1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-28 23:06:37 +02:00
Commit Graph

231 Commits

Author SHA1 Message Date
Florent Daigniere
55c1e55529 Same for front-smtp
This should enable postfix to have visibility on TLS usage and fix the
following: #1705
2022-12-28 15:40:35 +01:00
Florent Daigniere
4ae0d7d768 Enable HAPROXY protocol in between front and imap
With this we avoid running into the limitations of
 mail_max_userip_connections (see #894 amd #1364) and the
 logfiles as well as ``doveadm who`` give an accurate picture.
2022-12-28 14:17:00 +01:00
Florent Daigniere
4e3874b0c1 Enable dynamic resolution of hostnames 2022-12-08 13:00:50 +01:00
bors[bot]
5703e97c73
Merge #2460
2460: Switch to a base image containing base tools and the podop and socrate libs r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement of build process

## What does this PR do?

Changes build.hcl to build core images using a base image.
Also adds a "assets" base image for the admin container.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: Pierre Jaury <pierre@jaury.eu>
Co-authored-by: kaiyou <pierre@jaury.eu>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
2022-10-28 15:21:56 +00:00
Blaž Zupan
56617bbe12 Quote SMTP SIZE to avoid splitting keyword and parameter in EHLO response 2022-10-21 16:42:33 -07:00
Vincent Kling
23d06a5761 Fix a bunch of typos 2022-10-19 19:41:49 +02:00
Alexander Graf
146921f619
Move curl to base image 2022-10-14 14:34:58 +02:00
Alexander Graf
4c1071a497
Move all requirements*.txt to base image 2022-10-14 14:34:27 +02:00
Alexander Graf
a29f066858
Move even more python deps to base image 2022-10-12 16:32:27 +02:00
Alexander Graf
9fe452e3d1
Use base image when building core images 2022-10-12 16:32:20 +02:00
bors[bot]
e600f20762
Merge #2468
2468: Ensure that Mailu keeps working even if it can't obtain a certificate from LE r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES

Without this TLS configuration would fail and Mailu would operate without TLS completely.

I haven't tested it but thought this used to work previously... maybe certbot has changed something

### Related issue(s)
- closes #2467

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2022-10-08 14:13:28 +00:00
Florent Daigniere
1630a18dd8 Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES 2022-10-08 15:32:08 +02:00
Florent Daigniere
85a2aafcdf ghostwheel42's suggestions 2022-09-14 11:03:44 +02:00
Florent Daigniere
6a0e881522 Introduce TLS_PERMISSIVE for port 25
This new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged, please read the documentation before doing so.
2022-09-12 12:53:57 +02:00
Alexander Graf
822abc9136
Put ipv6 resolver address in square brackets 2022-08-19 15:56:44 +02:00
bors[bot]
3327500f96
Merge #2221
2221: Add support for custom NGINX config r=mergify[bot] a=easybe

## What type of PR?

enhancement

## What does this PR do?

Add support for custom NGINX config. Including *.conf files in /etc/nginx/conf.d same as the default NGINX configuration gives the user more flexibility.

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Ezra Buehler <ezra@easyb.ch>
2022-08-17 18:18:29 +00:00
bors[bot]
1069c02bc8
Merge #2357
2357: Switch to ffdhe3072 to enable RFC 7919 r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

The idea being:
- it's a "nothing up my sleeves" group
- it may help shave off some bytes of the SSL handshake; That being said, I doubt that clients that are modern enough to support this RFC won't offer an EC kex

https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe3072.pem

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2022-08-17 17:58:07 +00:00
Dimitri Huisman
ee78a34da4 Process code review feedback
Remove unneeded IF statement in /admin block in nginx.conf of front.
Fix contributions made to Dockerfile, add missing trailing \ and add back curl
Change healthcheck to monitoring page of fpm. Now we check nginx and fpm.
2022-07-06 13:42:13 +00:00
Dimitri Huisman
d19208d3d1 Merge branch 'master' of github.com:Mailu/Mailu into feature-switch-snappymail 2022-07-06 12:35:21 +00:00
Dimitri Huisman
4b491d9de5 Re-enable the built-in nginx resolver for traffic going through the mail plugin.
This is required for passing rDNS/ptr information to postfix.
The mail proxy uses the resolver info for passing XCLIENT info.
See http://nginx.org/en/docs/mail/ngx_mail_proxy_module.html#xclient
Without this info rspamd will flag all messages with DHFILTER_HOSTNAME_UNKNOWN due to the missing rDNS/ptr info.
2022-07-06 08:51:59 +00:00
Florent Daigniere
74c5e92628 Switch to ffdhe3072 to enable RFC 7919
The idea being:
- it's a "nothing up my sleeves" group
- it may help shave off some bytes of the SSL handshake; That being
said, I doubt that clients that are modern enough to support this RFC
won't offer an EC kex

https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe3072.pem
2022-05-24 17:42:30 +02:00
bors[bot]
e92c67b118
Merge #2338
2338: Update X-XSS-Protection to current recommendation r=mergify[bot] a=AvverbioPronome

See:

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection and
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection

## What type of PR?

Slight enhancement

## What does this PR do?

This PR turns off the XSS auditor in the few browsers that still have one.

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ?] In case of feature or enhancement: documentation updated accordingly
- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Giuseppe C <1191978+AvverbioPronome@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
2022-05-18 19:28:33 +00:00
Florent Daigniere
cb656fc9fd Silence some errors in nginx
"could not be resolved (3: Host not found) while in resolving client
address, client:"
2022-05-13 18:05:22 +02:00
Your Name
f7a3ecee2c remove X-XSS-Protection header from nginx.conf 2022-05-10 22:41:10 +02:00
Giuseppe C
389438d18b
Update X-XSS-Protection to current recommendation
See:

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection and
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
2022-05-08 21:11:01 +02:00
Will
a54a784168 Update alpine-linux to 3.14.5 - Zlib security FIX 2022-03-30 09:08:28 +00:00
Dimitri Huisman
f2f859280c Merge remote-tracking branch 'origin/master' into feature-switch-snappymail 2022-03-22 09:14:53 +00:00
Dimitri Huisman
9519d07ba2 Switch from RainLoop to SnappyMail 2022-03-22 09:04:56 +00:00
bors[bot]
c15e4e6015
Merge #2276
2276: Autoconfig of email clients r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

It provides auto-configuration templates for email clients and encourages them to use implicit TLS (see https://nostarttls.secvuln.info/)

There are numerous caveats:
- it will only work if suitable DNS records are created and certificates obtained (autoconfig, autodiscover, ...)
- the mobileconfig file isn't signed
- the credentials will be prompted... we could/should provision a token on each request instead
- it currently doesn't advertise caldav
- it's IMAP only

### Related issue(s)
- close #224 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2022-03-22 08:53:47 +00:00
Florent Daigniere
9b952da6c2 Allow nginx to lookup IPv6 addresses
It creates issues with RSPAMD/HFILTER_HOSTNAME_UNKNOWN on v6 enabled
setups see
https://github.com/Mailu/Mailu/issues/2260#issuecomment-1066797661
2022-03-20 12:11:50 +01:00
Will
d02296c3bc Update alpine-linux to 3.14.4 - OpenSSL security FIX 2022-03-17 10:40:42 +00:00
Florent Daigniere
6d80eea649 ghostwheel42's suggestion 2022-03-17 11:35:31 +01:00
Florent Daigniere
184c9bc566 Add json redirect 2022-03-16 14:04:02 +01:00
Florent Daigniere
d677c465a7 Handle spaces too 2022-03-16 14:04:02 +01:00
Florent Daigniere
6fc1273b58 Add a link to autoconfigure apple devices 2022-03-16 14:04:02 +01:00
Florent Daigniere
3a56525e21 As discussed on #mailu-dev
Don't attempt to guess what the user wants
2022-03-16 14:04:02 +01:00
Florent Daigniere
81b592f3cb try to get LE certs for the new names 2022-03-16 14:04:02 +01:00
Florent Daigniere
cdc92aa65b Mobileconfig apple style 2022-03-16 14:04:02 +01:00
Florent Daigniere
ccd2cad4f1 Autodiscovery microsoft style 2022-03-16 14:04:02 +01:00
Florent Daigniere
523cee1680 Autoconfig mozilla-style 2022-03-16 14:04:02 +01:00
Florent Daigniere
f9869b1d79 ghostwheel42's suggestions 2022-02-24 12:45:30 +01:00
Florent Daigniere
ab35492589 the first time the loop runs we don't have the second cert 2022-02-20 12:02:30 +01:00
Florent Daigniere
0816cb9497 simplify as per ghostwheel42's suggestion 2022-02-20 11:56:21 +01:00
Florent Daigniere
e4a32b55f5 Send ISRG_X1 on port 25, make DANE pin that 2022-02-19 14:35:45 +01:00
Ezra Buehler
5d6b295013 Add support for custom NGINX config
Including *.conf files in /etc/nginx/conf.d same as the default NGINX
configuration gives the user more flexibility.
2022-02-09 07:26:23 +01:00
Florent Daigniere
f6ebf9fda2
Update tls.conf 2022-01-31 11:19:00 +01:00
Florent Daigniere
68ff6c8337
Use ISRG_ROOT_X1 as DST_ROOT is not available 2022-01-31 11:18:21 +01:00
Sebastian Klemke
a6b4b9ae52 Removed ssl_trusted_certificate configuration setting from nginx.
Resolves an nginx startup issue when letsencrypt or
mail-letsencrypt is enabled.

Fixes #2199
2022-01-31 08:03:58 +01:00
Florent Daigniere
6425f440d3 fix 2147 2022-01-07 08:55:55 +01:00
Will
b2abbc8856 update Dockerfile to alpine 3.14.3 2021-12-22 09:19:44 +00:00