1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-14 10:53:30 +02:00
Commit Graph

1468 Commits

Author SHA1 Message Date
Dimitri Huisman
5d81846c5d Introduce the shared stub /static for providing all static files 2021-10-26 11:30:06 +00:00
Dimitri Huisman
eb74a72a52 Moved locations to correct area in nginx.conf. 2021-10-26 07:35:06 +00:00
Dimitri Huisman
aa7380ffba Doh! 2021-10-25 20:00:00 +00:00
Dimitri Huisman
44d2448412 Updated SSO logic for webmails. Fixed small bug rate limiting. 2021-10-25 19:21:38 +00:00
Dimitri Huisman
f9eee0cbaf Adapt HEALTHCHECK to new URL 2021-10-25 17:43:53 +00:00
Dimitri Huisman
ed7adf52a6 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929 2021-10-25 17:31:25 +00:00
Dimitri Huisman
913a6304a7 Finishing touches. Introduce /static stub for handling all static files. 2021-10-25 17:24:41 +00:00
bors[bot]
a1192d8039
Merge #1987
1987: Enhancement to the rate limits r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Turn the rate-limiters into something useful (that won't fire for no reason).

- fix rate-limiting on /webdav/
- it changes the rate-limiting behaviour from limiting a single IP address to a subnet of a reasonable size (/24 on v4 and /56 on v6 both are now configurable) : AUTH_RATELIMIT_IP / AUTH_RATELIMIT_IP_V4_MASK / AUTH_RATELIMIT_IP_V6_MASK
- It ensures we only use IP-based rate-limits for attempts on accounts that do not exist
- it creates a new rate limit preventing attackers from targetting a specific user account (separate from what's above) : AUTH_RATELIMIT_USER
- it introduces a rate limiting exemption mechanism whereby, upon authentication, users will see their source-ip address being exempt for a specific amount of time AUTH_RATELIMIT_EXEMPTION_LENGTH. A similar mechanism is available for web-based sessions (see below)
- It introduces in AUTH_RATELIMIT_EXEMPTION a comma separated list of network CIDRs that will be exempt from both types of rate limiting
- it implements device-tokens, as described on https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies to ensure that genuine users aren't locked-out by a malicious attacker abusing the rate-limit feature.

Things that could be improved include:
- the IP-based rate limiter flags attempts against "non-existing" accounts: it could go further and flag the number of unique non-existing accounts attempted (to prevent the case of a user making a typo in his MUA configuration)
- the IP address exemption mechanism doesn't pin the exemption to a specific username: any real user can trivially bypass the rate limits (and attempt to brute-force someone else's account)

### Related issue(s)
- close #1926
- close #1745 
- close #1915


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
2021-10-16 15:52:47 +00:00
Florent Daigniere
693b578bbb The second strip isn't necessary 2021-10-16 17:24:12 +02:00
Florent Daigniere
1c6165213c better that way 2021-10-16 16:54:56 +02:00
Florent Daigniere
34497cff20 doh 2021-10-16 16:35:48 +02:00
Florent Daigniere
e8871dd77f doh 2021-10-16 16:06:13 +02:00
Florent Daigniere
5b72c32251 Doh 2021-10-16 15:44:26 +02:00
Florent Daigniere
19b784b198 Parse the network configuration only once
thanks @ghostwheel42
2021-10-16 15:18:41 +02:00
Florent Daigniere
98742268e6 Make it more readable 2021-10-16 15:12:20 +02:00
Florent Daigniere
94bbed9746 Ensure we have the right IP 2021-10-16 10:39:43 +02:00
Florent Daigniere
c5bd82650f doh 2021-10-16 10:30:57 +02:00
Florent Daigniere
99c81c20a7 Introduce AUTH_RATELIMIT_EXEMPTION
This disables rate limiting on specific CIDRs
2021-10-16 10:26:38 +02:00
Florent Daigniere
c674f1567a Merge branch 'ratelimits' of https://github.com/nextgens/Mailu into ratelimits 2021-10-16 09:55:15 +02:00
Florent Daigniere
8414dd5cf0 Merge remote-tracking branch 'upstream/master' into ratelimits 2021-10-16 09:52:20 +02:00
Florent Daigniere
e14d2e7c03 Error out explictely if Auth-Port isn't set 2021-10-16 09:49:01 +02:00
Florent Daigniere
abaa2e8cc3 simplify client_ip 2021-10-16 09:46:21 +02:00
Florent Daigniere
de276a6822 Simplify extract_network_from_ip 2021-10-16 09:45:10 +02:00
Florent Daigniere
3bda8368e4 simplify the Auth-Status check 2021-10-16 09:39:34 +02:00
Florent Daigniere
2dd9ea1506 simplify 2021-10-16 09:36:49 +02:00
Florent Daigniere
068170c0ff Use app instead of flask.current_app where possible 2021-10-16 09:35:01 +02:00
Florent Daigniere
57b0dd490c Initialize user_email in all cases 2021-10-16 09:29:17 +02:00
qy117121
b1425015ef
Update messages.po
Fix wrong text
2021-10-16 03:51:22 +08:00
bors[bot]
afffe4063e
Merge #2018
2018: show dmarc record for report domain in domain details r=mergify[bot] a=ghostwheel42

## What type of PR?

documentation

## What does this PR do?

show dmarc record for report domain in domain details

### Related issue(s)

closes #1382

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-15 12:52:16 +00:00
bors[bot]
9f2aa0aadc
Merge #1986 #2014
1986: Document how to setup client autoconfig r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Document how to setup autoconfig. This works with most open-source MUAs (thunderbird, evolution, ...)

We could go further than that by providing dynamic configuration (issue an auth token for each MUA request)... but it won't work unless a new DNS entry (and matching certificate) is created.

### Related issue(s)
- #224

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


2014: Update Chinese translation r=mergify[bot] a=qy117121

## What type of PR?

translation

## What does this PR do?

Update Chinese translation. Use `zh` instead of `zh_CN`.

### Related issue(s)

none

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: qy117121 <mixuan121@gmail.com>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-15 12:29:46 +00:00
Alexander Graf
7fe15ea9cf added dmarc record for report domain 2021-10-15 14:22:50 +02:00
bors[bot]
a5b1d36171
Merge #2017
2017: rspamd: get dkim keys via REST API instead of filesystem r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement

## What does this PR do?

rspamd now uses hashicorp's vault api v1 to get dkim keys and selectors for a domain.
this allows future enhancement (multiple keys) without reconfiguring and restarting rspamd.
it also makes mounting the /dkim volume into the rspamd container unnecessary.

### Related issue(s)

- improves and closes #2012 
- allows to implement key rotation using multiple selectors (see #1700)
- allows to implement dkim for alternate domains (see #1519)
- fixes and closes #1345 (selector transmitted by admin container is used)
- closes #1179 (no keys on disk)
- allows to implement key rotation from the outside (ie. via a helper script talking to some dns provider's api) (see #547)

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-15 12:08:40 +00:00
Alexander Graf
7b0c5935a8 only support GET method in vault 2021-10-15 13:16:37 +02:00
Alexander Graf
303fae00fb cleanup modules. use dkim selector from config 2021-10-14 23:25:42 +02:00
Alexander Graf
dc9f970a91 removed zh_CN and updated locale-map for datatables 2021-10-14 23:15:42 +02:00
Alexander Graf
893705169e PoC rspamd use dkimkeys from admin using vault api 2021-10-14 23:01:53 +02:00
Florent Daigniere
632ce663ee Prevent logins with no password 2021-10-14 18:04:49 +02:00
qy117121
866f784d06
Create messages.po
Update the translation
2021-10-14 15:05:32 +08:00
qy117121
251eea5553
Update messages.po
Updated translation
2021-10-14 15:03:23 +08:00
Florent Daigniere
7277e0b4e4
Merge branch 'master' into ratelimits 2021-10-12 14:47:00 +02:00
bors[bot]
8c8c1b2015
Merge #1997
1997: Prevent traceback when using non-email in login r=mergify[bot] a=ghostwheel42

There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('`@',` 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "`@")`
```

## What type of PR?

enhancement

## What does this PR do?

replace traceback (ERROR) with error message (WARNING)

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-12 12:07:08 +00:00
bors[bot]
9b01e663b2
Merge #2007
2007: allow sending emails as user+detail@domain.tld r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix or enhancement

## What does this PR do?

Allows sending emails with an added "+detail" in the local part.
 
### Related issue(s)

closes #1948

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: root <ghostwheel42@users.noreply.github.com>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-10-09 17:01:25 +00:00
Florent Daigniere
14360f8926 RECIPIENT_DELIMITER can have several characters 2021-10-09 18:28:50 +02:00
root
8c59f35697 use RECIPIENT_DELIMITER for splitting 2021-10-09 17:43:09 +02:00
Alexander Graf
1d571dedfc split localpart into user and tag 2021-10-09 17:11:12 +02:00
Florent Daigniere
d131d863ba The if needs to be inside the block 2021-10-09 15:44:56 +02:00
Alexander Graf
aaf3ddd002 moved javascript to app.js 2021-10-08 20:06:21 +02:00
Florent Daigniere
b48779ea70 SESSION_COOKIE_SECURE and HTTP won't work 2021-10-08 10:17:03 +02:00
Florent Daigniere
502affbe66 Use the regexp engine since we have one 2021-10-03 10:14:49 +02:00
Florent Daigniere
a349190e52 simplify 2021-10-02 10:19:57 +02:00
Florent Daigniere
10d78a888b Derive a new subkey for SRS 2021-10-01 15:00:10 +02:00
Florent Daigniere
995ce8d437 Remove OUTCLEAN_ADDRESS
I believe that this isn't relevant anymore as we don't use OpenDKIM
anymore

Background on:
https://bofhskull.wordpress.com/2014/03/25/postfix-opendkim-and-missing-from-header/
2021-10-01 14:54:04 +02:00
Alexander Graf
65133a960a Prevent traceback when using non-email in login
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
2021-09-28 10:38:37 +02:00
Diman0
41f5b43b38 Set nginx logging to level info again. 2021-09-24 15:33:16 +02:00
Diman0
f4cde61148 Make header translatable. More finishing touches. 2021-09-24 15:29:28 +02:00
Florent Daigniere
7d56ed3b70 Merge branch 'master' of https://github.com/Mailu/Mailu into ratelimits 2021-09-24 13:40:59 +02:00
Diman0
fbe0a446b9 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929 2021-09-24 13:05:06 +02:00
Florent Daigniere
1e07b85fa1 doh 2021-09-24 10:20:21 +02:00
Diman0
9894b49cbd Merge/Update with changes from master 2021-09-24 10:07:52 +02:00
Florent Daigniere
24aadf2f52 ensure we log when the rate limiter hits 2021-09-24 10:07:41 +02:00
Florent Daigniere
64bc7972cc Make AUTH_RATELIMIT_IP 60/hour as discussed 2021-09-24 09:57:28 +02:00
Florent Daigniere
cab0ce2017 doh 2021-09-23 19:01:09 +02:00
Florent Daigniere
a9340e61f5 Log auth attempts on /admin 2021-09-23 18:48:23 +02:00
Florent Daigniere
89ea51d570 Implement rate-limits 2021-09-23 18:40:49 +02:00
Diman0
bf0aad9820 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929 2021-09-22 17:04:13 +02:00
bors[bot]
4c5c6c3b5f
Merge #1966
1966: AdminLTE3 optimizations & compression and caching r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement, bugfix

## What does this PR do?

Optimization and cleanup of styles and javascript code for AdminLTE 3
Adds caching headers, gzip and robots.txt to nginx.

### Related issue(s)

Makes #1800 even better. Thanks to `@DjVinnii` and `@Diman0` for the good work.
Closes #1905

## Prerequistes

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-09-22 10:00:34 +00:00
bors[bot]
b329971b87
Merge #1971
1971: Updated Polish translation. r=mergify[bot] a=ghostwheel42

## What type of PR?

translation

## What does this PR do?

Update polish translation. Used `pl/LC_MESSAGES/messages.po` from PR #1751 created by `@martys71`
Part of Discussion of 1.9 roadmap #1930

### Related issue(s)

closes #1751 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-09-22 09:01:37 +00:00
bors[bot]
72e8ec53b7
Merge #1975
1975: Replace traceback with error message when creating initial admin user r=mergify[bot] a=ghostwheel42

## What type of PR?

small enhancement

## What does this PR do?

when creating the admin user via cli a traceback is shown when this user is already present in the database.
This is confusing users. I've replaced the traceback with an error message.

### Related issue(s)

#1921

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-09-13 18:48:38 +00:00
Alexander Graf
25cf8b5358 better help formatting 2021-09-13 15:13:29 +02:00
Alexander Graf
b63081cb48 display error (not exception) when creating admin
repleace misleading python exception (mailu broken)
with error message stating that the admin user is
already present
2021-09-13 14:49:49 +02:00
Alexander Graf
065215d4d1 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes 2021-09-11 12:36:19 +02:00
Alexander Graf
7bec8029a4 strip not necessary anymore 2021-09-09 21:41:03 +02:00
Alexander Graf
05c79b0e3c copy (and not parse) mta sts override config 2021-09-09 18:45:39 +02:00
Alexander Graf
b02ceab72f handle DEFER_ON_TLS_ERROR as bool
use /conf/mta-sts-daemon.yml when override is missing
2021-09-09 18:00:48 +02:00
Alexander Graf
1e8b41f731 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes 2021-09-09 13:22:15 +02:00
Alexander Graf
b883e3c4a6 duh. 2021-09-09 12:10:34 +02:00
Alexander Graf
bb40ccc4b0 normalize HOSTNAMES
should be moved to python lib and normalized in start.py
2021-09-09 11:58:27 +02:00
Alexander Graf
45a2be3766 Updated Polish translation.
Used pl/LC_MESSAGES/messages.po from PR#1751 created by martys71
2021-09-06 18:42:50 +02:00
bors[bot]
d464187477
Merge #1964
1964: Alpine3.14.2 r=mergify[bot] a=nextgens

Upgrade to alpine 3.14.2, retry upgrading unbound & switch back to libressl

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-09-06 15:59:10 +00:00
Alexander Graf
a319ecde29 also precompress static txt files 2021-09-06 13:52:35 +02:00
Alexander Graf
b445d9ddd1 set expire headers only for mailu content
also moved robots.txt from config to static folder.
2021-09-06 13:45:48 +02:00
Alexander Graf
698ee4e521 added tiff and webp to list of cached content 2021-09-06 09:10:59 +02:00
Alexander Graf
0094268410 allow to change logo. default color for flash msg
- two new environment variables allow to change logo background color
  and graphic
- flash messages are now green (not cyan)
2021-09-06 09:08:51 +02:00
Alexander Graf
d8b4a016af use blue color from https://mailu.io/ 2021-09-06 08:41:49 +02:00
bors[bot]
6fe265b548
Merge #1968
1968: optimize handle_authentication r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

catch utf-8 decoding errors and log a warning in handle_authentication instead of writing a traceback into the log.

### Related issue(s)

closes #1361

## Prerequistes

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-09-05 20:19:00 +00:00
bors[bot]
d8dc765f04
Merge #1967
1967: fix 1789: ensure that nginx resolves ipv4 addresses r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

This fixes ipv6 enabled setup by disabling it. If you were using SUBNET6 in your configuration, odds are it's broken since gunicorn isn't bound on an on an ipv6 enabled socket.

Should we backport this?

### Related issue(s)
- close #1789
- close #1802


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-09-05 19:11:50 +00:00
Alexander Graf
90c96bdddc optimize handle_authentication
- catch decoding of nginx headers (utf-8 exception)
- re-ordered function
2021-09-05 19:47:10 +02:00
Florent Daigniere
7aa403573d no with here 2021-09-05 19:06:20 +02:00
Florent Daigniere
0ee52ba65b Doh 2021-09-05 19:03:54 +02:00
Florent Daigniere
0f0459e9b2 suggestions from @ghostwheel42 2021-09-05 18:49:07 +02:00
Florent Daigniere
9888efe55d Document as suggested on #mailu-dev 2021-09-05 18:23:08 +02:00
Alexander Graf
7bede55fce more verbose cleaning message 2021-09-05 17:48:20 +02:00
Florent Daigniere
a9a1b3e55e Reduce the EDNS0 size to 1232
@see
https://github.com/dns-violations/dnsflagday/issues/125
2021-09-05 15:28:59 +02:00
Florent Daigniere
72ba5ca3f9 fix 1789: ensure that nginx resolves ipv4 addresses 2021-09-03 21:59:53 +02:00
Alexander Graf
7fd605cc21 fixed brand link target for normal users 2021-09-03 13:41:33 +02:00
Diman0
b148e41d9b Fix nginx config 2021-09-03 13:01:09 +02:00
Florent Daigniere
d8c22db547 Merge remote-tracking branch 'upstream/master' into policyd-mta-sts 2021-09-03 11:37:43 +02:00
Alexander Graf
8cdd7e911d duh. removed debug 2021-09-02 23:36:49 +02:00
Alexander Graf
2ba0d552e0 Merge remote-tracking branch 'upstream/master' into passlib 2021-09-02 23:00:39 +02:00
Alexander Graf
34df8b3168 AdminLTE3 optimizations & compression and caching
- fixed copy of qemu-arm-static for alpine
- added 'set -eu' safeguard
- silenced npm update notification
- added color to webpack call
- changed Admin-LTE default blue
  (core/admin/Dockerfile)

- AdminLTE 3 style tweaks
  (core/admin/assets/app.css)
  (core/admin/mailu/ui/templates/base.html)
  (core/admin/mailu/ui/templates/sidebar.html)

- localized datatables
  (core/admin/Dockerfile)
  (core/admin/assets/app.js)
  (core/admin/package.json)

- moved external javascript code to vendor.js
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/webpack.config.js)

- added mailu logo
  (core/admin/assets/app.js)
  (core/admin/assets/app.css)
  (core/admin/assets/mailu.png)

- moved all inline javascript to app.js
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/domain/create.html)
  (core/admin/mailu/ui/templates/user/create.html)

- added iframe display of rspamd page
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/views/base.py)
  (core/admin/mailu/ui/templates/sidebar.html)
  (core/admin/mailu/ui/templates/antispam.html)

- updated language-selector to display full language names and use post
  (core/admin/assets/app.js)
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/utils.py)
  (core/admin/mailu/ui/views/languages.py)

- added fieldset to group and en/disable input fields
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/user/settings.html)
  (core/admin/mailu/ui/templates/user/reply.html)

- added clipboard copy buttons
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/domain/details.html)

- cleaned external javascript imports
  (core/admin/assets/vendor.js)

- pre-split first hostname for further use
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/client.html)
  (core/admin/mailu/ui/templates/domain/signup.html)

- cache dns_* properties of domain object (immutable during runtime)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/domain/details.html)

- fixed and splitted dns_dkim property of domain object (space missing)
- added autoconfig and tlsa properties to domain object
  (core/admin/mailu/models.py)

- suppressed extra vertical spacing in jinja2 templates
- improved accessibility for screen reader
  (core/admin/mailu/ui/templates/**.html)

- deleted unused/broken /user/forward route
  (core/admin/mailu/ui/templates/user/forward.html)
  (core/admin/mailu/ui/views/users.py)

- updated gunicorn to 20.1.0 to get rid of buffering error at startup
  (core/admin/requirements-prod.txt)

- switched webpack to production mode
  (core/admin/webpack.config.js)

- added css and javascript minimization
- added pre-compression of assets (gzip)
  (core/admin/webpack.config.js)
  (core/admin/package.json)

- removed obsolte dependencies
- switched from node-sass to dart-sass
  (core/admin/package.json)

- changed startup cleaning message from error to info
  (core/admin/mailu/utils.py)

- move client config to "my account" section when logged in
  (core/admin/mailu/ui/templates/sidebar.html)
2021-09-02 22:49:36 +02:00
Alexander Graf
f4e7ce0990 enabled caching, gzip and robots.txt 2021-09-02 20:48:44 +02:00
Alexander Graf
103918ba57 pre-compress assets (*.ico for now) 2021-09-02 20:46:56 +02:00
Alexander Graf
39d7a5c504 pngcrushed images 2021-09-02 20:46:08 +02:00
Diman0
960033525d configure sso in nginx 2021-09-02 18:02:20 +02:00
Diman0
8868aec0dc Merge master. Make sso login working for admin. 2021-09-02 17:08:50 +02:00
Diman0
1cfc9ee1c4 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929 2021-09-02 13:38:57 +02:00
Diman0
9fac3d7ad3 Initial implementation for standalone sso page 2021-09-02 13:36:42 +02:00
bors[bot]
71cc8b0a81
Merge #1800
1800: AdminLTE 3 r=mergify[bot] a=DjVinnii

## What type of PR?

Enhancement

## What does this PR do?

This PR implements AdminLTE 3 for the admin interface. It also includes the implementation of DataTables and a language selector.

### Related issue(s)
- closes: #1567
- closes: #1764 

## Prerequistes

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Vincent Kling <vincentkling@msn.com>
Co-authored-by: DjVinnii <vincentkling@msn.com>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-09-02 07:42:57 +00:00
Tim Foerster
9ec9d4d4fb
postfix/tls_policy: Use lmdb map instead of hash
The alpine postfix package seems to have removed support for btree and hash map type. #1918 
The tls_policy.map stuff has been introduced in #1902 and it has been merged without fixing this before (https://github.com/Mailu/Mailu/pull/1902/#issuecomment-902108080)
2021-09-01 22:40:47 +02:00
Florent Daigniere
d7c2b510c7 Give alpine 3.14.2 a shot 2021-09-01 18:56:44 +02:00
Florent Daigniere
fe186afb6f Revert "Switch to openssl to workaround alpine #12763"
This reverts commit f8362d04e4.
2021-09-01 18:52:35 +02:00
Florent Daigniere
4abf49edf4 indent 2021-09-01 09:15:13 +02:00
Florent Daigniere
c1d94bb725 Ensure that postfix will be able to use the TLSA records
see https://www.huque.com/dane/testsite/ for the testcases
2021-09-01 09:01:04 +02:00
Florent Daigniere
ef5f82362c Merge remote-tracking branch 'upstream/master' into policyd-mta-sts 2021-09-01 08:45:13 +02:00
Florent Daigniere
489520f067 forgot about alpine/lmdb 2021-09-01 08:41:39 +02:00
Florent Daigniere
9f66e2672b Use DEFER_ON_TLS_ERROR here too
We just don't know whether the lookup failed because we are under attack
or whether it's a glitch; the safe behaviour is to defer
2021-08-31 20:44:57 +02:00
Florent Daigniere
a1da4daa4c Implement the DANE-only lookup policyd
https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67 for
context
2021-08-31 20:24:06 +02:00
Dimitri Huisman
5f18860669 Remove workaround. Remove deprecated url-loader. 2021-08-31 10:04:44 +00:00
Dimitri Huisman
60be06e298 Temporary workaround to get FontAwesome icons working. 2021-08-31 08:08:33 +00:00
Dimitri Huisman
5da7a06675 Resolve webpack.config.js error 2021-08-30 15:01:05 +00:00
Florent Daigniere
67db72d774 Behave like documented 2021-08-30 17:00:12 +02:00
Florent Daigniere
05b57c972e remove the static policy as it will override MTA-STS and DANE 2021-08-30 14:44:13 +02:00
Florent Daigniere
a8142dabbe Introduce DEFER_ON_TLS_ERROR
This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.
2021-08-30 14:21:28 +02:00
Florent Daigniere
52d3a33875 Remove the domains that have a valid MTA-STS policy
gmail.com
comcast.net
mail.ru
googlemail.com
wp.pl
2021-08-29 17:41:55 +02:00
Florent Daigniere
4f96e99144 MTA-STS (use rather than publish policies) 2021-08-29 17:40:37 +02:00
Dimitri Huisman
00276d8b70
Merge branch 'master' into AdminLTE-3 2021-08-28 17:43:29 +02:00
Florent Daigniere
394c2fe22c Document REAL_IP_HEADER and REAL_IP_FROM
Fix a security vulnerability whereby we were not clearing other headers
2021-08-28 10:03:18 +02:00
Florent Daigniere
6bba0cecfc Strip the Forwarded header since nothing is compatible with it yet 2021-08-28 09:02:52 +02:00
bors[bot]
6e32092abd
Merge #1873
1873: Completed Hebrew translation r=mergify[bot] a=yarons

The Hebrew translation is incomplete so I've completed it.

Co-authored-by: Yaron Shahrabani <sh.yaron@gmail.com>
2021-08-27 14:37:54 +00:00
Dimitri Huisman
169a540692 Use punycode for HTTP header for radicale and create changelog 2021-08-27 08:20:52 +00:00
Dimitri Huisman
4f5cb0974e Make sure HTTP header only contains ASCII 2021-08-26 15:11:35 +00:00
bors[bot]
ecaaf25dcb
Merge #1939
1939: Ensure that we don't do multiple DNS lookups in the sieve script r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It ensures that DNS lookups don't introduce inconsistent state. We may want to go further and actually check the return codes of rspamc too.

I haven't tested it but it should work.

### Related issue(s)
- #1938



Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-08-24 12:42:17 +00:00
Florent Daigniere
368b40b4fd doh 2021-08-24 09:24:14 +02:00
Florent Daigniere
3e676e232a fix #1270 2021-08-23 19:41:44 +02:00
Florent Daigniere
ae8db08bdf Ensure that we don't do multiple DNS lookups in the sieve script 2021-08-21 17:14:40 +02:00
Florent Daigniere
65a27b1c7f add additional options to make DANE easier 2021-08-20 14:18:07 +02:00
Florent Daigniere
fb8d52ceb2 Merge branch 'master' of https://github.com/Mailu/Mailu into tls_policy_map 2021-08-20 14:17:34 +02:00
Florent Daigniere
b4102ba464 doh 2021-08-19 15:21:39 +02:00
Florent Daigniere
9ec7590171 Merge branch 'master' of https://github.com/Mailu/Mailu into wildcard_senders 2021-08-19 11:10:14 +02:00
Florent Daigniere
7252a73e11 WILDCARD_SENDERS can have spaces 2021-08-19 11:02:03 +02:00
bors[bot]
b57df78dac
Merge #1916
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

A conflict-free version of #1360 implementing per-user sender limits

### Related issue(s)
- close #1360 
- close #1031
- close #1774 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-08-18 19:28:28 +00:00
Dimitri Huisman
e5972bd9ec Set default message rate limit to 200/day 2021-08-18 15:01:10 +00:00
Jack Murray
dd127f8f06 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
2021-08-18 15:57:53 +02:00
Florent Daigniere
6704cb869a Switch to 3072bits dhparam (instead of 4096bits)
We aim for 128bits of security here
2021-08-18 15:51:16 +02:00
Jack Murray
e304c352a1 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
2021-08-18 15:40:44 +02:00
Florent Daigniere
facc4b6427 Allow specific users to send email from any address 2021-08-14 09:03:57 +02:00
Florent Daigniere
ee54a615c1 Alpine has removed support for btree and hash 2021-08-14 09:03:57 +02:00
David Fairbrother
24747e33de Add ability to set no WEBROOT_REDIRECT to Nginx
Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
2021-08-14 09:03:57 +02:00
Florent Daigniere
0b16291153 doh 2021-08-14 08:49:28 +02:00
Florent Daigniere
1db08018da Ensure that we get certificate validation on top90
I have found a list of the top100 email destinations online and ran them
through a script to ensure that all of their MX servers had valid
configuration... this is the result
2021-08-14 08:48:42 +02:00
Florent Daigniere
b066a5e2ac add a default tls_policy_map 2021-08-14 08:48:42 +02:00
Florent Daigniere
1df79f8132 give PFS a chance 2021-08-14 08:48:04 +02:00
Florent Daigniere
925105075c this is required in fact 2021-08-13 20:35:40 +02:00
Diman0
5afbf37292 Resolve build issues 2021-08-13 15:12:33 +02:00
Dimitri Huisman
df64601b28
Merge branch 'master' into AdminLTE-3 2021-08-13 14:06:46 +02:00
Florent Daigniere
772e5efb7d Disable pipelining to prevent bypass 2021-08-11 22:47:29 +02:00
Florent Daigniere
c76a76c0b0 make it optional, add a knob 2021-08-10 12:19:51 +02:00
Florent Daigniere
109a8aa000 Ensure that we always have CERT+INTERMEDIARY CA
Let's encrypt may change things up in the future...
2021-08-10 10:55:21 +02:00
Florent Daigniere
dccd8afd51 Thanks @Diman0!
ENEEDSLEEP
2021-08-10 10:20:15 +02:00
Florent Daigniere
974bcba5ab Restore LOGIN as tests assume it's there 2021-08-10 09:05:02 +02:00
Florent Daigniere
2b05e72ce4 Revert "maybe fix the tests"
This reverts commit f971b47fb9.
2021-08-10 08:51:55 +02:00
Florent Daigniere
f971b47fb9 maybe fix the tests 2021-08-10 08:22:23 +02:00
Florent Daigniere
4a871c0905 this causes trouble with the test 2021-08-09 23:29:17 +02:00
Florent Daigniere
12c842c4b9 In fact in fullchain we want all but the last 2021-08-09 23:27:03 +02:00
Florent Daigniere
24f9bf1064 format certs for nginx 2021-08-09 22:51:23 +02:00
Florent Daigniere
98b903fe13 don't send the rootcert 2021-08-09 21:38:03 +02:00
Florent Daigniere
92ec446c20 doh 2021-08-09 21:29:05 +02:00
Florent Daigniere
f05cc99dc0 Add ECC certs for modern clients 2021-08-09 21:06:15 +02:00
Florent Daigniere
cb68cb312b Reduce the size of the RSA key to 3072bits
This is already generous for certificates that have a 3month validity!

We rekey every single time.
2021-08-09 20:40:56 +02:00
Florent Daigniere
5e7d5adf17 AUTH shouldn't happen on port 25 2021-08-09 20:10:49 +02:00
Florent Daigniere
55cdb1a534 be explicit about what we support 2021-08-09 17:42:33 +02:00
Florent Daigniere
ecadf46ac6 fix PFS 2021-08-09 17:39:15 +02:00
Florent Daigniere
7285c6bfd9 admin won't understand LOGIN 2021-08-09 17:29:42 +02:00
Florent Daigniere
de3620da4a Don't send credentials in clear ever 2021-08-09 17:29:42 +02:00
Florent Daigniere
4535c42e70 This isn't required 2021-08-09 17:29:42 +02:00
Florent Daigniere
1101e401e8 Apply the restriction on the right port 2021-08-09 14:58:58 +02:00
Florent Daigniere
6d244222da better error message 2021-08-09 09:28:19 +02:00
Florent Daigniere
d6ce5d0c06 Remove a warning: limits don't apply to trusted hosts 2021-08-08 20:21:24 +02:00
Florent Daigniere
bcdc137677 Alpine has removed support for btree and hash 2021-08-08 19:18:33 +02:00
Florent Daigniere
1438253a06 Ratelimit outgoing emails per user 2021-08-08 09:21:14 +02:00
bors[bot]
48f3b1fd49
Merge #1656
1656: Add ability to set no WEBROOT_REDIRECT to Nginx r=mergify[bot] a=DavidFair

## What type of PR?

Enhancement / Documentation

## What does this PR do?

From commit:

---

Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.

---

I've also added bullet points to break up a long flowing sentence in `configuration.rst` - it should be a bit easier to read now

### Related issue(s)
No Related Issue - I just jumped to a PR

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly

@ Maintainers - Is this worthy of the changelog, it's useful to know about but I imagine the number of people it affects is equally minimal?
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: David Fairbrother <DavidFair@users.noreply.github.com>
2021-08-06 19:15:42 +00:00
Diman0
588904078e Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value. 2021-08-06 16:27:07 +02:00
Florent Daigniere
defea3258d update arm builds too 2021-08-03 13:58:54 +02:00
Florent Daigniere
d44608ed04 Merge remote-tracking branch 'upstream/master' into upgrade-alpine 2021-08-03 13:46:47 +02:00
Florent Daigniere
f8362d04e4 Switch to openssl to workaround alpine #12763 2021-08-03 13:44:56 +02:00
bors[bot]
6ea4e3217a
Merge #1901
1901: treat localpart case insensitive again r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

fixes error introduced by #1604 where the localpart of an email address was handled case sensitive.
this screwed things up at various other places.
 
### Related issue(s)

closes #1895
closes #1900

Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-31 08:31:13 +00:00
Alexander Graf
6856c2c80f treat localpart case insensitive again
by lowercasing it where necessary
2021-07-30 22:26:20 +02:00
bors[bot]
656cf22126
Merge #1856
1856: update asset builder dependencies r=mergify[bot] a=ghostwheel42

## What type of PR?

update asset builder dependencies

## What does this PR do?

only include needed dependencies to build mailu assets with nodejs v8

### Related issue(s)

update dependencies as discussed in #1829


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-27 11:55:12 +00:00
bors[bot]
9289fa6420
Merge #1896
1896: save dkim key after creation r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

saves generated dkim key after creation vi web ui.
after the model change the domain object needs to be added and flushed via sqlalchemy.

### Related issue(s)

closes #1892


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-27 10:45:29 +00:00
bors[bot]
9a4c6385e5
Merge #1888
1888: Use threads in gunicorn rather than workers/processes r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

This ensures that we share the auth-cache... will enable memory savings
and may improve performances when a higher number of cores is available

"smarter default"

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-07-25 20:30:47 +00:00
Alexander Graf
54b46a13c6 save dkim key after creation 2021-07-25 15:51:13 +02:00
bors[bot]
bf65a1248f
Merge #1885
1885: fix 1884: always lookup a FQDN r=mergify[bot] a=nextgens

## What type of PR?

bugfix

## What does this PR do?

Fix bug #1884. Ensure that we avoid the musl resolver bug by always looking up a FQDN

### Related issue(s)
- closes #1884

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-07-24 19:09:56 +00:00
Alexander Graf
c2c3030a2f rephrased comments 2021-07-24 20:54:58 +02:00
bors[bot]
bace7ba6e3
Merge #1890
1890: fix Email class in model.py r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

fixes class Email - keep email, localpart and domain in sync.

### Related issue(s)

closes #1878


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-24 18:33:48 +00:00
Alexander Graf
ad1b036f20 fix Email class 2021-07-24 20:21:38 +02:00
Florent Daigniere
8d9f3214cc Use threads in gunicorn rather than processes
This ensures that we share the auth-cache... will enable memory savings
and may improve performances when a higher number of cores is available

"smarter default"
2021-07-24 15:45:25 +02:00
Florent Daigniere
fa915d7862 Fix 1294 ensure podop's socket is owned by postfix 2021-07-24 14:39:40 +02:00
Florent Daigniere
9d2629a04e fix 1884: always lookup a FQDN 2021-07-24 12:40:38 +02:00
Yaron Shahrabani
e0bf75ae17
Completed Hebrew translation 2021-07-19 09:15:42 +03:00
Florent Daigniere
1d65529c94 The lookup could fail; ensure we set something 2021-07-18 18:43:20 +02:00
Florent Daigniere
8bc1d6c08b Replace PUBLIC_HOSTNAME/IP in Received headers
This will ensure that we don't get spam points for not respecting the
RFC
2021-07-18 18:24:46 +02:00
bors[bot]
c5ff72d657
Merge #1857
1857: disable startdate when autoreply is disabled r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

disable the reply startdate field when autoreply is disabled


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-16 06:58:57 +00:00
Florent Daigniere
a0dcd46483 fix #1861: Handle colons in passwords 2021-07-14 09:27:00 +02:00
Alexander Graf
180026bd77 also disable startdate 2021-07-07 11:33:48 +02:00
Alexander Graf
56cfcf8b64 converted tabs to spaces 2021-07-07 10:32:59 +02:00
Alexander Graf
6377ccb2cb re-add jquery and select2 used in app.js 2021-07-07 10:30:07 +02:00
Alexander Graf
3c8a8aa8f0 use less v3 to make less-loader happy 2021-07-06 19:47:13 +02:00
Alexander Graf
1bb059f4c1 switched to newest possible versions for nodejs v8 2021-07-06 19:36:28 +02:00
Alexander Graf
858312a5cb remove explicit jQuery dependency 2021-07-06 18:01:44 +02:00
Alexander Graf
3f91dcb7af compile scheme list using a generator 2021-07-06 13:48:53 +02:00
Alexander Graf
3bb0d68ead add cargo to build cryptography 2021-07-05 23:27:42 +02:00
Alexander Graf
9790dcdabe updated dependencies 2021-07-05 23:04:07 +02:00
Florent Daigniere
72735ab320 remove cyrus-sasl-plain 2021-07-05 17:08:05 +02:00
Florent Daigniere
420afa53f8 Upgrade to alpine 3.14 2021-07-05 15:50:49 +02:00
bors[bot]
4a5f6b1f92
Merge #1791
1791: Enhanced session handling r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

- replaces flask_kvsession and simplekv with a mailu-specific session store
- call cleanup_sessions before first request and not on startup.
  this allows to run cmdline actions without redis (and makes it faster)
- allow running without redis for debugging purposes by setting MEMORY_SESSIONS to True
- don't sign session id, as it has plenty of entropy (as suggested by nextgens)
- adds method to prune a user's sessions

### Related issue(s)
- enhances and close #1787


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-04 18:04:15 +00:00
Alexander Graf
8b71a92219 use fixed msg for key derivation 2021-07-03 22:32:47 +02:00
Alexander Graf
92896ae646 fix bugs in model and schema introduced by #1604 2021-07-03 11:40:32 +02:00
Alexander Graf
6740c77e43 small bugfix for exception 2021-07-02 18:44:21 +02:00
Alexander Graf
fab3168c23 Merge remote-tracking branch 'upstream/master' into kvsession 2021-06-29 16:38:38 +02:00
Alexander Graf
fbd945390d cleaned imports and fixed datetime and passlib use 2021-06-29 16:13:04 +02:00
Dimitri Huisman
6dc1a19390
Merge branch 'master' into import-export 2021-06-29 15:26:51 +02:00
bors[bot]
fc1a663da2
Merge #1754
1754: centralize Webmail authentication behind the admin panel (SSO) r=mergify[bot] a=nextgens

## What type of PR?

Enhancement: it centralizes the authentication of webmails to the admin interface.

## What does this PR do?

It implements the glue required for webmails to do SSO using the admin interface.
One of the main advantages of centralizing things this way is that it reduces significantly the attack surface available to an unauthenticated attacker (no webmail access until there is a valid Flask session).

Others include the ability to implement 2FA down the line and rate-limit things as required.

### Related issue(s)
- #783

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-06-29 12:32:21 +00:00
bors[bot]
4ff90683ca
Merge #1758 #1776
1758: Implement a simpler credential cache (alternative to #1755) r=mergify[bot] a=nextgens

## What type of PR?

Feature: it implements a credential cache to speedup authentication requests.

## What does this PR do?

Credentials are stored in cold-storage using a slow, salted/iterated hash function to prevent offline bruteforce attacks. This creates a performance bottleneck for no valid reason (see the
rationale/long version on https://github.com/Mailu/Mailu/issues/1194#issuecomment-762115549).

The new credential cache makes things fast again.

This is the simpler version of #1755 (with no new dependencies)

### Related issue(s)
- close #1411
- close #1194 
- close #1755

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1776: optimize generation of transport nexthop r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix and enhancement.

## What does this PR do?

Possibly there should be more input validation when editing a relay, but for now this tries to make the best out of the existing "smtp" attribute while maintaining backwards compatibility. When relay is empty, the transport's nexthop is the MX of the relayed domain to fix #1588 

```
RELAY			NEXTHOP						TRANSPORT
empty			use MX of relay domain				smtp:domain
:port			use MX of relay domain and use port	smtp:domain:port
target			resolve A/AAAA of target			smtp:[target]
target:port		resolve A/AAAA of target and use port	smtp:[target]:port
mx:target		resolve MX of target				smtp:target
mx:target:port	resolve MX of target and use port	smtp:target:port
lmtp:target		resolve A/AAAA of target			lmtp:target
lmtp:target:port	resolve A/AAAA of target and use port	lmtp:target:port

target can also be an IPv4 or IPv6 address (an IPv6 address must be enclosed in []: [2001:DB8::]).
```

When there is proper input validation and existing database entries are migrated this function can be made much shorter again.

### Related issue(s)
- closes #1588 
- closes #1815 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-06-29 12:15:03 +00:00
bors[bot]
d9da8e4bb2
Merge #1746
1746: DNS records for client autoconfiguration (RFC6186) r=Diman0 a=nextgens

## What type of PR?

Feature

## What does this PR do?

Add instructions on how to configure rfc6186 DNS records for client autoconfiguration

### Related issue(s)
- #224
- #498

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-06-29 06:50:27 +00:00
bors[bot]
5d1264e381
Merge #1694
1694: update compression algorithms for current dovecot r=nextgens a=lub

## What type of PR?

enhancement

## What does this PR do?

This adds additional compression algorithms in accordance with
https://doc.dovecot.org/configuration_manual/zlib_plugin/

### Related issue(s)

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-06-26 23:38:35 +00:00
bors[bot]
a1345114bc
Merge #1649 #1673
1649: Update docs/reverse.rst with Traefik v2+ info r=mergify[bot] a=patryk-tech

## What type of PR?

Documentation

## What does this PR do?

Adds information about using Traefik v2+ as a reverse proxy.

### Related issue(s)
Closes #1503 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1673: Remove rspamd unused env var from start script r=mergify[bot] a=cbachert

## What type of PR?
Cleanup

## What does this PR do?
Remove unused environment variable FRONT_ADDRESS in rspamd. FRONT_ADDRESS references were removed with commit 8172f3e in PR #727 like mentioned in chat https://matrix.to/#/!MINuyJjJSrfowljYCK:tedomum.net/$160401946364NGNmI:imninja.net?via=huisman.xyz&via=matrix.org&via=imninja.net
```
Mailu$ grep -r "FRONT_ADDRESS" core/rspamd/
core/rspamd/start.py:os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT", "front")
```

### Related issue(s)
N/A

## Prerequistes
- [x] Documentation updated accordingly: No documentation to update
- [x] Add to changelog: Minor change

Co-authored-by: Patryk Tech <git@patryk.tech>
Co-authored-by: cbachert <cbachert@users.noreply.github.com>
2021-06-26 21:59:25 +00:00
Alexander Graf
3f23e199f6 modified generation of session key and added refresh
- the session key is now generated using
  - a hash of the uid seeded by the apps secret_key (size: SESSION_KEY_BITS)
  - a random token (size: 128 bits)
  - the session's creation time (size: 32 bits)

- redis server side sessions are now refreshed after 1/2 the session lifetime
  even if not modified
- the cookie is also updated if necessary
2021-06-17 17:53:15 +02:00
Alexander Graf
9ef8aaf698 removed double confiog and fixed shaker 2021-06-16 22:06:28 +02:00
Alexander Graf
a1fd44fced added lmtp: prefix and documentation 2021-06-16 16:19:31 +02:00
lub
40ad3ca032 only load zlib when compression is used 2021-06-16 14:56:53 +02:00
lub
2316ef1162 update compression algorithms for dovecot 3.3.14
xz is deprecated; lz4 and zstd were not present in our configs before
2021-06-16 14:56:09 +02:00
Florent Daigniere
875308d405 Revert "In fact it could be global"
This reverts commit f52984e4c3.
2021-06-04 09:51:58 +02:00
Florent Daigniere
f52984e4c3 In fact it could be global 2021-06-04 09:41:12 +02:00
Florent Daigniere
ae9206e968 Implement a simple credential cache 2021-06-04 09:41:12 +02:00
DjVinnii
419fed5e6e Add language selector 2021-04-12 14:23:06 +02:00
Alexander Graf
731ce8ede9 fix permanent sessions. hash uid using SECRET_KEY
clean session in redis only once when starting
2021-04-04 18:02:43 +02:00
Alexander Graf
4b8bbf760b default to 128 bits 2021-04-04 14:40:49 +02:00
Alexander Graf
4b71bd56c4 replace flask_kvsession with mailu's own storage 2021-04-04 14:35:31 +02:00
DjVinnii
7dafa22762 Add /language/<language> route for changing the locale using a session variable 2021-04-03 10:33:08 +02:00
DjVinnii
f30cca1263 Do imports based on AdminLTE plugins 2021-04-03 10:32:01 +02:00
DjVinnii
a4bb42faeb Remove extra space between 'AdminLTE' and 'on' in footer 2021-04-02 09:22:05 +02:00
DjVinnii
b2498e8c8f Refactor box macro to card 2021-04-01 19:47:59 +02:00
DjVinnii
5ddea07c9a Fix form input append class 2021-04-01 19:46:38 +02:00
DjVinnii
1db0a870f3 Fix log in icon in sidebar 2021-04-01 19:45:49 +02:00
DjVinnii
51346c4860 Fix pre- and append styling 2021-04-01 18:30:13 +02:00
DjVinnii
e963e7495d Create datatable based on dataTable class instead of table class 2021-04-01 18:02:50 +02:00
DjVinnii
0984173504 Change label to badge 2021-04-01 16:54:25 +02:00
DjVinnii
8246497d16 Add card header to tables 2021-04-01 16:51:33 +02:00
DjVinnii
49d68fa6d1 Fix horizontal scrollbar in sidebar 2021-04-01 16:51:13 +02:00
DjVinnii
7d3c9d412d Change tables to datatables 2021-04-01 16:05:30 +02:00
DjVinnii
cdfa94c243 Make main action float right 2021-04-01 14:59:12 +02:00
DjVinnii
0c5fda3fca Change macros.box to macros.card 2021-04-01 14:47:41 +02:00
DjVinnii
deca6e0c4a update user/settings 2021-04-01 14:45:12 +02:00
DjVinnii
6b3170cb4c Update side menu 2021-04-01 14:42:15 +02:00
DjVinnii
c97728289b Update node version for building the image (AdminLTE requires node 10 or higher) 2021-04-01 11:34:03 +02:00
DjVinnii
e46d9e1fc9 Update admin-lte version in package.json 2021-04-01 11:26:37 +02:00
Vincent Kling
c6d0ef229f
Update messages.po 2021-03-19 10:46:42 +01:00
Alexander Graf
f0f79b23a3 Allow cleanup of sessions by key&value in data
This can be used to delete all sessions belonging to a user/login.
For no it just iterates over all sessions.
This could be enhanced by using a prefix for and deleting by prefix.
2021-03-14 21:38:16 +01:00
Alexander Graf
83b1fbb9d6 Lazy loading of KVSessionExtension
- call cleanup_sessions on first kvstore access
  this allows to run cmdline actions without redis (and makes it faster)
- Allow development using DictStore by setting REDIS_ADDRESS to the empty string in env
- don't sign 64bit random session id as suggested by nextgens
2021-03-14 18:09:21 +01:00
Alexander Graf
8bc4445572 Sync update of localpart, domain_name and email 2021-03-12 17:56:17 +01:00
Alexander Graf
0c38128c4e Add pygments to requirements 2021-03-11 18:38:00 +01:00
Alexander Graf
9cb6962335 Moved MyYamlLexer into logger
now cmdline runs without pygments
2021-03-11 18:12:50 +01:00
Alexander Graf
ce9a9ec572 always init Logger first 2021-03-10 18:50:52 +01:00
Alexander Graf
c17bfae240 correct rfc3339 datetime serialization
now using correct timezone
2021-03-10 18:50:25 +01:00
Alexander Graf
dc5464f254 Merge remote-tracking branch 'upstream/master' into import-export 2021-03-10 18:32:19 +01:00
Alexander Graf
e90d5548a6 use RFC3339 for last_check
fixed to UTC for now
2021-03-10 18:30:28 +01:00
Florent Daigniere
dd3d03f06d Merge remote-tracking branch 'upstream/master' into webmail-sso 2021-03-10 14:41:12 +01:00
bors[bot]
9c57f2ac39
Merge #1785
1785: Fix bug #1660 (don't replace nested headers) r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Don't replace nested headers (typically in forwarded/attached emails). This will ensure we don't break cryptographic signatures.

### Related issue(s)
- close #1660

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-10 10:14:29 +00:00
bors[bot]
25e8910b89
Merge #1783
1783: Switch to server-side sessions r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It simplifies session management.
- it ensures that sessions will eventually expire (*)
- it implements some mitigation against session-fixation attacks
- it switches from client-side to server-side sessions (in Redis)

It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-10 09:44:31 +00:00
bors[bot]
327884e07c
Merge #1610
1610: add option to enforce inbound starttls r=mergify[bot] a=lub

## What type of PR?

Feature

## What does this PR do?
It implements a check in the auth_http handler to check for Auth-SSL == on and otherwise returns a 530 starttls error.
If INBOUND_TLS_ENFORCE is not set the behaviour is still the same as before, so existing installations should be unaffected.

Although there is a small difference to e.g. smtpd_tls_security_level of Postfix.

Postfix already throws a 530 after mail from, but this solution only throws it after rcpt to. auth_http is only the request after rcpt to, so it's not possible to do it earlier.

### Related issue(s)
#1328 is kinda related, although this PR doesn't solve the issue that the headers will still display ESMTP instead of ESMTPS

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-10 09:14:23 +00:00
bors[bot]
7469bb7087
Merge #1638
1638: Remove the username from the milter_headers r=mergify[bot] a=githtz

Rspamd adds the name of the authenticated user by default. Setting add_smtp_user to false prevents the login to be leaked.

## What type of PR?
Enhancement

## What does this PR do?
This PR prevents the user login to be leaked in sent emails (for example using an alias)

### Related issue(s)
Closes https://github.com/Mailu/Mailu/issues/1465

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: anrc <15327800+githtz@users.noreply.github.com>
2021-03-10 07:30:25 +00:00
lub
f3f0a4d86d
Merge branch 'master' into enforce-tls-admin 2021-03-09 23:40:51 +01:00
Florent Daigniere
513d2a4c5e Fix bug #1660: nested headers shouldn't be touched 2021-03-09 19:43:08 +01:00
Florent Daigniere
64d757582d Disable anti-csrf on the login form
The rationale is that the attacker doesn't have the password...
and that doing it this way we avoid creating useless sessions
2021-03-09 14:21:02 +01:00
Florent Daigniere
481cb67392 cleanup old sessions on startup 2021-03-09 14:21:02 +01:00
Florent Daigniere
b9becd8649 make sessions expire 2021-03-09 14:21:02 +01:00
Florent Daigniere
a1d32568d6 Regenerate session-ids to prevent session fixation 2021-03-09 14:20:22 +01:00
Florent Daigniere
d459c37432 make session IDs 128bits 2021-03-09 14:20:22 +01:00
Florent Daigniere
22af5b8432 Switch to server-side sessions in redis 2021-03-09 14:20:22 +01:00
Alexander Graf
dd2e218375 Merge remote-tracking branch 'upstream/master' into import-export 2021-03-09 13:31:21 +01:00
Florent Daigniere
96ae54d04d CryptContext should be a singleton 2021-03-09 12:05:46 +01:00
Florent Daigniere
5f05fee8b3 Don't need regexps anymore 2021-03-09 12:05:46 +01:00
Florent Daigniere
1c5b58cba4 Remove scheme_dict 2021-03-09 12:05:46 +01:00
Florent Daigniere
df230cb482 Refactor auth under nginx.check_credentials() 2021-03-09 12:05:46 +01:00
Florent Daigniere
f9ed517b39 Be specific token length 2021-03-09 12:05:46 +01:00
Florent Daigniere
d0b34f8e24 Move CREDENTIAL_ROUNDS to advanced settings 2021-03-09 12:05:46 +01:00
Florent Daigniere
fda758e2b4 remove merge artifact 2021-03-09 12:04:42 +01:00
Florent Daigniere
57a6abaf50 Remove {scheme} from the DB if mailu has set it 2021-03-09 12:04:42 +01:00
Florent Daigniere
7137ba6ff1 Misc improvements to PASSWORD_SCHEME
- remove PASSWORD_SCHEME altogether
- introduce CREDENTIAL_ROUNDS
- migrate all old hashes to the current format
- auto-detect/enable all hash types that passlib supports
- upgrade passlib to 1.7.4 (see #1706: ldap_salted_sha512 support)
2021-03-09 12:04:42 +01:00
Florent Daigniere
00b001f76b Improve the token storage format
shortcomings of the previous format included:
- 1000x slower than it should be (no point in adding rounds since there
 is enough entropy: they are not bruteforceable)
- vulnerable to DoS as explained in
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.sha256_crypt.html#security-issues
2021-03-09 12:04:42 +01:00
Florent Daigniere
eb7895bd1c Don't do more work than necessary (/webdav)
This is also fixing tokens on /webdav/
2021-03-09 12:04:42 +01:00
Florent Daigniere
58b2cdc428 Don't do more work than necessary 2021-03-09 12:04:42 +01:00
bors[bot]
464e46b02b
Merge #1765
1765: Set sensible cookie flags on the admin app r=mergify[bot] a=nextgens

## What type of PR?

Bugfix

## What does this PR do?

It sets the right flags on the session cookie issued by the admin app.
This should probably be backported as the lack of secure flag on TLS-enabled setup is a high risk vulnerability.

SameSite is hardening / helps against CSRF on modern browsers
HTTPOnly is hardening / helps reduce the impact of XSS

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-09 09:25:04 +00:00
bors[bot]
47d6c697d0
Merge #1763
1763: show flash messages again r=mergify[bot] a=lub

## What type of PR?

bug-fix

## What does this PR do?
This basically restores the behaviour, that got removed in
ecdf0c25b3 during refactoring.

### Related issue(s)
- noticed it while reviewing #1756

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [-] In case of feature or enhancement: documentation updated accordingly
- [-] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-08 11:53:10 +00:00
bors[bot]
ce0c93a681
Merge #1618
1618: add OCSP stapling to nginx.conf r=mergify[bot] a=lub

It's not added in tls.conf, because apparently the mail ssl module
doesnt' support OCSP stapling.

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
^ exists

https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_stapling
^ missing

When the configured certificate doesn't have OCSP information, it'll
just log a warning during startup.

## What type of PR?

enhancement

## What does this PR do?

It enables OCSP stapling for the http server. OCSP stapling reduces roundtrips for the client and reduces load on OCSP responders.

### Related issue(s)
- fixes  #1616

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-08 09:39:25 +00:00
bors[bot]
cca4b50915
Merge #1607
1607: _FILE variables for Docker swarm secrets r=mergify[bot] a=lub

## What type of PR?

enhancement

## What does this PR do?

This PR enables usage of DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY to load these values from files instead of supplying them directly. That way it's possible to use Docker secrets.

### Related issue(s)


## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-08 09:07:10 +00:00
Florent Daigniere
0dcc059cd6 Add a new knob as discussed on matrix with lub 2021-03-05 22:26:46 +01:00
Jaume Barber
5bb67dfcbb Translated using Weblate (Basque)
Currently translated at 100.0% (151 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/eu/
2021-03-04 18:46:27 +00:00
Jaume Barber
a49b9d7974 Translated using Weblate (Catalan)
Currently translated at 99.3% (150 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ca/
2021-03-04 18:46:26 +00:00
Jaume Barber
cd9992f79c Translated using Weblate (Swedish)
Currently translated at 74.2% (121 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/sv/
2021-03-04 18:46:25 +00:00
Jaume Barber
afae5d1c24 Translated using Weblate (Russian)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ru/
2021-03-04 18:46:25 +00:00
Jaume Barber
7a01a63389 Translated using Weblate (Portuguese)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/pt/
2021-03-04 18:46:24 +00:00
Jaume Barber
480ec29d3d Translated using Weblate (Italian)
Currently translated at 91.4% (149 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/it/
2021-03-04 18:46:24 +00:00
Jaume Barber
5e96a4bfcf Translated using Weblate (Spanish)
Currently translated at 91.4% (149 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/es/
2021-03-04 18:46:24 +00:00
Jaume Barber
6143d66eb8 Translated using Weblate (English)
Currently translated at 39.2% (64 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-04 18:46:24 +00:00
Anonymous
6da5978870 Translated using Weblate (German)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/de/
2021-03-04 18:46:24 +00:00
Anonymous
58c22fd2c6 Translated using Weblate (English)
Currently translated at 38.6% (63 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 18:18:39 +00:00
Jaume Barber
0dc8817f32 Translated using Weblate (English)
Currently translated at 38.6% (63 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 18:18:39 +00:00
Anonymous
3d17000ceb Translated using Weblate (English)
Currently translated at 29.4% (48 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 17:57:27 +00:00
Jaume Barber
a2933d00f3 Translated using Weblate (English)
Currently translated at 29.4% (48 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 17:57:26 +00:00
Jaume Barber
7c0158c5f8 Translated using Weblate (English)
Currently translated at 17.7% (29 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 17:17:18 +00:00
Anonymous
7de94275a0 Translated using Weblate (English)
Currently translated at 17.7% (29 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 17:17:18 +00:00
Jaume Barber
43133d8515 Added translation using Weblate (Basque) 2021-03-03 17:05:23 +00:00
Jaume Barber
5e0aa65c8d Translated using Weblate (Italian)
Currently translated at 96.3% (157 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/it/
2021-03-03 17:03:23 +00:00
Jaume Barber
725cdc270c Translated using Weblate (Spanish)
Currently translated at 100.0% (163 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/es/
2021-03-03 12:37:52 +00:00
Weblate
a571704a9d Merge branch 'origin/master' into Weblate. 2021-03-03 11:35:49 +00:00
Jaume Barber
b9c2dc1a79 Translated using Weblate (Catalan)
Currently translated at 98.6% (149 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ca/
2021-03-03 11:35:49 +00:00
Anonymous
3a9a133226 Translated using Weblate (English)
Currently translated at 11.0% (18 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 11:35:47 +00:00
Jaume Barber
af251216b0 Translated using Weblate (English)
Currently translated at 11.0% (18 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 11:35:47 +00:00
Alexander Graf
b55b53b781 optimize generation of transport nexthop 2021-02-26 20:51:58 +01:00
Alexander Graf
0a9f732faa added docstring to Logger. use generators. 2021-02-22 20:35:23 +01:00
Dario Ernst
b6716f0d74 Remove "CHUNKING" capability from nginx-smtp
With `CHUNKING`set as a capability, nginx advertises this capability to
clients at a stage where the SMTP dialog does not seem to be forwarded
to the proxy-target (postfix) yet. Nginx' SMTP parser itself does not
support the `BDAT` command issued as part of a chunke-d dialog. This makes
Nginx respond with a `250 2.0.0 OK` and close the connection, after the
mail-data got sent by the client — without forwarding this to the
proxy-target.

With this, users mail can be lost.

Furthermore, when a user uses a sieve filter to forward mail, dovecot
sometimes chunks the forwarded mail when sending it through `front`.
These forwards then fail.

Removing `CHUNKING` from the capabilities fixes this behavior.
2021-02-20 13:03:08 +01:00
Alexander Graf
bde7a2b6c4 moved import logging to schema
- yaml-import is now logged via schema.Logger
- iremoved relative imports - not used in other mailu modules
- removed develepment comments
- added Mailconfig.check method to check for duplicate domain names
- converted .format() to .format_map() where possible
- switched to yaml multiline dump for dkim_key
- converted dkim_key import from regex to string functions
- automatically unhide/unexclude explicitly specified attributes on dump
- use field order when loading to stabilize import
- fail when using 'hash_password' without 'password'
- fixed logging of dkim_key
- fixed pruning and deleting of lists
- modified error messages
- added debug flag and two verbosity levels
2021-02-19 18:01:02 +01:00
Florent Daigniere
aa8cb98906 Set sensible cookie options 2021-02-18 15:47:13 +01:00
Alexander Graf
e4c83e162d fixed colorize auto detection 2021-02-16 17:59:43 +01:00
Alexander Graf
e46d4737b0 merged changes from api without api 2021-02-16 17:12:45 +01:00
Alexander Graf
4b9886b139 Merge remote-tracking branch 'upstream/master' into import-export 2021-02-16 16:24:30 +01:00
Alexander Graf
10435114ec updated remarks and docs 2021-02-16 15:36:01 +01:00
Alexander Graf
1e2b5f26ab don't handle nested lists 2021-02-16 13:34:02 +01:00
Alexander Graf
70a1c79f81 handle prune and delete for lists and backrefs 2021-02-15 22:57:37 +01:00
Alexander Graf
8929912dea remove OrderedDict - not necessary in python>=3.7 2021-02-15 21:56:58 +01:00
Alexander Graf
3937986e76 Convert OrderedDict to dict for output 2021-02-15 10:01:35 +01:00
Alexander Graf
68caf50154 new import/export using marshmallow 2021-02-15 00:46:59 +01:00
lub
88f992de16 show flash messages again
This basically restores the behaviour, that got removed in
ecdf0c25b3 during refactoring.
2021-02-13 13:36:05 +01:00
Florent Daigniere
80f939cf1a Revert to the old behaviour when ADMIN=false 2021-02-08 10:16:03 +01:00
Florent Daigniere
2e749abe61 DNS records for client autoconfiguration (RFC6186) 2021-02-07 18:50:26 +01:00
Florent Daigniere
b49554bec1 merge artifact 2021-02-07 18:12:00 +01:00
Florent Daigniere
ef637f51b7 derive the SSO keys from a KDF 2021-02-07 17:58:19 +01:00
Florent Daigniere
906a051925 Make rainloop use internal auth 2021-02-07 17:50:17 +01:00
Alexander Graf
1c9abf6e48 updated requirements for import/export
api reqs (flask-restx, ...) are still missing
2021-01-24 19:27:22 +01:00
Alexander Graf
1da7e5b8d2 Merge remote-tracking branch 'upstream/master' into api 2021-01-24 19:10:24 +01:00
Alexander Graf
902b398127 next step for import/export yaml & json 2021-01-24 19:07:48 +01:00
Michael Wyraz
ca6ea6465c make syslog optional 2021-01-23 16:16:07 +01:00
Michael Wyraz
e979743226 Rsyslog logging for postfix, optional logging to file, no logging of test requests 2021-01-23 15:21:29 +01:00
Mordi Sacks
f56af3053a
Removed email address 2021-01-17 01:28:25 +02:00
Alexander Graf
65b1ad46d9 order yaml data and allow callback on import
- in yaml the primary key is now always first
- calling a function on import allows import to be more verbose
- skip "fetches" when empty
2021-01-15 13:57:20 +01:00
Alexander Graf
8213d044b2 added docstrings, use f-strings, cleanup
- idna.encode does not encode upper-case letters,
  so .lower() has to be called on value not on result
- split email-address on '@' only once
- converted '*'.format(*) to f-strings
- added docstrings
- removed from_dict method
- code cleanup/style (list concat, exceptions, return&else, line-length)
- added TODO comments on possible future changes
2021-01-15 13:53:47 +01:00
Alexander Graf
31a903f959 revived & renamed config-fns. cosmetics.
- revived original config-update function for backwards compability
- renamed config-dump to config-export to be in line with config-import
- converted '*'.format(*) to f-strings
- converted string-concatenation to f-strings
2021-01-15 13:45:36 +01:00
Michael Wyraz
2b37be9889 Use alpine 3.13 to fix CVE-2020-25275 and CVE-2020-24386 2021-01-15 10:56:49 +01:00
Alexander Graf
c24bff1c1b added config_import using marshmallow 2021-01-14 01:11:04 +01:00
Alexander Graf
7413f9b7b4 config_dump now using marshmallow 2021-01-13 00:05:43 +01:00
Alexander Graf
dc42d375e2 added filtering of keys and default value 2021-01-08 14:22:59 +01:00
Alexander Graf
82cf0d843f fix sqlalchemy column definitions 2021-01-08 14:22:11 +01:00
Alexander Graf
b3f8dacdad add docstrings and make linter happy 2021-01-08 14:17:28 +01:00
Alexander Graf
6629aa3ff8 first try at api using flask-restx & marshmallow 2021-01-06 17:05:21 +01:00
Alexander Graf
4c258f5a6b cosmetic changes & make linter happy
renamed single letter variables (m => match)
renamed classmethod arguments to cls (model)
removed shadowing of variables (hash, context)
shortened unneeded lambda functions (id)
converted type ... is to isinstance(...)
removed unneded imports (flask)
2021-01-06 16:45:55 +01:00
Alexander Graf
7229c89de1 ConfigManager should not replace app.config
Updated ConfigManager to only modify app.config and not replace it.
Swagger does not play well, when app.config is not a real dict and
it is not necessary to keep ConfigManager around after init.

Also added "API" flag to config (default: disabled).
2021-01-06 16:31:03 +01:00
Alexander Graf
3b35180b41 cosmetic changes 2020-12-20 23:50:26 +01:00
Alexander Graf
815f47667b update dkim-key on commit only 2020-12-20 23:49:42 +01:00
Alexander Graf
0a594aaa2c cosmetic changes 2020-12-20 23:45:27 +01:00
Alexander Graf
3064a1dcff removed call to (undefined) cli 2020-12-20 23:38:55 +01:00
Alexander Graf
0051b93077 removed unused variable 2020-12-16 22:39:50 +01:00
Alexander Graf
2cd3acdc1a Merge remote-tracking branch 'upstream/master' into import-export 2020-12-16 22:39:09 +01:00
Alexander Graf
63176f4878 Merge remote-tracking branch 'upstream/master' into import-export 2020-11-30 22:03:10 +01:00
lub
98a6ffb497 add compression via xz and lz4 2020-11-21 12:37:08 +01:00
dependabot[bot]
54ccfdf975
Bump cryptography from 2.6.1 to 3.2 in /core/admin
Bumps [cryptography](https://github.com/pyca/cryptography) from 2.6.1 to 3.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/2.6.1...3.2)

Signed-off-by: dependabot[bot] <support@github.com>
2020-11-21 11:15:31 +00:00
ofthesun9
d32e73c5bc Fix letsencrypt access to certbot for the mail-letsencrypt flavour 2020-11-17 10:26:41 +01:00
bors[bot]
3ca81913fc
Merge #1654
1654: Ensure that the rendered file ends with newline in order to make `pos… r=mergify[bot] a=tremlin

## What type of PR?

Bugfix

## What does this PR do?

This fixes #1580 

### Related issue(s)
- closes #1580

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.


Co-authored-by: Thomas Rehn <thomas.rehn@initos.com>
2020-11-15 14:13:06 +00:00
cbachert
32f6a23a95 Remove rspamd unused env var from start script
Environment variable FRONT_ADDRESS is unused in rspamd
FRONT_ADDRESS references were removed with commit 8172f3e in PR #727
2020-10-30 17:12:34 +00:00
Alexander Graf
adc9c70c3e added dump option to dump dns data of domains 2020-10-24 22:31:32 +02:00
Alexander Graf
2a5c46c890 Allow to dump only selected sections 2020-10-24 22:31:31 +02:00
Alexander Graf
500967b2f5 ignore dkim_publickey when updating config 2020-10-24 22:31:29 +02:00
Alexander Graf
c46f9328f7 also dump dkim_publickey. allow key generation. 2020-10-24 22:31:26 +02:00
Alexander Graf
acc728109b validate dkim keys and allow removal 2020-10-24 22:31:13 +02:00
cbachert
72a9ec5b7c Fix extract_host_port port separation
Regex quantifier should be lazy to make port separation work.
2020-10-24 00:25:53 +01:00
Alexander Graf
dfc34b2165 Merge remote-tracking branch 'upstream/master' into import-export 2020-10-23 16:16:29 +02:00
David Fairbrother
e7caff9811 Add ability to set no WEBROOT_REDIRECT to Nginx
Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
2020-10-05 15:13:07 +01:00
Thomas Rehn
05ab244638 Ensure that the rendered file ends with newline in order to make postconf work correctly 2020-10-04 16:36:37 +02:00
Dimitri Huisman
78890a97ff Preparations for 1.8 release. 2020-10-01 20:32:05 +02:00
Alexander Graf
45bf6d1b4a Merge remote-tracking branch 'upstream/master' into import-export 2020-09-29 08:41:23 +02:00
bors[bot]
5c36dc4f54
Merge #1611
1611: Adds own server on port 80 for letsencrypt and redirect r=mergify[bot] a=elektro-wolle

## What type of PR?

Bugfix

## What does this PR do?

Handle letsencrypt route to `.well-known` by own server configuration within nginx.

### Related issue(s)
closes #1564

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Wolfgang Jung <w.jung@polyas.de>
2020-09-26 05:57:27 +00:00
anrc
59bc4f7aea
Remove the username from the milter_headers
Rspamd adds the name of the authenticated user by default. Setting add_smtp_user to false prevents the login to be leaked.
2020-09-24 13:16:25 +02:00
bors[bot]
92bf736da4
Merge #1635
1635: Add support for AUTH LOGIN authentication mechanism for relaying emai… r=mergify[bot] a=Diman0

…l via smart hosts.

## What type of PR?

Feature

## What does this PR do?

This PR adds support to postfix for AUTH LOGIN authentication mechanism. This enables using smart hosts which only offer AUTH LOGIN. 

### Related issue(s)
- Auto close an issue like: closes #1633

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [n/a] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2020-09-23 20:08:15 +00:00
Dimitri Huisman
d9e7b8249b Add support for AUTH LOGIN authentication mechanism for relaying email via smart hosts. 2020-09-23 19:59:00 +02:00
lub
66db1f8fd0 add OCSP stapling to nginx.conf
It's not added in tls.conf, because apparently the mail ssl module
doesnt' support OCSP stapling.

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
^ exists

https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_stapling
^ missing

When the configured certificate doesn't have OCSP information, it'll
just log a warning during startup.
2020-09-12 01:35:10 +02:00
lub
0cb0a26d95 relax TLS settings on port 25
Because basically every MTA out there uses opportunistic TLS _in
the best case_, it's actually counter productive to use such strict
settings.

The alternative to a handshake error is often an unencrypted submission,
which is basically the opposite of what strict ssl_protocols and
ssl_ciphers tries to achieve.

Even big and established providers like Amazon SES are incompatible with the current
settings.

This reverts commit 2ddf46ad2b.
2020-09-10 20:38:15 +02:00
Wolfgang Jung
1f4e9165fa Disables unencrypted http on TLS_ERROR 2020-09-09 21:35:08 +02:00
Alexander Graf
8e14aa80ee documented options and added help text 2020-09-04 12:57:40 +02:00
Alexander Graf
9d2327b0f1 add space for more human readable indentation
add a newline before main sections
add some spaces to indent
2020-09-04 12:32:51 +02:00
Wolfgang Jung
f999e3de08 Adds own server on port 80 for letsencrypt and redirect 2020-09-03 23:18:57 +02:00
lub
05e2af1802
fix small typo in Auth-SSL 2020-09-02 15:16:10 +02:00
lub
f0f873ffe7 add option to enforce inbound starttls 2020-09-01 21:48:09 +02:00
lub
02cfe326d3 support using files for SECRET_KEY and DB_PW
this enables usage of e.g. docker swarm secrets instead of exposing the
passwords directly via environment variables

just use DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY
2020-08-30 01:04:36 +02:00
Alexander Graf
69ccf791d2 fixed data import via from_dict
- stabilized CommaSeparatedList by sorting values
- CommaSeparatedList can now handle list and set input

- from_dict now handles mapped keys
- from_dict now handles null values

- class Domain: handle dkim-key None correctly
- class User: delete obsolete keys after converting
- class Alias: now uses Email._dict_input
2020-08-26 23:16:37 +02:00
Alexander Graf
190e7a709b renamed config-dump option --verbose to --full 2020-08-26 23:14:27 +02:00
Alexander Graf
5c0efe82cf implemented config_update and config_dump
enhanced data model with to_dict and from_dict methods
added config_dump function to manage command
config_update now uses new data model methods
2020-08-26 11:27:38 +02:00
Alexander Graf
c26ddd3c68 fixed user's destination property
self.forward_destination is a list (and not string)
2020-08-26 11:19:01 +02:00
Alexander Graf
5dfccdafe9 fixed some minor typos, removed unused variable 2020-08-26 11:11:23 +02:00
ofthesun9
539114a3d6
Merge branch 'master' into test-alpine-3.12 2020-08-09 16:37:45 +02:00
bors[bot]
47be453aac
Merge #1557
1557: Explicitly define ProxyFix options r=mergify[bot] a=brian-maloney

## What type of PR?
bug-fix

## What does this PR do?
This PR explicitly defines the options for the ProxyFix module, which fixes a regression in admin behind a reverse proxy.

### Related issue(s)
- #1309

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.

This is a bugfix, so not doc changes, and it's an extremely minor change.


Co-authored-by: Brian Maloney <3286425+brian-maloney@users.noreply.github.com>
2020-08-09 12:41:05 +00:00
bors[bot]
535b95bca7
Merge #1538
1538: Introduce environment variable to control dovecot full-text-search r=mergify[bot] a=tremlin

## What type of PR?

Enhancement

## What does this PR do?

In #1320 a full-text-search feature was enabled in Dovecot by default. Since this can have a big impact on performance, I think it's preferable to offer an option to disable the feature if it is not needed. This PR doesn't change the default behavior (FTS on).

### Related issue(s)
- #1320

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordinagly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Thomas Rehn <thomas.rehn@initos.com>
2020-08-09 12:12:39 +00:00
bors[bot]
64f21d5b84
Merge #1478 #1501 #1532 #1543
1478: Allow to enforce TLS for outbound r=mergify[bot] a=micw

 using OUTBOUND_TLS_LEVEL=encrypt (default is 'may')

## What type of PR?

enhancement

## What does this PR do?

Add an option to postfix to enforce outbound traffic to be TLS encrypted.

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1501: In setup/flavor, change DMARC RUA and RUF email default settings r=mergify[bot] a=ofthesun9

## What type of PR?
bug-fix

## What does this PR do?
This PR changes the default value used to set DMARC_RUA and DMARC_RUF:
DMARC_RUA and DMARC_RUF defaults will reuse the value defined for POSTMASTER,
instead of 'admin' as previously.
Please note that the setup tool doesn't allow (yet?) to define dmarc_rua nor dmarc_ruf, so the default value is indeed used for the time being.

### Related issue(s)
closes #1463 

## Prerequistes
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1532: Replace SMPT with SMTP r=mergify[bot] a=dhoppe



1543: Disable Health checks on swarm mode r=mergify[bot] a=ofthesun9

ref: https://github.com/moby/moby/issues/35451

## What type of PR?
bug-fix

## What does this PR do?
Modify the docker-compose.yml template used by setup (swarm flavor) to disable Health checks on swarm mode for each service

### Related issue(s)
closes #1289

## Prerequistes
- [x]  add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Michael Wyraz <michael@wyraz.de>
Co-authored-by: ofthesun9 <olivier@ofthesun.net>
Co-authored-by: Dennis Hoppe <github@debian-solutions.de>
2020-08-08 16:01:16 +00:00
Brian Maloney
6bd14506c0
Explicitly define ProxyFix options
Even though these seem to be the defaults, since 1.7 x_proto was not being honored (see #1309), this fixes this issue for me.
2020-06-28 17:27:45 -04:00
Dennis Hoppe
f3ac4e9397
Remove unused variables 2020-06-16 15:45:11 +02:00
ofthesun9
1d35b1283d Adjust python required packages for alpine:3.12 2020-06-15 22:57:49 +02:00
ofthesun9
cff2e76269 Switching to alpine:3.12 2020-06-15 17:32:56 +02:00
Thomas Rehn
fc47b736ea introduce environment variable to control dovecot full-text-search 2020-06-14 19:26:05 +02:00
ofthesun9
381bf747cc Check permissions using postfix set-permissions 2020-05-04 18:18:32 +00:00
ofthesun9
3a9c9d0436 Fixed typo 2020-05-04 17:15:15 +00:00
ofthesun9
67caf0c8cf Check /queue permissions before postfix start
postfix and posdrop id might have changed after base image change
2020-05-04 15:41:53 +00:00
Michael Wyraz
e4454d776a Allow to enforce TLS for outbound using OUTBOUND_TLS_LEVEL=encrypt (default is 'may') 2020-05-02 20:58:07 +02:00
bors[bot]
5648669c61
Merge #1293
1293: Remove `reject_unverified_recipient` from `smtpd_client_restrictions` r=mergify[bot] a=SunMar


## What type of PR?

Bug-fix

## What does this PR do?

It removes recipient verification, as it broke my catch-all address.

Fix for #1292, though I'm not sure if this is the right way to fix the issue. It was added in 175349a224.

### Related issue(s)
Fix for #1292 and a revert of 175349a224.


Co-authored-by: SunMar <SunMar@users.noreply.github.com>
2020-05-02 07:59:07 +00:00
bors[bot]
15a0d7303c
Merge #1399 #1417
1399: Remove SPF type SPF record #1394 r=mergify[bot] a=bladeswords

As mentioned in #1394 - In accordance with RFC 7208, offer only TXT RRs for SPF.
Agree with @Nebukadneza - but not sure how to go about telling people to remove the old record...

## What type of PR?

Documentation

## What does this PR do?
Removes the recommendation to add a SPF RR for SPF records, as this is no longer RFC complaint and often causes issues to maintain two records.

### Related issue(s)
- closes #1394

## Prerequistes
None


1417: docker-compose exec needs a -T flag if no TTY is allocated r=mergify[bot] a=ofthesun9

This flag is missing in 00_create_users.sh and is failing the tests on travis arm architecture

## What type of PR?
This PR is an enhancement/bugfix needed to allow usage of travis to test and deploy on arm platform
Before the PR, tests are failing with the msg: "the input device is not a TTY"

## What does this PR do?
This PR add -T flag for the docker-compose exec occurences found in 00_create_users.sh


Co-authored-by: bladeswords <bladeswords@users.noreply.github.com>
Co-authored-by: Dario Ernst <dario@kanojo.de>
Co-authored-by: ofthesun9 <olivier@ofthesun.net>
2020-05-01 00:23:11 +00:00
Weblate
066f2bac07 Merge branch 'origin/master' into Weblate. 2020-04-26 13:09:42 +00:00
Jaume Barber
6c25d20c83 Translated using Weblate (Catalan)
Currently translated at 100.0% (151 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ca/
2020-04-26 13:09:41 +00:00
ofthesun9
885a0b5167 Relearn messages for fuzzy storage
This PR add a rspamc fuzzy_del to ham & spam scripts, in order to cover
move from Junk list to Ham list and vice versa
2020-04-09 09:16:29 +02:00
bors[bot]
60b9a3e2f0
Merge #1389
1389: Prefer specific alias over wildcard, regardless of case r=mergify[bot] a=Nebukadneza

## What type of PR?
bug-fix

## What does this PR do?
Since direct addresses (not aliases) are case-insensitive since a while,
it makes sense for aliases to behave the same. Up until now, a wildcard
alias could trump a alias not-matching-the-case of the incoming address.
This clarifies this behavior.

## Notes
I realize that the if-hell down there isn’t nice. What it is, however, is quite clear and easy to read. I’m hoping that if anyone ever gets confused in the future, this will make the current behavior transparent. For me, that was more important than a minimal amount of statements/branches …

### Related issue(s)
closes #1387

## Prerequistes
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Dario Ernst <github@kanojo.de>
2020-03-28 05:59:16 +00:00
bors[bot]
8844dc67fa
Merge #1392
1392: Use environment variables for cert paths/names in nginx certwatcher r=mergify[bot] a=Nebukadneza

## What type of PR?
bug-fix

## What does this PR do?
Previously, nginx certwatcher would only react to the hardcoded paths. It should have
honored the enviroment variables that are used by config.py too for this.
 
### Related issue(s)
closes #903

## Prerequistes
- [x] no feature or enhancement
- [x] minor/internal change


Co-authored-by: Dario Ernst <github@kanojo.de>
2020-03-27 07:56:35 +00:00
SunMar
ac6b8d62dd Remove reject_unverified_recipient from smtpd_client_restrictions
Fix for #1292, though I'm not sure if this is the right way to fix the issue. It was added in 175349a224.
2020-03-18 22:22:11 +01:00
bors[bot]
5004e62607
Merge #1398
1398: Update crypto to be modern and inline with tls.conf r=mergify[bot] a=bladeswords

Updated to match tls.conf and be aligned to more modern cryptographic standards and only use currently secure protocols and ciphers.

## What type of PR?

bugfix

## What does this PR do?
Update to use more modern cryptographic techniques
### Related issue(s)
- Addresses comment raised in 4f973f6

## Prerequistes
None


Co-authored-by: bladeswords <bladeswords@users.noreply.github.com>
2020-03-18 10:39:57 +00:00
bors[bot]
67b48f55fd
Merge #1393
1393: Ignore newlines and comment-lines in postfix overrides r=mergify[bot] a=Nebukadneza

## What type of PR?
enhancement

## What does this PR do?
To make postfix override files understandable and readable, users may
want to insert empty newlines and #-commented lines in their postfix
override files too. This will now ignore such bogus-lines and not send
them to `postconf`, which produced ugly errors in the past.

### Related issue(s)
closes #1098

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Dario Ernst <github@kanojo.de>
2020-03-12 16:30:29 +00:00
bors[bot]
575f6b1691
Merge #1296 #1322 #1337 #1358
1296: fetchmail: print unhandled exceptions, but don't crash r=Nebukadneza a=Al2Klimov

fixes #1295

1322: Bump validators from 0.12.5 to 0.12.6 in /core/admin r=Nebukadneza a=dependabot[bot]

Bumps [validators](https://github.com/kvesteri/validators) from 0.12.5 to 0.12.6.
<details>
<summary>Changelog</summary>

*Sourced from [validators's changelog](https://github.com/kvesteri/validators/blob/master/CHANGES.rst).*

> 0.12.6 (2019-05-08)
> ^^^^^^^^^^^^^^^^^^^
> 
> - Fixed domain validator for single character domains ([#118](https://github-redirect.dependabot.com/kvesteri/validators/issues/118), pull request courtesy kingbuzzman)
</details>
<details>
<summary>Commits</summary>

- See full diff in [compare view](https://github.com/kvesteri/validators/commits)
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=validators&package-manager=pip&previous-version=0.12.5&new-version=0.12.6)](https://help.github.com/articles/configuring-automated-security-fixes)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Mailu/Mailu/network/alerts).

</details>

1337: Add IPv6 to allow_nets r=Nebukadneza a=PhilRW

Roundcube was not connecting to sieve with IPv6 enabled.

Fixes #1336

1358: Add port to relay if it contains a colon r=Nebukadneza a=PhilRW

## What type of PR?

enhancement

## What does this PR do?

Allows relaying domains to non-standard SMTP ports by appending `:port` to the destination host/IP. E.g., `mx1.internal:2525`

### Related issue(s)

Closes #1357 


## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Philip Rosenberg-Watt <p.rosenberg-watt@cablelabs.com>
2020-03-12 13:20:00 +00:00
Weblate
e9ddb2ddcc Merge branch 'origin/master' into Weblate. 2020-03-11 23:03:59 +00:00
Jaume Barber
a2fa52170c Translated using Weblate (Catalan)
Currently translated at 98.6% (149 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ca/
2020-03-11 23:03:52 +00:00
Jaume Barber
aafcbadb23 Translated using Weblate (Italian)
Currently translated at 98.7% (161 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/it/
2020-03-11 23:03:51 +00:00
Jaume Barber
ecb8e07da2 Translated using Weblate (Spanish)
Currently translated at 98.7% (161 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/es/
2020-03-11 23:03:51 +00:00
Jae Beojkkoch
ca82380bcf Translated using Weblate (English)
Currently translated at 7.9% (13 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2020-03-11 23:03:51 +00:00
bors[bot]
ecae6872f3
Merge #1395 #1396
1395: Remove duplicate ports line r=mergify[bot] a=Nebukadneza


## What type of PR?
enhancement

## What does this PR do?

### Related issue(s)
closes #1079

## Prerequistes
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1396: Use pyyaml safe_load instead of load r=mergify[bot] a=Nebukadneza




## What type of PR?
enhancement

## What does this PR do?
Since load in unsafe (ref: https://msg.pyyaml.org/load),
switch the only occurrance of `yaml.load` that i could
find to safe_load.

### Related issue(s)
closes #1085

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Dario Ernst <github@kanojo.de>
2020-03-10 23:57:46 +00:00
bors[bot]
a28e30b93b
Merge #1320
1320: Add xapian full-text-search plugin to dovecot r=mergify[bot] a=Nebukadneza

## What type of PR?
Enhancement

## What does this PR do?
Currently we are not able to offer our users a FTS experience after the
demise of lucene due to unfixed coredumps with musl/alpine.
We now add lucene, the only remaining maintained small/lean FTS plugin
for dovecot. It is quite simple to add to our stack: A two-stage docker
build is used to compile the fts plugin in the first stage, and copy
over only the resulting plugin-artifact to the second stage, which is
our usual dovecot container. Configuration is also minimal.

There was a upstream issue where bodies were not able to be searched for subwords, but fortunately it was fixed quite quickly. We currently need to wait for a new release to use a stable tag in our `Dockerfile`.

### Related issue(s)
- https://github.com/Mailu/Mailu/pull/1176
- https://github.com/Mailu/Mailu/pull/1297
- https://github.com/Mailu/Mailu/issues/751
- **Upstream-issues which is the cause for the `TODO` in the `Dockerfile`**: https://github.com/grosjo/fts-xapian/issues/32

## Prerequistes
- [ ] Wait for upstream to prepare new release after https://github.com/grosjo/fts-xapian/issues/32 — so that we can use a stable tag in our `Dockerfile`
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Dario Ernst <dario@kanojo.de>
Co-authored-by: Dario Ernst <dario.ernst@rommelag.com>
2020-03-10 23:30:14 +00:00
bladeswords
8010595dd2
Remove SPF type SPF record #1394
As mentioned in #1394 - In accordance with RFC 7208, offer only TXT RRs for SPF.
Agree with @Nebukadneza - but not sure how to go about telling people to remove the old record...
2020-03-09 23:22:13 +11:00
bladeswords
2ddf46ad2b
Update crypto to be modern and inline with tls.conf
Updated to match tls.conf and be aligned to more modern cryptographic standards and only use currently secure protocols and ciphers.
2020-03-09 23:12:02 +11:00
Dario Ernst
23f21f8b9c Use pyyaml safe_load instead of load
Since load in unsafe (ref: https://msg.pyyaml.org/load),
switch the only occurrance of `yaml.load` that i could
find to safe_load.

closes #1085
2020-03-07 19:08:52 +00:00
Dario Ernst
dbcab06587 Ignore newlines and comment-lines in postfix overrides
To make postfix override files understandable and readable, users may
want to insert empty newlines and #-commented lines in their postfix
override files too. This will now ignore such bogus-lines and not send
them to `postconf`, which produced ugly errors in the past.

closes #1098
2020-03-07 18:20:56 +00:00
Dario Ernst
09024c8008 Use environment variables for cert paths/names in nginx certwatcher
Previously, nginx certwatcher would only react to the hardcoded paths. It should have
honored the enviroment variables that are used by config.py too for this.

closes #903
2020-03-07 17:17:17 +00:00
bors[bot]
b8b1699f9e
Merge #1359
1359: Refactor the rate limiting code r=mergify[bot] a=kaiyou

## What type of PR?

Enhancement

## What does this PR do?

Rate limiting was already redesigned to use Python limits. This
introduced some unexpected behavior, including the fact that only
one criteria is supported per limiter. Docs and setup utility are
updated with this in mind.

Also, the code was made more generic, so limiters can be delivered
for something else than authentication. Authentication-specific
code was moved directly to the authentication routine.

### Related issue(s)

No specific issue.

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: kaiyou <pierre@jaury.eu>
2020-03-07 09:50:04 +00:00
Dario Ernst
8626326559 Fix dovecot dockerfile (accidentally broken in previous commit) 2020-03-07 10:21:21 +01:00
dependabot[bot]
94cfc31e04
Bump validators from 0.12.5 to 0.12.6 in /core/admin
Bumps [validators](https://github.com/kvesteri/validators) from 0.12.5 to 0.12.6.
- [Release notes](https://github.com/kvesteri/validators/releases)
- [Changelog](https://github.com/kvesteri/validators/blob/master/CHANGES.rst)
- [Commits](https://github.com/kvesteri/validators/commits)

Signed-off-by: dependabot[bot] <support@github.com>
2020-03-06 15:33:41 +00:00
bors[bot]
a3c6002a0a
Merge #1321
1321: Upgrading nginx TLS configuration r=mergify[bot] a=radtkedev

## What type of PR?

Enhancement

## What does this PR do?

Upgrades the TLS protocols and ciphers to the recommended "Intermediate Configuration" and sets the "Old Configuration" for port 25 (SMTP) based on the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/) and adjusted for the nginx mail proxy.

Co-authored-by: Tom Radtke <tom@radtke.dev>
2020-03-06 15:33:03 +00:00
Dario Ernst
dfe092eb46 Use names for docker build stages in dovecot Dockerfile 2020-03-06 16:11:59 +01:00
bors[bot]
1ca4d6769c
Merge #1349
1349: Add support for SRS, related to #328 r=mergify[bot] a=kaiyou

## What type of PR?

Feature

## What does this PR do?

It implements SRS using a Python SRS library.

### Related issue(s)
- closes #328 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: kaiyou <pierre@jaury.eu>
2020-03-06 15:05:43 +00:00
Dario Ernst
da2dda49d4 Prefer specific alias over wildcard, regardless of case
Since direct addresses (not aliases) are case-insensitive since a while,
it makes sense for aliases to behave the same. Up until now, a wildcard
alias could trump a alias not-matching-the-case of the incoming address.
This clarifies this behavior.

closes #1387
2020-03-06 13:56:48 +01:00
NeroPcStation
365f21007d Translated using Weblate (Polish)
Currently translated at 90.2% (147 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/pl/
2020-02-17 20:23:38 +00:00
kaiyou
8e88f1b8c3 Refactor the rate limiting code
Rate limiting was already redesigned to use Python limits. This
introduced some unexpected behavior, including the fact that only
one criteria is supported per limiter. Docs and setup utility are
updated with this in mind.

Also, the code was made more generic, so limiters can be delivered
for something else than authentication. Authentication-specific
code was moved directly to the authentication routine.
2020-02-09 17:38:18 +01:00
Philip Rosenberg-Watt
ff1dfec39a Add port to relay if it contains a colon
This closes #1357
2020-02-09 08:05:24 -07:00
Philip Rosenberg-Watt
27e37577c6 Add IPv6 to allow_nets
Roundcube was not connecting to sieve with IPv6 enabled.

Fixes #1336
2020-02-03 14:53:04 -07:00
Weblate
b248f6a800 Merge branch 'origin/master' into Weblate 2020-01-31 01:23:00 +00:00
Andrási István
395a0d14dc Translated using Weblate (Hungarian)
Currently translated at 100.0% (163 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/hu/
2020-01-31 01:22:59 +00:00
bors[bot]
96f832835a
Merge #1278
1278: Limiter implementation r=kaiyou a=micw

## What type of PR?

(Feature, enhancement, bug-fix, documentation)

## What does this PR do?

Adds a custom limter based on the "limits" lirary that counts up on failed auths only

### Related issue(s)
- closes #1195
- closes #634

## Prerequistes

- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Michael Wyraz <michael@wyraz.de>
Co-authored-by: micw <michael@wyraz.de>
2020-01-30 07:19:35 +00:00
Dario Ernst
99ecaee7b9 Use a released git-tag for fts-xapian 2020-01-23 22:35:30 +01:00
Tom Radtke
4f973f63e6
Upgrading nginx TLS configuration 2020-01-20 10:09:11 +01:00