authorcrupest <crupest@outlook.com>2024-10-23 23:32:32 +0800
committercrupest <crupest@outlook.com>2024-10-23 23:32:32 +0800
commit58663148f6b84da97c25d0fd56bd0356c266b152 (patch)
tree10427fe3c89858793965ffe357f743cdf87eed69
parentf7e0bf5d5514b17c4f103842b0de8313262a38a0 (diff)
feat(dms): update mailserver.env.
-rw-r--r--template/mailserver.env.template238
1 files changed, 177 insertions, 61 deletions
diff --git a/template/mailserver.env.template b/template/mailserver.env.template
index 559912a..d8d3117 100644
--- a/template/mailserver.env.template
+++ b/template/mailserver.env.template
@@ -3,7 +3,7 @@
# -----------------------------------------------
# DOCUMENTATION FOR THESE VARIABLES IS FOUND UNDER
-# https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/
+# https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/
# -----------------------------------------------
# --- General Section ---------------------------
@@ -30,9 +30,11 @@ LOG_LEVEL=info
# debug => Also show debug messages
SUPERVISOR_LOGLEVEL=
-# 0 => mail state in default directories
-# 1 => consolidate all states into a single directory (`/var/mail-state`) to allow persistence using docker volumes
-ONE_DIR=1
+# Support for deployment where these defaults are not compatible (eg: some NAS appliances):
+# /var/mail vmail User ID (default: 5000)
+DMS_VMAIL_UID=
+# /var/mail vmail Group ID (default: 5000)
+DMS_VMAIL_GID=
# **empty** => use FILE
# LDAP => use LDAP authentication
@@ -86,11 +88,8 @@ TLS_LEVEL=
# Configures the handling of creating mails with forged sender addresses.
#
-# empty => (not recommended, but default for backwards compatibility reasons)
-# Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address.
-# See also https://en.wikipedia.org/wiki/Email_spoofing
-# 1 => (recommended) Mail spoofing denied. Each user may only send with his own or his alias addresses.
-# Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
+# **0** => (not recommended) Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address (see also https://en.wikipedia.org/wiki/Email_spoofing).
+# 1 => Mail spoofing denied. Each user may only send with his own or his alias addresses. Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
SPOOF_PROTECTION=
# Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/master/README.md#sender-rewriting-scheme-crash-course) for further explanation.
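Review bot: `SPOOF_PROTECTION=` is still left empty under the rewritten comment, which now marks `0` (any logged-in user may send with a forged sender address) as the default and calls it not recommended. Unless this deployment needs users to send from arbitrary addresses, set `SPOOF_PROTECTION=1`. The rewritten text also no longer says what an empty value means; if the line stays empty, add something like `# empty => treated as 0 (spoofing allowed)` after confirming that against the image's documentation.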
@@ -98,15 +97,103 @@ SPOOF_PROTECTION=
# - 1 => Enabled
ENABLE_SRS=0
-# 1 => Enables POP3 service
-# empty => disables POP3
+# Enables the OpenDKIM service.
+# **1** => Enabled
+# 0 => Disabled
+ENABLE_OPENDKIM=0
+
+# Enables the OpenDMARC service.
+# **1** => Enabled
+# 0 => Disabled
+ENABLE_OPENDMARC=0
+
+
+# Enabled `policyd-spf` in Postfix's configuration. You will likely want to set this
+# to `0` in case you're using Rspamd (`ENABLE_RSPAMD=1`).
+#
+# - 0 => Disabled
+# - **1** => Enabled
+ENABLE_POLICYD_SPF=0
+
+# Enables POP3 service
+# - **0** => Disabled
+# - 1 => Enabled
ENABLE_POP3=
+
+# Enables IMAP service
+# - 0 => Disabled
+# - **1** => Enabled
+ENABLE_IMAP=1
+
+# Enables ClamAV, and anti-virus scanner.
+# 1 => Enabled
+# **0** => Disabled
ENABLE_CLAMAV=0
+# Add the value of this ENV as a prefix to the mail subject when spam is detected.
+# NOTE: This subject prefix may be redundant (by default spam is delivered to a junk folder).
+# It provides value when your junk mail is stored alongside legitimate mail instead of a separate location (like with `SPAMASSASSIN_SPAM_TO_INBOX=1` or `MOVE_SPAM_TO_JUNK=0` or a POP3 only setup, without IMAP).
+# NOTE: When not using Docker Compose, other CRI may not support quote-wrapping the value here to preserve any trailing white-space.
+SPAM_SUBJECT=
+
+# Enables Rspamd
+# **0** => Disabled
+# 1 => Enabled
+ENABLE_RSPAMD=1
+
+# When `ENABLE_RSPAMD=1`, an internal Redis instance is enabled implicitly.
+# This setting provides an opt-out to allow using an external instance instead.
+# 0 => Disabled
+# 1 => Enabled
+ENABLE_RSPAMD_REDIS=
+
+# When enabled,
+#
+# 1. the "[autolearning][rspamd-autolearn]" feature is turned on;
+# 2. the Bayes classifier will be trained when moving mails from or to the Junk folder (with the help of Sieve scripts).
+#
+# **0** => disabled
+# 1 => enabled
+RSPAMD_LEARN=0
+
+# This settings controls whether checks should be performed on emails coming
+# from authenticated users (i.e. most likely outgoing emails). The default value
+# is `0` in order to align better with SpamAssassin. We recommend reading
+# through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
+# decide for yourself whether you need and want this feature.
+#
+# Note that DKIM signing of e-mails will still happen.
+RSPAMD_CHECK_AUTHENTICATED=0
+
+# Controls whether the Rspamd Greylisting module is enabled.
+# This module can further assist in avoiding spam emails by greylisting
+# e-mails with a certain spam score.
+#
+# **0** => disabled
+# 1 => enabled
+RSPAMD_GREYLISTING=1
+
+# Can be used to enable or disable the Hfilter group module.
+#
+# - 0 => Disabled
+# - **1** => Enabled
+RSPAMD_HFILTER=1
+
+# Can be used to control the score when the HFILTER_HOSTNAME_UNKNOWN symbol applies. A higher score is more punishing. Setting it to 15 is equivalent to rejecting the email when the check fails.
+#
+# Default: 6
+RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE=6
+
+# Can be used to enable or disable the (still experimental) neural module.
+#
+# - **0** => Disabled
+# - 1 => Enabled
+RSPAMD_NEURAL=0
+
# Amavis content filter (used for ClamAV & SpamAssassin)
# 0 => Disabled
# 1 => Enabled
-ENABLE_AMAVIS=1
+ENABLE_AMAVIS=0
# -1/-2/-3 => Only show errors
# **0** => Show warnings
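Review bot: `ENABLE_OPENDKIM=0`, `ENABLE_OPENDMARC=0` and `ENABLE_POLICYD_SPF=0` each contradict the value their own comment marks as the default, and `ENABLE_AMAVIS` flips from 1 to 0, with no explanation in the file. Presumably this is because `ENABLE_RSPAMD=1` is meant to take over DKIM, DMARC and SPF handling. Say so above the group, e.g. `# OpenDKIM/OpenDMARC/policyd-spf/Amavis are off because Rspamd (ENABLE_RSPAMD=1) replaces them; re-enable them if Rspamd is disabled`, so a later edit does not leave the server with no sender-authentication checks. `ENABLE_RSPAMD_REDIS=` is the only toggle in this block left empty without a marker for which of 0/1 applies.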
@@ -114,14 +201,13 @@ ENABLE_AMAVIS=1
# 3/4/5 => log debug information (very verbose)
AMAVIS_LOGLEVEL=0
-# This enables the [zen.spamhaus.org](https://www.spamhaus.org/zen/) DNS block list in postfix
-# and various [lists](https://github.com/docker-mailserver/docker-mailserver/blob/f7465a50888eef909dbfc01aff4202b9c7d8bc00/target/postfix/main.cf#L58-L66) in postscreen.
+# This enables DNS block lists in Postscreen.
# Note: Emails will be rejected, if they don't pass the block list checks!
# **0** => DNS block lists are disabled
# 1 => DNS block lists are enabled
ENABLE_DNSBL=0
-# If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`:
+# If you enable Fail2Ban, don't forget to add the following lines to your `compose.yaml`:
# cap_add:
# - NET_ADMIN
# Otherwise, `nftables` won't be able to ban IPs.
@@ -145,14 +231,14 @@ POSTSCREEN_ACTION=enforce
# 1 => only launch postfix smtp
SMTP_ONLY=
-# Please read [the SSL page in the documentation](https://docker-mailserver.github.io/docker-mailserver/edge/config/security/ssl) for more information.
+# Please read [the SSL page in the documentation](https://docker-mailserver.github.io/docker-mailserver/latest/config/security/ssl) for more information.
#
# empty => SSL disabled
# letsencrypt => Enables Let's Encrypt certificates
# custom => Enables custom certificates
# manual => Let's you manually specify locations of your SSL certificates for non-standard cases
# self-signed => Enables self-signed certificates
-SSL_TYPE=letsencrypt
+SSL_TYPE=
# These are only supported with `SSL_TYPE=manual`.
# Provide the path to your cert and key files that you've mounted access to within the container.
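Review bot: `SSL_TYPE=` is now empty, and the comment directly above documents empty as "SSL disabled", so a file rendered from this template configures the mail server without TLS unless something else sets the variable. If the value is injected elsewhere (compose environment, a later substitution step), that is not visible in this hunk. Otherwise keep an explicit type such as `SSL_TYPE=letsencrypt`, or `SSL_TYPE=manual` with the cert and key paths below. If the empty value is intentional, add a comment above the line stating where TLS is configured instead.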
@@ -167,31 +253,26 @@ SSL_ALT_KEY_PATH=
# empty => 7 days
VIRUSMAILS_DELETE_DELAY=
-# This Option is activating the Usage of POSTFIX_DAGENT to specify a lmtp client different from default dovecot socket.
-# empty => disabled
-# 1 => enabled
-ENABLE_POSTFIX_VIRTUAL_TRANSPORT=
-
-# Enabled by ENABLE_POSTFIX_VIRTUAL_TRANSPORT. Specify the final delivery of postfix
+# Configure Postfix `virtual_transport` to deliver mail to a different LMTP client (default is a dovecot socket).
+# Provide any valid URI. Examples:
#
-# empty => fail
+# empty => `lmtp:unix:/var/run/dovecot/lmtp` (default, configured in Postfix main.cf)
# `lmtp:unix:private/dovecot-lmtp` (use socket)
-# `lmtps:inet:<host>:<port>` (secure lmtp with starttls, take a look at https://sys4.de/en/blog/2014/11/17/sicheres-lmtp-mit-starttls-in-dovecot/)
+# `lmtps:inet:<host>:<port>` (secure lmtp with starttls)
# `lmtp:<kopano-host>:2003` (use kopano as mailstore)
-# etc.
POSTFIX_DAGENT=
-# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default).
+# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default). Size is in bytes.
#
# empty => 0
POSTFIX_MAILBOX_SIZE_LIMIT=
-# See https://docker-mailserver.github.io/docker-mailserver/edge/config/user-management/accounts/#notes
+# See https://docker-mailserver.github.io/docker-mailserver/latest/config/account-management/overview/#quotas
# 0 => Dovecot quota is disabled
# 1 => Dovecot quota is enabled
ENABLE_QUOTAS=1
-# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!)
+# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!). Size is in bytes.
#
# empty => 10240000 (~10 MB)
POSTFIX_MESSAGE_SIZE_LIMIT=
@@ -266,6 +347,16 @@ REPORT_SENDER=
# Note: This variable can also determine the interval for Postfix's log summary reports, see [`PFLOGSUMM_TRIGGER`](#pflogsumm_trigger).
LOGROTATE_INTERVAL=weekly
+# Defines how many log files are kept by logrorate
+LOGROTATE_COUNT=4
+
+
+# If enabled, employs `reject_unknown_client_hostname` to sender restrictions in Postfix's configuration.
+#
+# - **0** => Disabled
+# - 1 => Enabled
+POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
+
# Choose TCP/IP protocols for postfix to use
# **all** => All possible protocols.
# ipv4 => Use only IPv4 traffic. Most likely you want this behind Docker.
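Review bot: The added comment on `LOGROTATE_COUNT` misspells the tool name; it should read `# Defines how many log files are kept by logrotate`. With `LOGROTATE_INTERVAL=weekly` just above, `LOGROTATE_COUNT=4` keeps roughly four weeks of mail logs. That is worth stating in the comment, because it bounds how far back authentication and delivery events can be investigated.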
@@ -274,6 +365,12 @@ LOGROTATE_INTERVAL=weekly
# Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
POSTFIX_INET_PROTOCOLS=all
+# Enables MTA-STS support for outbound mail.
+# More details: https://docker-mailserver.github.io/docker-mailserver/v13.3/config/best-practices/mta-sts/
+# - **0** ==> MTA-STS disabled
+# - 1 => MTA-STS enabled
+ENABLE_MTA_STS=0
+
# Choose TCP/IP protocols for dovecot to use
# **all** => Listen on all interfaces
# ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
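Review bot: The documentation link added for `ENABLE_MTA_STS` is pinned to `v13.3`, while the other links this commit touches were moved from `edge` to `latest`. Use one channel throughout (replace `v13.3` with `latest` if the page exists there) so the linked text matches the image actually deployed. The first option line also uses `==>` where the rest of the file uses `=>`.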
@@ -288,9 +385,6 @@ DOVECOT_INET_PROTOCOLS=all
ENABLE_SPAMASSASSIN=0
-# deliver spam messages in the inbox (eventually tagged using SA_SPAM_SUBJECT)
-SPAMASSASSIN_SPAM_TO_INBOX=1
-
# KAM is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation.
# If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
# - **0** => KAM disabled
@@ -299,20 +393,23 @@ SPAMASSASSIN_SPAM_TO_INBOX=1
# Note: only has an effect if `ENABLE_SPAMASSASSIN=1`
ENABLE_SPAMASSASSIN_KAM=0
+# deliver spam messages to the inbox (tagged using SPAM_SUBJECT)
+SPAMASSASSIN_SPAM_TO_INBOX=1
+
# spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required)
MOVE_SPAM_TO_JUNK=1
-# add spam info headers if at, or above that level:
+# spam messages will be marked as read
+MARK_SPAM_AS_READ=0
+
+# add 'spam info' headers at, or above this level
SA_TAG=2.0
-# add 'spam detected' headers at that level
+# add 'spam detected' headers at, or above this level
SA_TAG2=6.31
# triggers spam evasive actions
-SA_KILL=6.31
-
-# add tag to subject if spam detected
-SA_SPAM_SUBJECT=***SPAM*****
+SA_KILL=10.0
# -----------------------------------------------
# --- Fetchmail Section -------------------------
@@ -322,26 +419,45 @@ ENABLE_FETCHMAIL=0
# The interval to fetch mail in seconds
FETCHMAIL_POLL=300
+# Use multiple fetchmail instances (1 per poll entry in fetchmail.cf)
+# Supports multiple IMAP IDLE connections when a server is used across multiple poll entries
+# https://otremba.net/wiki/Fetchmail_(Debian)#Immediate_Download_via_IMAP_IDLE
+FETCHMAIL_PARALLEL=0
+
+# Enable or disable `getmail`.
+#
+# - **0** => Disabled
+# - 1 => Enabled
+ENABLE_GETMAIL=0
+
+# The number of minutes for the interval. Min: 1; Default: 5.
+GETMAIL_POLL=5
# -----------------------------------------------
-# --- LDAP Section ------------------------------
+# --- OAUTH2 Section ----------------------------
# -----------------------------------------------
-# A second container for the ldap service is necessary (i.e. https://github.com/osixia/docker-openldap)
-# For preparing the ldap server to use in combination with this container this article may be helpful: http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/
+# empty => OAUTH2 authentication is disabled
+# 1 => OAUTH2 authentication is enabled
+ENABLE_OAUTH2=
+
+# Specify the user info endpoint URL of the oauth2 provider
+# Example: https://oauth2.example.com/userinfo/
+OAUTH2_INTROSPECTION_URL=
+
+# -----------------------------------------------
+# --- LDAP Section ------------------------------
+# -----------------------------------------------
-# with the :edge tag, use ACCOUNT_PROVISIONER=LDAP
-# empty => LDAP authentification is disabled
-# 1 => LDAP authentification is enabled
-ENABLE_LDAP=
+# A second container for the ldap service is necessary (i.e. https://hub.docker.com/r/bitnami/openldap/)
# empty => no
# yes => LDAP over TLS enabled for Postfix
LDAP_START_TLS=
-# If you going to use the mailserver in combination with docker-compose you can set the service name here
-# empty => mail.domain.com
-# Specify the dns-name/ip-address where the ldap-server
+# empty => mail.example.com
+# Specify the `<dns-name>` / `<ip-address>` where the LDAP server is reachable via a URI like: `ldaps://mail.example.com`.
+# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
LDAP_SERVER_HOST=
# empty => ou=people,dc=domain,dc=com
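Review bot: The new `LDAP_SERVER_HOST` comment lists `ldap://` next to `ldaps://` without a caveat, while `LDAP_START_TLS` above is left empty (documented as "no"); with that combination a simple bind would send the bind DN and password unencrypted. Add a line such as `# Prefer ldaps://, or set LDAP_START_TLS=yes when using ldap://`. The same scheme note is added for `SASLAUTHD_LDAP_SERVER` in a later hunk and needs the same caveat. The `OAUTH2_INTROSPECTION_URL` comment could likewise say the endpoint should be `https://`, as its example already is.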
@@ -428,11 +544,11 @@ SASLAUTHD_MECHANISMS=
SASLAUTHD_MECH_OPTIONS=
# empty => Use value of LDAP_SERVER_HOST
-# Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
+# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
SASLAUTHD_LDAP_SERVER=
# empty => Use value of LDAP_BIND_DN
-# specify an object with priviliges to search the directory tree
+# specify an object with privileges to search the directory tree
# e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
# e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
SASLAUTHD_LDAP_BIND_DN=
@@ -474,10 +590,6 @@ SASLAUTHD_LDAP_TLS_CACERT_DIR=
# Any value => Fills the `ldap_password_attr` option
SASLAUTHD_LDAP_PASSWORD_ATTR=
-# empty => No sasl_passwd will be created
-# string => `/etc/postfix/sasl_passwd` will be created with the string as password
-SASL_PASSWD=
-
# empty => `bind` will be used as a default value
# `fastbind` => The fastbind method is used
# `custom` => The custom method uses userPassword attribute to verify the password
@@ -485,7 +597,7 @@ SASLAUTHD_LDAP_AUTH_METHOD=
# Specify the authentication mechanism for SASL bind
# empty => Nothing is added to the configuration
-# Any value => Fills the `ldap_mech` option
+# Any value => Fills the `ldap_mech` option
SASLAUTHD_LDAP_MECH=
# -----------------------------------------------
@@ -517,8 +629,8 @@ SRS_SECRET=
# Setup relaying all mail through a default relay host
#
-# empty => don't configure default relay host
-# default host and optional port to relay all mail through
+# Set a default host to relay all mail through (optionally include a port)
+# Example: [mail.example.com]:587
DEFAULT_RELAY_HOST=
# -----------------------------------------------
@@ -528,18 +640,22 @@ DEFAULT_RELAY_HOST=
# Setup relaying for multiple domains based on the domain name of the sender
# optionally uses usernames and passwords in postfix-sasl-password.cf and relay host mappings in postfix-relaymap.cf
#
-# empty => don't configure relay host
-# default host to relay mail through
+# Set a default host to relay mail through
+# Example: mail.example.com
RELAY_HOST=
# empty => 25
# default port to relay mail
RELAY_PORT=25
+# -----------------------------------------------
+# --- Relay Host Credentials Section ------------
+# -----------------------------------------------
+
+# Configure a relay user and password to use with RELAY_HOST / DEFAULT_RELAY_HOST
+
# empty => no default
-# default relay username (if no specific entry exists in postfix-sasl-password.cf)
RELAY_USER=
# empty => no default
-# password for default relay user
RELAY_PASSWORD=
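Review bot: The commit drops the per-variable comments for `RELAY_USER` and `RELAY_PASSWORD` and leaves only `# empty => no default`, so nothing in the file marks `RELAY_PASSWORD` as a secret. The rendered env file will hold the relay credential in plain text, so add a comment such as `# Secret: keep the rendered file out of version control and readable only by its owner`. The template itself is listed as `-rw-r--r--`; whether the rendered file inherits that mode is not visible here.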