🥚🐄 Moopril Update 2024 | Security Update

What's Changed

With the Moopril update, two security vulnerabilities in mailcow will be closed.

1. CVE-2024-31204: XSS Vulnerability via Exception Handler
2. CVE-2024-30270: Path Traversal and Arbitrary Code Execution Vulnerability

Thanks to Paul Gerste from Sonar for reporting the security vulnerabilities!

• chore(deps): update thollander/actions-comment-pull-request action to v2.5.0 by @renovate in #5747
• Translations update from Weblate by @milkmaker in #5762
• sogo: upgrade to 5.10.0 by @DerLinkman in #5765
• Translations update from Weblate by @milkmaker in #5777
• [Web]Small change about zh-cn translation by @aaadddfgh in #5789
• [Postfix] update postscreen_access.cidr by @milkmaker in #5770
• Remove one GmbH in Dockerfiles by @MAGICCC in #5743
• Translations update from Weblate by @milkmaker in #5810
• Update French translation by @yvan-algoo in #5805
• Translations update from Weblate by @milkmaker in #5813
• [Postfix] update postscreen_access.cidr by @milkmaker in #5811
• Translations update from Weblate by @milkmaker in #5815
• [Rspamd] Set local_addrs lo mailcow networks by @dragoangel in #5812
• [Rspamd] milter update Content-Type and Content-Transfer-Encoding header by @FreddleSpl0it in #5751
• [Web] fix exception handler and rspamd_maps function by @FreddleSpl0it in #5818

New Contributors

• @aaadddfgh made their first contribution in #5789

Full Changelog: 2024-02...2024-04

🐥🐄 Febmooary 2024 Update | ClamAV Security Update

What's Changed

• [Web] fix blank /debug page with invalid timezone by @FreddleSpl0it in #5728
• [Web] fix setting unchecked checkboxes on domain adding by @FreddleSpl0it in #5730
• [Web] display human readable domainnames instead of punycode by @FreddleSpl0it in #5729
• [Rspamd] apply domain wide footer to alias domains by @FreddleSpl0it in #5727
• [Netfilter] respect ban time limits by @Habetdin in #5679
• Translations update from Weblate by @milkmaker in #5732
• Translations update from Weblate by @milkmaker in #5740

Full Changelog: 2024-01e...2024-02
Updated Blog Page here: https://mailcow.email/posts/2024/release-2024-02/

🦾6️⃣4️⃣ 🐄 Janmooary 2024 Update Revision E | Corrections for the ARM64 Update

What's Changed

• [Netfilter] fix mailcow isolation rule for iptables by @FreddleSpl0it & @tomudding in #5700
• [Netfilter] set IP check more relaxed on NFTables.py by @amorfo77 in #5711
• [SOGo] Fixed SOGo crash on older kernels < 5.10.0-X by @DerLinkman in 5a97027
• [Dovecot] Fixed Wrong Timezone Logging by @DerLinkman in d08ccbc
• [Unbound] Increased checks interval back to 30s by @DerLinkman in 63bb8e8
• [Unbound] Removed netcat checks from unbound healthchecks by @DerLinkman in 63426c3

We are aware of the “issue” with SOGo and the error message in the editor. We have already reached out, and once the fix is implemented, we will seamlessly patch the provided SOGo version with the 2024-01e release. This avoids the need for a new subrelease like the current one.

Full Changelog: 2024-01d...2024-01e
Updated Blog Page here: https://mailcow.email/posts/2024/release-2024-01/

Hotfix for 2024-01c: Dovecot Replication Error fix

If you encountered the bug that watchdog is reporting something about Dovecot replication please apply this patch.

If you have problems regarding PHP-FPM and Redis connection issues: #5697 please set the DISABLE_NETFILTER_ISOLATION_RULE to y instead of n inside mailcow.conf and restart the mailcow stack with docker compose down and up -d afterwards

Issue has been fixed in: 57e67ea many, many thanks to @tomudding for quickly finding it!

What's Changed

• [Dovecot] fix repl-health.sh by @FreddleSpl0it in a310493
• Updated the Netfilter Image (Original buggy image has been overpatched directly at dockerhub).

Full Changelog: 2024-01c...2024-01d

What's Changed

• 2024-01d by @DerLinkman in #5699

Full Changelog: 2024-01c...2024-01d

🦾6️⃣4️⃣ 🐄 Janmooary 2024 Update Revision C | Netfilter Security Update

⚠️This update includes a security fix, so we highly recommend that all users upgrade to this latest version to ensure the security of their systems. ⚠️

Users who are unable to update and share their system with potential attackers on the same network, such as with some hosting providers, should apply the following iptables/nftables rule:

iptables:
iptables -I DOCKER-USER ! -i br-mailcow -o br-mailcow -p tcp -m multiport --dport 3306,6379,8983,12345 -j DROP

nftables:
nft insert rule ip "filter" "DOCKER-USER" iifname != "br-mailcow" oifname "br-mailcow" tcp dport {3306, 6379, 8983, 12345} counter packets 0 bytes 0 drop

Read the Security advisory here: GHSA-gmpj-5xcm-xxx6

What's Changed

• chore(deps): update peter-evans/create-pull-request action to v6 by @renovate in #5683
• sogo: fix ACL allow authenticated users + rebuild on Bookworm by @DerLinkman in #5688
• [Postfix] update postscreen_access.cidr by @milkmaker in #5686
• [Netfilter] add mailcow isolation rule to MAILCOW chain by @FreddleSpl0it in #5696

Full Changelog: 2024-01b...2024-01c
Blog: https://mailcow.email/posts/2024/release-2024-01/

🦾6️⃣4️⃣ 🐄 Janmooary 2024 Update | Revision B

What's Changed

• Allow user skip unbound healthcheck by @KagurazakaNyaa in #5652
• Test for openrc configuration file instead of alpine by @lu-zero in #5660
• fix: watchdog webhook body variables injector by @Candinya in #5647
• fix: rollback curl bug by @DerLinkman in #5662

New Contributors

• @KagurazakaNyaa made their first contribution in #5652
• @lu-zero made their first contribution in #5660
• @Candinya made their first contribution in #5647

Full Changelog: 2024-01a...2024-01b
Blog Page: https://mailcow.email/de/posts/2024/release-2024-01/

🦾6️⃣4️⃣ 🐄 Janmooary 2024 Update | Revision A

What's Changed

• unbound: increased healthcheck timeout by @DerLinkman in #5650

Full Changelog: 2024-01...2024-01a

🦾6️⃣4️⃣ 🐄 Janmooary 2024 Update | The Multiarch (x86 + ARM64) & Performance Update

⚠️ DO A BACKUP BEFORE UPDATING TO BE ON THE SAFE SITE ⚠️

What's Changed

• Add new SOGoMailHideInlineAttachments option to sogo.conf in #5624
• [Postfix] update postscreen_access.cidr by @milkmaker in #5625
• Fixed bg color of form elements in dark mode by @feldsam in #5616
• [Postfix] Remove pipeling from ehlo keywords as we block it in data by @dragoangel in #5621
• [Rspamd] add option to skip domain wide footer on reply e-mails by @FreddleSpl0it in #5612
• Update Dockerfiles to Alpine 3.19 by @MAGICCC in #5592
• [Web] use template for default values in mbox and domain creation by @FreddleSpl0it in #5615
• chore(deps): update dependency composer/composer to v2.6.6 by @renovate in #5581
• chore(deps): update dependency tianon/gosu to v1.17 by @renovate in #5550
• chore(deps): update dependency phpredis/phpredis to v6.0.2 by @renovate in #5549
• chore(deps): update dependency krakjoe/apcu to v5.1.23 by @renovate in #5522
• unbound: rewrote of healthcheck by @DerLinkman in #5639
• mailcow Multiarch (x86 and ARM64) support by @DerLinkman in #5587
• Implemented Server Side processing for domains and mailboxes datatables by @feldsam in #5523

Full Changelog: 2023-12a...2024-01
Blog Post: https://mailcow.email/posts/2024/release-2024-01

🛷 🐄 Moocember 2023 Update Revision A | Postfix CVE-2023-51764 Security Update

What's Changed

• chore(deps): update dependency nextcloud/server to v28.0.1 by @renovate in #5614
• Translations update from Weblate by @milkmaker in #5617
• [Postfix] Do not remove X-Mailer header by @feldsam in #5504
• Translations update from Weblate by @milkmaker in #5622
• [Postfix] set smtpd_forbid_bare_newline = yes

Full Changelog: 2023-12...2023-12a

🛷 🐄 Moocember 2023 Update | Netfilter NFTables Support and Banlist Endpoint

What's Changed

• Update actions/stale action to v9 by @renovate in #5579
• Translations update from Weblate by @milkmaker in #5583
• [Netfilter] add nftables support by @FreddleSpl0it thanks to @amorfo77 in #5585
• [Web] add f2b_banlist endpoint by @FreddleSpl0it in #5313
• Watchdog: Allow sending notifications via webhooks by @felixoi in #4968
• Allow suppressing watchdog start notification by @smarsching in #5453
• Translations update from Weblate by @milkmaker in #5590
• Update dependency nextcloud/server to v28 by @renovate in #5589
• Translations update from Weblate by @milkmaker in #5591
• Translations update from Weblate by @milkmaker in #5598
• Guideline Improvement + Issue Template adjusting by @DerLinkman in #5602
• chore(deps): update alpine docker tag to v3.19 by @renovate in #5603

New Contributors

• @felixoi made their first contribution in #4968
• @smarsching made their first contribution in #5453

Full Changelog: 2023-11a...2023-12