1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-14 10:53:30 +02:00
Commit Graph

2436 Commits

Author SHA1 Message Date
Florent Daigniere
b872b46097 towncrier 2021-03-09 20:13:31 +01:00
Florent Daigniere
64d757582d Disable anti-csrf on the login form
The rationale is that the attacker doesn't have the password...
and that doing it this way we avoid creating useless sessions
2021-03-09 14:21:02 +01:00
Florent Daigniere
481cb67392 cleanup old sessions on startup 2021-03-09 14:21:02 +01:00
Florent Daigniere
b9becd8649 make sessions expire 2021-03-09 14:21:02 +01:00
Florent Daigniere
a1d32568d6 Regenerate session-ids to prevent session fixation 2021-03-09 14:20:22 +01:00
Florent Daigniere
d459c37432 make session IDs 128bits 2021-03-09 14:20:22 +01:00
Florent Daigniere
22af5b8432 Switch to server-side sessions in redis 2021-03-09 14:20:22 +01:00
bors[bot]
7e2db9c9c3
Merge #1753
1753: Better password storage r=nextgens a=nextgens

## What type of PR?

Enhancement: optimization of the logic to speedup authentication requests, support the import of most hashes passlib supports.

## What does this PR do?

- it changes the default password cold-storage format to sha256+bcrypt
- it enhances the logic to ensure that no CPU cycles are wasted when valid credentials are found
- it fixes token authentication on /webdav/
- it lowers the number of rounds used for token storage (on the basis that they are high-entropy: not bruteforceable and speed matters)
- it introduces a new setting to set the number of rounds used by the password hashing function (CREDENTIAL_ROUNDS). The setting can be adjusted as required and existing hashes will be migrated to the new cost-factor.
- it updates the version of passlib in use and enables all supported hash types (that will be converted to the current settings on first use)
- it removes the PASSWORD_SCHEME setting

### Related issue(s)
- close #1194
- close #1662
- close #1706

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-09 11:12:36 +00:00
Florent Daigniere
96ae54d04d CryptContext should be a singleton 2021-03-09 12:05:46 +01:00
Florent Daigniere
5f05fee8b3 Don't need regexps anymore 2021-03-09 12:05:46 +01:00
Florent Daigniere
1c5b58cba4 Remove scheme_dict 2021-03-09 12:05:46 +01:00
Florent Daigniere
45e5cb9bb3 Improve the towncrier messages 2021-03-09 12:05:46 +01:00
Florent Daigniere
20d2b621aa Improve the description of CREDENTIAL_ROUNDS 2021-03-09 12:05:46 +01:00
Florent Daigniere
df230cb482 Refactor auth under nginx.check_credentials() 2021-03-09 12:05:46 +01:00
Florent Daigniere
f9ed517b39 Be specific token length 2021-03-09 12:05:46 +01:00
Florent Daigniere
d0b34f8e24 Move CREDENTIAL_ROUNDS to advanced settings 2021-03-09 12:05:46 +01:00
Florent Daigniere
29306d5abb Fix the tests (again) 2021-03-09 12:04:42 +01:00
Florent Daigniere
89d88e0c19 Fix the test 2021-03-09 12:04:42 +01:00
Florent Daigniere
fda758e2b4 remove merge artifact 2021-03-09 12:04:42 +01:00
Florent Daigniere
927bd2bd8e towncrier 2021-03-09 12:04:42 +01:00
Florent Daigniere
57a6abaf50 Remove {scheme} from the DB if mailu has set it 2021-03-09 12:04:42 +01:00
Florent Daigniere
7137ba6ff1 Misc improvements to PASSWORD_SCHEME
- remove PASSWORD_SCHEME altogether
- introduce CREDENTIAL_ROUNDS
- migrate all old hashes to the current format
- auto-detect/enable all hash types that passlib supports
- upgrade passlib to 1.7.4 (see #1706: ldap_salted_sha512 support)
2021-03-09 12:04:42 +01:00
Florent Daigniere
00b001f76b Improve the token storage format
shortcomings of the previous format included:
- 1000x slower than it should be (no point in adding rounds since there
 is enough entropy: they are not bruteforceable)
- vulnerable to DoS as explained in
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.sha256_crypt.html#security-issues
2021-03-09 12:04:42 +01:00
Florent Daigniere
eb7895bd1c Don't do more work than necessary (/webdav)
This is also fixing tokens on /webdav/
2021-03-09 12:04:42 +01:00
Florent Daigniere
58b2cdc428 Don't do more work than necessary 2021-03-09 12:04:42 +01:00
bors[bot]
c0266ef455
Merge #1777
1777: Add mergify to the list of trusted authors r=Diman0 a=nextgens

The idea is to prevent backports from being stuck pending review for too long.

#1767 was created by a trusted author (p0) ... reviewed and merged to master relatively quickly... but it's backport got stuck for a week (#1768) as it required double the number of reviews.

This probably needs to be backported to be effective

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-09 10:29:37 +00:00
bors[bot]
464e46b02b
Merge #1765
1765: Set sensible cookie flags on the admin app r=mergify[bot] a=nextgens

## What type of PR?

Bugfix

## What does this PR do?

It sets the right flags on the session cookie issued by the admin app.
This should probably be backported as the lack of secure flag on TLS-enabled setup is a high risk vulnerability.

SameSite is hardening / helps against CSRF on modern browsers
HTTPOnly is hardening / helps reduce the impact of XSS

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-09 09:25:04 +00:00
bors[bot]
0f8d2077a5
Merge #1691
1691: update webmails to PHP 7.4 r=mergify[bot] a=lub

## What type of PR?

update

## What does this PR do?

### Related issue(s)

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.



I think it's a minor change, which needs no changelog.

I've tested rainloop, would be great if someone could test roundcube, because I don't use it.

Co-authored-by: lub <git@lubiland.de>
2021-03-09 08:20:10 +00:00
bors[bot]
47d6c697d0
Merge #1763
1763: show flash messages again r=mergify[bot] a=lub

## What type of PR?

bug-fix

## What does this PR do?
This basically restores the behaviour, that got removed in
ecdf0c25b3 during refactoring.

### Related issue(s)
- noticed it while reviewing #1756

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [-] In case of feature or enhancement: documentation updated accordingly
- [-] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-08 11:53:10 +00:00
bors[bot]
81f8cbec56
Merge #1711 #1712
1711: fix typo in faq.rst r=Diman0 a=tomwojcik



1712: Add details for postfix-overrides r=mergify[bot] a=sholl

## What type of PR?

Documentation clarification

## What does this PR do?

### Related issue(s)

this clarifies the FAQ about overrides and fixes #1628 


Co-authored-by: Tomasz Wójcik <tomwojcik@users.noreply.github.com>
Co-authored-by: Stephan Holl <stephan@holl-land.de>
Co-authored-by: Stephan Holl <1610827+sholl@users.noreply.github.com>
2021-03-08 10:10:52 +00:00
bors[bot]
ce0c93a681
Merge #1618
1618: add OCSP stapling to nginx.conf r=mergify[bot] a=lub

It's not added in tls.conf, because apparently the mail ssl module
doesnt' support OCSP stapling.

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
^ exists

https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_stapling
^ missing

When the configured certificate doesn't have OCSP information, it'll
just log a warning during startup.

## What type of PR?

enhancement

## What does this PR do?

It enables OCSP stapling for the http server. OCSP stapling reduces roundtrips for the client and reduces load on OCSP responders.

### Related issue(s)
- fixes  #1616

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-08 09:39:25 +00:00
bors[bot]
cca4b50915
Merge #1607
1607: _FILE variables for Docker swarm secrets r=mergify[bot] a=lub

## What type of PR?

enhancement

## What does this PR do?

This PR enables usage of DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY to load these values from files instead of supplying them directly. That way it's possible to use Docker secrets.

### Related issue(s)


## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-08 09:07:10 +00:00
Florent Daigniere
0dcc059cd6 Add a new knob as discussed on matrix with lub 2021-03-05 22:26:46 +01:00
Jaume Barber
5bb67dfcbb Translated using Weblate (Basque)
Currently translated at 100.0% (151 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/eu/
2021-03-04 18:46:27 +00:00
Jaume Barber
a49b9d7974 Translated using Weblate (Catalan)
Currently translated at 99.3% (150 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ca/
2021-03-04 18:46:26 +00:00
Jaume Barber
cd9992f79c Translated using Weblate (Swedish)
Currently translated at 74.2% (121 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/sv/
2021-03-04 18:46:25 +00:00
Jaume Barber
afae5d1c24 Translated using Weblate (Russian)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ru/
2021-03-04 18:46:25 +00:00
Jaume Barber
7a01a63389 Translated using Weblate (Portuguese)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/pt/
2021-03-04 18:46:24 +00:00
Jaume Barber
480ec29d3d Translated using Weblate (Italian)
Currently translated at 91.4% (149 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/it/
2021-03-04 18:46:24 +00:00
Jaume Barber
5e96a4bfcf Translated using Weblate (Spanish)
Currently translated at 91.4% (149 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/es/
2021-03-04 18:46:24 +00:00
Jaume Barber
6143d66eb8 Translated using Weblate (English)
Currently translated at 39.2% (64 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-04 18:46:24 +00:00
Anonymous
6da5978870 Translated using Weblate (German)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/de/
2021-03-04 18:46:24 +00:00
Anonymous
58c22fd2c6 Translated using Weblate (English)
Currently translated at 38.6% (63 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 18:18:39 +00:00
Jaume Barber
0dc8817f32 Translated using Weblate (English)
Currently translated at 38.6% (63 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 18:18:39 +00:00
Anonymous
3d17000ceb Translated using Weblate (English)
Currently translated at 29.4% (48 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 17:57:27 +00:00
Jaume Barber
a2933d00f3 Translated using Weblate (English)
Currently translated at 29.4% (48 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 17:57:26 +00:00
Jaume Barber
7c0158c5f8 Translated using Weblate (English)
Currently translated at 17.7% (29 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 17:17:18 +00:00
Anonymous
7de94275a0 Translated using Weblate (English)
Currently translated at 17.7% (29 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
2021-03-03 17:17:18 +00:00
Jaume Barber
43133d8515 Added translation using Weblate (Basque) 2021-03-03 17:05:23 +00:00
Jaume Barber
5e0aa65c8d Translated using Weblate (Italian)
Currently translated at 96.3% (157 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/it/
2021-03-03 17:03:23 +00:00