
Merge branch 'Mailu:master' into patch-1

This commit is contained in:
DaCHack
2025-08-18 18:40:48 +02:00
committed by GitHub
4 changed files with 96 additions and 28 deletions


@@ -0,0 +1 @@
Fix Snappymail


@@ -1,15 +1,15 @@
server {
listen 80 default_server;
{% if SUBNET6 %}
{% if SUBNET6 %}
listen [::]:80 default_server;
{% endif %}
{% endif %}
resolver {{ RESOLVER }} valid=30s;
{% if WEBMAIL == 'roundcube' %}
{% if WEBMAIL == 'roundcube' %}
root /var/www/{{ WEBMAIL }}/public_html;
{% else %}
{% else %}
root /var/www/{{ WEBMAIL }};
{% endif %}
{% endif %}
include /etc/nginx/mime.types;
@@ -36,7 +36,7 @@ server {
try_files $uri $uri/ /index.php$args;
}
location ~ \.php$ {
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
@@ -55,11 +55,12 @@ server {
{% else %}
fastcgi_param SCRIPT_NAME {{WEB_WEBMAIL}}/$fastcgi_script_name;
{% endif %}
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param PATH_INFO $fastcgi_path_info;
# fastcgi buffers for php-fpm #
fastcgi_buffers 16 32k;
fastcgi_buffer_size 64k;
fastcgi_busy_buffers_size 64k;
fastcgi_request_buffering off;
# nginx buffers #
proxy_buffer_size 128k;
@@ -67,12 +68,31 @@ server {
proxy_busy_buffers_size 256k;
}
# Assets cache control
# --------------------------------------
location ~* \.(?:html|xml|json)$ {
expires -1;
}
location ~* \.(?:css|js)$ {
expires 7d;
add_header Pragma public;
add_header Cache-Control "public";
}
location ~* \.(?:gif|jpe?g|png|ico|otf|eot|svg|ttf|woff|woff2)$ {
expires 30d;
log_not_found off;
add_header Pragma public;
add_header Cache-Control "public";
}
location ~ (^|/)\. {
deny all;
}
location ~* /(config|temp|logs|data) {
deny all;
deny all;
}
location = /ping {
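Review bot: The two `deny all` locations at the end of this hunk are shadowed for part of the tree, because nginx evaluates `~`/`~*` locations in file order and stops at the first match: a request for a dotfile or a `/config`, `/temp`, `/logs` or `/data` path whose name ends in `.css`, `.js`, `.html`, `.xml`, `.json` or one of the image/font suffixes matches the new asset-cache locations first and is served rather than denied. Move `location ~ (^|/)\. { deny all; }` and the `location ~* /(config|temp|logs|data)` block above the `# Assets cache control` section; the same reasoning suggests they should also precede the `location ~ [^/]\.php(/|$)` block from the earlier hunk, which otherwise hands such paths to php-fpm, though that ordering predates this commit. Separately, the `add_header` lines inside the css/js and image locations suppress any `add_header` directives inherited from the `server` level, so if security headers are set there they need to be repeated in these locations. The hunk appears truncated after `location = /ping {`, so its remaining lines could not be reviewed.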


@@ -1,10 +1,20 @@
{
"name": "*",
"IMAP": {
"host": "{{ FRONT_ADDRESS }}",
"port": 10143,
"secure": 3,
"type": 0,
"timeout": 300,
"shortLogin": false,
"lowerLogin": true,
"stripLogin": "",
"sasl": [
"SCRAM-SHA3-512",
"SCRAM-SHA-512",
"SCRAM-SHA-256",
"SCRAM-SHA-1",
"PLAIN",
"LOGIN"
],
"ssl": {
"verify_peer": false,
"verify_peer_name": false,
@@ -13,15 +23,37 @@
"disable_compression": true,
"security_level": 1
},
{% if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] %}
"fast_simple_search": "false"
{% endif %}
"use_expunge_all_on_delete": false,
"fast_simple_search": {% if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] %}true{% else %}false{% endif %},
"force_select": false,
"message_all_headers": false,
"message_list_limit": 10000,
"search_filter": "",
"spam_headers": "",
"virus_headers": "",
"disabled_capabilities": [
"METADATA",
"OBJECTID",
"PREVIEW",
"STATUS=SIZE"
]
},
"SMTP": {
"host": "{{ FRONT_ADDRESS }}",
"port": 10025,
"secure": 3,
"type": 0,
"timeout": 60,
"shortLogin": false,
"lowerLogin": true,
"stripLogin": "",
"sasl": [
"SCRAM-SHA3-512",
"SCRAM-SHA-512",
"SCRAM-SHA-256",
"SCRAM-SHA-1",
"PLAIN",
"LOGIN"
],
"ssl": {
"verify_peer": false,
"verify_peer_name": false,
@@ -32,22 +64,35 @@
},
"useAuth": true,
"setSender": false,
"usePhpMail": false
"usePhpMail": false,
"authPlainLine": false
},
"Sieve": {
"host": "{{ FRONT_ADDRESS }}",
"port": 14190,
"type": 3,
"type": 0,
"timeout": 10,
"shortLogin": false,
"lowerLogin": true,
"stripLogin": "",
"sasl": [
"SCRAM-SHA3-512",
"SCRAM-SHA-512",
"SCRAM-SHA-256",
"SCRAM-SHA-1",
"PLAIN",
"LOGIN"
],
"ssl": {
"verify_peer": false,
"verify_peer_name": false,
"allow_self_signed": true,
"allow_self_signed": false,
"SNI_enabled": true,
"disable_compression": true,
"security_level": 1
},
"enabled": true
"enabled": true,
"authLiteral": true
},
"whiteList": ""
}
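Review bot: Changing `"allow_self_signed"` to `false` in the Sieve `ssl` block does not tighten anything, because `"verify_peer": false` and `"verify_peer_name": false` on the two lines above it still disable certificate verification for that connection; the IMAP and SMTP blocks carry the same combination. If the change is only meant to align the three blocks, that is fine, but the template should say why verification is off, presumably because `FRONT_ADDRESS` is an internal hop; since the file is a Jinja template a `{# ... #}` comment is available even though the output is JSON, e.g. `{# peer verification is off on purpose: FRONT_ADDRESS is the internal front container — confirm #}` placed before the first `"ssl"` block.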


@@ -132,8 +132,10 @@ sp.disable_function.function("curl_init").param("url").value_r("file://").drop()
# File upload
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.inc").drop();
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.inc").drop();
# Logging lockdown
sp.disable_function.function("ini_set").param("option").value_r("error_log").drop();
@@ -141,13 +143,13 @@ sp.disable_function.function("ini_set").param("option").value_r("display_errors"
sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop();
# Classic webshells patterns
sp.disable_function.function("system>base64_decode").drop();
sp.disable_function.function("shell_exec>base64_decode").drop();
sp.disable_function.function("exec>base64_decode").drop();
sp.disable_function.function("passthru>base64_decode").drop();
sp.disable_function.function("proc_open>base64_decode").drop();
# TODO: enable this for real
sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open").simulation();
# Those create SIGSEGV on arm64 for some reason
#sp.disable_function.function("system>base64_decode").drop();
#sp.disable_function.function("shell_exec>base64_decode").drop();
#sp.disable_function.function("exec>base64_decode").drop();
#sp.disable_function.function("passthru>base64_decode").drop();
#sp.disable_function.function("proc_open>base64_decode").drop();
sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open");
sp.auto_cookie_secure.enable();
# TODO: consider encrypting the cookies?
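Review bot: The renamed `.param("destination")` rules for `move_uploaded_file` only take effect if that name matches the argument name the running PHP declares for the function; PHP 8 declares it as `move_uploaded_file(string $from, string $to)`, and as far as I can tell a snuffleupagus `param()` that names a non-existent argument simply never matches, so the three upload rules would silently stop dropping `.ph*`, `.ht*` and `.inc` destinations rather than fail loudly. Please confirm the name against the PHP version shipped in the webmail image, or select the argument by position with the `.pos()` selector, which does not depend on the name. In the second hunk, a reference to the arm64 crash (issue number or build log) next to the `# Those create SIGSEGV on arm64 for some reason` comment would make it clear when the five disabled `*>base64_decode` rules can be re-enabled, since they are the only rules covering that pattern.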