1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-14 10:53:30 +02:00
Commit Graph

512 Commits

Author SHA1 Message Date
Dimitri Huisman
4f5cb0974e Make sure HTTP header only contains ASCII 2021-08-26 15:11:35 +00:00
Florent Daigniere
b4102ba464 doh 2021-08-19 15:21:39 +02:00
Florent Daigniere
9ec7590171 Merge branch 'master' of https://github.com/Mailu/Mailu into wildcard_senders 2021-08-19 11:10:14 +02:00
Florent Daigniere
7252a73e11 WILDCARD_SENDERS can have spaces 2021-08-19 11:02:03 +02:00
bors[bot]
b57df78dac
Merge #1916
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

A conflict-free version of #1360 implementing per-user sender limits

### Related issue(s)
- close #1360 
- close #1031
- close #1774 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-08-18 19:28:28 +00:00
Dimitri Huisman
e5972bd9ec Set default message rate limit to 200/day 2021-08-18 15:01:10 +00:00
Florent Daigniere
facc4b6427 Allow specific users to send email from any address 2021-08-14 09:03:57 +02:00
Florent Daigniere
dccd8afd51 Thanks @Diman0!
ENEEDSLEEP
2021-08-10 10:20:15 +02:00
Florent Daigniere
5e7d5adf17 AUTH shouldn't happen on port 25 2021-08-09 20:10:49 +02:00
Florent Daigniere
6d244222da better error message 2021-08-09 09:28:19 +02:00
Florent Daigniere
1438253a06 Ratelimit outgoing emails per user 2021-08-08 09:21:14 +02:00
Diman0
588904078e Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value. 2021-08-06 16:27:07 +02:00
bors[bot]
6ea4e3217a
Merge #1901
1901: treat localpart case insensitive again r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

fixes error introduced by #1604 where the localpart of an email address was handled case sensitive.
this screwed things up at various other places.
 
### Related issue(s)

closes #1895
closes #1900

Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-31 08:31:13 +00:00
Alexander Graf
6856c2c80f treat localpart case insensitive again
by lowercasing it where necessary
2021-07-30 22:26:20 +02:00
bors[bot]
9289fa6420
Merge #1896
1896: save dkim key after creation r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

saves generated dkim key after creation vi web ui.
after the model change the domain object needs to be added and flushed via sqlalchemy.

### Related issue(s)

closes #1892


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-27 10:45:29 +00:00
Alexander Graf
54b46a13c6 save dkim key after creation 2021-07-25 15:51:13 +02:00
Alexander Graf
ad1b036f20 fix Email class 2021-07-24 20:21:38 +02:00
bors[bot]
c5ff72d657
Merge #1857
1857: disable startdate when autoreply is disabled r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

disable the reply startdate field when autoreply is disabled


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-16 06:58:57 +00:00
Florent Daigniere
a0dcd46483 fix #1861: Handle colons in passwords 2021-07-14 09:27:00 +02:00
Alexander Graf
180026bd77 also disable startdate 2021-07-07 11:33:48 +02:00
bors[bot]
4a5f6b1f92
Merge #1791
1791: Enhanced session handling r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

- replaces flask_kvsession and simplekv with a mailu-specific session store
- call cleanup_sessions before first request and not on startup.
  this allows to run cmdline actions without redis (and makes it faster)
- allow running without redis for debugging purposes by setting MEMORY_SESSIONS to True
- don't sign session id, as it has plenty of entropy (as suggested by nextgens)
- adds method to prune a user's sessions

### Related issue(s)
- enhances and close #1787


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-04 18:04:15 +00:00
Alexander Graf
8b71a92219 use fixed msg for key derivation 2021-07-03 22:32:47 +02:00
Alexander Graf
92896ae646 fix bugs in model and schema introduced by #1604 2021-07-03 11:40:32 +02:00
Alexander Graf
6740c77e43 small bugfix for exception 2021-07-02 18:44:21 +02:00
Alexander Graf
fab3168c23 Merge remote-tracking branch 'upstream/master' into kvsession 2021-06-29 16:38:38 +02:00
Alexander Graf
fbd945390d cleaned imports and fixed datetime and passlib use 2021-06-29 16:13:04 +02:00
Dimitri Huisman
6dc1a19390
Merge branch 'master' into import-export 2021-06-29 15:26:51 +02:00
bors[bot]
fc1a663da2
Merge #1754
1754: centralize Webmail authentication behind the admin panel (SSO) r=mergify[bot] a=nextgens

## What type of PR?

Enhancement: it centralizes the authentication of webmails to the admin interface.

## What does this PR do?

It implements the glue required for webmails to do SSO using the admin interface.
One of the main advantages of centralizing things this way is that it reduces significantly the attack surface available to an unauthenticated attacker (no webmail access until there is a valid Flask session).

Others include the ability to implement 2FA down the line and rate-limit things as required.

### Related issue(s)
- #783

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-06-29 12:32:21 +00:00
bors[bot]
4ff90683ca
Merge #1758 #1776
1758: Implement a simpler credential cache (alternative to #1755) r=mergify[bot] a=nextgens

## What type of PR?

Feature: it implements a credential cache to speedup authentication requests.

## What does this PR do?

Credentials are stored in cold-storage using a slow, salted/iterated hash function to prevent offline bruteforce attacks. This creates a performance bottleneck for no valid reason (see the
rationale/long version on https://github.com/Mailu/Mailu/issues/1194#issuecomment-762115549).

The new credential cache makes things fast again.

This is the simpler version of #1755 (with no new dependencies)

### Related issue(s)
- close #1411
- close #1194 
- close #1755

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1776: optimize generation of transport nexthop r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix and enhancement.

## What does this PR do?

Possibly there should be more input validation when editing a relay, but for now this tries to make the best out of the existing "smtp" attribute while maintaining backwards compatibility. When relay is empty, the transport's nexthop is the MX of the relayed domain to fix #1588 

```
RELAY			NEXTHOP						TRANSPORT
empty			use MX of relay domain				smtp:domain
:port			use MX of relay domain and use port	smtp:domain:port
target			resolve A/AAAA of target			smtp:[target]
target:port		resolve A/AAAA of target and use port	smtp:[target]:port
mx:target		resolve MX of target				smtp:target
mx:target:port	resolve MX of target and use port	smtp:target:port
lmtp:target		resolve A/AAAA of target			lmtp:target
lmtp:target:port	resolve A/AAAA of target and use port	lmtp:target:port

target can also be an IPv4 or IPv6 address (an IPv6 address must be enclosed in []: [2001:DB8::]).
```

When there is proper input validation and existing database entries are migrated this function can be made much shorter again.

### Related issue(s)
- closes #1588 
- closes #1815 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-06-29 12:15:03 +00:00
bors[bot]
d9da8e4bb2
Merge #1746
1746: DNS records for client autoconfiguration (RFC6186) r=Diman0 a=nextgens

## What type of PR?

Feature

## What does this PR do?

Add instructions on how to configure rfc6186 DNS records for client autoconfiguration

### Related issue(s)
- #224
- #498

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-06-29 06:50:27 +00:00
Alexander Graf
3f23e199f6 modified generation of session key and added refresh
- the session key is now generated using
  - a hash of the uid seeded by the apps secret_key (size: SESSION_KEY_BITS)
  - a random token (size: 128 bits)
  - the session's creation time (size: 32 bits)

- redis server side sessions are now refreshed after 1/2 the session lifetime
  even if not modified
- the cookie is also updated if necessary
2021-06-17 17:53:15 +02:00
Alexander Graf
9ef8aaf698 removed double confiog and fixed shaker 2021-06-16 22:06:28 +02:00
Alexander Graf
a1fd44fced added lmtp: prefix and documentation 2021-06-16 16:19:31 +02:00
Florent Daigniere
875308d405 Revert "In fact it could be global"
This reverts commit f52984e4c3.
2021-06-04 09:51:58 +02:00
Florent Daigniere
f52984e4c3 In fact it could be global 2021-06-04 09:41:12 +02:00
Florent Daigniere
ae9206e968 Implement a simple credential cache 2021-06-04 09:41:12 +02:00
Alexander Graf
731ce8ede9 fix permanent sessions. hash uid using SECRET_KEY
clean session in redis only once when starting
2021-04-04 18:02:43 +02:00
Alexander Graf
4b8bbf760b default to 128 bits 2021-04-04 14:40:49 +02:00
Alexander Graf
4b71bd56c4 replace flask_kvsession with mailu's own storage 2021-04-04 14:35:31 +02:00
Vincent Kling
c6d0ef229f
Update messages.po 2021-03-19 10:46:42 +01:00
Alexander Graf
f0f79b23a3 Allow cleanup of sessions by key&value in data
This can be used to delete all sessions belonging to a user/login.
For no it just iterates over all sessions.
This could be enhanced by using a prefix for and deleting by prefix.
2021-03-14 21:38:16 +01:00
Alexander Graf
83b1fbb9d6 Lazy loading of KVSessionExtension
- call cleanup_sessions on first kvstore access
  this allows to run cmdline actions without redis (and makes it faster)
- Allow development using DictStore by setting REDIS_ADDRESS to the empty string in env
- don't sign 64bit random session id as suggested by nextgens
2021-03-14 18:09:21 +01:00
Alexander Graf
8bc4445572 Sync update of localpart, domain_name and email 2021-03-12 17:56:17 +01:00
Alexander Graf
0c38128c4e Add pygments to requirements 2021-03-11 18:38:00 +01:00
Alexander Graf
9cb6962335 Moved MyYamlLexer into logger
now cmdline runs without pygments
2021-03-11 18:12:50 +01:00
Alexander Graf
ce9a9ec572 always init Logger first 2021-03-10 18:50:52 +01:00
Alexander Graf
c17bfae240 correct rfc3339 datetime serialization
now using correct timezone
2021-03-10 18:50:25 +01:00
Alexander Graf
dc5464f254 Merge remote-tracking branch 'upstream/master' into import-export 2021-03-10 18:32:19 +01:00
Alexander Graf
e90d5548a6 use RFC3339 for last_check
fixed to UTC for now
2021-03-10 18:30:28 +01:00
Florent Daigniere
dd3d03f06d Merge remote-tracking branch 'upstream/master' into webmail-sso 2021-03-10 14:41:12 +01:00