1
0
mirror of https://github.com/Mailu/Mailu.git synced 2025-06-15 00:05:11 +02:00
Commit Graph

89 Commits

Author SHA1 Message Date
b4d3d4b3c9 Preparations for 1.9 release. 2021-12-29 14:40:45 +00:00
a28c7f903e do it once 2021-12-21 09:50:01 +01:00
02c93c44f2 Tweak sessions
simplify:
- make all sessions permanent by default
- update the TTL of sessions on access (save always)
- fix session-expiry, modulo 8byte precision
2021-12-19 20:52:51 +01:00
0315ed78d9 Merge remote-tracking branch 'upstream/master' into update_deps 2021-11-11 11:49:48 +01:00
78dd13a217 Merge #2042
2042: Add MESSAGE_RATELIMIT_EXEMPTION r=mergify[bot] a=nextgens

## What type of PR?

Enhancement

## What does this PR do?

Add a new knob called ```MESSAGE_RATELIMIT_EXEMPTION```.

### Related issue(s)
- #1774

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-11-08 15:29:50 +00:00
b68033eb43 only parse it once 2021-11-08 09:23:24 +01:00
82e14f1292 Merge branch 'master' into update_deps 2021-11-07 21:25:08 +01:00
5714b4f4b0 introduce MESSAGE_RATELIMIT_EXEMPTION 2021-11-06 10:05:52 +01:00
30d7e72765 Move TZ to Advanced settings 2021-11-05 14:44:12 +01:00
81e33d3679 Add default TZ to config manager 2021-11-04 13:21:37 +01:00
ffd99c3fa8 updated flask
ConfigManager should not replace app.config - this is causing trouble
with some other flask modules (swagger).
Updated ConfigManager to only modify app.config and not replace it.
2021-11-03 22:21:26 +01:00
ed7adf52a6 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929 2021-10-25 17:31:25 +00:00
693b578bbb The second strip isn't necessary 2021-10-16 17:24:12 +02:00
1c6165213c better that way 2021-10-16 16:54:56 +02:00
34497cff20 doh 2021-10-16 16:35:48 +02:00
e8871dd77f doh 2021-10-16 16:06:13 +02:00
5b72c32251 Doh 2021-10-16 15:44:26 +02:00
19b784b198 Parse the network configuration only once
thanks @ghostwheel42
2021-10-16 15:18:41 +02:00
99c81c20a7 Introduce AUTH_RATELIMIT_EXEMPTION
This disables rate limiting on specific CIDRs
2021-10-16 10:26:38 +02:00
8414dd5cf0 Merge remote-tracking branch 'upstream/master' into ratelimits 2021-10-16 09:52:20 +02:00
14360f8926 RECIPIENT_DELIMITER can have several characters 2021-10-09 18:28:50 +02:00
8c59f35697 use RECIPIENT_DELIMITER for splitting 2021-10-09 17:43:09 +02:00
64bc7972cc Make AUTH_RATELIMIT_IP 60/hour as discussed 2021-09-24 09:57:28 +02:00
89ea51d570 Implement rate-limits 2021-09-23 18:40:49 +02:00
bf0aad9820 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929 2021-09-22 17:04:13 +02:00
1e8b41f731 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes 2021-09-09 13:22:15 +02:00
b883e3c4a6 duh. 2021-09-09 12:10:34 +02:00
bb40ccc4b0 normalize HOSTNAMES
should be moved to python lib and normalized in start.py
2021-09-09 11:58:27 +02:00
0094268410 allow to change logo. default color for flash msg
- two new environment variables allow to change logo background color
  and graphic
- flash messages are now green (not cyan)
2021-09-06 09:08:51 +02:00
34df8b3168 AdminLTE3 optimizations & compression and caching
- fixed copy of qemu-arm-static for alpine
- added 'set -eu' safeguard
- silenced npm update notification
- added color to webpack call
- changed Admin-LTE default blue
  (core/admin/Dockerfile)

- AdminLTE 3 style tweaks
  (core/admin/assets/app.css)
  (core/admin/mailu/ui/templates/base.html)
  (core/admin/mailu/ui/templates/sidebar.html)

- localized datatables
  (core/admin/Dockerfile)
  (core/admin/assets/app.js)
  (core/admin/package.json)

- moved external javascript code to vendor.js
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/webpack.config.js)

- added mailu logo
  (core/admin/assets/app.js)
  (core/admin/assets/app.css)
  (core/admin/assets/mailu.png)

- moved all inline javascript to app.js
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/domain/create.html)
  (core/admin/mailu/ui/templates/user/create.html)

- added iframe display of rspamd page
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/views/base.py)
  (core/admin/mailu/ui/templates/sidebar.html)
  (core/admin/mailu/ui/templates/antispam.html)

- updated language-selector to display full language names and use post
  (core/admin/assets/app.js)
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/utils.py)
  (core/admin/mailu/ui/views/languages.py)

- added fieldset to group and en/disable input fields
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/user/settings.html)
  (core/admin/mailu/ui/templates/user/reply.html)

- added clipboard copy buttons
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/domain/details.html)

- cleaned external javascript imports
  (core/admin/assets/vendor.js)

- pre-split first hostname for further use
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/client.html)
  (core/admin/mailu/ui/templates/domain/signup.html)

- cache dns_* properties of domain object (immutable during runtime)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/domain/details.html)

- fixed and splitted dns_dkim property of domain object (space missing)
- added autoconfig and tlsa properties to domain object
  (core/admin/mailu/models.py)

- suppressed extra vertical spacing in jinja2 templates
- improved accessibility for screen reader
  (core/admin/mailu/ui/templates/**.html)

- deleted unused/broken /user/forward route
  (core/admin/mailu/ui/templates/user/forward.html)
  (core/admin/mailu/ui/views/users.py)

- updated gunicorn to 20.1.0 to get rid of buffering error at startup
  (core/admin/requirements-prod.txt)

- switched webpack to production mode
  (core/admin/webpack.config.js)

- added css and javascript minimization
- added pre-compression of assets (gzip)
  (core/admin/webpack.config.js)
  (core/admin/package.json)

- removed obsolte dependencies
- switched from node-sass to dart-sass
  (core/admin/package.json)

- changed startup cleaning message from error to info
  (core/admin/mailu/utils.py)

- move client config to "my account" section when logged in
  (core/admin/mailu/ui/templates/sidebar.html)
2021-09-02 22:49:36 +02:00
8868aec0dc Merge master. Make sso login working for admin. 2021-09-02 17:08:50 +02:00
9f66e2672b Use DEFER_ON_TLS_ERROR here too
We just don't know whether the lookup failed because we are under attack
or whether it's a glitch; the safe behaviour is to defer
2021-08-31 20:44:57 +02:00
9ec7590171 Merge branch 'master' of https://github.com/Mailu/Mailu into wildcard_senders 2021-08-19 11:10:14 +02:00
e5972bd9ec Set default message rate limit to 200/day 2021-08-18 15:01:10 +00:00
facc4b6427 Allow specific users to send email from any address 2021-08-14 09:03:57 +02:00
1438253a06 Ratelimit outgoing emails per user 2021-08-08 09:21:14 +02:00
588904078e Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value. 2021-08-06 16:27:07 +02:00
9ef8aaf698 removed double confiog and fixed shaker 2021-06-16 22:06:28 +02:00
4b8bbf760b default to 128 bits 2021-04-04 14:40:49 +02:00
4b71bd56c4 replace flask_kvsession with mailu's own storage 2021-04-04 14:35:31 +02:00
25e8910b89 Merge #1783
1783: Switch to server-side sessions r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It simplifies session management.
- it ensures that sessions will eventually expire (*)
- it implements some mitigation against session-fixation attacks
- it switches from client-side to server-side sessions (in Redis)

It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-10 09:44:31 +00:00
lub
f3f0a4d86d Merge branch 'master' into enforce-tls-admin 2021-03-09 23:40:51 +01:00
b9becd8649 make sessions expire 2021-03-09 14:21:02 +01:00
d459c37432 make session IDs 128bits 2021-03-09 14:20:22 +01:00
d0b34f8e24 Move CREDENTIAL_ROUNDS to advanced settings 2021-03-09 12:05:46 +01:00
7137ba6ff1 Misc improvements to PASSWORD_SCHEME
- remove PASSWORD_SCHEME altogether
- introduce CREDENTIAL_ROUNDS
- migrate all old hashes to the current format
- auto-detect/enable all hash types that passlib supports
- upgrade passlib to 1.7.4 (see #1706: ldap_salted_sha512 support)
2021-03-09 12:04:42 +01:00
464e46b02b Merge #1765
1765: Set sensible cookie flags on the admin app r=mergify[bot] a=nextgens

## What type of PR?

Bugfix

## What does this PR do?

It sets the right flags on the session cookie issued by the admin app.
This should probably be backported as the lack of secure flag on TLS-enabled setup is a high risk vulnerability.

SameSite is hardening / helps against CSRF on modern browsers
HTTPOnly is hardening / helps reduce the impact of XSS

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-09 09:25:04 +00:00
cca4b50915 Merge #1607
1607: _FILE variables for Docker swarm secrets r=mergify[bot] a=lub

## What type of PR?

enhancement

## What does this PR do?

This PR enables usage of DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY to load these values from files instead of supplying them directly. That way it's possible to use Docker secrets.

### Related issue(s)


## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-08 09:07:10 +00:00
0dcc059cd6 Add a new knob as discussed on matrix with lub 2021-03-05 22:26:46 +01:00
aa8cb98906 Set sensible cookie options 2021-02-18 15:47:13 +01:00