From e4454d776aa93fa4bb562715e07845f31365cae9 Mon Sep 17 00:00:00 2001
From: Michael Wyraz
Date: Sat, 2 May 2020 20:58:07 +0200
Subject: [PATCH 1/5] Allow to enforce TLS for outbound using OUTBOUND_TLS_LEVEL=encrypt (default is 'may')
---
 core/postfix/conf/main.cf | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 43ed2df0..72828ea6 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -52,9 +52,10 @@ tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:
 tls_preempt_cipherlist = yes
 tls_ssl_options = NO_COMPRESSION
-# Outgoing TLS is more flexible because 1. not all receiving servers will
-# support TLS, 2. not all will have and up-to-date TLS stack.
-smtp_tls_security_level = may
+# By default, outgoing TLS is more flexible because
+# 1. not all receiving servers will support TLS,
+# 2. not all will have and up-to-date TLS stack.
+smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
From 6234da37863fd9f61fa441edd06b292db11c8eed Mon Sep 17 00:00:00 2001
From: Michael Wyraz
Date: Sat, 2 May 2020 21:02:53 +0200
Subject: [PATCH 2/5] Add doc and changelog for OUTBOUND_TLS_LEVEL
---
 docs/configuration.rst | 4 ++++
 towncrier/1478.feature | 1 +
 2 files changed, 5 insertions(+)
 create mode 100644 towncrier/1478.feature
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 292d4303..20df3767 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
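Review bot: In the main.cf hunk, `{{ OUTBOUND_TLS_LEVEL|default('may') }}` only falls back when the variable is undefined; if the environment hands the template an empty string (for example a blank `OUTBOUND_TLS_LEVEL=` line in an env file), the rendered line becomes `smtp_tls_security_level =`, and an empty level makes Postfix fall back to the obsolete smtp_use_tls/smtp_enforce_tls parameters, whose defaults disable outbound TLS entirely — weaker than the hard-coded `may` this replaces. Writing `smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may', true) }}` makes empty values fall back as well. How the template context is built is not visible in this hunk, so whether empty values can actually reach it is inferred. It would also help to note in the comment above the setting that `encrypt` applies to every outbound delivery, not only to a relay host, so without a relay host mail to MXs that do not offer STARTTLS is deferred rather than delivered.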
@@ -69,6 +69,10 @@ The ``RELAYHOST`` is an optional address of a mail server relaying all outgoing mail in following format: ``[HOST]:PORT``. ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
+By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
+by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
+if you are a relayhost that supports TLS.
+
 The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to go and fetch new email if available. Do not use too short delays if you do not want to be blacklisted by external services, but not too long delays if you
diff --git a/towncrier/1478.feature b/towncrier/1478.feature
new file mode 100644
index 00000000..fcfe6ea2
--- /dev/null
+++ b/towncrier/1478.feature
@@ -0,0 +1 @@
+Allow to enforce TLS for outbound mail by setting OUTBOUND_TLS_LEVEL=encrypt for postfix.
\ No newline at end of file
From b1f012d53b586820b3a2f17aff34b1074d305504 Mon Sep 17 00:00:00 2001
From: ofthesun9
Date: Tue, 12 May 2020 09:51:30 +0200
Subject: [PATCH 3/5] In setup/flavor, change DMARC rua and ruf email default settings
DMARC_RUA and DMARC_RUF defaults will reuse the value defined for POSTMASTER, instead of 'admin' as previously
---
 setup/flavors/compose/mailu.env | 4 ++--
 towncrier/newsfragments/1463.bugfix | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 towncrier/newsfragments/1463.bugfix
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 78ecce72..b3cef48d 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -76,8 +76,8 @@ FETCHMAIL_DELAY={{ fetchmail_delay or '600' }}
 RECIPIENT_DELIMITER={{ recipient_delimiter or '+' }}
 # DMARC rua and ruf email
-DMARC_RUA={{ dmarc_rua or 'admin' }}
-DMARC_RUF={{ dmarc_ruf or 'admin' }}
+DMARC_RUA={{ dmarc_rua or postmaster }}
+DMARC_RUF={{ dmarc_ruf or postmaster }}
 # Welcome email, enable and set a topic and body if you wish to send welcome
 # emails to all users.
diff --git a/towncrier/newsfragments/1463.bugfix b/towncrier/newsfragments/1463.bugfix
new file mode 100644
index 00000000..37423bfa
--- /dev/null
+++ b/towncrier/newsfragments/1463.bugfix
@@ -0,0 +1 @@
+Defining POSTMASTER through setup tool apply also to DMARC_RUA and DMARC_RUF settings
From c3cbac65f9c0b321b3f842d3f1e7a187c9e28c23 Mon Sep 17 00:00:00 2001
From: Dennis Hoppe
Date: Sat, 6 Jun 2020 20:18:36 +0200
Subject: [PATCH 4/5] Replace SMPT with SMTP
---
 setup/templates/steps/stack/04_replicas.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/templates/steps/stack/04_replicas.html b/setup/templates/steps/stack/04_replicas.html
index 785125cc..9f6de061 100644
--- a/setup/templates/steps/stack/04_replicas.html
+++ b/setup/templates/steps/stack/04_replicas.html
@@ -22,7 +22,7 @@
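Review bot: In the mailu.env hunk, the new defaults `{{ dmarc_rua or postmaster }}` and `{{ dmarc_ruf or postmaster }}` replace a string literal with a bare template variable, so when neither the DMARC field nor `postmaster` is set in the setup tool's context the rendered value is empty rather than `admin` (Jinja's default Undefined renders as an empty string unless the environment uses a strict undefined, which nothing in this hunk shows). An empty `DMARC_RUA`/`DMARC_RUF` would then be consumed by whatever builds the aggregate-report address downstream; that consumer is not visible here, so the effect is inferred. A layered fallback keeps the old behaviour as a last resort: `DMARC_RUA={{ dmarc_rua or postmaster or 'admin' }}` and `DMARC_RUF={{ dmarc_ruf or postmaster or 'admin' }}`.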
- +
-{% endcall %}
\ No newline at end of file
+{% endcall %}
From f48a13336fea092c661bd7825552333af75635d1 Mon Sep 17 00:00:00 2001
From: ofthesun9
Date: Wed, 17 Jun 2020 16:18:33 +0200
Subject: [PATCH 5/5] Disable Health checks on swarm mode
ref: https://github.com/moby/moby/issues/35451
---
 setup/flavors/stack/docker-compose.yml | 18 ++++++++++++++++++
 towncrier/newsfragments/1289.bugfix | 1 +
 2 files changed, 19 insertions(+)
 create mode 100644 towncrier/newsfragments/1289.bugfix
diff --git a/setup/flavors/stack/docker-compose.yml b/setup/flavors/stack/docker-compose.yml
index 6ae0f103..66731805 100644
--- a/setup/flavors/stack/docker-compose.yml
+++ b/setup/flavors/stack/docker-compose.yml
@@ -43,6 +43,8 @@ services:
 - "{{ root }}/dkim:/dkim"
 deploy:
 replicas: {{ admin_replicas }}
+ healthcheck:
+ disable: true
 imap:
 image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-{{ version }}}
@@ -52,6 +54,8 @@ services:
 - "{{ root }}/overrides:/overrides"
 deploy:
 replicas: {{ imap_replicas }}
+ healthcheck:
+ disable: true
 smtp:
 image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-{{ version }}}
@@ -61,6 +65,8 @@ services:
 - "{{ root }}/overrides:/overrides"
 deploy:
 replicas: {{ smtp_replicas }}
+ healthcheck:
+ disable: true
 antispam:
 image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}}
@@ -71,6 +77,8 @@ services:
 - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d"
 deploy:
 replicas: 1
+ healthcheck:
+ disable: true
 # Optional services
 {% if antivirus_enabled %}
@@ -81,6 +89,8 @@ services:
 - "{{ root }}/filter:/data"
 deploy:
 replicas: 1
+ healthcheck:
+ disable: true
 {% endif %}
 {% if webdav_enabled %}
@@ -91,6 +101,8 @@ services:
 - "{{ root }}/dav:/data"
 deploy:
 replicas: 1
+ healthcheck:
+ disable: true
 {% endif %}
 {% if fetchmail_enabled %}
@@ -101,6 +113,8 @@ services:
 - "{{ root }}/data:/data"
 deploy:
 replicas: 1
+ healthcheck:
+ disable: true
 {% endif %}
 {% if webmail_type != 'none' %}
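Review bot: In the docker-compose.yml hunks, each added `healthcheck:` / `disable: true` pair is inserted directly after the `deploy:` / `replicas:` lines, and because the collapsed hunk has lost its indentation this view cannot confirm that `healthcheck` lands at service level (a sibling of `deploy`) rather than nested under `deploy`, where Compose would reject the key; the same applies to every other hunk of this file, including the two for the webmail and postgresql services. The commit message gives the motivation (moby/moby#35451) but the generated stack file does not, so an operator reading it sees health checks silently turned off; a comment on the first occurrence such as `# Health checks are disabled in swarm mode, see https://github.com/moby/moby/issues/35451` would carry that context into the deployed file. Worth stating in that comment as well: with checks disabled, Swarm no longer restarts or de-routes a task whose process is alive but not serving, so that failure mode has to be detected by external monitoring.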
@@ -111,6 +125,8 @@ services:
 - "{{ root }}/webmail:/data"
 deploy:
 replicas: 1
+ healthcheck:
+ disable: true
 {% endif %}
 {% if db_flavor == 'postgresql' and postgresql == 'internal' %}
@@ -119,6 +135,8 @@ services:
 env_file: {{ env }}
 volumes:
 - "{{ root }}/data/psql_backup:/backup"
+ healthcheck:
+ disable: true
 {% endif %}
 networks:
diff --git a/towncrier/newsfragments/1289.bugfix b/towncrier/newsfragments/1289.bugfix
new file mode 100644
index 00000000..8dc41dea
--- /dev/null
+++ b/towncrier/newsfragments/1289.bugfix
@@ -0,0 +1 @@
+Disable Health checks on swarm mode