Mailu 1.9 is available now. The helm-chart repo is not in sync yet with the new Mailu 1.9 release. If you use helm-chart (kubernetes), we advise to stick to version 1.8 for now.
See the section `Upgrading` for important information in regard to upgrading to Mailu 1.9.
Highlights
````````````````````````````````
Quite a lot of new features have been implemented. Of these new features we'd like to highlight these:
Security
^^^^^^^^
The session management has been improved in the Mailu Admin interface and webmails.
Sessions will automatically expire when the internet browser is closed.
Measures have also been implemented to safe guard against attackers hijacking sessions (anti session fixation).
The rate limiting has seen many improvements. Rate limiting is used for SMTP/IMAP/POP3 login attempts and login attempts via the login page. We now have rate limiting on IP addresses and user accounts (email addresses)
- Rate limiting on IP
- IP failed authentication x amount times, regardless the target login account.
- Guessing email addresses also counts for this. E.g. trying to login for a non existing email address.
- Rate limiting on user account
- Login attempts for this user failed x amount times. All IPs cannot login using this user when the rate limit is applied. This protects against botnets.
- Exemption based on device tokens. A successful login attempt awards the device with a token. This device token allows access even when the user account is rate limited. This functionality is handled automatically by Mailu.
With this improved rate limiting in place, it is more difficult to attack Mailu systems. Of course it is still important to use strong passwords.
Updated Admin interface
^^^^^^^^^^^^^^^^^^^^^^^
The Web Administration interface makes use of AdminLTE. The AdminLTE2 technology has been upgraded to AdminLTE3. This cost a lot of effort due to the changes between AdminLTE2 and AdminLTE3.
As a result the webpage looks more modern. All tables now have a filter and columns that can be sorted. If you have many users or domains, this will be a very welcome new feature!
A language selector has been added. On the login page and in the Web Admin Interface, the language selector can be accessed in the top right.
Import/Export command on steroids
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The Mailu command line has been enhanced with the new config-export and config-import command.
**Everything** that can be configured in the Mailu Web Administration Interface can now be exported and imported via yaml files.
So via YAML files, you can now bulk configure a complete new installation, without the need to access the Mailu Web Administration Interface.
It is also possible to create new users or import new users (with password hashes) using the config-import.
With this new command it is very easy to switch to a different database management system for the Mailu database. Simply dump your configuration to yaml file.
After setting up your new Mailu system with the different DBMS, you can import the yaml file with all Mailu configuration.
For more information, see the :ref:`Mailu command line <config-export>` page.
New SSO login page
^^^^^^^^^^^^^^^^^^
A new single sign on login page is introduced which handles logins for the Mailu Web Administration Interface and webmail.
With a single SSO page that handles all logins for Mailu, it is possible to look into adding support for two factor authentication.
All failed login attempts are logged to the Admin service. Fail2ban can be used to monitor these failed logon attempts and temporarily blacklist attackers.
Now all login attempts can be monitored with Fail2Ban.
See the :ref:`updated Fail2Ban documentation <Fail2Ban>` for more information.
Semantic versioning
^^^^^^^^^^^^^^^^^^^
From Mailu 1.9, we will use semantic versioning. First we only had x.y (e.g. 1.9) releases. For every update to an existing version, we will create an additional x.y.z (e.g. 1.9.1) release.
- The X.Y (1.9) tag will always feature the latest version.
- The X.Y.Z (1.9.1) tag is a pinned version. This release is not updated. You can use this to update in a controlled manner. At a convenient time, you can choose to switch to a newer version (e.g 1.9.2). The X.Y.Z tag is incremented automatically when an update is pushed for the X.Y release.
The images now also contain the release it was built for.
- Every docker image will have a docker label with the version.
- Every docker image will have the file /version with the same version information.
- Master images will contain the commit hash that initiated the built of the image.
- X.Y and X.Y.Z images will have the X.Y.Z version that triggered the built.
On the github project we will automatically create releases for each X.Y.Z release. Via this release you can check what commit hash the tag is assigned to.
With this improvement in our CI/CD workflow, it is possible to be notified when an update is released via github releases. It is also possible to use pinned versions to update in a controlled manner.
New Functionality & Improvements
````````````````````````````````
For a list of all the changes (including bug fixes) refer to `CHANGELOG.md` in the root folder of the Mailu github project.
A short summary of the new features:
- Roundcube and Rainloop have been updated.
- All dependencies have been updated to the latest security update
- AdminLTE (used by Admin service) is updated to AdminLTE3.
- Much improved rate limiting.
- Rate limiting small subnets instead of single IP addresses.
- Rate limiting for accounts that do not exist.
- Rate limiting for existing accounts (failed logon attempts).
- Device-tokens are introduced to ensure genuine users are not locked out
- Domain details page is enhanced with DNS client auto-configuration (RFC6186) entries.
- Centralize the authentication of webmails behind the admin interface.
- The new single sign on page opens up the possiblity to introduce 2 factor authentication in the future.
- Add sending quotas per user (configured in mailu.env). This determines how many emails each user can send every day.
- Allow specific users to send emails from any address using the WILDCARD_SENDERS setting (mailu.env.).
- Use semantic versioning for building releases.
- Internal improviments to improve performance of authentication requests.
- Introduded a language selector for the Admin interface.
- Add cli commands config-import and config-export for importing/exporting Mailu config via YAML.
- Enable support of all hash types passlib supports.
- Switch to bcrypt_sha256 (stronger hashing of passwords in Mailu database)/
- Introduce MTA-STS and DANE validation.
- Added Hebrew translation.
- Log authentication attempts on the admin portal. Fail2ban can now be used to monitor login attempts on Admin/Webmail.
- Remove Mailu PostgreSQL.
- Admin/Webmail sessions expire now. This can be tweakers via mailu.env.
Upgrading
`````````
Upgrade should run fine as long as you generate a new compose or stack configuration and upgrade your mailu.env.
If you use a reverse proxy in front of Mailu, it is vital to configure the newly introduced environment variables `REAL_IP_HEADER`` and `REAL_IP_FROM`.
These settings tell Mailu that the HTTP header with the remote client IP address from the reverse proxy can be trusted.
For more information see the :ref:`configuration reference <reverse_proxy_headers>`.
If you use Fail2Ban, you configure Fail2Ban to monitor failed logon attempts for the web-facing frontend (Admin/Webmail). See the :ref:`updated Fail2Ban documentation <Fail2Ban>` for more information.
The full 1.8 release is finally ready. There have been some changes in the contributors team. Many people from the contributors team have stepped back due to changed priorities in their life.
We are very grateful for all their contributions and hope we will see them back again in the future.
This is the main reason why it took so long for 1.8 to be fully released.
Fortunately more people have decided to join the project. Some very nice contributions have been made which will become part of the next 1.9 release.
We hope that future Mailu releases will be released more quickly now we have more active contributors again.
For a list of all changes refer to `CHANGELOG.md` in the root folder of the Mailu github project. Please read the 'Override location changes' section further on this page. It contains important information for the people who use the overrides folder.
New Functionality & Improvements
````````````````````````````````
Here’s a short summary of new features:
- Roundcube and Rainloop have been updated.
- All dependencies have been updated to the latest security update.
- Switch from client side (cookie) sessions to server side sessions and protect against session-fixation attacks. We recommend that you change your SECRET_KEY after upgrading.
The shipped image for PostgreSQL is not maintained anymore from release 1.8.
We recommend switching to an external PostgreSQL image as soon as possible.
Override location changes
^^^^^^^^^^^^^^^^^^^^^^^^^
If you have regenerated the Docker compose and environment files, there are some changes to the configuration overrides.
Override files are now mounted read-only into the containers. The Dovecot and Postfix overrides are moved in their own sub-directory. If there are local override files, they will need to be moved from ``overrides/`` to ``overrides/dovecot`` and ``overrides/postfix/``.
It has become known that the SPF DNS records generated by the admin interface are not completely standard compliant anymore. Please check the DNS records for your domains and compare them to what the new admin-interface instructs you to use. In most cases, this should be a simple copy-paste operation for you ….
Fixed hostname for antispam service
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
For history to be retained in Rspamd, the antispam container requires a static hostname. When you re-generate your docker-compose.yml file (or helm-chart), this will be covered.
Release 1.8 has come a long way again. Due to corona the project slowed down to a crawl. Fortunately new contributors have joined the team what enabled us to still release Mailu 1.8 this year.
Please note that the current 1.8 is what we call a "soft release": It’s there for everyone to see and use, but to limit possible user-impact of this very big release, it’s not yet the default in the setup-utility for new users. When upgrading, please treat it with some care, and be sure to always have backups!
For a list of all changes refer to `CHANGELOG.md` in the root folder of the Mailu github project. Please read the 'Override location changes' section. It contains important information for the people who use the overrides folder.
If you have regenerated the Docker compose and environment files, there are some changes to the configuration overrides.
Override files are now mounted read-only into the containers. The Dovecot and Postfix overrides are moved in their own sub-directory. If there are local override files, they will need to be moved from ``overrides/`` to ``overrides/dovecot`` and ``overrides/postfix/``.
It has become known that the SPF DNS records generated by the admin interface are not completely standard compliant anymore. Please check the DNS records for your domains and compare them to what the new admin-interface instructs you to use. In most cases, this should be a simple copy-paste operation for you ….