
chore(deps): update ghcr.io/docker-mailserver/docker-mailserver docker tag to v13.2.0 #778


renovate[bot]

@renovate renovate bot commented Jan 4, 2024

Mend Renovate

This PR contains the following updates:

Package: ghcr.io/docker-mailserver/docker-mailserver (source)
Update: minor
Change: 13.1.0 -> 13.2.0

Release Notes

docker-mailserver/docker-mailserver (ghcr.io/docker-mailserver/docker-mailserver)

v13.2.0

Compare Source

Security

DMS is now secured against the recently published spoofing attack "SMTP Smuggling" that affected Postfix (#3727):

  • Postfix upgraded from 3.5.18 to 3.5.23 which provides the long-term fix with smtpd_forbid_bare_newline = yes
  • If you are unable to upgrade to this release of DMS, you may follow these instructions for applying the short-term workaround.
  • This change should not cause compatibility concerns for legitimate mail clients, however if you use software like netcat to send mail to DMS (like our test-suite previously did) it may now be rejected (especially with the short-term workaround smtpd_data_restrictions = reject_unauth_pipelining).
  • NOTE: This Postfix update also includes the new parameter smtpd_forbid_bare_newline_exclusions which defaults to $mynetworks for excluding trusted mail clients from the restriction.
    • With our default PERMIT_DOCKER=none this is not a concern.
    • Presently the Docker daemon config has userland-proxy: true enabled by default.
      • On a host that can be reached by IPv6, this will route to a DMS IPv4 only container implicitly through the Docker network bridge gateway which rewrites the source address.
      • If your PERMIT_DOCKER setting allows that gateway IP, then it is part of $mynetworks and this attack would not be prevented from such connections.
      • If this affects your deployment, refer to our IPv6 docs for advice on handling IPv6 correctly in Docker. Alternatively use our postfix-main.cf to set smtpd_forbid_bare_newline_exclusions= as empty.
Updates
  • The test suite now uses swaks instead of nc, which has multiple benefits (#3732):
    • swaks handles pipelining correctly, hence we can now use reject_unauth_pipelining in Postfix's configuration.
    • swaks provides better CLI options that make many files superfluous.
    • swaks can also replace openssl s_client and handles authentication on submission ports better.
  • Postfix:
    • We now defer rejection from unauthorized pipelining until the SMTP DATA command via smtpd_data_restrictions (i.e. at the end of the mail transfer transaction) (#3744)
      • Previously our configuration only handled this during the client and recipient restriction stages. Postfix will flag this activity when encountered, but the rejection now is handled at DATA where unauthorized pipelining would have been valid from this point.
      • If you had the Amavis service enabled (default), this restriction was already in place. Otherwise the concerns expressed with smtpd_data_restrictions = reject_unauth_pipelining from the security section above apply. We have permitted trusted clients ($mynetworks or authenticated) to bypass this restriction.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
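The release notes above name three Postfix settings that together form the DMS v13.2.0 hardening: smtpd_forbid_bare_newline = yes, an optionally empty smtpd_forbid_bare_newline_exclusions, and smtpd_data_restrictions with reject_unauth_pipelining placed after the permits for trusted clients. The script below audits a main.cf for exactly those settings. It is an added example for this PR page, not code from docker-mailserver or Renovate; both main.cf snippets are constructed samples, the check names are hypothetical, and the only Postfix behaviour it assumes is the parameter defaults stated in the notes (exclusions default to $mynetworks when unset).

```python
"""Audit a Postfix main.cf for the SMTP-smuggling hardening listed in the
DMS v13.2.0 release notes.  Hypothetical audit helper, not part of DMS."""
import re

# Constructed sample: a main.cf laid out the way the release notes describe
# the long-term fix, with the exclusions deliberately emptied.
HARDENED_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions =
smtpd_data_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining
"""

# Constructed sample: an older config carrying only the short-term workaround.
WORKAROUND_MAIN_CF = """\
mynetworks = 127.0.0.0/8 172.16.0.0/12
smtpd_data_restrictions = reject_unauth_pipelining
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'key = value' lines, with indented continuation lines
    appended to the previous parameter and '#' comment lines ignored."""
    params = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        key = name.strip()
        params[key] = value.strip()
    return params


def audit_smuggling_hardening(text):
    """Return {check_name: bool} for the mitigations named in the release notes."""
    params = parse_main_cf(text)
    data = [t for t in re.split(r"[,\s]+", params.get("smtpd_data_restrictions", "")) if t]
    # Postfix defaults the exclusions to $mynetworks when the parameter is absent.
    exclusions = params.get("smtpd_forbid_bare_newline_exclusions", "$mynetworks")
    rejects_pipelining = "reject_unauth_pipelining" in data
    permits_before_reject = rejects_pipelining and any(
        t in ("permit_mynetworks", "permit_sasl_authenticated")
        for t in data[: data.index("reject_unauth_pipelining")]
    )
    return {
        "bare_newline_forbidden": params.get("smtpd_forbid_bare_newline", "no") == "yes",
        "exclusions_empty": exclusions == "",
        "unauth_pipelining_rejected_at_data": rejects_pipelining,
        "trusted_clients_permitted_first": permits_before_reject,
    }


def report(label, text):
    """Print one line per check so the audit can be read at a glance."""
    for name, ok in audit_smuggling_hardening(text).items():
        print(f"{label:<10} {'PASS' if ok else 'FAIL'}  {name}")


if __name__ == "__main__":
    report("hardened", HARDENED_MAIN_CF)
    report("workaround", WORKAROUND_MAIN_CF)
```

Run it against a real main.cf by reading the file into `audit_smuggling_hardening`; a FAIL on `exclusions_empty` is expected whenever you keep the Postfix default and is only a concern in the Docker gateway situation the notes describe, where the bridge gateway address falls inside $mynetworks.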


f2c-ci-robot bot commented Jan 4, 2024

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


f2c-ci-robot bot commented Jan 4, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wanghe-fit2cloud wanghe-fit2cloud merged commit 5a24e6d into dev Jan 8, 2024
1 check was pending
@wanghe-fit2cloud wanghe-fit2cloud deleted the renovate/ghcr.io-docker-mailserver-docker-mailserver-13.x branch January 8, 2024 02:35
moonrailgun pushed a commit to moonrailgun/appstore that referenced this pull request Mar 19, 2024
…-slash-0.x

chore(deps): update yourselfhosted/slash docker tag to v0.5.2