Refresh: dovecot 2.4.2 ,apline 3.23.2, f2b-exp 0.10.3, prips 1.2.2

This commit updates dovecot to 2.4.2, refreshes the mailserver container
to the latest Alpine release and includes minor version bumps for
fail2ban-exporter and prips.

BREAKING CHANGE: Dovecot 2.4 significantly changed its configuration
format and requires manual porting. See
https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html
for a list of changes.

The commit updates dovecot/.. config snippets accordingly. To update:

0. Stop the mailserver: `systemctl stop mailserver`
1. Back up `_server_workspace_/etc/dovecot`.
2. Update VERSION to use mailserver v1.4.0
3. CAREFULLY Replace your mailserver's
    `_server_workspace_/etc/dovecot/...`
  with the release's
    `dovecot/...`
  0. If you did not modify any of the files, it's safe to delete
     `_server_workspace_/etc/dovecot/...`
     and just copy the release's `dovecot/...` to
     `_server_workspace_/etc/dovecot/...`.
  1. If you made modifications in files shipped with mailserver, you
     will need to port these to the new syntax.
  2. If you made modifications in default config files shipped with
     Alpine (and included in the mailserver container) you will need to
     port these, too.
4. Start the mailserver: `systemctl start mailserver` (and also any
   optional contrib or monitoring services as required).

Signed-off-by: Thilo Fromm <thilo.alexander@gmail.com>

Author: t-lo

Dockerfile

@@ -1,9 +1,9 @@
 # First, build the metrics exporter and the "prips" (print ip ranges) tool.
-ARG alpine_version=3.21.0
+ARG alpine_version=3.23.2
 FROM alpine:$alpine_version AS builder
 ARG postfix_exporter_version=0.3.0
-ARG fail2ban_exporter_version=0.10.2
-ARG prips_version=1.2.0
+ARG fail2ban_exporter_version=0.10.3
+ARG prips_version=1.2.2
 
 RUN apk update \
     && apk add go gcc make musl-dev

dovecot/conf.d/10-auth.conf

@@ -2,7 +2,7 @@
 ## Authentication processes
 ##
 
-disable_plaintext_auth = yes
+auth_allow_cleartext = no
 
 #auth_cache_size = 0
 #auth_cache_ttl = 1 hour
@@ -23,7 +23,7 @@ disable_plaintext_auth = yes
 # the standard variables here, eg. %Lu would lowercase the username, %n would
 # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
 # "-AT-". This translation is done after auth_username_translation changes.
-auth_username_format = %Lu
+auth_username_format = %{user}
 
 #auth_master_user_separator =
 

dovecot/conf.d/10-logging.conf

@@ -20,21 +20,12 @@ syslog_facility = mail
 # Log unsuccessful authentication attempts and the reasons why they failed.
 auth_verbose = yes
 
-#auth_verbose_passwords = no
-#auth_debug = no
-#auth_debug_passwords = no
+#auth_verbose_passwords = yes
+#auth_debug = yes
+#auth_debug_passwords = yes
 #mail_debug = no
 #verbose_ssl = no
 
-# mail_log plugin provides more event logging for mail processes.
-plugin {
-  # Events to log. Also available: flag_change append
-  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
-  # Available fields: uid, box, msgid, from, subject, size, vsize, flags
-  # size and vsize are available only for expunge and copy events.
-  #mail_log_fields = uid box msgid size
-}
-
 ## Log formatting.
 
 #log_timestamp = "%b %d %H:%M:%S "

dovecot/conf.d/10-mail.conf

@@ -15,7 +15,8 @@
 #   mail_location = mbox:~/mail:INBOX=/var/mail/%u
 #   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
 #
-mail_location = maildir:/host/mail/inboxes/%d/%u/Maildir
+mail_driver = maildir
+mail_path = ~/Maildir
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.

dovecot/conf.d/10-metrics.conf

@@ -16,42 +16,66 @@
 
 metric auth_success {
   filter = event=auth_request_finished AND success=yes
-  group_by = user
+  group_by user {
+  }
 }
 #
 metric auth_failures {
   filter = event=auth_request_finished AND NOT success=yes
-  group_by = user
+  group_by user {
+  }
 }
 #
 metric imap_command {
   filter = event=imap_command_finished
-  group_by = user cmd_name tagged_reply_state
+  group_by user {
+  }
+  group_by cmd_name {
+  }
+  group_by tagged_reply_state {
+  }
 }
 #
 metric smtp_command {
   filter = event=smtp_server_command_finished
-  group_by = user cmd_name status_code
+  group_by user {
+  }
+  group_by cmd_name {
+  }
+  group_by status_code {
+  }
 }
 #
 metric mail_delivery {
   filter = event=mail_delivery_finished
-  group_by = user
+  group_by user {
+  }
 }
 
 metric sieve_action {
   filter = event=sieve_action_finished
-  group_by = user action_name
+  group_by user {
+  }
+  group_by action_name {
+  }
 }
 
 metric sieve_success {
   filter = event=sieve_runtime_script_finished AND error = ""
-  group_by = user script_name
+  group_by user {
+  }
+  group_by script_name {
+  }
 }
 
 metric sieve_error {
   filter = event=sieve_runtime_script_finished AND NOT error = ""
-  group_by = user script_name error
+  group_by user {
+  }
+  group_by script_name {
+  }
+  group_by error {
+  }
 }
 
 ##

dovecot/conf.d/10-ssl.conf.tmpl

@@ -4,34 +4,9 @@
 
 ssl = required
 
-ssl_cert = </etc/letsencrypt/live/${HOSTNAME}/fullchain.pem
-ssl_key = </etc/letsencrypt/live/${HOSTNAME}/privkey.pem
+ssl_server_cert_file= /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem
+ssl_server_key_file = /etc/letsencrypt/live/${HOSTNAME}/privkey.pem
 
-#ssl_key_password =
-#ssl_ca = 
-#ssl_require_crl = yes
+ssl_server_dh_file = /etc/dovecot/dh.pem
 
-#ssl_client_ca_dir =
-#ssl_client_ca_file =
-#ssl_client_require_valid_cert = yes
-#ssl_verify_client_cert = no
-
-#ssl_cert_username_field = commonName
-
-#ssl_dh = </etc/dovecot/dh.pem
-
-#ssl_min_protocol = TLSv1.2
-
-#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
-# To disable non-EC DH, use:
-#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
-
-#ssl_curve_list =
-
-ssl_prefer_server_ciphers = yes
-
-#ssl_crypto_device =
-
-#   compression - Enable compression.
-#   no_ticket - Disable SSL session tickets.
-#ssl_options =
+ssl_server_prefer_ciphers = server

dovecot/conf.d/20-lmtp.conf

@@ -36,5 +36,7 @@
 
 protocol lmtp {
   # Space separated list of plugins to load (default is global mail_plugins).
-  mail_plugins = $mail_plugins sieve
+  mail_plugins {
+    sieve = yes
+  }
 }

dovecot/conf.d/20-managesieve.conf

@@ -2,11 +2,6 @@
 ## ManageSieve specific settings
 ##
 
-# Uncomment to enable managesieve protocol:
-protocols = $protocols sieve
-
-# Service definitions
-
 service managesieve-login {
   inet_listener sieve {
     port = 4190
@@ -28,10 +23,10 @@ service managesieve-login {
   #vsz_limit = 64M
 }
 
-#service managesieve {
+service managesieve {
   # Max. number of ManageSieve processes (connections)
   #process_limit = 1024
-#}
+}
 
 # Service configuration
 
@@ -49,7 +44,6 @@ protocol sieve {
   # Space separated list of plugins to load (none known to be useful so far).
   # Do NOT try to load IMAP plugins here.
   #mail_plugins =
-
   # MANAGESIEVE logout format string:
   #  %i - total number of bytes read from client
   #  %o - total number of bytes sent to client
@@ -66,7 +60,7 @@ protocol sieve {
   # To fool ManageSieve clients that are focused on CMU's timesieved you can
   # specify the IMPLEMENTATION capability that Dovecot reports to clients.
   # For example: 'Cyrus timsieved v2.2.13'
-  #managesieve_implementation_string = Dovecot Pigeonhole
+  managesieve_implementation_string = Dovecot Pigeonhole
 
   # Explicitly specify the SIEVE and NOTIFY capability reported by the server
   # before login. If left unassigned these will be reported dynamically

dovecot/conf.d/90-sieve-extprograms.conf

@@ -6,7 +6,7 @@
 # sieve_extensions or sieve_global_extensions settings. Restricting these
 # extensions to a global context using sieve_global_extensions is recommended.
 
-plugin {
+#plugin {
 
   # The directory where the program sockets are located for the
   # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
@@ -23,7 +23,7 @@ plugin {
   #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
   #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
   #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
-}
+#}
 
 # An example program service called 'do-something' to pipe messages to
 #service do-something {

dovecot/conf.d/90-sieve.conf

@@ -21,22 +21,12 @@
 # file or directory. Refer to Pigeonhole wiki or INSTALL file for more
 # information.
 
-plugin {
-  # The location of the user's main Sieve script or script storage. The LDA
-  # Sieve plugin uses this to find the active script for Sieve filtering at
-  # delivery. The "include" extension uses this location for retrieving
-  # :personal" scripts. This is also where the  ManageSieve service will store
-  # the user's scripts, if supported.
-  # 
-  # Currently only the 'file:' location type supports ManageSieve operation.
-  # Other location types like 'dict:' and 'ldap:' can currently only
-  # be used as a read-only script source ().
-  #
-  # For the 'file:' type: use the ';active=' parameter to specify where the
-  # active script symlink is located.
-  # For other types: use the ';name=' parameter to specify the name of the
-  # default/active script.
-  sieve = file:~/sieve;active=~/.dovecot.sieve
+#plugin {
+sieve_script personal {
+    type = personal
+    path = /host/mail/inboxes/%{user | domain}/%{user}/sieve
+    active_path = /host/mail/inboxes/%{user | domain}/%{user}/.dovecot.sieve
+}
 
   # The default Sieve script when the user has none. This is the location of a
   # global sieve script file, which gets executed ONLY if user's personal Sieve
@@ -202,4 +192,4 @@ plugin {
   # Enables showing byte code addresses in the trace output, rather than only
   # the source line numbers.
   #sieve_trace_addresses = no 
-}
+#}