Merge branch 'master' into patch-1

In Docker Compose `.env` files are parsed properly when values are wrapped with quotes. Trailing white-space is also discarded, like it would be with shell variables.

This is not the case with `docker run` or other CRI like `podman` (_including it's compose equivalent support_). Those will parse the quotes to be included in a literal string value. Trailing white-space is also retained.

Hence a default with a trailing space is not compatible across CRI. This change documents the default with additional context on how to include a trailing white-space with a custom value for the users CRI choice. It additionally clearly communicates the opt-out value for this feature.

.gitattributes

@@ -10,7 +10,7 @@
 *.yml               text
 ### Documentation (Project, Tests, Docs site)
 *.md                text
-### TLS certs (test/test-files/) + DHE params (target/shared/)
+### TLS certs (test/files/) + DHE params (target/shared/)
 *.pem               text
 *.pem.sha512sum     text
 
@@ -20,9 +20,8 @@
 
 ## BUILD:
 .dockerignore       text
-Dockerfile          text
+Dockerfile          text eol=lf
 Makefile
-VERSION
 
 ## EXAMPLE (RUNTIME):
 *.env               text
@@ -75,8 +74,8 @@ target/postsrsd/**  text
 #################################################
 
 ## BATS
-*.bash              text
-*.bats              text
+*.bash              text eol=lf
+*.bats              text eol=lf
 
 ## CONFIG (test/config/)
 ### OpenLDAP image
@@ -90,9 +89,9 @@ TrustedHosts        text
 whitelist_recipients text
 
 ## MISC
-### test/config/ + test/test-files/
+### test/config/ + test/files/
 *.txt               text
-### test/linting/ (.ecrc.json) + test/test-files/ (*.acme.json):
+### test/linting/ (.ecrc.json) + test/files/ (*.acme.json):
 *.json              text
 
 #################################################

.github/workflows/docs-preview-deploy.yml

@@ -25,7 +25,7 @@ jobs:
 
       # The official Github Action for downloading artifacts does not support multi-workflow
       - name: 'Download build artifact'
-        uses: dawidd6/action-download-artifact@v2
+        uses: dawidd6/action-download-artifact@v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           run_id: ${{ github.event.workflow_run.id }}

.github/workflows/docs-preview-prepare.yml

@@ -73,7 +73,7 @@ jobs:
           tar --zstd -cf artifact.tar.zst pr.env ${{ env.BUILD_DIR }}
 
       - name: 'Upload artifact for workflow transfer'
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: preview-build
           path: artifact.tar.zst

.github/workflows/generic_publish.yml

@@ -23,7 +23,7 @@ jobs:
 
       - name: 'Prepare tags'
         id: prep
-        uses: docker/metadata-action@v5.3.0
+        uses: docker/metadata-action@v5.5.0
         with:
           images: |
             ${{ secrets.DOCKER_REPOSITORY }}

.github/workflows/generic_vulnerability-scan.yml

@@ -55,13 +55,13 @@ jobs:
           provenance: false
 
       - name: 'Run the Anchore Grype scan action'
-        uses: anchore/scan-action@v3.3.8
+        uses: anchore/scan-action@v3.4.0
         id: scan
         with:
           image: mailserver-testing:ci
           fail-build: false
 
       - name: 'Upload vulnerability report'
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/linting.yml

@@ -1,6 +1,9 @@
 name: Lint
 
 on:
+  # A workflow that creates a PR will not trigger this workflow,
+  # Providing a manual trigger as a workaround
+  workflow_dispatch:
   pull_request:
   push:
     branches: [ master ]

.gitignore

@@ -3,6 +3,7 @@
 #################################################
 
 .env
+compose.override.yaml
 docs/site/
 docker-data/
 

CHANGELOG.md

@@ -2,31 +2,106 @@
 
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v13.0.0...HEAD)
+## [Unreleased](https://github.com/docker-mailserver/docker-mailserver/compare/v13.2.0...HEAD)
 
 > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
 
+### Features
+
+- **Authentication with OIDC / OAuth 2.0** 🎉
+  - DMS now supports authentication via OAuth2 (_via `XOAUTH2` or `OAUTHBEARER` SASL mechanisms_) from capable services (_like Roundcube_).
+    - This does not replace the need for an `ACCOUNT_PROVISIONER` (`FILE` / `LDAP`), which is required for an account to receive or send mail.
+    - Successful authentication (_via Dovecot PassDB_) still requires an existing account (_lookup via Dovecot UserDB_).
+- **MTA-STS** (_Optional support for mandatory outgoing TLS encryption_)
+  - If enabled and the outbound recipient has an MTA-STS policy set, TLS is mandatory for delivering to that recipient.
+    - Enable via the ENV `ENABLE_MTA_STS=1`
+    - Supported by major email service providers like Gmail, Yahoo and Outlook.
+
+### Updates
+
+- **Tests**:
+  - Refactored mail sending ([#3747](https://github.com/docker-mailserver/docker-mailserver/pull/3747) & [#3772](https://github.com/docker-mailserver/docker-mailserver/pull/3772)):
+    - This change is a follow-up to [#3732](https://github.com/docker-mailserver/docker-mailserver/pull/3732) from DMS v13.2.
+    - `swaks` version is now the latest from Github releases instead of the Debian package.
+    - `_nc_wrapper`, `_send_mail` and related helpers expect the `.txt` filepath extension again.
+    - `sending.bash` helper methods were refactored to better integrate `swaks` and accommodate different usage contexts.
+    - `test/files/emails/existing/` files were removed similar to previous removal of SMTP auth files as they became redundant with `swaks`.
+- **Internal:**
+  - tests: Replace `wc -l` with `grep -c` ([#3752](https://github.com/docker-mailserver/docker-mailserver/pull/3752))
+  - Postfix is now configured with `smtputf8_enable = no` in our default `main.cf` config (_instead of during container startup_). ([#3750](https://github.com/docker-mailserver/docker-mailserver/pull/3750))
+- **Rspamd** ([#3726](https://github.com/docker-mailserver/docker-mailserver/pull/3726)):
+  - symbol scores for SPF, DKIM & DMARC were updated to more closely align with [RFC7489](https://www.rfc-editor.org/rfc/rfc7489#page-24); please note though that complete alignment is undesirable, because other symbols might be added as well, which changes the overall score calculation again, see [this issue](https://github.com/docker-mailserver/docker-mailserver/issues/3690#issuecomment-1866871996)
+- **Docs:**
+  - Revised the SpamAssassin ENV docs to better communicate configuration and their relation to other ENV settings. ([#3756](https://github.com/docker-mailserver/docker-mailserver/pull/3756))
+
+
+### Fixes
+
+- **Internal:**
+  - `.gitattributes`: Always use LF line endings on checkout for files with shell script content ([#3755](https://github.com/docker-mailserver/docker-mailserver/pull/3755))
+  - Fix missing 'jaq' binary for ARM architecture ([#3766](https://github.com/docker-mailserver/docker-mailserver/pull/3766))
+
+## [v13.2.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.2.0)
+
+### Security
+
+DMS is now secured against the [recently published spoofing attack "SMTP Smuggling"](https://www.postfix.org/smtp-smuggling.html) that affected Postfix ([#3727](https://github.com/docker-mailserver/docker-mailserver/pull/3727)):
+
+- Postfix upgraded from `3.5.18` to `3.5.23` which provides the [long-term fix with `smtpd_forbid_bare_newline = yes`](https://www.postfix.org/smtp-smuggling.html#long)
+- If you are unable to upgrade to this release of DMS, you may follow [these instructions](https://github.com/docker-mailserver/docker-mailserver/issues/3719#issuecomment-1870865118) for applying the [short-term workaround](https://www.postfix.org/smtp-smuggling.html#short).
+- This change should not cause compatibility concerns for legitimate mail clients, however if you use software like `netcat` to send mail to DMS (_like our test-suite previously did_) it may now be rejected (_especially with the the short-term workaround `smtpd_data_restrictions = reject_unauth_pipelining`_).
+- **NOTE:** This Postfix update also includes the new parameter [`smtpd_forbid_bare_newline_exclusions`](https://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline_exclusions) which defaults to `$mynetworks` for excluding trusted mail clients excluded from the restriction.
+  - With our default `PERMIT_DOCKER=none` this is not a concern.
+  - Presently the Docker daemon config has `user-proxy: true` enabled by default.
+    - On a host that can be reached by IPv6, this will route to a DMS IPv4 only container implicitly through the Docker network bridge gateway which rewrites the source address.
+    - If your `PERMIT_DOCKER` setting allows that gateway IP, then it is part of `$mynetworks` and this attack would not be prevented from such connections.
+    - If this affects your deployment, refer to [our IPv6 docs](https://docker-mailserver.github.io/docker-mailserver/v13.2/config/advanced/ipv6/) for advice on handling IPv6 correctly in Docker. Alternatively [use our `postfix-main.cf`](https://docker-mailserver.github.io/docker-mailserver/v13.2/config/advanced/override-defaults/postfix/) to set `smtpd_forbid_bare_newline_exclusions=` as empty.
+
+### Updates
+
+- The test suite now uses `swaks` instead of `nc`, which has multiple benefits ([#3732](https://github.com/docker-mailserver/docker-mailserver/pull/3732)):
+  - `swaks` handles pipelining correctly, hence we can now use `reject_unauth_pipelining` in Postfix's configuration.
+  - `swaks` provides better CLI options that make many files superflous.
+  - `swaks` can also replace `openssl s_client` and handles authentication on submission ports better.
+- **Postfix:**
+  - We now defer rejection from unauthorized pipelining until the SMTP `DATA` command via `smtpd_data_restrictions` (_i.e. at the end of the mail transfer transaction_) ([#3744](https://github.com/docker-mailserver/docker-mailserver/pull/3744))
+    - Prevously our configuration only handled this during the client and recipient restriction stages. Postfix will flag this activity when encountered, but the rejection now is handled at `DATA` where unauthorized pipelining would have been valid from this point.
+    - If you had the Amavis service enabled (default), this restriction was already in place. Otherwise the concerns expressed with `smtpd_data_restrictions = reject_unauth_pipelining` from the security section above apply. We have permitted trusted clients (_`$mynetworks` or authenticated_) to bypass this restriction.
+
+## [v13.1.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.1.0)
+
 ### Added
 
+- **Dovecot:**
+  - ENV `ENABLE_IMAP` ([#3703](https://github.com/docker-mailserver/docker-mailserver/pull/3703))
 - **Tests:**
   - You can now use `make run-local-instance` to run a DMS image that was built locally to test changes ([#3663](https://github.com/docker-mailserver/docker-mailserver/pull/3663))
-- Log a warning when update-check is enabled, but no stable release image is used ([#3684](https://github.com/docker-mailserver/docker-mailserver/pull/3684))
+- **Internal**:
+  - Log a warning when update-check is enabled, but no stable release image is used ([#3684](https://github.com/docker-mailserver/docker-mailserver/pull/3684))
 
 ### Updates
 
 - **Documentation:**
-  - Raise awareness in the troubleshooting page for a common misconfiguration when deviating from our advice by using a bare domain ([#3680](https://github.com/docker-mailserver/docker-mailserver/pull/3680))
+  - Debugging - Raise awareness in the troubleshooting page for a common misconfiguration when deviating from our advice by using a bare domain ([#3680](https://github.com/docker-mailserver/docker-mailserver/pull/3680))
+  - Debugging - Raise awareness of temporary downtime during certificate renewal that can cause a failure to deliver local mail ([#3718](https://github.com/docker-mailserver/docker-mailserver/pull/3718))
 - **Internal:**
   - Postfix configures `virtual_mailbox_maps` and `virtual_transport` during startup instead of using defaults (configured for Dovecot) via our `main.cf` ([#3681](https://github.com/docker-mailserver/docker-mailserver/pull/3681))
+- **Rspamd:**
+  - Upgraded to version `3.7.5`. This was previously inconsistent between our AMD64 (`3.5`) and ARM64 (`3.4`) images ([#3686](https://github.com/docker-mailserver/docker-mailserver/pull/3686))
 
 ### Fixed
 
 - **Internal**:
   - The container startup welcome log message now references `DMS_RELEASE` ([#3676](https://github.com/docker-mailserver/docker-mailserver/pull/3676))
   - `VERSION` was incremented for prior releases to be notified of the v13.0.1 patch release ([#3676](https://github.com/docker-mailserver/docker-mailserver/pull/3676))
+  - `VERSION` is no longer included in the image ([#3711](https://github.com/docker-mailserver/docker-mailserver/pull/3711))
   - Update-check: fix 'read' exit status ([#3688](https://github.com/docker-mailserver/docker-mailserver/pull/3688))
+  - `ENABLE_QUOTAS=0` no longer tries to remove non-existent config ([#3715](https://github.com/docker-mailserver/docker-mailserver/pull/3715))
+  - The `postgrey` service now writes logs to the supervisor directory like all other services. Previously this was `/var/log/mail/mail.log` ([#3724](https://github.com/docker-mailserver/docker-mailserver/pull/3724))
 - **Rspamd:**
   - Switch to official arm64 packages to avoid segfaults ([#3686](https://github.com/docker-mailserver/docker-mailserver/pull/3686))
+- **CI / Automation:**
+  - The lint workflow can now be manually triggered by maintainers ([#3714]https://github.com/docker-mailserver/docker-mailserver/pull/3714)
 
 ## [v13.0.1](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.0.1)
 

Dockerfile

@@ -106,6 +106,14 @@ EOF
 # -----------------------------------------------
 
 COPY target/rspamd/local.d/ /etc/rspamd/local.d/
+COPY target/rspamd/scores.d/* /etc/rspamd/scores.d/
+
+# -----------------------------------------------
+# --- OAUTH2 ------------------------------------
+# -----------------------------------------------
+
+COPY target/dovecot/auth-oauth2.conf.ext /etc/dovecot/conf.d
+COPY target/dovecot/dovecot-oauth2.conf.ext /etc/dovecot
 
 # -----------------------------------------------
 # --- LDAP & SpamAssassin's Cron ----------------
@@ -191,6 +199,15 @@ COPY target/opendmarc/opendmarc.conf /etc/opendmarc.conf
 COPY target/opendmarc/default-opendmarc /etc/default/opendmarc
 COPY target/opendmarc/ignore.hosts /etc/opendmarc/ignore.hosts
 
+# --------------------------------------------------
+# --- postfix-mta-sts-daemon -----------------------
+# --------------------------------------------------
+COPY target/mta-sts-daemon/mta-sts-daemon.yml /etc/mta-sts-daemon.yml
+RUN <<EOF
+  mkdir /var/run/mta-sts
+  chown -R _mta-sts:root /var/run/mta-sts
+EOF
+
 # --------------------------------------------------
 # --- Fetchmail, Getmail, Postfix & Let'sEncrypt ---
 # --------------------------------------------------
@@ -277,8 +294,6 @@ RUN <<EOF
   update-locale
 EOF
 
-COPY VERSION /
-
 COPY \
   target/bin/* \
   target/scripts/*.sh \
@@ -320,7 +335,7 @@ LABEL org.opencontainers.image.title="docker-mailserver"
 LABEL org.opencontainers.image.vendor="The Docker Mailserver Organization"
 LABEL org.opencontainers.image.authors="The Docker Mailserver Organization on GitHub"
 LABEL org.opencontainers.image.licenses="MIT"
-LABEL org.opencontainers.image.description="A fullstack but simple mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.). Only configuration files, no SQL database."
+LABEL org.opencontainers.image.description="A fullstack but simple mail server (SMTP, IMAP, LDAP, Anti-spam, Anti-virus, etc.). Only configuration files, no SQL database."
 LABEL org.opencontainers.image.url="https://github.com/docker-mailserver"
 LABEL org.opencontainers.image.documentation="https://github.com/docker-mailserver/docker-mailserver/blob/master/README.md"
 LABEL org.opencontainers.image.source="https://github.com/docker-mailserver/docker-mailserver"

README.md

@@ -11,7 +11,7 @@
 
 ## :page_with_curl: About
 
-A production-ready fullstack but simple containerized mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.). Only configuration files, no SQL database. Keep it simple and versioned. Easy to deploy and upgrade. Originally created by @tomav, this project is now maintained by volunteers since January 2021.
+A production-ready fullstack but simple containerized mail server (SMTP, IMAP, LDAP, Anti-spam, Anti-virus, etc.). Only configuration files, no SQL database. Keep it simple and versioned. Easy to deploy and upgrade. Originally created by @tomav, this project is now maintained by volunteers since January 2021.
 
 ## :bulb: Documentation
 
@@ -48,3 +48,4 @@ If you have issues, please search through [the documentation][documentation::web
 - Support for [LetsEncrypt](https://letsencrypt.org/), manual and self-signed certificates
 - A [setup script](https://docker-mailserver.github.io/docker-mailserver/latest/config/setup.sh) for easy configuration and maintenance
 - SASLauthd with LDAP authentication
+- OAuth2 authentication (_via `XOAUTH2` or `OAUTHBEARER` SASL mechanisms_)

VERSION

@@ -1 +1 @@
-13.0.1
+13.2.0

docs/content/config/advanced/auth-oauth2.md

@@ -0,0 +1,69 @@
+---
+title: 'Advanced | Basic OAuth2 Authentication'
+---
+
+## Introduction
+
+!!! warning "This is only a supplement to the existing account provisioners"
+
+    Accounts must still be managed via the configured [`ACCOUNT_PROVISIONER`][env::account-provisioner] (FILE or LDAP).
+
+    Reasoning for this can be found in [#3480][gh-pr::oauth2]. Future iterations on this feature may allow it to become a full account provisioner.
+
+[gh-pr::oauth2]: https://github.com/docker-mailserver/docker-mailserver/pull/3480
+[env::account-provisioner]: ../environment.md#account_provisioner
+
+The present OAuth2 support provides the capability for 3rd-party applications such as Roundcube to authenticate with DMS (dovecot) by using a token obtained from an OAuth2 provider, instead of passing passwords around.
+
+## Example (Authentik & Roundcube)
+
+This example assumes you have:
+
+- A working DMS server set up
+- An Authentik server set up ([documentation](https://goauthentik.io/docs/installation/))
+- A Roundcube server set up (either [docker](https://hub.docker.com/r/roundcube/roundcubemail/) or [bare metal](https://github.com/roundcube/roundcubemail/wiki/Installation))
+
+!!! example "Setup Instructions"
+
+    === "1. Docker Mailserver"
+        Edit the following values in `mailserver.env`:
+        ```env
+        # -----------------------------------------------
+        # --- OAUTH2 Section ----------------------------
+        # -----------------------------------------------
+
+        # empty => OAUTH2 authentication is disabled
+        # 1 => OAUTH2 authentication is enabled
+        ENABLE_OAUTH2=1
+
+        # Specify the user info endpoint URL of the oauth2 provider
+        OAUTH2_INTROSPECTION_URL=https://authentik.example.com/application/o/userinfo/
+        ```
+
+    === "2. Authentik"
+        1. Create a new OAuth2 provider
+        2. Note the client id and client secret
+        3. Set the allowed redirect url to the equivalent of `https://roundcube.example.com/index.php/login/oauth` for your RoundCube instance.
+
+    === "3. Roundcube"
+        Add the following to `oauth2.inc.php` ([documentation](https://github.com/roundcube/roundcubemail/wiki/Configuration)):
+
+        ```php
+        $config['oauth_provider'] = 'generic';
+        $config['oauth_provider_name'] = 'Authentik';
+        $config['oauth_client_id'] = '<insert client id here>';
+        $config['oauth_client_secret'] = '<insert client secret here>';
+        $config['oauth_auth_uri'] = 'https://authentik.example.com/application/o/authorize/';
+        $config['oauth_token_uri'] = 'https://authentik.example.com/application/o/token/';
+        $config['oauth_identity_uri'] = 'https://authentik.example.com/application/o/userinfo/';
+
+        // Optional: disable SSL certificate check on HTTP requests to OAuth server. For possible values, see:
+        // http://docs.guzzlephp.org/en/stable/request-options.html#verify
+        $config['oauth_verify_peer'] = false;
+
+        $config['oauth_scope'] = 'email openid profile';
+        $config['oauth_identity_fields'] = ['email'];
+
+        // Boolean: automatically redirect to OAuth login when opening Roundcube without a valid session
+        $config['oauth_login_redirect'] = false;
+        ```

docs/content/config/advanced/optional-config.md

@@ -33,7 +33,7 @@ This is a list of all configuration files and directories which are optional or
 - **ldap-aliases.cf:** Configuration for the virtual alias mapping `virtual_alias_maps`. See the [`setup-stack.sh`][github-commit-setup-stack.sh-L411] script.
 - **ldap-domains.cf:** Configuration for the virtual domain mapping `virtual_mailbox_domains`. See the [`setup-stack.sh`][github-commit-setup-stack.sh-L411] script.
 - **whitelist_clients.local:** Whitelisted domains, not considered by postgrey. Enter one host or domain per line.
-- **spamassassin-rules.cf:** Antispam rules for Spamassassin. (Docs: [FAQ - SpamAssassin Rules][docs-faq-spamrules])
+- **spamassassin-rules.cf:** Anti-spam rules for Spamassassin. (Docs: [FAQ - SpamAssassin Rules][docs-faq-spamrules])
 - **fail2ban-fail2ban.cf:** Additional config options for `fail2ban.cf`. (Docs: [Fail2Ban][docs-fail2ban])
 - **fail2ban-jail.cf:** Additional config options for fail2ban's jail behaviour. (Docs: [Fail2Ban][docs-fail2ban])
 - **amavis.cf:** replaces the `/etc/amavis/conf.d/50-user` file

docs/content/config/best-practices/dkim_dmarc_spf.md

@@ -157,7 +157,10 @@ DKIM is currently supported by either OpenDKIM or Rspamd:
         check_pubkey = true; # you want to use this in the beginning
 
         selector = "mail";
-        path = "/tmp/docker-mailserver/opendkim/keys/$domain/$selector.private"; # this will automatically match keys for domains
+        # The path location is searched for a DKIM key with these variables:
+        # - `$domain` is sourced from the MIME mail message `From` header
+        # - `$selector` is configured for `mail` (as a default fallback)
+        path = "/tmp/docker-mailserver/dkim/keys/$domain/$selector.private";
 
         # domain specific configurations can be provided below:
         domain {

docs/content/config/best-practices/mta-sts.md

@@ -0,0 +1,30 @@
+---
+title: 'Best practices | MTA-STS'
+hide:
+  - toc # Hide Table of Contents for this page
+---
+
+MTA-STS is an optional mechanism for a domain to signal support for STARTTLS.
+
+- It can be used to prevent man-in-the-middle-attacks from hiding STARTTLS support that would force DMS to send outbound mail through an insecure connection.
+- MTA-STS is an alternative to DANE without the need of DNSSEC.
+- MTA-STS is supported by some of the biggest mail providers like Google Mail and Outlook.
+
+## Supporting MTA-STS for outbound mail
+
+Enable this feature via the ENV setting [`ENABLE_MTA_STS=1`](../environment.md#enable_mta_sts).
+
+!!! warning "If you have configured DANE"
+
+    Enabling MTA-STS will by default override DANE if both are configured for a domain.
+
+    This can be partially addressed by configuring a dane-only policy resolver before the MTA-STS entry in `smtp_tls_policy_maps`. See the [`postfix-mta-sts-resolver` documentation][postfix-mta-sts-resolver::dane] for further details.
+
+[postfix-mta-sts-resolver::dane]: https://github.com/Snawoot/postfix-mta-sts-resolver#warning-mta-sts-policy-overrides-dane-tls-authentication
+
+## Supporting MTA-STS for inbound mail
+
+While this feature in DMS supports ensuring STARTTLS is used when mail is sent to another mail server, you may setup similar for mail servers sending mail to DMS.
+
+This requires configuring your DNS and hosting the MTA-STS policy file via a webserver. A good introduction can be found on [dmarcian.com](https://dmarcian.com/mta-sts/).
+

docs/content/config/debugging.md

@@ -55,6 +55,8 @@ Common logs related to this are:
 
 If your logs look like this, you likely have [assigned the same FQDN to the DMS `hostname` and your mail accounts][gh-issues::dms-fqdn-misconfigured] which is not supported by default. You can either adjust your DMS `hostname` or follow [this FAQ advice][docs::faq-bare-domain]
 
+It is also possible that [DMS services are temporarily unavailable][gh-issues::dms-services-unavailable] when configuration changes are detected, producing the 2nd error. Certificate updates may be a less obvious trigger.
+
 ## Steps for Debugging DMS
 
 1. **Increase log verbosity**: Very helpful for troubleshooting problems during container startup. Set the environment variable [`LOG_LEVEL`][docs-environment-log-level] to `debug` or `trace`.
@@ -126,6 +128,7 @@ This could be from outdated software, or running a system that isn't able to pro
 
 [gh-issues]: https://github.com/docker-mailserver/docker-mailserver/issues
 [gh-issues::dms-fqdn-misconfigured]: https://github.com/docker-mailserver/docker-mailserver/issues/3679#issuecomment-1837609043
+[gh-issues::dms-services-unavailable]: https://github.com/docker-mailserver/docker-mailserver/issues/3679#issuecomment-1848083358
 [gh-macos-support]: https://github.com/docker-mailserver/docker-mailserver/issues/3648#issuecomment-1822774080
 [gh-discuss-roundcube-fail2ban]: https://github.com/orgs/docker-mailserver/discussions/3273#discussioncomment-5654603
 

docs/content/config/environment.md

@@ -54,7 +54,15 @@ The Group ID assigned to the static vmail group for `/var/mail` (_Mail storage m
 
 Configures the provisioning source of user accounts (including aliases) for user queries and authentication by services managed by DMS (_Postfix and Dovecot_).
 
-User provisioning via OIDC is planned for the future, see [this tracking issue](https://github.com/docker-mailserver/docker-mailserver/issues/2713).
+!!! tip "OAuth2 Support"
+
+    Presently DMS supports OAuth2 only as an supplementary authentication method. 
+
+    - A third-party service must provide a valid token for the user which Dovecot validates with the authentication service provider. To enable this feature reference the [OAuth2 configuration example guide][docs::auth::oauth2-config-guide].
+    - User accounts must be provisioned to receive mail via one of the supported `ACCOUNT_PROVISIONER` providers.
+    - User provisioning via OIDC is planned for the future, see [this tracking issue](https://github.com/docker-mailserver/docker-mailserver/issues/2713).
+
+[docs::auth::oauth2-config-guide]: ./advanced/auth-oauth2.md
 
 - **empty** => use FILE
 - LDAP => use LDAP authentication
@@ -108,6 +116,15 @@ This enables DNS block lists in _Postscreen_. If you want to know which lists we
 - **0** => DNS block lists are disabled
 - 1     => DNS block lists are enabled
 
+##### ENABLE_MTA_STS
+
+Enables MTA-STS support for outbound mail.
+
+- **0** => Disabled
+- 1 => Enabled
+
+See [MTA-STS](best-practices/mta-sts.md) for further explanation.
+
 ##### ENABLE_OPENDKIM
 
 Enables the OpenDKIM service.
@@ -131,9 +148,14 @@ Enabled `policyd-spf` in Postfix's configuration. You will likely want to set th
 
 ##### ENABLE_POP3
 
-- **empty** => POP3 service disabled
+- **0** => POP3 service disabled
 - 1 => Enables POP3 service
 
+##### ENABLE_IMAP
+
+- 0 => Disabled
+- **1** => Enabled
+
 ##### ENABLE_CLAMAV
 
 - **0** => ClamAV is disabled
@@ -223,9 +245,9 @@ Provide any valid URI. Examples:
 - `lmtps:inet:<host>:<port>` (secure lmtp with starttls)
 - `lmtp:<kopano-host>:2003` (use kopano as mailstore)
 
-##### POSTFIX\_MAILBOX\_SIZE\_LIMIT
+##### POSTFIX_MAILBOX_SIZE_LIMIT
 
-Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default).
+Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default). Size is in bytes.
 
 - **empty** => 0 (no limit)
 
@@ -236,9 +258,9 @@ Set the mailbox size limit for all users. If set to zero, the size will be unlim
 
 See [mailbox quota][docs-accounts-quota].
 
-##### POSTFIX\_MESSAGE\_SIZE\_LIMIT
+##### POSTFIX_MESSAGE_SIZE_LIMIT
 
-Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!)
+Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!). Size is in bytes.
 
 - **empty** => 10240000 (~10 MB)
 
@@ -311,28 +333,32 @@ Note: More information at <https://dovecot.org/doc/dovecot-example.conf>
 
 ##### MOVE_SPAM_TO_JUNK
 
-When enabled, e-mails marked with the
-
-1. `X-Spam: Yes` header added by Rspamd
-2. `X-Spam-Flag: YES` header added by SpamAssassin (requires [`SPAMASSASSIN_SPAM_TO_INBOX=1`](#spamassassin_spam_to_inbox))
-
-will be automatically moved to the Junk folder (with the help of a Sieve script).
-
 - 0 => Spam messages will be delivered in the mailbox.
 - **1** => Spam messages will be delivered in the `Junk` folder.
 
+Routes mail identified as spam into the recipient(s) Junk folder (_via a Dovecot Sieve script_).
+
+!!! info
+
+    Mail is received as spam when it has been marked with either header:
+
+    - `X-Spam: Yes` (_added by Rspamd_)
+    - `X-Spam-Flag: YES` (_added by SpamAssassin - requires [`SPAMASSASSIN_SPAM_TO_INBOX=1`](#spamassassin_spam_to_inbox)_)
+
 ##### MARK_SPAM_AS_READ
 
-Enable to treat received spam as "read" (_avoids notification to MUA client of new mail_).
-
-Mail is received as spam when it has been marked with either header:
-
-1. `X-Spam: Yes` (_by Rspamd_)
-2. `X-Spam-Flag: YES` (_by SpamAssassin - requires [`SPAMASSASSIN_SPAM_TO_INBOX=1`](#spamassassin_spam_to_inbox)_)
-
 - **0** => disabled
 - 1 => Spam messages will be marked as read
 
+Enable to treat received spam as "read" (_avoids notification to MUA client of new mail_).
+
+!!! info
+
+    Mail is received as spam when it has been marked with either header:
+
+    - `X-Spam: Yes` (_added by Rspamd_)
+    - `X-Spam-Flag: YES` (_added by SpamAssassin - requires [`SPAMASSASSIN_SPAM_TO_INBOX=1`](#spamassassin_spam_to_inbox)_)
+
 #### Rspamd
 
 ##### ENABLE_RSPAMD
@@ -510,63 +536,170 @@ Changes the interval in which log files are rotated.
 - **0** => SpamAssassin is disabled
 - 1 => SpamAssassin is enabled
 
-##### SPAMASSASSIN_SPAM_TO_INBOX
+??? info "SpamAssassin analyzes incoming mail and assigns a spam score"
 
-- 0 => Spam messages will be bounced (_rejected_) without any notification (_dangerous_).
-- **1** => Spam messages will be delivered to the inbox and tagged as spam using `SA_SPAM_SUBJECT`.
+    Integration with Amavis involves processing mail based on the assigned spam score via [`SA_TAG`, `SA_TAG2` and `SA_KILL`][amavis-docs::spam-score].
+
+    These settings have equivalent ENV supported by DMS for easy adjustments, as documented below.
+
+[amavis-docs::spam-score]: https://www.ijs.si/software/amavisd/amavisd-new-docs.html#tagkill
 
 ##### ENABLE_SPAMASSASSIN_KAM
 
-[KAM](https://mcgrail.com/template/projects#KAM1) is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation. If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
-
 - **0** => KAM disabled
 - 1 => KAM enabled
 
+[KAM](https://mcgrail.com/template/projects#KAM1) is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation. If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
+
+##### SPAMASSASSIN_SPAM_TO_INBOX
+
+- 0 => (_Amavis action: `D_BOUNCE`_): Spam messages will be bounced (_rejected_) without any notification (_dangerous_).
+- **1** => (_Amavis action: `D_PASS`_): Spam messages will be delivered to the inbox.
+
+!!! note
+
+    The Amavis action configured by this setting:
+
+    - Influences the behaviour of the [`SA_KILL`](#sa_kill) setting.
+    - Applies to the Amavis config parameters `$final_spam_destiny` and `$final_bad_header_destiny`.
+
+!!! note "This ENV setting is related to"
+
+    - [`MOVE_SPAM_TO_JUNK=1`](#move_spam_to_junk)
+    - [`MARK_SPAM_AS_READ=1`](#mark_spam_as_read)
+    - [`SA_SPAM_SUBJECT`](#sa_spam_subject)
+
 ##### SA_TAG
 
-- **2.0** => add spam info headers if at, or above that level
+- **2.0** => add 'spam info' headers at, or above this spam score
 
-Note: this SpamAssassin setting needs `ENABLE_SPAMASSASSIN=1`
+Mail is not yet considered spam at this spam score, but for purposes like diagnostics it can be useful to identify mail with a spam score at a lower bound than `SA_TAG2`.
+
+??? example "`X-Spam` headers appended to mail"
+
+    Send a simple mail to a local DMS account `hello@example.com`:
+
+    ```bash
+    docker exec dms swaks --server 0.0.0.0 --to hello@example.com --body 'spam'
+    ```
+
+    Inspecting the raw mail you will notice several `X-Spam` headers were added to the mail like this:
+
+    ```
+    X-Spam-Flag: NO
+    X-Spam-Score: 4.162
+    X-Spam-Level: ****
+    X-Spam-Status: No, score=4.162 tagged_above=2 required=4
+            tests=[BODY_SINGLE_WORD=1, DKIM_ADSP_NXDOMAIN=0.8,
+            NO_DNS_FOR_FROM=0.379, NO_RECEIVED=-0.001, NO_RELAYS=-0.001,
+            PYZOR_CHECK=1.985] autolearn=no autolearn_force=no
+    ```
+
+    !!! info "The `X-Spam-Score` is `4.162`"
+    
+        High enough for `SA_TAG` to trigger adding these headers, but not high enough for `SA_TAG2` (_which would set `X-Spam-Flag: YES` instead_).
 
 ##### SA_TAG2
 
-- **6.31** => add 'spam detected' headers at that level
+- **6.31** => add 'spam detected' headers at, or above this level
 
-Note: this SpamAssassin setting needs `ENABLE_SPAMASSASSIN=1`
+When a spam score is high enough, mark mail as spam (_Appends the mail header: `X-Spam-Flag: YES`_).
+
+!!! info "Interaction with other ENV"
+
+    - [`SA_SPAM_SUBJECT`](#sa_spam_subject) modifies the mail subject to better communicate spam mail to the user.
+    - [`MOVE_SPAM_TO_JUNK=1`](#move_spam_to_junk): The mail is still delivered, but to the recipient(s) junk folder instead. This feature reduces the usefulness of `SA_SPAM_SUBJECT`.
 
 ##### SA_KILL
 
-- **10.0** => triggers spam evasive actions
+- **10.0** => quarantine + triggers action to handle spam
 
-!!! note "This SpamAssassin setting needs `ENABLE_SPAMASSASSIN=1`"
+Controls the spam score threshold for triggering an action on mail that has a high spam score.
 
-    By default, DMS is configured to quarantine spam emails.
+??? tip "Choosing an appropriate `SA_KILL` value"
 
-    If emails are quarantined, they are compressed and stored in a location dependent on the `ONE_DIR` setting above. To inhibit this behaviour and deliver spam emails, set this to a very high value e.g. `100.0`.
+    The value should be high enough to be represent confidence in mail as spam:
 
-    If `ONE_DIR=1` (default) the location is `/var/mail-state/lib-amavis/virusmails/`, or if `ONE_DIR=0`: `/var/lib/amavis/virusmails/`. These paths are inside the docker container.
+    - Too low: The action taken may prevent legitimate mail (ham) that was incorrectly detected as spam from being delivered successfully.
+    - Too high: Allows more spam to bypass the `SA_KILL` trigger (_how to treat mail with high confidence that it is actually spam_).
+
+    Experiences from DMS users with these settings has been [collected here][gh-issue::sa-tunables-insights], along with [some direct configuration guides][gh-issue::sa-tunables-guides] (_under "Resources for references"_).
+
+[gh-issue::sa-tunables-insights]: https://github.com/docker-mailserver/docker-mailserver/pull/3058#issuecomment-1420268148
+[gh-issue::sa-tunables-guides]: https://github.com/docker-mailserver/docker-mailserver/pull/3058#issuecomment-1416547911
+
+??? info "Trigger action"
+
+    DMS will configure Amavis with either of these actions based on the DMS [`SPAMASSASSIN_SPAM_TO_INBOX`](#spamassassin_spam_to_inbox) ENV setting:
+
+    - `D_PASS` (**default**):
+        - Accept mail and deliver it to the recipient(s), despite the high spam score. A copy is still stored in quarantine.
+        - This is a good default to start with until you are more confident in an `SA_KILL` threshold that won't accidentally discard / bounce legitimate mail users are expecting to arrive but is detected as spam.
+    - `D_BOUNCE`:
+        - Additionally sends a bounce notification (DSN).
+        - The [DSN is suppressed][amavis-docs::actions] (_no bounce sent_) when the spam score exceeds the Amavis `$sa_dsn_cutoff_level` config setting (default: `10`). With the DMS `SA_KILL` default also being `10`, no DSN will ever be sent.
+    - `D_REJECT` / `D_DISCARD`:
+        - These two aren't configured by DMS, but are valid alternative action values if configuring Amavis directly.
+
+??? note "Quarantined mail"
+
+    When mail has a spam score that reaches the `SA_KILL` threshold:
+
+    - [It will be quarantined][amavis-docs::quarantine] regardless of the `SA_KILL` action to perform.
+    - With `D_PASS` the delivered mail also appends an `X-Quarantine-ID` mail header. The ID value of this header is part of the quarantined file name.
+
+    If emails are quarantined, they are compressed and stored at a location dependent on the [`ONE_DIR`](#one_dir) setting:
+
+    - `ONE_DIR=1` (default): `/var/mail-state/lib-amavis/virusmails/`
+    - `ONE_DIR=0`: `/var/lib/amavis/virusmails/`
+
+    !!! tip
+
+        Easily list mail stored in quarantine with `find` and the quarantine path:
+
+        ```bash
+        find /var/lib/amavis/virusmails -type f
+        ```
+
+[amavis-docs::actions]: https://www.ijs.si/software/amavisd/amavisd-new-docs.html#actions
+[amavis-docs::quarantine]: https://www.ijs.si/software/amavisd/amavisd-new-docs.html#quarantine
 
 ##### SA_SPAM_SUBJECT
 
-- **\*\*\*SPAM\*\*\*** => add tag to subject if spam detected
+Adds a prefix to the subject header when mail is marked as spam (_via [`SA_TAG2`](#sa_tag2)_).
 
-Note: this SpamAssassin setting needs `ENABLE_SPAMASSASSIN=1`. Add the SpamAssassin score to the subject line by inserting the keyword \_SCORE\_: **\*\*\*SPAM(\_SCORE\_)\*\*\***.
+- **`'***SPAM*** '`** => A string value to use as a mail subject prefix.
+- `undef` => Opt-out of modifying the subject for mail marked as spam.
+
+??? example "Including trailing white-space"
+
+    Add trailing white-space by quote wrapping the value: `SA_SPAM_SUBJECT='[SPAM] '`
+
+??? example "Including the associated spam score"
+
+    The [`_SCORE_` tag][sa-docs::score-tag] will be substituted with the SpamAssassin score: `SA_SPAM_SUBJECT=***SPAM(_SCORE_)***`.
+
+[sa-docs::score-tag]: https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html#rewrite_header-subject-from-to-STRING
 
 ##### SA_SHORTCIRCUIT_BAYES_SPAM
 
 - **1** => will activate SpamAssassin short circuiting for bayes spam detection.
 
-This will uncomment the respective line in ```/etc/spamassasin/local.cf```
+This will uncomment the respective line in `/etc/spamassasin/local.cf`
 
-Note: activate this only if you are confident in your bayes database for identifying spam.
+!!! warning
+
+    Activate this only if you are confident in your bayes database for identifying spam.
 
 ##### SA_SHORTCIRCUIT_BAYES_HAM
 
 - **1** => will activate SpamAssassin short circuiting for bayes ham detection
 
-This will uncomment the respective line in ```/etc/spamassasin/local.cf```
+This will uncomment the respective line in `/etc/spamassasin/local.cf`
 
-Note: activate this only if you are confident in your bayes database for identifying ham.
+!!! warning
+
+    Activate this only if you are confident in your bayes database for identifying ham.
 
 #### Fetchmail
 
@@ -600,10 +733,20 @@ Enable or disable `getmail`.
 
 - **5** => `getmail` The number of minutes for the interval. Min: 1; Max: 30; Default: 5.
 
+
+#### OAUTH2
+
+##### ENABLE_OAUTH2
+
+- **empty** => OAUTH2 authentication is disabled
+- 1 => OAUTH2 authentication is enabled
+
+##### OAUTH2_INTROSPECTION_URL
+
+- => Specify the user info endpoint URL of the oauth2 provider (_eg: `https://oauth2.example.com/userinfo/`_)
+
 #### LDAP
 
-
-
 ##### LDAP_START_TLS
 
 - **empty** => no

docs/content/faq.md

@@ -378,18 +378,7 @@ When you run DMS with the ENV variable `ONE_DIR=1` (default), this directory wil
 
 #### How can I manage my custom SpamAssassin rules?
 
-Antispam rules are managed in `docker-data/dms/config/spamassassin-rules.cf`.
-
-#### What are acceptable `SA_SPAM_SUBJECT` values?
-
-For no subject set `SA_SPAM_SUBJECT=undef`.
-
-For a trailing white-space subject one can define the whole variable with quotes in `compose.yaml`:
-
-```yaml
-environment:
-  - "SA_SPAM_SUBJECT=[SPAM] "
-```
+Anti-spam rules are managed in `docker-data/dms/config/spamassassin-rules.cf`.
 
 #### Why are SpamAssassin `x-headers` not inserted into my `subdomain.example.com` subdomain emails?
 
@@ -479,59 +468,39 @@ The following configuration works nicely:
         file: ./docker-data/dms/cron/sa-learn
     ```
 
-With the default settings, SpamAssassin will require 200 mails trained for spam (for example with the method explained above) and 200 mails trained for ham (using the same command as above but using `--ham` and providing it with some ham mails). Until you provided these 200+200 mails, SpamAssassin will not take the learned mails into account. For further reference, see the [SpamAssassin Wiki](https://wiki.apache.org/spamassassin/BayesNotWorking).
+With the default settings, SpamAssassin will require 200 mails trained for spam (for example with the method explained above) and 200 mails trained for ham (using the same command as above but using `--ham` and providing it with some ham mails).
+
+- Until you provided these 200+200 mails, SpamAssassin will not take the learned mails into account.
+- For further reference, see the [SpamAssassin Wiki](https://wiki.apache.org/spamassassin/BayesNotWorking).
 
 #### How do I have more control about what SpamAssassin is filtering?
 
-By default, SPAM and INFECTED emails are put to a quarantine which is not very straight forward to access. Several config settings are affecting this behavior:
+This is related to Amavis processing the mail after SpamAssassin has analyzed it and assigned a spam score.
 
-First, make sure you have the proper thresholds set:
+- DMS provides some [common SA tunables via ENV][docs::env::sa_env].
+- Additional configuration can be managed with the DMS config volume by providing `docker-data/dms/config/amavis.cf`.
 
-```conf
-SA_TAG=-100000.0
-SA_TAG2=3.75
-SA_KILL=100000.0
-```
+#### How can I send quarantined mail to a mailbox?
 
-- The very negative value in `SA_TAG` makes sure, that all emails have the SpamAssassin headers included.
-- `SA_TAG2` is the actual threshold to set the YES/NO flag for spam detection.
-- `SA_KILL` needs to be very high, to make sure nothing is bounced at all (`SA_KILL` superseeds `SPAMASSASSIN_SPAM_TO_INBOX`)
+SPAM and INFECTED emails that [reach the `SA_KILL` threshold are archived into quarantine][docs::env::sa_kill].
 
-Make sure everything (including SPAM) is delivered to the inbox and not quarantined:
-
-```conf
-SPAMASSASSIN_SPAM_TO_INBOX=1
-```
-
-Use `MOVE_SPAM_TO_JUNK=1` or create a sieve script which puts spam to the Junk folder:
-
-```sieve
-require ["comparator-i;ascii-numeric","relational","fileinto"];
-
-if header :contains "X-Spam-Flag" "YES" {
-  fileinto "Junk";
-} elsif allof (
-  not header :matches "x-spam-score" "-*",
-  header :value "ge" :comparator "i;ascii-numeric" "x-spam-score" "3.75"
-) {
-  fileinto "Junk";
-}
-```
-
-Create a dedicated mailbox for emails which are infected/bad header and everything amavis is blocking by default and put its address into `docker-data/dms/config/amavis.cf`
+Instead of a quarantine folder, you can use a dedicated mailbox instead. Create an account like `quarantine@example.com` and create `docker-data/dms/config/amavis.cf`:
 
 ```cf
-$clean_quarantine_to      = "amavis\@example.com";
-$virus_quarantine_to      = "amavis\@example.com";
-$banned_quarantine_to     = "amavis\@example.com";
-$bad_header_quarantine_to = "amavis\@example.com";
-$spam_quarantine_to       = "amavis\@example.com";
+$clean_quarantine_to      = "quarantine\@example.com";
+$virus_quarantine_to      = "quarantine\@example.com";
+$banned_quarantine_to     = "quarantine\@example.com";
+$bad_header_quarantine_to = "quarantine\@example.com";
+$spam_quarantine_to       = "quarantine\@example.com";
 ```
 
 [fail2ban-customize]: ./config/security/fail2ban.md
 [docs-maintenance]: ./config/advanced/maintenance/update-and-cleanup.md
 [docs-override-postfix]: ./config/advanced/override-defaults/postfix.md
 [docs-userpatches]: ./config/advanced/override-defaults/user-patches.md
+[docs-optional-configuration]: ./config/advanced/optional-config.md
+[docs::env::sa_env]: ./config/environment.md#spamassassin
+[docs::env::sa_kill]: ./config/environment.md#sa_kill
 [github-comment-baredomain]: https://github.com/docker-mailserver/docker-mailserver/issues/3048#issuecomment-1432358353
 [github-comment-override-hostname]: https://github.com/docker-mailserver/docker-mailserver/issues/1731#issuecomment-753968425
 [github-issue-95]: https://github.com/docker-mailserver/docker-mailserver/issues/95
@@ -542,4 +511,3 @@ $spam_quarantine_to       = "amavis\@example.com";
 [github-issue-1792]: https://github.com/docker-mailserver/docker-mailserver/pull/1792
 [hanscees-userpatches]: https://github.com/hanscees/dockerscripts/blob/master/scripts/tomav-user-patches.sh
 [mail-state-folders]: https://github.com/docker-mailserver/docker-mailserver/blob/c7e498194546416fb7231cb03254e77e085d18df/target/scripts/startup/misc-stack.sh#L24-L33
-[docs-optional-configuration]: ./config/advanced/optional-config.md

docs/content/index.md

@@ -14,7 +14,7 @@ This documentation provides you not only with the basic setup and configuration
 
 ## About
 
-`docker-mailserver`, or DMS for short, is a production-ready fullstack but simple mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.). It employs only configuration files, no SQL database. The image is focused around the slogan "Keep it simple and versioned".
+`docker-mailserver`, or DMS for short, is a production-ready fullstack but simple mail server (SMTP, IMAP, LDAP, Anti-spam, Anti-virus, etc.). It employs only configuration files, no SQL database. The image is focused around the slogan "Keep it simple and versioned".
 
 ## Contents
 

docs/mkdocs.yml

@@ -1,6 +1,6 @@
 # Site specific:
 site_name: 'Docker Mailserver'
-site_description: 'A fullstack but simple mail-server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) using Docker.'
+site_description: 'A fullstack but simple mail-server (SMTP, IMAP, LDAP, Anti-spam, Anti-virus, etc.) using Docker.'
 site_author: 'docker-mailserver (Github Organization)'
 copyright: '<p>&copy <a href="https://github.com/docker-mailserver"><em>Docker Mailserver Organization</em></a><br/><span>This project is licensed under the MIT license.</span></p>'
 
@@ -122,8 +122,9 @@ nav:
     - 'Environment Variables': config/environment.md
     - 'User Management': config/user-management.md
     - 'Best Practices':
-      - 'DKIM, DMARC & SPF': config/best-practices/dkim_dmarc_spf.md
       - 'Auto-discovery': config/best-practices/autodiscover.md
+      - 'DKIM, DMARC & SPF': config/best-practices/dkim_dmarc_spf.md
+      - 'MTA-STS': config/best-practices/mta-sts.md
     - 'Security':
       - 'Understanding the Ports': config/security/understanding-the-ports.md
       - 'SSL/TLS': config/security/ssl.md
@@ -142,6 +143,7 @@ nav:
           - 'Postfix': config/advanced/override-defaults/postfix.md
           - 'Modifications via Script': config/advanced/override-defaults/user-patches.md
         - 'LDAP Authentication': config/advanced/auth-ldap.md
+        - 'OAuth2 Authentication': config/advanced/auth-oauth2.md
         - 'Email Filtering with Sieve': config/advanced/mail-sieve.md
         - 'Email Gathering with Fetchmail': config/advanced/mail-fetchmail.md
         - 'Email Gathering with Getmail': config/advanced/mail-getmail.md

mailserver.env

@@ -119,10 +119,16 @@ ENABLE_OPENDMARC=1
 # - **1** => Enabled
 ENABLE_POLICYD_SPF=1
 
-# 1 => Enables POP3 service
-# empty => disables POP3
+# Enables POP3 service
+# - **0** => Disabled
+# - 1     => Enabled
 ENABLE_POP3=
 
+# Enables IMAP service
+# - 0     => Disabled
+# - **1** => Enabled
+ENABLE_IMAP=1
+
 # Enables ClamAV, and anti-virus scanner.
 #   1   => Enabled
 # **0** => Disabled
@@ -248,7 +254,7 @@ VIRUSMAILS_DELETE_DELAY=
 # `lmtp:<kopano-host>:2003` (use kopano as mailstore)
 POSTFIX_DAGENT=
 
-# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default).
+# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default). Size is in bytes.
 #
 # empty => 0
 POSTFIX_MAILBOX_SIZE_LIMIT=
@@ -258,7 +264,7 @@ POSTFIX_MAILBOX_SIZE_LIMIT=
 # 1 => Dovecot quota is enabled
 ENABLE_QUOTAS=1
 
-# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!)
+# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!). Size is in bytes.
 #
 # empty => 10240000 (~10 MB)
 POSTFIX_MESSAGE_SIZE_LIMIT=
@@ -348,6 +354,12 @@ POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
 # Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
 POSTFIX_INET_PROTOCOLS=all
 
+# Enables MTA-STS support for outbound mail.
+# More details: https://docker-mailserver.github.io/docker-mailserver/latest/config/advanced/mail-mta-sts/
+# - **0** ==> MTA-STS disabled
+# - 1 => MTA-STS enabled
+ENABLE_MTA_STS=0
+
 # Choose TCP/IP protocols for dovecot to use
 # **all** => Listen on all interfaces
 # ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
@@ -362,9 +374,6 @@ DOVECOT_INET_PROTOCOLS=all
 
 ENABLE_SPAMASSASSIN=0
 
-# deliver spam messages in the inbox (eventually tagged using SA_SPAM_SUBJECT)
-SPAMASSASSIN_SPAM_TO_INBOX=1
-
 # KAM is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation.
 # If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
 # - **0** => KAM disabled
@@ -373,23 +382,29 @@ SPAMASSASSIN_SPAM_TO_INBOX=1
 # Note: only has an effect if `ENABLE_SPAMASSASSIN=1`
 ENABLE_SPAMASSASSIN_KAM=0
 
+# deliver spam messages to the inbox (tagged using SA_SPAM_SUBJECT)
+SPAMASSASSIN_SPAM_TO_INBOX=1
+
 # spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required)
 MOVE_SPAM_TO_JUNK=1
 
 # spam messages wil be marked as read
 MARK_SPAM_AS_READ=0
 
-# add spam info headers if at, or above that level:
+# add 'spam info' headers at, or above this level
 SA_TAG=2.0
 
-# add 'spam detected' headers at that level
+# add 'spam detected' headers at, or above this level
 SA_TAG2=6.31
 
 # triggers spam evasive actions
 SA_KILL=10.0
 
 # add tag to subject if spam detected
-SA_SPAM_SUBJECT=***SPAM*****
+# The value `undef` opts-out of this feature. The value shown below is the default.
+# NOTE: By default spam is delivered to a junk folder, reducing the value of adding a subject prefix.
+# NOTE: If not using Docker Compose, other CRI may require the single quotes removed.
+#SA_SPAM_SUBJECT='***SPAM*** '
 
 # -----------------------------------------------
 # --- Fetchmail Section -------------------------
@@ -413,6 +428,18 @@ ENABLE_GETMAIL=0
 # The number of minutes for the interval. Min: 1; Max: 30.
 GETMAIL_POLL=5
 
+# -----------------------------------------------
+# --- OAUTH2 Section ----------------------------
+# -----------------------------------------------
+
+# empty => OAUTH2 authentication is disabled
+# 1 => OAUTH2 authentication is enabled
+ENABLE_OAUTH2=
+
+# Specify the user info endpoint URL of the oauth2 provider
+# Example: https://oauth2.example.com/userinfo/
+OAUTH2_INTROSPECTION_URL=
+
 # -----------------------------------------------
 # --- LDAP Section ------------------------------
 # -----------------------------------------------

target/bin/setquota

@@ -59,10 +59,14 @@ function _quota_request_if_missing() {
   fi
 }
 
+
+# Dovecot docs incorrectly refer to these units with names for SI types (base 10),
+# But then mentions they're actually treated as IEC type (base 2):
+# https://doc.dovecot.org/settings/types/#size
 function _quota_unit_is_valid() {
   if ! grep -qE "^([0-9]+(B|k|M|G|T)|0)\$" <<< "${QUOTA}"; then
     __usage
-    _exit_with_error 'Invalid quota format. e.g. 302M (B (byte), k (kilobyte), M (megabyte), G (gigabyte) or T (terabyte))'
+    _exit_with_error 'Invalid quota format. e.g. 302M (B (byte), k (kibibyte), M (mebibyte), G (gibibyte) or T (tebibyte))'
   fi
 }
 

target/dovecot/10-auth.conf

@@ -123,6 +123,7 @@ auth_mechanisms = plain login
 #!include auth-sql.conf.ext
 #!include auth-ldap.conf.ext
 !include auth-passwdfile.inc
+#!include auth-oauth2.conf.ext
 #!include auth-checkpassword.conf.ext
 #!include auth-vpopmail.conf.ext
 #!include auth-static.conf.ext

target/dovecot/auth-oauth2.conf.ext

@@ -0,0 +1,7 @@
+auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
+
+passdb {
+    driver = oauth2
+    mechanisms = xoauth2 oauthbearer
+    args = /etc/dovecot/dovecot-oauth2.conf.ext
+}

target/dovecot/dovecot-oauth2.conf.ext

@@ -0,0 +1,4 @@
+introspection_url =
+# Dovecot defaults:
+introspection_mode = auth
+username_attribute = email

target/mta-sts-daemon/mta-sts-daemon.yml

@@ -0,0 +1,7 @@
+# Docs: https://github.com/Snawoot/postfix-mta-sts-resolver/blob/master/man/mta-sts-daemon.yml.5.adoc
+path: /var/run/mta-sts/daemon.sock
+mode: 0666
+cache:
+  type: sqlite
+  options:
+    filename: "/var/lib/mta-sts/cache.db"

target/postfix/main.cf

@@ -5,6 +5,9 @@ biff = no
 append_dot_mydomain = no
 readme_directory = no
 
+# Disabled as not compatible with Dovecot
+smtputf8_enable = no
+
 # Basic configuration
 # myhostname =
 alias_maps = hash:/etc/aliases
@@ -51,12 +54,19 @@ smtpd_helo_required = yes
 smtpd_delay_reject = yes
 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain
-smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
+smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain
+smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 smtpd_sender_restrictions = $dms_smtpd_sender_restrictions
 smtpd_discard_ehlo_keywords = silent-discard, dsn
+smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining
 disable_vrfy_command = yes
 
+# Security - Prevent SMTP Smuggling attack
+# https://www.postfix.org/smtp-smuggling.html#long
+smtpd_forbid_bare_newline = yes
+# It is possible to exclude clients on trusted networks from this restriction (the upstream default is `$mynetwork`):
+# smtpd_forbid_bare_newline_exclusions = $mynetworks
+
 # Custom defined parameters for DMS:
 dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
 # Submission ports 587 and 465 support for SPOOF_PROTECTION=1

target/rspamd/local.d/actions.conf

@@ -1,9 +1,12 @@
 # documentation: https://rspamd.com/doc/configuration/metrics.html#actions
 # and            https://rspamd.com/doc/configuration/metrics.html
 
-#greylist = 4;
-#add_header = 6;
-#rewrite_subject = 7;
-#reject = 15;
+# These values work in conjunction with the symbol scores in
+# `scores.d/*.conf`. When adjusting them, make sure to understand
+# and to be able to explain the impact on the whole system.
+greylist = 4;
+add_header = 6;
+rewrite_subject = 7;
+reject = 11;
 
 subject = "***SPAM*** %s"

target/rspamd/scores.d/policies_group.conf

@@ -0,0 +1,108 @@
+# Please refer to
+# https://github.com/docker-mailserver/docker-mailserver/issues/3690
+# for understanding this file and its scores' values.
+
+symbols = {
+    # SPF
+    "R_SPF_ALLOW" {
+        weight = -1;
+        description = "SPF verification allows sending";
+        groups = ["spf"];
+    }
+    "R_SPF_NA" {
+        weight = 1.5;
+        description = "Missing SPF record";
+        one_shot = true;
+        groups = ["spf"];
+    }
+    "R_SPF_SOFTFAIL" {
+        weight = 2.5;
+        description = "SPF verification soft-failed";
+        groups = ["spf"];
+    }
+    "R_SPF_FAIL" {
+        weight = 4.5;
+        description = "SPF verification failed";
+        groups = ["spf"];
+    }
+
+    "R_SPF_NEUTRAL" { # == R_SPF_NA
+        weight = 1.5;
+        description = "SPF policy is neutral";
+        groups = ["spf"];
+    }
+    "R_SPF_DNSFAIL" { # == R_SPF_SOFTFAIL
+        weight = 2.5;
+        description = "SPF DNS failure";
+        groups = ["spf"];
+    }
+    "R_SPF_PERMFAIL" { # == R_SPF_FAIL
+        weight = 4.5;
+        description = "SPF record is malformed or persistent DNS error";
+        groups = ["spf"];
+    }
+
+    # DKIM
+    "R_DKIM_ALLOW" {
+        weight = -1;
+        description = "DKIM verification succeed";
+        one_shot = true;
+        groups = ["dkim"];
+    }
+    "R_DKIM_NA" {
+        weight = 0;
+        description = "Missing DKIM signature";
+        one_shot = true;
+        groups = ["dkim"];
+    }
+    "R_DKIM_TEMPFAIL" {
+        weight = 1.5;
+        description = "DKIM verification soft-failed";
+        groups = ["dkim"];
+    }
+    "R_DKIM_PERMFAIL" {
+        weight = 4.5;
+        description = "DKIM verification hard-failed (invalid)";
+        groups = ["dkim"];
+    }
+
+    "R_DKIM_REJECT" { # == R_DKIM_PERMFAIL
+        weight = 4.5;
+        description = "DKIM verification failed";
+        one_shot = true;
+        groups = ["dkim"];
+    }
+
+    # DMARC
+    "DMARC_NA" {
+        weight = 1;
+        description = "No DMARC record";
+        groups = ["dmarc"];
+    }
+    "DMARC_POLICY_QUARANTINE" {
+        weight = 1.5;
+        description = "DMARC quarantine policy";
+        groups = ["dmarc"];
+    }
+    "DMARC_POLICY_REJECT" {
+        weight = 2;
+        description = "DMARC reject policy";
+        groups = ["dmarc"];
+    }
+
+    "DMARC_POLICY_ALLOW" { # no equivalent
+        weight = -1;
+        description = "DMARC permit policy";
+        groups = ["dmarc"];
+    }
+    "DMARC_POLICY_ALLOW_WITH_FAILURES" { # no equivalent
+        weight = -0.5;
+        description = "DMARC permit policy with DKIM/SPF failure";
+        groups = ["dmarc"];
+    }
+    "DMARC_POLICY_SOFTFAIL" { # == DMARC_POLICY_QUARANTINE
+        weight = 1.5;
+        description = "DMARC soft-failed";
+        groups = ["dmarc"];
+    }
+}

target/scripts/build/packages.sh

@@ -68,7 +68,7 @@ function _install_packages() {
   )
 
   POSTFIX_PACKAGES=(
-    pflogsumm postgrey postfix-ldap
+    pflogsumm postgrey postfix-ldap postfix-mta-sts-resolver
     postfix-pcre postfix-policyd-spf-python postsrsd
   )
 
@@ -192,7 +192,15 @@ function _install_getmail() {
 
 function _install_utils() {
   _log 'debug' 'Installing utils sourced from Github'
-  curl -sL https://github.com/01mf02/jaq/releases/latest/download/jaq-v1.2.0-x86_64-unknown-linux-musl -o /usr/bin/jaq && chmod +x /usr/bin/jaq
+  _log 'trace' 'Installing jaq'
+  curl -sL "https://github.com/01mf02/jaq/releases/latest/download/jaq-v1.2.0-$(uname -m)-unknown-linux-gnu" -o /usr/bin/jaq && chmod +x /usr/bin/jaq
+
+  _log 'trace' 'Installing swaks'
+  local SWAKS_VERSION='20240103.0'
+  local SWAKS_RELEASE="swaks-${SWAKS_VERSION}"
+  curl -sSfL "https://github.com/jetmore/swaks/releases/download/v${SWAKS_VERSION}/${SWAKS_RELEASE}.tar.gz" | tar -xz
+  mv "${SWAKS_RELEASE}/swaks" /usr/local/bin
+  rm -r "${SWAKS_RELEASE}"
 }
 
 function _remove_data_after_package_installations() {

target/scripts/start-mailserver.sh

@@ -71,6 +71,11 @@ function _register_functions() {
       ;;
   esac
 
+  if [[ ${ENABLE_OAUTH2} -eq 1 ]]; then
+      _environment_variables_oauth2
+      _register_setup_function '_setup_oauth2'
+  fi
+
   if [[ ${ENABLE_SASLAUTHD} -eq 1 ]]; then
     _environment_variables_saslauthd
     _register_setup_function '_setup_saslauthd'
@@ -115,6 +120,11 @@ function _register_functions() {
   _register_setup_function '_setup_apply_fixes_after_configuration'
   _register_setup_function '_environment_variables_export'
 
+  if [[ ${ENABLE_MTA_STS} -eq 1 ]]; then
+    _register_setup_function '_setup_mta_sts'
+    _register_start_daemon '_start_daemon_mta_sts_daemon'
+  fi
+
   # ? >> Daemons
 
   _register_start_daemon '_start_daemon_cron'

target/scripts/startup/daemons-stack.sh

@@ -38,6 +38,7 @@ function _start_daemon_opendkim       { _default_start_daemon 'opendkim'       ;
 function _start_daemon_opendmarc      { _default_start_daemon 'opendmarc'      ; }
 function _start_daemon_postgrey       { _default_start_daemon 'postgrey'       ; }
 function _start_daemon_postsrsd       { _default_start_daemon 'postsrsd'       ; }
+function _start_daemon_mta_sts_daemon { _default_start_daemon 'mta-sts-daemon' ; }
 function _start_daemon_rspamd         { _default_start_daemon 'rspamd'         ; }
 function _start_daemon_rspamd_redis   { _default_start_daemon 'rspamd-redis'   ; }
 function _start_daemon_rsyslog        { _default_start_daemon 'rsyslog'        ; }

target/scripts/startup/setup.d/dovecot.sh

@@ -6,12 +6,10 @@ function _setup_dovecot() {
   cp -a /usr/share/dovecot/protocols.d /etc/dovecot/
   # disable pop3 (it will be eventually enabled later in the script, if requested)
   mv /etc/dovecot/protocols.d/pop3d.protocol /etc/dovecot/protocols.d/pop3d.protocol.disab
+  # disable imap (it will be eventually enabled later in the script, if requested)
+  mv /etc/dovecot/protocols.d/imapd.protocol /etc/dovecot/protocols.d/imapd.protocol.disab
   mv /etc/dovecot/protocols.d/managesieved.protocol /etc/dovecot/protocols.d/managesieved.protocol.disab
-  sed -i -e 's|#ssl = yes|ssl = yes|g' /etc/dovecot/conf.d/10-master.conf
-  sed -i -e 's|#port = 993|port = 993|g' /etc/dovecot/conf.d/10-master.conf
-  sed -i -e 's|#port = 995|port = 995|g' /etc/dovecot/conf.d/10-master.conf
-  sed -i -e 's|#ssl = yes|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf
-  sed -i 's|^postmaster_address = .*$|postmaster_address = '"${POSTMASTER_ADDRESS}"'|g' /etc/dovecot/conf.d/15-lda.conf
+    sedfile -i 's|^postmaster_address = .*$|postmaster_address = '"${POSTMASTER_ADDRESS}"'|g' /etc/dovecot/conf.d/15-lda.conf
 
   if ! grep -q -E '^stats_writer_socket_path=' /etc/dovecot/dovecot.conf; then
     printf '\n%s\n' 'stats_writer_socket_path=' >>/etc/dovecot/dovecot.conf
@@ -37,9 +35,21 @@ function _setup_dovecot() {
 
   esac
 
+  if [[ ${ENABLE_POP3} -eq 1 || ${ENABLE_IMAP} -eq 1 ]]; then
+    sedfile -i -e 's|#ssl = yes|ssl = yes|g' /etc/dovecot/conf.d/10-master.conf
+    sedfile -i -e 's|#ssl = yes|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf
+  fi
+
   if [[ ${ENABLE_POP3} -eq 1 ]]; then
     _log 'debug' 'Enabling POP3 services'
     mv /etc/dovecot/protocols.d/pop3d.protocol.disab /etc/dovecot/protocols.d/pop3d.protocol
+    sedfile -i -e 's|#port = 995|port = 995|g' /etc/dovecot/conf.d/10-master.conf
+  fi
+
+  if [[ ${ENABLE_IMAP} -eq 1 ]]; then
+    _log 'debug' 'Enabling IMAP services'
+    mv /etc/dovecot/protocols.d/imapd.protocol.disab /etc/dovecot/protocols.d/imapd.protocol
+    sedfile -i -e 's|#port = 993|port = 993|g' /etc/dovecot/conf.d/10-master.conf
   fi
 
   [[ -f /tmp/docker-mailserver/dovecot.cf ]] && cp /tmp/docker-mailserver/dovecot.cf /etc/dovecot/local.conf
@@ -89,23 +99,20 @@ function _setup_dovecot_quota() {
     # disable dovecot quota in docevot confs
     if [[ -f /etc/dovecot/conf.d/90-quota.conf ]]; then
       mv /etc/dovecot/conf.d/90-quota.conf /etc/dovecot/conf.d/90-quota.conf.disab
-      sed -i \
+      sedfile -i \
         "s|mail_plugins = \$mail_plugins quota|mail_plugins = \$mail_plugins|g" \
         /etc/dovecot/conf.d/10-mail.conf
-      sed -i \
+      sedfile -i \
         "s|mail_plugins = \$mail_plugins imap_quota|mail_plugins = \$mail_plugins|g" \
         /etc/dovecot/conf.d/20-imap.conf
     fi
-
-    # disable quota policy check in postfix
-    sed -i "s|check_policy_service inet:localhost:65265||g" /etc/postfix/main.cf
   else
     if [[ -f /etc/dovecot/conf.d/90-quota.conf.disab ]]; then
       mv /etc/dovecot/conf.d/90-quota.conf.disab /etc/dovecot/conf.d/90-quota.conf
-      sed -i \
+      sedfile -i \
         "s|mail_plugins = \$mail_plugins|mail_plugins = \$mail_plugins quota|g" \
         /etc/dovecot/conf.d/10-mail.conf
-      sed -i \
+      sedfile -i \
         "s|mail_plugins = \$mail_plugins|mail_plugins = \$mail_plugins imap_quota|g" \
         /etc/dovecot/conf.d/20-imap.conf
     fi
@@ -113,11 +120,11 @@ function _setup_dovecot_quota() {
     local MESSAGE_SIZE_LIMIT_MB=$((POSTFIX_MESSAGE_SIZE_LIMIT / 1000000))
     local MAILBOX_LIMIT_MB=$((POSTFIX_MAILBOX_SIZE_LIMIT / 1000000))
 
-    sed -i \
+    sedfile -i \
       "s|quota_max_mail_size =.*|quota_max_mail_size = ${MESSAGE_SIZE_LIMIT_MB}$([[ ${MESSAGE_SIZE_LIMIT_MB} -eq 0 ]] && echo "" || echo "M")|g" \
       /etc/dovecot/conf.d/90-quota.conf
 
-    sed -i \
+    sedfile -i \
       "s|quota_rule = \*:storage=.*|quota_rule = *:storage=${MAILBOX_LIMIT_MB}$([[ ${MAILBOX_LIMIT_MB} -eq 0 ]] && echo "" || echo "M")|g" \
       /etc/dovecot/conf.d/90-quota.conf
 
@@ -127,7 +134,7 @@ function _setup_dovecot_quota() {
     fi
 
     # enable quota policy check in postfix
-    sed -i -E \
+    sedfile -i -E \
       "s|(reject_unknown_recipient_domain)|\1, check_policy_service inet:localhost:65265|g" \
       /etc/postfix/main.cf
   fi
@@ -188,5 +195,5 @@ function _setup_dovecot_dhparam() {
 
 function _setup_dovecot_hostname() {
   _log 'debug' 'Applying hostname to Dovecot'
-  sed -i "s|^#hostname =.*$|hostname = '${HOSTNAME}'|g" /etc/dovecot/conf.d/15-lda.conf
+  sedfile -i "s|^#hostname =.*$|hostname = '${HOSTNAME}'|g" /etc/dovecot/conf.d/15-lda.conf
 }

target/scripts/startup/setup.d/mail_state.sh

@@ -24,6 +24,7 @@ function _setup_save_states() {
     [[ ${ENABLE_FAIL2BAN}     -eq 1 ]] && SERVICEDIRS+=('lib/fail2ban')
     [[ ${ENABLE_FETCHMAIL}    -eq 1 ]] && SERVICEDIRS+=('lib/fetchmail')
     [[ ${ENABLE_GETMAIL}      -eq 1 ]] && SERVICEDIRS+=('lib/getmail')
+    [[ ${ENABLE_MTA_STS}      -eq 1 ]] && SERVICEDIRS+=('lib/mta-sts')
     [[ ${ENABLE_POSTGREY}     -eq 1 ]] && SERVICEDIRS+=('lib/postgrey')
     [[ ${ENABLE_RSPAMD}       -eq 1 ]] && SERVICEDIRS+=('lib/rspamd')
     [[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]] && SERVICEDIRS+=('lib/redis')
@@ -84,6 +85,7 @@ function _setup_save_states() {
     [[ ${ENABLE_AMAVIS}       -eq 1 ]] && chown -R amavis:amavis             "${STATEDIR}/lib-amavis"
     [[ ${ENABLE_CLAMAV}       -eq 1 ]] && chown -R clamav:clamav             "${STATEDIR}/lib-clamav"
     [[ ${ENABLE_FETCHMAIL}    -eq 1 ]] && chown -R fetchmail:nogroup         "${STATEDIR}/lib-fetchmail"
+    [[ ${ENABLE_MTA_STS}      -eq 1 ]] && chown -R _mta-sts:_mta-sts         "${STATEDIR}/lib-mta-sts"
     [[ ${ENABLE_POSTGREY}     -eq 1 ]] && chown -R postgrey:postgrey         "${STATEDIR}/lib-postgrey"
     [[ ${ENABLE_RSPAMD}       -eq 1 ]] && chown -R _rspamd:_rspamd           "${STATEDIR}/lib-rspamd"
     [[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]] && chown -R redis:redis               "${STATEDIR}/lib-redis"

target/scripts/startup/setup.d/mta-sts.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+
+function _setup_mta_sts() {
+  _log 'trace' 'Adding MTA-STS lookup to the Postfix TLS policy map'
+  _add_to_or_update_postfix_main smtp_tls_policy_maps 'socketmap:unix:/var/run/mta-sts/daemon.sock:postfix'
+}

target/scripts/startup/setup.d/oauth2.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+function _setup_oauth2() {
+  _log 'debug' 'Setting up OAUTH2'
+
+  # Enable OAuth2 PassDB (Authentication):
+  sedfile -i -e '/\!include auth-oauth2\.conf\.ext/s/^#//' /etc/dovecot/conf.d/10-auth.conf
+  _replace_by_env_in_file 'OAUTH2_' '/etc/dovecot/dovecot-oauth2.conf.ext'
+
+  return 0
+}

target/scripts/startup/setup.d/postfix.sh

@@ -19,9 +19,6 @@ function _setup_postfix_early() {
     postconf "inet_protocols = ${POSTFIX_INET_PROTOCOLS}"
   fi
 
-  __postfix__log 'trace' "Disabling SMTPUTF8 support"
-  postconf 'smtputf8_enable = no'
-
   __postfix__log 'trace' "Configuring SASLauthd"
   if [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && [[ ! -f /etc/postfix/sasl/smtpd.conf ]]; then
     cat >/etc/postfix/sasl/smtpd.conf << EOF

target/scripts/startup/setup.d/security/misc.sh

@@ -111,7 +111,7 @@ function __setup__security__spamassassin() {
 
     if [[ ${SPAMASSASSIN_SPAM_TO_INBOX} -eq 1 ]]; then
       _log 'trace' 'Configuring Spamassassin/Amavis to send SPAM to inbox'
-      _log 'debug'  'SPAM_TO_INBOX=1 is set. SA_KILL will be ignored.'
+      _log 'debug'  "'SPAMASSASSIN_SPAM_TO_INBOX=1' is set. The 'SA_KILL' ENV will be ignored."
 
       sed -i "s|\$final_spam_destiny.*=.*$|\$final_spam_destiny = D_PASS;|g" /etc/amavis/conf.d/49-docker-mailserver
       sed -i "s|\$final_bad_header_destiny.*=.*$|\$final_bad_header_destiny = D_PASS;|g" /etc/amavis/conf.d/49-docker-mailserver
@@ -265,7 +265,7 @@ EOF
     chown dovecot:root /usr/lib/dovecot/sieve-global/after/spam_to_junk.{sieve,svbin}
 
     if [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && [[ ${SPAMASSASSIN_SPAM_TO_INBOX} -eq 0 ]]; then
-      _log 'warning' "'SPAMASSASSIN_SPAM_TO_INBOX=0' but it is required to be 1 for 'MOVE_SPAM_TO_JUNK=1' to work"
+      _log 'warn' "'SPAMASSASSIN_SPAM_TO_INBOX=0' but it is required to be 1 for 'MOVE_SPAM_TO_JUNK=1' to work"
     fi
   else
     _log 'debug' 'Spam emails will not be moved to the Junk folder'
@@ -290,7 +290,7 @@ EOF
     chown dovecot:root /usr/lib/dovecot/sieve-global/after/spam_mark_as_read.{sieve,svbin}
 
     if [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && [[ ${SPAMASSASSIN_SPAM_TO_INBOX} -eq 0 ]]; then
-      _log 'warning' "'SPAMASSASSIN_SPAM_TO_INBOX=0' but it is required to be 1 for 'MARK_SPAM_AS_READ=1' to work"
+      _log 'warn' "'SPAMASSASSIN_SPAM_TO_INBOX=0' but it is required to be 1 for 'MARK_SPAM_AS_READ=1' to work"
     fi
   else
     _log 'debug' 'Spam emails will not be marked as read'

target/scripts/startup/variables-stack.sh

@@ -83,10 +83,12 @@ function __environment_variables_general_setup() {
   VARS[ENABLE_FETCHMAIL]="${ENABLE_FETCHMAIL:=0}"
   VARS[ENABLE_GETMAIL]="${ENABLE_GETMAIL:=0}"
   VARS[ENABLE_MANAGESIEVE]="${ENABLE_MANAGESIEVE:=0}"
+  VARS[ENABLE_OAUTH2]="${ENABLE_OAUTH2:=0}"
   VARS[ENABLE_OPENDKIM]="${ENABLE_OPENDKIM:=1}"
   VARS[ENABLE_OPENDMARC]="${ENABLE_OPENDMARC:=1}"
   VARS[ENABLE_POLICYD_SPF]="${ENABLE_POLICYD_SPF:=1}"
   VARS[ENABLE_POP3]="${ENABLE_POP3:=0}"
+  VARS[ENABLE_IMAP]="${ENABLE_IMAP:=1}"
   VARS[ENABLE_POSTGREY]="${ENABLE_POSTGREY:=0}"
   VARS[ENABLE_QUOTAS]="${ENABLE_QUOTAS:=1}"
   VARS[ENABLE_RSPAMD]="${ENABLE_RSPAMD:=0}"
@@ -150,6 +152,12 @@ function __environment_variables_general_setup() {
   VARS[UPDATE_CHECK_INTERVAL]="${UPDATE_CHECK_INTERVAL:=1d}"
 }
 
+function _environment_variables_oauth2() {
+  _log 'debug' 'Setting OAUTH2-related environment variables now'
+
+  VARS[OAUTH2_INTROSPECTION_URL]="${OAUTH2_INTROSPECTION_URL:=}"
+}
+
 # This function handles environment variables related to LDAP.
 # NOTE: SASLAuthd and Dovecot LDAP support inherit these common ENV.
 function _environment_variables_ldap() {

target/supervisor/conf.d/supervisor-app.conf

@@ -83,8 +83,8 @@ startsecs=0
 stopwaitsecs=55
 autostart=false
 autorestart=true
-stdout_logfile=/var/log/mail/mail.log
-stderr_logfile=/var/log/mail/mail.log
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
 command=/usr/sbin/postgrey --inet=127.0.0.1:10023 --syslog-facility=mail --delay="%(ENV_POSTGREY_DELAY)s" --max-age="%(ENV_POSTGREY_MAX_AGE)s" --auto-whitelist-clients="%(ENV_POSTGREY_AUTO_WHITELIST_CLIENTS)s" --greylist-text="%(ENV_POSTGREY_TEXT)s"
 
 [program:amavis]
@@ -157,3 +157,15 @@ autostart=false
 stdout_logfile=/var/log/supervisor/%(program_name)s.log
 stderr_logfile=/var/log/supervisor/%(program_name)s.log
 command=/bin/bash -l -c /usr/local/bin/update-check.sh
+
+# Docs: https://github.com/Snawoot/postfix-mta-sts-resolver/blob/master/man/mta-sts-daemon.1.adoc
+[program:mta-sts-daemon]
+startsecs=0
+stopwaitsecs=55
+autostart=false
+autorestart=true
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
+command=/usr/bin/mta-sts-daemon --config /etc/mta-sts-daemon.yml
+user=_mta-sts
+environment=HOME=/var/lib/mta-sts

test/config/oauth2/provider.py

@@ -0,0 +1,56 @@
+# OAuth2 mock service
+#
+# Dovecot will query this service with the token it was provided.
+# If the session for the token is valid, a response provides an attribute to perform a UserDB lookup on (default: email).
+
+import json
+import base64
+from http.server import BaseHTTPRequestHandler, HTTPServer
+
+# OAuth2.0 Bearer token (paste into https://jwt.io/ to check it's contents).
+# You should never need to edit this unless you REALLY need to change the issuer.
+token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vcHJvdmlkZXIuZXhhbXBsZS50ZXN0OjgwMDAvIiwic3ViIjoiODJjMWMzMzRkY2M2ZTMxMWFlNGFhZWJmZTk0NmM1ZTg1OGYwNTVhZmYxY2U1YTM3YWE3Y2M5MWFhYjE3ZTM1YyIsImF1ZCI6Im1haWxzZXJ2ZXIiLCJ1aWQiOiI4OU4zR0NuN1M1Y090WkZNRTVBeVhNbmxURFdVcnEzRmd4YWlyWWhFIn0.zuCytArbphhJn9XT_y9cBdGqDCNo68tBrtOwPIsuKNyF340SaOuZa0xarZofygytdDpLtYr56QlPTKImi-n1ZWrHkRZkwrQi5jQ-j_n2hEAL0vUToLbDnXYfc5q2w7z7X0aoCmiK8-fV7Kx4CVTM7riBgpElf6F3wNAIcX6R1ijUh6ISCL0XYsdogf8WUNZipXY-O4R7YHXdOENuOp3G48hWhxuUh9PsUqE5yxDwLsOVzCTqg9S5gxPQzF2eCN9J0I2XiIlLKvLQPIZ2Y_K7iYvVwjpNdgb4xhm9wuKoIVinYkF_6CwIzAawBWIDJAbix1IslkUPQMGbupTDtOgTiQ"
+
+# This is the string the user-facing client (e.g. Roundcube) should send via IMAP to Dovecot.
+# We include the user and the above token separated by '\1' chars as per the XOAUTH2 spec.
+xoauth2 = base64.b64encode(f"user=user1@localhost.localdomain\1auth=Bearer {token}\1\1".encode("utf-8"))
+# If changing the user above, use the new output from the below line with the contents of the AUTHENTICATE command in test/test-files/auth/imap-oauth2-auth.txt
+print("XOAUTH2 string: " + str(xoauth2))
+
+
+class HTTPRequestHandler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        auth = self.headers.get("Authorization")
+        if auth is None:
+            self.send_response(401)
+            self.end_headers()
+            return
+        if len(auth.split()) != 2:
+            self.send_response(401)
+            self.end_headers()
+            return
+        auth = auth.split()[1]
+        # Valid session, respond with JSON containing the expected `email` claim to match as Dovecot username:
+        if auth == token:
+            self.send_response(200)
+            self.send_header('Content-Type', 'application/json')
+            self.end_headers()
+            self.wfile.write(json.dumps({
+                "email": "user1@localhost.localdomain",
+                "email_verified": True,
+                "sub": "82c1c334dcc6e311ae4aaebfe946c5e858f055aff1ce5a37aa7cc91aab17e35c"
+            }).encode("utf-8"))
+        else:
+            self.send_response(401)
+        self.end_headers()
+
+server = HTTPServer(('', 80), HTTPRequestHandler)
+print("Starting server", flush=True)
+
+try:
+    server.serve_forever()
+except KeyboardInterrupt:
+    print()
+    print("Received keyboard interrupt")
+finally:
+    print("Exiting")

test/files/auth/imap-oauth2-auth.txt

@@ -0,0 +1,4 @@
+a0 NOOP See test/config/oauth2/provider.py to generate the below XOAUTH2 string
+a1 AUTHENTICATE XOAUTH2 dXNlcj11c2VyMUBsb2NhbGhvc3QubG9jYWxkb21haW4BYXV0aD1CZWFyZXIgZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SnBjM01pT2lKb2RIUndPaTh2Y0hKdmRtbGtaWEl1WlhoaGJYQnNaUzUwWlhOME9qZ3dNREF2SWl3aWMzVmlJam9pT0RKak1XTXpNelJrWTJNMlpUTXhNV0ZsTkdGaFpXSm1aVGswTm1NMVpUZzFPR1l3TlRWaFptWXhZMlUxWVRNM1lXRTNZMk01TVdGaFlqRTNaVE0xWXlJc0ltRjFaQ0k2SW0xaGFXeHpaWEoyWlhJaUxDSjFhV1FpT2lJNE9VNHpSME51TjFNMVkwOTBXa1pOUlRWQmVWaE5ibXhVUkZkVmNuRXpSbWQ0WVdseVdXaEZJbjAuenVDeXRBcmJwaGhKbjlYVF95OWNCZEdxRENObzY4dEJydE93UElzdUtOeUYzNDBTYU91WmEweGFyWm9meWd5dGREcEx0WXI1NlFsUFRLSW1pLW4xWldySGtSWmt3clFpNWpRLWpfbjJoRUFMMHZVVG9MYkRuWFlmYzVxMnc3ejdYMGFvQ21pSzgtZlY3S3g0Q1ZUTTdyaUJncEVsZjZGM3dOQUljWDZSMWlqVWg2SVNDTDBYWXNkb2dmOFdVTlppcFhZLU80UjdZSFhkT0VOdU9wM0c0OGhXaHh1VWg5UHNVcUU1eXhEd0xzT1Z6Q1RxZzlTNWd4UFF6RjJlQ045SjBJMlhpSWxMS3ZMUVBJWjJZX0s3aVl2VndqcE5kZ2I0eGhtOXd1S29JVmluWWtGXzZDd0l6QWF3QldJREpBYml4MUlzbGtVUFFNR2J1cFREdE9nVGlRAQE=
+a2 EXAMINE INBOX
+a3 LOGOUT

test/files/emails/amavis/virus.txt

@@ -1,11 +1,7 @@
-HELO mail.external.tld
-MAIL FROM: virus@external.tld
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
-Subject: Test Message amavis-virus.txt
+Subject: Test Message amavis/virus.txt
 
 Content-type: multipart/mixed; boundary="emailboundary"
 MIME-version: 1.0
@@ -27,6 +23,3 @@ ACAA/4EAAAAAZWljYXIuY29tUEsFBgAAAAABAAEANwAAAGsAAAAAAA==
 
 
 --emailboundary--
-
-.
-QUIT

test/files/emails/auth/added-smtp-auth-spoofed-alias.txt

@@ -1,14 +1,5 @@
-EHLO mail
-AUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu
-bXlwYXNzd29yZA==
-MAIL FROM: alias1@localhost.localdomain
-RCPT TO: user1@localhost.localdomain
-DATA
 From: user1_alias <alias1@localhost.localdomain>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message
 This is a test mail.
-
-.
-QUIT

test/files/emails/auth/added-smtp-auth-spoofed.txt

@@ -1,14 +1,5 @@
-EHLO mail
-AUTH LOGIN YWRkZWRAbG9jYWxob3N0LmxvY2FsZG9tYWlu
-bXlwYXNzd29yZA==
-MAIL FROM: user2@localhost.localdomain
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Not_My_Business <user2@localhost.localdomain>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message
 This is a test mail.
-
-.
-QUIT

test/files/emails/auth/ldap-smtp-auth-spoofed-alias.txt

@@ -1,15 +1,5 @@
-EHLO mail
-AUTH LOGIN
-c29tZS51c2VyQGxvY2FsaG9zdC5sb2NhbGRvbWFpbg==
-c2VjcmV0
-MAIL FROM: postmaster@localhost.localdomain
-RCPT TO: some.user@localhost.localdomain
-DATA
 From: alias_address <postmaster@localhost.localdomain>
 To: Existing Local User <some.user@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message
 This is a test mail from ldap-smtp-auth-spoofed-alias.txt
-
-.
-QUIT

test/files/emails/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt

@@ -1,15 +1,5 @@
-EHLO mail
-AUTH LOGIN
-c29tZS51c2VyLmVtYWlsQGxvY2FsaG9zdC5sb2NhbGRvbWFpbgo=
-c2VjcmV0
-MAIL FROM: randomspoofedaddress@localhost.localdomain
-RCPT TO: some.user@localhost.localdomain
-DATA
 From: spoofed_address <randomspoofedaddress@localhost.localdomain>
 To: Existing Local User <some.user@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message
 This is a test mail from ldap-smtp-auth-spoofed-sender-with-filter-exception.txt
-
-.
-QUIT

test/files/emails/auth/ldap-smtp-auth-spoofed.txt

@@ -1,15 +1,5 @@
-EHLO mail
-AUTH LOGIN
-c29tZS51c2VyQGxvY2FsaG9zdC5sb2NhbGRvbWFpbg==
-c2VjcmV0
-MAIL FROM: ldap@localhost.localdomain
-RCPT TO: user1@localhost.localdomain
-DATA
 From: forged_address <ldap@localhost.localdomain>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message
 This is a test mail.
-
-.
-QUIT

test/files/emails/postgrey.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Docker Mail Server <dockermailserver@external.tld>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Postgrey Test Message
 This is a test mail.
-
-.
-QUIT

test/files/emails/postscreen.txt

@@ -0,0 +1,5 @@
+From: Docker Mail Server <user@external.tld>
+To: Existing Local User <user1@localhost.localdomain>
+Date: Sat, 22 May 2010 07:43:25 -0400
+Subject: Test Message postscreen.txt
+This is a test mail for postscreen.

test/files/emails/privacy.txt

@@ -1,15 +1,6 @@
-EHLO mail
-AUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu
-bXlwYXNzd29yZA==
-mail from: <user1@localhost.localdomain>
-rcpt to: <user1@localhost.localdomain>
-data
 From: Some User <user1@localhost.localdomain>
 To: Some User <user1@localhost.localdomain>
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
   Gecko/20100101 Thunderbird/52.2.1
 Subject: Test ESMTP Auth LOGIN and remove privacy
 This is a test mail.
-
-.
-QUIT

test/files/emails/quota-exceeded.txt

@@ -1,7 +1,3 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: quotauser@otherdomain.tld
-DATA
 From: Docker Mail Server <user@external.tld>
 To: Existing Local User <quotauser@otherdomain.tld>
 Date: Sat, 22 May 2010 07:43:25 -0400
@@ -20,6 +16,3 @@ Et voluptatum nobis ut odio voluptatem et quibusdam fugit ut libero sapiente vel
 Sit sint obcaecati et reiciendis tenetur aut dolorum culpa. Ab veritatis maxime qui necessitatibus facilis eum voluptate asperiores non totam omnis. Nam modi officia in reiciendis odit sit rerum laudantium est rerum voluptatem ut fugit cupiditate! Sit atque sint aut delectus omnis ut asperiores enim quo reprehenderit quae! In quasi nemo ut error totam ut quia harum ut commodi tenetur? Non quod dolorum eum explicabo labore vel asperiores quas est perferendis nulla eum nemo tenetur. Ut libero blanditiis ex voluptatibus repudiandae ab reiciendis nemo id debitis impedit hic quia incidunt sed quam excepturi ut magnam odit. Qui dolor deleniti aut sunt voluptas aut blanditiis distinctio nam omnis deleniti hic omnis rerum eum magni voluptatem. Nam labore facere eum molestiae dolorum ea consectetur praesentium ut cupiditate iste ad magnam aut neque maiores! Et excepturi ducimus ut nemo voluptas eum voluptas nihil hic perferendis quos vel quasi nesciunt est praesentium dolore hic quia quis. Et maxime ducimus ea cupiditate voluptatem ad quia dolores!
 
 Sed quos quaerat vel aperiam minus non sapiente quia ut ratione dolore eum officiis rerum. Non dolor vitae qui facilis dignissimos aut voluptate odit et ullam consequuntur. Et laudantium perspiciatis sit nisi temporibus a temporibus itaque ut iure dolor a voluptatum mollitia eos officia nobis et quibusdam voluptas. Amet eligendi eos nulla corporis et blanditiis nihil vel eveniet veritatis et sunt perferendis id molestiae eius! Quo harum quod aut nemo autem ut adipisci sint sed quia sunt. Aut voluptas error ut quae perferendis eos adipisci internos. Nam rerum fugiat aut minima nostrum quo repellendus quas exercitationem tenetur. Et molestiae architecto id quibusdam reprehenderit et magnam aliquam! Quo tempora veritatis At dolorem sint ex nulla blanditiis At voluptas laudantium est molestiae exercitationem et sequi voluptates aut ipsa atque. Et animi ipsum aut atque recusandae ea nemo ullam non quisquam quos sit libero sint vel libero delectus. Eos labore quidem a velit obcaecati nam explicabo consequatur eos maxime blanditiis? Et ipsam molestiae non quia explicabo ex galisum repudiandae et tempora veniam. Sed optio repellendus ut consequatur temporibus et harum quas hic ipsa officia? Aut dolores ipsum sit nulla dignissimos id quia perferendis aut dolores dolor et quibusdam porro aut Quis consequatur.
-
-.
-QUIT

test/files/emails/sieve/pipe.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: user2@otherdomain.tld
-DATA
 From: Sieve-pipe-test <sieve.pipe@external.tld>
 To: Existing Local User <user2@otherdomain.tld>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Sieve pipe test message
 This is a test mail to sieve pipe.
-
-.
-QUIT

test/files/emails/sieve/spam-folder.txt

@@ -1,12 +1,5 @@
-HELO mail.external.tld
-MAIL FROM: user@external.tld
-RCPT TO: user1@localhost.localdomain
-DATA
 From: Spambot <spam@spam.com>
 To: Existing Local User <alias2@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message sieve-spam-folder.txt
 This is a test mail.
-
-.
-QUIT