From eec9d1201f91619b83e6b5d6b6cda80fe0f7a971 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Fri, 21 Apr 2023 14:42:25 +0200
Subject: [PATCH 1/5] Fix logs in the SMTP container
---
 core/postfix/Dockerfile | 2 +-
 core/postfix/conf/main.cf | 1 +
 core/postfix/conf/master.cf | 1 +
 core/postfix/start.py | 1 -
 towncrier/newsfragments/2793.bugfix | 1 +
 5 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 towncrier/newsfragments/2793.bugfix
diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index f9a5ac24..578294df 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -15,7 +15,7 @@ COPY start.py /
 RUN echo $VERSION >/version
 #EXPOSE 25/tcp 10025/tcp
-HEALTHCHECK --start-period=350s CMD /usr/sbin/postfix status
+HEALTHCHECK --start-period=30s CMD ! /usr/libexec/postfix/master -t
 VOLUME ["/queue"]
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 2e038f61..3e63dd91 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -6,6 +6,7 @@ mydomain = {{ DOMAIN }}
 myhostname = {{ HOSTNAMES.split(",")[0] }}
 myorigin = $mydomain
+maillog_file = /dev/stdout
 # Queue location
 queue_directory = /queue
diff --git a/core/postfix/conf/master.cf b/core/postfix/conf/master.cf
index 569ea718..f88a19b3 100644
--- a/core/postfix/conf/master.cf
+++ b/core/postfix/conf/master.cf
@@ -52,6 +52,7 @@ discard unix - - n - - discard
 lmtp unix - - n - - lmtp
 anvil unix - - n - 1 anvil
 scache unix - - n - 1 scache
+postlog unix-dgram n - n - 1 postlogd
 {# Ensure that the rendered file ends with a newline #}
 {{- "\n" }}
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 149e4dae..56adba4f 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
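Review bot: The `+HEALTHCHECK` line reads as if it expects `master -t` to fail, which is the opposite of its documented meaning (`-t` exits zero when the master.pid lock is absent or unlocked, so the `!` makes the probe pass only while the lock is held); that is correct but non-obvious and will be re-read as a bug, so the rationale belongs next to it: `# master -t exits 0 when the master lock is NOT held, hence the negation; liveness only`. Like the `postfix status` it replaces, it says nothing about whether an SMTP listener is actually answering, so readiness still has to come from outside the container. The start-period also drops from 350s to 30s; the lock is presumably taken early in master's startup so this is likely safe, but it is worth confirming on the slowest supported deployment rather than assuming.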
@@ -11,7 +11,6 @@ from podop import run_server
 from socrate import system, conf
 system.set_env(log_filters=[
- r'the Postfix mail system is running\: \d+$',
 r'(dis)?connect from localhost\[(\:\:1|127\.0\.0\.1)\]( quit=1 commands=1)?$',
 r'haproxy read\: short protocol header\: QUIT$',
 r'discarding EHLO keywords\: PIPELINING$',
diff --git a/towncrier/newsfragments/2793.bugfix b/towncrier/newsfragments/2793.bugfix
new file mode 100644
index 00000000..d57c9bb9
--- /dev/null
+++ b/towncrier/newsfragments/2793.bugfix
@@ -0,0 +1 @@
+The SMTP container wasn't logging things like it should
From 36fcb9b830f8fae3e7ccbc48da4cd33cb581ed15 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Fri, 21 Apr 2023 17:27:59 +0200
Subject: [PATCH 2/5] dovecot is creating zombies
---
 core/dovecot/Dockerfile | 2 +-
 core/dovecot/conf/dovecot.conf | 7 -------
 core/dovecot/start.py | 2 +-
 towncrier/newsfragments/2793.bugfix | 1 +
 4 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/core/dovecot/Dockerfile b/core/dovecot/Dockerfile
index d2260c98..97aa26ce 100644
--- a/core/dovecot/Dockerfile
+++ b/core/dovecot/Dockerfile
@@ -16,7 +16,7 @@ COPY start.py /
 RUN echo $VERSION >/version
 EXPOSE 110/tcp 143/tcp 993/tcp 4190/tcp 2525/tcp
-HEALTHCHECK CMD echo PING|nc -w2 localhost 5001|grep "PONG"
+HEALTHCHECK CMD kill -0 `cat /run/dovecot/master.pid`
 VOLUME ["/mail"]
diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf
index ebcd97aa..11138694 100644
--- a/core/dovecot/conf/dovecot.conf
+++ b/core/dovecot/conf/dovecot.conf
@@ -95,13 +95,6 @@ service auth-worker {
 }
 }
-service health-check {
- executable = script -p health-check.sh
- inet_listener health-check {
- port = 5001
- }
-}
-
 ###############
 # IMAP & POP
 ###############
diff --git a/core/dovecot/start.py b/core/dovecot/start.py
index afc0d6f6..a8ac474c 100755
--- a/core/dovecot/start.py
+++ b/core/dovecot/start.py
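Review bot: `kill -0 \`cat /run/dovecot/master.pid\`` on the `+HEALTHCHECK` line only proves that some process with the recorded pid exists, which is weaker than the TCP round-trip it replaces: a master that is alive but no longer accepting connections still reports healthy, and a stale pid file whose pid has been reused would too (unlikely inside a container, but worth stating). The unhealthy path is fine, since a missing pid file makes `cat` print nothing and `kill -0` fails on the missing operand. The trade-off should be recorded on the line so nobody "fixes" it back to a listener probe without knowing why it was removed: `# liveness only (master process exists); the old port-5001 script listener left zombies behind`. `$(cat ...)` rather than backticks is the portable modern spelling and reads better inside the shell-form CMD.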
@@ -9,7 +9,7 @@ import sys
 from podop import run_server
 from socrate import system, conf
-system.set_env(log_filters=r'waitpid\(\) returned unknown PID \d+$')
+system.set_env()
 def start_podop():
 system.drop_privs_to('mail')
diff --git a/towncrier/newsfragments/2793.bugfix b/towncrier/newsfragments/2793.bugfix
index d57c9bb9..591e33e8 100644
--- a/towncrier/newsfragments/2793.bugfix
+++ b/towncrier/newsfragments/2793.bugfix
@@ -1 +1,2 @@
 The SMTP container wasn't logging things like it should
+The health-check of dovecot was creating zombies
From e71c653c8ccb40bfe08100c226eb95ccc34979b3 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 22 Apr 2023 08:24:36 +0200
Subject: [PATCH 3/5] fix #2139
---
 docs/configuration.rst | 2 ++
 setup/flavors/compose/mailu.env | 2 +-
 towncrier/newsfragments/2793.bugfix | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 2e9f8ef5..1fb0fbb4 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -241,6 +241,8 @@ but slows down the performance of modern devices.
 The ``TLS_PERMISSIVE`` (default: true) setting controls whether ciphers and protocols offered on port 25 for STARTTLS are optimized for maximum compatibility. We **strongly recommend** that you do **not** change this setting on the basis that any encryption beats no encryption. If you are subject to compliance requirements and are not afraid of losing emails as a result of artificially reducing compatibility, set it to 'false'. Keep in mind that servers that are running a software stack old enough to not be compatible with the current TLS requirements will either a) deliver in plaintext b) bounce emails c) silently drop emails; moreover, modern servers will benefit from various downgrade protections (DOWNGRD, RFC7507) making the security argument mostly a moot point.
+The ``COMPRESSION`` (default: unset) setting controls whether emails are stored compressed at rest on disk. Valid values are ``gz``, ``bz2`` or ``zstd``. If the underlying filesystem supports compression natively you should use it instead of this setting as it will be more efficient and will improve compatibility with 3rd party tools.
+
 .. _reverse_proxy_headers:
 The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 090f4d3a..eae69104 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -105,7 +105,7 @@ WELCOME_SUBJECT={{ welcome_subject or 'Welcome to your new email account' }}
 WELCOME_BODY={{ welcome_body or 'Welcome to your new email account, if you can read this, then it is configured properly!' }}
 # Maildir Compression
-# choose compression-method, default: none (value: gz, bz2)
+# choose compression-method, default: none (value: gz, bz2, zstd)
 COMPRESSION={{ compression }}
 # change compression-level, default: 6 (value: 1-9)
 COMPRESSION_LEVEL={{ compression_level }}
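Review bot: The context line two below the changed comment, `# change compression-level, default: 6 (value: 1-9)`, still documents the level range for gz/bz2 only; now that `zstd` is listed as a method, the accepted `COMPRESSION_LEVEL` range depends on the method chosen, which patch 4 of this series acknowledges by pointing readers at dovecot's `zlib_save_level` documentation. The generated mailu.env is what most operators actually read, so the same hunk should update it, e.g. `# change compression-level, default: 6 (value: 1-9 for gz/bz2; see dovecot's zlib_save_level for zstd)`. Nothing here validates the value, so a level outside the method's range is only caught by dovecot at runtime, if at all.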
diff --git a/towncrier/newsfragments/2793.bugfix b/towncrier/newsfragments/2793.bugfix
index 591e33e8..12727762 100644
--- a/towncrier/newsfragments/2793.bugfix
+++ b/towncrier/newsfragments/2793.bugfix
@@ -1,2 +1,3 @@
 The SMTP container wasn't logging things like it should
 The health-check of dovecot was creating zombies
+Document that COMPRESSION=zstd is now possible (see #2139)
From 68e60c05ae51d928cb5c5d876a5f4d2125b6e032 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 22 Apr 2023 10:36:03 +0200
Subject: [PATCH 4/5] COMPRESSION_LEVEL too
---
 docs/configuration.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 1fb0fbb4..394e27f7 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -241,7 +241,9 @@ but slows down the performance of modern devices.
 The ``TLS_PERMISSIVE`` (default: true) setting controls whether ciphers and protocols offered on port 25 for STARTTLS are optimized for maximum compatibility. We **strongly recommend** that you do **not** change this setting on the basis that any encryption beats no encryption. If you are subject to compliance requirements and are not afraid of losing emails as a result of artificially reducing compatibility, set it to 'false'. Keep in mind that servers that are running a software stack old enough to not be compatible with the current TLS requirements will either a) deliver in plaintext b) bounce emails c) silently drop emails; moreover, modern servers will benefit from various downgrade protections (DOWNGRD, RFC7507) making the security argument mostly a moot point.
-The ``COMPRESSION`` (default: unset) setting controls whether emails are stored compressed at rest on disk. Valid values are ``gz``, ``bz2`` or ``zstd``. If the underlying filesystem supports compression natively you should use it instead of this setting as it will be more efficient and will improve compatibility with 3rd party tools.
+The ``COMPRESSION`` (default: unset) setting controls whether emails are stored compressed at rest on disk. Valid values are ``gz``, ``bz2`` or ``zstd`` and additional settings can be configured via ``COMPRESSION_LEVEL``, see `zlib_save_level`_ for accepted values. If the underlying filesystem supports compression natively you should use it instead of this setting as it will be more efficient and will improve compatibility with 3rd party tools.
+
+.. _`zlib_save_level`: https://doc.dovecot.org/settings/plugin/zlib-plugin/#plugin_setting-zlib-zlib_save_level
 .. _reverse_proxy_headers:
From 7e46e1491eede46cc04dd74d61973f829fabb10b Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 22 Apr 2023 10:37:44 +0200
Subject: [PATCH 5/5] as requested in review
---
 core/dovecot/start.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/dovecot/start.py b/core/dovecot/start.py
index a8ac474c..2a5de1ec 100755
--- a/core/dovecot/start.py
+++ b/core/dovecot/start.py
@@ -9,7 +9,7 @@ import sys
 from podop import run_server
 from socrate import system, conf
-system.set_env()
+system.set_env(log_filters=r'Error\: SSL context initialization failed, disabling SSL\: Can\'t load SSL certificate \(ssl_cert setting\)\: The certificate is empty$')
 def start_podop():
 system.drop_privs_to('mail')
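Review bot: The regex on the `+system.set_env(...)` line silences `Error: SSL context initialization failed, disabling SSL: ... The certificate is empty`, which is precisely the message an operator needs when TLS stays off because the certificate was never provisioned; once filtered it is gone for the container's whole lifetime, not just during the startup window the review presumably had in mind. If the intent is only to hide the race before the certificate is written, say so next to the filter and make sure a permanently empty certificate is still visible somewhere, e.g. `# startup race: ssl_cert may be empty until the certificate is provisioned -- TODO confirm a cert that never appears is still surfaced`. Minor: core/postfix/start.py (patch 1) passes `log_filters` as a list while this hunk passes a bare string; the string form was already in use before patch 2 so it evidently works, but `log_filters=[r'...']` would keep the two containers consistent.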