diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fb595ce..d69ea664 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,7 @@ POSTFIX_LOG_FILE has been deprecated and is ignored by Mailu. If POSTFIX_LOG_FIL If a reverse proxy is used on the same host, consider switching to traefik using the updated instructions. Refer to `Using an external reverse proxy` on mailu.io. With these updated instructions Mailu will handle requesting all certificates. It is not required anymore to copy certificates from the reverse proxy to Mailu. After starting the new Mailu deployment, check the following two topics. -The dovecot indexes should be recreated: +The dovecot full-text-search indexes should be recreated: From `bash` run: ``` find /mailu/mail -type d -name xapian-indexes -prune -exec rm -r {} \+ @@ -31,14 +31,14 @@ View the admin container logs via `docker compose logs admin` WARNING:root:Your CPU has Advanced Vector Extensions available, we recommend you enable hardened-malloc earlier in the boot process by adding LD_PRELOAD=/usr/lib/libhardened_malloc.so to your mailu.env ``` -**Only** if the above message is logged, then the hardened malloc can be enabled by adding the following line to `mailu.env`. +**Only** if the above message is logged, then the hardened malloc can be enabled sooner by adding the following line to `mailu.env`. ``` LD_PRELOAD=/usr/lib/libhardened_malloc.so ``` Recreate all docker containers (`docker compose up -d`) for the changes to be propagated. -Please note that once you have upgraded to 2024.06, that you won't be able to roll-back to earlier versions. +Please note that once you have upgraded to 2024.06, you won't be able to roll-back to earlier versions. - Features: Introduce new settings for configuring proxying and TLS. Disable POP3, IMAP and SUBMISSION by default, see https://nostarttls.secvuln.info/ diff --git a/docs/releases.rst b/docs/releases.rst index d15a646f..ab2ee1cc 100644 --- a/docs/releases.rst +++ b/docs/releases.rst 
@@ -46,7 +46,7 @@ The following translations for the Admin webui have been added: All language translations are handled by the community. If you see a translation error for your native language, consider submitting a pull request to address this. Download zonefile on domain details page -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ On the domain details page a download option is added for downloading the zone file. This zone file can be used to easily import all Mailu DNS settings. Roundcube spellchecker @@ -85,6 +85,14 @@ The environment variable `AUTH_REQUIRE_TOKENS` has been introduced. This setting It is recommended to use authentication tokens instead of passwords for connecting email clients to Mailu as verifying them is less resource intensive server-side and they are not subject to rate limits (since they cannot be brute-forced online by a potential attacker). +Improved PROXY PROTOCOL and open ports settings +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +It is now possible to explicitly configure what ports must use the PROXY PROTOCOL. Refer to PROXY_PROTOCOL in the configuration reference for more information. + +The newly introduced PORTS variable can be used to configure what service should be enabled. efer to PORTS in the configuration reference for more information. + + Change in behaviour ``````````````````` 
@@ -99,6 +107,18 @@ Emails marked by clamav are rejected now. These used to be silently dropped ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ In the past emails marked by clamav (the virusscanner) were dropped. Now these emails are rejected. That means that the person who sent the email receives a reply that the email was rejected due to the email being flagged by clamav. +STARTTLS ports disabled by default +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +By default the STARTTLS ports are disabled. That means that the ports for the following protocols are closed: + +* IMAP (143) +* POP3 (110) +* Submission (587) + +For more information why only enabled implicit TLS is safer than also allowing opportunistic TLS, please refer to `https://nostarttls.secvuln.info `_ . +To re-enable these ports, use the PORTS variable. For more information refer to the configuration reference. + + Upgrading `````````
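Review bot: In the reworded line `Please note that once you have upgraded to 2024.06, you won't be able to roll-back to earlier versions.` (second CHANGELOG hunk), "roll-back" should be the unhyphenated verb "roll back"; the hyphenated form is the noun. Since the upgrade is irreversible, consider adding one sentence recommending a backup of the Mailu data directory (the same `/mailu` tree the index-cleanup command above operates on) before starting the new deployment, so an operator has a way back if the upgrade fails.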
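Review bot: Typo in the new PORTS paragraph of the `docs/releases.rst` hunk at `@@ -85,6 +85,14 @@`: `efer to PORTS in the configuration reference` should read "Refer to PORTS in the configuration reference", and "what service should be enabled" should be "which services should be enabled". The surrounding text sets variable names in backticks (`AUTH_REQUIRE_TOKENS`), so `PROXY_PROTOCOL` and `PORTS` should be marked up the same way in both new paragraphs; the two trailing blank lines before "Change in behaviour" can also be reduced to one to match the rest of the file.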
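Review bot: The reST link in the new "STARTTLS ports disabled by default" section, `` `https://nostarttls.secvuln.info `_ ``, is a named reference with no matching target definition and will produce an unknown-target error when the docs are built; write the URL bare (docutils links standalone URLs automatically) or as `` `nostarttls.secvuln.info <https://nostarttls.secvuln.info/>`_ ``. The sentence around it also reads awkwardly: "For more information why only enabled implicit TLS is safer than also allowing opportunistic TLS" should be "For more information on why enabling only implicit TLS is safer than also allowing opportunistic TLS (STARTTLS)". Because this change closes 143, 110 and 587 by default, the section should name the implicit-TLS ports that remain open so operators can repoint mail clients and firewall rules before they decide whether to re-enable the STARTTLS ports via PORTS.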