1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-14 10:53:30 +02:00
Commit Graph

228 Commits

Author SHA1 Message Date
Dimitri Huisman
5bedcc1cb1 Fix 2021-12-14 15:10:28 +00:00
Dimitri Huisman
f26fa8da84 Fix Webmail token check. Fix Auth-Port for Webmail. 2021-12-14 11:26:33 +00:00
Dimitri Huisman
f7677543c6 Process code review remarks
- Moved run to bottom of Dockerfile to allow using unmodified / cached states.
- Simplified bash code in deploy.sh.
- Improved the large bash one-liner in CI.yml. It could not handle >9 for 1.x.
2021-11-18 17:21:56 +00:00
Dimitri Huisman
56dd70cf4a Implement versioning for CI/CD workflow (see ). 2021-11-17 20:00:04 +00:00
DjVinnii
225160610b Set default TZ in Dockerfiles 2021-11-04 14:22:12 +01:00
DjVinnii
1d6809193b Add tzdata to core 2021-11-02 11:18:21 +01:00
Florent Daigniere
53a0363b9e Deal with the noisy keepalive messages
We don't particularly care about HTTP... and that's what's noisy.
2021-10-30 15:39:13 +02:00
Florent Daigniere
80a85c27a9 Silent healthchecks in logs 2021-10-30 15:34:40 +02:00
Alexander Graf
3141ffe791 removed some whitespace 2021-10-29 14:26:23 +02:00
Dimitri Huisman
6b16756d92 Fix acessing antispam via sidebar. 2021-10-29 09:22:46 +00:00
Dimitri Huisman
3449b67c86 Process code review remarks PR2023 2021-10-29 08:18:50 +00:00
Dimitri Huisman
503044ef6e Reintroduce ProxyFix. Use two buttons for logging in. 2021-10-27 21:51:49 +00:00
Dimitri Huisman
fb0f005343 Get rid of complicated prefix logic. Further simplify /static handling and nginx config. 2021-10-27 18:36:50 +00:00
Dimitri Huisman
da788ddee3 Merge branch 'fix-sso-1929' of github.com:Diman0/Mailu into fix-sso-1929 2021-10-27 12:38:18 +00:00
Dimitri Huisman
bdcc183165 Redirect to configured ENV VAR for Admin/Webmail, further simplify nginx config. 2021-10-27 11:24:10 +00:00
Dimitri Huisman
f1a60aa6ea Remove unneeded auth_request_set 2021-10-27 11:11:50 +00:00
Florent Daigniere
d3f07a0882 Simplify the handling of /static 2021-10-27 10:56:34 +02:00
Florent Daigniere
aee089f3b1 Ensure that static assets are readable 2021-10-27 10:55:47 +02:00
Dimitri Huisman
48764f0400 Ensure all requests from the page sso go through the page sso. 2021-10-27 08:06:53 +00:00
Dimitri Huisman
5232bd38fd Simplify webmail logout. 2021-10-26 12:07:36 +00:00
Dimitri Huisman
5d81846c5d Introduce the shared stub /static for providing all static files 2021-10-26 11:30:06 +00:00
Dimitri Huisman
eb74a72a52 Moved locations to correct area in nginx.conf. 2021-10-26 07:35:06 +00:00
Dimitri Huisman
aa7380ffba Doh! 2021-10-25 20:00:00 +00:00
Dimitri Huisman
44d2448412 Updated SSO logic for webmails. Fixed small bug rate limiting. 2021-10-25 19:21:38 +00:00
Dimitri Huisman
ed7adf52a6 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929 2021-10-25 17:31:25 +00:00
Dimitri Huisman
913a6304a7 Finishing touches. Introduce /static stub for handling all static files. 2021-10-25 17:24:41 +00:00
Diman0
41f5b43b38 Set nginx logging to level info again. 2021-09-24 15:33:16 +02:00
Diman0
f4cde61148 Make header translatable. More finishing touches. 2021-09-24 15:29:28 +02:00
Diman0
9894b49cbd Merge/Update with changes from master 2021-09-24 10:07:52 +02:00
Florent Daigniere
89ea51d570 Implement rate-limits 2021-09-23 18:40:49 +02:00
Diman0
bf0aad9820 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929 2021-09-22 17:04:13 +02:00
Alexander Graf
1e8b41f731 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes 2021-09-09 13:22:15 +02:00
bors[bot]
d464187477
Merge
1964: Alpine3.14.2 r=mergify[bot] a=nextgens

Upgrade to alpine 3.14.2, retry upgrading unbound & switch back to libressl

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-09-06 15:59:10 +00:00
Alexander Graf
a319ecde29 also precompress static txt files 2021-09-06 13:52:35 +02:00
Alexander Graf
b445d9ddd1 set expire headers only for mailu content
also moved robots.txt from config to static folder.
2021-09-06 13:45:48 +02:00
Alexander Graf
698ee4e521 added tiff and webp to list of cached content 2021-09-06 09:10:59 +02:00
Florent Daigniere
72ba5ca3f9 fix 1789: ensure that nginx resolves ipv4 addresses 2021-09-03 21:59:53 +02:00
Diman0
b148e41d9b Fix nginx config 2021-09-03 13:01:09 +02:00
Alexander Graf
f4e7ce0990 enabled caching, gzip and robots.txt 2021-09-02 20:48:44 +02:00
Alexander Graf
103918ba57 pre-compress assets (*.ico for now) 2021-09-02 20:46:56 +02:00
Alexander Graf
39d7a5c504 pngcrushed images 2021-09-02 20:46:08 +02:00
Diman0
960033525d configure sso in nginx 2021-09-02 18:02:20 +02:00
Diman0
8868aec0dc Merge master. Make sso login working for admin. 2021-09-02 17:08:50 +02:00
Florent Daigniere
d7c2b510c7 Give alpine 3.14.2 a shot 2021-09-01 18:56:44 +02:00
Florent Daigniere
394c2fe22c Document REAL_IP_HEADER and REAL_IP_FROM
Fix a security vulnerability whereby we were not clearing other headers
2021-08-28 10:03:18 +02:00
Florent Daigniere
6bba0cecfc Strip the Forwarded header since nothing is compatible with it yet 2021-08-28 09:02:52 +02:00
Florent Daigniere
3e676e232a fix 2021-08-23 19:41:44 +02:00
Jack Murray
dd127f8f06 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
2021-08-18 15:57:53 +02:00
Florent Daigniere
6704cb869a Switch to 3072bits dhparam (instead of 4096bits)
We aim for 128bits of security here
2021-08-18 15:51:16 +02:00
Jack Murray
e304c352a1 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
2021-08-18 15:40:44 +02:00
Florent Daigniere
c76a76c0b0 make it optional, add a knob 2021-08-10 12:19:51 +02:00
Florent Daigniere
109a8aa000 Ensure that we always have CERT+INTERMEDIARY CA
Let's encrypt may change things up in the future...
2021-08-10 10:55:21 +02:00
Florent Daigniere
974bcba5ab Restore LOGIN as tests assume it's there 2021-08-10 09:05:02 +02:00
Florent Daigniere
12c842c4b9 In fact in fullchain we want all but the last 2021-08-09 23:27:03 +02:00
Florent Daigniere
24f9bf1064 format certs for nginx 2021-08-09 22:51:23 +02:00
Florent Daigniere
98b903fe13 don't send the rootcert 2021-08-09 21:38:03 +02:00
Florent Daigniere
92ec446c20 doh 2021-08-09 21:29:05 +02:00
Florent Daigniere
f05cc99dc0 Add ECC certs for modern clients 2021-08-09 21:06:15 +02:00
Florent Daigniere
cb68cb312b Reduce the size of the RSA key to 3072bits
This is already generous for certificates that have a 3month validity!

We rekey every single time.
2021-08-09 20:40:56 +02:00
Florent Daigniere
5e7d5adf17 AUTH shouldn't happen on port 25 2021-08-09 20:10:49 +02:00
Florent Daigniere
7285c6bfd9 admin won't understand LOGIN 2021-08-09 17:29:42 +02:00
bors[bot]
48f3b1fd49
Merge
1656: Add ability to set no WEBROOT_REDIRECT to Nginx r=mergify[bot] a=DavidFair

## What type of PR?

Enhancement / Documentation

## What does this PR do?

From commit:

---

Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.

---

I've also added bullet points to break up a long flowing sentence in `configuration.rst` - it should be a bit easier to read now

### Related issue(s)
No Related Issue - I just jumped to a PR

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly

@ Maintainers - Is this worthy of the changelog, it's useful to know about but I imagine the number of people it affects is equally minimal?
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: David Fairbrother <DavidFair@users.noreply.github.com>
2021-08-06 19:15:42 +00:00
Florent Daigniere
420afa53f8 Upgrade to alpine 3.14 2021-07-05 15:50:49 +02:00
Florent Daigniere
dd3d03f06d Merge remote-tracking branch 'upstream/master' into webmail-sso 2021-03-10 14:41:12 +01:00
bors[bot]
ce0c93a681
Merge
1618: add OCSP stapling to nginx.conf r=mergify[bot] a=lub

It's not added in tls.conf, because apparently the mail ssl module
doesnt' support OCSP stapling.

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
^ exists

https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_stapling
^ missing

When the configured certificate doesn't have OCSP information, it'll
just log a warning during startup.

## What type of PR?

enhancement

## What does this PR do?

It enables OCSP stapling for the http server. OCSP stapling reduces roundtrips for the client and reduces load on OCSP responders.

### Related issue(s)
- fixes  

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-08 09:39:25 +00:00
Dario Ernst
b6716f0d74 Remove "CHUNKING" capability from nginx-smtp
With `CHUNKING`set as a capability, nginx advertises this capability to
clients at a stage where the SMTP dialog does not seem to be forwarded
to the proxy-target (postfix) yet. Nginx' SMTP parser itself does not
support the `BDAT` command issued as part of a chunke-d dialog. This makes
Nginx respond with a `250 2.0.0 OK` and close the connection, after the
mail-data got sent by the client — without forwarding this to the
proxy-target.

With this, users mail can be lost.

Furthermore, when a user uses a sieve filter to forward mail, dovecot
sometimes chunks the forwarded mail when sending it through `front`.
These forwards then fail.

Removing `CHUNKING` from the capabilities fixes this behavior.
2021-02-20 13:03:08 +01:00
Florent Daigniere
80f939cf1a Revert to the old behaviour when ADMIN=false 2021-02-08 10:16:03 +01:00
Florent Daigniere
906a051925 Make rainloop use internal auth 2021-02-07 17:50:17 +01:00
ofthesun9
d32e73c5bc Fix letsencrypt access to certbot for the mail-letsencrypt flavour 2020-11-17 10:26:41 +01:00
David Fairbrother
e7caff9811 Add ability to set no WEBROOT_REDIRECT to Nginx
Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
2020-10-05 15:13:07 +01:00
bors[bot]
5c36dc4f54
Merge
1611: Adds own server on port 80 for letsencrypt and redirect r=mergify[bot] a=elektro-wolle

## What type of PR?

Bugfix

## What does this PR do?

Handle letsencrypt route to `.well-known` by own server configuration within nginx.

### Related issue(s)
closes 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Wolfgang Jung <w.jung@polyas.de>
2020-09-26 05:57:27 +00:00
lub
66db1f8fd0 add OCSP stapling to nginx.conf
It's not added in tls.conf, because apparently the mail ssl module
doesnt' support OCSP stapling.

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
^ exists

https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_stapling
^ missing

When the configured certificate doesn't have OCSP information, it'll
just log a warning during startup.
2020-09-12 01:35:10 +02:00
lub
0cb0a26d95 relax TLS settings on port 25
Because basically every MTA out there uses opportunistic TLS _in
the best case_, it's actually counter productive to use such strict
settings.

The alternative to a handshake error is often an unencrypted submission,
which is basically the opposite of what strict ssl_protocols and
ssl_ciphers tries to achieve.

Even big and established providers like Amazon SES are incompatible with the current
settings.

This reverts commit 2ddf46ad2b.
2020-09-10 20:38:15 +02:00
Wolfgang Jung
1f4e9165fa Disables unencrypted http on TLS_ERROR 2020-09-09 21:35:08 +02:00
Wolfgang Jung
f999e3de08 Adds own server on port 80 for letsencrypt and redirect 2020-09-03 23:18:57 +02:00
ofthesun9
cff2e76269 Switching to alpine:3.12 2020-06-15 17:32:56 +02:00
bors[bot]
8844dc67fa
Merge
1392: Use environment variables for cert paths/names in nginx certwatcher r=mergify[bot] a=Nebukadneza

## What type of PR?
bug-fix

## What does this PR do?
Previously, nginx certwatcher would only react to the hardcoded paths. It should have
honored the enviroment variables that are used by config.py too for this.
 
### Related issue(s)
closes 

## Prerequistes
- [x] no feature or enhancement
- [x] minor/internal change


Co-authored-by: Dario Ernst <github@kanojo.de>
2020-03-27 07:56:35 +00:00
bladeswords
2ddf46ad2b
Update crypto to be modern and inline with tls.conf
Updated to match tls.conf and be aligned to more modern cryptographic standards and only use currently secure protocols and ciphers.
2020-03-09 23:12:02 +11:00
Dario Ernst
09024c8008 Use environment variables for cert paths/names in nginx certwatcher
Previously, nginx certwatcher would only react to the hardcoded paths. It should have
honored the enviroment variables that are used by config.py too for this.

closes 
2020-03-07 17:17:17 +00:00
Tom Radtke
4f973f63e6
Upgrading nginx TLS configuration 2020-01-20 10:09:11 +01:00
Michael Wyraz
ace475d23c Certwatcher: Use polling observer to workaround some symlink limitations 2020-01-04 14:39:31 +01:00
Michael Wyraz
09ee3ce95c Install py3-multidict from repository before installing socrate to avoid the need of gcc during build 2019-12-04 19:05:14 +01:00
bors[bot]
0417c791ff
Merge
985: Permit raspberry pi (and other architectures) builds r=mergify[bot] a=abondis

## What type of PR?

Enhancement

## What does this PR do?

Add an option to select base images and permit building for different CPU architectures.

### Related issue(s)
N/A

## Prerequistes

- [X] documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Aurélien Bondis <aurelien.bondis@gmail.com>
Co-authored-by: Aurelien <aurelien.bondis@gmail.com>
2019-10-20 20:41:03 +00:00
bors[bot]
dcda412b99
Merge
1211: Split HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI r=mergify[bot] a=micw

## What type of PR?

bug-fix

## What does this PR do?

Fixes  by separating HOST_ANTISPAM into HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI

### Related issue(s)
- closes 
- closes 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Michael Wyraz <michael@wyraz.de>
2019-10-13 19:44:25 +00:00
bors[bot]
b668eccc17
Merge
1181: Update to address issue  (HTTP headers) r=muhlemmer a=bladeswords

This change should remove the duplicate `x-xss-protection` header and also the `x-powered-by` header.  Hopefully a pull request to main is appropriate, but may be worth back porting to 1.7.

Tested config by modifying live 1.7 nginx config and reloading.  Has had the desired outcome of removing the headers.

```/etc/nginx # nginx -t -c /etc/nginx/nginx.conf 
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/etc/nginx # nginx -s reload
```

These steps were based on:
- https://serverfault.com/questions/928912/how-do-i-remove-a-server-added-header-from-proxied-location
- https://serverfault.com/questions/929571/overwrite-http-headers-comming-back-from-a-web-application-server-proxied-in-ngi
- http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header

## What type of PR?

Enhancement

## What does this PR do?
Removes duplicate and unneeded headers.  See issue  

### Related issue(s)
- issue:  

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ X ] In case of feature or enhancement: documentation updated accordingly
- [ X ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: bladeswords <bladeswords@users.noreply.github.com>
2019-10-13 18:32:51 +00:00
Michael Wyraz
a907fe4cac Split HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI 2019-10-13 20:13:02 +02:00
Michael Wyraz
c20976f071 Allow smtp auth login for TLS port (similar to SSL port) 2019-10-10 10:20:14 +02:00
bors[bot]
20e00ac0c4
Merge
1158: Use nginx for kubernetes ingress r=kaiyou a=micw

## What type of PR?

enhancement

## What does this PR do?

Currently, kubernetes uses a complex ingress setting which is not portable across different ingress controllers. This PR simplifies the ingress and delegates everythins special to Mailu to the front container,

### Related issue(s)
- closes 
- closes 
- closes 
- closes 

## Prerequistes

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog]

Co-authored-by: Michael Wyraz <michael@wyraz.de>
2019-10-07 19:36:45 +00:00
bladeswords
b13d143b34
Update to address issue (HTTP headers)
This change should remove the duplicate `x-xss-protection` header and also the `x-powered-by` header.  Hopefully a pull request to main is appropriate, but may be worth back porting to 1.7.

Tested config by modifying live 1.7 nginx config and reloading.  Has had the desired outcome of removing the headers.

```/etc/nginx # nginx -t -c /etc/nginx/nginx.conf 
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/etc/nginx # nginx -s reload
```

These steps were based on:
- https://serverfault.com/questions/928912/how-do-i-remove-a-server-added-header-from-proxied-location
- https://serverfault.com/questions/929571/overwrite-http-headers-comming-back-from-a-web-application-server-proxied-in-ngi
- http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header
2019-09-26 19:43:29 +10:00
bors[bot]
e46153c0b1
Merge
1114: Resolve HOST to ADDRESS only if ADDRESS is not already set r=mergify[bot] a=micw

## What type of PR?

bug-fix

## What does this PR do?

~Makes the rsolving from hosts to ips at startup configurable~

I rewrote the pull request after  was merged. Now it resolves HOSTs to ADDRESSes only of ADDRESSes are not already set. So on kubernetes we can jsut set the address and have working service discovery.

### Related issue(s)
- closes 

## Prerequistes

~Minor change, backward compatible~
Changelog will be added

Co-authored-by: Michael Wyraz <michael@wyraz.de>
2019-09-17 18:30:27 +00:00
Thomas Sänger
5fa87fbdf7
front: advertise real capabilites of mail-backends 2019-09-04 17:37:28 +02:00
Michael Wyraz
92645bcd4a Use nginx for kubernetes ingress 2019-09-03 10:27:10 +02:00
Michael Wyraz
de2f166bd1 Resolve HOST_* to *_ADDRESS only if *_ADDRESS is not already set 2019-08-31 18:18:58 +02:00
kaiyou
4afbc09d6e Remove unnecessary host variable assignments 2019-08-22 22:44:49 +02:00
Tim Möhlmann
ed0fb77a01
Catch empty WEBMAIL and WEBDAV address 2019-08-21 22:54:42 +03:00
Ionut Filip
075417bf90 Merged master and fixed conflicts 2019-08-21 20:35:24 +03:00
Aurélien Bondis
124b1d4c71 rebase and update for 3.10, avoid adding qemu file to x86 images 2019-08-21 12:24:30 -04:00
hoellen
9de5dc2592 Use python package socrate instead of Mailustart 2019-07-25 10:33:57 +02:00
Dario Ernst
1dbda71401 Adapt shared layer conf to now really-missing mailustart in admin (after merging webpack) 2019-07-14 13:12:59 +00:00
Dario Ernst
0306be1eed Re-add missing MailuStar in admin
It turns out we were all blind and admin *does* use MailuStart
2019-07-14 10:27:57 +00:00