1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-20 20:22:38 +02:00
Commit Graph

53 Commits

Author SHA1 Message Date
Diman0
588904078e Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value. 2021-08-06 16:27:07 +02:00
Alexander Graf
9ef8aaf698 removed double confiog and fixed shaker 2021-06-16 22:06:28 +02:00
Alexander Graf
4b8bbf760b default to 128 bits 2021-04-04 14:40:49 +02:00
Alexander Graf
4b71bd56c4 replace flask_kvsession with mailu's own storage 2021-04-04 14:35:31 +02:00
bors[bot]
25e8910b89
Merge #1783
1783: Switch to server-side sessions r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It simplifies session management.
- it ensures that sessions will eventually expire (*)
- it implements some mitigation against session-fixation attacks
- it switches from client-side to server-side sessions (in Redis)

It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-10 09:44:31 +00:00
lub
f3f0a4d86d
Merge branch 'master' into enforce-tls-admin 2021-03-09 23:40:51 +01:00
Florent Daigniere
b9becd8649 make sessions expire 2021-03-09 14:21:02 +01:00
Florent Daigniere
d459c37432 make session IDs 128bits 2021-03-09 14:20:22 +01:00
Florent Daigniere
d0b34f8e24 Move CREDENTIAL_ROUNDS to advanced settings 2021-03-09 12:05:46 +01:00
Florent Daigniere
7137ba6ff1 Misc improvements to PASSWORD_SCHEME
- remove PASSWORD_SCHEME altogether
- introduce CREDENTIAL_ROUNDS
- migrate all old hashes to the current format
- auto-detect/enable all hash types that passlib supports
- upgrade passlib to 1.7.4 (see #1706: ldap_salted_sha512 support)
2021-03-09 12:04:42 +01:00
bors[bot]
464e46b02b
Merge #1765
1765: Set sensible cookie flags on the admin app r=mergify[bot] a=nextgens

## What type of PR?

Bugfix

## What does this PR do?

It sets the right flags on the session cookie issued by the admin app.
This should probably be backported as the lack of secure flag on TLS-enabled setup is a high risk vulnerability.

SameSite is hardening / helps against CSRF on modern browsers
HTTPOnly is hardening / helps reduce the impact of XSS

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-09 09:25:04 +00:00
bors[bot]
cca4b50915
Merge #1607
1607: _FILE variables for Docker swarm secrets r=mergify[bot] a=lub

## What type of PR?

enhancement

## What does this PR do?

This PR enables usage of DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY to load these values from files instead of supplying them directly. That way it's possible to use Docker secrets.

### Related issue(s)


## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-08 09:07:10 +00:00
Florent Daigniere
0dcc059cd6 Add a new knob as discussed on matrix with lub 2021-03-05 22:26:46 +01:00
Florent Daigniere
aa8cb98906 Set sensible cookie options 2021-02-18 15:47:13 +01:00
Dimitri Huisman
78890a97ff Preparations for 1.8 release. 2020-10-01 20:32:05 +02:00
lub
f0f873ffe7 add option to enforce inbound starttls 2020-09-01 21:48:09 +02:00
lub
02cfe326d3 support using files for SECRET_KEY and DB_PW
this enables usage of e.g. docker swarm secrets instead of exposing the
passwords directly via environment variables

just use DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY
2020-08-30 01:04:36 +02:00
Philip Rosenberg-Watt
27e37577c6 Add IPv6 to allow_nets
Roundcube was not connecting to sieve with IPv6 enabled.

Fixes #1336
2020-02-03 14:53:04 -07:00
Michael Wyraz
a7f787f914 Make rate limit for subnet (webmail) configurable 2019-12-16 18:46:17 +01:00
Michael Wyraz
a907fe4cac Split HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI 2019-10-13 20:13:02 +02:00
hoellen
d3dd4802f4 Change default password scheme to PBKDF2 (#1194) 2019-10-07 22:29:03 +02:00
Michael Wyraz
de2f166bd1 Resolve HOST_* to *_ADDRESS only if *_ADDRESS is not already set 2019-08-31 18:18:58 +02:00
kaiyou
d50504fa2b Only set the redis address once, fixes #1125 2019-08-23 00:29:00 +02:00
Tim Möhlmann
348ea1a572
Remove obsolete log call 2019-08-21 21:33:49 +03:00
Ionut Filip
075417bf90 Merged master and fixed conflicts 2019-08-21 20:35:24 +03:00
Mildred Ki'Lya
95dce5575b Parameterize redis address 2019-08-15 11:28:17 +02:00
hoellen
81a8acf9ec fix resolve issue 2019-06-30 13:18:55 +02:00
kaiyou
baa5a8a4e0 Fix hostname resolution 2019-06-24 23:54:53 +02:00
kaiyou
c20a502695 Do not forcefully resolve optional hostnames 2019-06-24 20:54:50 +02:00
kaiyou
d7747639e9 Remove the dependency to mailustart, introducing socrate 2019-06-23 14:19:05 +02:00
Ionut Filip
dd7710951e
Replaced double quotes with single ones 2019-03-08 14:45:22 +02:00
Ionut Filip
4c25c83419 HOST_* and *_ADDRESS variables cleanup 2019-02-18 14:46:48 +02:00
Ionut Filip
f9e3cd3c5d Use corret host_* variables 2019-02-15 16:49:56 +02:00
Ionut Filip
ef49357eb3 Update redis urls 2019-02-15 16:07:23 +02:00
Ionut Filip
43abbf4d63 Resolve redis and add logging 2019-02-15 15:37:55 +02:00
Ionut Filip
cebc64a280 Resolve HOST_WEBMAIL in admin 2019-02-13 11:48:32 +02:00
bors[bot]
86b4242f82 Merge #886
886: Ipv6 support r=mergify[bot] a=muhlemmer

## What type of PR?

(Feature, enhancement, bug-fix, documentation) -> A bit of everything

## What does this PR do?

Document how to use ipv6nat. This, however triggers some kind of flaky behavior with the Docker DNS resolver, resulting in lookup failures between containers.  So all resolving needs to be done during container startup/configuration.

In order not to pollute every single start.py file, we've created a small library called [Mailu/MailuStart](https://github.com/Mailu/MailuStart). As an addition, this library also defines the template generation function, including its logging facility.

Note: `docker-compose.yml` downgrade is necessary, as IPv6 settings are not supported by the Docker Compose file format 3 😞  

### Related issue(s)
Supersedes  PR #844
- Fixes #827 
- Hopefully helps with #829 and #834

## No backport yet

This PR directly imports MailuStart from git. This makes it a bit more simple to implement on the short term an do some testing and probably some future improvements. When everything is proved stable, we will create a proper PyPi package with versioning and consider back porting.

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: place entry in the [changelog](CHANGELOG.md), under the latest un-released version.


Co-authored-by: Ionut Filip <ionut.philip@gmail.com>
Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>
2019-02-06 12:56:40 +00:00
Ionut Filip
f8dffe5a19
Resolve hosts in admin 2019-01-25 17:26:45 +02:00
Tim Möhlmann
fd236e4ea5
Fix syntax error 2019-01-17 18:06:40 +02:00
nathan-sain
23bad0e042
Set value for SQLALCHEMY_DATABASE_URI in admin DEFAULT_CONFIG to SQLite URI 2019-01-17 07:58:47 -06:00
nathan-sain
db8977e17a
Update SQLite DB file in DEFAULT_CONFIG and DB_TEMPLATES 2019-01-17 00:32:12 -06:00
Dario Ernst
66df7a31b0 Unify and coerce booleans from env used in admin
At some places, the string that DOMAIN_REGISTRATION is got used like a boolean
(an easy misassumption to make while in python and dealing with the config
dict), making `DOMAIN_REGISTRATION=False` act as a truthy value. To stop such
future problems from happening, coerce environment config strings to real
bools.

closes #830
2019-01-13 10:22:32 +01:00
Ionut Filip
01ec6e7bf3 Removed undefined function 2019-01-04 16:48:51 +02:00
Tim Möhlmann
b2823c23b8
Merge remote-tracking branch 'upstream/master' into feat-psql-support 2018-12-31 18:20:39 +02:00
kaiyou
8707b0fcd7 Use a dictionary of db connection string templates 2018-12-10 15:30:53 +01:00
kaiyou
a881a1a839 Revert "Make current migrations work with postgresql"
This reverts commit 9b9f3731f6.
2018-12-10 15:03:12 +01:00
Tim Möhlmann
8172f3eab8
Move the Mailu Docker network to a fixed subnet.
This will make network configuration and host based authentication
more robust, across different deployment platforms.
The options `RELAYNETS` and`POD_ADDRESS_RANGE` are kept for compatibility.
However, their usage have become optional.
2018-12-06 12:08:22 +02:00
Tim Möhlmann
47a3fd47b5
Fix DB_FLAVOR condition testing for models.py 2018-11-20 18:18:33 +02:00
Tim Möhlmann
9b9f3731f6
Make current migrations work with postgresql 2018-11-19 19:10:38 +02:00
Tim Möhlmann
8bdc0c71af
Allow for setting a different DB flavor 2018-11-14 14:58:54 +02:00