Initial changes for Mailu 2.0 release

.github/workflows/multiarch.yml

@@ -4,7 +4,7 @@ on:
     branches:
       - testing
       - staging
-      - '1.9'
+      - '2.0'
       - master
       - test-*
 

.mergify.yml

@@ -11,9 +11,9 @@ pull_request_rules:
         message: |
           Thanks for submitting this pull request.
           Bors-ng will now build test images. When it succeeds, we will continue to review and test your PR.
-          
+
           bors try
-          
+
           Note: if this build fails, [read this](http://mailu.io/master/contributors/environment.html#when-bors-try-fails).
 
   - name: 2 approved reviews; trigger bors r+
@@ -35,18 +35,18 @@ pull_request_rules:
       comment:
         message: bors r+
 
-  - name: Backport to 1.9  branch
+  - name: Backport to 2.0  branch
     conditions:
       - base=master
       - label=type/backport
     actions:
       backport:
         branches:
-          - '1.9'
+          - '2.0'
 
   - name: remove outdated reviews
     conditions:
-      - base~=^(master|1.9)$
+      - base~=^(master|2.0)$
     actions:
       dismiss_reviews:
         approved: True

CHANGELOG.md

@@ -1,6 +1,147 @@
 Changelog
 =========
 
+For full details see the [releases page](https://mailu.io/2.0/releases.html)
+
+Upgrade should run fine as long as you generate a new docker-compose.yml file and mailu.env file via setup.mailu.io.
+After that any old settings can be reapplied to mailu.env.
+Before making any changes, carefully read the [configuration reference](https://mailu.io/2.0/configuration.html). New settings have been introduced and some settings have been removed.
+Multiple changes have been made to the docker-compose.yml file and mailu.env file.
+
+If you use Fail2Ban, then the Fail2Ban intructions have been improved. It is mandatory to remove your Fail2Ban config and re-apply it using the instructions from the [documentation](https://mailu.io/2.0/faq.html#do-you-support-fail2ban).
+
+Please note that once you have upgraded to 2.0 you won't be able to roll-back to earlier versions
+
+After changing mailu.env, it is required to recreate all containers for the changes to be propagated.
+
+2.0.0 - 2023-04-03
+
+- Features: Provide auto-configuration files (autodiscover, autoconfig & mobileconfig); Please update your DNS records ([#224](https://github.com/Mailu/Mailu/issues/224))
+- Features: Introduction of the Mailu RESTful API. The full Mailu config can be changed via the Mailu API.
+  See the section Mailu RESTful API & the section configuration reference in the documentation for more information. ([#445](https://github.com/Mailu/Mailu/issues/445))
+- Features: Allow other folders to be synced by fetchmail ([#711](https://github.com/Mailu/Mailu/issues/711))
+- Features: Update the webmail images.
+  Roundcube
+    - Switch to base image (alpine)
+    - Switch to php-fpm
+  SnappyMail
+    - Switch to base image
+    - Upgrade php7 to php8. ([#1521](https://github.com/Mailu/Mailu/issues/1521))
+- Features: Implement Header authentication via external proxy ([#1972](https://github.com/Mailu/Mailu/issues/1972))
+- Features: Add FETCHMAIL_ENABLED to toggle the fetchmail functionality in the admin interface ([#2127](https://github.com/Mailu/Mailu/issues/2127))
+- Features: Create a polite and turtle delivery queue to accommodate destinations that expect emails to be sent slowly ([#2213](https://github.com/Mailu/Mailu/issues/2213))
+- Features: Add support for custom NGINX config in /etc/nginx/conf.d. ([#2221](https://github.com/Mailu/Mailu/issues/2221))
+- Features: Added ability to mark spam mails as read or unread when moving to junk folder. ([#2278](https://github.com/Mailu/Mailu/issues/2278))
+- Features: Switch from RainLoop to SnappyMail. SnappyMail has better performance and is more secure. ([#2295](https://github.com/Mailu/Mailu/issues/2295))
+- Features: Configurable default spam threshold used for new users ([#2328](https://github.com/Mailu/Mailu/issues/2328))
+- Features: Create a GUI for WILDCARD_SENDERS ([#2372](https://github.com/Mailu/Mailu/issues/2372))
+- Features: Prevent signups with accounts for which an SQL-LIKE alias exists. ([#2429](https://github.com/Mailu/Mailu/issues/2429))
+- Features: Introduce TLS_PERMISSIVE, a new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged, please read the documentation before doing so. ([#2449](https://github.com/Mailu/Mailu/issues/2449))
+- Features: Upgrade the anti-spoofing rule. We shouldn't assume that Mailu is the only MTA allowed to send emails on behalf of the domains it hosts... but we should also ensure that both the envelope from and header from are checked. ([#2475](https://github.com/Mailu/Mailu/issues/2475))
+- Features: Implement the required glue to make "doveadm -A" work ([#2498](https://github.com/Mailu/Mailu/issues/2498))
+- Features: Implement a minimum length for passwords of 8 characters. Check passwords upon login against HaveIBeenPwned and warn users if their passwords are compromised. ([#2500](https://github.com/Mailu/Mailu/issues/2500))
+- Features: Implement OLETools and block bad macros in office documents ([#2510](https://github.com/Mailu/Mailu/issues/2510))
+- Features: Switch to GrapheneOS's hardened_malloc ([#2525](https://github.com/Mailu/Mailu/issues/2525))
+- Features: New override system for Rspamd. In the old system, all files were placed in the Rspamd overrides folder.
+  These overrides would override everything, including the Mailu Rspamd config.
+
+  Now overrides are placed in /overrides.
+  If you use your own map files, change the location to /override/myMapFile.map in the corresponding conf file.
+  It works as following.
+  * If the override file overrides a Mailu defined config file,
+    it will be included in the Mailu config file with lowest priority.
+    It will merge with existing sections.
+  * If the override file does not override a Mailu defined config file,
+    then the file will be placed in the rspamd local.d folder.
+    It will merge with existing sections.
+
+  For more information, see the description of the local.d folder on the rspamd website:
+  https://www.rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories ([#2555](https://github.com/Mailu/Mailu/issues/2555))
+- Features: Adds a button to the roundcube interface that gets you back to the admin interface ([#2591](https://github.com/Mailu/Mailu/issues/2591))
+- Features: Drop postfix rsyslog localhost messages with IPv6 address ([#2594](https://github.com/Mailu/Mailu/issues/2594))
+- Features: Isolate radicale and webmail on their own network. This ensures they don't have privileged access to any of the other containers. ([#2613](https://github.com/Mailu/Mailu/issues/2613))
+- Features: Improved IPv6 support ([#2630](https://github.com/Mailu/Mailu/issues/2630))
+- Features: Provide a changelog for minor releases. The github release will now:
+  * Provide the changelog message from the newsfragment of the PR that triggered the backport.
+  * Provide a github link to the PR/issue of the PR that was backported.
+
+  Switch to building multi-arch images. The images build for pull requests, master and production
+  are now multi-arch images for the architectures:
+  * linux/amd64
+  * linux/arm64/v8
+  * linux/arm/v7
+
+  Enhance CI/CD workflow with retry functionality. All steps for building images are now automatically
+  retried. If a build temporarily fails due to a network error, the retried step will still succeed. ([#2653](https://github.com/Mailu/Mailu/issues/2653))
+- Features: Add Czech translation for web administration interface. ([#2676](https://github.com/Mailu/Mailu/issues/2676))
+- Features: Allow inbound to http and mail ports to accept the PROXY protocol ([#2717](https://github.com/Mailu/Mailu/issues/2717))
+- Bugfixes: Add an option so that emails fetched with fetchmail don't go through the filters (closes #1231) ([#1231](https://github.com/Mailu/Mailu/issues/1231))
+- Bugfixes: Allow '+' in the localpart of email addresses to forward to ([#1236](https://github.com/Mailu/Mailu/issues/1236))
+- Bugfixes: Do not update the updated_at field of the User model when quota_bytes_used is updated ([#1363](https://github.com/Mailu/Mailu/issues/1363))
+- Bugfixes: Remove postfix's master.pid on startup if there is no other instance running ([#1483](https://github.com/Mailu/Mailu/issues/1483))
+- Bugfixes: updated Dockerfile to alpine 3.14.3 to address several CVEs ([#2099](https://github.com/Mailu/Mailu/issues/2099))
+- Bugfixes: The gpg-agent package was missing due to updating to a new debian version.
+  This fix adds gpg-agent back to the roundcube image.
+  It is used for the enigmail roundcube plugin. ([#2117](https://github.com/Mailu/Mailu/issues/2117))
+- Bugfixes: Fix CI/CD workflow. Tags were not set to the correct commit hash. ([#2124](https://github.com/Mailu/Mailu/issues/2124))
+- Bugfixes: Fix a bug preventing mailu from being usable when no webmail is configured ([#2125](https://github.com/Mailu/Mailu/issues/2125))
+- Bugfixes: Enable unbound by default. Mailu now requires a DNSSEC validating DNS resolver and experience has shown that this may not be the default everywhere yet. ([#2135](https://github.com/Mailu/Mailu/issues/2135))
+- Bugfixes: Pin the root certificate differently for DANE. If you have setup a TLSA record following previous suggestion from Mailu please update it. ([#2138](https://github.com/Mailu/Mailu/issues/2138))
+- Bugfixes: Remove the misleading text in mailu.env that zstd and lz4 are supported for dovecot mail compression.
+  Zstd and lz4 are not supported. The reason is that the alpine project does not compile this
+  into the dovecot package.
+  Users who want this funcionality, can kindly request the alpine project to compile dovecot
+  with lz4&zstd support. ([#2139](https://github.com/Mailu/Mailu/issues/2139))
+- Bugfixes: Update roundcube to 1.5.2 to fixe an XSS ([#2141](https://github.com/Mailu/Mailu/issues/2141))
+- Bugfixes: matching rainloop php to roundcube's: timezone is a parameter in mailu.env ([#2193](https://github.com/Mailu/Mailu/issues/2193))
+- Bugfixes: Added the /overrides directory in the roundcube config.inc.php file ([#2195](https://github.com/Mailu/Mailu/issues/2195))
+- Bugfixes: Configuring pwstore_scheme in carddav plugin with des_key because Mailu is incompatible with encrypted
+  https://github.com/mstilkerich/rcmcarddav/blob/master/doc/ADMIN-SETTINGS.md#password-storing-scheme ([#2196](https://github.com/Mailu/Mailu/issues/2196))
+- Bugfixes: Switch from DST_ROOT_X3 to ISRG_X1 as alpine is not shipping the former anymore ([#2199](https://github.com/Mailu/Mailu/issues/2199))
+- Bugfixes: Will update /etc/nginx/nginx.conf and /etc/nginx/http.d/rainloop.conf in webmail container to support MESSAGE_SIZE_LIMIT ([#2207](https://github.com/Mailu/Mailu/issues/2207))
+- Bugfixes: Add input validation for domain creation ([#2210](https://github.com/Mailu/Mailu/issues/2210))
+- Bugfixes: Make public announcement bypass the filters. They may still time-out before being sent if there is a large number of users. ([#2231](https://github.com/Mailu/Mailu/issues/2231))
+- Bugfixes: Work around a bug in coredns: set the DO flag on our DNSSEC queries. Add a new FAQ entry to explain our DNSSEC requirements and ensure that our error message points to it. ([#2239](https://github.com/Mailu/Mailu/issues/2239))
+- Bugfixes: Fetchmail: Missing support for '*_ADDRESS' env vars ([#2246](https://github.com/Mailu/Mailu/issues/2246))
+- Bugfixes: Fix broken setup. Not all dependencies were pinned resulting in a broken update being pulled. ([#2249](https://github.com/Mailu/Mailu/issues/2249))
+- Bugfixes: Fix a bug where rspamd may trigger HFILTER_HOSTNAME_UNKNOWN if part of the delivery chain was using ipv6 ([#2260](https://github.com/Mailu/Mailu/issues/2260))
+- Bugfixes: Update to Alpine Linux 3.14.4 which contains a security fix for openssl. ([#2281](https://github.com/Mailu/Mailu/issues/2281))
+- Bugfixes: Fixed AUTH_RATELIMIT_IP not working on imap/pop3/smtp. ([#2284](https://github.com/Mailu/Mailu/issues/2284))
+- Bugfixes: update alpine linux docker image to version 3.14.5 which includes a security fix for zlib’s CVE-2018-25032. ([#2302](https://github.com/Mailu/Mailu/issues/2302))
+- Bugfixes: postfix: wrap IPv6 CIDRs in square brackets for RELAYNETS ([#2325](https://github.com/Mailu/Mailu/issues/2325))
+- Bugfixes: Disable the built-in nginx resolver for traffic going through the mail plugin. This will silence errors about DNS resolution when the connecting host has no rDNS. ([#2346](https://github.com/Mailu/Mailu/issues/2346))
+- Bugfixes: Re-enable the built-in nginx resolver for traffic going through the mail plugin.
+  This is required for passing rDNS/ptr information to postfix.
+  Without this rspamd will flag all messages with DHFILTER_HOSTNAME_UNKNOWN due to the missing rDNS/ptr info. ([#2368](https://github.com/Mailu/Mailu/issues/2368))
+- Bugfixes: Roundcube overrides now also include .inc.php files. Only .inc.php should be used moving forward. ([#2388](https://github.com/Mailu/Mailu/issues/2388))
+- Bugfixes: Forwarding emails user setting did not support 1 letter domains. ([#2402](https://github.com/Mailu/Mailu/issues/2402))
+- Bugfixes: Update roundcube to 1.5.3
+  Update rcmcarddav plugin to 4.4.2 ([#2415](https://github.com/Mailu/Mailu/issues/2415))
+- Bugfixes: Switch from mysqlclient to mysql-connector explicitely ([#2432](https://github.com/Mailu/Mailu/issues/2432))
+- Bugfixes: Enable rspamd's autolearn feature to ensure that its bayes classifier has enough HAM to make it usable. Previously the bayes module would never work unless some HAM had been learnt manually. ([#2447](https://github.com/Mailu/Mailu/issues/2447))
+- Bugfixes: Fix a bug preventing users without IMAP access to access the webmails ([#2451](https://github.com/Mailu/Mailu/issues/2451))
+- Bugfixes: Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES ([#2467](https://github.com/Mailu/Mailu/issues/2467))
+- Bugfixes: Quote SMTP SIZE to avoid splitting keyword and parameter in EHLO response ([#2485](https://github.com/Mailu/Mailu/issues/2485))
+- Bugfixes: Upgrade to alpine 3.16.2 ([#2497](https://github.com/Mailu/Mailu/issues/2497))
+- Bugfixes: Fix: include start and end dates in the auto-reply period ([#2512](https://github.com/Mailu/Mailu/issues/2512))
+- Bugfixes: Fix creation of deep structures using import in update mode ([#2601](https://github.com/Mailu/Mailu/issues/2601))
+- Bugfixes: Speak HAPROXY protocol in between front and smtp and front and imap. This ensures the backend is aware of the real client IP and whether TLS was used. ([#2603](https://github.com/Mailu/Mailu/issues/2603))
+- Bugfixes: Fix a bug introduced in master whereby anything locally generated (sieve, autoresponder, ...) would be blocked by the anti-spoofing rules ([#2633](https://github.com/Mailu/Mailu/issues/2633))
+- Bugfixes: Fix sieve/out of office replies by adding SUBNET to rspamd's local_networks ([#2635](https://github.com/Mailu/Mailu/issues/2635))
+- Bugfixes: Uses the correct From address (instead of an SRS alias) in the sieve/vacation module ([#2640](https://github.com/Mailu/Mailu/issues/2640))
+- Bugfixes: Tell roundcube to use UTF8 instead of 'UTF7-IMAP' when creating sieve scripts. ([#2650](https://github.com/Mailu/Mailu/issues/2650))
+- Bugfixes: Tweak the snuffleupagus rules to make roundcube's caldav work ([#2693](https://github.com/Mailu/Mailu/issues/2693))
+- Bugfixes: Proxy authentication was using the real client ip instead of the proxy
+  IP for checking the PROXY_AUTH_WHITELIST. ([#2708](https://github.com/Mailu/Mailu/issues/2708))
+- Improved Documentation: remove the / in the location to avoid http 404 ([#2185](https://github.com/Mailu/Mailu/issues/2185))
+- Improved Documentation:  ([#2214](https://github.com/Mailu/Mailu/issues/2214))
+- Deprecations and Removals: Remove POD_ADDRESS_RANGE in favor of SUBNET ([#1258](https://github.com/Mailu/Mailu/issues/1258))
+- Misc:  ([#1341](https://github.com/Mailu/Mailu/issues/1341), [#2121](https://github.com/Mailu/Mailu/issues/2121), [#2211](https://github.com/Mailu/Mailu/issues/2211), [#2242](https://github.com/Mailu/Mailu/issues/2242), [#2338](https://github.com/Mailu/Mailu/issues/2338), [#2357](https://github.com/Mailu/Mailu/issues/2357), [#2383](https://github.com/Mailu/Mailu/issues/2383), [#2511](https://github.com/Mailu/Mailu/issues/2511), [#2526](https://github.com/Mailu/Mailu/issues/2526), [#2533](https://github.com/Mailu/Mailu/issues/2533), [#2539](https://github.com/Mailu/Mailu/issues/2539), [#2550](https://github.com/Mailu/Mailu/issues/2550), [#2566](https://github.com/Mailu/Mailu/issues/2566), [#2570](https://github.com/Mailu/Mailu/issues/2570), [#2577](https://github.com/Mailu/Mailu/issues/2577), [#2605](https://github.com/Mailu/Mailu/issues/2605), [#2606](https://github.com/Mailu/Mailu/issues/2606), [#2618](https://github.com/Mailu/Mailu/issues/2618), [#2634](https://github.com/Mailu/Mailu/issues/2634), [#2644](https://github.com/Mailu/Mailu/issues/2644), [#2660](https://github.com/Mailu/Mailu/issues/2660), [#2666](https://github.com/Mailu/Mailu/issues/2666), [#2692](https://github.com/Mailu/Mailu/issues/2692), [#2698](https://github.com/Mailu/Mailu/issues/2698), [#2704](https://github.com/Mailu/Mailu/issues/2704))
+
+
+Changelog
+=========
+
 For full details see the [releases page](https://mailu.io/1.9/releases.html)
 
 Upgrade should run fine as long as you generate a new compose or stack configuration and upgrade your mailu.env. Please note that once you have upgraded to 1.9 you won't be able to roll-back to earlier versions without resetting user passwords.
@@ -57,7 +198,7 @@ Please note that the shipped image for PostgreSQL database is fully deprecated n
     -  For X.Y and X.Y.Z write the version (X.Y.Z) into /version on the image and add a label with version=X.Y.Z
   	  -  This means that the latest X.Y image shows the pinned version (X.Y.Z e.g. 1.8.1) it was based on. Via the tag X.Y.Z you can see the commit hash that triggered the built.
     -  For master write the commit hash into /version on the image and add a label with version={commit hash}
-  -  Automatic releases. For x.y triggered builts (e.g. merge on 1.9) do a new github release for the pinned x.y.z (e.g. 1.9.2). 
+  -  Automatic releases. For x.y triggered builts (e.g. merge on 1.9) do a new github release for the pinned x.y.z (e.g. 1.9.2).
     -  Release shows a static message (see RELEASE_TEMPLATE.md) that explains how to reach the newsfragments folder and change the branch to the tag (x.y.z) mentioned in the release. Now you can get the changelog by reading all newsfragment files in this folder. ([#1182](https://github.com/Mailu/Mailu/issues/1182))
 - Features: Add a credential cache to speedup authentication requests. ([#1194](https://github.com/Mailu/Mailu/issues/1194))
 - Features: Introduces postfix logging via syslog with these features:
@@ -118,7 +259,7 @@ Please note that the shipped image for PostgreSQL database is fully deprecated n
   Fix bug #1838. ([#2069](https://github.com/Mailu/Mailu/issues/2069))
 - Bugfixes: RELAYNETS should be a comma separated list of networks ([#360](https://github.com/Mailu/Mailu/issues/360))
 - Bugfixes: Fix rate-limiting on /webdav/ ([#1194](https://github.com/Mailu/Mailu/issues/1194))
-- Bugfixes: Fixed fetchmail losing track of fetched emails upon container recreation. 
+- Bugfixes: Fixed fetchmail losing track of fetched emails upon container recreation.
   The relevant fetchmail files are now retained in the /data folder (in the fetchmail image).
   See the docker-compose.yml file for the relevant volume mapping.
   If you already had your own mapping, you must double check the volume mapping and take action. ([#1223](https://github.com/Mailu/Mailu/issues/1223))
@@ -135,7 +276,7 @@ Please note that the shipped image for PostgreSQL database is fully deprecated n
 - Bugfixes: Reverse proxy documentation has been updated to reflect new security hardening from PR#1959.
   If you do not set the configuration parameters in Mailu what reverse proxy header to trust,
   then Mailu will not have access to the real ip address of the connecting client.
-  This means that rate limiting will not properly work. You can also not use fail2ban. 
+  This means that rate limiting will not properly work. You can also not use fail2ban.
   It is very important to configure this when using a reverse proxy. ([#1962](https://github.com/Mailu/Mailu/issues/1962))
 - Bugfixes: Fixed roundcube sso login not working. ([#1990](https://github.com/Mailu/Mailu/issues/1990))
 - Bugfixes: The DB_PORT and ROUNDCUBE_DB_PORT environment variables were not actually used. They are removed from the documentation. For using different ports you can already use the notation host:port . ([#2073](https://github.com/Mailu/Mailu/issues/2073))
@@ -148,7 +289,7 @@ Please note that the shipped image for PostgreSQL database is fully deprecated n
 - Bugfixes: Alias, relay and fetchmail lists in the admin interface were missing the edit button. ([#2093](https://github.com/Mailu/Mailu/issues/2093))
 - Bugfixes: Fix bug introduced by enhanced session management ([#2098](https://github.com/Mailu/Mailu/issues/2102))
 - Bugfixes: Fix build dependencies postfix-mta-sts-resolver. ([#2106](https://github.com/Mailu/Mailu/issues/2106))
-- Improved Documentation: Document hardware requirements when using clamav. 
+- Improved Documentation: Document hardware requirements when using clamav.
   Clamav requires **at least** 2GB of memory.
   This 2Gb does not entail any other software running on the box.
   So in total you require at least 3GB of memory and 1GB swap when antivirus is enabled. ([#470](https://github.com/Mailu/Mailu/issues/470))

core/admin/mailu/configuration.py

@@ -31,7 +31,7 @@ DEFAULT_CONFIG = {
     'SQLALCHEMY_TRACK_MODIFICATIONS': False,
     # Statistics management
     'INSTANCE_ID_PATH': '/data/instance',
-    'STATS_ENDPOINT': '19.{}.stats.mailu.io',
+    'STATS_ENDPOINT': '20.{}.stats.mailu.io',
     # Common configuration variables
     'SECRET_KEY': 'changeMe',
     'DOMAIN': 'mailu.io',

docs/conf.py

@@ -9,7 +9,7 @@ templates_path = ['_templates']
 source_suffix = '.rst'
 master_doc = 'index'
 project = 'Mailu'
-copyright = '2018, Mailu authors'
+copyright = '2023, Mailu authors'
 author = 'Mailu authors'
 version = release = os.environ.get('VERSION', 'master')
 language = 'en'
@@ -25,7 +25,7 @@ htmlhelp_basename = 'Mailudoc'
 # to template names.
 html_sidebars = {
     '**': [
-        'relations.html', 
+        'relations.html',
         'searchbox.html',
     ]
 }
@@ -36,10 +36,10 @@ html_context = {
     'github_user': 'mailu',
     'github_repo': 'mailu',
     'github_version': version,
-    'stable_version': '1.9',
+    'stable_version': '2.0',
     'versions': [
-        ('1.8', '/1.8/'),
         ('1.9', '/1.9/'),
+        ('2.0', '/2.0/'),
         ('master', '/master/')
     ],
     'conf_py_path': '/docs/'

docs/releases.rst

@@ -1,6 +1,308 @@
 Release notes
 =============
 
+Mailu 2.0 - 2023-04-03
+----------------------
+
+Mailu 2.0 is finally available. It is vital to read the `Upgrading` section before upgrading to Mailu 2.0.
+
+Highlights
+``````````
+
+This is an overview of the major features introduced in Mailu 2.0.
+
+Multi-arch images (arm support)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The Mailu project now ships multi-arch images for the architectures:
+
+- linux/amd64
+- linux/arm64/v8
+- linux/arm/v7
+
+It is now possible to run Mailu on most ARM hardware such as the Raspberry Pi.
+
+Auto-configuration for client
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+On the domain details page, there are also DNS records for enabling DNS auto-client configuration.
+Email clients make use of these DNS records to automatically determine the configuration.
+If a reverse proxy is used, then the settings might have to be updated.
+
+For Apple users, the client setup page now offers an autoconfiguration link to automatically configure
+the Apple device for using the Mailu email server.
+
+RESTFul API
+^^^^^^^^^^^
+
+Mailu offers a RESTful API for changing the Mailu configuration.
+Anything that can be configured via the Mailu web administration interface,
+can also be configured via the Mailu RESTful API.
+
+This means the process of configuring a new domain or add new users can be fully automated now.
+
+This release still makes use of a single configured API token. In a future release the authentication
+mechanism for using the Mailu RESTful API will be improved.
+
+For more information refer to the `Mailu RESTful API` page.
+
+Header authentication support (use external identity providers)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+It is now possible to use different authentication providers (such as keycloak) to handle the authentication of Mailu users.
+Mailu offers the functionality to pass via headers the information for automatically loggin in users.
+If a user does not exist yet, Mailu can create the user automatically.
+
+For more information see `Header authentication using an external proxy` in the configuration reference.
+
+Login page for specifically admin or webmail
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+With the introduction of `Header authentication support`, it is now possible to have a login page only for admin or webmail.
+This functionality can be used by visiting either the URL for admin or webmail. E.g.
+
+- https://test.mailu.io/admin
+- https://test.mailu.io/webmail
+
+This results in a login page with a single login button. To access the normal login page, visit the root url.
+
+- https://test.mailu.io
+
+Users who only use the /admin endpoint can now bookmark https://test.mailu.io/admin. When logging in, it is possible to use the `Enter` key again.
+
+Introduction of SnappyMail
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The Rainloop webmail client has been replaced with SnappyMail.
+The Rainloop project had multiple long outstanding security bugs. For this reason the Mailu project looked for alternatives.
+SnappyMail is a fork of Rainloop focussed on performance and security. It offers a similar experience as Rainloop.
+
+Do not mark spam as read
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+In the user settings it is now possible to configure if a received spam email must be marked as read.
+It is  possible to see if you received spam now.
+
+Improve password complexity
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The minimum password length has been increased to 8. It is important to use complex passwords to prevent password guessing attacks.
+We did not want to make changing your password too cumbersome. For this reason the HaveIBeenPwned check is introduced.
+When a user changes his password, Mailu checks if this password exists in any of the breaches reported to HaveIBeenPwned.
+The changed password is only accepted when the password does not exist in any breaches.
+Mailu only checks the hash of the password. Only a part of the hash is submitted to the HaveIBeenPwned API.
+
+OLETools
+^^^^^^^^
+
+OLETools is introduced to block bad macros in Microsoft Office documents. OLETools is able to scan Microsoft Office documents and determine if
+a macro is malicous.
+
+By default attachments with know bad file extensions (such as .exe) are blocked. See the FAQ for more information on updating the list of blocked file extensions.
+
+New override system for Rspamd
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The override system for Rspamd has been overhauled. While the config files were first completely overridden, they are now merged.
+Now overrides are placed in the location (in the Rspamd/Antispam container) /overrides.
+
+If you use your own map files, change the location to /override/myMapFile.map in the corresponding conf file.
+It works as following.
+
+* If the override file overrides a Mailu defined config file,
+  it will be included in the Mailu config file with lowest priority.
+  It will merge with existing sections.
+
+* If the override file does not override a Mailu defined config file,
+  then the file will be placed in the rspamd local.d folder.
+  It will merge with existing sections.
+
+For more information, see the description of the local.d folder on the rspamd website:
+https://www.rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories
+
+
+Adds a button to the roundcube interface that gets you back to the admin interface
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Small feature, but so handy. The menu in Roundcube now shows a button to go the the web administration interface.
+As a user you can now go back to your profile page where you can change your password or spam settings. And then go back to Roundcube again.
+
+PROXY PROTOCOL Support
+^^^^^^^^^^^^^^^^^^^^^^
+
+Reverse proxies can connect to Mailu with the proxy protocol for HTTP and Mail. Below is a small example for Traefik connecting via proxy protocol to Mailu
+
+.. code-block:: bash
+
+  # Static configuration
+  providers:
+  file:
+    directory: "/opt/traefik/conf"
+
+  entryPoints:
+    mailu-web:
+      # Listen on port 8081 for incoming requests
+      address: :443
+    mailu-smtp:
+      address: :25
+    mailu-imaps:
+      address: :993
+    mailu-smtps:
+      address: :465
+    mailu-starttls:
+      address: :587
+
+  # From dynamic configuration /opt/traefik/conf
+  tls:
+    certificates:
+      - certFile: /etc/letsencrypt/live/mydomain.com/fullchain.pem
+        keyFile: /etc/letsencrypt/live/mydomain.com/privkey.pem
+
+  tcp:
+    routers:
+      mailu-web:
+        entryPoints:
+          - mailu-web
+        rule: "HostSNI(`*`)"
+        service: "mailu-web"
+      mailu-smtp:
+        entryPoints:
+          - mailu-smtp
+        rule: "HostSNI(`*`)"
+        service: "mailu-smtp"
+      mailu-imaps:
+        entryPoints:
+          - mailu-imaps
+        rule: "HostSNI(`*`)"
+        service: "mailu-imaps"
+      mailu-smtps:
+        entryPoints:
+          - mailu-smtps
+        rule: "HostSNI(`*`)"
+        service: "mailu-smtps"
+      mailu-starttls:
+        entryPoints:
+          - mailu-starttls
+        rule: "HostSNI(`*`)"
+        service: "mailu-starttls"
+    services:
+      mailu-web:
+        loadBalancer:
+          proxyProtocol:
+            version: 2
+          servers:
+            - address: "MailuServer:443"
+      mailu-smtp:
+        loadBalancer:
+          proxyProtocol:
+            version: 2
+          servers:
+            - address: "MailuServer:25"
+      mailu-smtps:
+        loadBalancer:
+          proxyProtocol:
+            version: 2
+          servers:
+            - address: "MailuServer:465"
+      mailu-starttls:
+        loadBalancer:
+          proxyProtocol:
+            version: 2
+          servers:
+            - address: "MailuServer:587"
+      mailu-imaps:
+        loadBalancer:
+          proxyProtocol:
+            version: 2
+          servers:
+            - address: "MailuServer:993"
+
+
+
+New Functionality & Improvements
+````````````````````````````````
+
+For a list of all the changes (including bug fixes) refer to `CHANGELOG.md` in the root folder of the Mailu github project.
+
+A short summary of the new features:
+
+- Features: Provide auto-configuration files (autodiscover, autoconfig & mobileconfig); Please update your DNS records
+- Features: Introduction of the Mailu RESTful API. The full Mailu config can be changed via the Mailu API.
+  See the section Mailu RESTful API & the section configuration reference in the documentation for more information.
+- Features: Allow other folders to be synced by fetchmail
+- Features: Update the webmail images.
+  Roundcube
+
+    - Switch to base image (alpine)
+    - Switch to php-fpm
+
+  SnappyMail
+
+    - Switch to base image
+    - Upgrade php7 to php8.
+
+- Features: Implement Header authentication via external proxy
+- Features: Add FETCHMAIL_ENABLED to toggle the fetchmail functionality in the admin interface
+- Features: Create a polite and turtle delivery queue to accommodate destinations that expect emails to be sent slowly
+- Features: Add support for custom NGINX config in /etc/nginx/conf.d.
+- Features: Added ability to mark spam mails as read or unread when moving to junk folder.
+- Features: Switch from RainLoop to SnappyMail. SnappyMail has better performance and is more secure.
+- Features: Configurable default spam threshold used for new users
+- Features: Create a GUI for WILDCARD_SENDERS
+- Features: Prevent signups with accounts for which an SQL-LIKE alias exists.
+- Features: Introduce TLS_PERMISSIVE, a new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged, please read the documentation before doing so.
+- Features: Upgrade the anti-spoofing rule. We shouldn't assume that Mailu is the only MTA allowed to send emails on behalf of the domains it hosts... but we should also ensure that both the envelope from and header from are checked.
+- Features: Implement the required glue to make "doveadm -A" work
+- Features: Implement a minimum length for passwords of 8 characters. Check passwords upon login against HaveIBeenPwned and warn users if their passwords are compromised.
+- Features: Implement OLETools and block bad macros in office documents
+- Features: Switch to GrapheneOS's hardened_malloc
+- Features: New override system for Rspamd. In the old system, all files were placed in the Rspamd overrides folder.
+  These overrides would override everything, including the Mailu Rspamd config.
+
+  Now overrides are placed in /overrides.
+  If you use your own map files, change the location to /override/myMapFile.map in the corresponding conf file.
+  It works as following.
+
+  * If the override file overrides a Mailu defined config file,
+    it will be included in the Mailu config file with lowest priority.
+    It will merge with existing sections.
+  * If the override file does not override a Mailu defined config file,
+    then the file will be placed in the rspamd local.d folder.
+    It will merge with existing sections.
+
+  For more information, see the description of the local.d folder on the rspamd website:
+  https://www.rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories
+- Features: Adds a button to the roundcube interface that gets you back to the admin interface
+- Features: Drop postfix rsyslog localhost messages with IPv6 address
+- Features: Isolate radicale and webmail on their own network. This ensures they don't have privileged access to any of the other containers.
+- Features: Improved IPv6 support
+- Features: Provide a changelog for minor releases. The github release will now:
+
+  * Provide the changelog message from the newsfragment of the PR that triggered the backport.
+  * Provide a github link to the PR/issue of the PR that was backported.
+
+  Switch to building multi-arch images. The images build for pull requests, master and production
+  are now multi-arch images for the architectures:
+
+  * linux/amd64
+  * linux/arm64/v8
+  * linux/arm/v7
+
+  Enhance CI/CD workflow with retry functionality. All steps for building images are now automatically
+  retried. If a build temporarily fails due to a network error, the retried step will still succeed.
+- Features: Add Czech translation for web administration interface.
+- Features: Allow inbound to http and mail ports to accept the PROXY protocol
+
+Upgrading
+`````````
+
+Upgrade should run fine as long as you generate a new compose & mailu.env and then reapply custom config settings to mailu.env.
+
+If you use Fail2Ban, then the Fail2Ban intructions have been improved. It is mandatory to remove your Fail2Ban config and re-apply it using the instructions from :ref:`updated Fail2Ban documentation <Fail2Ban>`.
+
+To use the new autoconfig endpoint and Mailu RESTFul API, you may need to update your reverse proxy config.
+
+
 Mailu 1.9 - 2021-12-29
 ----------------------
 
@@ -28,10 +330,10 @@ A fair amount of work went in this release; In no particular order:
 Updated Admin interface
 ^^^^^^^^^^^^^^^^^^^^^^^
 
-The Web Administration interface makes use of AdminLTE. The AdminLTE2 technology has been upgraded to AdminLTE3. This cost a lot of effort due to the changes between AdminLTE2 and AdminLTE3. 
+The Web Administration interface makes use of AdminLTE. The AdminLTE2 technology has been upgraded to AdminLTE3. This cost a lot of effort due to the changes between AdminLTE2 and AdminLTE3.
 As a result the webpage looks more modern. All tables now have a filter and columns that can be sorted. If you have many users or domains, this will be a very welcome new feature!
 
-A language selector has been added. On the login page and in the Web Admin Interface, the language selector can be accessed in the top right. 
+A language selector has been added. On the login page and in the Web Admin Interface, the language selector can be accessed in the top right.
 
 
 Import/Export command on steroids
@@ -41,7 +343,7 @@ The Mailu command line has been enhanced with the new config-export and config-i
 **Everything** that can be configured in the Mailu Web Administration Interface can now be exported and imported via yaml files.
 So via YAML files, you can now bulk configure a complete new installation, without the need to access the Mailu Web Administration Interface.
 
-It is also possible to create new users or import new users (with password hashes) using the config-import. 
+It is also possible to create new users or import new users (with password hashes) using the config-import.
 
 With this new command it is very easy to switch to a different database management system for the Mailu database. Simply dump your configuration to yaml file.
 After setting up your new Mailu system with the different DBMS, you can import the yaml file with all Mailu configuration.
@@ -76,13 +378,13 @@ The images now also contain the release it was built for.
 
 On the github project we will automatically create releases for each X.Y.Z release. Via this release you can check what commit hash the tag is assigned to.
 
-With this improvement in our CI/CD workflow, it is possible to be notified when an update is released via github releases. It is also possible to use pinned versions to update in a controlled manner. 
+With this improvement in our CI/CD workflow, it is possible to be notified when an update is released via github releases. It is also possible to use pinned versions to update in a controlled manner.
 
 
 New Functionality & Improvements
 ````````````````````````````````
 
-For a list of all the changes (including bug fixes) refer to `CHANGELOG.md` in the root folder of the Mailu github project. 
+For a list of all the changes (including bug fixes) refer to `CHANGELOG.md` in the root folder of the Mailu github project.
 
 A short summary of the new features:
 
@@ -112,7 +414,7 @@ A short summary of the new features:
 - Introduce MTA-STS and DANE validation.
 - Added Hebrew translation.
 - Log authentication attempts on the admin portal. Fail2ban can now be used to monitor login attempts on Admin/Webmail.
-- Remove Mailu PostgreSQL. 
+- Remove Mailu PostgreSQL.
 - Admin/Webmail sessions expire now. This can be tweakers via mailu.env.
 
 
@@ -127,7 +429,7 @@ For more information see the :ref:`configuration reference <reverse_proxy_header
 
 If you use Fail2Ban, you configure Fail2Ban to monitor failed logon attempts for the web-facing frontend (Admin/Webmail). See the :ref:`updated Fail2Ban documentation <Fail2Ban>` for more information.
 
-Please note that the shipped image for the PostgreSQL database is fully deprecated now. 
+Please note that the shipped image for the PostgreSQL database is fully deprecated now.
 To migrate to the official PostgreSQL image, you can follow our :ref:`migration guide <migrate_mailu_postgresql>`.
 
 
@@ -136,7 +438,7 @@ Mailu 1.8 - 2021-08-7
 
 The full 1.8 release is finally ready. There have been some changes in the contributors team. Many people from the contributors team have stepped back due to changed priorities in their life.
 We are very grateful for all their contributions and hope we will see them back again in the future.
-This is the main reason why it took so long for 1.8 to be fully released. 
+This is the main reason why it took so long for 1.8 to be fully released.
 
 Fortunately more people have decided to join the project. Some very nice contributions have been made which will become part of the next 1.9 release.
 We hope that future Mailu releases will be released more quickly now we have more active contributors again.
@@ -184,8 +486,8 @@ Override files are now mounted read-only into the containers. The Dovecot and Po
 Recreate SECRET_KEY after upgrading
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Improvements have been made to protect again session-fixation attacks. 
-To be fully protected, it is required to change your SECRET_KEY in Mailu.env after upgrading. 
+Improvements have been made to protect again session-fixation attacks.
+To be fully protected, it is required to change your SECRET_KEY in Mailu.env after upgrading.
 A new SECRET_KEY is generated when you recreate your docker-compose.yml & mailu.env file via setup.mailu.io.
 
 The SECRET_KEY is an uppercase alphanumeric string of length 16. You can manually create such a string via

docs/setup.rst

@@ -32,7 +32,7 @@ Pick a Mailu version
 
 Mailu is shipped in multiple versions.
 
-- ``1.9`` features the most recent stable version for Mailu. This is the
+- ``2.0`` features the most recent stable version for Mailu. This is the
   recommended build for new setups, old setups should migrate when possible.
 
 - ``1.0``, ``1.1``, and other version branches feature old versions of Mailu

towncrier/2591.feature

@@ -1 +0,0 @@
-Adds a button to the roundcube interface that gets you back to the admin interface

towncrier/2630.feature

@@ -1 +0,0 @@
-Improved IPv6 support

towncrier/newsfragments/1231.bugfix

@@ -1 +0,0 @@
-Add an option so that emails fetched with fetchmail don't go through the filters (closes #1231)

towncrier/newsfragments/1236.bugfix

@@ -1 +0,0 @@
-Allow '+' in the localpart of email addresses to forward to

towncrier/newsfragments/1258.removal

@@ -1 +0,0 @@
-Remove POD_ADDRESS_RANGE in favor of SUBNET

towncrier/newsfragments/1341.misc

@@ -1,4 +0,0 @@
-Remove HOST_* variables, use *_ADDRESS everywhere instead. Please note that those should only contain a FQDN (no port number).
-Derive a different key for admin/SECRET_KEY; this will invalidate existing sessions
-Ensure that rspamd starts after clamav
-Only display a single HOSTNAME on the client configuration page

towncrier/newsfragments/1363.bugfix

@@ -1 +0,0 @@
-Do not update the updated_at field of the User model when quota_bytes_used is updated

towncrier/newsfragments/1483.bugfix

@@ -1 +0,0 @@
-Remove postfix's master.pid on startup if there is no other instance running

towncrier/newsfragments/1521.feature

@@ -1,7 +0,0 @@
-Update the webmail images.
-Roundcube
-  - Switch to base image (alpine)
-  - Switch to php-fpm
-SnappyMail
-  - Switch to base image
-  - Upgrade php7 to php8.

towncrier/newsfragments/1972.feature

@@ -1 +0,0 @@
-Implement Header authentication via external proxy

towncrier/newsfragments/2099.bugfix

@@ -1 +0,0 @@
-updated Dockerfile to alpine 3.14.3 to address several CVEs

towncrier/newsfragments/2117.bugfix

@@ -1,3 +0,0 @@
-The gpg-agent package was missing due to updating to a new debian version.
-This fix adds gpg-agent back to the roundcube image.
-It is used for the enigmail roundcube plugin.

towncrier/newsfragments/2121.misc

@@ -1 +0,0 @@
-We forgot to include all changes in the CHANGELOG.md file for Mailu 1.9.0. The CHANGELOG.md and towncrier/newsfragments folder has now been updated correctly.

towncrier/newsfragments/2124.bugfix

@@ -1 +0,0 @@
-Fix CI/CD workflow. Tags were not set to the correct commit hash.

towncrier/newsfragments/2125.bugfix

@@ -1 +0,0 @@
-Fix a bug preventing mailu from being usable when no webmail is configured

towncrier/newsfragments/2127.feature

@@ -1 +0,0 @@
-Add FETCHMAIL_ENABLED to toggle the fetchmail functionality in the admin interface

towncrier/newsfragments/2135.bugfix

@@ -1 +0,0 @@
-Enable unbound by default. Mailu now requires a DNSSEC validating DNS resolver and experience has shown that this may not be the default everywhere yet.

towncrier/newsfragments/2138.bugfix

@@ -1 +0,0 @@
-Pin the root certificate differently for DANE. If you have setup a TLSA record following previous suggestion from Mailu please update it.

towncrier/newsfragments/2139.bugfix

@@ -1,5 +0,0 @@
-Remove the misleading text in mailu.env that zstd and lz4 are supported for dovecot mail compression.
-Zstd and lz4 are not supported. The reason is that the alpine project does not compile this
-into the dovecot package.
-Users who want this funcionality, can kindly request the alpine project to compile dovecot
-with lz4&zstd support.

towncrier/newsfragments/2141.bugfix

@@ -1 +0,0 @@
-Update roundcube to 1.5.2 to fixe an XSS

towncrier/newsfragments/2185.doc

@@ -1 +0,0 @@
-remove the / in the location to avoid http 404

towncrier/newsfragments/2193.bugfix

@@ -1 +0,0 @@
-matching rainloop php to roundcube's: timezone is a parameter in mailu.env

towncrier/newsfragments/2195.bugfix

@@ -1 +0,0 @@
-Added the /overrides directory in the roundcube config.inc.php file

towncrier/newsfragments/2196.bugfix

@@ -1,2 +0,0 @@
-Configuring pwstore_scheme in carddav plugin with des_key because Mailu is incompatible with encrypted
-https://github.com/mstilkerich/rcmcarddav/blob/master/doc/ADMIN-SETTINGS.md#password-storing-scheme

towncrier/newsfragments/2199.bugfix

@@ -1 +0,0 @@
-Switch from DST_ROOT_X3 to ISRG_X1 as alpine is not shipping the former anymore

towncrier/newsfragments/2207.bugfix

@@ -1 +0,0 @@
-Will update /etc/nginx/nginx.conf and /etc/nginx/http.d/rainloop.conf in webmail container to support MESSAGE_SIZE_LIMIT

towncrier/newsfragments/2210.bugfix

@@ -1 +0,0 @@
-Add input validation for domain creation

towncrier/newsfragments/2211.misc

@@ -1 +0,0 @@
-Set imap_idle_notify_interval to 29 mins (see rfc2177) to ensure we use IMAP IDLE effectively

towncrier/newsfragments/2213.feature

@@ -1 +0,0 @@
-Create a polite and turtle delivery queue to accommodate destinations that expect emails to be sent slowly

towncrier/newsfragments/2221.feature

@@ -1 +0,0 @@
-Add support for custom NGINX config in /etc/nginx/conf.d.

towncrier/newsfragments/2231.bugfix

@@ -1 +0,0 @@
-Make public announcement bypass the filters. They may still time-out before being sent if there is a large number of users.

towncrier/newsfragments/2239.bugfix

@@ -1 +0,0 @@
-Work around a bug in coredns: set the DO flag on our DNSSEC queries. Add a new FAQ entry to explain our DNSSEC requirements and ensure that our error message points to it.

towncrier/newsfragments/224.feature

@@ -1 +0,0 @@
-Provide auto-configuration files (autodiscover, autoconfig & mobileconfig); Please update your DNS records

towncrier/newsfragments/2242.misc

@@ -1 +0,0 @@
-Make quotas adjustable in 50MiB increments

towncrier/newsfragments/2246.bugfix

@@ -1 +0,0 @@
-Fetchmail: Missing support for '*_ADDRESS' env vars

towncrier/newsfragments/2249.bugfix

@@ -1 +0,0 @@
-Fix broken setup. Not all dependencies were pinned resulting in a broken update being pulled.

towncrier/newsfragments/2260.bugfix

@@ -1 +0,0 @@
-Fix a bug where rspamd may trigger HFILTER_HOSTNAME_UNKNOWN if part of the delivery chain was using ipv6

towncrier/newsfragments/2278.feature

@@ -1 +0,0 @@
-Added ability to mark spam mails as read or unread when moving to junk folder.

towncrier/newsfragments/2281.bugfix

@@ -1 +0,0 @@
-Update to Alpine Linux 3.14.4 which contains a security fix for openssl. 

towncrier/newsfragments/2284.bugfix

@@ -1 +0,0 @@
-Fixed AUTH_RATELIMIT_IP not working on imap/pop3/smtp.

towncrier/newsfragments/2295.feature

@@ -1 +0,0 @@
-Switch from RainLoop to SnappyMail. SnappyMail has better performance and is more secure. 

towncrier/newsfragments/2302.bugfix

@@ -1 +0,0 @@
-update alpine linux docker image to version 3.14.5 which includes a security fix for zlib’s CVE-2018-25032.

towncrier/newsfragments/2325.bugfix

@@ -1 +0,0 @@
-postfix: wrap IPv6 CIDRs in square brackets for RELAYNETS

towncrier/newsfragments/2328.feature

@@ -1 +0,0 @@
-Configurable default spam threshold used for new users

towncrier/newsfragments/2338.misc

@@ -1 +0,0 @@
-Don't send the `X-XSS-Protection` http header anymore. 

towncrier/newsfragments/2346.bugfix

@@ -1 +0,0 @@
-Disable the built-in nginx resolver for traffic going through the mail plugin. This will silence errors about DNS resolution when the connecting host has no rDNS.

towncrier/newsfragments/2357.misc

@@ -1 +0,0 @@
-Switch to ffdhe3072, the "nothing up my sleeves" group defined in RFC 7919.

towncrier/newsfragments/2368.bugfix

@@ -1,3 +0,0 @@
-Re-enable the built-in nginx resolver for traffic going through the mail plugin.
-This is required for passing rDNS/ptr information to postfix.
-Without this rspamd will flag all messages with DHFILTER_HOSTNAME_UNKNOWN due to the missing rDNS/ptr info.

towncrier/newsfragments/2372.feature

@@ -1 +0,0 @@
-Create a GUI for WILDCARD_SENDERS

towncrier/newsfragments/2383.misc

@@ -1,9 +0,0 @@
-Switch from docker build to buildx for CI/CD.
-- The main workflow file has been optimised and simplified.
-- Images are built in parallel when building locally resulting in faster build times.
-- The github action workflow is about 50% faster.
-- Arm images are built as well. These images are not tested due to restrictions of github actions (no arm runners). The tags of the images have -arm appended to it.
-- Arm images can also be built locally.
-- Reusable workflow is introduced for building, testing and deploying the images.
-  This allows the workflow to be reused for other purposes in the future.
-- Workflow can be manually triggered. This allows forked Mailu projects to also use the workflow for building images.

towncrier/newsfragments/2388.bugfix

@@ -1 +0,0 @@
-Roundcube overrides now also include .inc.php files. Only .inc.php should be used moving forward.

towncrier/newsfragments/2402.bugfix

@@ -1 +0,0 @@
-Forwarding emails user setting did not support 1 letter domains.

towncrier/newsfragments/2415.bugfix

@@ -1,2 +0,0 @@
-Update roundcube to 1.5.3
-Update rcmcarddav plugin to 4.4.2

towncrier/newsfragments/2429.feature

@@ -1 +0,0 @@
-Prevent signups with accounts for which an SQL-LIKE alias exists.

towncrier/newsfragments/2432.bugfix

@@ -1 +0,0 @@
-Switch from mysqlclient to mysql-connector explicitely

towncrier/newsfragments/2447.bugfix

@@ -1 +0,0 @@
-Enable rspamd's autolearn feature to ensure that its bayes classifier has enough HAM to make it usable. Previously the bayes module would never work unless some HAM had been learnt manually.

towncrier/newsfragments/2449.feature

@@ -1 +0,0 @@
-Introduce TLS_PERMISSIVE, a new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged, please read the documentation before doing so.

towncrier/newsfragments/2451.bugfix

@@ -1 +0,0 @@
-Fix a bug preventing users without IMAP access to access the webmails

towncrier/newsfragments/2467.bugfix

@@ -1 +0,0 @@
-Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES

towncrier/newsfragments/2475.feature

@@ -1 +0,0 @@
-Upgrade the anti-spoofing rule. We shouldn't assume that Mailu is the only MTA allowed to send emails on behalf of the domains it hosts... but we should also ensure that both the envelope from and header from are checked.

towncrier/newsfragments/2485.bugfix

@@ -1 +0,0 @@
-Quote SMTP SIZE to avoid splitting keyword and parameter in EHLO response

towncrier/newsfragments/2497.bugfix

@@ -1 +0,0 @@
-Upgrade to alpine 3.16.2

towncrier/newsfragments/2498.feature

@@ -1 +0,0 @@
-Implement the required glue to make "doveadm -A" work

towncrier/newsfragments/2500.feature

@@ -1 +0,0 @@
-Implement a minimum length for passwords of 8 characters. Check passwords upon login against HaveIBeenPwned and warn users if their passwords are compromised.

towncrier/newsfragments/2510.feature

@@ -1 +0,0 @@
-Implement OLETools and block bad macros in office documents

towncrier/newsfragments/2511.misc

@@ -1 +0,0 @@
-Block executable file formats by default. Ask your users to zip them up if required.

towncrier/newsfragments/2512.bugfix

@@ -1 +0,0 @@
-Fix: include start and end dates in the auto-reply period

towncrier/newsfragments/2525.feature

@@ -1 +0,0 @@
-Switch to GrapheneOS's hardened_malloc

towncrier/newsfragments/2526.misc

@@ -1 +0,0 @@
-Upgrade Snappymail to 2.21 and merge the webmail containers

towncrier/newsfragments/2533.misc

@@ -1,17 +0,0 @@
-Introduce SQLAlchemy database uris for configuring the admin and roundcube database.
-Remove the database configuration option from the setup utility. Using a different
-database system than SQLite is not necessary for Mailu. The Mailu database generally
-contains static data.
-
-The usage of the *DB_* environment variables is deprecated now.
-They can still be used in the release after Mailu 1.9, but will be removed
-after that version. This means it will be removed from master after the upcoming
-Mailu release.
-
-To start using the new environment variables, all *DB_* environment variables must be changed to:
-SQLALCHEMY_DATABASE_URI=<SQLAlchemy database URL>
-SQLALCHEMY_DATABASE_URI_ROUNDCUBE=<Roundcube database URL>
-
-If no URI is specified, SQLite is used with these settings:
-SQLALCHEMY_DATABASE_URI=sqlite:////data/main.db
-SQLALCHEMY_DATABASE_URI_ROUNDCUBE=sqlite:////data/roundcube.db

towncrier/newsfragments/2539.misc

@@ -1 +0,0 @@
-Upgrade to Alpine 3.16.3; Make setup, admin and rspamd run without root privs. Please ensure that your folder overrides/rspamd is owned by 1000:1000

towncrier/newsfragments/2550.misc

@@ -1 +0,0 @@
-Add Snuffleupagus to protect webmails (a Suhosin replacement)

towncrier/newsfragments/2555.feature

@@ -1,15 +0,0 @@
-New override system for Rspamd. In the old system, all files were placed in the Rspamd overrides folder.
-These overrides would override everything, including the Mailu Rspamd config.
-
-Now overrides are placed in /overrides.
-If you use your own map files, change the location to /override/myMapFile.map in the corresponding conf file.
-It works as following.
-* If the override file overrides a Mailu defined config file,
-  it will be included in the Mailu config file with lowest priority.
-  It will merge with existing sections.
-* If the override file does not override a Mailu defined config file,
-  then the file will be placed in the rspamd local.d folder.
-  It will merge with existing sections.
-
-For more information, see the description of the local.d folder on the rspamd website:
-https://www.rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories

towncrier/newsfragments/2566.misc

@@ -1,2 +0,0 @@
-Remove the ability to delete users via the webui; Disable them instead.
-For more information on deleting users see the entry "How to delete users" in the FAQ.

towncrier/newsfragments/2570.misc

@@ -1 +0,0 @@
-Upgrade to Alpine 3.17.0

towncrier/newsfragments/2577.misc

@@ -1 +0,0 @@
-Autofocus the login form on /sso/login

towncrier/newsfragments/2594.feature

@@ -1 +0,0 @@
-Drop postfix rsyslog localhost messages with IPv6 address

towncrier/newsfragments/2601.bugfix

@@ -1 +0,0 @@
-Fix creation of deep structures using import in update mode

towncrier/newsfragments/2603.bugfix

@@ -1 +0,0 @@
-Speak HAPROXY protocol in between front and smtp and front and imap. This ensures the backend is aware of the real client IP and whether TLS was used.

towncrier/newsfragments/2605.misc

@@ -1 +0,0 @@
-Reduce the SSL session caches from 50m each to 3m each. This should be good for 12k sessions (within 1day) for each cache and will help reduce memory usage.

towncrier/newsfragments/2606.misc

@@ -1 +0,0 @@
-Modify the healtchecks to make them disapear from the logs.

towncrier/newsfragments/2608.fix

@@ -1 +0,0 @@
-Don't talk haproxy to postfix yet.

towncrier/newsfragments/2613.feature

@@ -1 +0,0 @@
-Isolate radicale and webmail on their own network. This ensures they don't have privileged access to any of the other containers.

towncrier/newsfragments/2618.misc

@@ -1 +0,0 @@
-Upgrade to snuffleupagus 0.9.0

towncrier/newsfragments/2633.bugfix

@@ -1 +0,0 @@
-Fix a bug introduced in master whereby anything locally generated (sieve, autoresponder, ...) would be blocked by the anti-spoofing rules

towncrier/newsfragments/2634.misc

@@ -1 +0,0 @@
-Upgrade webmails: snappymail to 2.25.0, roundcube to 1.6.1 and carddav to 5.0.1

towncrier/newsfragments/2635.bugfix

@@ -1 +0,0 @@
-Fix sieve/out of office replies by adding SUBNET to rspamd's local_networks

towncrier/newsfragments/2636.enhancement

@@ -1 +0,0 @@
-Upgrade to alpine 3.17.1

towncrier/newsfragments/2640.bugfix

@@ -1 +0,0 @@
-Uses the correct From address (instead of an SRS alias) in the sieve/vacation module

towncrier/newsfragments/2644.misc

@@ -1 +0,0 @@
-Implement de-dupplication on rate limits. Now only attempts for distinct usernames will count as a hit.

towncrier/newsfragments/2650.bugfix

@@ -1 +0,0 @@
-Tell roundcube to use UTF8 instead of 'UTF7-IMAP' when creating sieve scripts.

towncrier/newsfragments/2653.feature

@@ -1,12 +0,0 @@
-Provide a changelog for minor releases. The github release will now:
-* Provide the changelog message from the newsfragment of the PR that triggered the backport.
-* Provide a github link to the PR/issue of the PR that was backported.
-
-Switch to building multi-arch images. The images build for pull requests, master and production
-are now multi-arch images for the architectures:
-* linux/amd64
-* linux/arm64/v8
-* linux/arm/v7
-
-Enhance CI/CD workflow with retry functionality. All steps for building images are now automatically
-retried. If a build temporarily fails due to a network error, the retried step will still succeed.