1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-14 10:53:30 +02:00

Merge branch 'master' into AdminLTE-3

This commit is contained in:
Dimitri Huisman 2021-08-13 14:06:46 +02:00 committed by GitHub
commit df64601b28
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
103 changed files with 3735 additions and 529 deletions

431
.github/workflows/CI.yml vendored Normal file
View File

@ -0,0 +1,431 @@
name: CI
on:
push:
branches:
- staging
- testing
- '1.5'
- '1.6'
- '1.7'
- '1.8'
- master
# version tags, e.g. 1.7.1
- '[1-9].[0-9].[0-9]'
# pre-releases, e.g. 1.8-pre1
- 1.8-pre[0-9]
# test branches, e.g. test-debian
- test-*
###############################################
# REQUIRED secrets
# DOCKER_UN: ${{ secrets.Docker_Login }}
# Username of docker login for pushing the images to repo $DOCKER_ORG
# DOCKER_PW: ${{ secrets.Docker_Password }}
# Password of docker login for pushing the images to repo $DOCKER_ORG
# DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
# The docker repository where the images are pushed to.
# DOCKER_ORG_TESTS: ${{ secrets.DOCKER_ORG_TESTS }}
# The docker repository for test images. Only used for the branch TESTING (BORS try).
# Add the above secrets to your github repo to determine where the images will be pushed.
################################################
jobs:
build:
name: Build images
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Extract branch name
shell: bash
run: |
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
#For branch TESTING, we set the image tag to PR-xxxx
- name: Derive MAILU_VERSION for branch testing
if: ${{ env.BRANCH == 'testing' }}
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for other branches than testing
if: ${{ env.BRANCH != 'testing' }}
shell: bash
env:
MAILU_BRANCH: ${{ env.BRANCH }}
run: |
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
- name: Create folder for storing images
run: |
sudo mkdir -p /images
sudo chmod 777 /images
- name: Configure images folder for caching
uses: actions/cache@v2
with:
path: /images
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
- name: Check docker-compose version
run: docker-compose -v
- name: Login docker
env:
DOCKER_UN: ${{ secrets.Docker_Login }}
DOCKER_PW: ${{ secrets.Docker_Password }}
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
run: echo "$DOCKER_PW" | docker login --username $DOCKER_UN --password-stdin
- name: Build all docker images
env:
MAILU_VERSION: ${{ env.MAILU_VERSION }}
TRAVIS_BRANCH: ${{ env.BRANCH }}
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
run: docker-compose -f tests/build.yml build
- name: Save all docker images
run: docker save ${{ secrets.DOCKER_ORG }}/admin ${{ secrets.DOCKER_ORG }}/clamav ${{ secrets.DOCKER_ORG }}/docs ${{ secrets.DOCKER_ORG }}/dovecot ${{ secrets.DOCKER_ORG }}/fetchmail ${{ secrets.DOCKER_ORG }}/nginx ${{ secrets.DOCKER_ORG }}/none ${{ secrets.DOCKER_ORG }}/postfix ${{ secrets.DOCKER_ORG }}/postgresql ${{ secrets.DOCKER_ORG }}/radicale ${{ secrets.DOCKER_ORG }}/rainloop ${{ secrets.DOCKER_ORG }}/roundcube ${{ secrets.DOCKER_ORG }}/rspamd ${{ secrets.DOCKER_ORG }}/setup ${{ secrets.DOCKER_ORG }}/traefik-certdumper ${{ secrets.DOCKER_ORG }}/unbound -o /images/images.tar.gz
test-core:
name: Perform core tests
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@v2
- name: Extract branch name
shell: bash
run: |
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for branch testing
if: ${{ env.BRANCH == 'testing' }}
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for other branches than testing
if: ${{ env.BRANCH != 'testing' }}
shell: bash
env:
MAILU_BRANCH: ${{ env.BRANCH }}
run: |
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
- name: Create folder for storing images
run: |
sudo mkdir -p /images
sudo chmod 777 /images
- name: Configure images folder for caching
uses: actions/cache@v2
with:
path: /images
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
- name: Load docker images
run: docker load -i /images/images.tar.gz
- name: Install python packages
run: python3 -m pip install -r tests/requirements.txt
- name: Copy all certs
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
- name: Test core suite
run: python tests/compose/test.py core 2
env:
MAILU_VERSION: ${{ env.MAILU_VERSION }}
TRAVIS_BRANCH: ${{ env.BRANCH }}
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
test-fetchmail:
name: Perform fetchmail tests
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@v2
- name: Extract branch name
shell: bash
run: |
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for branch testing
if: ${{ env.BRANCH == 'testing' }}
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for other branches than testing
if: ${{ env.BRANCH != 'testing' }}
shell: bash
env:
MAILU_BRANCH: ${{ env.BRANCH }}
run: |
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
- name: Create folder for storing images
run: |
sudo mkdir -p /images
sudo chmod 777 /images
- name: Configure images folder for caching
uses: actions/cache@v2
with:
path: /images
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
- name: Load docker images
run: docker load -i /images/images.tar.gz
- name: Install python packages
run: python3 -m pip install -r tests/requirements.txt
- name: Copy all certs
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
- name: Test fetch
run: python tests/compose/test.py fetchmail 2
env:
MAILU_VERSION: ${{ env.MAILU_VERSION }}
TRAVIS_BRANCH: ${{ env.BRANCH }}
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
test-filters:
name: Perform filter tests
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@v2
- name: Extract branch name
shell: bash
run: |
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for branch testing
if: ${{ env.BRANCH == 'testing' }}
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for other branches than testing
if: ${{ env.BRANCH != 'testing' }}
shell: bash
env:
MAILU_BRANCH: ${{ env.BRANCH }}
run: |
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
- name: Create folder for storing images
run: |
sudo mkdir -p /images
sudo chmod 777 /images
- name: Configure images folder for caching
uses: actions/cache@v2
with:
path: /images
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
- name: Load docker images
run: docker load -i /images/images.tar.gz
- name: Install python packages
run: python3 -m pip install -r tests/requirements.txt
- name: Copy all certs
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
- name: Test clamvav
run: python tests/compose/test.py filters 3
env:
MAILU_VERSION: ${{ env.MAILU_VERSION }}
TRAVIS_BRANCH: ${{ env.BRANCH }}
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
test-rainloop:
name: Perform rainloop tests
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@v2
- name: Extract branch name
shell: bash
run: |
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for branch testing
if: ${{ env.BRANCH == 'testing' }}
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for other branches than testing
if: ${{ env.BRANCH != 'testing' }}
shell: bash
env:
MAILU_BRANCH: ${{ env.BRANCH }}
run: |
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
- name: Create folder for storing images
run: |
sudo mkdir -p /images
sudo chmod 777 /images
- name: Configure images folder for caching
uses: actions/cache@v2
with:
path: /images
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
- name: Load docker images
run: docker load -i /images/images.tar.gz
- name: Install python packages
run: python3 -m pip install -r tests/requirements.txt
- name: Copy all certs
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
- name: Test rainloop
run: python tests/compose/test.py rainloop 2
env:
MAILU_VERSION: ${{ env.MAILU_VERSION }}
TRAVIS_BRANCH: ${{ env.BRANCH }}
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
test-roundcube:
name: Perform roundcube tests
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@v2
- name: Extract branch name
shell: bash
run: |
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for branch testing
if: ${{ env.BRANCH == 'testing' }}
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for other branches than testing
if: ${{ env.BRANCH != 'testing' }}
shell: bash
env:
MAILU_BRANCH: ${{ env.BRANCH }}
run: |
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
- name: Create folder for storing images
run: |
sudo mkdir -p /images
sudo chmod 777 /images
- name: Configure images folder for caching
uses: actions/cache@v2
with:
path: /images
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
- name: Load docker images
run: docker load -i /images/images.tar.gz
- name: Install python packages
run: python3 -m pip install -r tests/requirements.txt
- name: Copy all certs
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
- name: Test roundcube
run: python tests/compose/test.py roundcube 2
env:
MAILU_VERSION: ${{ env.MAILU_VERSION }}
TRAVIS_BRANCH: ${{ env.BRANCH }}
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
test-webdav:
name: Perform webdav tests
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@v2
- name: Extract branch name
shell: bash
run: |
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for branch testing
if: ${{ env.BRANCH == 'testing' }}
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for other branches than testing
if: ${{ env.BRANCH != 'testing' }}
shell: bash
env:
MAILU_BRANCH: ${{ env.BRANCH }}
run: |
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
- name: Create folder for storing images
run: |
sudo mkdir -p /images
sudo chmod 777 /images
- name: Configure images folder for caching
uses: actions/cache@v2
with:
path: /images
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
- name: Load docker images
run: docker load -i /images/images.tar.gz
- name: Install python packages
run: python3 -m pip install -r tests/requirements.txt
- name: Copy all certs
run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
- name: Test webdav
run: python tests/compose/test.py webdav 2
env:
MAILU_VERSION: ${{ env.MAILU_VERSION }}
TRAVIS_BRANCH: ${{ env.BRANCH }}
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
deploy:
name: Deploy images
runs-on: ubuntu-latest
needs:
- build
- test-core
- test-fetchmail
- test-filters
- test-rainloop
- test-roundcube
- test-webdav
steps:
- uses: actions/checkout@v2
- name: Extract branch name
shell: bash
run: |
echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
#For branch TESTING, we set the image tag to PR-xxxx
- name: Derive MAILU_VERSION for branch testing
if: ${{ env.BRANCH == 'testing' }}
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
echo "MAILU_VERSION=pr-${COMMIT_MESSAGE//[!0-9]/}" >> $GITHUB_ENV
- name: Derive MAILU_VERSION for other branches than testing
if: ${{ env.BRANCH != 'testing' }}
shell: bash
env:
MAILU_BRANCH: ${{ env.BRANCH }}
run: |
echo "MAILU_VERSION=${{ env.MAILU_BRANCH }}" >> $GITHUB_ENV
- name: Create folder for storing images
run: |
sudo mkdir -p /images
sudo chmod 777 /images
- name: Configure images folder for caching
# For staging we do not deploy images. So we do not have to load them from cache.
if: ${{ env.BRANCH != 'staging' }}
uses: actions/cache@v2
with:
path: /images
key: ${{ env.BRANCH }}-${{ github.run_id }}-${{ github.run_number }}
- name: Load docker images
if: ${{ env.BRANCH != 'staging' }}
run: docker load -i /images/images.tar.gz
- name: Deploy built docker images
env:
DOCKER_UN: ${{ secrets.Docker_Login }}
DOCKER_PW: ${{ secrets.Docker_Password }}
DOCKER_ORG: ${{ secrets.DOCKER_ORG }}
DOCKER_ORG_TESTS: ${{ secrets.DOCKER_ORG_TESTS }}
MAILU_VERSION: ${{ env.MAILU_VERSION }}
TRAVIS_BRANCH: ${{ env.BRANCH }}
run: bash tests/deploy.sh
# This job is watched by bors. It only complets if building,testing and deploy worked.
ci-success:
name: CI-Done
#Returns true when none of the **previous** steps have failed or been canceled.
if: ${{ success() }}
needs:
- deploy
runs-on: ubuntu-latest
steps:
- name: CI/CD succeeded.
run: exit 0

View File

@ -27,7 +27,7 @@ pull_request_rules:
- name: Trusted author and 1 approved review; trigger bors r+ - name: Trusted author and 1 approved review; trigger bors r+
conditions: conditions:
- author~=^(mergify|kaiyou|muhlemmer|mildred|HorayNarea|adi90x|hoellen|ofthesun9|Nebukadneza|micw|lub|Diman0)$ - author~=^(mergify|kaiyou|muhlemmer|mildred|HorayNarea|hoellen|ofthesun9|Nebukadneza|micw|lub|Diman0|3-w-c|decentral1se|ghostwheel42|nextgens|parisni)$
- -title~=(WIP|wip) - -title~=(WIP|wip)
- -label~=^(status/wip|status/blocked|review/need2)$ - -label~=^(status/wip|status/blocked|review/need2)$
- "#approved-reviews-by>=1" - "#approved-reviews-by>=1"

View File

@ -1,56 +0,0 @@
branches:
only:
- staging
- testing
- '1.5'
- '1.6'
- '1.7'
- '1.8'
- master
# version tags, e.g. 1.7.1
- /^1\.[5678]\.\d+$/
# pre-releases, e.g. 1.8-pre1
- /^1\.8-pre\d+$/
# test branches, e.g. test-debian
- /^test-[\w\-\.]+$/
sudo: required
services: docker
addons:
apt:
packages:
- docker-ce
env:
- MAILU_VERSION=${TRAVIS_BRANCH////-}
language: python
python:
- "3.6"
install:
- pip install -r tests/requirements.txt
- sudo curl -L https://github.com/docker/compose/releases/download/1.23.0-rc3/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
- sudo chmod +x /usr/local/bin/docker-compose
before_script:
- docker-compose -v
- echo "$DOCKER_PW" | docker login --username $DOCKER_UN --password-stdin
- docker-compose -f tests/build.yml build
- sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
script:
# test.py, test name and timeout between start and tests.
- python tests/compose/test.py core 1
- python tests/compose/test.py fetchmail 1
- travis_wait python tests/compose/test.py filters 10
- python tests/compose/test.py rainloop 1
- python tests/compose/test.py roundcube 1
- python tests/compose/test.py webdav 1
deploy:
provider: script
script: bash tests/deploy.sh
on:
all_branches: true
condition: -n $DOCKER_UN

View File

@ -4,18 +4,49 @@ Changelog
Upgrade should run fine as long as you generate a new compose or stack Upgrade should run fine as long as you generate a new compose or stack
configuration and upgrade your mailu.env. configuration and upgrade your mailu.env.
Please note that the current 1.8 is what we call a "soft release": It’s there for everyone to see and use, but to limit possible user-impact of this very big release, it’s not yet the default in the setup-utility for new users. When upgrading, please treat it with some care, and be sure to always have backups!
There are some changes to the configuration overrides. Override files are now mounted read-only into the containers. There are some changes to the configuration overrides. Override files are now mounted read-only into the containers.
The Dovecot and Postfix overrides are moved in their own sub-directory. The Dovecot and Postfix overrides are moved in their own sub-directory.
If there are local override files, they will need to be moved from overrides/ to overrides/dovecot and overrides/postfix/. If there are local override files, they will need to be moved from overrides/ to overrides/dovecot and overrides/postfix/.
See https://mailu.io/1.8/faq.html#how-can-i-override-settings for all the mappings. See https://mailu.io/1.8/faq.html#how-can-i-override-settings for all the mappings.
Please note that the shipped image for PostgreSQL database is deprecated. One major change for the docker compose file is that the antispam container needs a fixed hostname [#1837](https://github.com/Mailu/Mailu/issues/1837).
We advise to switch to an external database server. This is handled when you regenerate the docker-compose file. A fixed hostname is required to retain rspamd history.
This is also handled in the helm-chart repo.
<!-- TOWNCRIER --> Improvements have been made to protect again session-fixation attacks.
v1.8.0 - 2020-09-28 To be fully protected, it is required to change your SECRET_KEY in Mailu.env after upgrading.
A new SECRET_KEY is generated when you recreate your docker-compose.yml & mailu.env file via setup.mailu.io.
The SECRET_KEY is an uppercase alphanumeric string of length 16. You can manually create such a string via
```cat /dev/urandom | tr -dc 'A-Z0-9' | fold -w ${1:-16} | head -n 1```
After changing mailu.env, it is required to recreate all containers for the changes to be propagated.
Please note that the shipped image for PostgreSQL database is deprecated.
We advise to switch to an external PostgreSQL database server.
1.8.0 - 2021-08-06
--------------------
- Features: Update version of roundcube webmail and carddav plugin. This is a security update. ([#1841](https://github.com/Mailu/Mailu/issues/1841))
- Features: Update version of rainloop webmail to 1.16.0. This is a security update. ([#1845](https://github.com/Mailu/Mailu/issues/1845))
- Features: Changed default value of AUTH_RATELIMIT_SUBNET to false. Increased default value of the rate limit in setup utility (AUTH_RATELIMIT) to a higher value. ([#1867](https://github.com/Mailu/Mailu/issues/1867))
- Features: Update jquery used in setup. Set pinned versions in requirements.txt for setup. This is a security update. ([#1880](https://github.com/Mailu/Mailu/issues/1880))
- Bugfixes: Replace PUBLIC_HOSTNAME and PUBLIC_IP in "Received" headers to ensure that no undue spam points are attributed ([#191](https://github.com/Mailu/Mailu/issues/191))
- Bugfixes: Don't replace nested headers (typically in attached emails) ([#1660](https://github.com/Mailu/Mailu/issues/1660))
- Bugfixes: Fix letsencrypt access to certbot for the mail-letsencrypt flavour ([#1686](https://github.com/Mailu/Mailu/issues/1686))
- Bugfixes: Fix CVE-2020-25275 and CVE-2020-24386 by upgrading alpine for
dovecot which contains a fixed dovecot version. ([#1720](https://github.com/Mailu/Mailu/issues/1720))
- Bugfixes: Antispam service now uses a static hostname. Rspamd history is only retained when the service has a fixed hostname. ([#1837](https://github.com/Mailu/Mailu/issues/1837))
- Bugfixes: Fix a bug preventing colons from being used in passwords when using radicale/webdav. ([#1861](https://github.com/Mailu/Mailu/issues/1861))
- Bugfixes: Remove dot in blueprint name to prevent critical flask startup error in setup. ([#1874](https://github.com/Mailu/Mailu/issues/1874))
- Bugfixes: fix punycode encoding of domain names ([#1891](https://github.com/Mailu/Mailu/issues/1891))
- Improved Documentation: Update fail2ban documentation to use systemd backend instead of filepath for journald ([#1857](https://github.com/Mailu/Mailu/issues/1857))
- Misc: Switch from client side (cookie) sessions to server side sessions and protect against session-fixation attacks. We recommend that you change your SECRET_KEY after upgrading. ([#1783](https://github.com/Mailu/Mailu/issues/1783))
v1.8.0rc - 2020-09-28
-------------------- --------------------
- Features: Add support for backward-forwarding using SRS ([#328](https://github.com/Mailu/Mailu/issues/328)) - Features: Add support for backward-forwarding using SRS ([#328](https://github.com/Mailu/Mailu/issues/328))

View File

@ -13,4 +13,4 @@ Before we can consider review and merge, please make sure the following list is
If an entry in not applicable, you can check it or remove it from the list. If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly - [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file. - [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.

View File

@ -1,3 +1,4 @@
status = [ status = [
"continuous-integration/travis-ci/push" "CI-Done"
] ]

View File

@ -1,8 +1,9 @@
# First stage to build assets # First stage to build assets
ARG DISTRO=alpine:3.12 ARG DISTRO=alpine:3.14
ARG ARCH="" ARG ARCH=""
FROM ${ARCH}node:15 as assets
COPY --from=balenalib/rpi-alpine:3.10 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static FROM ${ARCH}node:8 as assets
COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
COPY package.json ./ COPY package.json ./
RUN npm install RUN npm install
@ -24,9 +25,9 @@ RUN mkdir -p /app
WORKDIR /app WORKDIR /app
COPY requirements-prod.txt requirements.txt COPY requirements-prod.txt requirements.txt
RUN apk add --no-cache libressl curl postgresql-libs mariadb-connector-c \ RUN apk add --no-cache openssl curl postgresql-libs mariadb-connector-c \
&& apk add --no-cache --virtual build-dep \ && apk add --no-cache --virtual build-dep \
libressl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev \ openssl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
&& pip3 install -r requirements.txt \ && pip3 install -r requirements.txt \
&& apk del --no-cache build-dep && apk del --no-cache build-dep

View File

@ -1,11 +1,12 @@
""" Mailu admin app
"""
import flask import flask
import flask_bootstrap import flask_bootstrap
import redis
from flask_kvsession import KVSessionExtension
from simplekv.memory.redisstore import RedisStore
from mailu import utils, debug, models, manage, configuration from mailu import utils, debug, models, manage, configuration
import hmac
def create_app_from_config(config): def create_app_from_config(config):
""" Create a new application based on the given configuration """ Create a new application based on the given configuration
@ -20,7 +21,7 @@ def create_app_from_config(config):
# Initialize application extensions # Initialize application extensions
config.init_app(app) config.init_app(app)
models.db.init_app(app) models.db.init_app(app)
KVSessionExtension(RedisStore(redis.StrictRedis().from_url('redis://{0}/3'.format(config['REDIS_ADDRESS']))), app).cleanup_sessions(app) utils.session.init_app(app)
utils.limiter.init_app(app) utils.limiter.init_app(app)
utils.babel.init_app(app) utils.babel.init_app(app)
utils.login.init_app(app) utils.login.init_app(app)
@ -28,6 +29,8 @@ def create_app_from_config(config):
utils.proxy.init_app(app) utils.proxy.init_app(app)
utils.migrate.init_app(app, models.db) utils.migrate.init_app(app, models.db)
app.temp_token_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('WEBMAIL_TEMP_TOKEN_KEY', 'utf-8'), 'sha256').digest()
# Initialize debugging tools # Initialize debugging tools
if app.config.get("DEBUG"): if app.config.get("DEBUG"):
debug.toolbar.init_app(app) debug.toolbar.init_app(app)
@ -53,8 +56,7 @@ def create_app_from_config(config):
def create_app(): def create_app():
""" Create a new application based on the config module """ Create a new application based on the config module
""" """
config = configuration.ConfigManager() config = configuration.ConfigManager()
return create_app_from_config(config) return create_app_from_config(config)

View File

@ -14,6 +14,7 @@ DEFAULT_CONFIG = {
'DEBUG': False, 'DEBUG': False,
'DOMAIN_REGISTRATION': False, 'DOMAIN_REGISTRATION': False,
'TEMPLATES_AUTO_RELOAD': True, 'TEMPLATES_AUTO_RELOAD': True,
'MEMORY_SESSIONS': False,
# Database settings # Database settings
'DB_FLAVOR': None, 'DB_FLAVOR': None,
'DB_USER': 'mailu', 'DB_USER': 'mailu',
@ -33,8 +34,8 @@ DEFAULT_CONFIG = {
'POSTMASTER': 'postmaster', 'POSTMASTER': 'postmaster',
'TLS_FLAVOR': 'cert', 'TLS_FLAVOR': 'cert',
'INBOUND_TLS_ENFORCE': False, 'INBOUND_TLS_ENFORCE': False,
'AUTH_RATELIMIT': '10/minute;1000/hour', 'AUTH_RATELIMIT': '1000/minute;10000/hour',
'AUTH_RATELIMIT_SUBNET': True, 'AUTH_RATELIMIT_SUBNET': False,
'DISABLE_STATISTICS': False, 'DISABLE_STATISTICS': False,
# Mail settings # Mail settings
'DMARC_RUA': None, 'DMARC_RUA': None,
@ -55,6 +56,7 @@ DEFAULT_CONFIG = {
'RECAPTCHA_PRIVATE_KEY': '', 'RECAPTCHA_PRIVATE_KEY': '',
# Advanced settings # Advanced settings
'LOG_LEVEL': 'WARNING', 'LOG_LEVEL': 'WARNING',
'SESSION_KEY_BITS': 128,
'SESSION_LIFETIME': 24, 'SESSION_LIFETIME': 24,
'SESSION_COOKIE_SECURE': True, 'SESSION_COOKIE_SECURE': True,
'CREDENTIAL_ROUNDS': 12, 'CREDENTIAL_ROUNDS': 12,
@ -65,7 +67,6 @@ DEFAULT_CONFIG = {
'HOST_SMTP': 'smtp', 'HOST_SMTP': 'smtp',
'HOST_AUTHSMTP': 'smtp', 'HOST_AUTHSMTP': 'smtp',
'HOST_ADMIN': 'admin', 'HOST_ADMIN': 'admin',
'WEBMAIL': 'none',
'HOST_WEBMAIL': 'webmail', 'HOST_WEBMAIL': 'webmail',
'HOST_WEBDAV': 'webdav:5232', 'HOST_WEBDAV': 'webdav:5232',
'HOST_REDIS': 'redis', 'HOST_REDIS': 'redis',
@ -136,9 +137,9 @@ class ConfigManager(dict):
self.config['RATELIMIT_STORAGE_URL'] = 'redis://{0}/2'.format(self.config['REDIS_ADDRESS']) self.config['RATELIMIT_STORAGE_URL'] = 'redis://{0}/2'.format(self.config['REDIS_ADDRESS'])
self.config['QUOTA_STORAGE_URL'] = 'redis://{0}/1'.format(self.config['REDIS_ADDRESS']) self.config['QUOTA_STORAGE_URL'] = 'redis://{0}/1'.format(self.config['REDIS_ADDRESS'])
self.config['SESSION_STORAGE_URL'] = 'redis://{0}/3'.format(self.config['REDIS_ADDRESS'])
self.config['SESSION_COOKIE_SAMESITE'] = 'Strict' self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
self.config['SESSION_COOKIE_HTTPONLY'] = True self.config['SESSION_COOKIE_HTTPONLY'] = True
self.config['SESSION_KEY_BITS'] = 128
self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME'])) self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
# update the app config itself # update the app config itself
app.config = self app.config = self

View File

@ -7,7 +7,6 @@ import ipaddress
import socket import socket
import tenacity import tenacity
SUPPORTED_AUTH_METHODS = ["none", "plain"] SUPPORTED_AUTH_METHODS = ["none", "plain"]
@ -26,8 +25,12 @@ def check_credentials(user, password, ip, protocol=None):
if not user or not user.enabled or (protocol == "imap" and not user.enable_imap) or (protocol == "pop3" and not user.enable_pop): if not user or not user.enabled or (protocol == "imap" and not user.enable_imap) or (protocol == "pop3" and not user.enable_pop):
return False return False
is_ok = False is_ok = False
# webmails
if len(password) == 64 and ip == app.config['WEBMAIL_ADDRESS']:
if user.verify_temp_token(password):
is_ok = True
# All tokens are 32 characters hex lowercase # All tokens are 32 characters hex lowercase
if len(password) == 32: if not is_ok and len(password) == 32:
for token in user.tokens: for token in user.tokens:
if (token.check_password(password) and if (token.check_password(password) and
(not token.ip or token.ip == ip)): (not token.ip or token.ip == ip)):

View File

@ -43,6 +43,18 @@ def admin_authentication():
return "" return ""
return flask.abort(403) return flask.abort(403)
@internal.route("/auth/user")
def user_authentication():
""" Fails if the user is not authenticated.
"""
if (not flask_login.current_user.is_anonymous
and flask_login.current_user.enabled):
response = flask.Response()
response.headers["X-User"] = flask_login.current_user.get_id()
response.headers["X-User-Token"] = models.User.get_temp_token(flask_login.current_user.get_id())
return response
return flask.abort(403)
@internal.route("/auth/basic") @internal.route("/auth/basic")
def basic_authentication(): def basic_authentication():
@ -51,7 +63,7 @@ def basic_authentication():
authorization = flask.request.headers.get("Authorization") authorization = flask.request.headers.get("Authorization")
if authorization and authorization.startswith("Basic "): if authorization and authorization.startswith("Basic "):
encoded = authorization.replace("Basic ", "") encoded = authorization.replace("Basic ", "")
user_email, password = base64.b64decode(encoded).split(b":") user_email, password = base64.b64decode(encoded).split(b":", 1)
user = models.User.query.get(user_email.decode("utf8")) user = models.User.query.get(user_email.decode("utf8"))
if nginx.check_credentials(user, password.decode('utf-8'), flask.request.remote_addr, "web"): if nginx.check_credentials(user, password.decode('utf-8'), flask.request.remote_addr, "web"):
response = flask.Response() response = flask.Response()

View File

@ -2,6 +2,7 @@ from mailu import models
from mailu.internal import internal from mailu.internal import internal
import flask import flask
import idna
import re import re
import srslib import srslib
@ -35,13 +36,67 @@ def postfix_alias_map(alias):
def postfix_transport(email): def postfix_transport(email):
if email == '*' or re.match("(^|.*@)\[.*\]$", email): if email == '*' or re.match("(^|.*@)\[.*\]$", email):
return flask.abort(404) return flask.abort(404)
localpart, domain_name = models.Email.resolve_domain(email) _, domain_name = models.Email.resolve_domain(email)
relay = models.Relay.query.get(domain_name) or flask.abort(404) relay = models.Relay.query.get(domain_name) or flask.abort(404)
ret = "smtp:[{0}]".format(relay.smtp) target = relay.smtp.lower()
if ":" in relay.smtp: port = None
split = relay.smtp.split(':') use_lmtp = False
ret = "smtp:[{0}]:{1}".format(split[0], split[1]) use_mx = False
return flask.jsonify(ret) # strip prefixes mx: and lmtp:
if target.startswith('mx:'):
target = target[3:]
use_mx = True
elif target.startswith('lmtp:'):
target = target[5:]
use_lmtp = True
# split host:port or [host]:port
if target.startswith('['):
if use_mx or ']' not in target:
# invalid target (mx: and [] or missing ])
flask.abort(400)
host, rest = target[1:].split(']', 1)
if rest.startswith(':'):
port = rest[1:]
elif rest:
# invalid target (rest should be :port)
flask.abort(400)
else:
if ':' in target:
host, port = target.rsplit(':', 1)
else:
host = target
# default for empty host part is mx:domain
if not host:
if not use_lmtp:
host = relay.name.lower()
use_mx = True
else:
# lmtp: needs a host part
flask.abort(400)
# detect ipv6 address or encode host
if ':' in host:
host = f'ipv6:{host}'
else:
try:
host = idna.encode(host).decode('ascii')
except idna.IDNAError:
# invalid host (fqdn not encodable)
flask.abort(400)
# validate port
if port is not None:
try:
port = int(port, 10)
except ValueError:
# invalid port (should be numeric)
flask.abort(400)
# create transport
transport = 'lmtp' if use_lmtp else 'smtp'
# use [] when not using MX lookups or host is an ipv6 address
if host.startswith('ipv6:') or (not use_lmtp and not use_mx):
host = f'[{host}]'
# create port suffix
port = '' if port is None else f':{port}'
return flask.jsonify(f'{transport}:{host}{port}')
@internal.route("/postfix/recipient/map/<path:recipient>") @internal.route("/postfix/recipient/map/<path:recipient>")

View File

@ -1,40 +1,46 @@
from mailu import models """ Mailu command line interface
"""
from flask import current_app as app import sys
from flask import cli as flask_cli
import flask
import os import os
import socket import socket
import uuid import uuid
import click import click
import yaml
from flask import current_app as app
from flask.cli import FlaskGroup, with_appcontext
from mailu import models
from mailu.schemas import MailuSchema, Logger, RenderJSON
db = models.db db = models.db
@click.group() @click.group(cls=FlaskGroup, context_settings={'help_option_names': ['-?', '-h', '--help']})
def mailu(cls=flask_cli.FlaskGroup): def mailu():
""" Mailu command line """ Mailu command line
""" """
@mailu.command() @mailu.command()
@flask_cli.with_appcontext @with_appcontext
def advertise(): def advertise():
""" Advertise this server against statistic services. """ Advertise this server against statistic services.
""" """
if os.path.isfile(app.config["INSTANCE_ID_PATH"]): if os.path.isfile(app.config['INSTANCE_ID_PATH']):
with open(app.config["INSTANCE_ID_PATH"], "r") as handle: with open(app.config['INSTANCE_ID_PATH'], 'r') as handle:
instance_id = handle.read() instance_id = handle.read()
else: else:
instance_id = str(uuid.uuid4()) instance_id = str(uuid.uuid4())
with open(app.config["INSTANCE_ID_PATH"], "w") as handle: with open(app.config['INSTANCE_ID_PATH'], 'w') as handle:
handle.write(instance_id) handle.write(instance_id)
if not app.config["DISABLE_STATISTICS"]: if not app.config['DISABLE_STATISTICS']:
try: try:
socket.gethostbyname(app.config["STATS_ENDPOINT"].format(instance_id)) socket.gethostbyname(app.config['STATS_ENDPOINT'].format(instance_id))
except: except OSError:
pass pass
@ -43,7 +49,7 @@ def advertise():
@click.argument('domain_name') @click.argument('domain_name')
@click.argument('password') @click.argument('password')
@click.option('-m', '--mode') @click.option('-m', '--mode')
@flask_cli.with_appcontext @with_appcontext
def admin(localpart, domain_name, password, mode='create'): def admin(localpart, domain_name, password, mode='create'):
""" Create an admin user """ Create an admin user
'mode' can be: 'mode' can be:
@ -58,7 +64,7 @@ def admin(localpart, domain_name, password, mode='create'):
user = None user = None
if mode == 'ifmissing' or mode == 'update': if mode == 'ifmissing' or mode == 'update':
email = '{}@{}'.format(localpart, domain_name) email = f'{localpart}@{domain_name}'
user = models.User.query.get(email) user = models.User.query.get(email)
if user and mode == 'ifmissing': if user and mode == 'ifmissing':
@ -86,7 +92,7 @@ def admin(localpart, domain_name, password, mode='create'):
@click.argument('localpart') @click.argument('localpart')
@click.argument('domain_name') @click.argument('domain_name')
@click.argument('password') @click.argument('password')
@flask_cli.with_appcontext @with_appcontext
def user(localpart, domain_name, password): def user(localpart, domain_name, password):
""" Create a user """ Create a user
""" """
@ -108,16 +114,16 @@ def user(localpart, domain_name, password):
@click.argument('localpart') @click.argument('localpart')
@click.argument('domain_name') @click.argument('domain_name')
@click.argument('password') @click.argument('password')
@flask_cli.with_appcontext @with_appcontext
def password(localpart, domain_name, password): def password(localpart, domain_name, password):
""" Change the password of an user """ Change the password of an user
""" """
email = '{0}@{1}'.format(localpart, domain_name) email = f'{localpart}@{domain_name}'
user = models.User.query.get(email) user = models.User.query.get(email)
if user: if user:
user.set_password(password) user.set_password(password)
else: else:
print("User " + email + " not found.") print(f'User {email} not found.')
db.session.commit() db.session.commit()
@ -126,7 +132,7 @@ def password(localpart, domain_name, password):
@click.option('-u', '--max-users') @click.option('-u', '--max-users')
@click.option('-a', '--max-aliases') @click.option('-a', '--max-aliases')
@click.option('-q', '--max-quota-bytes') @click.option('-q', '--max-quota-bytes')
@flask_cli.with_appcontext @with_appcontext
def domain(domain_name, max_users=-1, max_aliases=-1, max_quota_bytes=0): def domain(domain_name, max_users=-1, max_aliases=-1, max_quota_bytes=0):
""" Create a domain """ Create a domain
""" """
@ -142,9 +148,9 @@ def domain(domain_name, max_users=-1, max_aliases=-1, max_quota_bytes=0):
@click.argument('localpart') @click.argument('localpart')
@click.argument('domain_name') @click.argument('domain_name')
@click.argument('password_hash') @click.argument('password_hash')
@flask_cli.with_appcontext @with_appcontext
def user_import(localpart, domain_name, password_hash): def user_import(localpart, domain_name, password_hash):
""" Import a user along with password hash. """ Import a user along with password hash
""" """
domain = models.Domain.query.get(domain_name) domain = models.Domain.query.get(domain_name)
if not domain: if not domain:
@ -160,14 +166,14 @@ def user_import(localpart, domain_name, password_hash):
db.session.commit() db.session.commit()
# TODO: remove deprecated config_update function?
@mailu.command() @mailu.command()
@click.option('-v', '--verbose') @click.option('-v', '--verbose')
@click.option('-d', '--delete-objects') @click.option('-d', '--delete-objects')
@flask_cli.with_appcontext @with_appcontext
def config_update(verbose=False, delete_objects=False): def config_update(verbose=False, delete_objects=False):
"""sync configuration with data from YAML-formatted stdin""" """ Sync configuration with data from YAML (deprecated)
import yaml """
import sys
new_config = yaml.safe_load(sys.stdin) new_config = yaml.safe_load(sys.stdin)
# print new_config # print new_config
domains = new_config.get('domains', []) domains = new_config.get('domains', [])
@ -187,13 +193,13 @@ def config_update(verbose=False, delete_objects=False):
max_aliases=max_aliases, max_aliases=max_aliases,
max_quota_bytes=max_quota_bytes) max_quota_bytes=max_quota_bytes)
db.session.add(domain) db.session.add(domain)
print("Added " + str(domain_config)) print(f'Added {domain_config}')
else: else:
domain.max_users = max_users domain.max_users = max_users
domain.max_aliases = max_aliases domain.max_aliases = max_aliases
domain.max_quota_bytes = max_quota_bytes domain.max_quota_bytes = max_quota_bytes
db.session.add(domain) db.session.add(domain)
print("Updated " + str(domain_config)) print(f'Updated {domain_config}')
users = new_config.get('users', []) users = new_config.get('users', [])
tracked_users = set() tracked_users = set()
@ -209,7 +215,7 @@ def config_update(verbose=False, delete_objects=False):
domain_name = user_config['domain'] domain_name = user_config['domain']
password_hash = user_config.get('password_hash', None) password_hash = user_config.get('password_hash', None)
domain = models.Domain.query.get(domain_name) domain = models.Domain.query.get(domain_name)
email = '{0}@{1}'.format(localpart, domain_name) email = f'{localpart}@{domain_name}'
optional_params = {} optional_params = {}
for k in user_optional_params: for k in user_optional_params:
if k in user_config: if k in user_config:
@ -239,13 +245,13 @@ def config_update(verbose=False, delete_objects=False):
print(str(alias_config)) print(str(alias_config))
localpart = alias_config['localpart'] localpart = alias_config['localpart']
domain_name = alias_config['domain'] domain_name = alias_config['domain']
if type(alias_config['destination']) is str: if isinstance(alias_config['destination'], str):
destination = alias_config['destination'].split(',') destination = alias_config['destination'].split(',')
else: else:
destination = alias_config['destination'] destination = alias_config['destination']
wildcard = alias_config.get('wildcard', False) wildcard = alias_config.get('wildcard', False)
domain = models.Domain.query.get(domain_name) domain = models.Domain.query.get(domain_name)
email = '{0}@{1}'.format(localpart, domain_name) email = f'{localpart}@{domain_name}'
if not domain: if not domain:
domain = models.Domain(name=domain_name) domain = models.Domain(name=domain_name)
db.session.add(domain) db.session.add(domain)
@ -275,7 +281,7 @@ def config_update(verbose=False, delete_objects=False):
domain_name = manager_config['domain'] domain_name = manager_config['domain']
user_name = manager_config['user'] user_name = manager_config['user']
domain = models.Domain.query.get(domain_name) domain = models.Domain.query.get(domain_name)
manageruser = models.User.query.get(user_name + '@' + domain_name) manageruser = models.User.query.get(f'{user_name}@{domain_name}')
if manageruser not in domain.managers: if manageruser not in domain.managers:
domain.managers.append(manageruser) domain.managers.append(manageruser)
db.session.add(domain) db.session.add(domain)
@ -284,26 +290,117 @@ def config_update(verbose=False, delete_objects=False):
if delete_objects: if delete_objects:
for user in db.session.query(models.User).all(): for user in db.session.query(models.User).all():
if not (user.email in tracked_users): if not user.email in tracked_users:
if verbose: if verbose:
print("Deleting user: " + str(user.email)) print(f'Deleting user: {user.email}')
db.session.delete(user) db.session.delete(user)
for alias in db.session.query(models.Alias).all(): for alias in db.session.query(models.Alias).all():
if not (alias.email in tracked_aliases): if not alias.email in tracked_aliases:
if verbose: if verbose:
print("Deleting alias: " + str(alias.email)) print(f'Deleting alias: {alias.email}')
db.session.delete(alias) db.session.delete(alias)
for domain in db.session.query(models.Domain).all(): for domain in db.session.query(models.Domain).all():
if not (domain.name in tracked_domains): if not domain.name in tracked_domains:
if verbose: if verbose:
print("Deleting domain: " + str(domain.name)) print(f'Deleting domain: {domain.name}')
db.session.delete(domain) db.session.delete(domain)
db.session.commit() db.session.commit()
@mailu.command()
@click.option('-v', '--verbose', count=True, help='Increase verbosity.')
@click.option('-s', '--secrets', is_flag=True, help='Show secret attributes in messages.')
@click.option('-d', '--debug', is_flag=True, help='Enable debug output.')
@click.option('-q', '--quiet', is_flag=True, help='Quiet mode - only show errors.')
@click.option('-c', '--color', is_flag=True, help='Force colorized output.')
@click.option('-u', '--update', is_flag=True, help='Update mode - merge input with existing config.')
@click.option('-n', '--dry-run', is_flag=True, help='Perform a trial run with no changes made.')
@click.argument('source', metavar='[FILENAME|-]', type=click.File(mode='r'), default=sys.stdin)
@with_appcontext
def config_import(verbose=0, secrets=False, debug=False, quiet=False, color=False,
update=False, dry_run=False, source=None):
""" Import configuration as YAML or JSON from stdin or file
"""
log = Logger(want_color=color or None, can_color=sys.stdout.isatty(), secrets=secrets, debug=debug)
log.lexer = 'python'
log.strip = True
log.verbose = 0 if quiet else verbose
log.quiet = quiet
context = {
'import': True,
'update': update,
'clear': not update,
'callback': log.track_serialize,
}
schema = MailuSchema(only=MailuSchema.Meta.order, context=context)
try:
# import source
with models.db.session.no_autoflush:
config = schema.loads(source)
# flush session to show/count all changes
if not quiet and (dry_run or verbose):
db.session.flush()
# check for duplicate domain names
config.check()
except Exception as exc:
if msg := log.format_exception(exc):
raise click.ClickException(msg) from exc
raise
# don't commit when running dry
if dry_run:
log.changes('Dry run. Not committing changes.')
db.session.rollback()
else:
log.changes('Committing changes.')
db.session.commit()
@mailu.command()
@click.option('-f', '--full', is_flag=True, help='Include attributes with default value.')
@click.option('-s', '--secrets', is_flag=True,
help='Include secret attributes (dkim-key, passwords).')
@click.option('-d', '--dns', is_flag=True, help='Include dns records.')
@click.option('-c', '--color', is_flag=True, help='Force colorized output.')
@click.option('-o', '--output-file', 'output', default=sys.stdout, type=click.File(mode='w'),
help='Save configuration to file.')
@click.option('-j', '--json', 'as_json', is_flag=True, help='Export configuration in json format.')
@click.argument('only', metavar='[FILTER]...', nargs=-1)
@with_appcontext
def config_export(full=False, secrets=False, color=False, dns=False, output=None, as_json=False, only=None):
""" Export configuration as YAML or JSON to stdout or file
"""
log = Logger(want_color=color or None, can_color=output.isatty())
only = only or MailuSchema.Meta.order
context = {
'full': full,
'secrets': secrets,
'dns': dns,
}
try:
schema = MailuSchema(only=only, context=context)
if as_json:
schema.opts.render_module = RenderJSON
log.lexer = 'json'
log.strip = True
print(log.colorize(schema.dumps(models.MailuConfig())), file=output)
except Exception as exc:
if msg := log.format_exception(exc):
raise click.ClickException(msg) from exc
raise
@mailu.command() @mailu.command()
@click.argument('email') @click.argument('email')
@flask_cli.with_appcontext @with_appcontext
def user_delete(email): def user_delete(email):
"""delete user""" """delete user"""
user = models.User.query.get(email) user = models.User.query.get(email)
@ -314,7 +411,7 @@ def user_delete(email):
@mailu.command() @mailu.command()
@click.argument('email') @click.argument('email')
@flask_cli.with_appcontext @with_appcontext
def alias_delete(email): def alias_delete(email):
"""delete alias""" """delete alias"""
alias = models.Alias.query.get(email) alias = models.Alias.query.get(email)
@ -328,7 +425,7 @@ def alias_delete(email):
@click.argument('domain_name') @click.argument('domain_name')
@click.argument('destination') @click.argument('destination')
@click.option('-w', '--wildcard', is_flag=True) @click.option('-w', '--wildcard', is_flag=True)
@flask_cli.with_appcontext @with_appcontext
def alias(localpart, domain_name, destination, wildcard=False): def alias(localpart, domain_name, destination, wildcard=False):
""" Create an alias """ Create an alias
""" """
@ -341,7 +438,7 @@ def alias(localpart, domain_name, destination, wildcard=False):
domain=domain, domain=domain,
wildcard=wildcard, wildcard=wildcard,
destination=destination.split(','), destination=destination.split(','),
email="%s@%s" % (localpart, domain_name) email=f'{localpart}@{domain_name}'
) )
db.session.add(alias) db.session.add(alias)
db.session.commit() db.session.commit()
@ -352,7 +449,7 @@ def alias(localpart, domain_name, destination, wildcard=False):
@click.argument('max_users') @click.argument('max_users')
@click.argument('max_aliases') @click.argument('max_aliases')
@click.argument('max_quota_bytes') @click.argument('max_quota_bytes')
@flask_cli.with_appcontext @with_appcontext
def setlimits(domain_name, max_users, max_aliases, max_quota_bytes): def setlimits(domain_name, max_users, max_aliases, max_quota_bytes):
""" Set domain limits """ Set domain limits
""" """
@ -367,16 +464,12 @@ def setlimits(domain_name, max_users, max_aliases, max_quota_bytes):
@mailu.command() @mailu.command()
@click.argument('domain_name') @click.argument('domain_name')
@click.argument('user_name') @click.argument('user_name')
@flask_cli.with_appcontext @with_appcontext
def setmanager(domain_name, user_name='manager'): def setmanager(domain_name, user_name='manager'):
""" Make a user manager of a domain """ Make a user manager of a domain
""" """
domain = models.Domain.query.get(domain_name) domain = models.Domain.query.get(domain_name)
manageruser = models.User.query.get(user_name + '@' + domain_name) manageruser = models.User.query.get(f'{user_name}@{domain_name}')
domain.managers.append(manageruser) domain.managers.append(manageruser)
db.session.add(domain) db.session.add(domain)
db.session.commit() db.session.commit()
if __name__ == '__main__':
cli()

File diff suppressed because it is too large Load Diff

1269
core/admin/mailu/schemas.py Normal file

File diff suppressed because it is too large Load Diff

View File

@ -50,5 +50,17 @@
<td><pre>_dmarc.{{ domain.name }}. 600 IN TXT "v=DMARC1; p=reject;{% if config["DMARC_RUA"] %} rua=mailto:{{ config["DMARC_RUA"] }}@{{ config["DOMAIN"] }};{% endif %}{% if config["DMARC_RUF"] %} ruf=mailto:{{ config["DMARC_RUF"] }}@{{ config["DOMAIN"] }};{% endif %} adkim=s; aspf=s"</pre></td> <td><pre>_dmarc.{{ domain.name }}. 600 IN TXT "v=DMARC1; p=reject;{% if config["DMARC_RUA"] %} rua=mailto:{{ config["DMARC_RUA"] }}@{{ config["DOMAIN"] }};{% endif %}{% if config["DMARC_RUF"] %} ruf=mailto:{{ config["DMARC_RUF"] }}@{{ config["DOMAIN"] }};{% endif %} adkim=s; aspf=s"</pre></td>
</tr> </tr>
{% endif %} {% endif %}
<tr>
<th>{% trans %}DNS client auto-configuration (RFC6186) entries{% endtrans %}</th>
<td>
<pre style="white-space: pre-wrap; word-wrap: break-word;">_submission._tcp.{{ domain.name }}. 600 IN SRV 1 1 587 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
<pre style="white-space: pre-wrap; word-wrap: break-word;">_imap._tcp.{{ domain.name }}. 600 IN SRV 100 1 143 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
<pre style="white-space: pre-wrap; word-wrap: break-word;">_pop3._tcp.{{ domain.name }}. 600 IN SRV 100 1 110 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
{% if config["TLS_FLAVOR"] != "notls" %}
<pre style="white-space: pre-wrap; word-wrap: break-word;">_submissions._tcp.{{ domain.name }}. 600 IN SRV 10 1 465 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
<pre style="white-space: pre-wrap; word-wrap: break-word;">_imaps._tcp.{{ domain.name }}. 600 IN SRV 10 1 993 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
<pre style="white-space: pre-wrap; word-wrap: break-word;">_pop3s._tcp.{{ domain.name }}. 600 IN SRV 10 1 995 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
{% endif %}</td>
</tr>
{% endcall %} {% endcall %}
{% endblock %} {% endblock %}

View File

@ -14,7 +14,7 @@
{{ form.hidden_tag() }} {{ form.hidden_tag() }}
{{ macros.form_field(form.reply_enabled, {{ macros.form_field(form.reply_enabled,
onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').removeAttr('readonly')} onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').removeAttr('readonly')}
else{$('#reply_subject,#reply_body,#reply_enddate').attr('readonly', '')}") }} else{$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').attr('readonly', '')}") }}
{{ macros.form_field(form.reply_subject, {{ macros.form_field(form.reply_subject,
**{("rw" if user.reply_enabled else "readonly"): ""}) }} **{("rw" if user.reply_enabled else "readonly"): ""}) }}
{{ macros.form_field(form.reply_body, rows=10, {{ macros.form_field(form.reply_body, rows=10,

View File

@ -1,6 +1,7 @@
from mailu import models from mailu import models
from mailu.ui import ui, forms, access from mailu.ui import ui, forms, access
from flask import current_app as app
import flask import flask
import flask_login import flask_login
@ -49,6 +50,9 @@ def announcement():
flask.flash('Your announcement was sent', 'success') flask.flash('Your announcement was sent', 'success')
return flask.render_template('announcement.html', form=form) return flask.render_template('announcement.html', form=form)
@ui.route('/webmail', methods=['GET'])
def webmail():
return flask.redirect(app.config['WEB_WEBMAIL'])
@ui.route('/client', methods=['GET']) @ui.route('/client', methods=['GET'])
def client(): def client():

View File

@ -74,6 +74,8 @@ def domain_details(domain_name):
def domain_genkeys(domain_name): def domain_genkeys(domain_name):
domain = models.Domain.query.get(domain_name) or flask.abort(404) domain = models.Domain.query.get(domain_name) or flask.abort(404)
domain.generate_dkim_key() domain.generate_dkim_key()
models.db.session.add(domain)
models.db.session.commit()
return flask.redirect( return flask.redirect(
flask.url_for(".domain_details", domain_name=domain_name)) flask.url_for(".domain_details", domain_name=domain_name))

View File

@ -1,11 +1,28 @@
from mailu import models, limiter """ Mailu admin app utilities
"""
try:
import cPickle as pickle
except ImportError:
import pickle
import hmac
import secrets
import time
from multiprocessing import Value
from mailu import limiter
import flask import flask
import flask_login import flask_login
import flask_script
import flask_migrate import flask_migrate
import flask_babel import flask_babel
import redis
from flask.sessions import SessionMixin, SessionInterface
from itsdangerous.encoding import want_bytes
from werkzeug.datastructures import CallbackDict
from werkzeug.contrib import fixers from werkzeug.contrib import fixers
@ -15,6 +32,7 @@ login.login_view = "ui.login"
@login.unauthorized_handler @login.unauthorized_handler
def handle_needs_login(): def handle_needs_login():
""" redirect unauthorized requests to login page """
return flask.redirect( return flask.redirect(
flask.url_for('ui.login', next=flask.request.endpoint) flask.url_for('ui.login', next=flask.request.endpoint)
) )
@ -27,6 +45,7 @@ babel = flask_babel.Babel()
@babel.localeselector @babel.localeselector
def get_locale(): def get_locale():
""" selects locale for translation """
translations = list(map(str, babel.list_translations())) translations = list(map(str, babel.list_translations()))
flask.session['available_languages'] = translations flask.session['available_languages'] = translations
@ -41,6 +60,10 @@ def get_locale():
# Proxy fixer # Proxy fixer
class PrefixMiddleware(object): class PrefixMiddleware(object):
""" fix proxy headers """
def __init__(self):
self.app = None
def __call__(self, environ, start_response): def __call__(self, environ, start_response):
prefix = environ.get('HTTP_X_FORWARDED_PREFIX', '') prefix = environ.get('HTTP_X_FORWARDED_PREFIX', '')
if prefix: if prefix:
@ -56,3 +79,384 @@ proxy = PrefixMiddleware()
# Data migrate # Data migrate
migrate = flask_migrate.Migrate() migrate = flask_migrate.Migrate()
# session store (inspired by https://github.com/mbr/flask-kvsession)
class RedisStore:
""" Stores session data in a redis db. """
has_ttl = True
def __init__(self, redisstore):
self.redis = redisstore
def get(self, key):
""" load item from store. """
value = self.redis.get(key)
if value is None:
raise KeyError(key)
return value
def put(self, key, value, ttl=None):
""" save item to store. """
if ttl:
self.redis.setex(key, int(ttl), value)
else:
self.redis.set(key, value)
def delete(self, key):
""" delete item from store. """
self.redis.delete(key)
def list(self, prefix=None):
""" return list of keys starting with prefix """
if prefix:
prefix += b'*'
return list(self.redis.scan_iter(match=prefix))
class DictStore:
""" Stores session data in a python dict. """
has_ttl = False
def __init__(self):
self.dict = {}
def get(self, key):
""" load item from store. """
return self.dict[key]
def put(self, key, value, ttl_secs=None):
""" save item to store. """
self.dict[key] = value
def delete(self, key):
""" delete item from store. """
try:
del self.dict[key]
except KeyError:
pass
def list(self, prefix=None):
""" return list of keys starting with prefix """
if prefix is None:
return list(self.dict.keys())
return [key for key in self.dict if key.startswith(prefix)]
class MailuSession(CallbackDict, SessionMixin):
""" Custom flask session storage. """
# default modified to false
modified = False
def __init__(self, key=None, app=None):
self.app = app or flask.current_app
initial = None
key = want_bytes(key)
if parsed := self.app.session_config.parse_key(key, self.app):
try:
initial = pickle.loads(app.session_store.get(key))
except (KeyError, EOFError, pickle.UnpicklingError):
# either the cookie was manipulated or we did not find the
# session in the backend or the pickled data is invalid.
# => start new session
pass
else:
(self._uid, self._sid, self._created) = parsed
self._key = key
if initial is None:
# start new session
self.new = True
self._uid = None
self._sid = None
self._created = self.app.session_config.gen_created()
self._key = None
def _on_update(obj):
obj.modified = True
CallbackDict.__init__(self, initial, _on_update)
@property
def saved(self):
""" this reflects if the session was saved. """
return self._key is not None
@property
def sid(self):
""" this reflects the session's id. """
if self._sid is None or self._uid is None or self._created is None:
return None
return b''.join([self._uid, self._sid, self._created])
def destroy(self):
""" destroy session for security reasons. """
self.delete()
self._uid = None
self._sid = None
self._created = None
self.clear()
self.modified = True
self.new = False
def regenerate(self):
""" generate new id for session to avoid `session fixation`. """
self.delete()
self._sid = None
self._created = self.app.session_config.gen_created()
self.modified = True
def delete(self):
""" Delete stored session. """
if self.saved:
self.app.session_store.delete(self._key)
self._key = None
def save(self):
""" Save session to store. """
set_cookie = False
# set uid from dict data
if self._uid is None:
self._uid = self.app.session_config.gen_uid(self.get('user_id', ''))
# create new session id for new or regenerated sessions and force setting the cookie
if self._sid is None:
self._sid = self.app.session_config.gen_sid()
set_cookie = True
# get new session key
key = self.sid
# delete old session if key has changed
if key != self._key:
self.delete()
# remember time to refresh
self['_refresh'] = int(time.time()) + self.app.permanent_session_lifetime.total_seconds()/2
# save session
self.app.session_store.put(
key,
pickle.dumps(dict(self)),
self.app.permanent_session_lifetime.total_seconds()
)
self._key = key
self.new = False
self.modified = False
return set_cookie
def needs_refresh(self):
""" Checks if server side session needs to be refreshed. """
return int(time.time()) > self.get('_refresh', 0)
class MailuSessionConfig:
""" Stores sessions crypto config """
# default size of session key parts
uid_bits = 64 # default if SESSION_KEY_BITS is not set in config
sid_bits = 128 # for now. must be multiple of 8!
time_bits = 32 # for now. must be multiple of 8!
def __init__(self, app=None):
if app is None:
app = flask.current_app
bits = app.config.get('SESSION_KEY_BITS', self.uid_bits)
if not 64 <= bits <= 256:
raise ValueError('SESSION_KEY_BITS must be between 64 and 256!')
uid_bytes = bits//8 + (bits%8>0)
sid_bytes = self.sid_bits//8
key = want_bytes(app.secret_key)
self._hmac = hmac.new(hmac.digest(key, b'SESSION_UID_HASH', digest='sha256'), digestmod='sha256')
self._uid_len = uid_bytes
self._uid_b64 = len(self._encode(bytes(uid_bytes)))
self._sid_len = sid_bytes
self._sid_b64 = len(self._encode(bytes(sid_bytes)))
self._key_min = self._uid_b64 + self._sid_b64
self._key_max = self._key_min + len(self._encode(bytes(self.time_bits//8)))
def gen_sid(self):
""" Generate random session id. """
return self._encode(secrets.token_bytes(self._sid_len))
def gen_uid(self, uid):
""" Generate hashed user id part of session key. """
_hmac = self._hmac.copy()
_hmac.update(want_bytes(uid))
return self._encode(_hmac.digest()[:self._uid_len])
def gen_created(self, now=None):
""" Generate base64 representation of creation time. """
return self._encode(int(now or time.time()).to_bytes(8, byteorder='big').lstrip(b'\0'))
def parse_key(self, key, app=None, validate=False, now=None):
""" Split key into sid, uid and creation time. """
if not (isinstance(key, bytes) and self._key_min <= len(key) <= self._key_max):
return None
uid = key[:self._uid_b64]
sid = key[self._uid_b64:self._key_min]
crt = key[self._key_min:]
# validate if parts are decodeable
created = self._decode(crt)
if created is None or self._decode(uid) is None or self._decode(sid) is None:
return None
# validate creation time when requested or store does not support ttl
if validate or not app.session_store.has_ttl:
if now is None:
now = int(time.time())
created = int.from_bytes(created, byteorder='big')
if not created < now < created + app.permanent_session_lifetime.total_seconds():
return None
return (uid, sid, crt)
def _encode(self, value):
return secrets.base64.urlsafe_b64encode(value).rstrip(b'=')
def _decode(self, value):
try:
return secrets.base64.urlsafe_b64decode(value + b'='*(4-len(value)%4))
except secrets.binascii.Error:
return None
class MailuSessionInterface(SessionInterface):
""" Custom flask session interface. """
def open_session(self, app, request):
""" Load or create session. """
return MailuSession(request.cookies.get(app.config['SESSION_COOKIE_NAME'], None), app)
def save_session(self, app, session, response):
""" Save modified session. """
# If the session is modified to be empty, remove the cookie.
# If the session is empty, return without setting the cookie.
if not session:
if session.modified:
session.delete()
response.delete_cookie(
app.session_cookie_name,
domain=self.get_cookie_domain(app),
path=self.get_cookie_path(app),
)
return
# Add a "Vary: Cookie" header if the session was accessed
if session.accessed:
response.vary.add('Cookie')
set_cookie = session.permanent and app.config['SESSION_REFRESH_EACH_REQUEST']
need_refresh = session.needs_refresh()
# save modified session or refresh unmodified session
if session.modified or need_refresh:
set_cookie |= session.save()
# set cookie on refreshed permanent sessions
if need_refresh and session.permanent:
set_cookie = True
# set or update cookie if necessary
if set_cookie:
response.set_cookie(
app.session_cookie_name,
session.sid,
expires=self.get_expiration_time(app, session),
httponly=self.get_cookie_httponly(app),
domain=self.get_cookie_domain(app),
path=self.get_cookie_path(app),
secure=self.get_cookie_secure(app),
samesite=self.get_cookie_samesite(app)
)
class MailuSessionExtension:
""" Server side session handling """
@staticmethod
def cleanup_sessions(app=None):
""" Remove invalid or expired sessions. """
app = app or flask.current_app
now = int(time.time())
count = 0
for key in app.session_store.list():
if not app.session_config.parse_key(key, app, validate=True, now=now):
app.session_store.delete(key)
count += 1
return count
@staticmethod
def prune_sessions(uid=None, keep=None, app=None):
""" Remove sessions
uid: remove all sessions (NONE) or sessions belonging to a specific user
keep: keep listed sessions
"""
keep = keep or set()
app = app or flask.current_app
prefix = None if uid is None else app.session_config.gen_uid(uid)
count = 0
for key in app.session_store.list(prefix):
if key not in keep:
app.session_store.delete(key)
count += 1
return count
def init_app(self, app):
""" Replace session management of application. """
if app.config.get('MEMORY_SESSIONS'):
# in-memory session store for use in development
app.session_store = DictStore()
else:
# redis-based session store for use in production
app.session_store = RedisStore(
redis.StrictRedis().from_url(app.config['SESSION_STORAGE_URL'])
)
# clean expired sessions oonce on first use in case lifetime was changed
def cleaner():
with cleaned.get_lock():
if not cleaned.value:
cleaned.value = True
flask.current_app.logger.error('cleaning')
MailuSessionExtension.cleanup_sessions(app)
app.before_first_request(cleaner)
app.session_config = MailuSessionConfig(app)
app.session_interface = MailuSessionInterface()
cleaned = Value('i', False)
session = MailuSessionExtension()

View File

@ -2,30 +2,31 @@
"name": "mailu", "name": "mailu",
"version": "1.0.0", "version": "1.0.0",
"description": "Mailu admin assets", "description": "Mailu admin assets",
"main": "assest/index.js", "main": "assets/index.js",
"directories": {
"lib": "lib"
},
"scripts": { "scripts": {
"test": "echo \"Error: no test specified\" && exit 1" "test": "echo \"Error: no test specified\" && exit 1"
}, },
"author": "", "author": "",
"license": "ISC", "license": "ISC",
"dependencies": { "dependencies": {
"@babel/core": "^7.4.4", "@babel/core": "^7.14.6",
"@babel/preset-env": "^7.4.4", "@babel/preset-env": "^7.14.7",
"admin-lte": "^3.1.0", "admin-lte": "^3.1.0",
"babel-loader": "^8.0.5", "babel-loader": "^8.0.6",
"css-loader": "^2.1.1", "css-loader": "^2.1.1",
"expose-loader": "^0.7.5", "expose-loader": "^0.7.5",
"file-loader": "^3.0.1", "jquery": "^3.6.0",
"jQuery": "^1.7.4", "less": "^3.13.1",
"less": "^3.9.0",
"less-loader": "^5.0.0", "less-loader": "^5.0.0",
"mini-css-extract-plugin": "^0.6.0", "mini-css-extract-plugin": "^1.2.1",
"node-sass": "^4.12.0", "node-sass": "^4.13.1",
"popper.js": "^1.15.0", "sass-loader": "^7.3.1",
"sass-loader": "^7.1.0", "select2": "^4.0.13",
"style-loader": "^0.23.1", "url-loader": "^2.3.0",
"url-loader": "^1.1.2", "webpack": "^4.33.0",
"webpack": "^4.30.0", "webpack-cli": "^3.3.12"
"webpack-cli": "^3.3.2"
} }
} }

View File

@ -5,7 +5,7 @@ bcrypt==3.1.6
blinker==1.4 blinker==1.4
cffi==1.12.3 cffi==1.12.3
Click==7.0 Click==7.0
cryptography==3.2 cryptography==3.4.7
decorator==4.4.0 decorator==4.4.0
dnspython==1.16.0 dnspython==1.16.0
dominate==2.3.5 dominate==2.3.5
@ -13,9 +13,9 @@ Flask==1.0.2
Flask-Babel==0.12.2 Flask-Babel==0.12.2
Flask-Bootstrap==3.3.7.1 Flask-Bootstrap==3.3.7.1
Flask-DebugToolbar==0.10.1 Flask-DebugToolbar==0.10.1
Flask-KVSession==0.6.2
Flask-Limiter==1.0.1 Flask-Limiter==1.0.1
Flask-Login==0.4.1 Flask-Login==0.4.1
flask-marshmallow==0.14.0
Flask-Migrate==2.4.0 Flask-Migrate==2.4.0
Flask-Script==2.0.6 Flask-Script==2.0.6
Flask-SQLAlchemy==2.4.0 Flask-SQLAlchemy==2.4.0
@ -25,19 +25,22 @@ idna==2.8
infinity==1.4 infinity==1.4
intervals==0.8.1 intervals==0.8.1
itsdangerous==1.1.0 itsdangerous==1.1.0
Jinja2==2.10.1 Jinja2==2.11.3
limits==1.3 limits==1.3
Mako==1.0.9 Mako==1.0.9
MarkupSafe==1.1.1 MarkupSafe==1.1.1
mysqlclient==1.4.2.post1 mysqlclient==1.4.2.post1
marshmallow==3.10.0
marshmallow-sqlalchemy==0.24.1
passlib==1.7.4 passlib==1.7.4
psycopg2==2.8.2 psycopg2==2.8.2
pycparser==2.19 pycparser==2.19
pyOpenSSL==19.0.0 Pygments==2.8.1
pyOpenSSL==20.0.1
python-dateutil==2.8.0 python-dateutil==2.8.0
python-editor==1.0.4 python-editor==1.0.4
pytz==2019.1 pytz==2019.1
PyYAML==5.1 PyYAML==5.4.1
redis==3.2.1 redis==3.2.1
#alpine3:12 provides six==1.15.0 #alpine3:12 provides six==1.15.0
#six==1.12.0 #six==1.12.0

View File

@ -3,7 +3,6 @@ Flask-Login
Flask-SQLAlchemy Flask-SQLAlchemy
Flask-bootstrap Flask-bootstrap
Flask-Babel Flask-Babel
Flask-KVSession
Flask-migrate Flask-migrate
Flask-script Flask-script
Flask-wtf Flask-wtf
@ -17,6 +16,7 @@ gunicorn
tabulate tabulate
PyYAML PyYAML
PyOpenSSL PyOpenSSL
Pygments
dnspython dnspython
bcrypt bcrypt
tenacity tenacity
@ -24,3 +24,6 @@ mysqlclient
psycopg2 psycopg2
idna idna
srslib srslib
marshmallow
flask-marshmallow
marshmallow-sqlalchemy

View File

@ -19,7 +19,8 @@ if account is not None and domain is not None and password is not None:
os.system("flask mailu admin %s %s '%s' --mode %s" % (account, domain, password, mode)) os.system("flask mailu admin %s %s '%s' --mode %s" % (account, domain, password, mode))
start_command="".join([ start_command="".join([
"gunicorn -w 4 -b :80 ", "gunicorn --threads ", str(os.cpu_count()),
" -b :80 ",
"--access-logfile - " if (log.root.level<=log.INFO) else "", "--access-logfile - " if (log.root.level<=log.INFO) else "",
"--error-logfile - ", "--error-logfile - ",
"--preload ", "--preload ",

View File

@ -1,4 +1,4 @@
ARG DISTRO=alpine:3.13 ARG DISTRO=alpine:3.14
FROM $DISTRO as builder FROM $DISTRO as builder
WORKDIR /tmp WORKDIR /tmp
RUN apk add git build-base automake autoconf libtool dovecot-dev xapian-core-dev icu-dev RUN apk add git build-base automake autoconf libtool dovecot-dev xapian-core-dev icu-dev

View File

@ -21,7 +21,10 @@ mail_access_groups = mail
maildir_stat_dirs = yes maildir_stat_dirs = yes
mailbox_list_index = yes mailbox_list_index = yes
mail_vsize_bg_after_count = 100 mail_vsize_bg_after_count = 100
mail_plugins = $mail_plugins quota quota_clone zlib{{ ' ' }} mail_plugins = $mail_plugins quota quota_clone{{ ' ' }}
{%- if COMPRESSION -%}
zlib{{ ' ' }}
{%- endif %}
{%- if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] -%} {%- if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] -%}
fts fts_xapian fts fts_xapian
{%- endif %} {%- endif %}
@ -50,7 +53,7 @@ plugin {
fts_autoindex_exclude = \Trash fts_autoindex_exclude = \Trash
{% endif %} {% endif %}
{% if COMPRESSION in [ 'gz', 'bz2' ] %} {% if COMPRESSION in [ 'gz', 'bz2', 'lz4', 'zstd' ] %}
zlib_save = {{ COMPRESSION }} zlib_save = {{ COMPRESSION }}
{% endif %} {% endif %}

View File

@ -1,4 +1,4 @@
ARG DISTRO=alpine:3.12 ARG DISTRO=alpine:3.14
FROM $DISTRO FROM $DISTRO
# python3 shared with most images # python3 shared with most images
RUN apk add --no-cache \ RUN apk add --no-cache \

View File

@ -117,7 +117,7 @@ http {
include /overrides/*.conf; include /overrides/*.conf;
# Actual logic # Actual logic
{% if WEB_WEBMAIL != '/' %} {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
location / { location / {
{% if WEBROOT_REDIRECT %} {% if WEBROOT_REDIRECT %}
try_files $uri {{ WEBROOT_REDIRECT }}; try_files $uri {{ WEBROOT_REDIRECT }};
@ -136,9 +136,33 @@ http {
include /etc/nginx/proxy.conf; include /etc/nginx/proxy.conf;
client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }}; client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
proxy_pass http://$webmail; proxy_pass http://$webmail;
{% if ADMIN == 'true' %}
auth_request /internal/auth/user;
error_page 403 @webmail_login;
} }
{% endif %}
location {{ WEB_WEBMAIL }}/sso.php {
{% if WEB_WEBMAIL != '/' %}
rewrite ^({{ WEB_WEBMAIL }})$ $1/ permanent;
rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
{% endif %}
include /etc/nginx/proxy.conf;
client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
auth_request /internal/auth/user;
auth_request_set $user $upstream_http_x_user;
auth_request_set $token $upstream_http_x_user_token;
proxy_set_header X-Remote-User $user;
proxy_set_header X-Remote-User-Token $token;
proxy_pass http://$webmail;
error_page 403 @webmail_login;
}
location @webmail_login {
return 302 {{ WEB_ADMIN }}/ui/login?next=ui.webmail;
}
{% else %}
}
{% endif %}{% endif %}
{% if ADMIN == 'true' %} {% if ADMIN == 'true' %}
location {{ WEB_ADMIN }} { location {{ WEB_ADMIN }} {
return 301 {{ WEB_ADMIN }}/ui; return 301 {{ WEB_ADMIN }}/ui;

View File

@ -1,6 +1,6 @@
# This is an idle image to dynamically replace any component if disabled. # This is an idle image to dynamically replace any component if disabled.
ARG DISTRO=alpine:3.12 ARG DISTRO=alpine:3.14
FROM $DISTRO FROM $DISTRO
CMD sleep 1000000d CMD sleep 1000000d

View File

@ -1,4 +1,4 @@
ARG DISTRO=alpine:3.12 ARG DISTRO=alpine:3.14
FROM $DISTRO FROM $DISTRO
# python3 shared with most images # python3 shared with most images
RUN apk add --no-cache \ RUN apk add --no-cache \
@ -12,7 +12,7 @@ RUN pip3 install socrate==0.2.0
RUN pip3 install "podop>0.2.5" RUN pip3 install "podop>0.2.5"
# Image specific layers under this line # Image specific layers under this line
RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-plain cyrus-sasl-login RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-login
COPY conf /conf COPY conf /conf
COPY start.py /start.py COPY start.py /start.py

View File

@ -32,7 +32,7 @@ mydestination =
relayhost = {{ RELAYHOST }} relayhost = {{ RELAYHOST }}
{% if RELAYUSER %} {% if RELAYUSER %}
smtp_sasl_auth_enable = yes smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous smtp_sasl_security_options = noanonymous
{% endif %} {% endif %}
@ -58,7 +58,7 @@ tls_ssl_options = NO_COMPRESSION
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }} smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols =!SSLv2,!SSLv3 smtp_tls_protocols =!SSLv2,!SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
############### ###############
# Virtual # Virtual

View File

@ -4,7 +4,7 @@
# Remove the first line of the Received: header. Note that we cannot fully remove the Received: header # Remove the first line of the Received: header. Note that we cannot fully remove the Received: header
# because OpenDKIM requires that a header be present when signing outbound mail. The first line is # because OpenDKIM requires that a header be present when signing outbound mail. The first line is
# where the user's home IP address would be. # where the user's home IP address would be.
/^\s*Received:[^\n]*(.*)/ REPLACE Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP])$1 /^\s*Received:[^\n]*(.*)/ REPLACE Received: from authenticated-user ({{OUTCLEAN}} [{{OUTCLEAN_ADDRESS}}])$1
# Remove other typically private information. # Remove other typically private information.
/^\s*User-Agent:/ IGNORE /^\s*User-Agent:/ IGNORE

View File

@ -1 +1,2 @@
{{ RELAYHOST }} {{ RELAYUSER }}:{{ RELAYPASSWORD }} {{ RELAYHOST }} {{ RELAYUSER }}:{{ RELAYPASSWORD }}

View File

@ -8,12 +8,13 @@ import logging as log
import sys import sys
from podop import run_server from podop import run_server
from pwd import getpwnam
from socrate import system, conf from socrate import system, conf
log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING")) log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
def start_podop(): def start_podop():
os.setuid(100) os.setuid(getpwnam('postfix').pw_uid)
url = "http://" + os.environ["ADMIN_ADDRESS"] + "/internal/postfix/" url = "http://" + os.environ["ADMIN_ADDRESS"] + "/internal/postfix/"
# TODO: Remove verbosity setting from Podop? # TODO: Remove verbosity setting from Podop?
run_server(0, "postfix", "/tmp/podop.socket", [ run_server(0, "postfix", "/tmp/podop.socket", [
@ -36,6 +37,15 @@ os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT",
os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin") os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin")
os.environ["ANTISPAM_MILTER_ADDRESS"] = system.get_host_address_from_environment("ANTISPAM_MILTER", "antispam:11332") os.environ["ANTISPAM_MILTER_ADDRESS"] = system.get_host_address_from_environment("ANTISPAM_MILTER", "antispam:11332")
os.environ["LMTP_ADDRESS"] = system.get_host_address_from_environment("LMTP", "imap:2525") os.environ["LMTP_ADDRESS"] = system.get_host_address_from_environment("LMTP", "imap:2525")
os.environ["OUTCLEAN"] = os.environ["HOSTNAMES"].split(",")[0]
try:
_to_lookup = os.environ["OUTCLEAN"]
# Ensure we lookup a FQDN: @see #1884
if not _to_lookup.endswith('.'):
_to_lookup += '.'
os.environ["OUTCLEAN_ADDRESS"] = system.resolve_hostname(_to_lookup)
except:
os.environ["OUTCLEAN_ADDRESS"] = "10.10.10.10"
for postfix_file in glob.glob("/conf/*.cf"): for postfix_file in glob.glob("/conf/*.cf"):
conf.jinja(postfix_file, os.environ, os.path.join("/etc/postfix", os.path.basename(postfix_file))) conf.jinja(postfix_file, os.environ, os.path.join("/etc/postfix", os.path.basename(postfix_file)))

View File

@ -1,4 +1,4 @@
ARG DISTRO=alpine:3.12 ARG DISTRO=alpine:3.14
FROM $DISTRO FROM $DISTRO
# python3 shared with most images # python3 shared with most images
RUN apk add --no-cache \ RUN apk add --no-cache \

View File

@ -10,7 +10,6 @@ log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
# Actual startup script # Actual startup script
os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT", "front")
os.environ["REDIS_ADDRESS"] = system.get_host_address_from_environment("REDIS", "redis") os.environ["REDIS_ADDRESS"] = system.get_host_address_from_environment("REDIS", "redis")
if os.environ.get("ANTIVIRUS") == 'clamav': if os.environ.get("ANTIVIRUS") == 'clamav':

View File

@ -1,20 +1,28 @@
ARG DISTRO=alpine:3.8 # Convert .rst files to .html in temporary build container
FROM $DISTRO FROM python:3.8-alpine3.14 AS build
COPY requirements.txt /requirements.txt
ARG version=master ARG version=master
ENV VERSION=$version ENV VERSION=$version
RUN apk add --no-cache nginx curl python3 \ COPY requirements.txt /requirements.txt
&& pip3 install -r /requirements.txt \
&& mkdir /run/nginx
COPY ./nginx.conf /etc/nginx/conf.d/default.conf
COPY . /docs COPY . /docs
RUN mkdir -p /build/$VERSION \ RUN apk add --no-cache --virtual .build-deps \
&& sphinx-build -W /docs /build/$VERSION gcc musl-dev \
&& pip3 install -r /requirements.txt \
&& mkdir -p /build/$VERSION \
&& sphinx-build -W /docs /build/$VERSION \
&& apk del .build-deps
# Build nginx deployment image including generated html
FROM nginx:1.21-alpine
ARG version=master
ENV VERSION=$version
COPY ./nginx.conf /etc/nginx/conf.d/default.conf
COPY --from=build /build/$VERSION /build/$VERSION
EXPOSE 80/tcp EXPOSE 80/tcp

View File

@ -11,6 +11,8 @@ Managing users and aliases can be done from CLI using commands:
* user-import * user-import
* user-delete * user-delete
* config-update * config-update
* config-export
* config-import
alias alias
----- -----
@ -62,7 +64,7 @@ primary difference with simple `user` command is that password is being imported
docker-compose run --rm admin flask mailu user-import myuser example.net '$6$51ebe0cb9f1dab48effa2a0ad8660cb489b445936b9ffd812a0b8f46bca66dd549fea530ce' 'SHA512-CRYPT' docker-compose run --rm admin flask mailu user-import myuser example.net '$6$51ebe0cb9f1dab48effa2a0ad8660cb489b445936b9ffd812a0b8f46bca66dd549fea530ce' 'SHA512-CRYPT'
user-delete user-delete
------------ -----------
.. code-block:: bash .. code-block:: bash
@ -94,7 +96,7 @@ where mail-config.yml looks like:
without ``--delete-object`` option config-update will only add/update new values but will *not* remove any entries missing in provided YAML input. without ``--delete-object`` option config-update will only add/update new values but will *not* remove any entries missing in provided YAML input.
Users Users
----- ^^^^^
following are additional parameters that could be defined for users: following are additional parameters that could be defined for users:
@ -113,8 +115,197 @@ following are additional parameters that could be defined for users:
* spam_threshold * spam_threshold
Alias Alias
----- ^^^^^
additional fields: additional fields:
* wildcard * wildcard
config-export
-------------
The purpose of this command is to export the complete configuration in YAML or JSON format.
.. code-block:: bash
$ docker-compose exec admin flask mailu config-export --help
Usage: flask mailu config-export [OPTIONS] [FILTER]...
Export configuration as YAML or JSON to stdout or file
Options:
-f, --full Include attributes with default value.
-s, --secrets Include secret attributes (dkim-key, passwords).
-d, --dns Include dns records.
-c, --color Force colorized output.
-o, --output-file FILENAME Save configuration to file.
-j, --json Export configuration in json format.
-?, -h, --help Show this message and exit.
Only non-default attributes are exported. If you want to export all attributes use ``--full``.
If you want to export plain-text secrets (dkim-keys, passwords) you have to add the ``--secrets`` option.
To include dns records (mx, spf, dkim and dmarc) add the ``--dns`` option.
By default all configuration objects are exported (domain, user, alias, relay). You can specify
filters to export only some objects or attributes (try: ``user`` or ``domain.name``).
Attributes explicitly specified in filters are automatically exported: there is no need to add ``--secrets`` or ``--full``.
.. code-block:: bash
$ docker-compose exec admin flask mailu config-export --output mail-config.yml
$ docker-compose exec admin flask mailu config-export domain.dns_mx domain.dns_spf
$ docker-compose exec admin flask mailu config-export user.spam_threshold
config-import
-------------
This command imports configuration data from an external YAML or JSON source.
.. code-block:: bash
$ docker-compose exec admin flask mailu config-import --help
Usage: flask mailu config-import [OPTIONS] [FILENAME|-]
Import configuration as YAML or JSON from stdin or file
Options:
-v, --verbose Increase verbosity.
-s, --secrets Show secret attributes in messages.
-q, --quiet Quiet mode - only show errors.
-c, --color Force colorized output.
-u, --update Update mode - merge input with existing config.
-n, --dry-run Perform a trial run with no changes made.
-?, -h, --help Show this message and exit.
The current version of docker-compose exec does not pass stdin correctly, so you have to user docker exec instead:
.. code-block:: bash
docker exec -i $(docker-compose ps -q admin) flask mailu config-import -nv < mail-config.yml
mail-config.yml contains the configuration and looks like this:
.. code-block:: yaml
domain:
- name: example.com
alternatives:
- alternative.example.com
user:
- email: foo@example.com
password_hash: '$2b$12$...'
hash_scheme: MD5-CRYPT
alias:
- email: alias1@example.com
destination:
- user1@example.com
- user2@example.com
relay:
- name: relay.example.com
comment: test
smtp: mx.example.com
config-import shows the number of created/modified/deleted objects after import.
To suppress all messages except error messages use ``--quiet``.
By adding the ``--verbose`` switch the import gets more detailed and shows exactly what attributes changed.
In all log messages plain-text secrets (dkim-keys, passwords) are hidden by default. Use ``--secrets`` to log secrets.
If you want to test what would be done when importing without committing any changes, use ``--dry-run``.
By default config-import replaces the whole configuration. ``--update`` allows to modify the existing configuration instead.
New elements will be added and existing elements will be modified.
It is possible to delete a single element or prune all elements from lists and associative arrays using a special notation:
+-----------------------------+------------------+--------------------------+
| Delete what? | notation | example |
+=============================+==================+==========================+
| specific array object | ``- -key: id`` | ``- -name: example.com`` |
+-----------------------------+------------------+--------------------------+
| specific list item | ``- -id`` | ``- -user1@example.com`` |
+-----------------------------+------------------+--------------------------+
| all remaining array objects | ``- -key: null`` | ``- -email: null`` |
+-----------------------------+------------------+--------------------------+
| all remaining list items | ``- -prune-`` | ``- -prune-`` |
+-----------------------------+------------------+--------------------------+
The ``-key: null`` notation can also be used to reset an attribute to its default.
To reset *spam_threshold* to it's default *80* use ``-spam_threshold: null``.
A new dkim key can be generated when adding or modifying a domain, by using the special value
``dkim_key: -generate-``.
This is a complete YAML template with all additional parameters that can be defined:
.. code-block:: yaml
domain:
- name: example.com
alternatives:
- alternative.tld
comment: ''
dkim_key: ''
max_aliases: -1
max_quota_bytes: 0
max_users: -1
signup_enabled: false
user:
- email: postmaster@example.com
comment: ''
displayed_name: 'Postmaster'
enable_imap: true
enable_pop: false
enabled: true
fetches:
- id: 1
comment: 'test fetch'
error: null
host: other.example.com
keep: true
last_check: '2020-12-29T17:09:48.200179'
password: 'secret'
hash_password: true
port: 993
protocol: imap
tls: true
username: fetch-user
forward_destination:
- address@remote.example.com
forward_enabled: true
forward_keep: true
global_admin: true
manager_of:
- example.com
password: '$2b$12$...'
hash_password: true
quota_bytes: 1000000000
reply_body: ''
reply_enabled: false
reply_enddate: '2999-12-31'
reply_startdate: '1900-01-01'
reply_subject: ''
spam_enabled: true
spam_threshold: 80
tokens:
- id: 1
comment: email-client
ip: 192.168.1.1
password: '$5$rounds=1$...'
aliases:
- email: email@example.com
comment: ''
destination:
- address@example.com
wildcard: false
relay:
- name: relay.example.com
comment: ''
smtp: mx.example.com

View File

@ -97,7 +97,7 @@ WELCOME_SUBJECT=Welcome to your new email account
WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly! WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!
# Maildir Compression # Maildir Compression
# choose compression-method, default: none (value: bz2, gz) # choose compression-method, default: none (value: gz, bz2, lz4, zstd)
COMPRESSION= COMPRESSION=
# change compression-level, default: 6 (value: 1-9) # change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL= COMPRESSION_LEVEL=

View File

@ -4,7 +4,7 @@
import os import os
extensions = ['sphinx.ext.imgmath', 'sphinx.ext.viewcode'] extensions = ['sphinx.ext.imgmath', 'sphinx.ext.viewcode', 'sphinx_rtd_theme']
templates_path = ['_templates'] templates_path = ['_templates']
source_suffix = '.rst' source_suffix = '.rst'
master_doc = 'index' master_doc = 'index'
@ -36,7 +36,7 @@ html_context = {
'github_user': 'mailu', 'github_user': 'mailu',
'github_repo': 'mailu', 'github_repo': 'mailu',
'github_version': version, 'github_version': version,
'stable_version': '1.7', 'stable_version': '1.8',
'versions': [ 'versions': [
('1.5', '/1.5/'), ('1.5', '/1.5/'),
('1.6', '/1.6/'), ('1.6', '/1.6/'),

View File

@ -41,7 +41,7 @@ The ``AUTH_RATELIMIT`` holds a security setting for fighting attackers that
try to guess user passwords. The value is the limit of failed authentication attempts try to guess user passwords. The value is the limit of failed authentication attempts
that a single IP address can perform against IMAP, POP and SMTP authentication endpoints. that a single IP address can perform against IMAP, POP and SMTP authentication endpoints.
If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (which is the default), the ``AUTH_RATELIMIT`` If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (default: False), the ``AUTH_RATELIMIT``
rules does also apply to auth requests coming from ``SUBNET``, especially for the webmail. rules does also apply to auth requests coming from ``SUBNET``, especially for the webmail.
If you disable this, ensure that the rate limit on the webmail is enforced in a different If you disable this, ensure that the rate limit on the webmail is enforced in a different
way (e.g. roundcube plug-in), otherwise an attacker can simply bypass the limit using webmail. way (e.g. roundcube plug-in), otherwise an attacker can simply bypass the limit using webmail.
@ -99,14 +99,19 @@ the localpart for DMARC rua and ruf email addresses.
Full-text search is enabled for IMAP is enabled by default. This feature can be disabled Full-text search is enabled for IMAP is enabled by default. This feature can be disabled
(e.g. for performance reasons) by setting the optional variable ``FULL_TEXT_SEARCH`` to ``off``. (e.g. for performance reasons) by setting the optional variable ``FULL_TEXT_SEARCH`` to ``off``.
.. _web_settings:
Web settings Web settings
------------ ------------
The ``WEB_ADMIN`` contains the path to the main admin interface, while - ``WEB_ADMIN`` contains the path to the main admin interface
``WEB_WEBMAIL`` contains the path to the Web email client.
The ``WEBROOT_REDIRECT`` redirects all non-found queries to the set path. - ``WEB_WEBMAIL`` contains the path to the Web email client.
An empty ``WEBROOT_REDIRECT`` value disables redirecting and enables classic
behavior of a 404 result when not found. - ``WEBROOT_REDIRECT`` redirects all non-found queries to the set path.
An empty ``WEBROOT_REDIRECT`` value disables redirecting and enables classic behavior of a 404 result when not found.
Alternatively, ``WEBROOT_REDIRECT`` can be set to ``none`` if you are using an Nginx override for ``location /``.
All three options need a leading slash (``/``) to work. All three options need a leading slash (``/``) to work.
.. note:: ``WEBROOT_REDIRECT`` has to point to a valid path on the webserver. .. note:: ``WEBROOT_REDIRECT`` has to point to a valid path on the webserver.
@ -195,4 +200,24 @@ resolved. This can be used to rely on DNS based service discovery with changing
When using ``*_ADDRESS``, the hostnames must be full-qualified hostnames. Otherwise nginx will not be able to When using ``*_ADDRESS``, the hostnames must be full-qualified hostnames. Otherwise nginx will not be able to
resolve the hostnames. resolve the hostnames.
Database settings
-----------------
The admin service stores configurations in a database.
- ``DB_FLAVOR``: the database type for mailu admin service. (``sqlite``, ``postgresql``, ``mysql``)
- ``DB_HOST``: the database host for mailu admin service. (when not ``sqlite``)
- ``DB_PORT``: the database port for mailu admin service. (when not ``sqlite``)
- ``DB_PW``: the database password for mailu admin service. (when not ``sqlite``)
- ``DB_USER``: the database user for mailu admin service. (when not ``sqlite``)
- ``DB_NAME``: the database name for mailu admin service. (when not ``sqlite``)
The roundcube service stores configurations in a database.
- ``ROUNDCUBE_DB_FLAVOR``: the database type for roundcube service. (``sqlite``, ``postgresql``, ``mysql``)
- ``ROUNDCUBE_DB_HOST``: the database host for roundcube service. (when not ``sqlite``)
- ``ROUNDCUBE_DB_PORT``: the database port for roundcube service. (when not ``sqlite``)
- ``ROUNDCUBE_DB_PW``: the database password for roundcube service. (when not ``sqlite``)
- ``ROUNDCUBE_DB_USER``: the database user for roundcube service. (when not ``sqlite``)
- ``ROUNDCUBE_DB_NAME``: the database name for roundcube service. (when not ``sqlite``)

View File

@ -178,9 +178,9 @@ In the case of a PR from a fellow team member, a single review is enough
to initiate merging. In all other cases, two approving reviews are required. to initiate merging. In all other cases, two approving reviews are required.
There is also a possibility to set the ``review/need2`` to require a second review. There is also a possibility to set the ``review/need2`` to require a second review.
After Travis successfully tests the PR and the required amount of reviews are acquired, After the Github Action workflow successfully tests the PR and the required amount of reviews are acquired,
Mergify will trigger with a ``bors r+`` command. Bors will batch any approved PR's, Mergify will trigger with a ``bors r+`` command. Bors will batch any approved PR's,
merges them with master in a staging branch where Travis builds and tests the result. merges them with master in a staging branch where the Github Action workflow builds and tests the result.
After a successful test, the actual master gets fast-forwarded to that point. After a successful test, the actual master gets fast-forwarded to that point.
System requirements System requirements
@ -201,16 +201,16 @@ us on `Matrix`_.
Test images Test images
``````````` ```````````
All PR's automatically get build by Travis, controlled by `bors-ng`_. All PR's automatically get build by a Github Action workflow, controlled by `bors-ng`_.
Some primitive auto testing is done. Some primitive auto testing is done.
The resulting images get uploaded to Docker hub, under the The resulting images get uploaded to Docker hub, under the
tag name ``mailutest/<name>:pr-<no>``. tag name ``mailuci/<name>:pr-<no>``.
For example, to test PR #500 against master, reviewers can use: For example, to test PR #500 against master, reviewers can use:
.. code-block:: bash .. code-block:: bash
export DOCKER_ORG="mailutest" export DOCKER_ORG="mailuci"
export MAILU_VERSION="pr-500" export MAILU_VERSION="pr-500"
docker-compose pull docker-compose pull
docker-compose up -d docker-compose up -d
@ -232,8 +232,8 @@ after Bors confirms a successful build.
When bors try fails When bors try fails
``````````````````` ```````````````````
Sometimes Travis fails when another PR triggers a ``bors try`` command, Sometimes the Github Action workflow fails when another PR triggers a ``bors try`` command,
before Travis cloned the git repository. before the Github Action workflow cloned the git repository.
Inspect the build log in the link provided by *bors-ng* to find out the cause. Inspect the build log in the link provided by *bors-ng* to find out the cause.
If you see something like the following error on top of the logs, If you see something like the following error on top of the logs,
feel free to write a comment with ``bors retry``. feel free to write a comment with ``bors retry``.

View File

@ -41,7 +41,7 @@ PR Workflow
----------- -----------
All pull requests have to be against the main ``master`` branch. All pull requests have to be against the main ``master`` branch.
The PR gets build by Travis and some primitive auto-testing is done. The PR gets build by a Github Action workflow and some primitive auto-testing is done.
Test images get uploaded to a separate section in Docker hub. Test images get uploaded to a separate section in Docker hub.
Reviewers will check the PR and test the resulting images. Reviewers will check the PR and test the resulting images.
See the :ref:`testing` section for more info. See the :ref:`testing` section for more info.

View File

@ -8,7 +8,8 @@ This functionality should still be considered experimental!
Mailu Postgresql Mailu Postgresql
---------------- ----------------
Mailu optionally comes with a pre-configured Postgresql image. Mailu optionally comes with a pre-configured Postgresql image, which as of 1.8, is deprecated
and will be removed in 1.9.
This images has the following features: This images has the following features:
- Automatic creation of users, db, extensions and password; - Automatic creation of users, db, extensions and password;

View File

@ -61,7 +61,7 @@ have to prevent pushing out something quickly.
We currently maintain a strict work flow: We currently maintain a strict work flow:
#. Someone writes a solution and sends a pull request; #. Someone writes a solution and sends a pull request;
#. We use Travis-CI for some very basic building and testing; #. We use Github actions for some very basic building and testing;
#. The pull request needs to be code-reviewed and tested by at least two members #. The pull request needs to be code-reviewed and tested by at least two members
from the contributors team. from the contributors team.
@ -261,10 +261,14 @@ correct syntax. The following file names will be taken as override configuration
- ``main.cf`` as ``$ROOT/overrides/postfix/postfix.cf`` - ``main.cf`` as ``$ROOT/overrides/postfix/postfix.cf``
- ``master.cf`` as ``$ROOT/overrides/postfix/postfix.master`` - ``master.cf`` as ``$ROOT/overrides/postfix/postfix.master``
- All ``$ROOT/overrides/postfix/*.map`` files - All ``$ROOT/overrides/postfix/*.map`` files
- For both ``postfix.cf`` and ``postfix.master``, you need to put one configuration per line, as they are fed line-by-line
to postfix.
- `Dovecot`_ - ``dovecot.conf`` in dovecot sub-directory; - `Dovecot`_ - ``dovecot.conf`` in dovecot sub-directory;
- `Nginx`_ - All ``*.conf`` files in the ``nginx`` sub-directory; - `Nginx`_ - All ``*.conf`` files in the ``nginx`` sub-directory;
- `Rspamd`_ - All files in the ``rspamd`` sub-directory. - `Rspamd`_ - All files in the ``rspamd`` sub-directory.
To override the root location (``/``) in Nginx ``WEBROOT_REDIRECT`` needs to be set to ``none`` in the env file (see :ref:`web settings <web_settings>`).
*Issue reference:* `206`_, `1368`_. *Issue reference:* `206`_, `1368`_.
I want to integrate Nextcloud 15 (and newer) with Mailu I want to integrate Nextcloud 15 (and newer) with Mailu
@ -495,6 +499,8 @@ follow these steps:
logging: logging:
driver: journald driver: journald
options:
tag: mailu-front
2. Add the /etc/fail2ban/filter.d/bad-auth.conf 2. Add the /etc/fail2ban/filter.d/bad-auth.conf
@ -504,6 +510,7 @@ follow these steps:
[Definition] [Definition]
failregex = .* client login failed: .+ client:\ <HOST> failregex = .* client login failed: .+ client:\ <HOST>
ignoreregex = ignoreregex =
journalmatch = CONTAINER_TAG=mailu-front
3. Add the /etc/fail2ban/jail.d/bad-auth.conf 3. Add the /etc/fail2ban/jail.d/bad-auth.conf
@ -511,8 +518,8 @@ follow these steps:
[bad-auth] [bad-auth]
enabled = true enabled = true
backend = systemd
filter = bad-auth filter = bad-auth
logpath = /var/log/messages
bantime = 604800 bantime = 604800
findtime = 300 findtime = 300
maxretry = 10 maxretry = 10

View File

@ -1,4 +1,4 @@
apiVersion: apps/v1beta2 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
name: mailu-front name: mailu-front

View File

@ -3,6 +3,10 @@
Kubernetes setup Kubernetes setup
================ ================
> Hold up!
> These instructions are not recommended for setting up Mailu in a production Kubernetes environment.
> Please see [the Helm Chart documentation](https://github.com/Mailu/helm-charts/blob/master/mailu/README.md).
Prequisites Prequisites
----------- -----------

View File

@ -1,8 +1,81 @@
Release notes Release notes
============= =============
Mailu 1.8 - 2020-10-02 Mailu 1.8 - 2021-08-7
---------------------- ---------------------
The full 1.8 release is finally ready. There have been some changes in the contributors team. Many people from the contributors team have stepped back due to changed priorities in their life.
We are very grateful for all their contributions and hope we will see them back again in the future.
This is the main reason why it took so long for 1.8 to be fully released.
Fortunately more people have decided to join the project. Some very nice contributions have been made which will become part of the next 1.9 release.
We hope that future Mailu releases will be released more quickly now we have more active contributors again.
For a list of all changes refer to `CHANGELOG.md` in the root folder of the Mailu github project. Please read the 'Override location changes' section further on this page. It contains important information for the people who use the overrides folder.
New Functionality & Improvements
````````````````````````````````
Here’s a short summary of new features:
- Roundcube and Rainloop have been updated.
- All dependencies have been updated to the latest security update.
- Fail2ban documentation has been improved.
- Switch from client side (cookie) sessions to server side sessions and protect against session-fixation attacks. We recommend that you change your SECRET_KEY after upgrading.
- Full-text-search is back after having been disabled for a while due to nasty bugs. It can still be disabled via the mailu.env file.
- Tons of documentation improvements, especially geared towards new users.
- (Experimental) support for different architectures, such as ARM.
- Improvements around webmails, such as CardDAV, GPG and a new skin for an updated roundcube, and support for MySQL for it. Updated Rainloop, too.
- Improvements around relaying, such as AUTH LOGIN and non-standard port support.
- Update to alpine:3.14 as baseimage for most containers.
- Setup warns users about compose-IPv6 deployments which have caused open relays in the past.
- Improved handling of upper-vs-lowercase aliases and user-addresses.
- Improved rate-limiting system.
- Support for SRS.
- Japanese localisation is now available.
Upgrading
`````````
Upgrade should run fine as long as you generate a new compose or stack
configuration and upgrade your mailu.env.
Please note that the shipped image for PostgreSQL database is deprecated.
The shipped image for PostgreSQL is not maintained anymore from release 1.8.
We recommend switching to an external PostgreSQL image as soon as possible.
Override location changes
^^^^^^^^^^^^^^^^^^^^^^^^^
If you have regenerated the Docker compose and environment files, there are some changes to the configuration overrides.
Override files are now mounted read-only into the containers. The Dovecot and Postfix overrides are moved in their own sub-directory. If there are local override files, they will need to be moved from ``overrides/`` to ``overrides/dovecot`` and ``overrides/postfix/``.
Recreate SECRET_KEY after upgrading
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Improvements have been made to protect again session-fixation attacks.
To be fully protected, it is required to change your SECRET_KEY in Mailu.env after upgrading.
A new SECRET_KEY is generated when you recreate your docker-compose.yml & mailu.env file via setup.mailu.io.
The SECRET_KEY is an uppercase alphanumeric string of length 16. You can manually create such a string via
```cat /dev/urandom | tr -dc 'A-Z0-9' | fold -w ${1:-16} | head -n 1```
After changing mailu.env, it is required to recreate all containers for the changes to be propagated.
Update your DNS SPF Records
^^^^^^^^^^^^^^^^^^^^^^^^^^^
It has become known that the SPF DNS records generated by the admin interface are not completely standard compliant anymore. Please check the DNS records for your domains and compare them to what the new admin-interface instructs you to use. In most cases, this should be a simple copy-paste operation for you ….
Fixed hostname for antispam service
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
For history to be retained in Rspamd, the antispam container requires a static hostname. When you re-generate your docker-compose.yml file (or helm-chart), this will be covered.
Mailu 1.8rc - 2020-10-02
------------------------
Release 1.8 has come a long way again. Due to corona the project slowed down to a crawl. Fortunately new contributors have joined the team what enabled us to still release Mailu 1.8 this year. Release 1.8 has come a long way again. Due to corona the project slowed down to a crawl. Fortunately new contributors have joined the team what enabled us to still release Mailu 1.8 this year.

View File

@ -2,3 +2,4 @@ recommonmark
Sphinx Sphinx
sphinx-autobuild sphinx-autobuild
sphinx-rtd-theme sphinx-rtd-theme
docutils==0.16

View File

@ -154,7 +154,40 @@ Add the respective Traefik labels for your domain/configuration, like
If your Traefik is configured to automatically request certificates from *letsencrypt*, then you’ll have a certificate for ``mail.your.doma.in`` now. However, If your Traefik is configured to automatically request certificates from *letsencrypt*, then you’ll have a certificate for ``mail.your.doma.in`` now. However,
``mail.your.doma.in`` might only be the location where you want the Mailu web-interfaces to live — your mail should be sent/received from ``your.doma.in``, ``mail.your.doma.in`` might only be the location where you want the Mailu web-interfaces to live — your mail should be sent/received from ``your.doma.in``,
and this is the ``DOMAIN`` in your ``.env``? and this is the ``DOMAIN`` in your ``.env``?
To support that use-case, Traefik can request ``SANs`` for your domain. Lets add something like To support that use-case, Traefik can request ``SANs`` for your domain. The configuration for this will depend on your Traefik version.
----
Traefik 2.x using labels configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Add the appropriate labels for your domain(s) to the ``front`` container in ``docker-compose.yml``.
.. code-block:: yaml
services:
front:
labels:
# Enable TLS
- "traefik.http.routers.mailu-secure.tls"
# Your main domain
- "traefik.http.routers.mailu-secure.tls.domains[0].main=your.doma.in"
# Optional SANs for your main domain
- "traefik.http.routers.mailu-secure.tls.domains[0].sans=mail.your.doma.in,webmail.your.doma.in,smtp.your.doma.in"
# Optionally add other domains
- "traefik.http.routers.mailu-secure.tls.domains[1].main=mail.other.doma.in"
- "traefik.http.routers.mailu-secure.tls.domains[1].sans=mail2.other.doma.in,mail3.other.doma.in"
# Your ACME certificate resolver
- "traefik.http.routers.mailu-secure.tls.certResolver=foo"
Of course, be sure to define the Certificate Resolver ``foo`` in the static configuration as well.
Alternatively, you can define SANs in the Traefik static configuration using routers, or in the static configuration using entrypoints. Refer to the Traefik documentation for more details.
Traefik 1.x with TOML configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Lets add something like
.. code-block:: yaml .. code-block:: yaml
@ -163,7 +196,11 @@ To support that use-case, Traefik can request ``SANs`` for your domain. Lets add
main = "your.doma.in" # this is the same as $TRAEFIK_DOMAIN! main = "your.doma.in" # this is the same as $TRAEFIK_DOMAIN!
sans = ["mail.your.doma.in", "webmail.your.doma.in", "smtp.your.doma.in"] sans = ["mail.your.doma.in", "webmail.your.doma.in", "smtp.your.doma.in"]
to your ``traefik.toml``. You might need to clear your ``acme.json``, if a certificate for one of these domains already exists. to your ``traefik.toml``.
----
You might need to clear your ``acme.json``, if a certificate for one of these domains already exists.
You will need some solution which dumps the certificates in ``acme.json``, so you can include them in the ``mailu/front`` container. You will need some solution which dumps the certificates in ``acme.json``, so you can include them in the ``mailu/front`` container.
One such example is ``mailu/traefik-certdumper``, which has been adapted for use in Mailu. You can add it to your ``docker-compose.yml`` like: One such example is ``mailu/traefik-certdumper``, which has been adapted for use in Mailu. You can add it to your ``docker-compose.yml`` like:

View File

@ -1,7 +1,7 @@
Web administration interface Web administration interface
============================ ============================
The web administration interface is the main website for maintaining your Mailu installation. The web administration interface is the main website for maintaining your Mailu installation.
For brevity the web administration interface will now be mentioned as admin gui. For brevity the web administration interface will now be mentioned as admin gui.
It offers the following configuration options: It offers the following configuration options:
@ -30,13 +30,13 @@ It offers the following configuration options:
* Configure all email domains served by Mailu, including: * Configure all email domains served by Mailu, including:
* generating dkim and dmarc keys for a domain. * generating dkim and dmarc keys for a domain.
* view email domain information on how to configure your SPF, DMARC, DKIM and MX dns records for an email domain. * view email domain information on how to configure your SPF, DMARC, DKIM and MX dns records for an email domain.
* Add new email domains. * Add new email domains.
* For existing domains, configure users, quotas, aliases, administrators and alternative domain names. * For existing domains, configure users, quotas, aliases, administrators and alternative domain names.
* access the webmail site. * access the webmail site.
* lookup settings for configuring your email client. * lookup settings for configuring your email client.
@ -49,7 +49,7 @@ The admin GUI is by default accessed via the URL `https://<my domain>/admin`, wh
To login the admin GUI enter the email address and password of an user. To login the admin GUI enter the email address and password of an user.
Only global administrator users have access to all configuration settings and the Rspamd webgui. Other users will be presented with settings for only their account, and domains they are managers of. Only global administrator users have access to all configuration settings and the Rspamd webgui. Other users will be presented with settings for only their account, and domains they are managers of.
To create a user who is a global administrator for a new installation, the Mailu.env file can be adapted. To create a user who is a global administrator for a new installation, the Mailu.env file can be adapted.
For more information see the section 'Admin account - automatic creation' in :ref:`the configuration reference <admin_account>`. For more information see the section 'Admin account - automatic creation' in :ref:`the configuration reference <admin_account>`.
The following sections are only accessible for global administrators: The following sections are only accessible for global administrators:
@ -69,7 +69,7 @@ The following sections are only accessible for global administrators:
Settings Settings
-------- --------
After logging in the web administration interface, the settings page is loaded. After logging in the web administration interface, the settings page is loaded.
On the settings page the settings of the currently logged in user can be changed. On the settings page the settings of the currently logged in user can be changed.
Changes are saved and effective immediately after clicking the Save Settings button at the bottom of the page. Changes are saved and effective immediately after clicking the Save Settings button at the bottom of the page.
@ -77,27 +77,27 @@ Changes are saved and effective immediately after clicking the Save Settings but
Display name Display name
```````````` ````````````
On the settings page the displayed name can be changed of the logged in user. On the settings page the displayed name can be changed of the logged in user.
This display name is only used within the web administration interface. This display name is only used within the web administration interface.
Antispam Antispam
```````` ````````
Under the section `Antispam` the spam filter can be enabled or disabled for the logged in user. By default the spam filter is enabled. Under the section `Antispam` the spam filter can be enabled or disabled for the logged in user. By default the spam filter is enabled.
When the spam filter is disabled, all received email messages will go to the inbox folder of the logged in user. When the spam filter is disabled, all received email messages will go to the inbox folder of the logged in user.
The exception to this rule, are email messages with an extremely high spam score. These email messages are always rejected by Rspamd. The exception to this rule, are email messages with an extremely high spam score. These email messages are always rejected by Rspamd.
When the spam filter is enabled, received email messages will be moved to the logged in user's inbox folder or junk folder depending on the user defined spam filter tolerance. When the spam filter is enabled, received email messages will be moved to the logged in user's inbox folder or junk folder depending on the user defined spam filter tolerance.
The user defined spam filter tolerance determines when an email is classified as ham (moved to the inbox folder) or spam (moved to the junk folder). The user defined spam filter tolerance determines when an email is classified as ham (moved to the inbox folder) or spam (moved to the junk folder).
The default value is 80%. The lower the spam filter tolerance, the more false positives (ham classified as spam). The higher the spam filter tolerance, the more false negatives (spam classified as ham). The default value is 80%. The lower the spam filter tolerance, the more false positives (ham classified as spam). The higher the spam filter tolerance, the more false negatives (spam classified as ham).
For more information see the :ref:`antispam documentation <antispam_howto>`. For more information see the :ref:`antispam documentation <antispam_howto>`.
Auto-forward Auto-forward
````````````` `````````````
Under the section `Auto-forward`, the automatic forwarding of received email messages can be enabled. When enabled, all received email messages are forwarded to the specified email address. Under the section `Auto-forward`, the automatic forwarding of received email messages can be enabled. When enabled, all received email messages are forwarded to the specified email address.
The option "Keep a copy of the emails" can be ticked, to keep a copy of the received email message in the inbox folder. The option "Keep a copy of the emails" can be ticked, to keep a copy of the received email message in the inbox folder.
@ -107,7 +107,7 @@ In the destination textbox, the email addresses can be entered for automatic for
Update password Update password
--------------- ---------------
On the `update password` page, the password of the logged in user can be changed. Changes are effective immediately. On the `update password` page, the password of the logged in user can be changed. Changes are effective immediately.
.. _webadministration_auto-reply: .. _webadministration_auto-reply:
@ -117,7 +117,7 @@ Auto-reply
On the `auto-reply` page, automatic replies can be configured. This is also known as out of office (ooo) or out of facility (oof) replies. On the `auto-reply` page, automatic replies can be configured. This is also known as out of office (ooo) or out of facility (oof) replies.
To enable automatic replies tick the checkbox 'Enable automatic reply'. To enable automatic replies tick the checkbox 'Enable automatic reply'.
Under Reply subject the email subject for automatic replies can be configured. When a reply subject is entered, this subject will be used for the automatic reply. Under Reply subject the email subject for automatic replies can be configured. When a reply subject is entered, this subject will be used for the automatic reply.
@ -130,12 +130,12 @@ E.g. if the email subject of the received email message is "how are you?", then
Fetched accounts Fetched accounts
---------------- ----------------
This page is only available when the Fetchmail container is part of your Mailu deployment. This page is only available when the Fetchmail container is part of your Mailu deployment.
Fetchmail can be enabled when creating the docker-compose.yml file with the setup utility (https://setup.mailu.io). Fetchmail can be enabled when creating the docker-compose.yml file with the setup utility (https://setup.mailu.io).
On the `fetched accounts` page you can configure email accounts from which email messages will be retrieved. On the `fetched accounts` page you can configure email accounts from which email messages will be retrieved.
Only unread email messages are retrieved from the specified email account. Only unread email messages are retrieved from the specified email account.
By default Fetchmail will retrieve email messages every 10 minutes. This can be changed in the Mailu.env file. By default Fetchmail will retrieve email messages every 10 minutes. This can be changed in the Mailu.env file.
For more information on changing the polling interval see :ref:`the configuration reference <fetchmail>`. For more information on changing the polling interval see :ref:`the configuration reference <fetchmail>`.
@ -149,7 +149,7 @@ You can add a fetched account by clicking on the `Add an account` button on the
* Enable TLS. Tick this setting if the email server requires TLS/SSL instead of STARTTLS. * Enable TLS. Tick this setting if the email server requires TLS/SSL instead of STARTTLS.
* Username. The user name for logging in to the email server. Normally this is the email address or the email address' local-part (the part before @). * Username. The user name for logging in to the email server. Normally this is the email address or the email address' local-part (the part before @).
* Password. The password for logging in to the email server. * Password. The password for logging in to the email server.
@ -166,8 +166,8 @@ The purpose of an authentication token is to create a unique and strong password
The application will use this authentication token instead of the logged in user's password for sending/receiving email. The application will use this authentication token instead of the logged in user's password for sending/receiving email.
This allows safe access to the logged in user's email account. At any moment, the authentication token can be deleted so that the application has no access to the logged in user's email account anymore. This allows safe access to the logged in user's email account. At any moment, the authentication token can be deleted so that the application has no access to the logged in user's email account anymore.
By clicking on the New token button on the top right of the page, a new authentication token can be created. On this page the generated authentication token will only be displayed once. By clicking on the New token button on the top right of the page, a new authentication token can be created. On this page the generated authentication token will only be displayed once.
After saving the application token it is not possible anymore to view the unique password. After saving the application token it is not possible anymore to view the unique password.
The comment field can be used to enter a description for the authentication token. For example the name of the application the application token is created for. The comment field can be used to enter a description for the authentication token. For example the name of the application the application token is created for.
@ -198,9 +198,9 @@ A global administrator can change `any setting` in the admin GUI. Be careful tha
Relayed domains Relayed domains
--------------- ---------------
On the `relayed domains list` page, destination domains can be added that Mailu will relay email messages for without authentication. On the `relayed domains list` page, destination domains can be added that Mailu will relay email messages for without authentication.
This means that for these destination domains, other email clients or email servers can send email via Mailu unauthenticated via port 25 to this destination domain. This means that for these destination domains, other email clients or email servers can send email via Mailu unauthenticated via port 25 to this destination domain.
For example if the destination domain example.com is added. Any emails to example.com (john@example.com) will be relayed to example.com. For example if the destination domain example.com is added. Any emails to example.com (john@example.com) will be relayed to example.com.
Example scenario's are: Example scenario's are:
* relay domain from a backup server. * relay domain from a backup server.
@ -212,30 +212,37 @@ Example scenario's are:
On the new relayed domain page the following options can be entered for a new relayed domain: On the new relayed domain page the following options can be entered for a new relayed domain:
* Relayed domain name. The domain name that is relayed. Email messages addressed to this domain (To: John@example.com), will be forwarded to this domain. * Relayed domain name. The domain name that is relayed. Email messages addressed to this domain (To: John@example.com), will be forwarded to this domain.
No authentication is required. No authentication is required.
* Remote host (optional). The SMPT server that will be used for relaying the email message. * Remote host (optional). The host that will be used for relaying the email message.
When this field is blank, the Mailu server will directly send the email message to the relayed domain. When this field is blank, the Mailu server will directly send the email message to the mail server of the relayed domain.
As value can be entered either a hostname or IP address of the SMPT server. When a remote host is specified it can be prefixed by ``mx:`` or ``lmtp:`` and followed by a port number: ``:port``).
By default port 25 is used. To use a different port append ":port number" to the Remote Host. For example:
123.45.67.90:2525. ================ ===================================== =========================
Remote host Description postfix transport:nexthop
================ ===================================== =========================
empty use MX of relay domain smtp:domain
:port use MX of relay domain and use port smtp:domain:port
target resolve A/AAAA of target smtp:[target]
target:port resolve A/AAAA of target and use port smtp:[target]:port
mx:target resolve MX of target smtp:target
mx:target:port resolve MX of target and use port smtp:target:port
lmtp:target resolve A/AAAA of target lmtp:target
lmtp:target:port resolve A/AAAA of target and use port lmtp:target:port
================ ===================================== =========================
`target` can also be an IPv4 or IPv6 address (an IPv6 address must be enclosed in []: ``[2001:DB8::]``).
* Comment. A text field where a comment can be entered to describe the entry. * Comment. A text field where a comment can be entered to describe the entry.
Changes are effective immediately after clicking the Save button. Changes are effective immediately after clicking the Save button.
NOTE: Due to bug `1588`_ email messages fail to be relayed if no Remote Host is configured.
As a workaround the HOSTNAME or IP Address of the SMPT server of the relayed domain can be entered as Remote Host.
Please note that no MX lookup is performed when entering a hostname as Remote Host. You can use the MX lookup on mxtoolbox.com to find the hostname and IP Address of the SMTP server.
.. _`1588`: https://github.com/Mailu/Mailu/issues/1588
Antispam Antispam
-------- --------
The menu item Antispam opens the Rspamd webgui. For more information how spam filtering works in Mailu see the :ref:`Spam filtering page <antispam_howto_block>`. The menu item Antispam opens the Rspamd webgui. For more information how spam filtering works in Mailu see the :ref:`Spam filtering page <antispam_howto_block>`.
The spam filtering page also contains a section that describes how to create a local blacklist for blocking email messages from specific domains. The spam filtering page also contains a section that describes how to create a local blacklist for blocking email messages from specific domains.
The Rspamd webgui offers basic functions for setting metric actions, scores, viewing statistics and learning. The Rspamd webgui offers basic functions for setting metric actions, scores, viewing statistics and learning.
The following settings are not persisent and are *lost* when the Antispam container is recreated or restarted: The following settings are not persisent and are *lost* when the Antispam container is recreated or restarted:
@ -266,31 +273,31 @@ On the `Mail domains` page all the domains served by Mailu are configured. Via t
Details Details
``````` ```````
This page is also accessible for domain managers. On the details page all DNS settings are displayed for configuring your DNS server. It contains information on what to configure as MX record and SPF record. On this page it is also possible to (re-)generate the keys for DKIM and DMARC. The option for generating keys for DKIM and DMARC is only available for global administrators. After generating the keys for DKIM and DMARC, this page will also show the DNS records for configuring the DKIM/DMARC records on the DNS server. This page is also accessible for domain managers. On the details page all DNS settings are displayed for configuring your DNS server. It contains information on what to configure as MX record and SPF record. On this page it is also possible to (re-)generate the keys for DKIM and DMARC. The option for generating keys for DKIM and DMARC is only available for global administrators. After generating the keys for DKIM and DMARC, this page will also show the DNS records for configuring the DKIM/DMARC records on the DNS server.
Edit Edit
```` ````
This page is only accessible for global administrators. On the edit page, the global settings for the domain can be changed. This page is only accessible for global administrators. On the edit page, the global settings for the domain can be changed.
* Maximum user count. The maximum amount of users that can be created under this domain. Once this limit is reached it is not possible anymore to add users to the domain; and it is also not possible for users to self-register. * Maximum user count. The maximum amount of users that can be created under this domain. Once this limit is reached it is not possible anymore to add users to the domain; and it is also not possible for users to self-register.
* Maximum alias count. The maximum amount of aliases that can be created for an email account. * Maximum alias count. The maximum amount of aliases that can be created for an email account.
* Maximum user quota. The maximum amount of quota that can be assigned to a user. When creating or editing a user, this sets the limit on the maximum amount of quota that can be assigned to the user. * Maximum user quota. The maximum amount of quota that can be assigned to a user. When creating or editing a user, this sets the limit on the maximum amount of quota that can be assigned to the user.
* Enable sign-up. When this option is ticked, self-registration is enabled. When the Admin GUI is accessed, in the menu list the option Signup becomes available. * Enable sign-up. When this option is ticked, self-registration is enabled. When the Admin GUI is accessed, in the menu list the option Signup becomes available.
Obviously this menu item is only visible when signed out. On the Signup page a user can create an email account. Obviously this menu item is only visible when signed out. On the Signup page a user can create an email account.
If your Admin GUI is available to the public internet, this means your Mailu installation basically becomes a free email provider. If your Admin GUI is available to the public internet, this means your Mailu installation basically becomes a free email provider.
Use this option with care! Use this option with care!
* Comment. Description for the domain. This description is visible on the parent domains list page. * Comment. Description for the domain. This description is visible on the parent domains list page.
Delete Delete
`````` ``````
This page is only accessible for global administrators. This page allows you to delete the domain. The Admin GUI will ask for confirmation if the domain must be really deleted. This page is only accessible for global administrators. This page allows you to delete the domain. The Admin GUI will ask for confirmation if the domain must be really deleted.
Users Users
@ -326,7 +333,7 @@ For adding a new user the following options can be configured.
* Enabled. Tick this checkbox to enable the user account. When an user is disabled, the user is unable to login to the Admin GUI or webmail or access his email via IMAP/POP3 or send mail. * Enabled. Tick this checkbox to enable the user account. When an user is disabled, the user is unable to login to the Admin GUI or webmail or access his email via IMAP/POP3 or send mail.
The email inbox of the user is still retained. This option can be used to temporarily suspend an user account. The email inbox of the user is still retained. This option can be used to temporarily suspend an user account.
* Quota. The maximum quota for the user's email box. * Quota. The maximum quota for the user's email box.
* Allow IMAP access. When ticked, allows email retrieval via the IMAP protocol. * Allow IMAP access. When ticked, allows email retrieval via the IMAP protocol.
@ -337,7 +344,7 @@ For adding a new user the following options can be configured.
Aliases Aliases
``````` ```````
This page is also accessible for domain managers. On the aliases page, aliases can be added for email addresses. An alias is a way to disguise another email address. This page is also accessible for domain managers. On the aliases page, aliases can be added for email addresses. An alias is a way to disguise another email address.
Everything sent to an alias email address is actually received in the primary email account's inbox of the destination email address. Everything sent to an alias email address is actually received in the primary email account's inbox of the destination email address.
Aliases can diversify a single email account without having to create multiple email addresses (users). Aliases can diversify a single email account without having to create multiple email addresses (users).
It is also possible to add multiple email addresses to the destination field. All incoming mails will be sent to each users inbox in this case. It is also possible to add multiple email addresses to the destination field. All incoming mails will be sent to each users inbox in this case.
@ -348,11 +355,11 @@ The following options are available when adding an alias:
* Use SQL LIKE Syntax (e.g. for catch-all aliases). When this option is ticked, you can use SQL LIKE syntax as alias. * Use SQL LIKE Syntax (e.g. for catch-all aliases). When this option is ticked, you can use SQL LIKE syntax as alias.
The SQL LIKE syntax is used to match text values against a pattern using wildcards. There are two wildcards that can be used with SQL LIKE syntax: The SQL LIKE syntax is used to match text values against a pattern using wildcards. There are two wildcards that can be used with SQL LIKE syntax:
* % - The percent sign represents zero, one, or multiple characters * % - The percent sign represents zero, one, or multiple characters
* _ - The underscore represents a single character * _ - The underscore represents a single character
Examples are: Examples are:
* a% - Finds any values that start with "a" * a% - Finds any values that start with "a"
* %a - Finds any values that end with "a" * %a - Finds any values that end with "a"
* %or% - Finds any values that have "or" in any position * %or% - Finds any values that have "or" in any position
@ -369,7 +376,7 @@ The following options are available when adding an alias:
Managers Managers
```````` ````````
This page is also accessible for domain managers. On the `managers list` page, managers can be added for the domain and can be deleted. This page is also accessible for domain managers. On the `managers list` page, managers can be added for the domain and can be deleted.
Managers have access to configuration settings of the domain. Managers have access to configuration settings of the domain.
On the `add manager` page you can click on the manager email text box to access a drop down list of users that can be made a manager of the domain. On the `add manager` page you can click on the manager email text box to access a drop down list of users that can be made a manager of the domain.
@ -377,11 +384,11 @@ On the `add manager` page you can click on the manager email text box to access
Alternatives Alternatives
```````````` ````````````
This page is only accessible for global administrators. On the alternatives page, alternative domains can be added for the domain. This page is only accessible for global administrators. On the alternatives page, alternative domains can be added for the domain.
An alternative domain acts as a copy of a given domain. An alternative domain acts as a copy of a given domain.
Everything sent to an alternative domain, is actually received in the domain the alternative is created for. Everything sent to an alternative domain, is actually received in the domain the alternative is created for.
This allows you to receive emails for multiple domains while using a single domain. This allows you to receive emails for multiple domains while using a single domain.
For example if the main domain has the email address user@example.com, and the alternative domain is mymail.com, For example if the main domain has the email address user@example.com, and the alternative domain is mymail.com,
then email send to user@mymail.com will end up in the email box of user@example.com. then email send to user@mymail.com will end up in the email box of user@example.com.
New domain New domain
@ -392,16 +399,16 @@ This page is only accessible for global administrators. Via this page a new doma
* domain name. The name of the domain. * domain name. The name of the domain.
* Maximum user count. The maximum amount of users that can be created under this domain. Once this limit is reached it is not possible anymore to add users to the domain; and it is also not possible for users to self-register. * Maximum user count. The maximum amount of users that can be created under this domain. Once this limit is reached it is not possible anymore to add users to the domain; and it is also not possible for users to self-register.
* Maximum alias count. The maximum amount of aliases that can be made for an email account. * Maximum alias count. The maximum amount of aliases that can be made for an email account.
* Maximum user quota. The maximum amount of quota that can be assigned to a user. When creating or editing a user, this sets the limit on the maximum amount of quota that can be assigned to the user. * Maximum user quota. The maximum amount of quota that can be assigned to a user. When creating or editing a user, this sets the limit on the maximum amount of quota that can be assigned to the user.
* Enable sign-up. When this option is ticked, self-registration is enabled. When the Admin GUI is accessed, in the menu list the option Signup becomes available. * Enable sign-up. When this option is ticked, self-registration is enabled. When the Admin GUI is accessed, in the menu list the option Signup becomes available.
Obviously this menu item is only visible when signed out. On the Signup page a user can create an email account. Obviously this menu item is only visible when signed out. On the Signup page a user can create an email account.
If your Admin GUI is available to the public internet, this means your Mailu installation basically becomes a free email provider. If your Admin GUI is available to the public internet, this means your Mailu installation basically becomes a free email provider.
Use this option with care! Use this option with care!
* Comment. Description for the domain. This description is visible on the parent domains list page. * Comment. Description for the domain. This description is visible on the parent domains list page.
@ -414,7 +421,7 @@ The menu item `Webmail` opens the webmail page. This option is only available if
Client setup Client setup
------------ ------------
The menu item `Client setup` shows all settings for configuring your email client for connecting to Mailu. The menu item `Client setup` shows all settings for configuring your email client for connecting to Mailu.
Website Website

View File

@ -1,4 +1,4 @@
ARG DISTRO=alpine:3.12 ARG DISTRO=alpine:3.14
FROM $DISTRO FROM $DISTRO
# python3 shared with most images # python3 shared with most images
RUN apk add --no-cache \ RUN apk add --no-cache \

View File

@ -1,4 +1,4 @@
ARG DISTRO=alpine:3.12 ARG DISTRO=alpine:3.14
FROM $DISTRO FROM $DISTRO
# python3 shared with most images # python3 shared with most images

View File

@ -1,4 +1,4 @@
ARG DISTRO=alpine:3.12 ARG DISTRO=alpine:3.14
FROM $DISTRO FROM $DISTRO
# python3 shared with most images # python3 shared with most images
RUN apk add --no-cache \ RUN apk add --no-cache \

View File

@ -2,7 +2,6 @@
import anosql import anosql
import psycopg2 import psycopg2
import jinja2
import glob import glob
import os import os
import subprocess import subprocess
@ -38,7 +37,6 @@ if not os.listdir("/data"):
rec.write("restore_command = 'gunzip < /backup/wal_archive/%f > %p'\n") rec.write("restore_command = 'gunzip < /backup/wal_archive/%f > %p'\n")
rec.write("standby_mode = off\n") rec.write("standby_mode = off\n")
os.system("chown postgres:postgres /data/recovery.conf") os.system("chown postgres:postgres /data/recovery.conf")
#os.system("sudo -u postgres pg_ctl start -D /data -o '-h \"''\" '")
else: else:
# Bootstrap the database # Bootstrap the database
os.system("sudo -u postgres initdb -D /data") os.system("sudo -u postgres initdb -D /data")

View File

@ -1,4 +1,4 @@
ARG DISTRO=alpine:3.12 ARG DISTRO=alpine:3.14
FROM $DISTRO FROM $DISTRO
# python3 shared with most images # python3 shared with most images

View File

@ -1,4 +1,4 @@
ARG DISTRO=alpine:3.12 ARG DISTRO=alpine:3.14
FROM $DISTRO FROM $DISTRO
# python3 shared with most images # python3 shared with most images
RUN apk add --no-cache \ RUN apk add --no-cache \

View File

@ -2,7 +2,7 @@ server:
verbosity: 1 verbosity: 1
interface: 0.0.0.0 interface: 0.0.0.0
interface: ::0 interface: ::0
logfile: /dev/stdout logfile: ""
do-ip4: yes do-ip4: yes
do-ip6: yes do-ip6: yes
do-udp: yes do-udp: yes

View File

@ -1,4 +1,4 @@
ARG DISTRO=alpine:3.10 ARG DISTRO=alpine:3.14
FROM $DISTRO FROM $DISTRO
RUN mkdir -p /app RUN mkdir -p /app

View File

@ -85,6 +85,7 @@ services:
antispam: antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}} image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}}
hostname: antispam
restart: always restart: always
env_file: {{ env }} env_file: {{ env }}
volumes: volumes:

View File

@ -86,7 +86,7 @@ WELCOME_SUBJECT={{ welcome_subject or 'Welcome to your new email account' }}
WELCOME_BODY={{ welcome_body or 'Welcome to your new email account, if you can read this, then it is configured properly!' }} WELCOME_BODY={{ welcome_body or 'Welcome to your new email account, if you can read this, then it is configured properly!' }}
# Maildir Compression # Maildir Compression
# choose compression-method, default: none (value: bz2, gz) # choose compression-method, default: none (value: gz, bz2, lz4, zstd)
COMPRESSION={{ compression }} COMPRESSION={{ compression }}
# change compression-level, default: 6 (value: 1-9) # change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL={{ compression_level }} COMPRESSION_LEVEL={{ compression_level }}
@ -175,3 +175,10 @@ DB_HOST={{ db_url }}
DB_NAME={{ db_name }} DB_NAME={{ db_name }}
{% endif %} {% endif %}
{% if (postgresql == 'external' or db_flavor == 'mysql') and webmail_type == 'roundcube' %}
ROUNDCUBE_DB_FLAVOR={{ db_flavor }}
ROUNDCUBE_DB_USER={{ roundcube_db_user }}
ROUNDCUBE_DB_PW={{ roundcube_db_pw }}
ROUNDCUBE_DB_HOST={{ roundcube_db_url }}
ROUNDCUBE_DB_NAME={{ roundcube_db_name }}
{% endif %}

View File

@ -70,6 +70,7 @@ services:
antispam: antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}} image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}}
hostname: antispam
env_file: {{ env }} env_file: {{ env }}
volumes: volumes:
- "{{ root }}/filter:/var/lib/rspamd" - "{{ root }}/filter:/var/lib/rspamd"

View File

@ -1,4 +1,4 @@
flask Flask==1.0.2
flask-bootstrap Flask-Bootstrap==3.3.7.1
redis gunicorn==19.9.0
gunicorn redis==3.2.1

View File

@ -54,11 +54,11 @@ def build_app(path):
@app.context_processor @app.context_processor
def app_context(): def app_context():
return dict( return dict(
versions=os.getenv("VERSIONS","master").split(','), versions=os.getenv("VERSIONS","master").split(','),
stable_version = os.getenv("stable_version", "master") stable_version = os.getenv("stable_version", "master")
) )
prefix_bp = flask.Blueprint(version, __name__) prefix_bp = flask.Blueprint(version.replace(".", "_"), __name__)
prefix_bp.jinja_loader = jinja2.ChoiceLoader([ prefix_bp.jinja_loader = jinja2.ChoiceLoader([
jinja2.FileSystemLoader(os.path.join(path, "templates")), jinja2.FileSystemLoader(os.path.join(path, "templates")),
jinja2.FileSystemLoader(os.path.join(path, "flavors")) jinja2.FileSystemLoader(os.path.join(path, "flavors"))

View File

@ -57,6 +57,13 @@ $(document).ready(function() {
$("#db_pw").prop('required',true); $("#db_pw").prop('required',true);
$("#db_url").prop('required',true); $("#db_url").prop('required',true);
$("#db_name").prop('required',true); $("#db_name").prop('required',true);
if ($("#webmail").val() == 'roundcube') {
$("#roundcube_external_db").show();
$("#roundcube_db_user").prop('required',true);
$("#roundcube_db_pw").prop('required',true);
$("#roundcube_db_url").prop('required',true);
$("#roundcube_db_name").prop('required',true);
}
} else if (this.value == 'mysql') { } else if (this.value == 'mysql') {
$("#postgres_db").hide(); $("#postgres_db").hide();
$("#external_db").show(); $("#external_db").show();
@ -64,6 +71,13 @@ $(document).ready(function() {
$("#db_pw").prop('required',true); $("#db_pw").prop('required',true);
$("#db_url").prop('required',true); $("#db_url").prop('required',true);
$("#db_name").prop('required',true); $("#db_name").prop('required',true);
if ($("#webmail").val() == 'roundcube') {
$("#roundcube_external_db").show();
$("#roundcube_db_user").prop('required',true);
$("#roundcube_db_pw").prop('required',true);
$("#roundcube_db_url").prop('required',true);
$("#roundcube_db_name").prop('required',true);
}
} }
}); });
$("#external_psql").change(function() { $("#external_psql").change(function() {
@ -73,6 +87,13 @@ $(document).ready(function() {
$("#db_pw").prop('required',true); $("#db_pw").prop('required',true);
$("#db_url").prop('required',true); $("#db_url").prop('required',true);
$("#db_name").prop('required',true); $("#db_name").prop('required',true);
if ($("#webmail").val() == 'roundcube') {
$("#roundcube_external_db").show();
$("#roundcube_db_user").prop('required',true);
$("#roundcube_db_pw").prop('required',true);
$("#roundcube_db_url").prop('required',true);
$("#roundcube_db_name").prop('required',true);
}
} else { } else {
$("#external_db").hide(); $("#external_db").hide();
} }

View File

@ -59,7 +59,7 @@ the security implications caused by such an increase of attack surface.<p>
<i>Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox.</i> <i>Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox.</i>
</div> </div>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script type="text/javascript" src="{{ url_for('static', filename='render.js') }}"></script> <script type="text/javascript" src="{{ url_for('static', filename='render.js') }}"></script>

View File

@ -50,8 +50,8 @@ Or in plain english: if receivers start to classify your mail as spam, this post
<div class="form-group"> <div class="form-group">
<label>Authentication rate limit (per source IP address)</label> <label>Authentication rate limit (per source IP address)</label>
<!-- Validates number input only --> <!-- Validates number input only -->
<p><input class="form-control" style="width: 7%; display: inline;" type="number" name="auth_ratelimit_pm" <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_pm"
value="10" required > / minute value="10000" required > / minute
</p> </p>
</div> </div>
@ -83,7 +83,7 @@ manage your email domains, users, etc.</p>
<input class="form-control" type="text" name="admin_path" id="admin_path" style="display: none"> <input class="form-control" type="text" name="admin_path" id="admin_path" style="display: none">
</div> </div>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script type="text/javascript" src="{{ url_for('static', filename='render.js') }}"></script> <script type="text/javascript" src="{{ url_for('static', filename='render.js') }}"></script>

View File

@ -28,7 +28,7 @@
<br/> <br/>
</div> </div>
<div class="form-group" id="external_db" style="display: none"> <div class="form-group" id="external_db" style="display: none">
<p>Set external database parameters</p> <p>Set external database parameters for <b>Admin UI</b></p>
<label>DB User</label> <label>DB User</label>
<input class="form-control" type="text" name="db_user" placeholder="Username" id="db_user"> <input class="form-control" type="text" name="db_user" placeholder="Username" id="db_user">
<label>Db Password</label> <label>Db Password</label>
@ -37,6 +37,18 @@
<input class="form-control" type="text" name="db_url" placeholder="URL" id="db_url"> <input class="form-control" type="text" name="db_url" placeholder="URL" id="db_url">
<label>Db Name</label> <label>Db Name</label>
<input class="form-control" type="text" name="db_name" placeholder="Database Name" id="db_name"> <input class="form-control" type="text" name="db_name" placeholder="Database Name" id="db_name">
<br/>
<div class="form-group" id="roundcube_external_db" style="display: none">
<p>Set external database parameters for <b>Roundcube</b></p>
<label>DB User</label>
<input class="form-control" type="text" name="roundcube_db_user" placeholder="Username" id="roundcube_db_user">
<label>DB Password</label>
<input class="form-control" type="password" name="roundcube_db_pw" placeholder="Password" id="roundcube_db_pw">
<label>DB URL</label>
<input class="form-control" type="text" name="roundcube_db_url" placeholder="URL" id="roundcube_db_url">
<label>DB Name</label>
<input class="form-control" type="text" name="roundcube_db_name" placeholder="Database Name" id="roundcube_db_name">
</div>
</div> </div>
</div> </div>

View File

@ -55,7 +55,7 @@ the security implications caused by such an increase of attack surface.<p>
<i>Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox.</i> <i>Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox.</i>
</div> </div>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script type="text/javascript" src="{{ url_for('static', filename='render.js') }}"></script> <script type="text/javascript" src="{{ url_for('static', filename='render.js') }}"></script>

View File

@ -1,6 +1,6 @@
#!/bin/bash -x #!/bin/bash -x
ALPINE_VER="3.10" ALPINE_VER="3.14"
DISTRO="balenalib/rpi-alpine:$ALPINE_VER" DISTRO="balenalib/rpi-alpine:$ALPINE_VER"
# Used for webmails # Used for webmails
QEMU="arm" QEMU="arm"

View File

@ -92,7 +92,7 @@ DMARC_RUF=admin
# Maildir Compression # Maildir Compression
# choose compression-method, default: none (value: bz2, gz) # choose compression-method, default: none (value: gz, bz2, lz4, zstd)
COMPRESSION= COMPRESSION=
# change compression-level, default: 6 (value: 1-9) # change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL= COMPRESSION_LEVEL=

View File

@ -92,7 +92,7 @@ DMARC_RUF=admin
# Maildir Compression # Maildir Compression
# choose compression-method, default: none (value: bz2, gz) # choose compression-method, default: none (value: gz, bz2, lz4, zstd)
COMPRESSION= COMPRESSION=
# change compression-level, default: 6 (value: 1-9) # change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL= COMPRESSION_LEVEL=

View File

@ -0,0 +1,5 @@
echo "Creating user required for next test ..."
# Should not fail and update the password; update mode
docker-compose -f tests/compose/filters/docker-compose.yml exec -T admin flask mailu admin admin mailu.io 'password' --mode=update || exit 1
docker-compose -f tests/compose/filters/docker-compose.yml exec -T admin flask mailu user user mailu.io 'password' || exit 1
echo "User created successfully"

View File

@ -92,7 +92,7 @@ DMARC_RUF=admin
# Maildir Compression # Maildir Compression
# choose compression-method, default: none (value: bz2, gz) # choose compression-method, default: none (value: gz, bz2, lz4, zstd)
COMPRESSION= COMPRESSION=
# change compression-level, default: 6 (value: 1-9) # change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL= COMPRESSION_LEVEL=

View File

@ -51,7 +51,7 @@ DISABLE_STATISTICS=False
################################### ###################################
# Expose the admin interface (value: true, false) # Expose the admin interface (value: true, false)
ADMIN=true ADMIN=false
# Choose which webmail to run if any (values: roundcube, rainloop, none) # Choose which webmail to run if any (values: roundcube, rainloop, none)
WEBMAIL=rainloop WEBMAIL=rainloop
@ -92,7 +92,7 @@ DMARC_RUF=admin
# Maildir Compression # Maildir Compression
# choose compression-method, default: none (value: bz2, gz) # choose compression-method, default: none (value: gz, bz2, lz4, zstd)
COMPRESSION= COMPRESSION=
# change compression-level, default: 6 (value: 1-9) # change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL= COMPRESSION_LEVEL=

View File

@ -51,7 +51,7 @@ DISABLE_STATISTICS=False
################################### ###################################
# Expose the admin interface (value: true, false) # Expose the admin interface (value: true, false)
ADMIN=true ADMIN=false
# Choose which webmail to run if any (values: roundcube, rainloop, none) # Choose which webmail to run if any (values: roundcube, rainloop, none)
WEBMAIL=roundcube WEBMAIL=roundcube
@ -92,7 +92,7 @@ DMARC_RUF=admin
# Maildir Compression # Maildir Compression
# choose compression-method, default: none (value: bz2, gz) # choose compression-method, default: none (value: gz, bz2, lz4, zstd)
COMPRESSION= COMPRESSION=
# change compression-level, default: 6 (value: 1-9) # change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL= COMPRESSION_LEVEL=

View File

@ -92,7 +92,7 @@ DMARC_RUF=admin
# Maildir Compression # Maildir Compression
# choose compression-method, default: none (value: bz2, gz) # choose compression-method, default: none (value: gz, bz2, lz4, zstd)
COMPRESSION= COMPRESSION=
# change compression-level, default: 6 (value: 1-9) # change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL= COMPRESSION_LEVEL=

View File

@ -3,14 +3,5 @@
# Skip deploy for staging branch # Skip deploy for staging branch
[ "$TRAVIS_BRANCH" = "staging" ] && exit 0 [ "$TRAVIS_BRANCH" = "staging" ] && exit 0
# Retag in case of `bors try`
if [ "$TRAVIS_BRANCH" = "testing" ]; then
export DOCKER_ORG="mailutest"
# Commit message is like "Try #99".
# This sets the version tag to "pr-99"
export MAILU_VERSION="pr-${TRAVIS_COMMIT_MESSAGE//[!0-9]/}"
docker-compose -f tests/build.yml build
fi
docker login -u $DOCKER_UN -p $DOCKER_PW docker login -u $DOCKER_UN -p $DOCKER_PW
docker-compose -f tests/build.yml push docker-compose -f tests/build.yml push

View File

@ -0,0 +1 @@
Add a credential cache to speedup authentication requests.

View File

@ -0,0 +1 @@
Ensure that the podop socket is always owned by the postfix user (wasn't the case when build using non-standard base images... typically for arm64)

View File

@ -0,0 +1 @@
Add documentation for Traefik 2 in Reverse Proxy

View File

@ -0,0 +1 @@
Add cli commands config-import and config-export

View File

@ -1 +0,0 @@
Don't replace nested headers (typically in attached emails)

View File

@ -1 +0,0 @@
Fix letsencrypt access to certbot for the mail-letsencrypt flavour

View File

@ -0,0 +1 @@
Support configuring lz4 and zstd compression for dovecot.

View File

@ -1,2 +0,0 @@
Fix CVE-2020-25275 and CVE-2020-24386 by using alpine 3.13 for
dovecot which contains a fixed dovecot version.

View File

@ -0,0 +1,2 @@
Fix CVE-2021-23240, CVE-2021-3156 and CVE-2021-23239 for postgresql
by force-upgrading sudo.

View File

@ -1 +0,0 @@
Switch from client side sessions (cookies) to server-side sessions (Redis). This simplies the security model a lot and allows for an easier recovery should a cookie ever land in the hands of an attacker.

View File

@ -0,0 +1 @@
Switched from Travis to Github actions for CI/CD. Improved CI workflow to perform all tests in parallel.

View File

@ -0,0 +1 @@
Make CI tests run in parallel.

View File

@ -0,0 +1 @@
Fix roundcube environment configuration for databases

View File

@ -0,0 +1 @@
Remove cyrus-sasl-plain as it's not packaged by alpine anymore. SASL-login is still available and used when relaying.

View File

@ -0,0 +1 @@
Alpine has removed support for btree and hash in postfix... please use lmdb instead

View File

@ -0,0 +1 @@
Add instructions on how to create DNS records for email client auto-configuration (RFC6186 style)

View File

@ -0,0 +1 @@
Centralize the authentication of webmails behind the admin interface

View File

@ -3,7 +3,7 @@ ARG QEMU=other
# NOTE: only add file if building for arm # NOTE: only add file if building for arm
FROM ${ARCH}php:7.4-apache as build_arm FROM ${ARCH}php:7.4-apache as build_arm
ONBUILD COPY --from=balenalib/rpi-alpine:3.10 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
FROM ${ARCH}php:7.4-apache as build_other FROM ${ARCH}php:7.4-apache as build_other
@ -17,7 +17,7 @@ RUN apt-get update && apt-get install -y \
# Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
RUN pip3 install socrate RUN pip3 install socrate
ENV RAINLOOP_URL https://github.com/RainLoop/rainloop-webmail/releases/download/v1.14.0/rainloop-community-1.14.0.zip ENV RAINLOOP_URL https://github.com/RainLoop/rainloop-webmail/releases/download/v1.16.0/rainloop-community-1.16.0.zip
RUN apt-get update && apt-get install -y \ RUN apt-get update && apt-get install -y \
unzip python3-jinja2 \ unzip python3-jinja2 \
@ -35,6 +35,7 @@ RUN apt-get update && apt-get install -y \
&& rm -rf /var/lib/apt/lists && rm -rf /var/lib/apt/lists
COPY include.php /var/www/html/include.php COPY include.php /var/www/html/include.php
COPY sso.php /var/www/html/sso.php
COPY php.ini /php.ini COPY php.ini /php.ini
COPY application.ini /application.ini COPY application.ini /application.ini

View File

@ -8,6 +8,10 @@ allow_admin_panel = Off
[labs] [labs]
allow_gravatar = Off allow_gravatar = Off
{% if ADMIN == "true" %}
custom_login_link='sso.php'
custom_logout_link='{{ WEB_ADMIN }}/ui/logout'
{% endif %}
[contacts] [contacts]
enable = On enable = On

31
webmails/rainloop/sso.php Normal file
View File

@ -0,0 +1,31 @@
<?php
$_ENV['RAINLOOP_INCLUDE_AS_API'] = true;
if (!defined('APP_VERSION')) {
$version = file_get_contents('/data/VERSION');
if ($version) {
define('APP_VERSION', $version);
define('APP_INDEX_ROOT_FILE', __FILE__);
define('APP_INDEX_ROOT_PATH', str_replace('\\', '/', rtrim(dirname(__FILE__), '\\/').'/'));
}
}
if (file_exists(APP_INDEX_ROOT_PATH.'rainloop/v/'.APP_VERSION.'/include.php')) {
include APP_INDEX_ROOT_PATH.'rainloop/v/'.APP_VERSION.'/include.php';
} else {
echo '[105] Missing version directory';
exit(105);
}
// Retrieve email and password
if (in_array('HTTP_X_REMOTE_USER', $_SERVER) && in_array('HTTP_X_REMOTE_USER_TOKEN', $_SERVER)) {
$email = $_SERVER['HTTP_X_REMOTE_USER'];
$password = $_SERVER['HTTP_X_REMOTE_USER_TOKEN'];
$ssoHash = \RainLoop\Api::GetUserSsoHash($email, $password);
// redirect to webmail sso url
header('Location: index.php?sso&hash='.$ssoHash);
}
else {
header('HTTP/1.0 403 Forbidden');
}

View File

@ -24,6 +24,7 @@ conf.jinja("/application.ini", os.environ, "/data/_data_/_default_/configs/appli
conf.jinja("/php.ini", os.environ, "/usr/local/etc/php/conf.d/rainloop.ini") conf.jinja("/php.ini", os.environ, "/usr/local/etc/php/conf.d/rainloop.ini")
os.system("chown -R www-data:www-data /data") os.system("chown -R www-data:www-data /data")
os.system("chmod -R a+rX /var/www/html/")
os.execv("/usr/local/bin/apache2-foreground", ["apache2-foreground"]) os.execv("/usr/local/bin/apache2-foreground", ["apache2-foreground"])

View File

@ -2,7 +2,7 @@
ARG ARCH="" ARG ARCH=""
ARG QEMU=other ARG QEMU=other
FROM ${ARCH}php:7.4-apache as build_arm FROM ${ARCH}php:7.4-apache as build_arm
ONBUILD COPY --from=balenalib/rpi-alpine:3.10 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
FROM ${ARCH}php:7.4-apache as build_other FROM ${ARCH}php:7.4-apache as build_other
@ -16,9 +16,9 @@ RUN apt-get update && apt-get install -y \
# Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
RUN pip3 install socrate RUN pip3 install socrate
ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.4.6/roundcubemail-1.4.6-complete.tar.gz ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz
ENV CARDDAV_URL https://github.com/blind-coder/rcmcarddav/releases/download/v3.0.3/carddav-3.0.3.tar.bz2 ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v4.1.2/carddav-v4.1.2.tar.gz
RUN apt-get update && apt-get install -y \ RUN apt-get update && apt-get install -y \
zlib1g-dev libzip4 libzip-dev libpq-dev \ zlib1g-dev libzip4 libzip-dev libpq-dev \
@ -28,12 +28,8 @@ RUN apt-get update && apt-get install -y \
&& echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \ && echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \
&& rm -rf /var/www/html/ \ && rm -rf /var/www/html/ \
&& cd /var/www \ && cd /var/www \
&& curl -L -O ${ROUNDCUBE_URL} \ && curl -sL ${ROUNDCUBE_URL} | tar xz \
&& curl -L -O ${CARDDAV_URL} \ && curl -sL ${CARDDAV_URL} | tar xz \
&& tar -xf *.tar.gz \
&& tar -xf *.tar.bz2 \
&& rm -f *.tar.gz \
&& rm -f *.tar.bz2 \
&& mv roundcubemail-* html \ && mv roundcubemail-* html \
&& mv carddav html/plugins/ \ && mv carddav html/plugins/ \
&& cd html \ && cd html \
@ -46,6 +42,7 @@ RUN apt-get update && apt-get install -y \
COPY php.ini /php.ini COPY php.ini /php.ini
COPY config.inc.php /var/www/html/config/ COPY config.inc.php /var/www/html/config/
COPY mailu.php /var/www/html/plugins/mailu/mailu.php
COPY start.py /start.py COPY start.py /start.py
EXPOSE 80/tcp EXPOSE 80/tcp

Some files were not shown because too many files have changed in this diff Show More