chore(deps): update ghcr.io/docker-mailserver/docker-mailserver docker tag to v13.2.0 #778
This PR contains the following updates:
13.1.0 -> 13.2.0
Release Notes
docker-mailserver/docker-mailserver (ghcr.io/docker-mailserver/docker-mailserver)
v13.2.0
Compare Source
Security
DMS is now secured against the recently published spoofing attack "SMTP Smuggling" that affected Postfix (#3727):
- `3.5.18` to `3.5.23` which provides the long-term fix with `smtpd_forbid_bare_newline = yes`
- `netcat` to send mail to DMS (like our test-suite previously did) it may now be rejected (especially with the short-term workaround `smtpd_data_restrictions = reject_unauth_pipelining`).
- `smtpd_forbid_bare_newline_exclusions` which defaults to `$mynetworks` for excluding trusted mail clients excluded from the restriction.
- `PERMIT_DOCKER=none` this is not a concern.
- `user-proxy: true` enabled by default.
- `PERMIT_DOCKER` setting allows that gateway IP, then it is part of `$mynetworks` and this attack would not be prevented from such connections.
- `postfix-main.cf` to set `smtpd_forbid_bare_newline_exclusions=` as empty.
Updates
- `swaks` instead of `nc`, which has multiple benefits (#3732):
  - `swaks` handles pipelining correctly, hence we can now use `reject_unauth_pipelining` in Postfix's configuration.
  - `swaks` provides better CLI options that make many files superfluous.
  - `swaks` can also replace `openssl s_client` and handles authentication on submission ports better.
- `DATA` command via `smtpd_data_restrictions` (i.e. at the end of the mail transfer transaction) (#3744)
- `DATA` where unauthorized pipelining would have been valid from this point.
- `smtpd_data_restrictions = reject_unauth_pipelining` from the security section above apply. We have permitted trusted clients (`$mynetworks` or authenticated) to bypass this restriction.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
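A post-upgrade check for the three Postfix settings named in the Security notes above, as an added example that is not part of the PR or of docker-mailserver's own code. It audits `main.cf`-style text (for instance the output of `postconf -n`); the function names `parse_main_cf` and `audit` are hypothetical and both sample configurations are constructed.

```python
import re

# Values that turn the bare-newline check on. The release notes name "yes";
# later Postfix releases also accept "normalize" and "reject".
ENABLED = {"yes", "normalize", "reject"}

def parse_main_cf(text):
    """Parse main.cf text into {name: value}; the last assignment wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank and comment lines are ignored
        if raw[0].isspace() and name:     # leading whitespace continues a value
            params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            name = key.strip()
            params[name] = value.strip()
    return params

def audit(text):
    """Return {parameter: finding} for the settings named in the release notes."""
    p, findings = parse_main_cf(text), {}
    if p.get("smtpd_forbid_bare_newline", "").lower() not in ENABLED:
        findings["smtpd_forbid_bare_newline"] = "long-term fix is not enabled"
    excl = p.get("smtpd_forbid_bare_newline_exclusions")
    if excl is None:
        findings["smtpd_forbid_bare_newline_exclusions"] = (
            "unset, so it defaults to $mynetworks and those clients bypass the check")
    elif excl:
        findings["smtpd_forbid_bare_newline_exclusions"] = "exempts: " + excl
    data = re.split(r"[,\s]+", p.get("smtpd_data_restrictions", ""))
    if "reject_unauth_pipelining" not in data:
        findings["smtpd_data_restrictions"] = "reject_unauth_pipelining is missing"
    return findings

# Constructed samples, not taken from docker-mailserver.
BEFORE = """\
# constructed sample
smtpd_data_restrictions = permit_mynetworks,
    reject_unauth_pipelining
smtpd_forbid_bare_newline = no
"""
AFTER = BEFORE.replace("= no", "= yes") + "smtpd_forbid_bare_newline_exclusions =\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg))
```

An empty result means all three settings match what the release notes describe; whether a non-empty exclusion list is acceptable depends on which addresses `PERMIT_DOCKER` places in `$mynetworks`.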