1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-14 10:53:30 +02:00
Commit Graph

1402 Commits

Author SHA1 Message Date
Dimitri Huisman
0de2ec77c6 Process code review remarks #1441 2021-11-23 21:43:00 +00:00
Dimitri Huisman
f7677543c6 Process code review remarks
- Moved run to bottom of Dockerfile to allow using unmodified / cached states.
- Simplified bash code in deploy.sh.
- Improved the large bash one-liner in CI.yml. It could not handle >9 for 1.x.
2021-11-18 17:21:56 +00:00
Dimitri Huisman
56dd70cf4a Implement versioning for CI/CD workflow (see #1182). 2021-11-17 20:00:04 +00:00
Alexander Graf
aa1d605665
Merge remote-tracking branch 'upstream/master' into passlib 2021-11-16 10:21:08 +01:00
Alexander Graf
84a5514a97
fixed auto reply form 2021-11-12 12:19:45 +01:00
Alexander Graf
cf7914d050
fixed field iteration 2021-11-11 16:00:00 +01:00
Alexander Graf
fd5bdc8650
added localized date output 2021-11-11 12:20:52 +01:00
Alexander Graf
0315ed78d9
Merge remote-tracking branch 'upstream/master' into update_deps 2021-11-11 11:49:48 +01:00
Till Skrodzki
c48e00ee26 Do not call .split() on RELAYNETS if not specified 2021-11-09 12:22:53 +01:00
bors[bot]
56cbc56df7
Merge #2044
2044: Vault/rspamd: don't return any key for relayed domains r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR 

Don't return any key for relayed domains. We may want to revisit this (ARC signing)... but in the meantime it saves from a scary message in rspamd.
    
```signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...```


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-11-08 16:01:10 +00:00
bors[bot]
78dd13a217
Merge #2042
2042: Add MESSAGE_RATELIMIT_EXEMPTION r=mergify[bot] a=nextgens

## What type of PR?

Enhancement

## What does this PR do?

Add a new knob called ```MESSAGE_RATELIMIT_EXEMPTION```.

### Related issue(s)
- #1774

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-11-08 15:29:50 +00:00
Florent Daigniere
6bf1a178b9 Go with ghostwheel42's suggestion 2021-11-08 09:34:02 +01:00
Florent Daigniere
b68033eb43 only parse it once 2021-11-08 09:23:24 +01:00
Alexander Graf
82e14f1292
Merge branch 'master' into update_deps 2021-11-07 21:25:08 +01:00
bors[bot]
f0188d9623
Merge #2034
2034: Add timezone to containers r=mergify[bot] a=DjVinnii

## What type of PR?

Enhancement

## What does this PR do?
This PR adds the tzdata package so that the environment variable `TZ` can be used to set the timezone of containers.

### Related issue(s)
- closes #1154 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: DjVinnii <vincentkling@msn.com>
2021-11-07 18:52:43 +00:00
Florent Daigniere
dc6e970a7f handle HTTP too 2021-11-07 12:41:29 +01:00
Florent Daigniere
bbef4bee27 Don't return any key for relayed domains
We may want to revisit this (ARC signing)... but in the meantime
it saves from a scary message in rspamd

signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...
2021-11-07 12:20:31 +01:00
Florent Daigniere
6c6b0b161c Set the right flags on the rate_limit cookie 2021-11-06 10:45:59 +01:00
Florent Daigniere
f9373eacab Merge remote-tracking branch 'upstream/master' into misc 2021-11-06 10:05:59 +01:00
Florent Daigniere
5714b4f4b0 introduce MESSAGE_RATELIMIT_EXEMPTION 2021-11-06 10:05:52 +01:00
DjVinnii
30d7e72765 Move TZ to Advanced settings 2021-11-05 14:44:12 +01:00
DjVinnii
225160610b Set default TZ in Dockerfiles 2021-11-04 14:22:12 +01:00
DjVinnii
81e33d3679 Add default TZ to config manager 2021-11-04 13:21:37 +01:00
Alexander Graf
97e79a973f fix sso login button spacing again 2021-11-04 08:32:53 +01:00
Alexander Graf
73ab4327c2 updated database libraries (sqlalchemy etc.)
this is working fine, but introduces a sqlalchemy warning
when using config-import:

  /app/mailu/schemas.py:822:
    SAWarning: Identity map already had an identity for (...),
    replacing it with newly flushed object.
    Are there load operations occurring inside of an event handler
    within the flush?
2021-11-03 22:57:07 +01:00
Alexander Graf
4669374b9e use python wheels 2021-11-03 22:55:41 +01:00
Alexander Graf
85d86d4156 some more libs updated 2021-11-03 22:55:26 +01:00
Alexander Graf
ffd99c3fa8 updated flask
ConfigManager should not replace app.config - this is causing trouble
with some other flask modules (swagger).
Updated ConfigManager to only modify app.config and not replace it.
2021-11-03 22:21:26 +01:00
Alexander Graf
87884213c4 update misc helper libs 2021-11-03 22:03:51 +01:00
Alexander Graf
56f65d724d update babel 2021-11-03 21:52:59 +01:00
Alexander Graf
5238b00f0b update alembic 2021-11-03 21:33:39 +01:00
Alexander Graf
f613205fe1 update tenacity 2021-11-03 21:30:34 +01:00
Alexander Graf
833ccb5544 reload page using GET when selecting language 2021-11-03 20:38:00 +01:00
Alexander Graf
8b15820b01 fix sso login button spacing 2021-11-03 20:35:05 +01:00
Alexander Graf
26fb108a3f updated Flask-Login 2021-11-03 20:22:47 +01:00
Alexander Graf
abc4112242 updated Werkzeug, Click and Flask-Migrate 2021-11-03 20:12:20 +01:00
Alexander Graf
f1d7bedd1b fix display of range inputs (again) 2021-11-03 19:54:15 +01:00
Alexander Graf
13e6793c9f Merge remote-tracking branch 'upstream/master' into update_deps 2021-11-03 19:35:51 +01:00
Alexander Graf
aca1e13648 update socrate - will be removed later 2021-11-02 20:47:53 +01:00
Alexander Graf
866741bcbe updated WTForms-Components deps 2021-11-02 19:22:58 +01:00
Alexander Graf
ef19869cde updated redis 2021-11-02 18:06:26 +01:00
Alexander Graf
d8efd3057c updated idna 2021-11-02 17:52:25 +01:00
Alexander Graf
8ad8cde0e2 removed some obsolete requirements 2021-11-02 17:06:28 +01:00
Alexander Graf
3ac1b3d86c update pyyaml and pygments 2021-11-02 17:02:54 +01:00
Alexander Graf
40cdff4911 updated dnspython 2021-11-02 16:49:25 +01:00
Alexander Graf
dcbe55f062 updated crypto 2021-11-02 16:28:37 +01:00
Alexander Graf
771b2d1112 duh 2021-11-02 16:21:31 +01:00
Alexander Graf
23d0cd0466 update tabluate. fix audit.py and include in container 2021-11-02 15:55:20 +01:00
Alexander Graf
8d90a74624 update werkzeug to 1.x 2021-11-02 15:39:41 +01:00
bors[bot]
5e212ea46d
Merge #2036
2036: round display of range inputs to 2 decimals r=mergify[bot] a=ghostwheel42

## What type of PR?

small fix

## What does this PR do?

rounds display of range inputs to 2 decimals 

### Related issue(s)

- small fix to #1966

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-11-02 13:34:59 +00:00
Alexander Graf
80be3506da upgrade pip. completed reqs via pip freeze 2021-11-02 13:32:12 +01:00
Alexander Graf
598b2df5a0 update wtforms 2021-11-02 13:04:40 +01:00
Alexander Graf
e8b5f1a185 round display of range inputs to 2 decimals 2021-11-02 12:59:59 +01:00
DjVinnii
1d6809193b Add tzdata to core 2021-11-02 11:18:21 +01:00
Florent Daigniere
74b31dc407 Ensure that RCVD_NO_TLS_LAST doesn't add spam points 2021-11-01 17:52:12 +01:00
bors[bot]
11bbceb9cc
Merge #2032
2032: doh r=mergify[bot] a=nextgens

This should have been part of #2030

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-11-01 12:21:02 +00:00
Florent Daigniere
8dad40f67c doh 2021-11-01 12:48:48 +01:00
bors[bot]
e52a3de1b0
Merge #2027 #2030
2027: Make logs more quiet r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

It silences various useless log messages in front, specifically:
```
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/1.1" 301 162 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/2.0" 204 0 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 2021/10/30 03:11:04 [info] 476302#476302: *2622679 client 127.0.0.1 closed keepalive connection
Oct 30 03:13:02 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:13:02 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
```

`@micw` has requested it for k8s

2030: Fix RELAYNETS r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

RELAYNETS should be comma separated like everything else; rspamd should also be aware of what is considered "trusted".

I am not sure whether ```local_networks``` is the right configuration option for it though

- close #360

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-11-01 08:48:41 +00:00
Florent Daigniere
2170e07731 Tell rspamd about RELAYNETS 2021-10-31 19:57:51 +01:00
Florent Daigniere
9d474f32a6 RELAYNETS is comma separated! 2021-10-31 19:47:16 +01:00
Florent Daigniere
f3c93212c6 The Rate-limiter should run after the deny 2021-10-31 19:41:12 +01:00
Florent Daigniere
53a0363b9e Deal with the noisy keepalive messages
We don't particularly care about HTTP... and that's what's noisy.
2021-10-30 15:39:13 +02:00
Florent Daigniere
80a85c27a9 Silent healthchecks in logs 2021-10-30 15:34:40 +02:00
Alexander Graf
9bc685c30b removed some more whitespace 2021-10-29 15:34:00 +02:00
Alexander Graf
8c31699baf fixed locale selector for no_NB 2021-10-29 15:29:20 +02:00
Alexander Graf
882a27f87c simplified if's and added external link icon 2021-10-29 15:07:25 +02:00
Alexander Graf
3141ffe791 removed some whitespace 2021-10-29 14:26:23 +02:00
Dimitri Huisman
6b16756d92 Fix acessing antispam via sidebar. 2021-10-29 09:22:46 +00:00
Dimitri Huisman
3449b67c86 Process code review remarks PR2023 2021-10-29 08:18:50 +00:00
Dimitri Huisman
8784971b7f Merge rate limiting and failed login logging 2021-10-28 18:55:35 +00:00
Dimitri Huisman
503044ef6e Reintroduce ProxyFix. Use two buttons for logging in. 2021-10-27 21:51:49 +00:00
Dimitri Huisman
c42ad8e71e Forgot to include changes for url_for of base.html 2021-10-27 18:49:36 +00:00
Dimitri Huisman
fb0f005343 Get rid of complicated prefix logic. Further simplify /static handling and nginx config. 2021-10-27 18:36:50 +00:00
Dimitri Huisman
da788ddee3 Merge branch 'fix-sso-1929' of github.com:Diman0/Mailu into fix-sso-1929 2021-10-27 12:38:18 +00:00
Dimitri Huisman
bdcc183165 Redirect to configured ENV VAR for Admin/Webmail, further simplify nginx config. 2021-10-27 11:24:10 +00:00
Dimitri Huisman
f1a60aa6ea Remove unneeded auth_request_set 2021-10-27 11:11:50 +00:00
Florent Daigniere
fee13e6c4b Save a redirect 2021-10-27 11:11:22 +02:00
Florent Daigniere
d3f07a0882 Simplify the handling of /static 2021-10-27 10:56:34 +02:00
Florent Daigniere
aee089f3b1 Ensure that static assets are readable 2021-10-27 10:55:47 +02:00
Dimitri Huisman
a47afec4ee Make logic more readable. 2021-10-27 08:22:36 +00:00
Dimitri Huisman
48764f0400 Ensure all requests from the page sso go through the page sso. 2021-10-27 08:06:53 +00:00
Dimitri Huisman
5232bd38fd Simplify webmail logout. 2021-10-26 12:07:36 +00:00
Dimitri Huisman
aab258d284 Move handling of logging out in admin, to sso logout page. 2021-10-26 11:54:25 +00:00
Dimitri Huisman
615743b331 Improve indendation of conditions. 2021-10-26 11:39:56 +00:00
Dimitri Huisman
5d81846c5d Introduce the shared stub /static for providing all static files 2021-10-26 11:30:06 +00:00
Dimitri Huisman
eb74a72a52 Moved locations to correct area in nginx.conf. 2021-10-26 07:35:06 +00:00
Dimitri Huisman
aa7380ffba Doh! 2021-10-25 20:00:00 +00:00
Dimitri Huisman
44d2448412 Updated SSO logic for webmails. Fixed small bug rate limiting. 2021-10-25 19:21:38 +00:00
Dimitri Huisman
f9eee0cbaf Adapt HEALTHCHECK to new URL 2021-10-25 17:43:53 +00:00
Dimitri Huisman
ed7adf52a6 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929 2021-10-25 17:31:25 +00:00
Dimitri Huisman
913a6304a7 Finishing touches. Introduce /static stub for handling all static files. 2021-10-25 17:24:41 +00:00
bors[bot]
a1192d8039
Merge #1987
1987: Enhancement to the rate limits r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Turn the rate-limiters into something useful (that won't fire for no reason).

- fix rate-limiting on /webdav/
- it changes the rate-limiting behaviour from limiting a single IP address to a subnet of a reasonable size (/24 on v4 and /56 on v6 both are now configurable) : AUTH_RATELIMIT_IP / AUTH_RATELIMIT_IP_V4_MASK / AUTH_RATELIMIT_IP_V6_MASK
- It ensures we only use IP-based rate-limits for attempts on accounts that do not exist
- it creates a new rate limit preventing attackers from targetting a specific user account (separate from what's above) : AUTH_RATELIMIT_USER
- it introduces a rate limiting exemption mechanism whereby, upon authentication, users will see their source-ip address being exempt for a specific amount of time AUTH_RATELIMIT_EXEMPTION_LENGTH. A similar mechanism is available for web-based sessions (see below)
- It introduces in AUTH_RATELIMIT_EXEMPTION a comma separated list of network CIDRs that will be exempt from both types of rate limiting
- it implements device-tokens, as described on https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies to ensure that genuine users aren't locked-out by a malicious attacker abusing the rate-limit feature.

Things that could be improved include:
- the IP-based rate limiter flags attempts against "non-existing" accounts: it could go further and flag the number of unique non-existing accounts attempted (to prevent the case of a user making a typo in his MUA configuration)
- the IP address exemption mechanism doesn't pin the exemption to a specific username: any real user can trivially bypass the rate limits (and attempt to brute-force someone else's account)

### Related issue(s)
- close #1926
- close #1745 
- close #1915


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
2021-10-16 15:52:47 +00:00
Florent Daigniere
693b578bbb The second strip isn't necessary 2021-10-16 17:24:12 +02:00
Florent Daigniere
1c6165213c better that way 2021-10-16 16:54:56 +02:00
Florent Daigniere
34497cff20 doh 2021-10-16 16:35:48 +02:00
Florent Daigniere
e8871dd77f doh 2021-10-16 16:06:13 +02:00
Florent Daigniere
5b72c32251 Doh 2021-10-16 15:44:26 +02:00
Florent Daigniere
19b784b198 Parse the network configuration only once
thanks @ghostwheel42
2021-10-16 15:18:41 +02:00
Florent Daigniere
98742268e6 Make it more readable 2021-10-16 15:12:20 +02:00
Florent Daigniere
94bbed9746 Ensure we have the right IP 2021-10-16 10:39:43 +02:00
Florent Daigniere
c5bd82650f doh 2021-10-16 10:30:57 +02:00
Florent Daigniere
99c81c20a7 Introduce AUTH_RATELIMIT_EXEMPTION
This disables rate limiting on specific CIDRs
2021-10-16 10:26:38 +02:00
Florent Daigniere
c674f1567a Merge branch 'ratelimits' of https://github.com/nextgens/Mailu into ratelimits 2021-10-16 09:55:15 +02:00
Florent Daigniere
8414dd5cf0 Merge remote-tracking branch 'upstream/master' into ratelimits 2021-10-16 09:52:20 +02:00
Florent Daigniere
e14d2e7c03 Error out explictely if Auth-Port isn't set 2021-10-16 09:49:01 +02:00
Florent Daigniere
abaa2e8cc3 simplify client_ip 2021-10-16 09:46:21 +02:00
Florent Daigniere
de276a6822 Simplify extract_network_from_ip 2021-10-16 09:45:10 +02:00
Florent Daigniere
3bda8368e4 simplify the Auth-Status check 2021-10-16 09:39:34 +02:00
Florent Daigniere
2dd9ea1506 simplify 2021-10-16 09:36:49 +02:00
Florent Daigniere
068170c0ff Use app instead of flask.current_app where possible 2021-10-16 09:35:01 +02:00
Florent Daigniere
57b0dd490c Initialize user_email in all cases 2021-10-16 09:29:17 +02:00
qy117121
b1425015ef
Update messages.po
Fix wrong text
2021-10-16 03:51:22 +08:00
bors[bot]
afffe4063e
Merge #2018
2018: show dmarc record for report domain in domain details r=mergify[bot] a=ghostwheel42

## What type of PR?

documentation

## What does this PR do?

show dmarc record for report domain in domain details

### Related issue(s)

closes #1382

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-15 12:52:16 +00:00
bors[bot]
9f2aa0aadc
Merge #1986 #2014
1986: Document how to setup client autoconfig r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Document how to setup autoconfig. This works with most open-source MUAs (thunderbird, evolution, ...)

We could go further than that by providing dynamic configuration (issue an auth token for each MUA request)... but it won't work unless a new DNS entry (and matching certificate) is created.

### Related issue(s)
- #224

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


2014: Update Chinese translation r=mergify[bot] a=qy117121

## What type of PR?

translation

## What does this PR do?

Update Chinese translation. Use `zh` instead of `zh_CN`.

### Related issue(s)

none

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: qy117121 <mixuan121@gmail.com>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-15 12:29:46 +00:00
Alexander Graf
7fe15ea9cf added dmarc record for report domain 2021-10-15 14:22:50 +02:00
bors[bot]
a5b1d36171
Merge #2017
2017: rspamd: get dkim keys via REST API instead of filesystem r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement

## What does this PR do?

rspamd now uses hashicorp's vault api v1 to get dkim keys and selectors for a domain.
this allows future enhancement (multiple keys) without reconfiguring and restarting rspamd.
it also makes mounting the /dkim volume into the rspamd container unnecessary.

### Related issue(s)

- improves and closes #2012 
- allows to implement key rotation using multiple selectors (see #1700)
- allows to implement dkim for alternate domains (see #1519)
- fixes and closes #1345 (selector transmitted by admin container is used)
- closes #1179 (no keys on disk)
- allows to implement key rotation from the outside (ie. via a helper script talking to some dns provider's api) (see #547)

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-15 12:08:40 +00:00
Alexander Graf
7b0c5935a8 only support GET method in vault 2021-10-15 13:16:37 +02:00
Alexander Graf
303fae00fb cleanup modules. use dkim selector from config 2021-10-14 23:25:42 +02:00
Alexander Graf
dc9f970a91 removed zh_CN and updated locale-map for datatables 2021-10-14 23:15:42 +02:00
Alexander Graf
893705169e PoC rspamd use dkimkeys from admin using vault api 2021-10-14 23:01:53 +02:00
Florent Daigniere
632ce663ee Prevent logins with no password 2021-10-14 18:04:49 +02:00
qy117121
866f784d06
Create messages.po
Update the translation
2021-10-14 15:05:32 +08:00
qy117121
251eea5553
Update messages.po
Updated translation
2021-10-14 15:03:23 +08:00
Florent Daigniere
7277e0b4e4
Merge branch 'master' into ratelimits 2021-10-12 14:47:00 +02:00
bors[bot]
8c8c1b2015
Merge #1997
1997: Prevent traceback when using non-email in login r=mergify[bot] a=ghostwheel42

There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('`@',` 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "`@")`
```

## What type of PR?

enhancement

## What does this PR do?

replace traceback (ERROR) with error message (WARNING)

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-12 12:07:08 +00:00
bors[bot]
9b01e663b2
Merge #2007
2007: allow sending emails as user+detail@domain.tld r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix or enhancement

## What does this PR do?

Allows sending emails with an added "+detail" in the local part.
 
### Related issue(s)

closes #1948

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: root <ghostwheel42@users.noreply.github.com>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-10-09 17:01:25 +00:00
Florent Daigniere
14360f8926 RECIPIENT_DELIMITER can have several characters 2021-10-09 18:28:50 +02:00
root
8c59f35697 use RECIPIENT_DELIMITER for splitting 2021-10-09 17:43:09 +02:00
Alexander Graf
1d571dedfc split localpart into user and tag 2021-10-09 17:11:12 +02:00
Florent Daigniere
d131d863ba The if needs to be inside the block 2021-10-09 15:44:56 +02:00
Alexander Graf
aaf3ddd002 moved javascript to app.js 2021-10-08 20:06:21 +02:00
Florent Daigniere
b48779ea70 SESSION_COOKIE_SECURE and HTTP won't work 2021-10-08 10:17:03 +02:00
Florent Daigniere
502affbe66 Use the regexp engine since we have one 2021-10-03 10:14:49 +02:00
Florent Daigniere
a349190e52 simplify 2021-10-02 10:19:57 +02:00
Florent Daigniere
10d78a888b Derive a new subkey for SRS 2021-10-01 15:00:10 +02:00
Florent Daigniere
995ce8d437 Remove OUTCLEAN_ADDRESS
I believe that this isn't relevant anymore as we don't use OpenDKIM
anymore

Background on:
https://bofhskull.wordpress.com/2014/03/25/postfix-opendkim-and-missing-from-header/
2021-10-01 14:54:04 +02:00
Alexander Graf
65133a960a Prevent traceback when using non-email in login
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
2021-09-28 10:38:37 +02:00
Diman0
41f5b43b38 Set nginx logging to level info again. 2021-09-24 15:33:16 +02:00
Diman0
f4cde61148 Make header translatable. More finishing touches. 2021-09-24 15:29:28 +02:00
Florent Daigniere
7d56ed3b70 Merge branch 'master' of https://github.com/Mailu/Mailu into ratelimits 2021-09-24 13:40:59 +02:00
Diman0
fbe0a446b9 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929 2021-09-24 13:05:06 +02:00
Florent Daigniere
1e07b85fa1 doh 2021-09-24 10:20:21 +02:00
Diman0
9894b49cbd Merge/Update with changes from master 2021-09-24 10:07:52 +02:00
Florent Daigniere
24aadf2f52 ensure we log when the rate limiter hits 2021-09-24 10:07:41 +02:00
Florent Daigniere
64bc7972cc Make AUTH_RATELIMIT_IP 60/hour as discussed 2021-09-24 09:57:28 +02:00
Florent Daigniere
cab0ce2017 doh 2021-09-23 19:01:09 +02:00
Florent Daigniere
a9340e61f5 Log auth attempts on /admin 2021-09-23 18:48:23 +02:00
Florent Daigniere
89ea51d570 Implement rate-limits 2021-09-23 18:40:49 +02:00
Diman0
bf0aad9820 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929 2021-09-22 17:04:13 +02:00
bors[bot]
4c5c6c3b5f
Merge #1966
1966: AdminLTE3 optimizations & compression and caching r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement, bugfix

## What does this PR do?

Optimization and cleanup of styles and javascript code for AdminLTE 3
Adds caching headers, gzip and robots.txt to nginx.

### Related issue(s)

Makes #1800 even better. Thanks to `@DjVinnii` and `@Diman0` for the good work.
Closes #1905

## Prerequistes

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-09-22 10:00:34 +00:00
bors[bot]
b329971b87
Merge #1971
1971: Updated Polish translation. r=mergify[bot] a=ghostwheel42

## What type of PR?

translation

## What does this PR do?

Update polish translation. Used `pl/LC_MESSAGES/messages.po` from PR #1751 created by `@martys71`
Part of Discussion of 1.9 roadmap #1930

### Related issue(s)

closes #1751 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-09-22 09:01:37 +00:00
bors[bot]
72e8ec53b7
Merge #1975
1975: Replace traceback with error message when creating initial admin user r=mergify[bot] a=ghostwheel42

## What type of PR?

small enhancement

## What does this PR do?

when creating the admin user via cli a traceback is shown when this user is already present in the database.
This is confusing users. I've replaced the traceback with an error message.

### Related issue(s)

#1921

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-09-13 18:48:38 +00:00
Alexander Graf
25cf8b5358 better help formatting 2021-09-13 15:13:29 +02:00
Alexander Graf
b63081cb48 display error (not exception) when creating admin
repleace misleading python exception (mailu broken)
with error message stating that the admin user is
already present
2021-09-13 14:49:49 +02:00
Alexander Graf
065215d4d1 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes 2021-09-11 12:36:19 +02:00
Alexander Graf
7bec8029a4 strip not necessary anymore 2021-09-09 21:41:03 +02:00
Alexander Graf
05c79b0e3c copy (and not parse) mta sts override config 2021-09-09 18:45:39 +02:00
Alexander Graf
b02ceab72f handle DEFER_ON_TLS_ERROR as bool
use /conf/mta-sts-daemon.yml when override is missing
2021-09-09 18:00:48 +02:00
Alexander Graf
1e8b41f731 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes 2021-09-09 13:22:15 +02:00
Alexander Graf
b883e3c4a6 duh. 2021-09-09 12:10:34 +02:00
Alexander Graf
bb40ccc4b0 normalize HOSTNAMES
should be moved to python lib and normalized in start.py
2021-09-09 11:58:27 +02:00
Alexander Graf
45a2be3766 Updated Polish translation.
Used pl/LC_MESSAGES/messages.po from PR#1751 created by martys71
2021-09-06 18:42:50 +02:00
bors[bot]
d464187477
Merge #1964
1964: Alpine3.14.2 r=mergify[bot] a=nextgens

Upgrade to alpine 3.14.2, retry upgrading unbound & switch back to libressl

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-09-06 15:59:10 +00:00
Alexander Graf
a319ecde29 also precompress static txt files 2021-09-06 13:52:35 +02:00
Alexander Graf
b445d9ddd1 set expire headers only for mailu content
also moved robots.txt from config to static folder.
2021-09-06 13:45:48 +02:00
Alexander Graf
698ee4e521 added tiff and webp to list of cached content 2021-09-06 09:10:59 +02:00
Alexander Graf
0094268410 allow to change logo. default color for flash msg
- two new environment variables allow to change logo background color
  and graphic
- flash messages are now green (not cyan)
2021-09-06 09:08:51 +02:00
Alexander Graf
d8b4a016af use blue color from https://mailu.io/ 2021-09-06 08:41:49 +02:00
bors[bot]
6fe265b548
Merge #1968
1968: optimize handle_authentication r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

catch utf-8 decoding errors and log a warning in handle_authentication instead of writing a traceback into the log.

### Related issue(s)

closes #1361

## Prerequistes

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-09-05 20:19:00 +00:00
bors[bot]
d8dc765f04
Merge #1967
1967: fix 1789: ensure that nginx resolves ipv4 addresses r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

This fixes ipv6 enabled setup by disabling it. If you were using SUBNET6 in your configuration, odds are it's broken since gunicorn isn't bound on an on an ipv6 enabled socket.

Should we backport this?

### Related issue(s)
- close #1789
- close #1802


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-09-05 19:11:50 +00:00
Alexander Graf
90c96bdddc optimize handle_authentication
- catch decoding of nginx headers (utf-8 exception)
- re-ordered function
2021-09-05 19:47:10 +02:00
Florent Daigniere
7aa403573d no with here 2021-09-05 19:06:20 +02:00
Florent Daigniere
0ee52ba65b Doh 2021-09-05 19:03:54 +02:00
Florent Daigniere
0f0459e9b2 suggestions from @ghostwheel42 2021-09-05 18:49:07 +02:00
Florent Daigniere
9888efe55d Document as suggested on #mailu-dev 2021-09-05 18:23:08 +02:00
Alexander Graf
7bede55fce more verbose cleaning message 2021-09-05 17:48:20 +02:00
Florent Daigniere
a9a1b3e55e Reduce the EDNS0 size to 1232
@see
https://github.com/dns-violations/dnsflagday/issues/125
2021-09-05 15:28:59 +02:00
Florent Daigniere
72ba5ca3f9 fix 1789: ensure that nginx resolves ipv4 addresses 2021-09-03 21:59:53 +02:00
Alexander Graf
7fd605cc21 fixed brand link target for normal users 2021-09-03 13:41:33 +02:00
Diman0
b148e41d9b Fix nginx config 2021-09-03 13:01:09 +02:00
Florent Daigniere
d8c22db547 Merge remote-tracking branch 'upstream/master' into policyd-mta-sts 2021-09-03 11:37:43 +02:00
Alexander Graf
8cdd7e911d duh. removed debug 2021-09-02 23:36:49 +02:00
Alexander Graf
2ba0d552e0 Merge remote-tracking branch 'upstream/master' into passlib 2021-09-02 23:00:39 +02:00
Alexander Graf
34df8b3168 AdminLTE3 optimizations & compression and caching
- fixed copy of qemu-arm-static for alpine
- added 'set -eu' safeguard
- silenced npm update notification
- added color to webpack call
- changed Admin-LTE default blue
  (core/admin/Dockerfile)

- AdminLTE 3 style tweaks
  (core/admin/assets/app.css)
  (core/admin/mailu/ui/templates/base.html)
  (core/admin/mailu/ui/templates/sidebar.html)

- localized datatables
  (core/admin/Dockerfile)
  (core/admin/assets/app.js)
  (core/admin/package.json)

- moved external javascript code to vendor.js
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/webpack.config.js)

- added mailu logo
  (core/admin/assets/app.js)
  (core/admin/assets/app.css)
  (core/admin/assets/mailu.png)

- moved all inline javascript to app.js
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/domain/create.html)
  (core/admin/mailu/ui/templates/user/create.html)

- added iframe display of rspamd page
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/views/base.py)
  (core/admin/mailu/ui/templates/sidebar.html)
  (core/admin/mailu/ui/templates/antispam.html)

- updated language-selector to display full language names and use post
  (core/admin/assets/app.js)
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/utils.py)
  (core/admin/mailu/ui/views/languages.py)

- added fieldset to group and en/disable input fields
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/user/settings.html)
  (core/admin/mailu/ui/templates/user/reply.html)

- added clipboard copy buttons
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/domain/details.html)

- cleaned external javascript imports
  (core/admin/assets/vendor.js)

- pre-split first hostname for further use
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/client.html)
  (core/admin/mailu/ui/templates/domain/signup.html)

- cache dns_* properties of domain object (immutable during runtime)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/domain/details.html)

- fixed and splitted dns_dkim property of domain object (space missing)
- added autoconfig and tlsa properties to domain object
  (core/admin/mailu/models.py)

- suppressed extra vertical spacing in jinja2 templates
- improved accessibility for screen reader
  (core/admin/mailu/ui/templates/**.html)

- deleted unused/broken /user/forward route
  (core/admin/mailu/ui/templates/user/forward.html)
  (core/admin/mailu/ui/views/users.py)

- updated gunicorn to 20.1.0 to get rid of buffering error at startup
  (core/admin/requirements-prod.txt)

- switched webpack to production mode
  (core/admin/webpack.config.js)

- added css and javascript minimization
- added pre-compression of assets (gzip)
  (core/admin/webpack.config.js)
  (core/admin/package.json)

- removed obsolte dependencies
- switched from node-sass to dart-sass
  (core/admin/package.json)

- changed startup cleaning message from error to info
  (core/admin/mailu/utils.py)

- move client config to "my account" section when logged in
  (core/admin/mailu/ui/templates/sidebar.html)
2021-09-02 22:49:36 +02:00
Alexander Graf
f4e7ce0990 enabled caching, gzip and robots.txt 2021-09-02 20:48:44 +02:00
Alexander Graf
103918ba57 pre-compress assets (*.ico for now) 2021-09-02 20:46:56 +02:00
Alexander Graf
39d7a5c504 pngcrushed images 2021-09-02 20:46:08 +02:00
Diman0
960033525d configure sso in nginx 2021-09-02 18:02:20 +02:00
Diman0
8868aec0dc Merge master. Make sso login working for admin. 2021-09-02 17:08:50 +02:00
Diman0
1cfc9ee1c4 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929 2021-09-02 13:38:57 +02:00
Diman0
9fac3d7ad3 Initial implementation for standalone sso page 2021-09-02 13:36:42 +02:00
bors[bot]
71cc8b0a81
Merge #1800
1800: AdminLTE 3 r=mergify[bot] a=DjVinnii

## What type of PR?

Enhancement

## What does this PR do?

This PR implements AdminLTE 3 for the admin interface. It also includes the implementation of DataTables and a language selector.

### Related issue(s)
- closes: #1567
- closes: #1764 

## Prerequistes

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Vincent Kling <vincentkling@msn.com>
Co-authored-by: DjVinnii <vincentkling@msn.com>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-09-02 07:42:57 +00:00
Tim Foerster
9ec9d4d4fb
postfix/tls_policy: Use lmdb map instead of hash
The alpine postfix package seems to have removed support for btree and hash map type. #1918 
The tls_policy.map stuff has been introduced in #1902 and it has been merged without fixing this before (https://github.com/Mailu/Mailu/pull/1902/#issuecomment-902108080)
2021-09-01 22:40:47 +02:00
Florent Daigniere
d7c2b510c7 Give alpine 3.14.2 a shot 2021-09-01 18:56:44 +02:00
Florent Daigniere
fe186afb6f Revert "Switch to openssl to workaround alpine #12763"
This reverts commit f8362d04e4.
2021-09-01 18:52:35 +02:00
Florent Daigniere
4abf49edf4 indent 2021-09-01 09:15:13 +02:00
Florent Daigniere
c1d94bb725 Ensure that postfix will be able to use the TLSA records
see https://www.huque.com/dane/testsite/ for the testcases
2021-09-01 09:01:04 +02:00
Florent Daigniere
ef5f82362c Merge remote-tracking branch 'upstream/master' into policyd-mta-sts 2021-09-01 08:45:13 +02:00
Florent Daigniere
489520f067 forgot about alpine/lmdb 2021-09-01 08:41:39 +02:00
Florent Daigniere
9f66e2672b Use DEFER_ON_TLS_ERROR here too
We just don't know whether the lookup failed because we are under attack
or whether it's a glitch; the safe behaviour is to defer
2021-08-31 20:44:57 +02:00
Florent Daigniere
a1da4daa4c Implement the DANE-only lookup policyd
https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67 for
context
2021-08-31 20:24:06 +02:00
Dimitri Huisman
5f18860669 Remove workaround. Remove deprecated url-loader. 2021-08-31 10:04:44 +00:00
Dimitri Huisman
60be06e298 Temporary workaround to get FontAwesome icons working. 2021-08-31 08:08:33 +00:00
Dimitri Huisman
5da7a06675 Resolve webpack.config.js error 2021-08-30 15:01:05 +00:00
Florent Daigniere
67db72d774 Behave like documented 2021-08-30 17:00:12 +02:00
Florent Daigniere
05b57c972e remove the static policy as it will override MTA-STS and DANE 2021-08-30 14:44:13 +02:00
Florent Daigniere
a8142dabbe Introduce DEFER_ON_TLS_ERROR
This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.
2021-08-30 14:21:28 +02:00
Florent Daigniere
52d3a33875 Remove the domains that have a valid MTA-STS policy
gmail.com
comcast.net
mail.ru
googlemail.com
wp.pl
2021-08-29 17:41:55 +02:00
Florent Daigniere
4f96e99144 MTA-STS (use rather than publish policies) 2021-08-29 17:40:37 +02:00
Dimitri Huisman
00276d8b70
Merge branch 'master' into AdminLTE-3 2021-08-28 17:43:29 +02:00
Florent Daigniere
394c2fe22c Document REAL_IP_HEADER and REAL_IP_FROM
Fix a security vulnerability whereby we were not clearing other headers
2021-08-28 10:03:18 +02:00
Florent Daigniere
6bba0cecfc Strip the Forwarded header since nothing is compatible with it yet 2021-08-28 09:02:52 +02:00
bors[bot]
6e32092abd
Merge #1873
1873: Completed Hebrew translation r=mergify[bot] a=yarons

The Hebrew translation is incomplete so I've completed it.

Co-authored-by: Yaron Shahrabani <sh.yaron@gmail.com>
2021-08-27 14:37:54 +00:00
Dimitri Huisman
169a540692 Use punycode for HTTP header for radicale and create changelog 2021-08-27 08:20:52 +00:00
Dimitri Huisman
4f5cb0974e Make sure HTTP header only contains ASCII 2021-08-26 15:11:35 +00:00
bors[bot]
ecaaf25dcb
Merge #1939
1939: Ensure that we don't do multiple DNS lookups in the sieve script r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It ensures that DNS lookups don't introduce inconsistent state. We may want to go further and actually check the return codes of rspamc too.

I haven't tested it but it should work.

### Related issue(s)
- #1938



Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-08-24 12:42:17 +00:00
Florent Daigniere
368b40b4fd doh 2021-08-24 09:24:14 +02:00
Florent Daigniere
3e676e232a fix #1270 2021-08-23 19:41:44 +02:00
Florent Daigniere
ae8db08bdf Ensure that we don't do multiple DNS lookups in the sieve script 2021-08-21 17:14:40 +02:00
Florent Daigniere
65a27b1c7f add additional options to make DANE easier 2021-08-20 14:18:07 +02:00
Florent Daigniere
fb8d52ceb2 Merge branch 'master' of https://github.com/Mailu/Mailu into tls_policy_map 2021-08-20 14:17:34 +02:00
Florent Daigniere
b4102ba464 doh 2021-08-19 15:21:39 +02:00
Florent Daigniere
9ec7590171 Merge branch 'master' of https://github.com/Mailu/Mailu into wildcard_senders 2021-08-19 11:10:14 +02:00
Florent Daigniere
7252a73e11 WILDCARD_SENDERS can have spaces 2021-08-19 11:02:03 +02:00
bors[bot]
b57df78dac
Merge #1916
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

A conflict-free version of #1360 implementing per-user sender limits

### Related issue(s)
- close #1360 
- close #1031
- close #1774 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-08-18 19:28:28 +00:00
Dimitri Huisman
e5972bd9ec Set default message rate limit to 200/day 2021-08-18 15:01:10 +00:00
Jack Murray
dd127f8f06 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
2021-08-18 15:57:53 +02:00
Florent Daigniere
6704cb869a Switch to 3072bits dhparam (instead of 4096bits)
We aim for 128bits of security here
2021-08-18 15:51:16 +02:00
Jack Murray
e304c352a1 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
2021-08-18 15:40:44 +02:00
Florent Daigniere
facc4b6427 Allow specific users to send email from any address 2021-08-14 09:03:57 +02:00
Florent Daigniere
ee54a615c1 Alpine has removed support for btree and hash 2021-08-14 09:03:57 +02:00
David Fairbrother
24747e33de Add ability to set no WEBROOT_REDIRECT to Nginx
Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
2021-08-14 09:03:57 +02:00
Florent Daigniere
0b16291153 doh 2021-08-14 08:49:28 +02:00
Florent Daigniere
1db08018da Ensure that we get certificate validation on top90
I have found a list of the top100 email destinations online and ran them
through a script to ensure that all of their MX servers had valid
configuration... this is the result
2021-08-14 08:48:42 +02:00
Florent Daigniere
b066a5e2ac add a default tls_policy_map 2021-08-14 08:48:42 +02:00
Florent Daigniere
1df79f8132 give PFS a chance 2021-08-14 08:48:04 +02:00
Florent Daigniere
925105075c this is required in fact 2021-08-13 20:35:40 +02:00
Diman0
5afbf37292 Resolve build issues 2021-08-13 15:12:33 +02:00
Dimitri Huisman
df64601b28
Merge branch 'master' into AdminLTE-3 2021-08-13 14:06:46 +02:00
Florent Daigniere
772e5efb7d Disable pipelining to prevent bypass 2021-08-11 22:47:29 +02:00
Florent Daigniere
c76a76c0b0 make it optional, add a knob 2021-08-10 12:19:51 +02:00
Florent Daigniere
109a8aa000 Ensure that we always have CERT+INTERMEDIARY CA
Let's encrypt may change things up in the future...
2021-08-10 10:55:21 +02:00
Florent Daigniere
dccd8afd51 Thanks @Diman0!
ENEEDSLEEP
2021-08-10 10:20:15 +02:00
Florent Daigniere
974bcba5ab Restore LOGIN as tests assume it's there 2021-08-10 09:05:02 +02:00
Florent Daigniere
2b05e72ce4 Revert "maybe fix the tests"
This reverts commit f971b47fb9.
2021-08-10 08:51:55 +02:00
Florent Daigniere
f971b47fb9 maybe fix the tests 2021-08-10 08:22:23 +02:00
Florent Daigniere
4a871c0905 this causes trouble with the test 2021-08-09 23:29:17 +02:00
Florent Daigniere
12c842c4b9 In fact in fullchain we want all but the last 2021-08-09 23:27:03 +02:00
Florent Daigniere
24f9bf1064 format certs for nginx 2021-08-09 22:51:23 +02:00
Florent Daigniere
98b903fe13 don't send the rootcert 2021-08-09 21:38:03 +02:00
Florent Daigniere
92ec446c20 doh 2021-08-09 21:29:05 +02:00
Florent Daigniere
f05cc99dc0 Add ECC certs for modern clients 2021-08-09 21:06:15 +02:00
Florent Daigniere
cb68cb312b Reduce the size of the RSA key to 3072bits
This is already generous for certificates that have a 3month validity!

We rekey every single time.
2021-08-09 20:40:56 +02:00
Florent Daigniere
5e7d5adf17 AUTH shouldn't happen on port 25 2021-08-09 20:10:49 +02:00
Florent Daigniere
55cdb1a534 be explicit about what we support 2021-08-09 17:42:33 +02:00
Florent Daigniere
ecadf46ac6 fix PFS 2021-08-09 17:39:15 +02:00
Florent Daigniere
7285c6bfd9 admin won't understand LOGIN 2021-08-09 17:29:42 +02:00
Florent Daigniere
de3620da4a Don't send credentials in clear ever 2021-08-09 17:29:42 +02:00
Florent Daigniere
4535c42e70 This isn't required 2021-08-09 17:29:42 +02:00
Florent Daigniere
1101e401e8 Apply the restriction on the right port 2021-08-09 14:58:58 +02:00
Florent Daigniere
6d244222da better error message 2021-08-09 09:28:19 +02:00
Florent Daigniere
d6ce5d0c06 Remove a warning: limits don't apply to trusted hosts 2021-08-08 20:21:24 +02:00
Florent Daigniere
bcdc137677 Alpine has removed support for btree and hash 2021-08-08 19:18:33 +02:00
Florent Daigniere
1438253a06 Ratelimit outgoing emails per user 2021-08-08 09:21:14 +02:00
bors[bot]
48f3b1fd49
Merge #1656
1656: Add ability to set no WEBROOT_REDIRECT to Nginx r=mergify[bot] a=DavidFair

## What type of PR?

Enhancement / Documentation

## What does this PR do?

From commit:

---

Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.

---

I've also added bullet points to break up a long flowing sentence in `configuration.rst` - it should be a bit easier to read now

### Related issue(s)
No Related Issue - I just jumped to a PR

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly

@ Maintainers - Is this worthy of the changelog, it's useful to know about but I imagine the number of people it affects is equally minimal?
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: David Fairbrother <DavidFair@users.noreply.github.com>
2021-08-06 19:15:42 +00:00
Diman0
588904078e Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value. 2021-08-06 16:27:07 +02:00
Florent Daigniere
defea3258d update arm builds too 2021-08-03 13:58:54 +02:00
Florent Daigniere
d44608ed04 Merge remote-tracking branch 'upstream/master' into upgrade-alpine 2021-08-03 13:46:47 +02:00
Florent Daigniere
f8362d04e4 Switch to openssl to workaround alpine #12763 2021-08-03 13:44:56 +02:00
bors[bot]
6ea4e3217a
Merge #1901
1901: treat localpart case insensitive again r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

fixes error introduced by #1604 where the localpart of an email address was handled case sensitive.
this screwed things up at various other places.
 
### Related issue(s)

closes #1895
closes #1900

Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-31 08:31:13 +00:00
Alexander Graf
6856c2c80f treat localpart case insensitive again
by lowercasing it where necessary
2021-07-30 22:26:20 +02:00
bors[bot]
656cf22126
Merge #1856
1856: update asset builder dependencies r=mergify[bot] a=ghostwheel42

## What type of PR?

update asset builder dependencies

## What does this PR do?

only include needed dependencies to build mailu assets with nodejs v8

### Related issue(s)

update dependencies as discussed in #1829


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-27 11:55:12 +00:00
bors[bot]
9289fa6420
Merge #1896
1896: save dkim key after creation r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

saves generated dkim key after creation vi web ui.
after the model change the domain object needs to be added and flushed via sqlalchemy.

### Related issue(s)

closes #1892


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-27 10:45:29 +00:00
bors[bot]
9a4c6385e5
Merge #1888
1888: Use threads in gunicorn rather than workers/processes r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

This ensures that we share the auth-cache... will enable memory savings
and may improve performances when a higher number of cores is available

"smarter default"

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-07-25 20:30:47 +00:00
Alexander Graf
54b46a13c6 save dkim key after creation 2021-07-25 15:51:13 +02:00
bors[bot]
bf65a1248f
Merge #1885
1885: fix 1884: always lookup a FQDN r=mergify[bot] a=nextgens

## What type of PR?

bugfix

## What does this PR do?

Fix bug #1884. Ensure that we avoid the musl resolver bug by always looking up a FQDN

### Related issue(s)
- closes #1884

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-07-24 19:09:56 +00:00
Alexander Graf
c2c3030a2f rephrased comments 2021-07-24 20:54:58 +02:00
bors[bot]
bace7ba6e3
Merge #1890
1890: fix Email class in model.py r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

fixes class Email - keep email, localpart and domain in sync.

### Related issue(s)

closes #1878


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-24 18:33:48 +00:00
Alexander Graf
ad1b036f20 fix Email class 2021-07-24 20:21:38 +02:00
Florent Daigniere
8d9f3214cc Use threads in gunicorn rather than processes
This ensures that we share the auth-cache... will enable memory savings
and may improve performances when a higher number of cores is available

"smarter default"
2021-07-24 15:45:25 +02:00
Florent Daigniere
fa915d7862 Fix 1294 ensure podop's socket is owned by postfix 2021-07-24 14:39:40 +02:00
Florent Daigniere
9d2629a04e fix 1884: always lookup a FQDN 2021-07-24 12:40:38 +02:00
Yaron Shahrabani
e0bf75ae17
Completed Hebrew translation 2021-07-19 09:15:42 +03:00
Florent Daigniere
1d65529c94 The lookup could fail; ensure we set something 2021-07-18 18:43:20 +02:00
Florent Daigniere
8bc1d6c08b Replace PUBLIC_HOSTNAME/IP in Received headers
This will ensure that we don't get spam points for not respecting the
RFC
2021-07-18 18:24:46 +02:00
bors[bot]
c5ff72d657
Merge #1857
1857: disable startdate when autoreply is disabled r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

disable the reply startdate field when autoreply is disabled


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-16 06:58:57 +00:00
Florent Daigniere
a0dcd46483 fix #1861: Handle colons in passwords 2021-07-14 09:27:00 +02:00
Alexander Graf
180026bd77 also disable startdate 2021-07-07 11:33:48 +02:00
Alexander Graf
56cfcf8b64 converted tabs to spaces 2021-07-07 10:32:59 +02:00
Alexander Graf
6377ccb2cb re-add jquery and select2 used in app.js 2021-07-07 10:30:07 +02:00
Alexander Graf
3c8a8aa8f0 use less v3 to make less-loader happy 2021-07-06 19:47:13 +02:00
Alexander Graf
1bb059f4c1 switched to newest possible versions for nodejs v8 2021-07-06 19:36:28 +02:00
Alexander Graf
858312a5cb remove explicit jQuery dependency 2021-07-06 18:01:44 +02:00
Alexander Graf
3f91dcb7af compile scheme list using a generator 2021-07-06 13:48:53 +02:00
Alexander Graf
3bb0d68ead add cargo to build cryptography 2021-07-05 23:27:42 +02:00
Alexander Graf
9790dcdabe updated dependencies 2021-07-05 23:04:07 +02:00
Florent Daigniere
72735ab320 remove cyrus-sasl-plain 2021-07-05 17:08:05 +02:00
Florent Daigniere
420afa53f8 Upgrade to alpine 3.14 2021-07-05 15:50:49 +02:00
bors[bot]
4a5f6b1f92
Merge #1791
1791: Enhanced session handling r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

- replaces flask_kvsession and simplekv with a mailu-specific session store
- call cleanup_sessions before first request and not on startup.
  this allows to run cmdline actions without redis (and makes it faster)
- allow running without redis for debugging purposes by setting MEMORY_SESSIONS to True
- don't sign session id, as it has plenty of entropy (as suggested by nextgens)
- adds method to prune a user's sessions

### Related issue(s)
- enhances and close #1787


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-04 18:04:15 +00:00
Alexander Graf
8b71a92219 use fixed msg for key derivation 2021-07-03 22:32:47 +02:00