mirror of https://github.com/Mailu/Mailu.git synced 2024-12-14 10:53:30 +02:00
Commit Graph

2763 Commits

Author SHA1 Message Date
Florent Daigniere
65a27b1c7f add additional options to make DANE easier 2021-08-20 14:18:07 +02:00
Florent Daigniere
fb8d52ceb2 Merge branch 'master' of https://github.com/Mailu/Mailu into tls_policy_map 2021-08-20 14:17:34 +02:00
bors[bot]
a461f5fa7c
Merge #1904
1904: Allow specific users to send email from any address r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

Allow specific users to send email from any address using the WILDCARD_SENDERS configuration variable.

### Related issue(s)
- closes #1096

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: David Fairbrother <DavidFair@users.noreply.github.com>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
Co-authored-by: Erriez <Erriez@users.noreply.github.com>
2021-08-19 14:48:46 +00:00
bors[bot]
5062ee58dc
Merge #1935
1935: Fix bug #1934: logs flooded with "unbound udp connect failed: Address not available for" r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Revert back to alpine 1.12 for the resolver/unbound container. The official fix is at:
08968baec1
but alpine doesn't ship it yet:
https://pkgs.alpinelinux.org/packages?name=unbound&branch=v3.14

### Related issue(s)
- closes #1934 


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-08-19 14:21:27 +00:00
Florent Daigniere
e1ddbb6eec Rollback to alpine 1.12
it ships unbound 1.10 that doesn't have the bug I think
08968baec1
2021-08-19 15:33:26 +02:00
Florent Daigniere
b4102ba464 doh 2021-08-19 15:21:39 +02:00
Florent Daigniere
fc5758e352 Clarify that it will only work for existing addresses 2021-08-19 11:26:30 +02:00
Florent Daigniere
9ec7590171 Merge branch 'master' of https://github.com/Mailu/Mailu into wildcard_senders 2021-08-19 11:10:14 +02:00
Florent Daigniere
3d018f916c Merge branch 'wildcard_senders' of github.com:nextgens/Mailu into wildcard_senders 2021-08-19 11:03:54 +02:00
Florent Daigniere
7252a73e11 WILDCARD_SENDERS can have spaces 2021-08-19 11:02:03 +02:00
bors[bot]
b57df78dac
Merge #1916
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

A conflict-free version of #1360 implementing per-user sender limits

### Related issue(s)
- close #1360 
- close #1031
- close #1774 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-08-18 19:28:28 +00:00
Dimitri Huisman
4c056db4aa Added documentation for all user statuses. 2021-08-18 18:53:50 +00:00
Dimitri Huisman
e5972bd9ec Set default message rate limit to 200/day 2021-08-18 15:01:10 +00:00
Dimitri Huisman
b7403c850a Document the new setting in webadministration.rst. 2021-08-18 14:56:12 +00:00
bors[bot]
34b35ca9b7
Merge #1922
1922: Harden postfix's configuration r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

It hardens the default configuration:
- disable AUTH commands on port 25 (nginx was not advertising the capability: normal clients wouldn't attempt it)
- fix Forward Secrecy by ensuring that we don't use session tickets and don't cache on forensically carveable mediums
- prevent clear-text credentials from being sent while authenticating to remote relays (this may break things if the relay doesn't support challenge-based authentication NOR STARTTLS - unlikely).
- switch to default RSA key sizes (2048 bits; they get rekeyed every 3 months, and modern clients will do ECC)
- enable ECC certificates (much smaller than RSA keys, faster for a better security margin)
- configure nginx so that it doesn't send the legacy/root CA (clients that require it are unlikely to do TLS 1.2 anyway)

I don't think that any of those changes is impactful enough to warrant being documented.

### Related issue(s)
- close #1804

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Jack Murray <github@c0rporation.com>
2021-08-18 14:25:20 +00:00
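The following master.cf/main.cf fragment is an added illustration, not Mailu's shipped configuration: for each hardening bullet in PR #1922 it shows the stock Postfix setting the change maps onto, with the weaker setting in a comment beside the hardened one. Paths under /certs, the relay host and the service layout are assumptions.

```conf
# ---- master.cf ----
# before: a single smtpd service with smtpd_sasl_auth_enable=yes on port 25 and
# submission alike, so AUTH was accepted on 25 even though nginx never advertised it.
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=no
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes

# ---- main.cf ----
# Forward secrecy: no session tickets (a ticket key decrypts every session it
# protected) and no session cache on a carveable medium.
# before:
#   smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#   smtp_tls_session_cache_database  = btree:${data_directory}/smtp_scache
tls_ssl_options                  = NO_TICKET, NO_COMPRESSION
smtpd_tls_session_cache_database =
smtp_tls_session_cache_database  =

# Outbound relay: plaintext SASL mechanisms (PLAIN/LOGIN) are only offered once
# TLS is up; a relay with neither STARTTLS nor CRAM-MD5/DIGEST-MD5 now fails with
# "no mechanism available" instead of leaking the password.
# before: smtp_sasl_security_options = noanonymous
smtp_sasl_security_options       = noplaintext, noanonymous
smtp_sasl_tls_security_options   = noanonymous
smtp_tls_security_level          = may
relayhost                        = [smtp.relay.example]:587
smtp_sasl_auth_enable            = yes
smtp_sasl_password_maps          = hash:/etc/postfix/sasl_passwd

# Certificates: RSA 2048 and ECDSA served side by side (Postfix >= 3.4); each
# key file is listed before its chain. Issued with e.g.
#   certbot ... --rsa-key-size 2048          (RSA, renewed every 90 days)
#   certbot ... --key-type ecdsa             (ECC)
# before: smtpd_tls_cert_file/smtpd_tls_key_file with one 4096-bit RSA pair.
smtpd_tls_chain_files = /certs/rsa-key.pem, /certs/rsa-fullchain.pem,
                        /certs/ecdsa-key.pem, /certs/ecdsa-fullchain.pem

# 3072-bit DH group for the remaining DHE suites (128-bit security level);
# the parameter name is historical and accepts larger groups.
#   openssl dhparam -out /certs/dhparam.pem 3072
smtpd_tls_dh1024_param_file = /certs/dhparam.pem

# nginx (IMAP/submission front): point ssl_certificate at a file containing
# the leaf plus the intermediate only; the root CA is never sent.
```

Two caveats a practitioner will want: an empty session-cache database means every inbound connection pays a full handshake (Postfix's own default is already empty, the cost is only noticeable if the previous setup relied on resumption), and `noplaintext` applies to the mechanisms available before STARTTLS, so a relay that only offers PLAIN and only over TLS keeps working, while one that offers PLAIN without any TLS stops.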
Jack Murray
dd127f8f06 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
2021-08-18 15:57:53 +02:00
Florent Daigniere
6704cb869a Switch to 3072-bit dhparam (instead of 4096-bit)
We aim for 128 bits of security here
2021-08-18 15:51:16 +02:00
Florent Daigniere
f74497d929 Merge remote-tracking branch 'upstream/master' into harden_postfix 2021-08-18 15:41:59 +02:00
Jack Murray
e304c352a1 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
2021-08-18 15:40:44 +02:00
bors[bot]
966b9cb918
Merge #1928
1928: Change letsencrypt timer from 1h --> 1 day r=mergify[bot] a=jackmurray

There's no need to be calling certbot so frequently. Letsencrypt certificates last for 90 days so polling every hour is just wasteful. Once per day should be more than sufficient to catch any certificates before they even get close to expiring.

## What type of PR?

Enhancement

## What does this PR do?

Reduces unnecessary load on the Letsencrypt ACME servers.

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Jack Murray <github@c0rporation.com>
2021-08-14 21:59:37 +00:00
Jack Murray
7e5a35660a
Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
2021-08-14 14:04:02 +01:00
Florent Daigniere
facc4b6427 Allow specific users to send email from any address 2021-08-14 09:03:57 +02:00
Erriez
a5534a34dc Update Alpine version from 3.10 to 3.14 2021-08-14 09:03:57 +02:00
Florent Daigniere
9e5cfaaec8 towncrier 2021-08-14 09:03:57 +02:00
Florent Daigniere
ee54a615c1 Alpine has removed support for btree and hash 2021-08-14 09:03:57 +02:00
Diman0
4e16c9000b Give docker containers in each test one more minute for starting. 2021-08-14 09:03:57 +02:00
Diman0
146b081119 enhanced security changelog entry and added recommendation to recreate secret_key 2021-08-14 09:03:57 +02:00
Diman0
2132adcc38 Fixed typing error. 2021-08-14 09:03:57 +02:00
Diman0
e3fbf48c5a Improved changelog entry 2021-08-14 09:03:57 +02:00
Dimitri Huisman
9b2afbfa89 Resolve merge conflict 2021-08-14 09:03:57 +02:00
Diman0
b7db90b7ff Update documentation config and release notes page. 2021-08-14 09:03:57 +02:00
Diman0
529994c095 Update CHANGELOG.md and process towncrier newsfragments. 2021-08-14 09:03:57 +02:00
David Fairbrother
24747e33de Add ability to set no WEBROOT_REDIRECT to Nginx
Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
2021-08-14 09:03:57 +02:00
Florent Daigniere
0b16291153 doh 2021-08-14 08:49:28 +02:00
Florent Daigniere
7b847852af fix typo 2021-08-14 08:48:42 +02:00
Florent Daigniere
1db08018da Ensure that we get certificate validation on top90
I have found a list of the top100 email destinations online and ran them
through a script to ensure that all of their MX servers had valid
configuration... this is the result
2021-08-14 08:48:42 +02:00
Florent Daigniere
e1a7657999 Now that postfix has CAs we can switch to secure
encrypt means "ensure we have some confidentiality" whereas secure means
"ensure we have confidentiality while talking to the right peer"
(protects against passive or/and active MITM attacks)
2021-08-14 08:48:42 +02:00
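Added example, not the tls_policy map Mailu ships: a main.cf stanza and an `smtp_tls_policy_maps` table that make the `encrypt` versus `secure` distinction above concrete, together with the `dane` levels the DANE-related commits in this graph refer to. The domains, the CA bundle path and the resolver setup are assumptions.

```conf
# main.cf: opportunistic TLS by default, a trust store so "secure" can verify
# peer certificates, and a per-destination override table.
smtp_tls_security_level = may
smtp_tls_CAfile         = /etc/ssl/certs/ca-certificates.crt
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
# "dane"/"dane-only" need DNSSEC-validated answers from the local resolver
# (in Mailu, the unbound container); without them they behave like "may"/defer.
smtp_dns_support_level  = dnssec
smtp_tls_loglevel       = 1

# /etc/postfix/tls_policy   (rebuild with: postmap /etc/postfix/tls_policy)
#
# encrypt : TLS is mandatory but the certificate is not checked. Stops a
#           passive eavesdropper; an active MITM presenting any certificate
#           still receives the mail.
# secure  : TLS mandatory, the certificate must chain to smtp_tls_CAfile and
#           its name must match. Without match= the name is checked against
#           the next-hop domain and its sub-domains (smtp_tls_secure_cert_match),
#           so a destination whose MX lives in another domain needs match=.
example.com      secure
example.net      secure match=mail.example.net:.example.net
example.org      encrypt
# Destination whose MX hosts publish TLSA records: refuse anything but a
# DANE-verified session (plain "dane" would fall back to "may" without TLSA).
dane.example     dane-only
# Destination whose MX certificate cannot be validated yet: keep it opportunistic
# rather than deferring its mail.
legacy.example   may
```

To check an entry before deploying it, run `posttls-finger -c -l secure example.net mail.example.net .example.net` from the host; it performs the same verification the smtp client would and reports "Verified TLS connection established" or "Untrusted TLS connection established", the same strings that appear in the mail log once `smtp_tls_loglevel = 1` is set. A `secure` entry that turns out to be untrusted defers that destination's mail, which is why the top destinations were checked one by one before the map was switched from `encrypt` to `secure`.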
Florent Daigniere
6149c759f4 doc 2021-08-14 08:48:42 +02:00
Florent Daigniere
b066a5e2ac add a default tls_policy_map 2021-08-14 08:48:42 +02:00
Florent Daigniere
1df79f8132 give PFS a chance 2021-08-14 08:48:04 +02:00
Florent Daigniere
925105075c this is required in fact 2021-08-13 20:35:40 +02:00
Florent Daigniere
772e5efb7d Disable pipelining to prevent bypass 2021-08-11 22:47:29 +02:00
Florent Daigniere
c76a76c0b0 make it optional, add a knob 2021-08-10 12:19:51 +02:00
Florent Daigniere
5e1ba9d4ff towncrier 2021-08-10 12:09:11 +02:00
Florent Daigniere
109a8aa000 Ensure that we always have CERT+INTERMEDIARY CA
Let's encrypt may change things up in the future...
2021-08-10 10:55:21 +02:00
Florent Daigniere
dccd8afd51 Thanks @Diman0!
ENEEDSLEEP
2021-08-10 10:20:15 +02:00
Florent Daigniere
974bcba5ab Restore LOGIN as tests assume it's there 2021-08-10 09:05:02 +02:00
Florent Daigniere
2b05e72ce4 Revert "maybe fix the tests"
This reverts commit f971b47fb9.
2021-08-10 08:51:55 +02:00
Florent Daigniere
f971b47fb9 maybe fix the tests 2021-08-10 08:22:23 +02:00
Florent Daigniere
4a871c0905 this causes trouble with the test 2021-08-09 23:29:17 +02:00