remove: Diffie-Hellman parameters for Postfix & Dovecot

This patch removes all custom DH parameters from DMS. The documentation update is NOT included in this patch yet. ref: #4538 Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
chore: apt - Migrate format from .list to .sources (DEB822) (#4556 )
2025-08-22 01:50:59 +00:00 · 2025-08-18 22:58:15 +02:00 · 2025-08-18 12:45:20 +12:00 · 2025-08-17 13:20:21 +02:00
14 changed files with 33 additions and 130 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -11,6 +11,16 @@ All notable changes to this project will be documented in this file. The format
 - **SpamAssassin:**
  - Removed Pyzor + Razor due to maintenance concerns. From observations it is unlikely to have any notable regression ([#4548](https://github.com/docker-mailserver/docker-mailserver/pull/4548))

+### Updated
+
+- **Internal:**
+  - Aligning with the change in upstream Debian, APT package repositories added by DMS have migrated the format from `.list` to `.sources` ([DEB822](https://repolib.readthedocs.io/en/latest/deb822-format.html)) ([#4556](https://github.com/docker-mailserver/docker-mailserver/pull/4556))
+  - Third-party sourced CLI tools updated ([#4557](https://github.com/docker-mailserver/docker-mailserver/pull/4557)):
+    - `jaq` from `2.1.0` to [`2.3.0`](https://github.com/01mf02/jaq/releases/tag/v2.3.0)
+    - `step` CLI from `0.28.2` to [`0.28.7`](https://github.com/smallstep/cli/releases/tag/v0.28.7))
+- **Dovecot**
+  - Updated the FTS plugin Xapian from `1.9` to [`1.9.1`](https://github.com/grosjo/fts-xapian/releases/tag/1.9.1) which adds Dovecot 2.4 compatibility ([#4557](https://github.com/docker-mailserver/docker-mailserver/pull/4557))
+
 ## [v15.1.0](https://github.com/docker-mailserver/docker-mailserver/compare/v15.1.0...HEAD)

 > [!NOTE]
--- a/6
+++ b/6
@ -191,12 +191,6 @@ COPY target/getmail/getmailrc_general /etc/getmailrc_general
 COPY target/getmail/getmail-service.sh /usr/local/bin/
 COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/

-# DH parameters for DHE cipher suites, ffdhe4096 is the official standard 4096-bit DH params now part of TLS 1.3
-# This file is for TLS <1.3 handshakes that rely on DHE cipher suites
-# Handled at build to avoid failures by doveadm validating ssl_dh filepath in 10-ssl.auth (eg generate-accounts)
-COPY target/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
-COPY target/shared/ffdhe4096.pem /etc/dovecot/dh.pem
-
 COPY \
  target/postfix/header_checks.pcre \
  target/postfix/sender_header_filter.pcre \
--- a/docs/content/config/security/ssl.md
+++ b/docs/content/config/security/ssl.md
@ -908,6 +908,8 @@ fi

 ## Custom DH Parameters

+TODO
+
 By default DMS uses [`ffdhe4096`][ffdhe4096-src] from [IETF RFC 7919][ietf::rfc::ffdhe]. These are standardized pre-defined DH groups and the only available DH groups for TLS 1.3. It is [discouraged to generate your own DH parameters][dh-avoid-selfgenerated] as it is often less secure.

 Despite this, if you must use non-standard DH parameters or you would like to swap `ffdhe4096` for a different group (eg `ffdhe2048`); Add your own PEM encoded DH params file via a volume to `/tmp/docker-mailserver/dhparams.pem`. This will replace DH params for both Dovecot and Postfix services during container startup.
--- a/target/dovecot/10-ssl.conf
+++ b/target/dovecot/10-ssl.conf
@ -45,11 +45,6 @@ ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName

-# SSL DH parameters
-# Since v2.3.3+ Diffie-Hellman parameters have been made optional, and you are encouraged to disable non-ECC DH algorithms completely.
-# `docker-mailserver` is configured to use the recommended pre-defined 4096-bit DHE Group at https://github.com/internetstandards/dhe_groups
-ssl_dh = </etc/dovecot/dh.pem
-
 # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
 # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
 ssl_min_protocol = TLSv1.2
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@ -45,7 +45,6 @@ smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES, SHA1
-smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
 smtpd_tls_CApath = /etc/ssl/certs
 smtp_tls_CApath = /etc/ssl/certs

--- a/target/scripts/build/compile.sh
+++ b/target/scripts/build/compile.sh
@ -18,7 +18,7 @@ function _install_build_deps() {
 }

 function _build_package() {
-  local XAPIAN_VERSION='1.9'
+  local XAPIAN_VERSION='1.9.1'
  curl -fsSL "https://github.com/grosjo/fts-xapian/releases/download/${XAPIAN_VERSION}/dovecot-fts-xapian-${XAPIAN_VERSION}.tar.gz" \
    | tar -xz
  cd "fts-xapian-${XAPIAN_VERSION}"
--- a/target/scripts/build/packages.sh
+++ b/target/scripts/build/packages.sh
@ -60,12 +60,12 @@ function _install_utils() {
  _log 'debug' 'Installing utils sourced from Github'

  _log 'trace' 'Installing jaq'
-  local JAQ_TAG='v2.1.0'
+  local JAQ_TAG='v2.3.0'
  curl -sSfL "https://github.com/01mf02/jaq/releases/download/${JAQ_TAG}/jaq-$(uname -m)-unknown-linux-gnu" -o /usr/local/bin/jaq
  chmod +x /usr/local/bin/jaq

  _log 'trace' 'Installing step'
-  local STEP_RELEASE='0.28.2'
+  local STEP_RELEASE='0.28.7'
  curl -sSfL "https://github.com/smallstep/cli/releases/download/v${STEP_RELEASE}/step_linux_${STEP_RELEASE}_${ARCH_B}.tar.gz" \
    | tar -xz --directory /usr/local/bin --no-same-owner --strip-components=2 "step_${STEP_RELEASE}/bin/step"

@ -161,10 +161,15 @@ function _install_dovecot() {
    # - 2.3.21: https://salsa.debian.org/debian/dovecot/-/tree/stable/bookworm-backports

    _log 'trace' 'Adding third-party package repository (Dovecot)'
-    curl -fsSL https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4 | gpg --dearmor > /usr/share/keyrings/upstream-dovecot.gpg
-    echo \
-      "deb [signed-by=/usr/share/keyrings/upstream-dovecot.gpg] https://repo.dovecot.org/ce-2.4-latest/debian/${VERSION_CODENAME} ${VERSION_CODENAME} main" \
-      > /etc/apt/sources.list.d/upstream-dovecot.list
+    curl -fsSL https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4 \
+      | gpg --dearmor >/usr/share/keyrings/upstream-dovecot.gpg
+    cat >/etc/apt/sources.list.d/upstream-dovecot.sources <<EOF
+Types: deb
+URIs: https://repo.dovecot.org/ce-2.4-latest/debian/${VERSION_CODENAME}
+Suites: ${VERSION_CODENAME}
+Components: main
+Signed-By: /usr/share/keyrings/upstream-dovecot.gpg
+EOF

    # Refresh package index:
    apt-get "${QUIET}" update
@ -188,10 +193,15 @@ function _install_rspamd() {
  # NOTE: Debian 12 provides Rspamd 3.4 (too old) and Rspamd discourages it's use

  _log 'trace' 'Adding third-party package repository (Rspamd)'
-  curl -fsSL https://rspamd.com/apt-stable/gpg.key | gpg --dearmor > /usr/share/keyrings/upstream-rspamd.gpg
-  echo \
-    "deb [signed-by=/usr/share/keyrings/upstream-rspamd.gpg] https://rspamd.com/apt-stable/ ${VERSION_CODENAME} main" \
-    > /etc/apt/sources.list.d/upstream-rspamd.list
+  curl -fsSL https://rspamd.com/apt-stable/gpg.key \
+    | gpg --dearmor >/usr/share/keyrings/upstream-rspamd.gpg
+  cat >/etc/apt/sources.list.d/upstream-rspamd.sources <<EOF
+Types: deb
+URIs: https://rspamd.com/apt-stable/
+Suites: ${VERSION_CODENAME}
+Components: main
+Signed-By: /usr/share/keyrings/upstream-rspamd.gpg
+EOF

  # Refresh package index:
  apt-get "${QUIET}" update
--- a/target/scripts/helpers/ssl.sh
+++ b/target/scripts/helpers/ssl.sh
@ -1,22 +1,5 @@
 #!/bin/bash

-function _setup_dhparam() {
-  local DH_SERVICE=$1
-  local DH_DEST=$2
-  local DH_CUSTOM='/tmp/docker-mailserver/dhparams.pem'
-
-  _log 'debug' "Setting up ${DH_SERVICE} dhparam"
-
-  if [[ -f ${DH_CUSTOM} ]]; then # use custom supplied dh params (assumes they're probably insecure)
-    _log 'trace' "${DH_SERVICE} will use custom provided DH parameters"
-    _log 'warn' "Using self-generated dhparams is considered insecure - unless you know what you are doing, please remove '${DH_CUSTOM}'"
-
-    cp -f "${DH_CUSTOM}" "${DH_DEST}"
-  else # use official standardized dh params (provided via Dockerfile)
-    _log 'trace' "${DH_SERVICE} will use official standardized DH parameters (ffdhe4096)."
-  fi
-}
-
 function _setup_ssl() {
  _log 'debug' 'Setting up SSL'

--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@ -48,7 +48,6 @@ function _register_functions() {
  if [[ ${SMTP_ONLY} -ne 1 ]]; then
    _register_setup_function '_setup_dovecot'
    _register_setup_function '_setup_dovecot_sieve'
-    _register_setup_function '_setup_dovecot_dhparam'
    _register_setup_function '_setup_dovecot_quota'
    _register_setup_function '_setup_spam_subject'
    _register_setup_function '_setup_spam_to_junk'
--- a/target/scripts/startup/setup.d/dovecot.sh
+++ b/target/scripts/startup/setup.d/dovecot.sh
@ -236,7 +236,3 @@ function _setup_dovecot_inet_protocols() {

  sedfile -i "s|^#listen =.*|listen = ${PROTOCOL}|g" /etc/dovecot/dovecot.conf
 }
-
-function _setup_dovecot_dhparam() {
-  _setup_dhparam 'Dovecot' '/etc/dovecot/dh.pem'
-}
--- a/target/scripts/startup/setup.d/postfix.sh
+++ b/target/scripts/startup/setup.d/postfix.sh
@ -49,9 +49,6 @@ EOF
  __postfix__log 'trace' 'Setting up Postfix vhost'
  _create_postfix_vhost

-  __postfix__log 'trace' 'Setting up DH Parameters'
-  _setup_dhparam 'Postfix' '/etc/postfix/dhparams.pem'
-
  __postfix__log 'trace' "Configuring message size limit to '${POSTFIX_MESSAGE_SIZE_LIMIT}'"
  postconf "message_size_limit = ${POSTFIX_MESSAGE_SIZE_LIMIT}"

--- a/target/shared/ffdhe4096.pem
+++ b/target/shared/ffdhe4096.pem
@ -1,13 +0,0 @@
-----BEGIN DH PARAMETERS-----
-MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
-7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
-nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
-8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
-iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
-zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
-----END DH PARAMETERS-----
--- a/target/shared/ffdhe4096.pem.sha512sum
+++ b/target/shared/ffdhe4096.pem.sha512sum
@ -1 +0,0 @@
-716a462baecb43520fb1ba6f15d288ba8df4d612bf9d450474b4a1c745b64be01806e5ca4fb2151395fd4412a98831b77ea8dfd389fe54a9c768d170b9565a25  ffdhe4096.pem
--- a/test/tests/parallel/set1/tls/dhparams.bats
+++ b/test/tests/parallel/set1/tls/dhparams.bats
@ -1,68 +0,0 @@
-load "${REPOSITORY_ROOT}/test/helper/setup"
-load "${REPOSITORY_ROOT}/test/helper/common"
-
-# Test case
-# ---------
-# By default, this image is using audited FFDHE groups (https://github.com/docker-mailserver/docker-mailserver/pull/1463)
-# Reference used (22/04/2020) - Page 27 (ffdhe4096 RFC 7919, regarded as sufficient):
-# https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
-
-BATS_TEST_NAME_PREFIX='[Security] TLS (DH Parameters) '
-
-CONTAINER1_NAME='dms-test_tls-dh-params_default'
-CONTAINER2_NAME='dms-test_tls-dh-params_custom'
-
-function teardown() { _default_teardown ; }
-
-# Verify Postfix and Dovecot are using the default `ffdhe4096.pem` from Dockerfile build.
-# Verify that the file `ffdhe4096.pem` has not been modified (checksum verification against trusted third-party copy).
-@test "Default" {
-  export CONTAINER_NAME=${CONTAINER1_NAME}
-  local DH_PARAMS_DEFAULT='target/shared/ffdhe4096.pem'
-  local DH_CHECKSUM_DEFAULT=$(sha512sum "${DH_PARAMS_DEFAULT}" | awk '{print $1}')
-
-  _init_with_defaults
-  _common_container_setup
-
-  _should_match_service_copies "${DH_CHECKSUM_DEFAULT}"
-
-  # Verify integrity of the default supplied DH Params (ffdhe4096, should be equivalent to `target/shared/ffdhe4096.pem.sha512sum`):
-  # 716a462baecb43520fb1ba6f15d288ba8df4d612bf9d450474b4a1c745b64be01806e5ca4fb2151395fd4412a98831b77ea8dfd389fe54a9c768d170b9565a25
-  local DH_CHECKSUM_MOZILLA
-  DH_CHECKSUM_MOZILLA=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
-  assert_equal "${DH_CHECKSUM_DEFAULT}" "${DH_CHECKSUM_MOZILLA}"
-}
-
-# When custom DHE parameters are supplied by the user to `/tmp/docker-mailserver/dhparams.pem`:
-# - Verify Postfix and Dovecot use the custom `custom-dhe-params.pem` (contents tested is actually `ffdhe2048.pem`).
-# - A warning is raised about usage of potentially insecure parameters.
-@test "Custom" {
-  export CONTAINER_NAME=${CONTAINER2_NAME}
-  local DH_PARAMS_CUSTOM='test/files/ssl/custom-dhe-params.pem'
-  local DH_CHECKSUM_CUSTOM=$(sha512sum "${DH_PARAMS_CUSTOM}" | awk '{print $1}')
-
-  _init_with_defaults
-  cp "${DH_PARAMS_CUSTOM}" "${TEST_TMP_CONFIG}/dhparams.pem"
-  _common_container_setup
-
-  _should_match_service_copies "${DH_CHECKSUM_CUSTOM}"
-
-  # Should emit a warning:
-  run docker logs "${CONTAINER_NAME}"
-  assert_success
-  assert_output --partial 'Using self-generated dhparams is considered insecure - unless you know what you are doing, please remove'
-}
-
-# Ensures the docker image services (Postfix and Dovecot) have the expected DH files:
-function _should_match_service_copies() {
-  local DH_CHECKSUM=$1
-
-  function __should_have_expected_checksum() {
-    _run_in_container_bash "sha512sum ${1} | awk '{print \$1}'"
-    assert_success
-    assert_output "${DH_CHECKSUM}"
-  }
-
-  __should_have_expected_checksum '/etc/dovecot/dh.pem'
-  __should_have_expected_checksum '/etc/postfix/dhparams.pem'
-}
				`@ -1 +0,0 @@`
				`716a462baecb43520fb1ba6f15d288ba8df4d612bf9d450474b4a1c745b64be01806e5ca4fb2151395fd4412a98831b77ea8dfd389fe54a9c768d170b9565a25 ffdhe4096.pem`