Mailu 2024.03 is available. This release contains new features and many bug fixes. Please at least read the section `upgrading` before attempting to upgrade to the new release.
Previously the sieve filters could only be edited via the webmail client. It is now also possible to use an external sieve client for manageming the sieve rules. Configure the sieve client to connect to Mailu on the default sieve port 4190.
RESTful API enhancements
^^^^^^^^^^^^^^^^^^^^^^^^
The User interface is enhanced with the quota bytes used (quota_bytes_used) attribute. This attribute states the usage (in bytes) of the mailbox. In combination with the attribute quota_bytes, it is possible to check how much storage an user has left via the RESTful API.
The new `token` endpoint allows the management of authentication tokens. It is recommened to create authentication tokens for all users and configure the email clients to use these authentication tokens for connecting to Mailu.
Force password change
^^^^^^^^^^^^^^^^^^^^^
A setting is introduced to force an user to change its password. After changing the password, all sessions are invalidated.
This setting can be configured via:
* Admin webui
* Mailu cli command `config-import`
* RESTful API via the User endpoint and attribute `change_pw_next_login`
Translations
^^^^^^^^^^^^
The following translations for the Admin webui have been added:
* Chinese
* Persion (a.k.a Farsi)
* Ukrainian
All language translations are handled by the community. If you see a translation error for your native language, consider submitting a pull request to address this.
Download zonefile on domain details page
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
On the domain details page a download option is added for downloading the zone file. This zone file can be used to easily import all Mailu DNS settings.
Roundcube spellchecker
^^^^^^^^^^^^^^^^^^^^^^
The roundcube spellchecker can be configured to support different languages than English. For how to configure alternative languages, refer to the FAQ entry: `How can I add more languages to roundcube's spellchecker`.
Improved mailbox indexer and full attachment indexing
The dovecot indexer indexes all emails for the server-side search functionality. It is used when searching via the webmail client. In email clients it might be required to enable server-side searching.
The dovecot indexer has been switched from fts-xapian to fts-flatcurve. In the future this will be the new default indexer for dovecot. This indexer is quicker and results in smaller index files.
Apache Tika has been added to Mailu to add support for attachments indexing. As a result the server-side search functionality does not only search through emails, but also through the attachments of emails.
Refer to `FULL_TEXT_SEARCH` in the `configuration reference` to enable indexing for non-English languages.
After upgrading, the new indexes are not automatically created. To create these after upgrading Mailu:
docker compose exec imap doveadm user '*'|while read u; do docker compose exec imap doveadm index -u $u '*'; done
Introduction AUTH_REQUIRE_TOKENS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The environment variable `AUTH_REQUIRE_TOKENS` has been introduced. This setting can be enabled to force email clients to use authentication tokens (instead of passwords) for authenticating to Mailu. Note that authentication tokens can now also be generated via the RESTful API.
It is recommended to use authentication tokens instead of passwords for connecting email clients to Mailu.
Change in behaviour
```````````````````
POSTFIX_LOG_FILE removed
^^^^^^^^^^^^^^^^^^^^^^^^
The setting POSTFIX_LOG_FILE and its functionality has been removed from Mailu. To log to file (for any container) it is possible to use journald and rsyslogd.
The new FAQ entry `How can I view and export the logs of a Mailu container?` describes how log files can be viewed via journald. It also provides instructions for how to install and configure rsyslogd for saving container logs to file system (including log rotation).
The hardened malloc is disabled by default
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Mailu is shipped with a hardened memory allocator. This is a security-focused general purpose memory allocator which provides substantial hardening against heap corruption vulnerabilities.
It can only be enabled when the used CPU supports Advanced Vector Extensions (AVX2 on x86_64, lrcpc on ARM64).
After upgrading Mailu, check the logs of the admin container (`docker compose logs admin`. If it shows the following line, then it can be enabled:
..code-block:: bash
WARNING:root:Your CPU has Advanced Vector Extensions available, we recommend you enable hardened-malloc earlier in the boot process by adding LD_PRELOAD=/usr/lib/libhardened_malloc.so to your mailu.env
**Only** if the above message is logged, then the hardened malloc can be enabled by adding the following line to `mailu.env`.
..code-block:: bash
LD_PRELOAD=/usr/lib/libhardened_malloc.so
Recreate all docker containers (`docker compose up -d`) for the changes to be propagated.
Emails marked by clamav are rejected now. These used to be silently dropped
In the past emails marked by clamav (the virusscanner) were dropped. Now these emails are rejected. That means that the person who sent the email receives a reply that the email was rejected due to the email being flagged by clamav.
Via setup.mailu.io generate the new docker-compose.yml file and mailu.env file. If tika is enabled (enabling searching through attachments), then 1 to 2GB of extra RAM memory is required. Re-add any customizations in mailu.env. Before making changes to mailu.env, check the `configuration reference` page on mailu.io. Check if the setting is still in use before adding it to the new `mailu.env` file.
If POSTFIX_LOG_FILE was used, refer to the new FAQ entry `How can I view and export the logs of a Mailu container?` on how to configure similar functionality. POSTFIX_LOG_FILE is deprecated. Mailu will ignore this setting.
If a reverse proxy is used on the same host, consider switching to traefik using the updated instructions. Refer to `Using an external reverse proxy` on mailu.io. With these updated instructions Mailu will handle requesting all certificates. It is not required anymore to copy certificates from the reverse proxy to Mailu.
After upgrading
^^^^^^^^^^^^^^^
After upgrading Mailu, perform the followings tasks.
docker compose exec imap doveadm user '*'|while read u; do docker compose exec imap doveadm index -u $u '*'; done
Enabled the hardened memory allocator
*************************************
View the admin container logs via `docker compose logs admin`
..code-block:: bash
WARNING:root:Your CPU has Advanced Vector Extensions available, we recommend you enable hardened-malloc earlier in the boot process by adding LD_PRELOAD=/usr/lib/libhardened_malloc.so to your mailu.env
**Only** if the above message is logged, then the hardened malloc can be enabled by adding the following line to `mailu.env`.
..code-block:: bash
LD_PRELOAD=/usr/lib/libhardened_malloc.so
Recreate all docker containers (`docker compose up -d`) for the changes to be propagated.
Mailu 2.0 is finally available. It is vital to read the `Upgrading` section before upgrading to Mailu 2.0 as it introduces major features and breaking changes from 1.9.
It won't let any email which pretends to be for any of the local domains through unless they pass DMARC. This means that if you intend on sending emails for a domain hosted on the Mailu instance to the Mailu instance from somwhere else, you must setup DMARC.
In line with security best practices from `NIST (Special Publication 800-63B) <https://pages.nist.gov/800-63-3/sp800-63b.html#5111-memorized-secret-authenticators>`_, we have introduced a password policy.
- to prevent crendential bruteforce (an attacker trying to guess a password), we limit the maximal amount of attempts an attacker has for a given account (from any IP address).
- to prevent password spraying (an attacker trying the same common password on all accounts he can enumerate), we limit the maximal number of non-existing accounts an attacker can attempt to authenticate against from a given network subnet.
We have also implemented state-of-the-art features such as `Device Cookies <https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies>`_ and IP-whitelisting post-authentication to ensure we don't lock genuine users out.
Rate-limiters have a bad name because they are often misunderstood. If you have used Mailu's rate-limiter in the past and had a bad experience please consider giving it another try after upgrading.
Users who only use the /admin endpoint can now bookmark https://test.mailu.io/admin. When logging in, it is possible to use the `Enter` key again to login (this will not login the webmail but admin).
`OLETools <https://github.com/decalage2/oletools>`_ is introduced to block bad macros in Microsoft Office documents. OLETools is able to scan Microsoft Office documents and determine if a macro is malicous.
By default attachments with know bad/executable file extensions (such as ``.exe``) are blocked. See the FAQ for more information on updating the list of blocked file extensions.
Reverse proxies can connect to Mailu with the `proxy protocol <https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt>`_ for HTTP and Mail. Below is a small example for Traefik connecting via proxy protocol to Mailu
We have gone further than ever. Now Mailu containers drop their privileges and communicate on separate networks. They also share the same base image where on x86 `a Hardened memory allocator <https://github.com/GrapheneOS/hardened_malloc>`_ is configured.
- Features: Prevent signups with accounts for which an SQL-LIKE alias exists.
- Features: Introduce TLS_PERMISSIVE, a new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged, please read the documentation before doing so.
If you use ``TLS_FLAVOR=letsencrypt``, add autoconfig.myhostname.com to the setting ``HOSTNAMES=`` in mailu.env to generate a certificate for the autoconfig endpoint as well.
- outbound SMTP connections from Mailu are now enjoying some protection against active attackers thanks to DANE and MTA-STS support. Specific policies can be configured for specific destinations thanks to ``tls_policy_maps`` and configuring your system to publish a policy has been documented in the FAQ.
- outbound emails can now be rate-limited (to mitigate SPAM in case an account is taken over)
- long term storage of passwords has been rethought to enable stronger protection against offline attackers (switch to iterated and salted SHA+bcrypt) while enabling much better performance (credential cache). Please encourage your users to use tokens where appropriate and keep in mind that existing hashes will be converted on first use to the new format.
- session handling has been reworked from the grounds up: they have been switched from client side (cookies) to server-side, unified (SSO, expiry, lifetime) across all web-facing applications and some mitigations against session fixation have been implemented.
- rate limiting has seen many improvements: It is now deployed on all entry points (SMTP/IMAP/POP3/WEB/WEBMAIL) and configured to defeat both password bruteforces (thanks to a limit against total number of failed attempts against an account over a period) and password spraying (thanks to a limit for each client on the total number of non-existing accounts that can be queried). Exemption mechanisms have been put in place (device tokens, dynamic IP whitelists) to ensure that genuine clients and users won't be affected by default and the default configuration thought to fit most use-cases.
- if you use letsencrypt, Mailu is now configured to offer both RSA and ECC certificates to clients; It will OSCP staple its replies where appropriate
The Web Administration interface makes use of AdminLTE. The AdminLTE2 technology has been upgraded to AdminLTE3. This cost a lot of effort due to the changes between AdminLTE2 and AdminLTE3.
As a result the webpage looks more modern. All tables now have a filter and columns that can be sorted. If you have many users or domains, this will be a very welcome new feature!
With this new command it is very easy to switch to a different database management system for the Mailu database. Simply dump your configuration to yaml file.
After setting up your new Mailu system with the different DBMS, you can import the yaml file with all Mailu configuration.
For more information, see the :ref:`Mailu command line <config-export>` page.
A new single sign on login page is introduced which handles logins for the Mailu Web Administration Interface and webmail. It has enabled a drastic attack-surface reduction and will enable us to add support for two factor authentication in the future.
See the :ref:`updated Fail2Ban documentation <Fail2Ban>` for more information.
Semantic versioning
^^^^^^^^^^^^^^^^^^^
From Mailu 1.9, we will use semantic versioning. First we only had x.y (e.g. 1.9) releases. For every update to an existing version, we will create an additional x.y.z (e.g. 1.9.1) release.
- The X.Y (1.9) tag will always feature the latest version.
- The X.Y.Z (1.9.1) tag is a pinned version. This release is not updated. You can use this to update in a controlled manner. At a convenient time, you can choose to switch to a newer version (e.g 1.9.2). The X.Y.Z tag is incremented automatically when an update is pushed for the X.Y release.
The images now also contain the release it was built for.
- Every docker image will have a docker label with the version.
- Every docker image will have the file /version with the same version information.
- Master images will contain the commit hash that initiated the built of the image.
- X.Y and X.Y.Z images will have the X.Y.Z version that triggered the built.
On the github project we will automatically create releases for each X.Y.Z release. Via this release you can check what commit hash the tag is assigned to.
With this improvement in our CI/CD workflow, it is possible to be notified when an update is released via github releases. It is also possible to use pinned versions to update in a controlled manner.
Upgrade should run fine as long as you generate a new compose or stack configuration and upgrade your mailu.env. Please note that once you have upgraded to 1.9 you won't be able to roll-back to earlier versions without resetting user passwords.
If you use a reverse proxy in front of Mailu, it is vital to configure the newly introduced environment variables `REAL_IP_HEADER`` and `REAL_IP_FROM`.
These settings tell Mailu that the HTTP header with the remote client IP address from the reverse proxy can be trusted.
For more information see the :ref:`configuration reference <reverse_proxy_headers>`.
If you use Fail2Ban, you configure Fail2Ban to monitor failed logon attempts for the web-facing frontend (Admin/Webmail). See the :ref:`updated Fail2Ban documentation <Fail2Ban>` for more information.
The full 1.8 release is finally ready. There have been some changes in the contributors team. Many people from the contributors team have stepped back due to changed priorities in their life.
We are very grateful for all their contributions and hope we will see them back again in the future.
Fortunately more people have decided to join the project. Some very nice contributions have been made which will become part of the next 1.9 release.
We hope that future Mailu releases will be released more quickly now we have more active contributors again.
For a list of all changes refer to `CHANGELOG.md` in the root folder of the Mailu github project. Please read the 'Override location changes' section further on this page. It contains important information for the people who use the overrides folder.
New Functionality & Improvements
````````````````````````````````
Here’s a short summary of new features:
- Roundcube and Rainloop have been updated.
- All dependencies have been updated to the latest security update.
- Switch from client side (cookie) sessions to server side sessions and protect against session-fixation attacks. We recommend that you change your SECRET_KEY after upgrading.
The shipped image for PostgreSQL is not maintained anymore from release 1.8.
We recommend switching to an external PostgreSQL image as soon as possible.
Override location changes
^^^^^^^^^^^^^^^^^^^^^^^^^
If you have regenerated the Docker compose and environment files, there are some changes to the configuration overrides.
Override files are now mounted read-only into the containers. The Dovecot and Postfix overrides are moved in their own sub-directory. If there are local override files, they will need to be moved from ``overrides/`` to ``overrides/dovecot`` and ``overrides/postfix/``.
It has become known that the SPF DNS records generated by the admin interface are not completely standard compliant anymore. Please check the DNS records for your domains and compare them to what the new admin-interface instructs you to use. In most cases, this should be a simple copy-paste operation for you ….
Fixed hostname for antispam service
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
For history to be retained in Rspamd, the antispam container requires a static hostname. When you re-generate your docker-compose.yml file (or helm-chart), this will be covered.
Release 1.8 has come a long way again. Due to corona the project slowed down to a crawl. Fortunately new contributors have joined the team what enabled us to still release Mailu 1.8 this year.
Please note that the current 1.8 is what we call a "soft release": It’s there for everyone to see and use, but to limit possible user-impact of this very big release, it’s not yet the default in the setup-utility for new users. When upgrading, please treat it with some care, and be sure to always have backups!
For a list of all changes refer to `CHANGELOG.md` in the root folder of the Mailu github project. Please read the 'Override location changes' section. It contains important information for the people who use the overrides folder.
If you have regenerated the Docker compose and environment files, there are some changes to the configuration overrides.
Override files are now mounted read-only into the containers. The Dovecot and Postfix overrides are moved in their own sub-directory. If there are local override files, they will need to be moved from ``overrides/`` to ``overrides/dovecot`` and ``overrides/postfix/``.
It has become known that the SPF DNS records generated by the admin interface are not completely standard compliant anymore. Please check the DNS records for your domains and compare them to what the new admin-interface instructs you to use. In most cases, this should be a simple copy-paste operation for you ….
