstd compression for dovecot. ([#1694](https://github.com/Mailu/Mailu/issues/1694))
- Features: Switch to bcrypt_sha256, replace PASSWORD_SCHEME with CREDENTIAL_ROUNDS and dynamically update existing hashes on first login ([#1753](https://github.com/Mailu/Mailu/issues/1753))
- Features: Implement AdminLTE 3 for the admin interface. ([#1764](https://github.com/Mailu/Mailu/issues/1764))
- Features: Implement MTA-STS and DANE validation. Introduce DEFER_ON_TLS_ERROR (default: True) to harden or loosen the policy enforcement. ([#1798](https://github.com/Mailu/Mailu/issues/1798))
- Features: Remove cyrus-sasl-plain as it's not packaged by alpine anymore. SASL-login is still available and used when relaying. ([#1851](https://github.com/Mailu/Mailu/issues/1851))
- Features: Hebrew translation has been completed. ([#1873](https://github.com/Mailu/Mailu/issues/1873))
- Features: Log authentication attempts on the admin portal ([#1926](https://github.com/Mailu/Mailu/issues/1926))
- Features: AdminLTE3 design optimizations, asset compression and caching
The relevant fetchmail files are now retained in the /data folder (in the fetchmail image).
See the docker-compose.yml file for the relevant volume mapping.
If you already had your own mapping, you must double check the volume mapping and take action. ([#1223](https://github.com/Mailu/Mailu/issues/1223))
- Bugfixes: Ensure that the podop socket is always owned by the postfix user (wasn't the case when build using non-standard base images... typically for arm64) ([#1294](https://github.com/Mailu/Mailu/issues/1294))
- Bugfixes: Fix "extract_host_port" function to support containers with custom / dynamic ports ([#1669](https://github.com/Mailu/Mailu/issues/1669))
- Bugfixes: Fix CVE-2021-23240, CVE-2021-3156 and CVE-2021-23239 for postgresql
by force-upgrading sudo. ([#1760](https://github.com/Mailu/Mailu/issues/1760))
- Bugfixes: Fix roundcube environment configuration for databases ([#1831](https://github.com/Mailu/Mailu/issues/1831))
- Bugfixes: Alpine has removed support for btree and hash in postfix... please use lmdb instead ([#1917](https://github.com/Mailu/Mailu/issues/1917))
- Bugfixes: Webmail and Radicale (webdav) were not useable with domains with special characters such as umlauts.
Webmail and radicale now use punycode for logging in.
Punycode was not used in the HTTP headers. This resulted in illegal non-ASCII HTTP headers. ([#1952](https://github.com/Mailu/Mailu/issues/1952))
- Bugfixes: Ensure that we do not trust the source-ip address set in headers if REAL_IP_HEADER isn't set. If you are using Mailu behind a reverse proxy, please ensure that you do read the documentation. ([#1960](https://github.com/Mailu/Mailu/issues/1960))
- Bugfixes: Reverse proxy documentation has been updated to reflect new security hardening from PR#1959.
If you do not set the configuration parameters in Mailu what reverse proxy header to trust,
then Mailu will not have access to the real ip address of the connecting client.
It is very important to configure this when using a reverse proxy. ([#1962](https://github.com/Mailu/Mailu/issues/1962))
- Bugfixes: Fixed roundcube sso login not working. ([#1990](https://github.com/Mailu/Mailu/issues/1990))
- Bugfixes: The DB_PORT and ROUNDCUBE_DB_PORT environment variables were not actually used. They are removed from the documentation. For using different ports you can already use the notation host:port . ([#2073](https://github.com/Mailu/Mailu/issues/2073))
- Bugfixes: Ensure that webmail tokens expire in sync with sessions ([#2080](https://github.com/Mailu/Mailu/issues/2080))
- Bugfixes: Introduce SESSION_TIMEOUT (1h) and PERMANENT_SESSION_LIFETIME (30d) ([#2094](https://github.com/Mailu/Mailu/issues/2094))
- Bugfixes: Hide the login of the user in sent emails ([#1638](https://github.com/Mailu/Mailu/issues/1638))
- Bugfixes: SSO login page to webmail did not work if WEB_WEBMAIL=/ was set. ([#2078](https://github.com/Mailu/Mailu/issues/2078))
- Bugfixes: #2079 Webmail token check does not work if WEBMAIL_ADDRESS is set to a hostname.
#2081 Fix typo in nginx config for webmail port (10043 to 10143) ([#2079](https://github.com/Mailu/Mailu/issues/2079))
- Bugfixes: Alias, relay and fetchmail lists in the admin interface were missing the edit button. ([#2093](https://github.com/Mailu/Mailu/issues/2093))
- Bugfixes: Fix bug introduced by enhanced session management ([#2098](https://github.com/Mailu/Mailu/issues/2102))
This 2Gb does not entail any other software running on the box.
So in total you require at least 3GB of memory and 1GB swap when antivirus is enabled. ([#470](https://github.com/Mailu/Mailu/issues/470))
- Improved Documentation: Added documentation for how to switch the database back-end used by Mailu.
Added documentation for migrating from the deprecated Mailu PostgreSQL image to a different PostgreSQL database. ([#1037](https://github.com/Mailu/Mailu/issues/1037))
- Improved Documentation: Add documentation for Traefik 2 in Reverse Proxy ([#1503](https://github.com/Mailu/Mailu/issues/1503))
- Features: Update version of roundcube webmail and carddav plugin. This is a security update. ([#1841](https://github.com/Mailu/Mailu/issues/1841))
- Features: Update version of rainloop webmail to 1.16.0. This is a security update. ([#1845](https://github.com/Mailu/Mailu/issues/1845))
- Features: Changed default value of AUTH_RATELIMIT_SUBNET to false. Increased default value of the rate limit in setup utility (AUTH_RATELIMIT) to a higher value. ([#1867](https://github.com/Mailu/Mailu/issues/1867))
- Features: Update jquery used in setup. Set pinned versions in requirements.txt for setup. This is a security update. ([#1880](https://github.com/Mailu/Mailu/issues/1880))
- Bugfixes: Replace PUBLIC_HOSTNAME and PUBLIC_IP in "Received" headers to ensure that no undue spam points are attributed ([#191](https://github.com/Mailu/Mailu/issues/191))
dovecot which contains a fixed dovecot version. ([#1720](https://github.com/Mailu/Mailu/issues/1720))
- Bugfixes: Antispam service now uses a static hostname. Rspamd history is only retained when the service has a fixed hostname. ([#1837](https://github.com/Mailu/Mailu/issues/1837))
- Bugfixes: Fix a bug preventing colons from being used in passwords when using radicale/webdav. ([#1861](https://github.com/Mailu/Mailu/issues/1861))
- Bugfixes: Remove dot in blueprint name to prevent critical flask startup error in setup. ([#1874](https://github.com/Mailu/Mailu/issues/1874))
- Bugfixes: fix punycode encoding of domain names ([#1891](https://github.com/Mailu/Mailu/issues/1891))
- Improved Documentation: Update fail2ban documentation to use systemd backend instead of filepath for journald ([#1857](https://github.com/Mailu/Mailu/issues/1857))
- Misc: Switch from client side (cookie) sessions to server side sessions and protect against session-fixation attacks. We recommend that you change your SECRET_KEY after upgrading. ([#1783](https://github.com/Mailu/Mailu/issues/1783))
- Features: Add support for backward-forwarding using SRS ([#328](https://github.com/Mailu/Mailu/issues/328))
- Features: Add options to support different architectures builds ([#985](https://github.com/Mailu/Mailu/issues/985))
- Features: Add support for Traefik v2 certificate dumping ([#1011](https://github.com/Mailu/Mailu/issues/1011))
- Features: Resolve hosts to IPs if only HOST_* is set. If *_ADDRESS is set, leave it unresolved. ([#1113](https://github.com/Mailu/Mailu/issues/1113))
- Features: - Use nginx as http endpoint on kubernetes to simplify ingress ([#1158](https://github.com/Mailu/Mailu/issues/1158))
- Features: Advertise correct mail capabilities through the front-container, this also enables support for PIPELINING in mail-protocols and IMAP IDLE which is a (potential) performance gain. ([#1160](https://github.com/Mailu/Mailu/issues/1160))
- Features: Change default password scheme to PBKDF2 ([#1194](https://github.com/Mailu/Mailu/issues/1194))
- Features: Enable access log of admin service only for log levels of INFO and finer ([#1197](https://github.com/Mailu/Mailu/issues/1197))
- Features: japanese loca is now available ([#1207](https://github.com/Mailu/Mailu/issues/1207))
- Features: Allow to reject virus mails by setting ANTIVITUS_ACTION=reject ([#1259](https://github.com/Mailu/Mailu/issues/1259))
- Features: Update roundcube to 1.4.0 and enable the new elastic skin ([#1267](https://github.com/Mailu/Mailu/issues/1267))
- Features: The roundcube container does support mysql now (no setup integration yet) ([#1268](https://github.com/Mailu/Mailu/issues/1268))
- Features: Added CardDAV-Plugin for webmail roundcube. ([#1298](https://github.com/Mailu/Mailu/issues/1298))
- Features: Allow users to use server-sided full-text-search again by adding the dovecot fts-xapian plugin ([#1320](https://github.com/Mailu/Mailu/issues/1320))
- Features: Relay a domain to a nonstandard SMTP port by adding ":<port_num>" to the remote hostname or IP address. ([#1357](https://github.com/Mailu/Mailu/issues/1357))
- Features: Allow to enforce TLS for outbound mail by setting OUTBOUND_TLS_LEVEL=encrypt for postfix. ([#1478](https://github.com/Mailu/Mailu/issues/1478))
- Features: Introduce option to disable dovecot full-text-search by an enviroment variable. ([#1538](https://github.com/Mailu/Mailu/issues/1538))
- Features: Add support for AUTH LOGIN authentication mechanism for relaying email via smart hosts. ([#1635](https://github.com/Mailu/Mailu/issues/1635))
- Bugfixes: Fix the password encoding upon authentication ([#1139](https://github.com/Mailu/Mailu/issues/1139))
- Bugfixes: Fix piping mail into rspamd when moving from/to junk-folder ([#1177](https://github.com/Mailu/Mailu/issues/1177))
- Bugfixes: Separate HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI because of different ports ([#1190](https://github.com/Mailu/Mailu/issues/1190))
- Bugfixes: Make postfix mailqueue persistent ([#1208](https://github.com/Mailu/Mailu/issues/1208))
- Bugfixes: Kubernetes manifests updated to be compatible with Kubernetes 1.16 (breaks compatibility with older k8s versions) ([#1241](https://github.com/Mailu/Mailu/issues/1241))
- Bugfixes: Use pip package for radicale to fix failing builds caused by [alpine]upstream package rebuild against different python version ([#1255](https://github.com/Mailu/Mailu/issues/1255))
- Bugfixes: Enable the From header for message delivery report in Roundcube and ensure DKIM Signature ([#1381](https://github.com/Mailu/Mailu/issues/1381))
- Bugfixes: Fix alias resolution in regard to case: A specifically matching alias of wrong case is now preferred over a wildcard alias that might have »eaten« it previously. ([#1387](https://github.com/Mailu/Mailu/issues/1387))
- Bugfixes: Show SPF records in accordance with RFC 7208: Previously we instructed admins to create SPF and TXT records, where only TXT records are correct now. !! Attention !! You need to manually remove the SPF-typed records and keep only TXT in your DNS. ([#1394](https://github.com/Mailu/Mailu/issues/1394))
- Bugfixes: Cover relearning messages when moving bewteen Ham and Spam status ([#1438](https://github.com/Mailu/Mailu/issues/1438))
- Bugfixes: Defining POSTMASTER through setup tool apply also to DMARC_RUA and DMARC_RUF settings ([#1463](https://github.com/Mailu/Mailu/issues/1463))
- Features: Don’t use complicated rsyslogd logging in postfix anymore, instead start the daemon directly — configured to log to stdout. ([#1049](https://github.com/Mailu/Mailu/issues/1049))
- Features: Update alpine to 3.10 and clean up the ensuing problems. ([#1051](https://github.com/Mailu/Mailu/issues/1051))
- Features: Update user password in commandline ([#1066](https://github.com/Mailu/Mailu/issues/1066))
- Features: use HTTP/1.1 for proxyied connections ([#1070](https://github.com/Mailu/Mailu/issues/1070))
- Features: Update Rainloop to 1.13.0 ([#1071](https://github.com/Mailu/Mailu/issues/1071))
- Features: Use python package socrate instead of Mailustart ([#1082](https://github.com/Mailu/Mailu/issues/1082))
- Bugfixes: Use ldez/traefik-certs-dumper in our certificate dumper to have a more robust solution ([#820](https://github.com/Mailu/Mailu/issues/820))
- Bugfixes: Make aliases optionally case-insensitive: After attempting to resolve an alias in its preserved case, also attempt to match it case-insensitively ([#867](https://github.com/Mailu/Mailu/issues/867))
- Feature: Kubernetes support ([#576](https://github.com/Mailu/Mailu/issues/576))
- Feature: Option to bounce or reject email when recipient is unknown ([#583](https://github.com/Mailu/Mailu/issues/583), [#626](https://github.com/Mailu/Mailu/issues/626))
- Feature: implement healthchecks for all containers ([#631](https://github.com/Mailu/Mailu/issues/631))
- Feature: Option to send front logs to journald or syslog ([#584](https://github.com/Mailu/Mailu/issues/584), [#661](https://github.com/Mailu/Mailu/issues/661))
- Feature: Support bcrypt and PBKDF2 ([#647](https://github.com/Mailu/Mailu/issues/647), [#667](https://github.com/Mailu/Mailu/issues/667))
- Enhancement: Add original Delivered-To header to received messages ([#433](https://github.com/Mailu/Mailu/issues/433))
- Enhancement: Use HOST_ADMIN in "Forwarding authentication server" ([#436](https://github.com/Mailu/Mailu/issues/436), [#437](https://github.com/Mailu/Mailu/issues/437))
- Enhancement: Use POD_ADDRESS_RANGE for Dovecot ([#448](https://github.com/Mailu/Mailu/issues/448))
- Enhancement: Using configurable filenames for TLS certs ([#468](https://github.com/Mailu/Mailu/issues/468))
- Enhancement: Use PHP 7.2 for rainloop and roundcube ([#606](https://github.com/Mailu/Mailu/issues/606), [#642](https://github.com/Mailu/Mailu/issues/642))
- Enhancement: Add logging at critical places in python start.py scripts. Implement LOG_LEVEL to control verbosity ([#588](https://github.com/Mailu/Mailu/issues/588))