Ulaknode

ulaknode changelog

Release history grouped from the itefix master release export.

Back to software index

Latest release summary

FieldValue
Softwareulaknode
Latest releaseulaknode 2.1.0
Release date2026-07-15

Latest release components

Output of ulaknode-version:

ulaknode 2.1.0

Components:
  postfix              3.10.12
  dovecot              2.4.4-5+debian13
  opendkim             2.11.0
  opendmarc            1.4.2-5
  spamassassin         4.0.1
  postgrey             1.37-2.1
  clamav               1.4.3
  openssl              3.5.6

Platform:
  os                   Debian GNU/Linux 13 (trixie)
  kernel               6.8.0-124-generic
  arch                 x86_64

Changelog history

2026-07-15 ulaknode 2.1.0

  • Added Fail2ban, running inside the container as a supervised service. Bans brute-force SMTP/IMAP clients at the Postfix/Dovecot application layer instead of iptables (a check_client_access cidr: table for SMTP, a filter-scoped Dovecot deny passdb for IMAP), so no extra container privileges are needed. New ulaknode-ban action script; new ulak_fail2ban volume.
  • Added DNSBL blocklist checking via postscreen, backed by a dedicated recursive resolver (Unbound). RBL/DNSBL checking was dropped in 2.0.1 because public DNSBLs like Spamhaus classify shared/forwarding resolvers as “open” and return their block-page response to every query, indistinguishable from a real listing. Unbound resolves recursively from the root instead of forwarding, so queries come from a resolver dedicated to just this mail server. Postfix’s smtp service on port 25 is now postscreen, checking postscreen_dnsbl_sites = zen.spamhaus.org, bl.spamcop.net before a real smtpd process spawns. New ulak_unbound volume.
  • Fixed master.cf missing the error, retry, and showq internal services — local delivery (postmaster/root notices, cron output) bounced with “transport unavailable”, and mailq/postqueue -p was broken entirely.
  • Fixed ulaknode-service start/restart leaving opendkim, opendmarc, spamass-milter, clamav, clamav-milter, and fail2ban unable to rebind their sockets (“Address already in use”) — only docker-init’s boot-time cleanup removed stale sockets, restarting by hand had no equivalent.
  • Fixed ulaknode-service reload opendkim/opendmarc sending SIGHUP, which could fail to rebind the milter socket and exit instead of reloading, silently dropping DKIM signing or DMARC checks. reload now falls back to a full stop/start.
  • Fixed the Fail2ban SMTP filter regex only matching NOQUEUE: reject: RCPT from [<ip>]:... — Postfix sometimes logs a hostname before the bracket, and those reject lines weren’t triggering a ban.
  • Fixed the ClamAV virus database volume (/var/lib/clamav) sometimes ending up owned by something other than clamav, breaking freshclam on every run and leaving the signature database silently stale. set-conf-permissions now re-asserts clamav:clamav ownership on every boot.
  • Fixed SpamAssassin’s skip_rbl_checks (added in 2.0.1) only disabling RCVD_IN_* rules, not URIBL_* URI-based DNSBL lookups — those kept querying multi.uribl.com/dbl.opendns.com and got rate-limited. use_dns 0 now disables every DNS-dependent SpamAssassin test.
  • Documented that clamd alone can use up to ~2GB RSS once its signature database is loaded — a container memory limit below ~3GB gets it silently killed by the cgroup OOM killer while the rest of the stack keeps running.

2026-07-09 ulaknode 2.0.1

  • Removed RBL/DNSBL blocklist checking (reject_rbl_client, added in 2.0.0): Spamhaus flagged this deployment’s resolver as a shared/open resolver and returned its “open resolver” error to every query, which was indistinguishable from a real match and silently rejected all inbound mail. May return later via postscreen with a dedicated resolver, or a self-hosted list.
  • Fixed opendkim failing to rebind its milter socket after docker stop/docker start (“Address already in use”); docker-init now clears known milter/AV sockets at boot.
  • Fixed spamass-milter’s socket being created mode 755, causing Postfix “Permission denied”; scoped umask 007 to that command.
  • Noted a stray Radicale-related Dovecot config block (not shipped by this image) that can prevent Dovecot from starting on existing volumes.

2026-07-09 ulaknode 2.0.0

  • Breaking: replaced rspamd + Redis with OpenDKIM, OpenDMARC, policyd-spf, Postgrey, and SpamAssassin + spamass-milter. ClamAV now fronted directly by clamav-milter. Existing deployments need manual migration steps, see docs/upgrading.md.
  • New persistent config volumes (ulak_opendkim, ulak_opendmarc, ulak_spamassassin, ulak_policyd_spf, ulak_postgrey) replacing ulak_rspamd.
  • ulaknode-dkim rewritten for OpenDKIM’s KeyTable/SigningTable format.
  • ulaknode-service/ulaknode-errlog updated for the new daemon set.
  • Added ulaknode-service <action> all to act on every managed service at once.
  • Fixed dovecot/opendkim/spamd status reporting bugs in ulaknode-service/ulaknode-version, and clamd status always showing STOPPED.

2026-05-25 ulaknode 1.2.1

  • ulaknode-service: reload option
  • ulkanode-service: fix rspamd restart option

2026-05-23 ulaknode 1.2.0

  • dovecot 2.4.4-5+debian13
  • redis 8.6.3
  • openssl 3.5.6

2026-05-01 ulaknode 1.1.0

  • rspamd 4.0.1
  • redis 8.6.2
  • remove license logic (not in use)
  • handle version via environment
  • remove fail2ban support in ulaknode-errlog (external now)

2024-07-04 ulaknode 1.0.0

  • Initial version

Output of ulaknode-version:

Components:
  postfix              3.10.5
  dovecot              2.4.1-4
  rspamd               3.12.1
  redis                8.0.2
  clamav               1.4.3
  openssl              3.5.5

Platform:
  os                   Debian GNU/Linux 13 (trixie)
  kernel               6.8.0-107-generic
  arch                 x86_64