1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-20 20:22:38 +02:00
Commit Graph

595 Commits

Author SHA1 Message Date
Diman0
588904078e Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value. 2021-08-06 16:27:07 +02:00
Florent Daigniere
defea3258d update arm builds too 2021-08-03 13:58:54 +02:00
Florent Daigniere
d44608ed04 Merge remote-tracking branch 'upstream/master' into upgrade-alpine 2021-08-03 13:46:47 +02:00
Florent Daigniere
f8362d04e4 Switch to openssl to workaround alpine #12763 2021-08-03 13:44:56 +02:00
bors[bot]
6ea4e3217a
Merge #1901
1901: treat localpart case insensitive again r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

fixes error introduced by #1604 where the localpart of an email address was handled case sensitive.
this screwed things up at various other places.
 
### Related issue(s)

closes #1895
closes #1900

Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-31 08:31:13 +00:00
Alexander Graf
6856c2c80f treat localpart case insensitive again
by lowercasing it where necessary
2021-07-30 22:26:20 +02:00
bors[bot]
656cf22126
Merge #1856
1856: update asset builder dependencies r=mergify[bot] a=ghostwheel42

## What type of PR?

update asset builder dependencies

## What does this PR do?

only include needed dependencies to build mailu assets with nodejs v8

### Related issue(s)

update dependencies as discussed in #1829


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-27 11:55:12 +00:00
bors[bot]
9289fa6420
Merge #1896
1896: save dkim key after creation r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

saves generated dkim key after creation vi web ui.
after the model change the domain object needs to be added and flushed via sqlalchemy.

### Related issue(s)

closes #1892


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-27 10:45:29 +00:00
bors[bot]
9a4c6385e5
Merge #1888
1888: Use threads in gunicorn rather than workers/processes r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

This ensures that we share the auth-cache... will enable memory savings
and may improve performances when a higher number of cores is available

"smarter default"

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-07-25 20:30:47 +00:00
Alexander Graf
54b46a13c6 save dkim key after creation 2021-07-25 15:51:13 +02:00
Alexander Graf
ad1b036f20 fix Email class 2021-07-24 20:21:38 +02:00
Florent Daigniere
8d9f3214cc Use threads in gunicorn rather than processes
This ensures that we share the auth-cache... will enable memory savings
and may improve performances when a higher number of cores is available

"smarter default"
2021-07-24 15:45:25 +02:00
bors[bot]
c5ff72d657
Merge #1857
1857: disable startdate when autoreply is disabled r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

disable the reply startdate field when autoreply is disabled


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-16 06:58:57 +00:00
Florent Daigniere
a0dcd46483 fix #1861: Handle colons in passwords 2021-07-14 09:27:00 +02:00
Alexander Graf
180026bd77 also disable startdate 2021-07-07 11:33:48 +02:00
Alexander Graf
56cfcf8b64 converted tabs to spaces 2021-07-07 10:32:59 +02:00
Alexander Graf
6377ccb2cb re-add jquery and select2 used in app.js 2021-07-07 10:30:07 +02:00
Alexander Graf
3c8a8aa8f0 use less v3 to make less-loader happy 2021-07-06 19:47:13 +02:00
Alexander Graf
1bb059f4c1 switched to newest possible versions for nodejs v8 2021-07-06 19:36:28 +02:00
Alexander Graf
858312a5cb remove explicit jQuery dependency 2021-07-06 18:01:44 +02:00
Alexander Graf
3bb0d68ead add cargo to build cryptography 2021-07-05 23:27:42 +02:00
Alexander Graf
9790dcdabe updated dependencies 2021-07-05 23:04:07 +02:00
Florent Daigniere
420afa53f8 Upgrade to alpine 3.14 2021-07-05 15:50:49 +02:00
bors[bot]
4a5f6b1f92
Merge #1791
1791: Enhanced session handling r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

- replaces flask_kvsession and simplekv with a mailu-specific session store
- call cleanup_sessions before first request and not on startup.
  this allows to run cmdline actions without redis (and makes it faster)
- allow running without redis for debugging purposes by setting MEMORY_SESSIONS to True
- don't sign session id, as it has plenty of entropy (as suggested by nextgens)
- adds method to prune a user's sessions

### Related issue(s)
- enhances and close #1787


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-04 18:04:15 +00:00
Alexander Graf
8b71a92219 use fixed msg for key derivation 2021-07-03 22:32:47 +02:00
Alexander Graf
92896ae646 fix bugs in model and schema introduced by #1604 2021-07-03 11:40:32 +02:00
Alexander Graf
6740c77e43 small bugfix for exception 2021-07-02 18:44:21 +02:00
Alexander Graf
fab3168c23 Merge remote-tracking branch 'upstream/master' into kvsession 2021-06-29 16:38:38 +02:00
Alexander Graf
fbd945390d cleaned imports and fixed datetime and passlib use 2021-06-29 16:13:04 +02:00
Dimitri Huisman
6dc1a19390
Merge branch 'master' into import-export 2021-06-29 15:26:51 +02:00
bors[bot]
fc1a663da2
Merge #1754
1754: centralize Webmail authentication behind the admin panel (SSO) r=mergify[bot] a=nextgens

## What type of PR?

Enhancement: it centralizes the authentication of webmails to the admin interface.

## What does this PR do?

It implements the glue required for webmails to do SSO using the admin interface.
One of the main advantages of centralizing things this way is that it reduces significantly the attack surface available to an unauthenticated attacker (no webmail access until there is a valid Flask session).

Others include the ability to implement 2FA down the line and rate-limit things as required.

### Related issue(s)
- #783

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-06-29 12:32:21 +00:00
bors[bot]
4ff90683ca
Merge #1758 #1776
1758: Implement a simpler credential cache (alternative to #1755) r=mergify[bot] a=nextgens

## What type of PR?

Feature: it implements a credential cache to speedup authentication requests.

## What does this PR do?

Credentials are stored in cold-storage using a slow, salted/iterated hash function to prevent offline bruteforce attacks. This creates a performance bottleneck for no valid reason (see the
rationale/long version on https://github.com/Mailu/Mailu/issues/1194#issuecomment-762115549).

The new credential cache makes things fast again.

This is the simpler version of #1755 (with no new dependencies)

### Related issue(s)
- close #1411
- close #1194 
- close #1755

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1776: optimize generation of transport nexthop r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix and enhancement.

## What does this PR do?

Possibly there should be more input validation when editing a relay, but for now this tries to make the best out of the existing "smtp" attribute while maintaining backwards compatibility. When relay is empty, the transport's nexthop is the MX of the relayed domain to fix #1588 

```
RELAY			NEXTHOP						TRANSPORT
empty			use MX of relay domain				smtp:domain
:port			use MX of relay domain and use port	smtp:domain:port
target			resolve A/AAAA of target			smtp:[target]
target:port		resolve A/AAAA of target and use port	smtp:[target]:port
mx:target		resolve MX of target				smtp:target
mx:target:port	resolve MX of target and use port	smtp:target:port
lmtp:target		resolve A/AAAA of target			lmtp:target
lmtp:target:port	resolve A/AAAA of target and use port	lmtp:target:port

target can also be an IPv4 or IPv6 address (an IPv6 address must be enclosed in []: [2001:DB8::]).
```

When there is proper input validation and existing database entries are migrated this function can be made much shorter again.

### Related issue(s)
- closes #1588 
- closes #1815 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-06-29 12:15:03 +00:00
bors[bot]
d9da8e4bb2
Merge #1746
1746: DNS records for client autoconfiguration (RFC6186) r=Diman0 a=nextgens

## What type of PR?

Feature

## What does this PR do?

Add instructions on how to configure rfc6186 DNS records for client autoconfiguration

### Related issue(s)
- #224
- #498

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-06-29 06:50:27 +00:00
Alexander Graf
3f23e199f6 modified generation of session key and added refresh
- the session key is now generated using
  - a hash of the uid seeded by the apps secret_key (size: SESSION_KEY_BITS)
  - a random token (size: 128 bits)
  - the session's creation time (size: 32 bits)

- redis server side sessions are now refreshed after 1/2 the session lifetime
  even if not modified
- the cookie is also updated if necessary
2021-06-17 17:53:15 +02:00
Alexander Graf
9ef8aaf698 removed double confiog and fixed shaker 2021-06-16 22:06:28 +02:00
Alexander Graf
a1fd44fced added lmtp: prefix and documentation 2021-06-16 16:19:31 +02:00
Florent Daigniere
875308d405 Revert "In fact it could be global"
This reverts commit f52984e4c3.
2021-06-04 09:51:58 +02:00
Florent Daigniere
f52984e4c3 In fact it could be global 2021-06-04 09:41:12 +02:00
Florent Daigniere
ae9206e968 Implement a simple credential cache 2021-06-04 09:41:12 +02:00
Alexander Graf
731ce8ede9 fix permanent sessions. hash uid using SECRET_KEY
clean session in redis only once when starting
2021-04-04 18:02:43 +02:00
Alexander Graf
4b8bbf760b default to 128 bits 2021-04-04 14:40:49 +02:00
Alexander Graf
4b71bd56c4 replace flask_kvsession with mailu's own storage 2021-04-04 14:35:31 +02:00
Vincent Kling
c6d0ef229f
Update messages.po 2021-03-19 10:46:42 +01:00
Alexander Graf
f0f79b23a3 Allow cleanup of sessions by key&value in data
This can be used to delete all sessions belonging to a user/login.
For no it just iterates over all sessions.
This could be enhanced by using a prefix for and deleting by prefix.
2021-03-14 21:38:16 +01:00
Alexander Graf
83b1fbb9d6 Lazy loading of KVSessionExtension
- call cleanup_sessions on first kvstore access
  this allows to run cmdline actions without redis (and makes it faster)
- Allow development using DictStore by setting REDIS_ADDRESS to the empty string in env
- don't sign 64bit random session id as suggested by nextgens
2021-03-14 18:09:21 +01:00
Alexander Graf
8bc4445572 Sync update of localpart, domain_name and email 2021-03-12 17:56:17 +01:00
Alexander Graf
0c38128c4e Add pygments to requirements 2021-03-11 18:38:00 +01:00
Alexander Graf
9cb6962335 Moved MyYamlLexer into logger
now cmdline runs without pygments
2021-03-11 18:12:50 +01:00
Alexander Graf
ce9a9ec572 always init Logger first 2021-03-10 18:50:52 +01:00
Alexander Graf
c17bfae240 correct rfc3339 datetime serialization
now using correct timezone
2021-03-10 18:50:25 +01:00