179 changes: 51 additions & 128 deletions mailcow/init.sls
Expand Up @@ -199,58 +199,47 @@ mailcow_docker_compose_owerride:
file.managed:
- name: /opt/mailcow/{{ pillar["mailcow"]["mailcow_conf"]["MAILCOW_HOSTNAME"] }}/docker-compose.override.yml
- contents: |
{%- if 'docker_logging' in pillar['mailcow'] %}
{%- if 'docker_logging' in pillar['mailcow'] or pillar['mailcow'].get('apparmor_unconfined', False) %}
x-main-config: &main-config
{%- if pillar['mailcow'].get('apparmor_unconfined', False) %}
security_opt:
- apparmor:unconfined
{%- endif %}
{%- if 'docker_logging' in pillar['mailcow'] %}
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
{%- endif %}
services:
netfilter-mailcow:
<<: *main-config
unbound-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
<<: *main-config
mysql-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
<<: *main-config
{%- if pillar['mailcow'].get('postfix_tlspol_in_override', False) %}
postfix-tlspol-mailcow:
<<: *main-config
{%- endif %}
postfix-mailcow:
<<: *main-config
{%- if "haproxy" in pillar["mailcow"] %}
ports:
{#- "${SMTP_PORT_HAPROXY:-127.0.0.1:10025}:10025"#}
- "${SMTPS_PORT_HAPROXY:-127.0.0.1:10465}:10465"
- "${SUBMISSION_PORT_HAPROXY:-127.0.0.1:10587}:10587"
{%- endif %}
redis-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
clamd-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
rspamd-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
<<: *main-config
php-fpm-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
sogo-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
<<: *main-config
clamd-mailcow:
<<: *main-config
dovecot-mailcow:
<<: *main-config
{%- if "haproxy" in pillar["mailcow"] %}
ports:
- "${IMAP_PORT_HAPROXY:-127.0.0.1:10143}:10143"
Expand All @@ -259,102 +248,35 @@ mailcow_docker_compose_owerride:
- "${POPS_PORT_HAPROXY:-127.0.0.1:10995}:10995"
- "${SIEVE_PORT_HAPROXY:-127.0.0.1:14190}:14190"
{%- endif %}
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
postfix-mailcow:
{%- if "haproxy" in pillar["mailcow"] %}
ports:
{#- "${SMTP_PORT_HAPROXY:-127.0.0.1:10025}:10025"#}
- "${SMTPS_PORT_HAPROXY:-127.0.0.1:10465}:10465"
- "${SUBMISSION_PORT_HAPROXY:-127.0.0.1:10587}:10587"
{%- endif %}
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
memcached-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
rspamd-mailcow:
<<: *main-config
sogo-mailcow:
<<: *main-config
nginx-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
<<: *main-config
acme-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
netfilter-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
<<: *main-config
watchdog-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
<<: *main-config
olefy-mailcow:
<<: *main-config
dockerapi-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
<<: *main-config
memcached-mailcow:
<<: *main-config
{%- if pillar["mailcow"]["solr_enable"] | default(true) %}
solr-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
<<: *main-config
{%- endif %}
olefy-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
ofelia-mailcow:
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
<<: *main-config
ipv6nat-mailcow:
<<: *main-config
{%- if not pillar['mailcow']['enable_ipv6'] | default(true) %}
image: bash:latest
restart: "no"
entrypoint: ["echo", "ipv6nat disabled in docker-compose.override.yml"]
Comment on lines 276 to 278
Copilot AI Feb 19, 2026

The ipv6nat-mailcow override uses the generic bash:latest image, which is an unpinned third-party image that can change over time. If that image or its registry namespace is compromised, arbitrary code would run with the same privileges, networks and volumes granted to this service when IPv6 is disabled. Prefer using a vetted image specific to this purpose and pinning it to a trusted digest or version tag instead of latest.

Contributor Author

@copilot open a new pull request to apply changes based on this feedback

{%- endif %}
logging:
driver: "{{ pillar['mailcow']['docker_logging']['driver'] }}"
options:
{%- for var_key, var_val in pillar["mailcow"]["docker_logging"]["options"].items() %}
{{ var_key }}: "{{ var_val }}"
{%- endfor %}
{%- elif "haproxy" in pillar["mailcow"] %}
services:
dovecot-mailcow:
Expand Down Expand Up @@ -676,3 +598,4 @@ nginx_reload_cron:
- hour: 6
{% endif %}
{% endif %}
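Review bot: The `security_opt: - apparmor:unconfined` placed under `x-main-config` in the first hunk is inherited by every service that merges `*main-config`, so one pillar flag removes AppArmor confinement from the whole stack with no per-service opt-out, and nothing in the rendered override says so. I would add a Jinja comment directly above the `security_opt:` line, `{#- apparmor_unconfined drops AppArmor confinement for every service that merges *main-config; leave it false unless the Debian 12 workaround is actually needed #}`, so an operator reading the generated file understands the scope. Note also that `pillar['mailcow'].get('apparmor_unconfined', False)` is evaluated for truthiness on the `{%- if` lines, so a quoted `"false"` or any non-empty string in the pillar would enable it; `pillar['mailcow'].get('apparmor_unconfined', False) is sameas true` would make the check strict. The `mailcow_docker_compose_owerride` state begins above the hunk and its `contents` block continues below the section shown here.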

3 changes: 3 additions & 0 deletions mailcow/pillar.example
Expand Up @@ -4,6 +4,8 @@ mailcow:
driver: "json-file"
options:
tag: "{% raw -%}{{.ImageName}}|{{.Name}}|tst{%- endraw %}"
apparmor_unconfined: false # set to true only if you must add security_opt: apparmor:unconfined to all containers (e.g. as a Debian 12 workaround)
postfix_tlspol_in_override: true # include postfix-tlspol-mailcow container in docker-compose.override.yml (newer mailcow versions)
acme_account: example.com # used only when SKIP_LETS_ENCRYPT=y
enable_ipv6: true # DO NOT CHANGE THIS PARAMETER IF YOU ARE NOT SURE, because if you once disable ipv6 using this parameter, it will not work to turn it back on by setting the value to true
solr_enable: false # This option is added for backward compatibility with older versions. In newer versions this option should be set to false
Expand Down Expand Up @@ -56,3 +58,4 @@ mailcow:
header_checks: 'regexp:/opt/postfix/conf/header_checks'
header_checks: |
/^Subject:/ WARN