Describe the bug
We support Ubuntu Bionic & Focal, and also Debian buster; but Buster and Focal has dovecot v2.3 and Bionic has v2.2.

There are some config options (mainly on the 10-ssl.conf file) that changed and gives you some recurring warnings on Focal/Buster, some users has reported that

To Reproduce

• Make a deploy on bionic: no warnings all is good
• Make a deploy on focal/buster: you get a few warnings from dovecot about deprecated options

Expected behavior
No warnings

Possible solution
Create a different template base for dovecot, one for version 2.2 and other for version 2.3 and on provision time pich the correct one.

This will fix the warnings.

Message without Subject should be rejected
It does not matter if it is when sending or receiving the message, emails without subjects should not be allowed since they are mostly used by malicious applications to send SPAM. And it is good practice to remove them. The error message sent to the sender must be explicit when reporting what happened

THIS IS A ETERNALLY OPEN ISSUE, AS IT WILL BE THE HUB TO ADD CONTRIBUTIONS TO THE PROJECT.

Based on the All Contributors initiative & bot

Is your feature request related to a problem? Please describe.

Improve the readme with:

• Badges
• Better practives
• Organization
• Etc.

Describe the bug
ClamAV uses the DNS to get the update database fingerprint to detect updates, if the DNS is not functional or in a isolated environment (internal domain) you will never get the updates working

Possible solution
In the conf-check stage test for the dns TXT record of current.cvd.clamav.net and if not fails warning the user, line we mention in the #60

Describe the bug
Some times the provision/upgrade/force-upgrade fails and the reference for the backup good backup is changed; then on the next provision/upgrade/force-upgrade command you save an give for good a partial/not-working backup

Expected behavior
Update the backup link ONLY if the action that triggers the backup end with no trouble.

Is your feature request related to a problem? Please describe.
The access control for users (international/national/local) is good, but some times you need custom rules, for example an user with just national access but one or more specific addresses outside .cu

Or the case of a local access account that need to exchange mails with just ONE email in .cu (outside your domain)

Describe the solution you'd like
A way to declare restrictions inside the AD Admin tool

Is your feature request related to a problem? Please describe.
DNSRBL support is a must in a modern email server.

Describe the solution you'd like
Enable this feature like an option, and when enabled a simple file to configure the DNSRBL sources and it's scores. Adding by default only a few well known servers, with low false positives count.

Describe the bug
If your setup does not have a working DNS (like a local domain with no upstream DNS) the spamassassin service will die and amavisd-new will die also, breaking the mail flow.

Possible solution

• Check in conf-check the test stage if we have selected SPAMD the DNS can resolve the TXT register for spamassassin 2.4.3.updates.spamassassin.org it's a CNAME of "3.3.3...." and it return the TXT fingerprint of the database
• If not working notice the user with an error about it, to fix the error or disable the SPAMD in the config

This tool is mainly intended for Cubans, so the comments from execution and documents must be in both languages.

A translator is needed, if you like to contribute, please fork this project, translate a part of it and make me a PR.

Every little piece counts!

Is your feature request related to a problem? Please describe.
Spammers are very aggressive and we can harden postfix with some trick from @HugoFlorentino in the telegram channel, see https://t.me/MailAD_dev/181

Of curse this is optional and the user must be aware of the consequences.

Describe the bug
The correct pkg to install to obtain dig is dnsutils on all debian like distros, actual code force bind9-dnsutils for ubuntu

Muchas empresas tienen un pie de firma a todos los correos que creo que esa opcion seria bueno poner

Is your feature request related to a problem? Please describe.
As pointed out by @HugoFlorentino by using host instead of bind we are saving the install of a few packages and in some cases host is already installed.

~# dpkg -S $(which host)
bind9-host: /usr/bin/host
~# dpkg -S $(which dig)
dnsutils: /usr/bin/dig

By this we save time and space...

Is your feature request related to a problem? Please describe.
Some setups can not afford a mail gateway, in this case (or just because you want) we need the option to enable Spam & AV filtering

Describe the solution you'd like
A config option to enable or disable [default] the Spam & AV filtering

AV filtering will use ClamAV & FreshClam, the updates from FreshClam must be a two choice option:

• From an official repository [default]
• From an lternate mirror (alternate mirrors are needed in Cuba as per the US Embargo laws)

SpamAssassin rules must be eligible being [off by default]

In any case we need to use an upstream HTTP proxy if needed (server, port, user password)

Any alternatives or comments over this new feature?

Is your feature request related to a problem? Please describe.
I hit an user that needs the everyone alias to be accessible from outside, it's a requirement of the enterprise

So the most common sense is to make this option optional, being the default not accessible from the outside

Describe the bug
AV filtering is failing on Ubuntu Focal (unconfirmed on buster & bionic) due to permissions problems

Expected behavior
Not fail

Solution
Make clamav member of amavis group

adduser clamav amavis

Describe the bug

Debian buster has not a amavisd-new-postfix package like ubuntu, so the make install target fails only on that OS. confirmed Bug

Must emulate the actions in that package only for Debian.

When we add a new feature that has a new var in the mailad.conf file we need to set it up for the user to see it

We need to signal the user about the new variable and populate his past values on the others, this is a critical feature

As there are some new features that will depend on it

MailAD is getting impulse, and there are some key points about the config that are giving troubles to the users

A FAQ to compile them will be nice (both, english and spanish)

Seria bueno contar con un report, que se lo mande a una direccion o a una lista de informatico donde este un reporte con algunos datos como lo da zimbra:

Grand Totals

messages

3336 received
15865 delivered
0 forwarded
388 deferred (6839 deferrals)
16 bounced
3330 rejected (17%)
0 reject warnings
0 held
0 discarded (0%)

264409k bytes received
1378m bytes delivered
804 senders
238 sending hosts/domains
1008 recipients
86 recipient hosts/domains

Per-Hour Traffic Summary

time received delivered deferred bounced rejected

0000-0100 76 496 266 0 61
0100-0200 232 1071 259 0 87
0200-0300 51 238 285 0 175
0300-0400 29 121 266 0 112
0400-0500 209 927 270 0 136
0500-0600 53 214 268 0 138
0600-0700 108 440 292 0 168
0700-0800 247 1100 309 1 137
0800-0900 108 586 268 1 126
0900-1000 266 1249 303 0 193
1000-1100 114 518 297 0 166
1100-1200 125 945 330 3 140
1200-1300 106 507 292 1 150
1300-1400 278 1240 315 0 156
1400-1500 150 676 305 0 177
1500-1600 255 1143 294 2 168
1600-1700 198 844 304 3 151
1700-1800 105 804 289 2 160
1800-1900 101 427 288 1 161
1900-2000 83 354 296 0 111
2000-2100 70 308 307 0 110
2100-2200 247 1106 315 0 152
2200-2300 104 461 284 2 138
2300-2400 21 90 137 0 57

Host/Domain Summary: Message Delivery (top 50)

sent cnt bytes defers avg dly max dly host/domain

Host/Domain Summary: Messages Received (top 50)

msg cnt bytes host/domain

top 50 Senders by message count

top 50 Recipients by message count

top 50 Senders by message size

top 50 Recipients by message size

On the mailad server if you have a local linux user that has a name equal to a AD username (sAMAccountName LDAP attribute) then dovecot will try to deliver & use the maildir of the local user instead the AD/LDAP/Virtual one.

Proposed fixs:

• Quick & dirty: avoid creation of a local user with the same name that one in the AD
• Long term: configure dovecot to not use local database for autentication

Describe the bug
Any migration from a linux mailserver with mailboxes in maildir format, whatever came from MailAD or not can lose some mailboxes.

As the check_maildirs.sh script kicks and the removal is not opcional.

Expected behavior
The removal must be optional & disabled by default.

This will be an easy one.

• Create a AD_Requirements_ES.md file as a Spanish translation of the AD_Requirements.md file.
• Create a README_ES.md file as a Spanish translation of the README.md file.
• Update the links in the README_ES.md file pointing to the AD_Requirements.md to the file AD_Requirements_ES.md
• Add a note on top of the README.md file (in spanish) about the existence of the Spanish version
• Copy the file mailad.conf to mailad_ES.conf and translate mailad.conf to English

That's for the first part.

Actually, to enable a user with his email we are setting 4 fields if the AD:

• Mail (Mail)
• Main Storage (Office)
• User Quota (Telephone number)
• Maildir (Webpage)

The initial reason behind this was the integration with Postfix and Courier/Dovecot, but as I have gained more insight of the integration and softwares, and also by users request to simplify that, and a possible standard ldap fields usage.

I will review that to try to simplify it.

• Use the UserPrincipalName as the mail atrribute, this approach has pros and cons...
• Use the sAMAccountName as maildir element: the challenge is to trick postfix and dovecot to add the final "/" to sign of a maildir.
• Remove the setting for the mail storage completely from the AD. Just hard coded in the settings while provisioning. (this may be the easiest to implement)
• Try to use the ldap quota attribute for the quota.
• Try to use a default hard coded quota (provision stage) and just override it if the specific user has a particular quota set

Cheers.

Is your feature request related to a problem? Please describe.
When you have a webmail in a DMZ and you set the DMZ net in the mynetwork, some resctrictions does not apply to the webmail, because it's on the mynetwork.

Explain in the docs the use of ! to exclude IPs from a range, see here: http://www.postfix.org/postconf.5.html#mynetworks

Some bugs was found in the latest commits about clamav & freshclam

• DatabaseMirror parameter can be expressed multiple times, if https you can omit the prefix, but no for http
• We must increase the timeouts as in slow networks this can be a problem and the update never finish

Describe the bug
When the DN of the group has spaces it will cut and the search will fail...

We are investigating the bug to solve it ASAP.

Describe the bug
When you do an upgrade the header_checks & body_checks files are not preserved, then you lose all data on those files.

Not quite, the files are present on he backup file, but the users does not know that.

Expected behavior
Both files are preserved in the event of a upgrade (the same way you do with the virtual_aliases file)

Is your feature request related to a problem? Please describe.
In an enterprise where there are more than one sysadmin the notifications must go to all of them instead to only the configured one.

Aka: redirecting abuse@, posmaster@ and the notification for mail summary via a group alias

Describe the solution you'd like
Be able to tell mailad that I want notifications via a group alias address instead of the mail admin

Describe the bug
DNSBL is not working properly, in fact it's not working at all!

My mistake, in the dev env I manually enabled the transports in the master.cf file to enable postscreen but not included the stept to enable/disable them on production.

This cause that the DNSBL (that depends on postscreen) will never happens as postscreen is not enabled. Huge mistake from me, I apologize for the inconvenience.

This is a top priority bug.

Is your feature request related to a problem? Please describe.
Add german translation

Use travis to validate the test and install part, that will require a few task:

• Create scripts to setup the hostname info as per the config file
• Emulation of a real AD service to interact to (docker?)
  • Setup local env for travist to fake that AD service as mailad.cu
• Others not discovered yet (please Add/suggest as needed)

Issues with PING Option to AD. On my LAN, the segmentation is classified by Security levels. And based on criteria, I have the AD in a VLAN alone with no one else. And the mail server in another VLAN. In the firewall there is a rule that allows mail to reach the AD through LDAP port 389, but the ICMP protocol is not allowed. Therefore, the AD check using PING does not work in cases like these. Not to mention that the ICMP in the servers is totally discouraged

Is your feature request related to a problem? Please describe.
Almost all mail server solutions has a way to report mail usage statistics, and MailAD lacks of that feature

Describe the solution you'd like
A solution like the use of pflogsumm would be nice...

Is your feature request related to a problem? Please describe.
Additional steps after install to use a LE certificates is a pain...

Describe the solution you'd like
Use LE certificates from start, let's say we create a LE folder inside mailad folder (exclude it from git!) and place there the fullchain & privkey certs to be used during provision.

Then when you get to the SSL step, use the LE certs (a link to there must be created and certs folder & links must be secured with correct perms) to make it easy for the user.

Once renew of the certs just overwrite the certs in the LE files and restart the server.

Any other approach for this?

Describe the bug
If you upgrade from an old version then you will have the alias_virtuales file (and others) not restored correctly as they changed the place

A patch will follow to detect if the backus has the files in the old place and move it to the new place to preserve the user data

Is your feature request related to a problem? Please describe.
Some enterprises state as a policy that some group of users must have local or national access only

Describe the solution you'd like

A way to declare a group in the AD and auto-magicaly all members of that group has only local access (ie: only inside the local domain)

The same but for a country wide restriction (*.cu) policy

We can call the groups the name we want [via config on deploy] or use some default group names... what do you think it's must be the default?

Poder ponerle una direccion de que le mande una copia de todos los correos o a un buzon local o al buzon del mailpiler de los correos tanto entrada como saliente

Describe the bug
A script is set hourly to check for clamav-daemon is running fine at provision stage, it depend on clamav-freshclam getting the update and notify clamav-clamd via a socket that the update is done and must reload... but the socket is not there because clamav-daemon ran and died because no updates exist... a chicken vs. egg dilema

Possible solution

• Restart or reload the clamav-daemon daemon before the hourly script test for it.
• Proposed schema is to restart, wait and finally test for it.

Is your feature request related to a problem? Please describe.
Actually MailAD is based on a past LTS version of Ubuntu, support of the actual LTS (Focal Fosa 20.04) is imperative, also support for the Debian stable branch: Buster 10.x

Describe the solution you'd like
It work's on the 3 flavours, Ubuntu 18.08 & 20.04 (Focus on this) and also on Debian Buster

Is your feature request related to a problem? Please describe.
The main target audience of this software are in Cuba, so why not a Spanish translation?

In a first approach just the documentation translation...

Describe the solution you'd like
Built in i18n support to get messages in your own language, being English the default and Spanish the most wanted

Describe alternatives you've considered
Gettext i18n integration, like this sample: https://github.com/meonkeys/bash-i18n-example/

But open to any other alternative that allows full internationalization is welcomed.

Describe the bug
After the recent corrections, the services function on some scripts (restart services) is given for granted that all services are in place, when no av or spamd is configured it fails

So we must prepare that function for that: avoid handling the non functional services

Problem description

When you run the server for a while (more than a year) some users may exit the organization, so you remove them from the AD as requested by the human resources dept. Or maybe you disable them, and at some point you remove them.

But in the guts of the server the maildir folder remains!

And for an experience in a client this wasted space may get to dangerous levels, [~20GB]

So how to remove them?

Possible solution*

Create a monthly script that checks stalled folders on the mail storage against real users on the AD

This can report:

• Unsed mail folders and his total size
• Mail folders aging almost a year (> 9 monts) with a warning about removal after a year
• Notice of maildirs removal after 1 year and a month and the gained space.

The period of removal alert (>9 months) and the removal (>1 year) may be configurable, by default the Cuba's standard is removal after one year

Is your feature request related to a problem? Please describe.
The mail server is using plan LDAP all the time, it will be a security enhancement to use LDAPS all the time

Describe the solution you'd like
All ldap connection must be done in LDAPS

Describe alternatives you've considered
Automate a solution like this: https://tylersguides.com/guides/search-active-directory-ldapsearch/

Describe the bug
The target 'upgrade' preserve the customized files, but the 'force-provision' does not, that can lead to data loss for the users

Expected behavior
The 'force-provision' target preserve the custom data in the same way the 'upgrade' makes

Describe the bug
If you activate the EVERYONE alias, this is accessible from outside the domain

To Reproduce
Steps to reproduce the behavior:

1. Setup a env with the EVERYONE account set
2. Provision the server
3. Send an email to the EVERYONE declared address from within the domain [it works]
4. Now send an email to the EVERYONE declared address from OTHER domain [it works]

This can be used for spamming, phishing, etc.

Expected behavior
The EVERYONE alias when active must be not accessible from outside the domain

Possible solution
http://www.postfix.org/RESTRICTION_CLASS_README.html se the section named Protecting internal email distribution lists

Posterior Actions
Add a specific test in the test suite for this case

Describe the bug
In some cases you will have restrictive parent proxy that forbids a word or any IP based address, or just the mirror we use dies, you may need a fast way to change the non-default mirror from a few working options...

Also the mirror url must not have the protocol part, aka updates.clamsv.com (ok) vs http://updates.clamsv.com (worng)

Possible solution

• Modify the conf file to include the alternate mirrors
• Change the default one from the IP address to the name based address one

Is your feature request related to a problem? Please describe.
There is no way of track the usage of MailAD, some stats will be OK.

Also that could help in getting users informed about latest changes and bug fixes

Describe the solution you'd like
In the config there will be an option (checked by default) about sending an email to the creator as ping-back

That email will have:

• Date
• Mailserver name
• Mail Admin email
• MailAD "version" installed

Optionally that email may be sent monthly and you will ALWAYS receive a copy of it.

This feature is a opt-out one, enabled by default, the user must disable it.

A pool held on the telegram channel result in no problem from he users if that is made a optional feature.

Feature you would like to see
It needs a hardening as much as possible of the SSL/TLS connections against well known attacks, see for example: https://weakdh.org/

Describe the solution you'd like
All possible hardening measure in place