diff --git a/towncrier/newsfragments/3896.misc b/towncrier/newsfragments/3896.misc
new file mode 100644
index 00000000..0e7420d1
--- /dev/null
+++ b/towncrier/newsfragments/3896.misc
@@ -0,0 +1 @@
+Fix Snappymail
diff --git a/webmails/nginx-webmail.conf b/webmails/nginx-webmail.conf
index d403eea4..067ee718 100644
--- a/webmails/nginx-webmail.conf
+++ b/webmails/nginx-webmail.conf
@@ -1,15 +1,15 @@
 server {
 listen 80 default_server;
-{% if SUBNET6 %}
+ {% if SUBNET6 %}
 listen [::]:80 default_server;
-{% endif %}
+ {% endif %}
 resolver {{ RESOLVER }} valid=30s;
-{% if WEBMAIL == 'roundcube' %}
+ {% if WEBMAIL == 'roundcube' %}
 root /var/www/{{ WEBMAIL }}/public_html;
-{% else %}
+ {% else %}
 root /var/www/{{ WEBMAIL }};
-{% endif %}
+ {% endif %}
 include /etc/nginx/mime.types;
@@ -36,7 +36,7 @@ server {
 try_files $uri $uri/ /index.php$args;
 }
- location ~ \.php$ {
+ location ~ [^/]\.php(/|$) {
 fastcgi_split_path_info ^(.+?\.php)(/.*)$;
 if (!-f $document_root$fastcgi_script_name) {
 return 404;
@@ -55,11 +55,12 @@ server {
 {% else %}
 fastcgi_param SCRIPT_NAME {{WEB_WEBMAIL}}/$fastcgi_script_name;
 {% endif %}
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
- # fastcgi buffers for php-fpm #
- fastcgi_buffers 16 32k;
- fastcgi_buffer_size 64k;
- fastcgi_busy_buffers_size 64k;
+ fastcgi_request_buffering off;
 # nginx buffers #
 proxy_buffer_size 128k;
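Review bot: The widened `location ~ [^/]\.php(/|$)` now routes PATH_INFO-style URIs (`/script.php/extra`) to php-fpm, and the only thing that keeps a non-script path from being executed is the `if (!-f $document_root$fastcgi_script_name)` check two lines below it; nothing records that dependency. A comment above the check would stop a later cleanup from dropping it: `# the location regex also matches /x.php/anything (PATH_INFO); keep this -f check so only a real .php file under $document_root is ever handed to php-fpm`. Note also that regex locations are matched in file order, so `.php` URIs under the paths covered by the later `(config|temp|logs|data)` deny block still land in this block rather than being denied — that was already true with `\.php$`, but it now extends to URIs with trailing path segments. The `location` block continues past the end of the hunk.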
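Review bot: Dropping `fastcgi_buffers 16 32k;`, `fastcgi_buffer_size 64k;` and `fastcgi_busy_buffers_size 64k;` falls back to nginx's defaults (the header buffer becomes one memory page), so a webmail response with large headers — long Set-Cookie or CSP headers — would fail with an `upstream sent too big header` 502; `fastcgi_request_buffering off;` concerns the request body and is independent of these response buffers, so they can stay. I would keep at least `fastcgi_buffer_size 64k;` unless the defaults were verified against SnappyMail and Roundcube responses. The added `REQUEST_METHOD`, `CONTENT_TYPE` and `CONTENT_LENGTH` params are also defined in the stock `fastcgi_params` file; if that file is included earlier in this block (not visible in the hunk) they are redundant, and `PATH_INFO` is the one line the new location regex actually needs. The enclosing `location` block starts and ends outside the hunk.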
@@ -67,12 +68,31 @@ server {
 proxy_busy_buffers_size 256k;
 }
+ # Assets cache control
+ # --------------------------------------
+ location ~* \.(?:html|xml|json)$ {
+ expires -1;
+ }
+
+ location ~* \.(?:css|js)$ {
+ expires 7d;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ }
+
+ location ~* \.(?:gif|jpe?g|png|ico|otf|eot|svg|ttf|woff|woff2)$ {
+ expires 30d;
+ log_not_found off;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ }
+
 location ~ (^|/)\. {
 deny all;
 }
 location ~* /(config|temp|logs|data) {
- deny all;
+ deny all;
 }
 location = /ping {
diff --git a/webmails/snappymail/defaults/default.json b/webmails/snappymail/defaults/default.json
index dee93332..df7ad057 100644
--- a/webmails/snappymail/defaults/default.json
+++ b/webmails/snappymail/defaults/default.json
@@ -1,10 +1,20 @@
 {
- "name": "*",
 "IMAP": {
 "host": "{{ FRONT_ADDRESS }}",
 "port": 10143,
- "secure": 3,
+ "type": 0,
+ "timeout": 300,
 "shortLogin": false,
+ "lowerLogin": true,
+ "stripLogin": "",
+ "sasl": [
+ "SCRAM-SHA3-512",
+ "SCRAM-SHA-512",
+ "SCRAM-SHA-256",
+ "SCRAM-SHA-1",
+ "PLAIN",
+ "LOGIN"
+ ],
 "ssl": {
 "verify_peer": false,
 "verify_peer_name": false,
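Review bot: The three new asset locations are declared before the existing `location ~ (^|/)\. { deny all; }` and `location ~* /(config|temp|logs|data)` blocks, and nginx takes the first regex location that matches in file order, so a request under a dot-directory or one of the denied paths whose name ends in an asset extension (a `.json` or `.png` file below `/data/`, say) is now served by the asset block instead of being denied. Move the two `deny all` blocks above the `# Assets cache control` section, or place the asset blocks after them, so the deny rules keep precedence. Separately, an `add_header` inside a location replaces every `add_header` inherited from the server level, so if security headers are set at server scope (outside the hunk) they must be repeated in the two locations that add `Pragma` and `Cache-Control`. The `server` block continues beyond the hunk.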
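Review bot: The IMAP section now combines `"type": 0` with `"verify_peer": false`, `"verify_peer_name": false` and a `sasl` list ending in `PLAIN` and `LOGIN`; if `type` 0 selects an unencrypted connection (the old `secure: 3` looked like auto-detect, but SnappyMail's enum is not on the page), credentials go to `{{ FRONT_ADDRESS }}` in clear and the whole `ssl` block is dead configuration. That is presumably acceptable because the target is the internal front container, but nothing in the file says so, and the same pattern recurs in the SMTP section of the `@@ -13,15 +23,37 @@` hunk and the Sieve section of the `@@ -32,22 +64,35 @@` hunk, where `allow_self_signed` is flipped to `false` while `verify_peer` stays `false`, which appears to make that flip a no-op. If the renderer is Jinja (the `{% if %}` syntax suggests so), a `{# ... #}` comment above each `"host"` line, e.g. `{# plaintext to the internal front proxy only; the ssl block is unused while type is 0 #}`, would record the assumption without changing the rendered JSON.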
@@ -13,15 +23,37 @@
 "disable_compression": true,
 "security_level": 1
 },
- {% if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] %}
- "fast_simple_search": "false"
- {% endif %}
+ "use_expunge_all_on_delete": false,
+ "fast_simple_search": {% if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] %}true{% else %}false{% endif %},
+ "force_select": false,
+ "message_all_headers": false,
+ "message_list_limit": 10000,
+ "search_filter": "",
+ "spam_headers": "",
+ "virus_headers": "",
+ "disabled_capabilities": [
+ "METADATA",
+ "OBJECTID",
+ "PREVIEW",
+ "STATUS=SIZE"
+ ]
 },
 "SMTP": {
 "host": "{{ FRONT_ADDRESS }}",
 "port": 10025,
- "secure": 3,
+ "type": 0,
+ "timeout": 60,
 "shortLogin": false,
+ "lowerLogin": true,
+ "stripLogin": "",
+ "sasl": [
+ "SCRAM-SHA3-512",
+ "SCRAM-SHA-512",
+ "SCRAM-SHA-256",
+ "SCRAM-SHA-1",
+ "PLAIN",
+ "LOGIN"
+ ],
 "ssl": {
 "verify_peer": false,
 "verify_peer_name": false,
@@ -32,22 +64,35 @@
 },
 "useAuth": true,
 "setSender": false,
- "usePhpMail": false
+ "usePhpMail": false,
+ "authPlainLine": false
 },
 "Sieve": {
 "host": "{{ FRONT_ADDRESS }}",
 "port": 14190,
- "type": 3,
+ "type": 0,
+ "timeout": 10,
 "shortLogin": false,
+ "lowerLogin": true,
+ "stripLogin": "",
+ "sasl": [
+ "SCRAM-SHA3-512",
+ "SCRAM-SHA-512",
+ "SCRAM-SHA-256",
+ "SCRAM-SHA-1",
+ "PLAIN",
+ "LOGIN"
+ ],
 "ssl": {
 "verify_peer": false,
 "verify_peer_name": false,
- "allow_self_signed": true,
+ "allow_self_signed": false,
 "SNI_enabled": true,
 "disable_compression": true,
 "security_level": 1
 },
- "enabled": true
+ "enabled": true,
+ "authLiteral": true
 },
 "whiteList": ""
 }
diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules
index 90601207..5734f6e9 100644
--- a/webmails/snuffleupagus.rules
+++ b/webmails/snuffleupagus.rules
@@ -132,8 +132,10 @@ sp.disable_function.function("curl_init").param("url").value_r("file://").drop()
 # File upload
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
+sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.inc").drop();
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.inc").drop();
 # Logging lockdown
 sp.disable_function.function("ini_set").param("option").value_r("error_log").drop();
@@ -141,13 +143,13 @@ sp.disable_function.function("ini_set").param("option").value_r("display_errors"
 sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop();
 # Classic webshells patterns
-sp.disable_function.function("system>base64_decode").drop();
-sp.disable_function.function("shell_exec>base64_decode").drop();
-sp.disable_function.function("exec>base64_decode").drop();
-sp.disable_function.function("passthru>base64_decode").drop();
-sp.disable_function.function("proc_open>base64_decode").drop();
-# TODO: enable this for real
-sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open").simulation();
+# Those create SIGSEGV on arm64 for some reason
+#sp.disable_function.function("system>base64_decode").drop();
+#sp.disable_function.function("shell_exec>base64_decode").drop();
+#sp.disable_function.function("exec>base64_decode").drop();
+#sp.disable_function.function("passthru>base64_decode").drop();
+#sp.disable_function.function("proc_open>base64_decode").drop();
+sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open");
 sp.auto_cookie_secure.enable();
 # TODO: consider encrypting the cookies?
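Review bot: Commenting out the five `system>base64_decode`-style drop rules removes that detection on every architecture, not only on arm64 where the new comment says they crash, and the reason survives only as `# Those create SIGSEGV on arm64 for some reason`. Either make the exclusion conditional on the build architecture (for example at image build time) or turn the comment into a tracked item with a reference, e.g. `# TODO: re-enable; the call-chain rules SIGSEGV php-fpm on arm64 (see <upstream issue placeholder>)`, so the lost coverage is not forgotten. Removing `.simulation()` from `sp.eval_blacklist.list(...)` switches that rule from log-only to enforcing, which is the right direction but is a behaviour change worth calling out in the changelog entry, which currently reads only `Fix Snappymail`: any webmail code path that reaches `eval` with one of those functions now fails hard instead of being logged. The rules file continues beyond the hunk.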