1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-20 20:22:38 +02:00
Commit Graph

2809 Commits

Author SHA1 Message Date
parisni
278878d48d Remove unused deps 2021-06-18 23:36:14 +02:00
parisni
5386e33af3 Reformat python 2021-06-18 23:21:24 +02:00
parisni
49c5c0eba6 Split mailu / roundcube db config
There is no reason to share the flavor since at least the dbname shall be different.
2021-06-18 23:20:25 +02:00
Alexander Graf
3f23e199f6 modified generation of session key and added refresh
- the session key is now generated using
  - a hash of the uid seeded by the apps secret_key (size: SESSION_KEY_BITS)
  - a random token (size: 128 bits)
  - the session's creation time (size: 32 bits)

- redis server side sessions are now refreshed after 1/2 the session lifetime
  even if not modified
- the cookie is also updated if necessary
2021-06-17 17:53:15 +02:00
Alexander Graf
9ef8aaf698 removed double confiog and fixed shaker 2021-06-16 22:06:28 +02:00
Alexander Graf
a1fd44fced added lmtp: prefix and documentation 2021-06-16 16:19:31 +02:00
lub
587901ca51 fix comment in compose .env 2021-06-16 15:03:09 +02:00
lub
18f5a2fc11 update newsfragment #1694 2021-06-16 15:01:55 +02:00
lub
40ad3ca032 only load zlib when compression is used 2021-06-16 14:56:53 +02:00
lub
2316ef1162 update compression algorithms for dovecot 3.3.14
xz is deprecated; lz4 and zstd were not present in our configs before
2021-06-16 14:56:09 +02:00
Dimitri Huisman
21a362fdae Changed config-update to config-import in config-import description. 2021-06-08 07:09:07 +00:00
Linus Gasser
ffa7562079
configurations changed place in 1.8 2021-06-07 07:57:30 +02:00
bors[bot]
42cefab4c2
Merge #1760
1760: Security updates to postgresql r=mergify[bot] a=WebSpider

## What type of PR?

Security update

## What does this PR do?

It fixes vulnerabilities in the sudo package in the postgresql optional container documented in
CVE-2021-23240, CVE-2021-3156 and CVE-2021-23239

### Related issue(s)

None

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Nils Vogels <n.vogels@aves-it.nl>
2021-06-04 07:56:29 +00:00
Florent Daigniere
875308d405 Revert "In fact it could be global"
This reverts commit f52984e4c3.
2021-06-04 09:51:58 +02:00
Florent Daigniere
feff121a9b Merge remote-tracking branch 'upstream/master' into credential-cache-simple 2021-06-04 09:47:43 +02:00
Florent Daigniere
f52984e4c3 In fact it could be global 2021-06-04 09:41:12 +02:00
Florent Daigniere
ae9206e968 Implement a simple credential cache 2021-06-04 09:41:12 +02:00
Dario Ernst
4dbefe8e3a
Merge pull request #1631 from toastboy70/bug/#1536
Change unbound logfile to the empty string
2021-06-03 21:23:29 +02:00
Linus Gasser
1f2aee278c
Reflect override settings for postfix
Also added a stumbling stone when changing postfix.cf
2021-05-13 18:59:18 +02:00
Alexander Graf
731ce8ede9 fix permanent sessions. hash uid using SECRET_KEY
clean session in redis only once when starting
2021-04-04 18:02:43 +02:00
Alexander Graf
4b8bbf760b default to 128 bits 2021-04-04 14:40:49 +02:00
Alexander Graf
4b71bd56c4 replace flask_kvsession with mailu's own storage 2021-04-04 14:35:31 +02:00
Vincent Kling
c6d0ef229f
Update messages.po 2021-03-19 10:46:42 +01:00
bors[bot]
ff4d3f4d37
Merge #1792
1792: Update fail2ban documentation r=mergify[bot] a=ronivay

## What type of PR?

documentation

## What does this PR do?

Update fail2ban documentation. Use DOCKER-USER chain instead of FORWARD chain for fail2ban rules so that they are always processed before any other rules added by docker itself. Also add instructions how to make fail2ban start after docker to prevent fail2ban from failing because of missing DOCKER-USER chain in iptables.

### Related issue(s)
closes #1727 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.




Co-authored-by: ronivay <roni@vayrynen.info>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
2021-03-19 09:18:29 +00:00
Dimitri Huisman
0bdf84dd25
Update faq.rst
Some spelling improvements.
2021-03-19 09:59:16 +01:00
ronivay
75baa1da99 Update fail2ban documentation 2021-03-18 09:46:27 +02:00
Alexander Graf
f0f79b23a3 Allow cleanup of sessions by key&value in data
This can be used to delete all sessions belonging to a user/login.
For no it just iterates over all sessions.
This could be enhanced by using a prefix for and deleting by prefix.
2021-03-14 21:38:16 +01:00
Alexander Graf
83b1fbb9d6 Lazy loading of KVSessionExtension
- call cleanup_sessions on first kvstore access
  this allows to run cmdline actions without redis (and makes it faster)
- Allow development using DictStore by setting REDIS_ADDRESS to the empty string in env
- don't sign 64bit random session id as suggested by nextgens
2021-03-14 18:09:21 +01:00
Alexander Graf
8bc4445572 Sync update of localpart, domain_name and email 2021-03-12 17:56:17 +01:00
Alexander Graf
0c38128c4e Add pygments to requirements 2021-03-11 18:38:00 +01:00
Alexander Graf
9cb6962335 Moved MyYamlLexer into logger
now cmdline runs without pygments
2021-03-11 18:12:50 +01:00
bors[bot]
1fd7a9c578
Merge #1761
1761: check for `ipv6_enabled` in the compose template r=nextgens a=lub

Checking only `ipv6` isn't sufficient, because it has a default value.

## What type of PR?

bug-fix

## What does this PR do?

### Related issue(s)
-

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [it's a minor change] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-11 07:03:59 +00:00
Alexander Graf
ce9a9ec572 always init Logger first 2021-03-10 18:50:52 +01:00
Alexander Graf
c17bfae240 correct rfc3339 datetime serialization
now using correct timezone
2021-03-10 18:50:25 +01:00
Alexander Graf
dc5464f254 Merge remote-tracking branch 'upstream/master' into import-export 2021-03-10 18:32:19 +01:00
Alexander Graf
e90d5548a6 use RFC3339 for last_check
fixed to UTC for now
2021-03-10 18:30:28 +01:00
Florent Daigniere
dd3d03f06d Merge remote-tracking branch 'upstream/master' into webmail-sso 2021-03-10 14:41:12 +01:00
bors[bot]
9c57f2ac39
Merge #1785
1785: Fix bug #1660 (don't replace nested headers) r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Don't replace nested headers (typically in forwarded/attached emails). This will ensure we don't break cryptographic signatures.

### Related issue(s)
- close #1660

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-10 10:14:29 +00:00
bors[bot]
25e8910b89
Merge #1783
1783: Switch to server-side sessions r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It simplifies session management.
- it ensures that sessions will eventually expire (*)
- it implements some mitigation against session-fixation attacks
- it switches from client-side to server-side sessions (in Redis)

It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-10 09:44:31 +00:00
bors[bot]
327884e07c
Merge #1610
1610: add option to enforce inbound starttls r=mergify[bot] a=lub

## What type of PR?

Feature

## What does this PR do?
It implements a check in the auth_http handler to check for Auth-SSL == on and otherwise returns a 530 starttls error.
If INBOUND_TLS_ENFORCE is not set the behaviour is still the same as before, so existing installations should be unaffected.

Although there is a small difference to e.g. smtpd_tls_security_level of Postfix.

Postfix already throws a 530 after mail from, but this solution only throws it after rcpt to. auth_http is only the request after rcpt to, so it's not possible to do it earlier.

### Related issue(s)
#1328 is kinda related, although this PR doesn't solve the issue that the headers will still display ESMTP instead of ESMTPS

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-10 09:14:23 +00:00
bors[bot]
7469bb7087
Merge #1638
1638: Remove the username from the milter_headers r=mergify[bot] a=githtz

Rspamd adds the name of the authenticated user by default. Setting add_smtp_user to false prevents the login to be leaked.

## What type of PR?
Enhancement

## What does this PR do?
This PR prevents the user login to be leaked in sent emails (for example using an alias)

### Related issue(s)
Closes https://github.com/Mailu/Mailu/issues/1465

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: anrc <15327800+githtz@users.noreply.github.com>
2021-03-10 07:30:25 +00:00
lub
f3f0a4d86d
Merge branch 'master' into enforce-tls-admin 2021-03-09 23:40:51 +01:00
Florent Daigniere
b872b46097 towncrier 2021-03-09 20:13:31 +01:00
Florent Daigniere
97be7359fe towncrier 2021-03-09 19:47:34 +01:00
Florent Daigniere
513d2a4c5e Fix bug #1660: nested headers shouldn't be touched 2021-03-09 19:43:08 +01:00
Florent Daigniere
64d757582d Disable anti-csrf on the login form
The rationale is that the attacker doesn't have the password...
and that doing it this way we avoid creating useless sessions
2021-03-09 14:21:02 +01:00
Florent Daigniere
481cb67392 cleanup old sessions on startup 2021-03-09 14:21:02 +01:00
Florent Daigniere
b9becd8649 make sessions expire 2021-03-09 14:21:02 +01:00
Florent Daigniere
a1d32568d6 Regenerate session-ids to prevent session fixation 2021-03-09 14:20:22 +01:00
Florent Daigniere
d459c37432 make session IDs 128bits 2021-03-09 14:20:22 +01:00