update docker-mailserver to 7.0.0

[reneploetz]

Fixes #445

Proposed Changes

• updated docker-mailserver image to 7.0.0
• added volume for mail logs
• use SPAMASSASSIN_SPAM_TO_INBOX to deliver spam to INBOX, upstreams new default is bouncing: https://github.com/tomav/docker-mailserver#spamassassin_spam_to_inbox
  • migrate REPORT_RECIPIENT to the new PFLOGSUMM_TRIGGER=logrotate

Notes

• all REPORT* options have been deprecated upstream and were split into PFLOGSUMM and LOGWATCH_ to allow individual configuration between pflogsum (postfix reports) and logwatch mail reports. The latter reports are new and disabled per default. I opted for migrating the options to PFLOGSUMM_* only to have the same behaviour as before. One might consider to enable logwatch reporting, too.
• the PFLOGSUMM_TRIGGER option does allow a new option "daily_cron" which creates report on a daily basis instead of a logrotating basis. This might be more accurate for some users, but I opted to keep the old behaviour which is encoded as "logrotate"
• we should consider setting POSTFIX_INET_PROTOCOLS to "ipv4" to allow running this container on non-ipv6-enabled hosts in a more secure manner: https://github.com/tomav/docker-mailserver/issues/1405#issuecomment-590106498 or https://github.com/tomav/docker-mailserver#permit_docker I cannot test the issue myself as my hosting provider is IPv4 only.

[reneploetz]

Hi @reneploetz,

thank you very much for your pr. I have just a small comment which i made inline.

Not too sure about your IPv4 comment. Afair the Docker network is IPv4 only anyways so I don't think this setting will have any real influence.

I read the whole discussion in the upstream ticket again and I think you are right that POSTFIX_INET_PROTOCOLS will not help, but the underlying problem - users might accidently create an open relay - might still be present. I'm unable to verify this tough.

Based on the upstream discussion, the conditions are:

• IPv6 is enabled on the host
• Docker is running in IPv4 only mode (which is the default)
• a port is bound (exposed) to all interfaces (default of this container)

The problem appears to be that if you connect to the host system using the IPv6 address, then Docker will translate this address to IPv4 to allow external systems to connect to the container. The problem is that the translation is working like a NAT - Docker is replacing the source address (which is the external IP) with the IP of the Docker gateway. The gateway server might be a trusted network for postfix tough - so it might be allowed to sent mails without authentication and thus creating an open relay server if you connect via IPv6.

To mitigate this, the upstream tickets suggests to either enable IPv6 in docker or bind to IPv4 only as stated here: https://github.com/tomav/docker-mailserver/issues/1405#issuecomment-590115647 Upstream decided to post a warning for the PERMIT_DOCKER setting to make users aware of the issue.

But I feel that this discussion is probably better done in a separate ticket anyway. So I would suggest to merge this first and maybe think about what to do afterwards if you feel that there is something that should be done.

[fbartels]

Thanks again. Your pr has just been merged.