Security release.
If you're using Mailserver on a host that has a routable IPv6 address you should update.
If you're still using Mailserver v1.1.x and don't want to upgrade to the new separate systemd services for monitoring, please consider cherry-picking e3ae638 to your start_mailserver.sh.
This release works around an oddity with docker-proxy's IPv6 to IPv4 routing on ports exported with -p / --publish. Published ports accept connections from both IPv4 and IPv6 remotes on the host by default. IPv4 connections will be routed into the container with their original remote source address. However, IPv6 connections will be converted into IPv4 and will have the docker host IP as source address. The connection will look like it is originating from within the mailserver container's private network.
In other words, all external hosts connecting via IPv6 will be treated like local connections.
Since local networks have a different (often elevated) trust relationship with the mailserver, this potentially has security implications, depending on the respective local set-up.
The release works around this by explicitly publishing all ports on 0.0.0.0, thus forcing IPv4.
Release version information
- alpine: 3.20.0
- postfix: postfix-3.9.0-r1
- certbot: certbot-2.10.0-r1
- opendkim: opendkim-2.11.0-r3
- opendmarc: opendmarc-1.4.2-r1
- caddy: caddy-2.7.6-r5
- dovecot: dovecot-2.3.21-r17
- fail2ban: fail2ban-1.1.0-r0
- supervisor: supervisor-4.2.5-r5
- Postfix prometheus exporter: 0.3.0
- Fail2Ban prometheus exporter: 0.10.1