Apply suggestions from code review

Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>

.github/workflows/docs-production-deploy.yml

@@ -26,7 +26,7 @@ jobs:
     permissions:
       contents: write
     name: 'Deploy Docs'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
 
@@ -73,7 +73,7 @@ jobs:
     permissions:
       contents: write
     name: 'Update `versions.json` if necessary'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: startsWith(github.ref, 'refs/tags/')
     # Avoid race condition with pushing to `gh-pages` branch by waiting for `deploy` to complete first
     needs: deploy
@@ -110,7 +110,7 @@ jobs:
     permissions:
       contents: write
     name: 'update `latest` symlink if necessary'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: startsWith(github.ref, 'refs/tags/')
     needs: add-version-to-docs
     steps:

.github/workflows/generic_build.yml

@@ -23,7 +23,7 @@ permissions:
 jobs:
   build-image:
     name: 'Build'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       build-cache-key: ${{ steps.derive-image-cache-key.outputs.digest }}
     steps:

.github/workflows/generic_publish.yml

@@ -14,7 +14,7 @@ permissions:
 jobs:
   publish-images:
     name: 'Publish'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v4

.github/workflows/generic_test.yml

@@ -13,7 +13,7 @@ permissions:
 jobs:
   run-tests:
     name: 'Test'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
         part: [serial, parallel/set1, parallel/set2, parallel/set3]

.github/workflows/generic_vulnerability-scan.yml

@@ -19,7 +19,7 @@ jobs:
     permissions:
       contents: read         # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v4

.github/workflows/handle_stalled.yml

@@ -12,7 +12,7 @@ jobs:
     permissions:
       issues: write
       pull-requests: write
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Close stale issues
         uses: actions/stale@v9

.github/workflows/linting.yml

@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   lint:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4

CHANGELOG.md

@@ -6,6 +6,11 @@ All notable changes to this project will be documented in this file. The format
 
 > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
 
+### Removed
+
+- **SpamAssassin:**
+  - Removed Pyzor + Razor due to maintenance concerns. From observations it is unlikely to have any notable regression ([#4548](https://github.com/docker-mailserver/docker-mailserver/pull/4548))
+
 ## [v15.1.0](https://github.com/docker-mailserver/docker-mailserver/compare/v15.1.0...HEAD)
 
 > [!NOTE]

Dockerfile

@@ -7,7 +7,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 ARG DOVECOT_COMMUNITY_REPO=0
 ARG LOG_LEVEL=trace
 
-FROM docker.io/debian:12-slim AS stage-base
+FROM docker.io/debian:13-slim AS stage-base
 
 ARG DEBIAN_FRONTEND
 ARG DOVECOT_COMMUNITY_REPO
@@ -20,11 +20,6 @@ SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
 # -----------------------------------------------
 
 COPY target/bin/sedfile /usr/local/bin/sedfile
-RUN <<EOF
-  chmod +x /usr/local/bin/sedfile
-  adduser --quiet --system --group --disabled-password --home /var/lib/clamav --no-create-home --uid 200 clamav
-EOF
-
 COPY target/scripts/build/packages.sh /build/
 COPY target/scripts/helpers/log.sh /usr/local/bin/helpers/log.sh
 
@@ -151,22 +146,6 @@ RUN <<EOF
   chmod 644 /etc/amavis/conf.d/*
 EOF
 
-# overcomplication necessary for CI
-# hadolint ignore=SC2086
-RUN <<EOF
-  for _ in {1..10}; do
-    su - amavis -c "razor-admin -create"
-    sleep 3
-    if su - amavis -c "razor-admin -register"; then
-      EC=0
-      break
-    else
-      EC=${?}
-    fi
-  done
-  exit ${EC}
-EOF
-
 # -----------------------------------------------
 # --- Fail2Ban, DKIM & DMARC --------------------
 # -----------------------------------------------
@@ -209,8 +188,7 @@ COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
 
 # DH parameters for DHE cipher suites, ffdhe4096 is the official standard 4096-bit DH params now part of TLS 1.3
 # This file is for TLS <1.3 handshakes that rely on DHE cipher suites
-# Handled at build to avoid failures by doveadm validating ssl_dh filepath in 10-ssl.auth (eg generate-accounts)
-COPY target/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
+# Handled at build to avoid failures by doveadm validating ssl_server_dh_file filepath in 10-ssl.auth (eg generate-accounts)
 COPY target/shared/ffdhe4096.pem /etc/dovecot/dh.pem
 
 COPY \

docs/content/config/environment.md

@@ -656,8 +656,8 @@ Mail is not yet considered spam at this spam score, but for purposes like diagno
     X-Spam-Level: ****
     X-Spam-Status: No, score=4.162 tagged_above=2 required=4
             tests=[BODY_SINGLE_WORD=1, DKIM_ADSP_NXDOMAIN=0.8,
-            NO_DNS_FOR_FROM=0.379, NO_RECEIVED=-0.001, NO_RELAYS=-0.001,
-            PYZOR_CHECK=1.985] autolearn=no autolearn_force=no
+            NO_DNS_FOR_FROM=0.379, NO_RECEIVED=-0.001, NO_RELAYS=-0.001]
+            autolearn=no autolearn_force=no
     ```
 
     !!! info "The `X-Spam-Score` is `4.162`"

docs/content/config/security/ssl.md

@@ -791,7 +791,7 @@ Add this to `docker-data/dms/config/dovecot.cf`:
 
 ```cf
 ssl = yes
-disable_plaintext_auth=no
+auth_allow_cleartext = yes
 ```
 
 These options in conjunction mean:

target/amavis/postfix-amavis.cf

@@ -7,7 +7,7 @@ smtp-amavis     unix    -       -       n       -       2       smtp
   -o syslog_name=postfix/$service_name
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
-  -o disable_dns_lookups=yes
+  -o smtp_dns_support_level=disabled
   -o max_use=20
   -o smtp_tls_security_level=none
   -o smtp_tls_wrappermode=no

target/dovecot/10-auth.conf

@@ -7,7 +7,7 @@
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
 # See also ssl=required setting.
-#disable_plaintext_auth = yes
+#auth_allow_cleartext = no
 
 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
 # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
@@ -96,7 +96,7 @@
 # Space separated list of wanted authentication mechanisms:
 #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
 #   gss-spnego
-# NOTE: See also disable_plaintext_auth setting.
+# NOTE: See also auth_allow_cleartext setting.
 auth_mechanisms = plain login
 
 ##

target/dovecot/10-logging.conf

@@ -41,9 +41,6 @@ auth_verbose_passwords = sha1:6
 # isn't finding your mails.
 #mail_debug = no
 
-# Show protocol level SSL errors.
-verbose_ssl = no
-
 # mail_log plugin provides more event logging for mail processes.
 plugin {
   # Events to log. Also available: flag_change append

target/dovecot/10-mail.conf

@@ -10,25 +10,13 @@
 # If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
 # isn't enough. You'll also need to tell Dovecot where the other mailboxes are
 # kept. This is called the "root mail directory", and it must be the first
-# path given in the mail_location setting.
-#
-# There are a few special variables you can use, eg.:
-#
-#   %u - username
-#   %n - user part in user@domain, same as %u if there's no domain
-#   %d - domain part in user@domain, empty if there's no domain
-#   %h - home directory
-#
-# See doc/wiki/Variables.txt for full list. Some examples:
-#
-#   mail_location = maildir:~/Maildir
-#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
-#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
-#
-# <doc/wiki/MailLocation.txt>
-#
+# path given in the mail_driver+mail_path settings.
+
+# ref: https://doc.dovecot.org/main/core/config/mail_location.html#mail_driver
+mail_driver = maildir
+# ref: https://doc.dovecot.org/main/core/config/mail_location.html#mail_path
+mail_path = /var/mail/%d/%n
 mail_home = /var/mail/%d/%n/home/
-mail_location = maildir:/var/mail/%d/%n
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.
@@ -206,7 +194,9 @@ mail_privileged_group = docker
 
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-mail_plugins = $mail_plugins quota
+mail_plugins {
+  quota = yes
+}
 
 ##
 ## Mailbox handling optimizations

target/dovecot/10-ssl.conf

@@ -9,8 +9,8 @@
 # dropping root privileges, so keep the key file unreadable by anyone but root.
 # These [snakeoil files actually exist](https://askubuntu.com/questions/396120/what-is-the-purpose-of-the-ssl-cert-snakeoil-key), but shouldn't ever be used in production!
 # As `SSL_TYPE` env is required by docker-mailserver, these "snakeoil" files will be replaced on container startup.
-ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
-ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
+ssl_server_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+ssl_server_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 # Fallback/Hybrid cert support. docker-mailserver will enable these when using ENV vars `SSL_ALT_CERT_PATH` and `SSL_ALT_KEY_PATH`.
 #ssl_alt_cert = </path/to/alternative/cert.pem
 #ssl_alt_key = </path/to/alternative/key.pem
@@ -48,7 +48,7 @@ ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
 # SSL DH parameters
 # Since v2.3.3+ Diffie-Hellman parameters have been made optional, and you are encouraged to disable non-ECC DH algorithms completely.
 # `docker-mailserver` is configured to use the recommended pre-defined 4096-bit DHE Group at https://github.com/internetstandards/dhe_groups
-ssl_dh = </etc/dovecot/dh.pem
+ssl_server_dh_file = /etc/dovecot/dh.pem
 
 # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
 # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
@@ -57,8 +57,8 @@ ssl_min_protocol = TLSv1.2
 # SSL ciphers to use
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
-# Prefer the server's order of ciphers over client's.
-ssl_prefer_server_ciphers = yes
+# ref: https://doc.dovecot.org/main/core/summaries/settings.html#ssl_server_prefer_ciphers
+ssl_server_prefer_ciphers = server
 
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =

target/dovecot/20-imap.conf

@@ -1,4 +1,6 @@
 protocol imap {
-    # allow IMAP clients to ask quota usage
-    mail_plugins = $mail_plugins imap_quota
+  # allow IMAP clients to ask quota usage
+  mail_plugins {
+    imap_quota = yes
+  }
 }

target/dovecot/20-lmtp.conf

@@ -15,5 +15,7 @@
 
 protocol lmtp {
   # Space separated list of plugins to load (default is global mail_plugins).
-  mail_plugins = $mail_plugins sieve
+  mail_plugins {
+    sieve = yes
+  }
 }

target/dovecot/auth-passwdfile.inc

@@ -1,20 +1,24 @@
 # Authentication for passwd-file users. Included from 10-auth.conf.
 #
-# Documentation
-#   PassDB: https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
-#   UserDB: https://doc.dovecot.org/configuration_manual/authentication/user_databases_userdb/
-#
-# !!! Attention !!!
-#   Do not add `scheme=SHA512-CRYPT` to the userdb args. This is not supported.
+# ref: https://doc.dovecot.org/main/core/config/auth/databases/passwd_file.html
 
-passdb {
+passdb passwd-file {
   driver = passwd-file
-  mechanisms = plain login
-  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/userdb
+  mechanisms_filter = plain login
+  default_password_scheme = SHA512-CRYPT
+  auth_username_format = %{user}
+  passwd_file_path = /etc/dovecot/userdb
 }
 
-userdb {
+userdb passwd-file {
   driver = passwd-file
-  args = username_format=%u /etc/dovecot/userdb
-  default_fields = uid=docker gid=docker home=/var/mail/%d/%u/home/
+  auth_username_format = %{user}
+  passwd_file_path = /etc/dovecot/userdb
+  # Default field values to use when they're not set for user accounts sourced via `/etc/dovecot/userdb`.
+  # NOTE: That file is created from `postfix-accounts.cf` + `postfix-virtual.cf`
+  fields {
+    uid:default = docker
+    gid:default = docker
+    home:default = /var/mail/%{user | domain}/%{user | username}/home/
+  }
 }

target/postfix/main.cf

@@ -45,7 +45,6 @@ smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES, SHA1
-smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
 smtpd_tls_CApath = /etc/ssl/certs
 smtp_tls_CApath = /etc/ssl/certs
 

target/scripts/build/packages.sh

@@ -6,7 +6,7 @@
 # -o pipefail :: exit on error in pipes
 set -eE -u -o pipefail
 
-VERSION_CODENAME='bookworm'
+VERSION_CODENAME='trixie'
 
 # shellcheck source=../helpers/log.sh
 source /usr/local/bin/helpers/log.sh
@@ -28,12 +28,17 @@ function _pre_installation_steps() {
   local EARLY_PACKAGES=(
     # Avoid logging unnecessary warnings:
     apt-utils
+    # we need this early for the creation of accounts like 'clamav'
+    adduser
     # Required for adding third-party repos (/etc/apt/sources.list.d) as alternative package sources (eg: Dovecot CE and Rspamd):
     apt-transport-https ca-certificates curl gnupg
     # Avoid problems with SA / Amavis (https://github.com/docker-mailserver/docker-mailserver/pull/3403#pullrequestreview-1596689953):
     systemd-standalone-sysusers
   )
   apt-get "${QUIET}" install --no-install-recommends "${EARLY_PACKAGES[@]}" 2>/dev/null
+
+  chmod +x /usr/local/bin/sedfile
+  adduser --quiet --system --group --disabled-password --home /var/lib/clamav --no-create-home --uid 200 clamav
 }
 
 # Install third-party commands to /usr/local/bin
@@ -83,15 +88,15 @@ function _install_packages() {
 
   local ANTI_VIRUS_SPAM_PACKAGES=(
     clamav clamav-daemon
-    # spamassassin is used only with amavisd-new, while pyzor + razor are used by spamassassin
-    amavisd-new spamassassin pyzor razor
+    # spamassassin is used only with amavisd-new
+    amavisd-new spamassassin
   )
 
   # predominantly for Amavis support
   local CODECS_PACKAGES=(
     altermime arj bzip2
     cabextract cpio file
-    gzip lhasa liblz4-tool
+    gzip lhasa lz4
     lrzip lzop nomarch
     p7zip-full pax rpm2cpio
     unrar-free unzip xz-utils
@@ -154,7 +159,7 @@ function _install_dovecot() {
   # NOTE: AMD64 / x86_64 is the only supported arch from the Dovecot CE repo (thus noDMS built for ARM64 / aarch64)
   # Repo: https://repo.dovecot.org/ce-2.4-latest/debian/bookworm/dists/bookworm/main/
   # Docs: https://repo.dovecot.org/#debian
-  if [[ ${DOVECOT_COMMUNITY_REPO} -eq 1 ]] && [[ "$(uname --machine)" == "x86_64" ]]; then
+  if [[ ${DOVECOT_COMMUNITY_REPO:-0} -eq 1 ]] && [[ $(uname --machine) == x86_64 ]]; then
     # WARNING: Repo only provides Debian Bookworm package support for Dovecot CE 2.4+.
     # As Debian Bookworm only packages Dovecot 2.3.x, building DMS with this alternative package repo may not yet be compatible with DMS:
     # - 2.3.19: https://salsa.debian.org/debian/dovecot/-/tree/stable/bookworm
@@ -187,14 +192,15 @@ function _install_rspamd() {
   # Docs: https://rspamd.com/downloads.html#debian-and-ubuntu-linux
   # NOTE: Debian 12 provides Rspamd 3.4 (too old) and Rspamd discourages it's use
 
-  _log 'trace' 'Adding third-party package repository (Rspamd)'
-  curl -fsSL https://rspamd.com/apt-stable/gpg.key | gpg --dearmor > /usr/share/keyrings/upstream-rspamd.gpg
-  echo \
-    "deb [signed-by=/usr/share/keyrings/upstream-rspamd.gpg] https://rspamd.com/apt-stable/ ${VERSION_CODENAME} main" \
-    > /etc/apt/sources.list.d/upstream-rspamd.list
+  # TODO (Debian 13) re-enable later
+  # _log 'trace' 'Adding third-party package repository (Rspamd)'
+  # curl -fsSL https://rspamd.com/apt-stable/gpg.key | gpg --dearmor > /usr/share/keyrings/upstream-rspamd.gpg
+  # echo \
+  #   "deb [signed-by=/usr/share/keyrings/upstream-rspamd.gpg] https://rspamd.com/apt-stable/ ${VERSION_CODENAME} main" \
+  #   > /etc/apt/sources.list.d/upstream-rspamd.list
 
-  # Refresh package index:
-  apt-get "${QUIET}" update
+  # # Refresh package index:
+  # apt-get "${QUIET}" update
 
   _log 'debug' 'Installing Rspamd'
   apt-get "${QUIET}" install rspamd redis-server

target/scripts/helpers/ssl.sh

@@ -51,8 +51,8 @@ function _setup_ssl() {
 
     # Dovecot configuration
     sedfile -i -r \
-      -e "s|^(ssl_key =).*|\1 <${DOVECOT_KEY}|" \
-      -e "s|^(ssl_cert =).*|\1 <${DOVECOT_CERT}|" \
+      -e "s|^(ssl_server_key_file =).*|\1 <${DOVECOT_KEY}|" \
+      -e "s|^(ssl_server_cert_file =).*|\1 <${DOVECOT_CERT}|" \
       "${DOVECOT_CONFIG_SSL}"
   }
 
@@ -345,18 +345,21 @@ function _setup_ssl() {
         -e '/smtpd_tls_auth_only/s|yes|no|' \
         "${POSTFIX_CONFIG_MASTER}"
 
-      # Dovecot configuration:
-      # https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/
-      # > The plaintext authentication is always allowed (and SSL not required) for connections from localhost, as they’re assumed to be secure anyway.
-      # > This applies to all connections where the local and the remote IP addresses are equal.
-      # > Also IP ranges specified by login_trusted_networks setting are assumed to be secure.
-      #
-      # no => insecure auth allowed, yes (default) => plaintext auth only allowed over a secure connection (insecure connection acceptable for non-plaintext auth)
-      local DISABLE_PLAINTEXT_AUTH='no'
-      # no => disabled, yes => optional (secure connections not required), required (default) => mandatory (only secure connections allowed)
-      local DOVECOT_SSL_ENABLED='no'
-      sed -i -r "s|^#?(disable_plaintext_auth =).*|\1 ${DISABLE_PLAINTEXT_AUTH}|" /etc/dovecot/conf.d/10-auth.conf
-      sed -i -r "s|^(ssl =).*|\1 ${DOVECOT_SSL_ENABLED}|" "${DOVECOT_CONFIG_SSL}"
+      # These two settings `auth_allow_cleartext` + `ssl` impact if TLS for connections is required,
+      # which can vary by auth mechanism used and context of the connecting client:
+      # - https://doc.dovecot.org/2.4.1/core/config/ssl.html#how-to-specify-when-ssl-tls-is-required
+      # - https://doc.dovecot.org/2.4.1/core/summaries/settings.html#auth_allow_cleartext
+      # - https://doc.dovecot.org/2.4.1/core/summaries/settings.html#ssl
+
+      # NOTE: Trusted clients (`secured` connections) almost always allow cleartext auth,
+      # with the exception of some when `ssl=required` as detailed in Dovecot docs:
+      # https://doc.dovecot.org/2.4.1/core/config/ssl.html#secured-connections
+
+      # Allow cleartext auth (mechanisms that don't protect secrets) without requiring an encrypted connection
+      sed -i -r "s|^#?(auth_allow_cleartext =).*|\1 yes|" /etc/dovecot/conf.d/10-auth.conf
+
+      # Disable TLS listeners on ports (`ssl=no`), unencrypted traffic only
+      sed -i -r "s|^(ssl =).*|\1 no|" "${DOVECOT_CONFIG_SSL}"
       ;;
 
     ( 'snakeoil' ) # This is a temporary workaround for testing only, using the insecure snakeoil cert.

target/scripts/startup/setup.d/postfix.sh

@@ -49,9 +49,6 @@ EOF
   __postfix__log 'trace' 'Setting up Postfix vhost'
   _create_postfix_vhost
 
-  __postfix__log 'trace' 'Setting up DH Parameters'
-  _setup_dhparam 'Postfix' '/etc/postfix/dhparams.pem'
-
   __postfix__log 'trace' "Configuring message size limit to '${POSTFIX_MESSAGE_SIZE_LIMIT}'"
   postconf "message_size_limit = ${POSTFIX_MESSAGE_SIZE_LIMIT}"