mailcow
diff --git a/‎.github/workflows/update_postscreen_access_list.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/update_postscreen_access_list.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎data/Dockerfiles/acme/acme.sh‎
Lines changed: 19 additions & 0 deletions b/‎data/Dockerfiles/acme/acme.sh‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎data/Dockerfiles/dovecot/Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎data/Dockerfiles/dovecot/Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎data/Dockerfiles/phpfpm/Dockerfile‎
Lines changed: 4 additions & 4 deletions b/‎data/Dockerfiles/phpfpm/Dockerfile‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎data/Dockerfiles/postfix/postfix.sh‎
Lines changed: 3 additions & 0 deletions b/‎data/Dockerfiles/postfix/postfix.sh‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎data/Dockerfiles/rspamd/Dockerfile‎
Lines changed: 3 additions & 3 deletions b/‎data/Dockerfiles/rspamd/Dockerfile‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎data/Dockerfiles/sogo/Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎data/Dockerfiles/sogo/Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎data/conf/dovecot/auth/mailcowauth.php‎
Lines changed: 11 additions & 4 deletions b/‎data/conf/dovecot/auth/mailcowauth.php‎
Lines changed: 11 additions & 4 deletions
@@ -22,7 +22,7 @@ jobs:
           bash helper-scripts/update_postscreen_whitelist.sh
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v7
+      uses: peter-evans/create-pull-request@v8
       with:
         token: ${{ secrets.mailcow_action_Update_postscreen_access_cidr_pat }}
         commit-message: update postscreen_access.cidr
 
@@ -246,6 +246,25 @@ while true; do
     done
     VALIDATED_CONFIG_DOMAINS+=("${VALIDATED_CONFIG_DOMAINS_SUBDOMAINS[*]}")
   done
+
+  # Fetch alias domains where target domain has MTA-STS enabled
+  if [[ ${AUTODISCOVER_SAN} == "y" ]]; then
+    SQL_ALIAS_DOMAINS=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT ad.alias_domain FROM alias_domain ad INNER JOIN mta_sts m ON ad.target_domain = m.domain WHERE ad.active = 1 AND m.active = 1" -Bs)
+    if [[ $? -eq 0 ]]; then
+      while read alias_domain; do
+        if [[ -z "${alias_domain}" ]]; then
+          # ignore empty lines
+          continue
+        fi
+        # Only add mta-sts subdomain for alias domains
+        if [[ "mta-sts.${alias_domain}" != "${MAILCOW_HOSTNAME}" ]]; then
+          if check_domain "mta-sts.${alias_domain}"; then
+            VALIDATED_CONFIG_DOMAINS+=("mta-sts.${alias_domain}")
+          fi
+        fi
+      done <<< "${SQL_ALIAS_DOMAINS}"
+    fi
+  fi
   fi
 
   if check_domain ${MAILCOW_HOSTNAME}; then
 
@@ -3,7 +3,7 @@ FROM alpine:3.21
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
-ARG GOSU_VERSION=1.17
+ARG GOSU_VERSION=1.19
 
 ENV LANG=C.UTF-8
 ENV LC_ALL=C.UTF-8
 
@@ -3,15 +3,15 @@ FROM php:8.2-fpm-alpine3.21
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 # renovate: datasource=github-tags depName=krakjoe/apcu versioning=semver-coerced extractVersion=^v(?<version>.*)$
-ARG APCU_PECL_VERSION=5.1.27
+ARG APCU_PECL_VERSION=5.1.28
 # renovate: datasource=github-tags depName=Imagick/imagick versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG IMAGICK_PECL_VERSION=3.8.0
+ARG IMAGICK_PECL_VERSION=3.8.1
 # renovate: datasource=github-tags depName=php/pecl-mail-mailparse versioning=semver-coerced extractVersion=^v(?<version>.*)$
 ARG MAILPARSE_PECL_VERSION=3.1.9
 # renovate: datasource=github-tags depName=php-memcached-dev/php-memcached versioning=semver-coerced extractVersion=^v(?<version>.*)$
-ARG MEMCACHED_PECL_VERSION=3.3.0
+ARG MEMCACHED_PECL_VERSION=3.4.0
 # renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG REDIS_PECL_VERSION=6.2.0
+ARG REDIS_PECL_VERSION=6.3.0
 # renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced extractVersion=(?<version>.*)$
 ARG COMPOSER_VERSION=2.8.6
 
 
@@ -329,14 +329,17 @@ query = SELECT goto FROM alias
           SELECT id FROM alias
             WHERE address='%s'
             AND (active='1' OR active='2')
+            AND sender_allowed='1'
         ), (
           SELECT id FROM alias
             WHERE address='@%d'
             AND (active='1' OR active='2')
+            AND sender_allowed='1'
         )
       )
     )
     AND active='1'
+    AND sender_allowed='1'
     AND (domain IN
       (SELECT domain FROM domain
         WHERE domain='%d'
 
@@ -1,9 +1,9 @@
-FROM debian:bookworm-slim
+FROM debian:trixie-slim
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG RSPAMD_VER=rspamd_3.13.2-1~8bf602278
-ARG CODENAME=bookworm
+ARG RSPAMD_VER=rspamd_3.14.2-82~90302bc
+ARG CODENAME=trixie
 ENV LC_ALL=C
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
 
@@ -6,7 +6,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 ARG DEBIAN_VERSION=bookworm
 ARG SOGO_DEBIAN_REPOSITORY=https://packagingv2.sogo.nu/sogo-nightly-debian/
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
-ARG GOSU_VERSION=1.17
+ARG GOSU_VERSION=1.19
 ENV LC_ALL=C
 
 # Prerequisites
 
@@ -80,14 +80,21 @@
 }
 if ($result === false){
   // If it's a SOGo Request, don't check for protocol access
-  $service = ($isSOGoRequest) ? false : array($post['service'] => true);
-  $result = apppass_login($post['username'], $post['password'], $service, array(
+  if ($isSOGoRequest) {
+    $service = 'SOGO';
+    $post['service'] = 'NONE';
+  } else {
+    $service = $post['service'];
+  }
+
+  $result = apppass_login($post['username'], $post['password'], array(
+    'service' => $post['service'],
     'is_internal' => true,
     'remote_addr' => $post['real_rip']
   ));
   if ($result) {
-    error_log('MAILCOWAUTH: App auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
-    set_sasl_log($post['username'], $post['real_rip'], $post['service']);
+    error_log('MAILCOWAUTH: App auth for user ' . $post['username'] . " with service " . $service . " from IP " . $post['real_rip']);
+    set_sasl_log($post['username'], $post['real_rip'], $service);
   }
 }
 if ($result === false){
Original file line number	Diff line number	Diff line change
`@@ -329,14 +329,17 @@ query = SELECT goto FROM alias`
`329`	`329`	`SELECT id FROM alias`
`330`	`330`	`WHERE address='%s'`
`331`	`331`	`AND (active='1' OR active='2')`
	`332`	`+ AND sender_allowed='1'`
`332`	`333`	`), (`
`333`	`334`	`SELECT id FROM alias`
`334`	`335`	`WHERE address='@%d'`
`335`	`336`	`AND (active='1' OR active='2')`
	`337`	`+ AND sender_allowed='1'`
`336`	`338`	`)`
`337`	`339`	`)`
`338`	`340`	`)`
`339`	`341`	`AND active='1'`
	`342`	`+ AND sender_allowed='1'`
`340`	`343`	`AND (domain IN`
`341`	`344`	`(SELECT domain FROM domain`
`342`	`345`	`WHERE domain='%d'`