mirror of https://github.com/tomav/docker-mailserver synced 2025-08-22 01:50:59 +00:00

Compare commits


25 Commits

Author SHA1 Message Date
Brennan Kinney
ae4efa5d16
Apply suggestions from code review 2025-08-13 00:08:05 +02:00
Georg Lauterbach
ebfcd32b36
fix: Postfix: disable_dns_lookups => smtp_dns_support_level
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:05 +02:00
Georg Lauterbach
c6952f7f18
chore: Dovecot: adjust main auth-passwd.inc file
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:05 +02:00
Georg Lauterbach
9df32fef8b
fix: Dovecot: remove verbose_ssl
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:04 +02:00
Georg Lauterbach
c381c87fb0
fix: Dovecot: split mail_location
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:04 +02:00
Georg Lauterbach
2a7258189f
fix: Dovecot: adjust mail_plugins
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:04 +02:00
Georg Lauterbach
1cbcbbe535
fix: Dovecot: ssl config
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:03 +02:00
Georg Lauterbach
9585619d86
chore: Dovecot: disable_plaintext_auth => auth_allow_cleartext
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:03 +02:00
Georg Lauterbach
57407bb935
chore: switch to .sourced format for APT
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:03 +02:00
Georg Lauterbach
fe7af1a544
fix: remove deprecated configuration from Postfix
Error as posted by Postfix:

```txt
postconf: warning: /etc/postfix/main.cf: support for parameter "smtpd_tls_dh1024_param_file" will be removed; instead, do not specify (leave at default)
```

Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:02 +02:00
Georg Lauterbach
e1833e5958
chore: do not use Rspamd community repo as of now
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:02 +02:00
Georg Lauterbach
9f464cb510
fix: set proper default for DOVECOT_COMMUNITY_REPO in packages.sh
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:01 +02:00
Georg Lauterbach
fa99285bf8
fix: update package name for LZ4 compat package
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:01 +02:00
Georg Lauterbach
3c4e4dc009
chore: bump version of jaq and step
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:01 +02:00
Georg Lauterbach
9e146dd253
fix: move early instructions into packages.sh
This is required because `adduser` is not available by default on Debian
13.

Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:00 +02:00
Georg Lauterbach
3e22b80440
chore: update VERSION_CODENAME in packages.sh
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:00 +02:00
Georg Lauterbach
ab322c6056
chore: bump Dovecot Xapian version for Dovecot 2.4 compat
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:08:00 +02:00
Georg Lauterbach
ea02987572
chore: switch to Debian 13
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-13 00:07:57 +02:00
Jam Balaya
c1a5eabc94
chore: fix various typos across codebase (#4552)
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-12 21:55:53 +00:00
Georg Lauterbach
060bf9a474
release: v15.1.0 (#4547)
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-12 23:45:21 +02:00
dependabot[bot]
beabb4bea1
chore(deps): Bump anchore/scan-action from 6.5.0 to 6.5.1 (#4550)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-12 12:24:10 +02:00
dependabot[bot]
8168ae6671
chore(deps): Bump actions/download-artifact from 4 to 5 (#4549)
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-12 13:27:01 +12:00
Dan Marks
69e2b56def
docs: Add warning about broken apple push notifications support (#4541)
Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2025-08-05 11:30:13 +02:00
dependabot[bot]
0ffcb002f5
chore(deps): Bump docker/metadata-action from 5.7.0 to 5.8.0 (#4540)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-04 18:29:40 +02:00
Georg Lauterbach
e448b5e53e
chore: disable F2B postfix-sasl jail (#4535)
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-03 10:37:41 +02:00
49 changed files with 172 additions and 151 deletions

View File

@ -20,7 +20,7 @@ body:
id: context
attributes:
label: Context
description: Tell us how your request is related to DMS, one of its components or another issue / PR. Also **link all conected issues and PRs here**!
description: Tell us how your request is related to DMS, one of its components or another issue / PR. Also **link all connected issues and PRs here**!
validations:
required: true
- type: textarea

View File

@ -64,7 +64,7 @@ jobs:
PREVIEW_SITE_PREFIX: pullrequest-${{ needs.pr-context.outputs.PR_NUMBER }}
steps:
- name: 'Retrieve and extract the built docs preview'
uses: actions/download-artifact@v4
uses: actions/download-artifact@v5
with:
name: preview-build
path: ${{ env.BUILD_DIR }}
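Review bot: `uses: actions/download-artifact@v5` is a mutable major tag on a step that unpacks a PR-built artifact and hands it to a publishing job; pin the action to its full commit SHA (keeping the version in a trailing comment so Dependabot still bumps it) so the action's contents cannot change underneath the tag. Dependabot also classifies this bump as `version-update:semver-major`, so confirm against the v5 release notes that extraction into `path: ${{ env.BUILD_DIR }}` still lands the files where the following steps expect them.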

View File

@ -109,7 +109,7 @@ jobs:
update-latest-symlink:
permissions:
contents: write
name: 'update `latest` symlink if neccessary'
name: 'update `latest` symlink if necessary'
runs-on: ubuntu-22.04
if: startsWith(github.ref, 'refs/tags/')
needs: add-version-to-docs

View File

@ -23,7 +23,7 @@ jobs:
- name: 'Prepare tags'
id: prep
uses: docker/metadata-action@v5.7.0
uses: docker/metadata-action@v5.8.0
with:
images: |
${{ secrets.DOCKER_REPOSITORY }}

View File

@ -55,7 +55,7 @@ jobs:
provenance: false
- name: 'Run the Anchore Grype scan action'
uses: anchore/scan-action@v6.5.0
uses: anchore/scan-action@v6.5.1
id: scan
with:
image: mailserver-testing:ci

View File

@ -2,10 +2,16 @@
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v15.0.2...HEAD)
## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v15.1.0...HEAD)
> **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
## [v15.1.0](https://github.com/docker-mailserver/docker-mailserver/compare/v15.1.0...HEAD)
> [!NOTE]
>
> This release is the last release before we start with breaking changes for the transition to Debian 13.
### Added
- **Environment Variables:**
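Review bot: the new `## [v15.1.0]` heading links to `compare/v15.1.0...HEAD`, which is the Unreleased range, not the release; use the same shape as the `v15.0.2` heading further down (`releases/tag/v15.1.0`) or a `compare/v15.0.2...v15.1.0` range so the link actually shows this release's changes.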
@ -23,6 +29,7 @@ All notable changes to this project will be documented in this file. The format
- **Internal:**
- The DMS _Config Volume_ (`/tmp/docker-mailserver`) will now ensure it's file tree is accessible for services when the volume was created with missing executable bit ([#4487](https://github.com/docker-mailserver/docker-mailserver/pull/4487))
- Removed the build-time hostname workaround for Postfix as Debian has since patched their post-install script ([#4493](https://github.com/docker-mailserver/docker-mailserver/pull/4493))
- Fixed various typos across codebase ([#4552](https://github.com/docker-mailserver/docker-mailserver/pull/4552))
### Updates
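Review bot: since this PR fixes typos across the codebase, fold in the one visible in the unchanged context line above: "ensure it's file tree is accessible" should read "ensure its file tree is accessible".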
@ -34,6 +41,11 @@ All notable changes to this project will be documented in this file. The format
- Refactored `setup config dkim` (`open-dkim`) ([#4375](https://github.com/docker-mailserver/docker-mailserver/pull/4375))
- `setup email list` and the default `ENABLE_QUOTAS=1` ENV now better communicates when config is incompatible ([#4453](https://github.com/docker-mailserver/docker-mailserver/pull/4453))
### Removed
- **Fail2Ban**
- Removed `postfix-sasl` jail by default as it is covered by `postfix[mode=extra]` already ([#4535](https://github.com/docker-mailserver/docker-mailserver/pull/4535))
## [v15.0.2](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v15.0.2)
### Fixes
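Review bot: the `postfix-sasl` removal reduces brute-force coverage for anyone not on the default SASL provider, so the entry should say so and point at how to re-enable the jail (the Fail2Ban docs in this PR already carry the `[postfix-sasl]` / `enabled = true` snippet); a one-line "Removed" bullet reads like housekeeping rather than a behaviour change operators may need to act on.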
@ -150,7 +162,7 @@ The most noteworthy change of this release is the update of the container's base
- Removed custom installations of Fail2Ban, getmail6 and Rspamd
- Updated packages lists and added comments for maintainability
- OpenDMARC upgrade: `v1.4.0` => `v1.4.2` ([#3841](https://github.com/docker-mailserver/docker-mailserver/pull/3841))
- Previous versions of OpenDMARC would place incoming mail from domains announcing `p=quarantaine` (_that fail the DMARC check_) into the [Postfix "hold" queue](https://www.postfix.org/QSHAPE_README.html#hold_queue) until administrative intervention.
- Previous versions of OpenDMARC would place incoming mail from domains announcing `p=quarantine` (_that fail the DMARC check_) into the [Postfix "hold" queue](https://www.postfix.org/QSHAPE_README.html#hold_queue) until administrative intervention.
- [OpenDMARC v1.4.2 has disabled that feature by default](https://github.com/trusteddomainproject/OpenDMARC/issues/105), but it can be enabled again by adding the setting `HoldQuarantinedMessages true` to [`/etc/opendmarc.conf`](https://github.com/docker-mailserver/docker-mailserver/blob/v13.3.1/target/opendmarc/opendmarc.conf) (_provided from DMS_).
- [Our `user-patches.sh` feature](https://docker-mailserver.github.io/docker-mailserver/latest/config/advanced/override-defaults/user-patches/) provides a convenient approach to updating that config file.
- Please let us know if you disagree with the upstream default being carried with DMS, or the value of providing alternative configuration support within DMS.
@ -325,11 +337,11 @@ DMS is now secured against the [recently published spoofing attack "SMTP Smuggli
- The test suite now uses `swaks` instead of `nc`, which has multiple benefits ([#3732](https://github.com/docker-mailserver/docker-mailserver/pull/3732)):
- `swaks` handles pipelining correctly, hence we can now use `reject_unauth_pipelining` in Postfix's configuration.
- `swaks` provides better CLI options that make many files superflous.
- `swaks` provides better CLI options that make many files superfluous.
- `swaks` can also replace `openssl s_client` and handles authentication on submission ports better.
- **Postfix:**
- We now defer rejection from unauthorized pipelining until the SMTP `DATA` command via `smtpd_data_restrictions` (_i.e. at the end of the mail transfer transaction_) ([#3744](https://github.com/docker-mailserver/docker-mailserver/pull/3744))
- Prevously our configuration only handled this during the client and recipient restriction stages. Postfix will flag this activity when encountered, but the rejection now is handled at `DATA` where unauthorized pipelining would have been valid from this point.
- Previously our configuration only handled this during the client and recipient restriction stages. Postfix will flag this activity when encountered, but the rejection now is handled at `DATA` where unauthorized pipelining would have been valid from this point.
- If you had the Amavis service enabled (default), this restriction was already in place. Otherwise the concerns expressed with `smtpd_data_restrictions = reject_unauth_pipelining` from the security section above apply. We have permitted trusted clients (_`$mynetworks` or authenticated_) to bypass this restriction.
## [v13.1.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.1.0)
@ -560,7 +572,7 @@ Notable changes are:
- Rspamd feature is promoted from preview status
- Services no longer use `chroot`
- Fail2Ban major version upgrade
- ARMv7 platform is no longer suppoted
- ARMv7 platform is no longer supported
- TLS 1.2 is the minimum supported protocol
- SMTP authentication on port 25 disabled
- The value of `smtpd_sender_restrictions` for Postfix has replaced the value ([#3127](https://github.com/docker-mailserver/docker-mailserver/pull/3127)):

View File

@ -7,7 +7,7 @@ ARG DEBIAN_FRONTEND=noninteractive
ARG DOVECOT_COMMUNITY_REPO=0
ARG LOG_LEVEL=trace
FROM docker.io/debian:12-slim AS stage-base
FROM docker.io/debian:13-slim AS stage-base
ARG DEBIAN_FRONTEND
ARG DOVECOT_COMMUNITY_REPO
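Review bot: `FROM docker.io/debian:13-slim` is a floating tag, so two builds of the same commit can pull different base layers; for reproducible and attestable images pin `debian:13-slim@sha256:<digest>` (digest to be filled in from the registry) and let the bot bump the digest. This matters more now that the `stage-base` layer does less and `packages.sh` does more, because the base image content is the only thing fixing what `apt-get` sees.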
@ -20,11 +20,6 @@ SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
# -----------------------------------------------
COPY target/bin/sedfile /usr/local/bin/sedfile
RUN <<EOF
chmod +x /usr/local/bin/sedfile
adduser --quiet --system --group --disabled-password --home /var/lib/clamav --no-create-home --uid 200 clamav
EOF
COPY target/scripts/build/packages.sh /build/
COPY target/scripts/helpers/log.sh /usr/local/bin/helpers/log.sh
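Review bot: `chmod +x /usr/local/bin/sedfile` leaves the Dockerfile here and now happens inside `packages.sh`, so `sedfile` is not executable between the `COPY target/bin/sedfile` layer and the point where `_pre_installation_steps` runs; verify no earlier `RUN` in the Dockerfile invokes `sedfile`, or keep the `chmod` next to the `COPY` (it does not depend on `adduser`, which is the stated reason for the move).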
@ -209,8 +204,7 @@ COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
# DH parameters for DHE cipher suites, ffdhe4096 is the official standard 4096-bit DH params now part of TLS 1.3
# This file is for TLS <1.3 handshakes that rely on DHE cipher suites
# Handled at build to avoid failures by doveadm validating ssl_dh filepath in 10-ssl.auth (eg generate-accounts)
COPY target/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
# Handled at build to avoid failures by doveadm validating ssl_server_dh_file filepath in 10-ssl.auth (eg generate-accounts)
COPY target/shared/ffdhe4096.pem /etc/dovecot/dh.pem
COPY \
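Review bot: with `COPY target/shared/ffdhe4096.pem /etc/postfix/dhparams.pem` dropped, the two comment lines above ("DH parameters for DHE cipher suites ... This file is for TLS <1.3 handshakes") now describe only the Dovecot copy; reword them to say so, and grep the docs and `user-patches.sh` examples for `/etc/postfix/dhparams.pem`, which no longer exists in the image.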

View File

@ -29,9 +29,6 @@ enabled = true
# https://github.com/docker-mailserver/docker-mailserver/issues/3256#issuecomment-1511188760
mode = extra
[postfix-sasl]
enabled = true
# This jail is used for manual bans.
# To ban an IP address use: setup.sh fail2ban ban <IP>
[custom]
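Review bot: removing `[postfix-sasl]` from the shipped default relies on `mode = extra` matching the SASL failure lines of the default provider only; the linked issue comment explains the overlap, but a one-line comment under `mode = extra` saying that `postfix-sasl` must be re-enabled for `saslauthd` setups would stop operators from silently losing login-failure bans when they switch providers.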

View File

@ -107,7 +107,7 @@ configs:
# - Use an ECDSA cert that's been signed by a self-signed CA for TLS cert verification.
# - This cert is only valid for mail.example.test, mail.destination.test, smtp.relay-service.test
# `swaks` run in the container will need to reference this CA cert file for successful verficiation (optional).
# `swaks` run in the container will need to reference this CA cert file for successful verification (optional).
tls-ca-cert:
content: |
-----BEGIN CERTIFICATE-----

View File

@ -142,7 +142,7 @@ This page provides a technical reference for account management in DMS.
- A subaddress has a tag delimiter (_default: `+`_), followed by the tag: `<local-part>+<tag>@<domain-part>`
- The subaddress `user+github@example.com` would deliver mail to the same mailbox as `user@example.com`.
- Tags are dynamic. Anything between the `+` and `@` is understood as the tag, no additional configuration required.
- Only the first occurence of the tag delimiter is recognized. Any additional occurences become part of the tag value itself.
- Only the first occurrence of the tag delimiter is recognized. Any additional occurrences become part of the tag value itself.
??? tip "When is subaddressing useful?"

View File

@ -35,7 +35,7 @@ While indexing is memory intensive, you can configure the plugin to limit the am
# disable indexing of folders
# fts_autoindex_exclude = \Trash
# Index attachements
# Index attachments
# fts_decoder = decode2text
}

View File

@ -733,7 +733,7 @@ Controls the spam score threshold for triggering an action on mail that has a hi
- **1** => will activate SpamAssassin short circuiting for bayes spam detection.
This will uncomment the respective line in `/etc/spamassasin/local.cf`
This will uncomment the respective line in `/etc/spamassassin/local.cf`
!!! warning
@ -743,7 +743,7 @@ This will uncomment the respective line in `/etc/spamassasin/local.cf`
- **1** => will activate SpamAssassin short circuiting for bayes ham detection
This will uncomment the respective line in `/etc/spamassasin/local.cf`
This will uncomment the respective line in `/etc/spamassassin/local.cf`
!!! warning

View File

@ -37,7 +37,7 @@ Enabling Fail2Ban support can be done via ENV, but also requires granting at lea
--env ENABLE_FAIL2BAN=1
```
!!! warning "Security risk of adding non-default capabilties"
!!! warning "Security risk of adding non-default capabilities"
DMS bundles F2B into the image for convenience to simplify integration and deployment.
@ -78,6 +78,15 @@ This following configuration files inside the `docker-data/dms/config/` volume w
[github-file-f2bjail]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-jail.cf
[github-file-f2bconfig]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-fail2ban.cf
### SASL
The `postfix` jail comes with `mode=extra` by default, which covers SASL login errors for our default SASL provider. Hence, the `postfix-sasl` jail has been disabled. If you switch to another SASL provider (e.g., SASLauthd), you may want to turn the `postfix-sasl` jail back on:
```ini title="docker-data/dms/config/fail2ban-jail.cf"
[postfix-sasl]
enabled = true
```
### Viewing All Bans
When just running
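Review bot: the new SASL section tells readers to re-enable `[postfix-sasl]` but not how to confirm it is actually catching their provider's log lines; add a check such as `setup fail2ban status` or `fail2ban-client status postfix-sasl` after a deliberately failed login, since a jail whose filter never matches gives no protection while appearing enabled. Also spell the provider consistently with the rest of the docs (`saslauthd`, the `ENABLE_SASLAUTHD` feature) rather than "SASLauthd".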

View File

@ -791,7 +791,7 @@ Add this to `docker-data/dms/config/dovecot.cf`:
```cf
ssl = yes
disable_plaintext_auth=no
auth_allow_cleartext = yes
```
These options in conjunction mean:
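Review bot: `auth_allow_cleartext = yes` is the inverted 2.4 replacement for `disable_plaintext_auth=no`, so the meaning is unchanged, but the explanation list under "These options in conjunction mean:" (outside this hunk) still needs its wording updated to the new option name, and it should keep stating that allowing cleartext mechanisms is only acceptable here because `ssl = yes` and the connection is otherwise protected; on its own this setting lets PLAIN/LOGIN credentials be sent without TLS.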

View File

@ -2,6 +2,15 @@
title: 'Advanced | iOS Mail Push Support'
---
!!! warning "Status - August 2025"
Apple has since deprecated their API used for certificate renewal (_see [this Apple Developer thread][apple::dev-push-issue-reference]_) as it is currently implemented in `dovecot-xaps-daemon` for `XAPPLEPUSHSERVICE`. There is no actionable resolution for this issue known at this time.
[Apple has communicated plans][apple::push-open-standard] to implement an open IETF standard for push notifications.
[apple::dev-push-issue-reference]: https://developer.apple.com/forums/thread/778671?answerId=850357022#850357022
[apple::push-open-standard]: https://github.com/stalwartlabs/stalwart/issues/747#issuecomment-3142925679
## Introduction
iOS Mail currently does not support the IMAP idle extension. Therefore users can only either check manually or configure intervals for fetching mails in their mail account preferences when using the default configuration.
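Review bot: "Apple has since deprecated their API" has no antecedent for "since" at the top of the page; "Apple has deprecated the API used for certificate renewal" reads cleanly. Consider also stating the practical consequence for existing deployments (push stops working once the current certificate expires) so readers know whether to act now.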

View File

@ -374,7 +374,7 @@ DMS does not manage those concerns, verify they are not causing your delivery pr
- [mail-tester](https://www.mail-tester.com/) can test your deliverability.
- [helloinbox](https://www.helloinbox.email/) provides a checklist of things to improve your deliverability.
### SpamAssasin
### SpamAssassin
#### How can I manage my custom SpamAssassin rules?

View File

@ -7,7 +7,7 @@ smtp-amavis unix - - n - 2 smtp
-o syslog_name=postfix/$service_name
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o smtp_dns_support_level=disabled
-o max_use=20
-o smtp_tls_security_level=none
-o smtp_tls_wrappermode=no
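Review bot: `smtp_dns_support_level=disabled` is the documented replacement for the deprecated `disable_dns_lookups=yes` and keeps the same behaviour (host lookups via the system resolver, no MX lookups), which is what the `smtp-amavis` loopback transport wants; check `main.cf` and any other `master.cf` transports for remaining `disable_dns_lookups` uses so the `postconf` deprecation warning is gone entirely rather than just here.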

View File

@ -73,7 +73,7 @@ function _bytes_to_human_readable_size() {
echo '~'
# Otherwise a value in KibiBytes (1024 bytes == 1k) is expected (Dovecots internal representation):
elif [[ ${1:-} =~ ^[0-9]+$ ]]; then
# kibibytes to bytes, converted to approproate IEC unit (eg: MiB):
# kibibytes to bytes, converted to appropriate IEC unit (eg: MiB):
echo $(( 1024 * ${1} )) | numfmt --to=iec
else
_exit_with_error "Supplied non-number argument '${1:-}' to '_bytes_to_human_readable_size()'"

View File

@ -256,7 +256,7 @@ EOF
cp "${DEFAULT_CONFIG_FILE}" "${RSPAMD_OVERRIDE_D}/dkim_signing.conf"
chown _rspamd:_rspamd "${DEFAULT_CONFIG_FILE}" "${RSPAMD_OVERRIDE_D}/dkim_signing.conf"
_log 'debug' 'Restarting Rspamd as initial DKIM configuration was suppplied'
_log 'debug' 'Restarting Rspamd as initial DKIM configuration was supplied'
supervisorctl restart rspamd
fi
}

View File

@ -74,7 +74,7 @@ ${ORANGE}EXAMPLES${RESET}
to input a password afterwards since no password was supplied.
${LWHITE}setup config dkim keysize 2048 domain 'example.com,not-example.com'${RESET}
Creates keys of length 2048 for the domains in comma-seperated list.
Creates keys of length 2048 for the domains in comma-separated list.
This is necessary when using LDAP as the required domains cannot be inferred.
${LWHITE}setup config dkim help${RESET}

View File

@ -7,7 +7,7 @@
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes
#auth_allow_cleartext = no
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
@ -96,7 +96,7 @@
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
# NOTE: See also auth_allow_cleartext setting.
auth_mechanisms = plain login
##

View File

@ -41,9 +41,6 @@ auth_verbose_passwords = sha1:6
# isn't finding your mails.
#mail_debug = no
# Show protocol level SSL errors.
verbose_ssl = no
# mail_log plugin provides more event logging for mail processes.
plugin {
# Events to log. Also available: flag_change append
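Review bot: dropping `verbose_ssl = no` is right for 2.4, but the comment "Show protocol level SSL errors." goes with it, and the debugging docs may still tell operators to set `verbose_ssl`; point them at the 2.4 way of surfacing TLS handshake failures (the `log_debug` category filter) so that guidance does not dead-end.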

View File

@ -10,25 +10,13 @@
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if there's no domain
# %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
# mail_location = maildir:~/Maildir
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
# path given in the mail_driver+mail_path settings.
# ref: https://doc.dovecot.org/main/core/config/mail_location.html#mail_driver
mail_driver = maildir
# ref: https://doc.dovecot.org/main/core/config/mail_location.html#mail_path
mail_path = /var/mail/%d/%n
mail_home = /var/mail/%d/%n/home/
mail_location = maildir:/var/mail/%d/%n
# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
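Review bot: `mail_path = /var/mail/%d/%n` and `mail_home = /var/mail/%d/%n/home/` keep the legacy `%d`/`%n` variables while `auth-passwd.inc` in the same PR switches to the 2.4 form (`%{user | domain}`/`%{user | username}`); pick one syntax across the Dovecot config so the two files cannot drift apart, and note that `mail_home` living inside `mail_path` is unchanged behaviour that relies on Maildir ignoring the non-dot-prefixed `home` directory.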
@ -206,7 +194,9 @@ mail_privileged_group = docker
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
mail_plugins = $mail_plugins quota
mail_plugins {
quota = yes
}
##
## Mailbox handling optimizations

View File

@ -9,8 +9,8 @@
# dropping root privileges, so keep the key file unreadable by anyone but root.
# These [snakeoil files actually exist](https://askubuntu.com/questions/396120/what-is-the-purpose-of-the-ssl-cert-snakeoil-key), but shouldn't ever be used in production!
# As `SSL_TYPE` env is required by docker-mailserver, these "snakeoil" files will be replaced on container startup.
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
ssl_server_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_server_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
# Fallback/Hybrid cert support. docker-mailserver will enable these when using ENV vars `SSL_ALT_CERT_PATH` and `SSL_ALT_KEY_PATH`.
#ssl_alt_cert = </path/to/alternative/cert.pem
#ssl_alt_key = </path/to/alternative/key.pem
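Review bot: the commented fallback lines `#ssl_alt_cert = </path/to/alternative/cert.pem` / `#ssl_alt_key = ...` still use the 2.3 names and `<file` syntax that this hunk just removed for the primary cert; update them to the 2.4 `ssl_server_alt_cert_file` / `ssl_server_alt_key_file` form, and check the startup script that enables them from `SSL_ALT_CERT_PATH` / `SSL_ALT_KEY_PATH`, since it presumably writes the old names.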
@ -48,7 +48,7 @@ ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
# SSL DH parameters
# Since v2.3.3+ Diffie-Hellman parameters have been made optional, and you are encouraged to disable non-ECC DH algorithms completely.
# `docker-mailserver` is configured to use the recommended pre-defined 4096-bit DHE Group at https://github.com/internetstandards/dhe_groups
ssl_dh = </etc/dovecot/dh.pem
ssl_server_dh_file = /etc/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
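Review bot: the comment "Since v2.3.3+ Diffie-Hellman parameters have been made optional" is stale on a 2.4 config; rewrite it for 2.4 and state plainly that `ssl_server_dh_file` is still needed because the `ssl_cipher_list` below keeps the `DHE-RSA-*` suites for TLS 1.2 clients (drop the file and those suites together if DHE is ever removed).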
@ -57,8 +57,8 @@ ssl_min_protocol = TLSv1.2
# SSL ciphers to use
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
# ref: https://doc.dovecot.org/main/core/summaries/settings.html#ssl_server_prefer_ciphers
ssl_server_prefer_ciphers = server
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

View File

@ -1,4 +1,6 @@
protocol imap {
# allow IMAP clients to ask quota usage
mail_plugins = $mail_plugins imap_quota
# allow IMAP clients to ask quota usage
mail_plugins {
imap_quota = yes
}
}

View File

@ -15,5 +15,7 @@
protocol lmtp {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins sieve
mail_plugins {
sieve = yes
}
}

View File

@ -1,20 +1,24 @@
# Authentication for passwd-file users. Included from 10-auth.conf.
#
# Documentation
# PassDB: https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
# UserDB: https://doc.dovecot.org/configuration_manual/authentication/user_databases_userdb/
#
# !!! Attention !!!
# Do not add `scheme=SHA512-CRYPT` to the userdb args. This is not supported.
# ref: https://doc.dovecot.org/main/core/config/auth/databases/passwd_file.html
passdb {
passdb passwd-file {
driver = passwd-file
mechanisms = plain login
args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/userdb
mechanisms_filter = plain login
default_password_scheme = SHA512-CRYPT
auth_username_format = %{user}
passwd_file_path = /etc/dovecot/userdb
}
userdb {
userdb passwd-file {
driver = passwd-file
args = username_format=%u /etc/dovecot/userdb
default_fields = uid=docker gid=docker home=/var/mail/%d/%u/home/
auth_username_format = %{user}
passwd_file_path = /etc/dovecot/userdb
# Default field values to use when they're not set for user accounts sourced via `/etc/dovecot/userdb`.
# NOTE: That file is created from `postfix-accounts.cf` + `postfix-virtual.cf`
fields {
uid:default = docker
gid:default = docker
home:default = /var/mail/%{user | domain}/%{user | username}/home/
}
}
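Review bot: the "Attention" note still says "Do not add `scheme=SHA512-CRYPT` to the userdb args", but `args` no longer exists in this file; rewrite it for the new layout (e.g. do not set `default_password_scheme` in the `userdb` block). Separately, `home:default` changes from `/var/mail/%d/%u/home/` to `/var/mail/%{user | domain}/%{user | username}/home/`, i.e. from the full address to the local part; that now matches `mail_home` in `10-mail.conf`, but it is a silent path change for any account that relied on the default rather than an explicit `home` field, so call it out in the changelog.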

View File

@ -29,9 +29,6 @@ enabled = true
# https://github.com/docker-mailserver/docker-mailserver/issues/3256#issuecomment-1511188760
mode = extra
[postfix-sasl]
enabled = true
# This jail is used for manual bans.
# To ban an IP address use: setup.sh fail2ban ban <IP>
[custom]

View File

@ -45,7 +45,6 @@ smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES, SHA1
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_CApath = /etc/ssl/certs
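Review bot: with `smtpd_tls_dh1024_param_file` gone, Postfix falls back to its built-in default DHE parameters (the `postconf` warning quoted in the commit message says to leave it unset), so the project-shipped ffdhe4096 group no longer applies to Postfix; document that in the changelog, and make sure `/etc/postfix/dhparams.pem` is no longer referenced anywhere since the Dockerfile stops copying it.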

View File

@ -18,7 +18,7 @@ function _install_build_deps() {
}
function _build_package() {
local XAPIAN_VERSION='1.9'
local XAPIAN_VERSION='1.9.1'
curl -fsSL "https://github.com/grosjo/fts-xapian/releases/download/${XAPIAN_VERSION}/dovecot-fts-xapian-${XAPIAN_VERSION}.tar.gz" \
| tar -xz
cd "fts-xapian-${XAPIAN_VERSION}"
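Review bot: the `dovecot-fts-xapian-${XAPIAN_VERSION}.tar.gz` is fetched with `curl ... | tar -xz` and built into the image without any integrity check; pin the expected SHA-256 of the `1.9.1` tarball next to `XAPIAN_VERSION` and verify it (`sha256sum -c`) before extracting, so a compromised or replaced release asset cannot end up compiled into every image.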

View File

@ -6,7 +6,7 @@
# -o pipefail :: exit on error in pipes
set -eE -u -o pipefail
VERSION_CODENAME='bookworm'
VERSION_CODENAME='trixie'
# shellcheck source=../helpers/log.sh
source /usr/local/bin/helpers/log.sh
@ -28,12 +28,17 @@ function _pre_installation_steps() {
local EARLY_PACKAGES=(
# Avoid logging unnecessary warnings:
apt-utils
# we need this early for the creation of accounts like 'clamav'
adduser
# Required for adding third-party repos (/etc/apt/sources.list.d) as alternative package sources (eg: Dovecot CE and Rspamd):
apt-transport-https ca-certificates curl gnupg
# Avoid problems with SA / Amavis (https://github.com/docker-mailserver/docker-mailserver/pull/3403#pullrequestreview-1596689953):
systemd-standalone-sysusers
)
apt-get "${QUIET}" install --no-install-recommends "${EARLY_PACKAGES[@]}" 2>/dev/null
chmod +x /usr/local/bin/sedfile
adduser --quiet --system --group --disabled-password --home /var/lib/clamav --no-create-home --uid 200 clamav
}
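Review bot: `apt-get "${QUIET}" install ... 2>/dev/null` discards the error output of the one install step that now also has to provide `adduser`; `set -eE` still aborts the build on failure, but the reason is lost, so drop the `2>/dev/null` (or redirect to the build log) so a missing or renamed early package is diagnosable on Debian 13.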
# Install third-party commands to /usr/local/bin
@ -60,12 +65,12 @@ function _install_utils() {
_log 'debug' 'Installing utils sourced from Github'
_log 'trace' 'Installing jaq'
local JAQ_TAG='v2.1.0'
local JAQ_TAG='v2.3.0'
curl -sSfL "https://github.com/01mf02/jaq/releases/download/${JAQ_TAG}/jaq-$(uname -m)-unknown-linux-gnu" -o /usr/local/bin/jaq
chmod +x /usr/local/bin/jaq
_log 'trace' 'Installing step'
local STEP_RELEASE='0.28.2'
local STEP_RELEASE='0.28.7'
curl -sSfL "https://github.com/smallstep/cli/releases/download/v${STEP_RELEASE}/step_linux_${STEP_RELEASE}_${ARCH_B}.tar.gz" \
| tar -xz --directory /usr/local/bin --no-same-owner --strip-components=2 "step_${STEP_RELEASE}/bin/step"
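Review bot: the `jaq` (`v2.3.0`) and `step` (`0.28.7`) binaries are downloaded straight into `/usr/local/bin` with no checksum or signature verification; record the release checksums alongside the version pins and verify them before `chmod +x` / `tar -xz`, as both projects publish per-release checksum files.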
@ -83,7 +88,7 @@ function _install_packages() {
local ANTI_VIRUS_SPAM_PACKAGES=(
clamav clamav-daemon
# spamassassin is used only with amavisd-new, while pyzor + razor are used by spamassasin
# spamassassin is used only with amavisd-new, while pyzor + razor are used by spamassassin
amavisd-new spamassassin pyzor razor
)
@ -91,7 +96,7 @@ function _install_packages() {
local CODECS_PACKAGES=(
altermime arj bzip2
cabextract cpio file
gzip lhasa liblz4-tool
gzip lhasa lz4
lrzip lzop nomarch
p7zip-full pax rpm2cpio
unrar-free unzip xz-utils
@ -154,17 +159,22 @@ function _install_dovecot() {
# NOTE: AMD64 / x86_64 is the only supported arch from the Dovecot CE repo (thus noDMS built for ARM64 / aarch64)
# Repo: https://repo.dovecot.org/ce-2.4-latest/debian/bookworm/dists/bookworm/main/
# Docs: https://repo.dovecot.org/#debian
if [[ ${DOVECOT_COMMUNITY_REPO} -eq 1 ]] && [[ "$(uname --machine)" == "x86_64" ]]; then
if [[ ${DOVECOT_COMMUNITY_REPO:-0} -eq 1 ]] && [[ $(uname --machine) == x86_64 ]]; then
# WARNING: Repo only provides Debian Bookworm package support for Dovecot CE 2.4+.
# As Debian Bookworm only packages Dovecot 2.3.x, building DMS with this alternative package repo may not yet be compatible with DMS:
# - 2.3.19: https://salsa.debian.org/debian/dovecot/-/tree/stable/bookworm
# - 2.3.21: https://salsa.debian.org/debian/dovecot/-/tree/stable/bookworm-backports
_log 'trace' 'Adding third-party package repository (Dovecot)'
curl -fsSL https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4 | gpg --dearmor > /usr/share/keyrings/upstream-dovecot.gpg
echo \
"deb [signed-by=/usr/share/keyrings/upstream-dovecot.gpg] https://repo.dovecot.org/ce-2.4-latest/debian/${VERSION_CODENAME} ${VERSION_CODENAME} main" \
> /etc/apt/sources.list.d/upstream-dovecot.list
curl -fsSL https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4 \
| gpg --dearmor >/usr/share/keyrings/upstream-dovecot.gpg
cat >/etc/apt/sources.list.d/upstream-dovecot.sources <<EOF
Types: deb
URIs: https://repo.dovecot.org/ce-2.4-latest/debian/${VERSION_CODENAME}
Suites: ${VERSION_CODENAME}
Components: main
Signed-By: /usr/share/keyrings/upstream-dovecot.gpg
EOF
# Refresh package index:
apt-get "${QUIET}" update
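Review bot: `${VERSION_CODENAME}` is expanded by the unquoted heredoc into both `URIs:` and `Suites:`, so this function now depends on that variable being set (for example sourced from `/etc/os-release`) before it runs; an unset value would write a truncated `URIs:` and an empty `Suites:` line, and `apt-get update` would fail in a less obvious way. The new `${DOVECOT_COMMUNITY_REPO:-0}` default shows the right instinct for the unset case; a guard for `VERSION_CODENAME` deserves the same treatment. The comment block above still says Bookworm only packages Dovecot 2.3.x, which reads stale now that the source is codename-generic; please update it in the same change. Minor: `curl ... | gpg --dearmor` only fails the step on a curl error if the script runs with `set -o pipefail`.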
@ -182,18 +192,23 @@ function _install_dovecot() {
}
function _install_rspamd() {
# NOTE: DMS only supports the rspamd package via using the third-party repo maintained by Rspamd (AMD64 + ARM64):
# Repo: https://rspamd.com/apt-stable/dists/bookworm/main/
# Docs: https://rspamd.com/downloads.html#debian-and-ubuntu-linux
# NOTE: Debian 12 provides Rspamd 3.4 (too old) and Rspamd discourages it's use
# NOTE: DMS only supports the rspamd package via using the third-party
# repo maintained by Rspamd (AMD64 + ARM64):
# ref: https://rspamd.com/downloads.html#debian-and-ubuntu-linux
# TODO (Debian 13) re-enable later
_log 'trace' 'Adding third-party package repository (Rspamd)'
curl -fsSL https://rspamd.com/apt-stable/gpg.key | gpg --dearmor > /usr/share/keyrings/upstream-rspamd.gpg
echo \
"deb [signed-by=/usr/share/keyrings/upstream-rspamd.gpg] https://rspamd.com/apt-stable/ ${VERSION_CODENAME} main" \
> /etc/apt/sources.list.d/upstream-rspamd.list
curl -fsSL https://rspamd.com/apt-stable/gpg.key \
| gpg --dearmor >/usr/share/keyrings/upstream-rspamd.gpg
cat >/etc/apt/sources.list.d/upstream-rspamd.sources <<EOF
Types: deb
Enabled: No
URIs: https://rspamd.com/apt-stable/
Suites: ${VERSION_CODENAME}
Components: main
Signed-By: /usr/share/keyrings/upstream-rspamd.gpg
EOF
# Refresh package index:
apt-get "${QUIET}" update
_log 'debug' 'Installing Rspamd'
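Review bot: `Enabled: No` makes `apt-get update` on the preceding line skip this source entirely, so the `Installing Rspamd` step that follows installs whatever rspamd Debian ships rather than the upstream build, which contradicts the NOTE a few lines up that DMS only supports the package from the Rspamd repo. The removed NOTE about Debian 12's Rspamd 3.4 being too old was the only statement of why the upstream repo matters; please keep a minimum-version statement in the comment and expand `TODO (Debian 13) re-enable later` to say that, until then, the distro package is what gets installed. Logging the installed rspamd version at debug level would also make the fallback visible in container logs.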


@ -56,7 +56,7 @@ function _manage_accounts_dovecotmaster_delete { _manage_accounts 'delete' "${DA
#
# These validation helpers rely on:
# - Exteral vars to be declared prior to calling them (MAIL_ACCOUNT, PASSWD, DATABASE).
# - External vars to be declared prior to calling them (MAIL_ACCOUNT, PASSWD, DATABASE).
# - Calling external method '__usage' as part of error handling.
# Also used by setquota, delquota


@ -7,7 +7,7 @@ function _get_label_count() {
}
# Sets HOSTNAME and DOMAINNAME globals used throughout the scripts,
# and any subprocesses called that intereact with it.
# and any subprocesses called that interact with it.
function _obtain_hostname_and_domainname() {
# Normally this value would match the output of `hostname` which mirrors `/proc/sys/kernel/hostname`,
# However for legacy reasons, the system ENV `HOSTNAME` was replaced here with `hostname -f` instead.


@ -93,7 +93,7 @@ function _trap_err_signal() {
# shellcheck disable=SC2317
function __log_unexpected_error() {
local MESSAGE="Unexpected error occured :: script = ${SCRIPT:-${0}} "
local MESSAGE="Unexpected error occurred :: script = ${SCRIPT:-${0}} "
MESSAGE+=" | function = ${1:-none (global)}"
MESSAGE+=" | command = ${2:-?}"
MESSAGE+=" | line = ${3:-?}"
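Review bot: `Unexpected error occurred` is a logged string, not only a comment; if any test or log-parsing helper asserts on the previous misspelling, it needs the matching fix in this PR. Otherwise fine.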


@ -8,7 +8,7 @@ function _setup_dhparam() {
_log 'debug' "Setting up ${DH_SERVICE} dhparam"
if [[ -f ${DH_CUSTOM} ]]; then # use custom supplied dh params (assumes they're probably insecure)
_log 'trace' "${DH_SERVICE} will use custom provided DH paramters"
_log 'trace' "${DH_SERVICE} will use custom provided DH parameters"
_log 'warn' "Using self-generated dhparams is considered insecure - unless you know what you are doing, please remove '${DH_CUSTOM}'"
cp -f "${DH_CUSTOM}" "${DH_DEST}"
@ -51,8 +51,8 @@ function _setup_ssl() {
# Dovecot configuration
sedfile -i -r \
-e "s|^(ssl_key =).*|\1 <${DOVECOT_KEY}|" \
-e "s|^(ssl_cert =).*|\1 <${DOVECOT_CERT}|" \
-e "s|^(ssl_server_key_file =).*|\1 <${DOVECOT_KEY}|" \
-e "s|^(ssl_server_cert_file =).*|\1 <${DOVECOT_CERT}|" \
"${DOVECOT_CONFIG_SSL}"
}
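Review bot: the replacement keeps the `<` file-inclusion prefix (`\1 <${DOVECOT_KEY}` / `\1 <${DOVECOT_CERT}`) in front of the new `ssl_server_key_file` and `ssl_server_cert_file` values. In Dovecot 2.4 these `_file` settings take a path, whereas `<` was the 2.3 idiom for inlining a file's contents into `ssl_key` / `ssl_cert`; please confirm on a running 2.4 instance (`doveconf ssl_server_cert_file`) that the prefix is still accepted and intended, or drop it.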
@ -345,18 +345,21 @@ function _setup_ssl() {
-e '/smtpd_tls_auth_only/s|yes|no|' \
"${POSTFIX_CONFIG_MASTER}"
# Dovecot configuration:
# https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/
# > The plaintext authentication is always allowed (and SSL not required) for connections from localhost, as theyre assumed to be secure anyway.
# > This applies to all connections where the local and the remote IP addresses are equal.
# > Also IP ranges specified by login_trusted_networks setting are assumed to be secure.
#
# no => insecure auth allowed, yes (default) => plaintext auth only allowed over a secure connection (insecure connection acceptable for non-plaintext auth)
local DISABLE_PLAINTEXT_AUTH='no'
# no => disabled, yes => optional (secure connections not required), required (default) => mandatory (only secure connections allowed)
local DOVECOT_SSL_ENABLED='no'
sed -i -r "s|^#?(disable_plaintext_auth =).*|\1 ${DISABLE_PLAINTEXT_AUTH}|" /etc/dovecot/conf.d/10-auth.conf
sed -i -r "s|^(ssl =).*|\1 ${DOVECOT_SSL_ENABLED}|" "${DOVECOT_CONFIG_SSL}"
# These two settings `auth_allow_cleartext` + `ssl` impact if TLS for connections is required,
# which can vary by auth mechanism used and context of the connecting client:
# - https://doc.dovecot.org/2.4.1/core/config/ssl.html#how-to-specify-when-ssl-tls-is-required
# - https://doc.dovecot.org/2.4.1/core/summaries/settings.html#auth_allow_cleartext
# - https://doc.dovecot.org/2.4.1/core/summaries/settings.html#ssl
# NOTE: Trusted clients (`secured` connections) almost always allow cleartext auth,
# with the exception of some when `ssl=required` as detailed in Dovecot docs:
# https://doc.dovecot.org/2.4.1/core/config/ssl.html#secured-connections
# Allow cleartext auth (mechanisms that don't protect secrets) without requiring an encrypted connection
sed -i -r "s|^#?(auth_allow_cleartext =).*|\1 yes|" /etc/dovecot/conf.d/10-auth.conf
# Disable TLS listeners on ports (`ssl=no`), unencrypted traffic only
sed -i -r "s|^(ssl =).*|\1 no|" "${DOVECOT_CONFIG_SSL}"
;;
( 'snakeoil' ) # This is a temporary workaround for testing only, using the insecure snakeoil cert.
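Review bot: the two `sed` expressions tolerate a commented-out default differently: the `auth_allow_cleartext` pattern is `^#?(auth_allow_cleartext =)`, but the `ssl` pattern is `^(ssl =)` and will silently match nothing if the file behind `${DOVECOT_CONFIG_SSL}` ships the line as `#ssl = ...`, leaving TLS enabled in the branch that is meant to be plaintext-only. Suggest `s|^#?(ssl =).*|\1 no|` for symmetry, and a `doveconf ssl` check in the test for this `SSL_TYPE` branch. The explanatory comments with the 2.4.1 doc links are a clear improvement.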


@ -9,7 +9,7 @@ function _register_setup_function() {
function _setup() {
# Requires `shopt -s globstar` because of `**` which in
# turn is required as we're decending through directories
# turn is required as we're descending through directories
for FILE in /usr/local/bin/setup.d/**/*.sh; do
# shellcheck source=/dev/null
source "${FILE}"


@ -49,9 +49,6 @@ EOF
__postfix__log 'trace' 'Setting up Postfix vhost'
_create_postfix_vhost
__postfix__log 'trace' 'Setting up DH Parameters'
_setup_dhparam 'Postfix' '/etc/postfix/dhparams.pem'
__postfix__log 'trace' "Configuring message size limit to '${POSTFIX_MESSAGE_SIZE_LIMIT}'"
postconf "message_size_limit = ${POSTFIX_MESSAGE_SIZE_LIMIT}"
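Review bot: dropping `_setup_dhparam 'Postfix' '/etc/postfix/dhparams.pem'` is a user-visible behaviour change, not only cleanup: custom DH parameters supplied via the `DH_CUSTOM` path handled in `_setup_dhparam` now apply only to the remaining caller, and Postfix falls back to its compiled-in default group, which is what the `postconf` warning quoted in the commit message asks for. Please call that out in the changelog and in the dhparams documentation, and state whether the Dovecot call site is meant to follow in a later change.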


@ -227,7 +227,7 @@ function __rspamd__setup_learning() {
sedfile -i -E '/^}/d' /etc/dovecot/conf.d/90-sieve.conf
cat >>/etc/dovecot/conf.d/90-sieve.conf << EOF
# From anyhwere to Junk
# From anywhere to Junk
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:${SIEVE_PIPE_BIN_DIR}/learn-spam.sieve


@ -30,7 +30,7 @@ function _wait_until_expected_count_is_matched() {
}
# WARNING: Keep in mind it is a '>=' comparison.
# If you provide an explict count to match, ensure it is not too low to cause a false-positive.
# If you provide an explicit count to match, ensure it is not too low to cause a false-positive.
function __has_expected_count() {
# shellcheck disable=SC2317
[[ $(__get_count) -ge "${EXPECTED_COUNT}" ]]


@ -15,7 +15,7 @@ load "${REPOSITORY_ROOT}/test/helper/common"
# For certs actually provisioned from LetsEncrypt the Root CA cert should not need to be provided,
# as it would already be available by default in `/etc/ssl/certs`, requiring only the cert chain (fullchain.pem).
function _should_succesfully_negotiate_tls() {
function _should_successfully_negotiate_tls() {
local FQDN=${1}
# shellcheck disable=SC2031
local CA_CERT=${2:-${TEST_CA_CERT}}


@ -2,7 +2,7 @@ load "${REPOSITORY_ROOT}/test/helper/setup"
load "${REPOSITORY_ROOT}/test/helper/common"
BATS_TEST_NAME_PREFIX='[ClamAV + SA] (disabled) '
CONTAINER_NAME='dms-test_clamav-spamassasin_disabled'
CONTAINER_NAME='dms-test_clamav-spamassassin_disabled'
function setup_file() {
_init_with_defaults


@ -34,7 +34,7 @@ function teardown_file() {
}
@test "localhost is not banned because ignored" {
_run_in_container fail2ban-client status postfix-sasl
_run_in_container fail2ban-client status postfix
assert_success
refute_output --regexp '.*IP list:.*127\.0\.0\.1.*'
@ -49,7 +49,7 @@ function teardown_file() {
}
@test "fail2ban-jail.cf overrides" {
for FILTER in 'dovecot' 'postfix' 'postfix-sasl'; do
for FILTER in 'dovecot' 'postfix'; do
_run_in_container fail2ban-client get "${FILTER}" bantime
assert_output 1234
@ -62,7 +62,6 @@ function teardown_file() {
_run_in_container fail2ban-client -d
assert_output --partial "['set', 'dovecot', 'addaction', 'nftables-multiport']"
assert_output --partial "['set', 'postfix', 'addaction', 'nftables-multiport']"
assert_output --partial "['set', 'postfix-sasl', 'addaction', 'nftables-multiport']"
done
}
@ -87,12 +86,12 @@ function teardown_file() {
# Checking that CONTAINER2_IP is banned in "${CONTAINER1_NAME}"
CONTAINER2_IP=$(_get_container_ip "${CONTAINER2_NAME}")
run _repeat_in_container_until_success_or_timeout 10 "${CONTAINER_NAME}" /bin/bash -c "fail2ban-client status postfix-sasl | grep -F '${CONTAINER2_IP}'"
run _repeat_in_container_until_success_or_timeout 10 "${CONTAINER_NAME}" /bin/bash -c "fail2ban-client status postfix | grep -F '${CONTAINER2_IP}'"
assert_success
assert_output --partial 'Banned IP list:'
# Checking that CONTAINER2_IP is banned by nftables
_run_in_container_bash 'nft list set inet f2b-table addr-set-postfix-sasl'
_run_in_container_bash 'nft list set inet f2b-table addr-set-postfix'
assert_success
assert_output --partial "elements = { ${CONTAINER2_IP} }"
}
@ -100,17 +99,13 @@ function teardown_file() {
# NOTE: Depends on previous test case, if no IP was banned at this point, it passes regardless..
@test "unban ip works" {
CONTAINER2_IP=$(_get_container_ip "${CONTAINER2_NAME}")
_run_in_container fail2ban-client set postfix-sasl unbanip "${CONTAINER2_IP}"
_run_in_container fail2ban-client set postfix unbanip "${CONTAINER2_IP}"
assert_success
# Checking that CONTAINER2_IP is unbanned in "${CONTAINER1_NAME}"
_run_in_container fail2ban-client status postfix-sasl
_run_in_container fail2ban-client status postfix
assert_success
refute_output --partial "${CONTAINER2_IP}"
# Checking that CONTAINER2_IP is unbanned by nftables
_run_in_container_bash 'nft list set inet f2b-table addr-set-postfix-sasl'
refute_output --partial "${CONTAINER2_IP}"
}
@test "bans work properly (single IP)" {
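Review bot: the nftables verification in `unban ip works` was removed rather than re-pointed: the ban test above still checks `nft list set inet f2b-table addr-set-postfix`, but the unban test now only consults `fail2ban-client status postfix`. Keep the symmetric check, `_run_in_container_bash 'nft list set inet f2b-table addr-set-postfix'` followed by `refute_output --partial "${CONTAINER2_IP}"`, so the test still proves the kernel-side set is cleared and not only fail2ban's own bookkeeping.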
@ -157,7 +152,7 @@ function teardown_file() {
@test "FAIL2BAN_BLOCKTYPE is really set to drop" {
# ban IPs here manually so we can be sure something is inside the jails
for JAIL in dovecot postfix-sasl custom; do
for JAIL in dovecot custom; do
_run_in_container fail2ban-client set "${JAIL}" banip 192.33.44.55
assert_success
done
@ -165,11 +160,10 @@ function teardown_file() {
_run_in_container nft list table inet f2b-table
assert_success
assert_output --partial 'tcp dport { 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-dovecot drop'
assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995 } ip saddr @addr-set-postfix-sasl drop'
assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-custom drop'
# unban the IPs previously banned to get a clean state again
for JAIL in dovecot postfix-sasl custom; do
for JAIL in dovecot custom; do
_run_in_container fail2ban-client set "${JAIL}" unbanip 192.33.44.55
assert_success
done
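Review bot: the `FAIL2BAN_BLOCKTYPE` test loses coverage of the postfix jail: both `for JAIL in ...` loops (here and in the preceding hunk) drop `postfix-sasl` without adding `postfix`, and the `addr-set-postfix-sasl drop` assertion is deleted with no `addr-set-postfix` counterpart, so a wrong `blocktype` for the postfix jail would go unnoticed. Suggest `for JAIL in dovecot postfix custom; do` in both loops plus an `assert_output --partial '... ip saddr @addr-set-postfix drop'` with the port list the postfix jail is configured for; the earlier tests in this file already treat `addr-set-postfix` as the live set.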


@ -194,7 +194,7 @@ function __create_key() {
local KEYSIZE=${4:-2048}
local FORCE=${5:-}
# Not quoting is intended here as we would othewise provide
# Not quoting is intended here as we would otherwise provide
# the argument "''" (empty string), which would cause errors
# shellcheck disable=SC2086
_run_in_container setup config dkim ${FORCE} \


@ -45,7 +45,7 @@ function _initial_setup() {
# Test that certificate files exist for the configured `hostname`:
_should_have_valid_config "${TARGET_DOMAIN}" 'privkey.pem' 'fullchain.pem'
_should_succesfully_negotiate_tls "${TARGET_DOMAIN}"
_should_successfully_negotiate_tls "${TARGET_DOMAIN}"
_should_not_support_fqdn_in_cert 'example.test'
}
@ -65,7 +65,7 @@ function _initial_setup() {
#test domain has certificate files
_should_have_valid_config "${TARGET_DOMAIN}" 'privkey.pem' 'fullchain.pem'
_should_succesfully_negotiate_tls "${TARGET_DOMAIN}"
_should_successfully_negotiate_tls "${TARGET_DOMAIN}"
_should_not_support_fqdn_in_cert 'mail.example.test'
}
@ -148,7 +148,7 @@ function _initial_setup() {
# The difference in support is:
# - `example.test` should no longer be valid.
# - `mail.example.test` should remain valid, but also allow any other subdomain/hostname.
_should_succesfully_negotiate_tls 'mail.example.test'
_should_successfully_negotiate_tls 'mail.example.test'
_should_support_fqdn_in_cert 'fake.example.test'
_should_not_support_fqdn_in_cert 'example.test'
}


@ -198,7 +198,7 @@ function get_cipherlist() {
local TLS_VERSION=$1
if [[ ${TLS_VERSION} == "TLSv1_3" ]]; then
# TLS v1.3 cipher suites are not user defineable and not unique to the available certificate(s).
# TLS v1.3 cipher suites are not user definable and not unique to the available certificate(s).
# They do not support server enforced order either.
echo '"TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256"'
else


@ -159,7 +159,7 @@ function _should_restart_when_killed() {
# Should kill the process successfully:
# (which should then get restarted by supervisord)
# NOTE: The process name from `pkill --echo` does not always match the equivalent processs name from `pgrep --list-full`.
# NOTE: The process name from `pkill --echo` does not always match the equivalent process name from `pgrep --list-full`.
# The oldest process returned (if multiple) should be the top-level process launched by supervisord,
# the PID will verify the target process was killed correctly:
local PID=$(_exec_in_container pgrep --full --oldest "${PROCESS}")


@ -117,7 +117,7 @@ function teardown_file() { _default_teardown ; }
assert_success
# NOTE: Sometimes the directory still exists, possibly from change detection
# of the previous test (`email udpate`) triggering. Therefore, the function
# of the previous test (`email update`) triggering. Therefore, the function
# `wait_until_change_detection_event_completes was added to the
# `setup.sh email update` test.
_repeat_in_container_until_success_or_timeout 60 "${CONTAINER_NAME}" bash -c '[[ ! -d /var/mail/example.com/user ]]'


@ -122,7 +122,7 @@ function setup_file() {
# Extra ENV needed to support specific test-cases:
local ENV_SUPPORT=(
# Required for openssl commands to be successul:
# Required for openssl commands to be successful:
# NOTE: snakeoil cert is created (for `docker-mailserver.invalid`) via Debian post-install script for Postfix package.
# TODO: Use proper TLS cert
--env SSL_TYPE='snakeoil'
@ -404,7 +404,7 @@ function _should_exist_in_ldap_tables() {
# Each LDAP config file sets `query_filter` to lookup a key in LDAP (values defined in `.ldif` test files)
# `mail` (ldap-users), `mailAlias` (ldap-aliases), `mailGroupMember` (ldap-groups)
# `postmap` is queried with the mail account address, and the LDAP service should respond with
# `result_attribute` which is the LDAP `mail` value (should match what we'r'e quering `postmap` with)
# `result_attribute` which is the LDAP `mail` value (should match what we'r'e querying `postmap` with)
_run_in_container postmap -q "${MAIL_ACCOUNT}" ldap:/etc/postfix/ldap-users.cf
assert_success
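Review bot: the typo fix is incomplete: `quering` became `querying`, but `we'r'e` on the same comment line is still misspelled and should read `we're querying`.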


@ -68,7 +68,7 @@ function setup() {
assert_output 'foo bar'
}
@test 'checking sedfile substitude failure (strict)' {
@test 'checking sedfile substitute failure (strict)' {
# try to change 'baz' to 'something' and fail
_run_in_container sedfile --strict -i 's|baz|something|' "${TEST_FILE}"
assert_failure