Hi folks, I have a mailcow server for < 10 accounts running on ARM architecture (4 CPUs 8GB RAM).
I have run the update.sh script to update to the latest release (nightly, as this host was set up before the ARM was released to stable and this is the first update that has been run since).

After doing this my sogo container fails to start properly, just showing the following logs
sogo-mailcow-1 | Waiting for schema update...

Further to this, when I try and browse to the MailCow admin UI for the server I just get a blank page displayed. There are no errors logged in the php-fpm container.

Checking the sogo version I can see that the schema is out of date when performing the commands in the bootstrap-sogo.sh script:

root@ac844a7fcd7a:/# grep -oE '\$db_version = .*;' init_db.inc.php | sed 's/$db_version = //g;s/;//g' | cut -d \" -f2
15082024_1212

root@ac844a7fcd7a:/# mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions;"
+------------------------------------------------------------------+
| version                                                          |
+------------------------------------------------------------------+
| 25072022_2300                                                    |
| 2eadaa7787a7a2fbebd54bc0c97a5caab9d2e8f3743ace372142b8a022742a1b |
+------------------------------------------------------------------+

The SQL update scripts look to be missing from the container using the mailcow/sogo:nightly-20240905 image, so I’m not sure how the container is meant to update the schema

root@7a92cfb1cfb9:/# ls -l /usr/share/doc/sogo
total 4
-rw-r--r-- 1 root root 1144 Jul 24  2016 copyright
-rw-r--r-- 1 root root    0 Sep  5 12:23 empty.sh
root@7a92cfb1cfb9:/# 

Should I look at changing to the stable release from the nightly with an update?

I guess it’s a problem with the nightly branch then…

Changing to the stable branch, but keeping the mysql container version the same, resolved it for me.

Running ./update.sh --current has resolved the issue of the SoGo container failing to start, and the webadmin interface does now load, however after transitioning to the stable release I am now unable to access historical emails when logged in, dovecot is returning an error about the private encryption key being unavailable:

dovecot-mailcow-1 | Oct 21 17:24:19 d361e7e45276 dovecot: imap(user@domain.com)<217><oWpA7P8knNysFgH4>: Disconnected: FETCH failed: Mailbox INBOX: UID=3059: read() failed: read(/var/vmail/domain.com/user/Maildir/cur/1729512072.M902144P180822.afd87ad3782a,S=30783,W=31163:2,) failed: Decryption error: no private key available (read reason=prefetch) in=105 out=1966 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=0 body_count=0 body_bytes=0

Before performing the switch to the current branch I took a copy of my docker volumes directory, so hopefully I should still have a copy of the correct key - is it possible my checkout from git is too old? I had to switch to the nightly git branch in order to do the initial installation on the ARM service, and I know that since then the dovecot container has been migrated to an Alpine based image which I know had an issue with needing a specific patch that was applied in Debian but not in Alpine that caused a similar looking issue? dovecot lib-dcrypt.so is not patched for OpenSSL 3.0 (Mail Crypt Plugin broken) (#15365): https://gitlab.alpinelinux.org/alpine/aports/-/issues/15365

Are there any suggestions on how to resolve this particular issue? My dovecot image is currently: mailcow/dovecot:2.1

My issue with my emails reporting an issue with the private key was caused by a bug in an old nightly image that meant that the same keys generated encrypted data that could only be decrypted from the same container image. This information was mentioned to me in the Telegram channel.

The container image I was running before updating/migrating to stable was mailcow/dovecot:nightly-20231016

The recommendation I was given in the mailcow telegram following the failed update/migration was to backup (docs.mailcow.email) and then roll back (docs.mailcow.email, "Update - mailcow: dockerized documentation") the upgrade to the previous version I was coming from, decrypt the mail in all mailboxes, and then update back to stable and re-encrypt all the mail in all the mailboxes.

I had previously had an override defined in the docker-compose.overrides.yml for the dovecot container image, so rather than perform a full rollback I started a temporary container with the older container image, using bind mounts to point to the crypt and vmail volumes (which allowed me to keep my production mail system up and running)

docker run --rm -it --entrypoint /bin/bash -v /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data:/var/vmail:rw -v /var/lib/docker/volumes/mailcowdockerized_crypt-vol-1/_data:/mail_crypt:ro mailcow/dovecot:nightly-20231016

Once this temporary container was running I used the documentation (docs.mailcow.email) to decrypt mail inside the temporary container using the old image. This worked cleanly (I had to make a minor adjustment to the find command which didn’t support the -regextype egrep flag), and this left me with unencrypted mails in each account.

I then activated a bash prompt inside the production dovecot container (as per the documentation linked above) and used a variation on the command included there to re-compress and re-encrypt the mail files.

# Walk every maildir message file (names carry S=<size>,W=<vsize>)
find /var/vmail/ -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
  # Skip files that already start with the "CRYPTED" marker
  if [[ $(head -c7 "$file") != "CRYPTED" ]]; then
    doveadm fs put compress lz4:1:crypt:private_key_path=/mail_crypt/ecprivkey.pem:public_key_path=/mail_crypt/ecpubkey.pem:posix:prefix=/ \
      "$file" "$file"
    chmod 600 "$file"
    chown 5000:5000 "$file"
  fi
done

After logging into SoGo I was able to read emails that had been delivered before the update procedure was initiated, and refreshing my Android email client showed emails again.
I hope this provides useful information for people struggling in future!
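
A check that could follow the re-encryption pass described in the post above, to confirm no message is left unencrypted at rest. This is an added example, not part of the thread or of mailcow's documentation; the function names, the example.test sample tree and the file contents are constructed, and it assumes encrypted files start with the same 7-byte "CRYPTED" marker the loop above tests for.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a maildir tree for messages
# that are still stored unencrypted.
# Assumption: an encrypted message file starts with the 7 bytes "CRYPTED",
# the same marker the re-encryption loop in the post checks for.

# Prints "<encrypted> <plaintext>" on stdout and each plaintext path on
# stderr. Exit status is 0 only when no plaintext message was found.
# The subshell body "( ... )" keeps the variables local in plain POSIX sh.
audit_mail_crypt() (
    root=$1 encrypted=0 plaintext=0
    list=$(mktemp) || exit 2
    # -name globs instead of "-regextype egrep", which some find builds
    # lack. Assumes file names contain no newlines (true for maildir names).
    find "$root" -type f -name '*S=*W=*' > "$list"
    while IFS= read -r file; do
        # Only the first 7 bytes are read; tr strips NULs before comparing.
        magic=$(head -c7 "$file" | tr -d '\000')
        if [ "$magic" = "CRYPTED" ]; then
            encrypted=$((encrypted + 1))
        else
            plaintext=$((plaintext + 1))
            printf 'plaintext: %s\n' "$file" >&2
        fi
    done < "$list"
    rm -f "$list"
    printf '%d %d\n' "$encrypted" "$plaintext"
    [ "$plaintext" -eq 0 ]
)

# Builds a constructed sample tree (fake domain, user and file contents).
make_sample_tree() {
    cur="$1/example.test/alice/Maildir/cur"
    mkdir -p "$cur"
    printf 'CRYPTED constructed sample bytes' > "$cur/1700000001.M1P1.host,S=100,W=110:2,S"
    printf 'CRYPTED constructed sample bytes' > "$cur/1700000002.M2P2.host,S=200,W=210:2,"
    printf 'From: a@example.test\n\nhi\n' > "$cur/1700000003.M3P3.host,S=300,W=310:2,S"
    printf '3 V1 N4\n' > "$1/example.test/alice/Maildir/dovecot-uidlist"
}

# Usage: sh audit.sh /var/vmail   (run inside the dovecot container)
if [ "$#" -gt 0 ]; then
    audit_mail_crypt "$1"
fi
```

The marker check only shows that a file is wrapped by the crypt layer, not that the current keys can decrypt it, so reading an older message through IMAP remains the final confirmation.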
