1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-28 23:06:37 +02:00
Commit Graph

1066 Commits

Author SHA1 Message Date
Florent Daigniere
58d0faff7f ensure we clear the token on delete() 2021-12-21 15:59:00 +01:00
Florent Daigniere
2b29cfb3f0 fix cleanup_sessions() 2021-12-21 15:55:59 +01:00
Florent Daigniere
f0247a2faf Use self where appropriate 2021-12-21 15:45:05 +01:00
Florent Daigniere
c161a2c987 syntax 2021-12-21 15:42:12 +01:00
bors[bot]
18865bf03b
Merge #2094
2094: Sessions tweaks r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

- Make all sessions permanent, introduce SESSION_TIMEOUT and PERMANENT_SESSION_LIFETIME.
- Prevent the creation of a session before there is a login attempt
- Ensure that webmail tokens are in sync with sessions

### Related issue(s)
- close #2080 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-12-21 13:08:48 +00:00
Dimitri Huisman
d40be05117 Fix missing edit buttons in alias, relay and fetchmail lists in admin. 2021-12-21 12:10:04 +00:00
Florent Daigniere
a28c7f903e do it once 2021-12-21 09:50:01 +01:00
Dimitri Huisman
f88daa1e77 Add missing cast to int 2021-12-20 21:07:25 +00:00
Florent Daigniere
5f313310d4 regenerate() shouldn't extend lifetime 2021-12-20 09:37:11 +01:00
Florent Daigniere
fe18cf9743 Fix 2080
Ensure that webmail tokens are in sync with sessions
2021-12-19 23:24:44 +01:00
Florent Daigniere
02c93c44f2 Tweak sessions
simplify:
- make all sessions permanent by default
- update the TTL of sessions on access (save always)
- fix session-expiry, modulo 8byte precision
2021-12-19 20:52:51 +01:00
Florent Daigniere
ea96a68eb4 don't create a session if we don't have to 2021-12-19 20:48:29 +01:00
Florent Daigniere
346ace5fb3 Make webmail the default action 2021-12-18 15:38:07 +01:00
bors[bot]
08be233607
Merge #2058
2058: Implement versioning for CI/CD workflow. r=mergify[bot] a=Diman0

## What type of PR?

Feature!

## What does this PR do?
This PR introduces 3 things
- Add versioning (tagging) for branch x.y (1.8). E.g. 1.8.0, 1.8.1 etc.
  - docker repo will contain x.y (latest) and x.y.z (pinned version) images.
  - The X.Y.Z tag is incremented automatically. E.g. if 1.8.0 already exists, then the next merge on 1.8 will result in the new tag 1.8.1 being used.
- Make the version available in the image.
  -  For X.Y and X.Y.Z write the version (X.Y.Z) into /version on the image and add a label with version=X.Y.Z
	  -  This means that the latest X.Y image shows the pinned version (X.Y.Z e.g. 1.8.1) it was based on. Via the tag X.Y.Z you can see the commit hash that triggered the built.
  -  For master write the commit hash into /version on the image and add a label with version={commit hash}
-  Automatic releases. For x.y triggered builts (e.g. merge on 1.9) do a new github release for the pinned x.y.z (e.g. 1.9.2). 
  -  Release shows a static message (see RELEASE_TEMPLATE.md) that explains how to reach the newsfragments folder and change the branch to the tag (x.y.z) mentioned in the release. Now you can get the changelog by reading all newsfragment files in this folder.

This PR does not change anything to our workflow (what we (human persons) do). Our processes are still exactly the same. The above introduced logic is automatic. When we backport to X.Y all the magic for creating the pinned version X.Y.Z is handled by the CI/CD workflow.

### Related issue(s)
- closes #1182

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.

## Testing
Suggested testing steps. This should cover all situations including BORS. It does require that you use your own docker repo or temporarily create a new one.
Suggested testing steps.
1. Create new github repo.
2. Add the required docker secrets to the project (see beginning of CI.yml for the secret names), DOCKER_UN, DOCKER_PW, DOCKER_ORG, DOCKER_ORG_TESTS.
3. Clone the project.
4. Copy the contents of the PR to the cloned project.
5. Push to your new github repo.
6. Now master images are built. Check that images with tag master are pushed to your docker repo
7. Check with docker inspect nginx:master that it has the label version={commit hash}.
8. Run an image, run `docker-compose exec <name> cat /version`. Note that /version also contains the pinned version. For master the pinned version is the commit hash.
9. Create branch 1.8. 
10. Push branch 1.8 to repo.
11. Note that tags 1.8 and 1.8.0 are built and pushed to docker repo
12. Inspect label and /version. Note that 1.8 and 1.8.0 both show version 1.8.0.
13. Push another commit to branch 1.8.
14. Note that tags 1.8 and 1.8.1 are built and pushed to docker repo
15. Inspect label and /version. Note that 1.8 and 1.8.1 both show version 1.8.1.
16. Let's check BORS stuff.
17. Create branch testing.
18. Push the commit with the exact commit text (IMPORTANT!!): `Try #1234:`'.
19. Note that images are built and pushed for tag `pr-1234`.
20. Inspect label and /version. Note that the version is `pr-1234`.
20. Create branch staging.
21. Push the commit with commit text: `Merge #1234`.
22. Note that this image is not pushed to docker (as expected).

but you could also check the GH repo and docker repo I used:
https://github.com/Diman0/Mailu_Fork
https://hub.docker.com/r/diman/rainloop/tags

Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-12-15 09:29:08 +00:00
Dimitri Huisman
d76773b1df Also check the SMTP port for webmail/token 2021-12-14 14:52:15 +00:00
Dimitri Huisman
f26fa8da84 Fix Webmail token check. Fix Auth-Port for Webmail. #2079 2021-12-14 11:26:33 +00:00
Florent Daigniere
4fffdd95e9 Reduce logging level 2021-12-05 15:07:06 +01:00
Dimitri Huisman
f7677543c6 Process code review remarks
- Moved run to bottom of Dockerfile to allow using unmodified / cached states.
- Simplified bash code in deploy.sh.
- Improved the large bash one-liner in CI.yml. It could not handle >9 for 1.x.
2021-11-18 17:21:56 +00:00
Dimitri Huisman
56dd70cf4a Implement versioning for CI/CD workflow (see #1182). 2021-11-17 20:00:04 +00:00
Alexander Graf
aa1d605665
Merge remote-tracking branch 'upstream/master' into passlib 2021-11-16 10:21:08 +01:00
Alexander Graf
84a5514a97
fixed auto reply form 2021-11-12 12:19:45 +01:00
Alexander Graf
cf7914d050
fixed field iteration 2021-11-11 16:00:00 +01:00
Alexander Graf
fd5bdc8650
added localized date output 2021-11-11 12:20:52 +01:00
Alexander Graf
0315ed78d9
Merge remote-tracking branch 'upstream/master' into update_deps 2021-11-11 11:49:48 +01:00
bors[bot]
56cbc56df7
Merge #2044
2044: Vault/rspamd: don't return any key for relayed domains r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR 

Don't return any key for relayed domains. We may want to revisit this (ARC signing)... but in the meantime it saves from a scary message in rspamd.
    
```signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...```


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-11-08 16:01:10 +00:00
bors[bot]
78dd13a217
Merge #2042
2042: Add MESSAGE_RATELIMIT_EXEMPTION r=mergify[bot] a=nextgens

## What type of PR?

Enhancement

## What does this PR do?

Add a new knob called ```MESSAGE_RATELIMIT_EXEMPTION```.

### Related issue(s)
- #1774

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-11-08 15:29:50 +00:00
Florent Daigniere
6bf1a178b9 Go with ghostwheel42's suggestion 2021-11-08 09:34:02 +01:00
Florent Daigniere
b68033eb43 only parse it once 2021-11-08 09:23:24 +01:00
Alexander Graf
82e14f1292
Merge branch 'master' into update_deps 2021-11-07 21:25:08 +01:00
bors[bot]
f0188d9623
Merge #2034
2034: Add timezone to containers r=mergify[bot] a=DjVinnii

## What type of PR?

Enhancement

## What does this PR do?
This PR adds the tzdata package so that the environment variable `TZ` can be used to set the timezone of containers.

### Related issue(s)
- closes #1154 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: DjVinnii <vincentkling@msn.com>
2021-11-07 18:52:43 +00:00
Florent Daigniere
dc6e970a7f handle HTTP too 2021-11-07 12:41:29 +01:00
Florent Daigniere
bbef4bee27 Don't return any key for relayed domains
We may want to revisit this (ARC signing)... but in the meantime
it saves from a scary message in rspamd

signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...
2021-11-07 12:20:31 +01:00
Florent Daigniere
6c6b0b161c Set the right flags on the rate_limit cookie 2021-11-06 10:45:59 +01:00
Florent Daigniere
f9373eacab Merge remote-tracking branch 'upstream/master' into misc 2021-11-06 10:05:59 +01:00
Florent Daigniere
5714b4f4b0 introduce MESSAGE_RATELIMIT_EXEMPTION 2021-11-06 10:05:52 +01:00
DjVinnii
30d7e72765 Move TZ to Advanced settings 2021-11-05 14:44:12 +01:00
DjVinnii
225160610b Set default TZ in Dockerfiles 2021-11-04 14:22:12 +01:00
DjVinnii
81e33d3679 Add default TZ to config manager 2021-11-04 13:21:37 +01:00
Alexander Graf
97e79a973f fix sso login button spacing again 2021-11-04 08:32:53 +01:00
Alexander Graf
73ab4327c2 updated database libraries (sqlalchemy etc.)
this is working fine, but introduces a sqlalchemy warning
when using config-import:

  /app/mailu/schemas.py:822:
    SAWarning: Identity map already had an identity for (...),
    replacing it with newly flushed object.
    Are there load operations occurring inside of an event handler
    within the flush?
2021-11-03 22:57:07 +01:00
Alexander Graf
4669374b9e use python wheels 2021-11-03 22:55:41 +01:00
Alexander Graf
85d86d4156 some more libs updated 2021-11-03 22:55:26 +01:00
Alexander Graf
ffd99c3fa8 updated flask
ConfigManager should not replace app.config - this is causing trouble
with some other flask modules (swagger).
Updated ConfigManager to only modify app.config and not replace it.
2021-11-03 22:21:26 +01:00
Alexander Graf
87884213c4 update misc helper libs 2021-11-03 22:03:51 +01:00
Alexander Graf
56f65d724d update babel 2021-11-03 21:52:59 +01:00
Alexander Graf
5238b00f0b update alembic 2021-11-03 21:33:39 +01:00
Alexander Graf
f613205fe1 update tenacity 2021-11-03 21:30:34 +01:00
Alexander Graf
833ccb5544 reload page using GET when selecting language 2021-11-03 20:38:00 +01:00
Alexander Graf
8b15820b01 fix sso login button spacing 2021-11-03 20:35:05 +01:00
Alexander Graf
26fb108a3f updated Flask-Login 2021-11-03 20:22:47 +01:00
Alexander Graf
abc4112242 updated Werkzeug, Click and Flask-Migrate 2021-11-03 20:12:20 +01:00
Alexander Graf
f1d7bedd1b fix display of range inputs (again) 2021-11-03 19:54:15 +01:00
Alexander Graf
13e6793c9f Merge remote-tracking branch 'upstream/master' into update_deps 2021-11-03 19:35:51 +01:00
Alexander Graf
aca1e13648 update socrate - will be removed later 2021-11-02 20:47:53 +01:00
Alexander Graf
866741bcbe updated WTForms-Components deps 2021-11-02 19:22:58 +01:00
Alexander Graf
ef19869cde updated redis 2021-11-02 18:06:26 +01:00
Alexander Graf
d8efd3057c updated idna 2021-11-02 17:52:25 +01:00
Alexander Graf
8ad8cde0e2 removed some obsolete requirements 2021-11-02 17:06:28 +01:00
Alexander Graf
3ac1b3d86c update pyyaml and pygments 2021-11-02 17:02:54 +01:00
Alexander Graf
40cdff4911 updated dnspython 2021-11-02 16:49:25 +01:00
Alexander Graf
dcbe55f062 updated crypto 2021-11-02 16:28:37 +01:00
Alexander Graf
771b2d1112 duh 2021-11-02 16:21:31 +01:00
Alexander Graf
23d0cd0466 update tabluate. fix audit.py and include in container 2021-11-02 15:55:20 +01:00
Alexander Graf
8d90a74624 update werkzeug to 1.x 2021-11-02 15:39:41 +01:00
bors[bot]
5e212ea46d
Merge #2036
2036: round display of range inputs to 2 decimals r=mergify[bot] a=ghostwheel42

## What type of PR?

small fix

## What does this PR do?

rounds display of range inputs to 2 decimals 

### Related issue(s)

- small fix to #1966

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-11-02 13:34:59 +00:00
Alexander Graf
80be3506da upgrade pip. completed reqs via pip freeze 2021-11-02 13:32:12 +01:00
Alexander Graf
598b2df5a0 update wtforms 2021-11-02 13:04:40 +01:00
Alexander Graf
e8b5f1a185 round display of range inputs to 2 decimals 2021-11-02 12:59:59 +01:00
DjVinnii
1d6809193b Add tzdata to core 2021-11-02 11:18:21 +01:00
Florent Daigniere
f3c93212c6 The Rate-limiter should run after the deny 2021-10-31 19:41:12 +01:00
Alexander Graf
9bc685c30b removed some more whitespace 2021-10-29 15:34:00 +02:00
Alexander Graf
8c31699baf fixed locale selector for no_NB 2021-10-29 15:29:20 +02:00
Alexander Graf
882a27f87c simplified if's and added external link icon 2021-10-29 15:07:25 +02:00
Alexander Graf
3141ffe791 removed some whitespace 2021-10-29 14:26:23 +02:00
Dimitri Huisman
6b16756d92 Fix acessing antispam via sidebar. 2021-10-29 09:22:46 +00:00
Dimitri Huisman
3449b67c86 Process code review remarks PR2023 2021-10-29 08:18:50 +00:00
Dimitri Huisman
8784971b7f Merge rate limiting and failed login logging 2021-10-28 18:55:35 +00:00
Dimitri Huisman
503044ef6e Reintroduce ProxyFix. Use two buttons for logging in. 2021-10-27 21:51:49 +00:00
Dimitri Huisman
c42ad8e71e Forgot to include changes for url_for of base.html 2021-10-27 18:49:36 +00:00
Dimitri Huisman
fb0f005343 Get rid of complicated prefix logic. Further simplify /static handling and nginx config. 2021-10-27 18:36:50 +00:00
Dimitri Huisman
da788ddee3 Merge branch 'fix-sso-1929' of github.com:Diman0/Mailu into fix-sso-1929 2021-10-27 12:38:18 +00:00
Dimitri Huisman
bdcc183165 Redirect to configured ENV VAR for Admin/Webmail, further simplify nginx config. 2021-10-27 11:24:10 +00:00
Florent Daigniere
fee13e6c4b Save a redirect 2021-10-27 11:11:22 +02:00
Florent Daigniere
d3f07a0882 Simplify the handling of /static 2021-10-27 10:56:34 +02:00
Dimitri Huisman
a47afec4ee Make logic more readable. 2021-10-27 08:22:36 +00:00
Dimitri Huisman
48764f0400 Ensure all requests from the page sso go through the page sso. 2021-10-27 08:06:53 +00:00
Dimitri Huisman
aab258d284 Move handling of logging out in admin, to sso logout page. 2021-10-26 11:54:25 +00:00
Dimitri Huisman
615743b331 Improve indendation of conditions. 2021-10-26 11:39:56 +00:00
Dimitri Huisman
5d81846c5d Introduce the shared stub /static for providing all static files 2021-10-26 11:30:06 +00:00
Dimitri Huisman
44d2448412 Updated SSO logic for webmails. Fixed small bug rate limiting. 2021-10-25 19:21:38 +00:00
Dimitri Huisman
f9eee0cbaf Adapt HEALTHCHECK to new URL 2021-10-25 17:43:53 +00:00
Dimitri Huisman
ed7adf52a6 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929 2021-10-25 17:31:25 +00:00
Dimitri Huisman
913a6304a7 Finishing touches. Introduce /static stub for handling all static files. 2021-10-25 17:24:41 +00:00
bors[bot]
a1192d8039
Merge #1987
1987: Enhancement to the rate limits r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Turn the rate-limiters into something useful (that won't fire for no reason).

- fix rate-limiting on /webdav/
- it changes the rate-limiting behaviour from limiting a single IP address to a subnet of a reasonable size (/24 on v4 and /56 on v6 both are now configurable) : AUTH_RATELIMIT_IP / AUTH_RATELIMIT_IP_V4_MASK / AUTH_RATELIMIT_IP_V6_MASK
- It ensures we only use IP-based rate-limits for attempts on accounts that do not exist
- it creates a new rate limit preventing attackers from targetting a specific user account (separate from what's above) : AUTH_RATELIMIT_USER
- it introduces a rate limiting exemption mechanism whereby, upon authentication, users will see their source-ip address being exempt for a specific amount of time AUTH_RATELIMIT_EXEMPTION_LENGTH. A similar mechanism is available for web-based sessions (see below)
- It introduces in AUTH_RATELIMIT_EXEMPTION a comma separated list of network CIDRs that will be exempt from both types of rate limiting
- it implements device-tokens, as described on https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies to ensure that genuine users aren't locked-out by a malicious attacker abusing the rate-limit feature.

Things that could be improved include:
- the IP-based rate limiter flags attempts against "non-existing" accounts: it could go further and flag the number of unique non-existing accounts attempted (to prevent the case of a user making a typo in his MUA configuration)
- the IP address exemption mechanism doesn't pin the exemption to a specific username: any real user can trivially bypass the rate limits (and attempt to brute-force someone else's account)

### Related issue(s)
- close #1926
- close #1745 
- close #1915


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
2021-10-16 15:52:47 +00:00
Florent Daigniere
693b578bbb The second strip isn't necessary 2021-10-16 17:24:12 +02:00
Florent Daigniere
1c6165213c better that way 2021-10-16 16:54:56 +02:00
Florent Daigniere
34497cff20 doh 2021-10-16 16:35:48 +02:00
Florent Daigniere
e8871dd77f doh 2021-10-16 16:06:13 +02:00
Florent Daigniere
5b72c32251 Doh 2021-10-16 15:44:26 +02:00
Florent Daigniere
19b784b198 Parse the network configuration only once
thanks @ghostwheel42
2021-10-16 15:18:41 +02:00
Florent Daigniere
98742268e6 Make it more readable 2021-10-16 15:12:20 +02:00
Florent Daigniere
94bbed9746 Ensure we have the right IP 2021-10-16 10:39:43 +02:00
Florent Daigniere
c5bd82650f doh 2021-10-16 10:30:57 +02:00
Florent Daigniere
99c81c20a7 Introduce AUTH_RATELIMIT_EXEMPTION
This disables rate limiting on specific CIDRs
2021-10-16 10:26:38 +02:00
Florent Daigniere
c674f1567a Merge branch 'ratelimits' of https://github.com/nextgens/Mailu into ratelimits 2021-10-16 09:55:15 +02:00
Florent Daigniere
8414dd5cf0 Merge remote-tracking branch 'upstream/master' into ratelimits 2021-10-16 09:52:20 +02:00
Florent Daigniere
e14d2e7c03 Error out explictely if Auth-Port isn't set 2021-10-16 09:49:01 +02:00
Florent Daigniere
abaa2e8cc3 simplify client_ip 2021-10-16 09:46:21 +02:00
Florent Daigniere
de276a6822 Simplify extract_network_from_ip 2021-10-16 09:45:10 +02:00
Florent Daigniere
3bda8368e4 simplify the Auth-Status check 2021-10-16 09:39:34 +02:00
Florent Daigniere
2dd9ea1506 simplify 2021-10-16 09:36:49 +02:00
Florent Daigniere
068170c0ff Use app instead of flask.current_app where possible 2021-10-16 09:35:01 +02:00
Florent Daigniere
57b0dd490c Initialize user_email in all cases 2021-10-16 09:29:17 +02:00
qy117121
b1425015ef
Update messages.po
Fix wrong text
2021-10-16 03:51:22 +08:00
bors[bot]
afffe4063e
Merge #2018
2018: show dmarc record for report domain in domain details r=mergify[bot] a=ghostwheel42

## What type of PR?

documentation

## What does this PR do?

show dmarc record for report domain in domain details

### Related issue(s)

closes #1382

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-15 12:52:16 +00:00
bors[bot]
9f2aa0aadc
Merge #1986 #2014
1986: Document how to setup client autoconfig r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Document how to setup autoconfig. This works with most open-source MUAs (thunderbird, evolution, ...)

We could go further than that by providing dynamic configuration (issue an auth token for each MUA request)... but it won't work unless a new DNS entry (and matching certificate) is created.

### Related issue(s)
- #224

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


2014: Update Chinese translation r=mergify[bot] a=qy117121

## What type of PR?

translation

## What does this PR do?

Update Chinese translation. Use `zh` instead of `zh_CN`.

### Related issue(s)

none

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: qy117121 <mixuan121@gmail.com>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-15 12:29:46 +00:00
Alexander Graf
7fe15ea9cf added dmarc record for report domain 2021-10-15 14:22:50 +02:00
bors[bot]
a5b1d36171
Merge #2017
2017: rspamd: get dkim keys via REST API instead of filesystem r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement

## What does this PR do?

rspamd now uses hashicorp's vault api v1 to get dkim keys and selectors for a domain.
this allows future enhancement (multiple keys) without reconfiguring and restarting rspamd.
it also makes mounting the /dkim volume into the rspamd container unnecessary.

### Related issue(s)

- improves and closes #2012 
- allows to implement key rotation using multiple selectors (see #1700)
- allows to implement dkim for alternate domains (see #1519)
- fixes and closes #1345 (selector transmitted by admin container is used)
- closes #1179 (no keys on disk)
- allows to implement key rotation from the outside (ie. via a helper script talking to some dns provider's api) (see #547)

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-15 12:08:40 +00:00
Alexander Graf
7b0c5935a8 only support GET method in vault 2021-10-15 13:16:37 +02:00
Alexander Graf
303fae00fb cleanup modules. use dkim selector from config 2021-10-14 23:25:42 +02:00
Alexander Graf
dc9f970a91 removed zh_CN and updated locale-map for datatables 2021-10-14 23:15:42 +02:00
Alexander Graf
893705169e PoC rspamd use dkimkeys from admin using vault api 2021-10-14 23:01:53 +02:00
Florent Daigniere
632ce663ee Prevent logins with no password 2021-10-14 18:04:49 +02:00
qy117121
866f784d06
Create messages.po
Update the translation
2021-10-14 15:05:32 +08:00
qy117121
251eea5553
Update messages.po
Updated translation
2021-10-14 15:03:23 +08:00
Florent Daigniere
7277e0b4e4
Merge branch 'master' into ratelimits 2021-10-12 14:47:00 +02:00
bors[bot]
8c8c1b2015
Merge #1997
1997: Prevent traceback when using non-email in login r=mergify[bot] a=ghostwheel42

There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('`@',` 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "`@")`
```

## What type of PR?

enhancement

## What does this PR do?

replace traceback (ERROR) with error message (WARNING)

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-10-12 12:07:08 +00:00
bors[bot]
9b01e663b2
Merge #2007
2007: allow sending emails as user+detail@domain.tld r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix or enhancement

## What does this PR do?

Allows sending emails with an added "+detail" in the local part.
 
### Related issue(s)

closes #1948

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: root <ghostwheel42@users.noreply.github.com>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-10-09 17:01:25 +00:00
Florent Daigniere
14360f8926 RECIPIENT_DELIMITER can have several characters 2021-10-09 18:28:50 +02:00
root
8c59f35697 use RECIPIENT_DELIMITER for splitting 2021-10-09 17:43:09 +02:00
Alexander Graf
1d571dedfc split localpart into user and tag 2021-10-09 17:11:12 +02:00
Florent Daigniere
d131d863ba The if needs to be inside the block 2021-10-09 15:44:56 +02:00
Alexander Graf
aaf3ddd002 moved javascript to app.js 2021-10-08 20:06:21 +02:00
Florent Daigniere
b48779ea70 SESSION_COOKIE_SECURE and HTTP won't work 2021-10-08 10:17:03 +02:00
Florent Daigniere
10d78a888b Derive a new subkey for SRS 2021-10-01 15:00:10 +02:00
Alexander Graf
65133a960a Prevent traceback when using non-email in login
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
2021-09-28 10:38:37 +02:00
Diman0
f4cde61148 Make header translatable. More finishing touches. 2021-09-24 15:29:28 +02:00
Florent Daigniere
7d56ed3b70 Merge branch 'master' of https://github.com/Mailu/Mailu into ratelimits 2021-09-24 13:40:59 +02:00
Diman0
fbe0a446b9 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929 2021-09-24 13:05:06 +02:00
Florent Daigniere
1e07b85fa1 doh 2021-09-24 10:20:21 +02:00
Diman0
9894b49cbd Merge/Update with changes from master 2021-09-24 10:07:52 +02:00
Florent Daigniere
24aadf2f52 ensure we log when the rate limiter hits 2021-09-24 10:07:41 +02:00
Florent Daigniere
64bc7972cc Make AUTH_RATELIMIT_IP 60/hour as discussed 2021-09-24 09:57:28 +02:00
Florent Daigniere
cab0ce2017 doh 2021-09-23 19:01:09 +02:00
Florent Daigniere
a9340e61f5 Log auth attempts on /admin 2021-09-23 18:48:23 +02:00
Florent Daigniere
89ea51d570 Implement rate-limits 2021-09-23 18:40:49 +02:00
Diman0
bf0aad9820 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929 2021-09-22 17:04:13 +02:00
bors[bot]
4c5c6c3b5f
Merge #1966
1966: AdminLTE3 optimizations & compression and caching r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement, bugfix

## What does this PR do?

Optimization and cleanup of styles and javascript code for AdminLTE 3
Adds caching headers, gzip and robots.txt to nginx.

### Related issue(s)

Makes #1800 even better. Thanks to `@DjVinnii` and `@Diman0` for the good work.
Closes #1905

## Prerequistes

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-09-22 10:00:34 +00:00
bors[bot]
b329971b87
Merge #1971
1971: Updated Polish translation. r=mergify[bot] a=ghostwheel42

## What type of PR?

translation

## What does this PR do?

Update polish translation. Used `pl/LC_MESSAGES/messages.po` from PR #1751 created by `@martys71`
Part of Discussion of 1.9 roadmap #1930

### Related issue(s)

closes #1751 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-09-22 09:01:37 +00:00
Alexander Graf
25cf8b5358 better help formatting 2021-09-13 15:13:29 +02:00
Alexander Graf
b63081cb48 display error (not exception) when creating admin
repleace misleading python exception (mailu broken)
with error message stating that the admin user is
already present
2021-09-13 14:49:49 +02:00
Alexander Graf
7bec8029a4 strip not necessary anymore 2021-09-09 21:41:03 +02:00
Alexander Graf
1e8b41f731 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes 2021-09-09 13:22:15 +02:00
Alexander Graf
b883e3c4a6 duh. 2021-09-09 12:10:34 +02:00
Alexander Graf
bb40ccc4b0 normalize HOSTNAMES
should be moved to python lib and normalized in start.py
2021-09-09 11:58:27 +02:00
Alexander Graf
45a2be3766 Updated Polish translation.
Used pl/LC_MESSAGES/messages.po from PR#1751 created by martys71
2021-09-06 18:42:50 +02:00
bors[bot]
d464187477
Merge #1964
1964: Alpine3.14.2 r=mergify[bot] a=nextgens

Upgrade to alpine 3.14.2, retry upgrading unbound & switch back to libressl

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-09-06 15:59:10 +00:00
Alexander Graf
0094268410 allow to change logo. default color for flash msg
- two new environment variables allow to change logo background color
  and graphic
- flash messages are now green (not cyan)
2021-09-06 09:08:51 +02:00
Alexander Graf
d8b4a016af use blue color from https://mailu.io/ 2021-09-06 08:41:49 +02:00
bors[bot]
6fe265b548
Merge #1968
1968: optimize handle_authentication r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

catch utf-8 decoding errors and log a warning in handle_authentication instead of writing a traceback into the log.

### Related issue(s)

closes #1361

## Prerequistes

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-09-05 20:19:00 +00:00
Alexander Graf
90c96bdddc optimize handle_authentication
- catch decoding of nginx headers (utf-8 exception)
- re-ordered function
2021-09-05 19:47:10 +02:00
Florent Daigniere
0ee52ba65b Doh 2021-09-05 19:03:54 +02:00
Florent Daigniere
0f0459e9b2 suggestions from @ghostwheel42 2021-09-05 18:49:07 +02:00
Alexander Graf
7bede55fce more verbose cleaning message 2021-09-05 17:48:20 +02:00
Florent Daigniere
a9a1b3e55e Reduce the EDNS0 size to 1232
@see
https://github.com/dns-violations/dnsflagday/issues/125
2021-09-05 15:28:59 +02:00
Alexander Graf
7fd605cc21 fixed brand link target for normal users 2021-09-03 13:41:33 +02:00
Diman0
b148e41d9b Fix nginx config 2021-09-03 13:01:09 +02:00
Florent Daigniere
d8c22db547 Merge remote-tracking branch 'upstream/master' into policyd-mta-sts 2021-09-03 11:37:43 +02:00
Alexander Graf
8cdd7e911d duh. removed debug 2021-09-02 23:36:49 +02:00
Alexander Graf
2ba0d552e0 Merge remote-tracking branch 'upstream/master' into passlib 2021-09-02 23:00:39 +02:00
Alexander Graf
34df8b3168 AdminLTE3 optimizations & compression and caching
- fixed copy of qemu-arm-static for alpine
- added 'set -eu' safeguard
- silenced npm update notification
- added color to webpack call
- changed Admin-LTE default blue
  (core/admin/Dockerfile)

- AdminLTE 3 style tweaks
  (core/admin/assets/app.css)
  (core/admin/mailu/ui/templates/base.html)
  (core/admin/mailu/ui/templates/sidebar.html)

- localized datatables
  (core/admin/Dockerfile)
  (core/admin/assets/app.js)
  (core/admin/package.json)

- moved external javascript code to vendor.js
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/webpack.config.js)

- added mailu logo
  (core/admin/assets/app.js)
  (core/admin/assets/app.css)
  (core/admin/assets/mailu.png)

- moved all inline javascript to app.js
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/domain/create.html)
  (core/admin/mailu/ui/templates/user/create.html)

- added iframe display of rspamd page
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/views/base.py)
  (core/admin/mailu/ui/templates/sidebar.html)
  (core/admin/mailu/ui/templates/antispam.html)

- updated language-selector to display full language names and use post
  (core/admin/assets/app.js)
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/utils.py)
  (core/admin/mailu/ui/views/languages.py)

- added fieldset to group and en/disable input fields
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/user/settings.html)
  (core/admin/mailu/ui/templates/user/reply.html)

- added clipboard copy buttons
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/domain/details.html)

- cleaned external javascript imports
  (core/admin/assets/vendor.js)

- pre-split first hostname for further use
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/client.html)
  (core/admin/mailu/ui/templates/domain/signup.html)

- cache dns_* properties of domain object (immutable during runtime)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/domain/details.html)

- fixed and splitted dns_dkim property of domain object (space missing)
- added autoconfig and tlsa properties to domain object
  (core/admin/mailu/models.py)

- suppressed extra vertical spacing in jinja2 templates
- improved accessibility for screen reader
  (core/admin/mailu/ui/templates/**.html)

- deleted unused/broken /user/forward route
  (core/admin/mailu/ui/templates/user/forward.html)
  (core/admin/mailu/ui/views/users.py)

- updated gunicorn to 20.1.0 to get rid of buffering error at startup
  (core/admin/requirements-prod.txt)

- switched webpack to production mode
  (core/admin/webpack.config.js)

- added css and javascript minimization
- added pre-compression of assets (gzip)
  (core/admin/webpack.config.js)
  (core/admin/package.json)

- removed obsolte dependencies
- switched from node-sass to dart-sass
  (core/admin/package.json)

- changed startup cleaning message from error to info
  (core/admin/mailu/utils.py)

- move client config to "my account" section when logged in
  (core/admin/mailu/ui/templates/sidebar.html)
2021-09-02 22:49:36 +02:00
Diman0
960033525d configure sso in nginx 2021-09-02 18:02:20 +02:00
Diman0
8868aec0dc Merge master. Make sso login working for admin. 2021-09-02 17:08:50 +02:00
Diman0
1cfc9ee1c4 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929 2021-09-02 13:38:57 +02:00
Diman0
9fac3d7ad3 Initial implementation for standalone sso page 2021-09-02 13:36:42 +02:00
Florent Daigniere
d7c2b510c7 Give alpine 3.14.2 a shot 2021-09-01 18:56:44 +02:00
Florent Daigniere
fe186afb6f Revert "Switch to openssl to workaround alpine #12763"
This reverts commit f8362d04e4.
2021-09-01 18:52:35 +02:00
Florent Daigniere
c1d94bb725 Ensure that postfix will be able to use the TLSA records
see https://www.huque.com/dane/testsite/ for the testcases
2021-09-01 09:01:04 +02:00
Florent Daigniere
9f66e2672b Use DEFER_ON_TLS_ERROR here too
We just don't know whether the lookup failed because we are under attack
or whether it's a glitch; the safe behaviour is to defer
2021-08-31 20:44:57 +02:00
Florent Daigniere
a1da4daa4c Implement the DANE-only lookup policyd
https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67 for
context
2021-08-31 20:24:06 +02:00
Dimitri Huisman
5f18860669 Remove workaround. Remove deprecated url-loader. 2021-08-31 10:04:44 +00:00
Dimitri Huisman
60be06e298 Temporary workaround to get FontAwesome icons working. 2021-08-31 08:08:33 +00:00
Dimitri Huisman
5da7a06675 Resolve webpack.config.js error 2021-08-30 15:01:05 +00:00
Dimitri Huisman
00276d8b70
Merge branch 'master' into AdminLTE-3 2021-08-28 17:43:29 +02:00
bors[bot]
6e32092abd
Merge #1873
1873: Completed Hebrew translation r=mergify[bot] a=yarons

The Hebrew translation is incomplete so I've completed it.

Co-authored-by: Yaron Shahrabani <sh.yaron@gmail.com>
2021-08-27 14:37:54 +00:00
Dimitri Huisman
169a540692 Use punycode for HTTP header for radicale and create changelog 2021-08-27 08:20:52 +00:00
Dimitri Huisman
4f5cb0974e Make sure HTTP header only contains ASCII 2021-08-26 15:11:35 +00:00
Florent Daigniere
b4102ba464 doh 2021-08-19 15:21:39 +02:00
Florent Daigniere
9ec7590171 Merge branch 'master' of https://github.com/Mailu/Mailu into wildcard_senders 2021-08-19 11:10:14 +02:00
Florent Daigniere
7252a73e11 WILDCARD_SENDERS can have spaces 2021-08-19 11:02:03 +02:00
bors[bot]
b57df78dac
Merge #1916
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

A conflict-free version of #1360 implementing per-user sender limits

### Related issue(s)
- close #1360 
- close #1031
- close #1774 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2021-08-18 19:28:28 +00:00
Dimitri Huisman
e5972bd9ec Set default message rate limit to 200/day 2021-08-18 15:01:10 +00:00
Florent Daigniere
facc4b6427 Allow specific users to send email from any address 2021-08-14 09:03:57 +02:00
Diman0
5afbf37292 Resolve build issues 2021-08-13 15:12:33 +02:00
Dimitri Huisman
df64601b28
Merge branch 'master' into AdminLTE-3 2021-08-13 14:06:46 +02:00
Florent Daigniere
dccd8afd51 Thanks @Diman0!
ENEEDSLEEP
2021-08-10 10:20:15 +02:00
Florent Daigniere
5e7d5adf17 AUTH shouldn't happen on port 25 2021-08-09 20:10:49 +02:00
Florent Daigniere
6d244222da better error message 2021-08-09 09:28:19 +02:00
Florent Daigniere
1438253a06 Ratelimit outgoing emails per user 2021-08-08 09:21:14 +02:00
Diman0
588904078e Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value. 2021-08-06 16:27:07 +02:00
Florent Daigniere
defea3258d update arm builds too 2021-08-03 13:58:54 +02:00
Florent Daigniere
d44608ed04 Merge remote-tracking branch 'upstream/master' into upgrade-alpine 2021-08-03 13:46:47 +02:00
Florent Daigniere
f8362d04e4 Switch to openssl to workaround alpine #12763 2021-08-03 13:44:56 +02:00
bors[bot]
6ea4e3217a
Merge #1901
1901: treat localpart case insensitive again r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

fixes error introduced by #1604 where the localpart of an email address was handled case sensitive.
this screwed things up at various other places.
 
### Related issue(s)

closes #1895
closes #1900

Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-31 08:31:13 +00:00
Alexander Graf
6856c2c80f treat localpart case insensitive again
by lowercasing it where necessary
2021-07-30 22:26:20 +02:00
bors[bot]
656cf22126
Merge #1856
1856: update asset builder dependencies r=mergify[bot] a=ghostwheel42

## What type of PR?

update asset builder dependencies

## What does this PR do?

only include needed dependencies to build mailu assets with nodejs v8

### Related issue(s)

update dependencies as discussed in #1829


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-27 11:55:12 +00:00
bors[bot]
9289fa6420
Merge #1896
1896: save dkim key after creation r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

saves generated dkim key after creation vi web ui.
after the model change the domain object needs to be added and flushed via sqlalchemy.

### Related issue(s)

closes #1892


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-27 10:45:29 +00:00
bors[bot]
9a4c6385e5
Merge #1888
1888: Use threads in gunicorn rather than workers/processes r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

This ensures that we share the auth-cache... will enable memory savings
and may improve performances when a higher number of cores is available

"smarter default"

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-07-25 20:30:47 +00:00
Alexander Graf
54b46a13c6 save dkim key after creation 2021-07-25 15:51:13 +02:00
Alexander Graf
c2c3030a2f rephrased comments 2021-07-24 20:54:58 +02:00
Alexander Graf
ad1b036f20 fix Email class 2021-07-24 20:21:38 +02:00
Florent Daigniere
8d9f3214cc Use threads in gunicorn rather than processes
This ensures that we share the auth-cache... will enable memory savings
and may improve performances when a higher number of cores is available

"smarter default"
2021-07-24 15:45:25 +02:00
Yaron Shahrabani
e0bf75ae17
Completed Hebrew translation 2021-07-19 09:15:42 +03:00
bors[bot]
c5ff72d657
Merge #1857
1857: disable startdate when autoreply is disabled r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

disable the reply startdate field when autoreply is disabled


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-16 06:58:57 +00:00
Florent Daigniere
a0dcd46483 fix #1861: Handle colons in passwords 2021-07-14 09:27:00 +02:00
Alexander Graf
180026bd77 also disable startdate 2021-07-07 11:33:48 +02:00
Alexander Graf
56cfcf8b64 converted tabs to spaces 2021-07-07 10:32:59 +02:00
Alexander Graf
6377ccb2cb re-add jquery and select2 used in app.js 2021-07-07 10:30:07 +02:00
Alexander Graf
3c8a8aa8f0 use less v3 to make less-loader happy 2021-07-06 19:47:13 +02:00
Alexander Graf
1bb059f4c1 switched to newest possible versions for nodejs v8 2021-07-06 19:36:28 +02:00
Alexander Graf
858312a5cb remove explicit jQuery dependency 2021-07-06 18:01:44 +02:00
Alexander Graf
3f91dcb7af compile scheme list using a generator 2021-07-06 13:48:53 +02:00
Alexander Graf
3bb0d68ead add cargo to build cryptography 2021-07-05 23:27:42 +02:00
Alexander Graf
9790dcdabe updated dependencies 2021-07-05 23:04:07 +02:00
Florent Daigniere
420afa53f8 Upgrade to alpine 3.14 2021-07-05 15:50:49 +02:00
bors[bot]
4a5f6b1f92
Merge #1791
1791: Enhanced session handling r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

- replaces flask_kvsession and simplekv with a mailu-specific session store
- call cleanup_sessions before first request and not on startup.
  this allows to run cmdline actions without redis (and makes it faster)
- allow running without redis for debugging purposes by setting MEMORY_SESSIONS to True
- don't sign session id, as it has plenty of entropy (as suggested by nextgens)
- adds method to prune a user's sessions

### Related issue(s)
- enhances and close #1787


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-07-04 18:04:15 +00:00
Alexander Graf
8b71a92219 use fixed msg for key derivation 2021-07-03 22:32:47 +02:00
Alexander Graf
92896ae646 fix bugs in model and schema introduced by #1604 2021-07-03 11:40:32 +02:00
Alexander Graf
6740c77e43 small bugfix for exception 2021-07-02 18:44:21 +02:00
Alexander Graf
fab3168c23 Merge remote-tracking branch 'upstream/master' into kvsession 2021-06-29 16:38:38 +02:00
Alexander Graf
fbd945390d cleaned imports and fixed datetime and passlib use 2021-06-29 16:13:04 +02:00
Dimitri Huisman
6dc1a19390
Merge branch 'master' into import-export 2021-06-29 15:26:51 +02:00
bors[bot]
fc1a663da2
Merge #1754
1754: centralize Webmail authentication behind the admin panel (SSO) r=mergify[bot] a=nextgens

## What type of PR?

Enhancement: it centralizes the authentication of webmails to the admin interface.

## What does this PR do?

It implements the glue required for webmails to do SSO using the admin interface.
One of the main advantages of centralizing things this way is that it reduces significantly the attack surface available to an unauthenticated attacker (no webmail access until there is a valid Flask session).

Others include the ability to implement 2FA down the line and rate-limit things as required.

### Related issue(s)
- #783

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-06-29 12:32:21 +00:00
bors[bot]
4ff90683ca
Merge #1758 #1776
1758: Implement a simpler credential cache (alternative to #1755) r=mergify[bot] a=nextgens

## What type of PR?

Feature: it implements a credential cache to speedup authentication requests.

## What does this PR do?

Credentials are stored in cold-storage using a slow, salted/iterated hash function to prevent offline bruteforce attacks. This creates a performance bottleneck for no valid reason (see the
rationale/long version on https://github.com/Mailu/Mailu/issues/1194#issuecomment-762115549).

The new credential cache makes things fast again.

This is the simpler version of #1755 (with no new dependencies)

### Related issue(s)
- close #1411
- close #1194 
- close #1755

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1776: optimize generation of transport nexthop r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix and enhancement.

## What does this PR do?

Possibly there should be more input validation when editing a relay, but for now this tries to make the best out of the existing "smtp" attribute while maintaining backwards compatibility. When relay is empty, the transport's nexthop is the MX of the relayed domain to fix #1588 

```
RELAY			NEXTHOP						TRANSPORT
empty			use MX of relay domain				smtp:domain
:port			use MX of relay domain and use port	smtp:domain:port
target			resolve A/AAAA of target			smtp:[target]
target:port		resolve A/AAAA of target and use port	smtp:[target]:port
mx:target		resolve MX of target				smtp:target
mx:target:port	resolve MX of target and use port	smtp:target:port
lmtp:target		resolve A/AAAA of target			lmtp:target
lmtp:target:port	resolve A/AAAA of target and use port	lmtp:target:port

target can also be an IPv4 or IPv6 address (an IPv6 address must be enclosed in []: [2001:DB8::]).
```

When there is proper input validation and existing database entries are migrated this function can be made much shorter again.

### Related issue(s)
- closes #1588 
- closes #1815 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2021-06-29 12:15:03 +00:00
bors[bot]
d9da8e4bb2
Merge #1746
1746: DNS records for client autoconfiguration (RFC6186) r=Diman0 a=nextgens

## What type of PR?

Feature

## What does this PR do?

Add instructions on how to configure rfc6186 DNS records for client autoconfiguration

### Related issue(s)
- #224
- #498

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-06-29 06:50:27 +00:00
Alexander Graf
3f23e199f6 modified generation of session key and added refresh
- the session key is now generated using
  - a hash of the uid seeded by the apps secret_key (size: SESSION_KEY_BITS)
  - a random token (size: 128 bits)
  - the session's creation time (size: 32 bits)

- redis server side sessions are now refreshed after 1/2 the session lifetime
  even if not modified
- the cookie is also updated if necessary
2021-06-17 17:53:15 +02:00
Alexander Graf
9ef8aaf698 removed double confiog and fixed shaker 2021-06-16 22:06:28 +02:00
Alexander Graf
a1fd44fced added lmtp: prefix and documentation 2021-06-16 16:19:31 +02:00
Florent Daigniere
875308d405 Revert "In fact it could be global"
This reverts commit f52984e4c3.
2021-06-04 09:51:58 +02:00
Florent Daigniere
f52984e4c3 In fact it could be global 2021-06-04 09:41:12 +02:00
Florent Daigniere
ae9206e968 Implement a simple credential cache 2021-06-04 09:41:12 +02:00
DjVinnii
419fed5e6e Add language selector 2021-04-12 14:23:06 +02:00
Alexander Graf
731ce8ede9 fix permanent sessions. hash uid using SECRET_KEY
clean session in redis only once when starting
2021-04-04 18:02:43 +02:00
Alexander Graf
4b8bbf760b default to 128 bits 2021-04-04 14:40:49 +02:00
Alexander Graf
4b71bd56c4 replace flask_kvsession with mailu's own storage 2021-04-04 14:35:31 +02:00
DjVinnii
7dafa22762 Add /language/<language> route for changing the locale using a session variable 2021-04-03 10:33:08 +02:00
DjVinnii
f30cca1263 Do imports based on AdminLTE plugins 2021-04-03 10:32:01 +02:00
DjVinnii
a4bb42faeb Remove extra space between 'AdminLTE' and 'on' in footer 2021-04-02 09:22:05 +02:00
DjVinnii
b2498e8c8f Refactor box macro to card 2021-04-01 19:47:59 +02:00
DjVinnii
5ddea07c9a Fix form input append class 2021-04-01 19:46:38 +02:00
DjVinnii
1db0a870f3 Fix log in icon in sidebar 2021-04-01 19:45:49 +02:00
DjVinnii
51346c4860 Fix pre- and append styling 2021-04-01 18:30:13 +02:00
DjVinnii
e963e7495d Create datatable based on dataTable class instead of table class 2021-04-01 18:02:50 +02:00
DjVinnii
0984173504 Change label to badge 2021-04-01 16:54:25 +02:00
DjVinnii
8246497d16 Add card header to tables 2021-04-01 16:51:33 +02:00
DjVinnii
49d68fa6d1 Fix horizontal scrollbar in sidebar 2021-04-01 16:51:13 +02:00
DjVinnii
7d3c9d412d Change tables to datatables 2021-04-01 16:05:30 +02:00
DjVinnii
cdfa94c243 Make main action float right 2021-04-01 14:59:12 +02:00
DjVinnii
0c5fda3fca Change macros.box to macros.card 2021-04-01 14:47:41 +02:00
DjVinnii
deca6e0c4a update user/settings 2021-04-01 14:45:12 +02:00
DjVinnii
6b3170cb4c Update side menu 2021-04-01 14:42:15 +02:00
DjVinnii
c97728289b Update node version for building the image (AdminLTE requires node 10 or higher) 2021-04-01 11:34:03 +02:00
DjVinnii
e46d9e1fc9 Update admin-lte version in package.json 2021-04-01 11:26:37 +02:00
Vincent Kling
c6d0ef229f
Update messages.po 2021-03-19 10:46:42 +01:00
Alexander Graf
f0f79b23a3 Allow cleanup of sessions by key&value in data
This can be used to delete all sessions belonging to a user/login.
For no it just iterates over all sessions.
This could be enhanced by using a prefix for and deleting by prefix.
2021-03-14 21:38:16 +01:00
Alexander Graf
83b1fbb9d6 Lazy loading of KVSessionExtension
- call cleanup_sessions on first kvstore access
  this allows to run cmdline actions without redis (and makes it faster)
- Allow development using DictStore by setting REDIS_ADDRESS to the empty string in env
- don't sign 64bit random session id as suggested by nextgens
2021-03-14 18:09:21 +01:00
Alexander Graf
8bc4445572 Sync update of localpart, domain_name and email 2021-03-12 17:56:17 +01:00
Alexander Graf
0c38128c4e Add pygments to requirements 2021-03-11 18:38:00 +01:00
Alexander Graf
9cb6962335 Moved MyYamlLexer into logger
now cmdline runs without pygments
2021-03-11 18:12:50 +01:00
Alexander Graf
ce9a9ec572 always init Logger first 2021-03-10 18:50:52 +01:00
Alexander Graf
c17bfae240 correct rfc3339 datetime serialization
now using correct timezone
2021-03-10 18:50:25 +01:00
Alexander Graf
dc5464f254 Merge remote-tracking branch 'upstream/master' into import-export 2021-03-10 18:32:19 +01:00
Alexander Graf
e90d5548a6 use RFC3339 for last_check
fixed to UTC for now
2021-03-10 18:30:28 +01:00
Florent Daigniere
dd3d03f06d Merge remote-tracking branch 'upstream/master' into webmail-sso 2021-03-10 14:41:12 +01:00
bors[bot]
25e8910b89
Merge #1783
1783: Switch to server-side sessions r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It simplifies session management.
- it ensures that sessions will eventually expire (*)
- it implements some mitigation against session-fixation attacks
- it switches from client-side to server-side sessions (in Redis)

It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-10 09:44:31 +00:00
lub
f3f0a4d86d
Merge branch 'master' into enforce-tls-admin 2021-03-09 23:40:51 +01:00
Florent Daigniere
64d757582d Disable anti-csrf on the login form
The rationale is that the attacker doesn't have the password...
and that doing it this way we avoid creating useless sessions
2021-03-09 14:21:02 +01:00
Florent Daigniere
481cb67392 cleanup old sessions on startup 2021-03-09 14:21:02 +01:00
Florent Daigniere
b9becd8649 make sessions expire 2021-03-09 14:21:02 +01:00
Florent Daigniere
a1d32568d6 Regenerate session-ids to prevent session fixation 2021-03-09 14:20:22 +01:00
Florent Daigniere
d459c37432 make session IDs 128bits 2021-03-09 14:20:22 +01:00
Florent Daigniere
22af5b8432 Switch to server-side sessions in redis 2021-03-09 14:20:22 +01:00
Alexander Graf
dd2e218375 Merge remote-tracking branch 'upstream/master' into import-export 2021-03-09 13:31:21 +01:00
Florent Daigniere
96ae54d04d CryptContext should be a singleton 2021-03-09 12:05:46 +01:00
Florent Daigniere
5f05fee8b3 Don't need regexps anymore 2021-03-09 12:05:46 +01:00
Florent Daigniere
1c5b58cba4 Remove scheme_dict 2021-03-09 12:05:46 +01:00
Florent Daigniere
df230cb482 Refactor auth under nginx.check_credentials() 2021-03-09 12:05:46 +01:00
Florent Daigniere
f9ed517b39 Be specific token length 2021-03-09 12:05:46 +01:00
Florent Daigniere
d0b34f8e24 Move CREDENTIAL_ROUNDS to advanced settings 2021-03-09 12:05:46 +01:00
Florent Daigniere
fda758e2b4 remove merge artifact 2021-03-09 12:04:42 +01:00
Florent Daigniere
57a6abaf50 Remove {scheme} from the DB if mailu has set it 2021-03-09 12:04:42 +01:00
Florent Daigniere
7137ba6ff1 Misc improvements to PASSWORD_SCHEME
- remove PASSWORD_SCHEME altogether
- introduce CREDENTIAL_ROUNDS
- migrate all old hashes to the current format
- auto-detect/enable all hash types that passlib supports
- upgrade passlib to 1.7.4 (see #1706: ldap_salted_sha512 support)
2021-03-09 12:04:42 +01:00
Florent Daigniere
00b001f76b Improve the token storage format
shortcomings of the previous format included:
- 1000x slower than it should be (no point in adding rounds since there
 is enough entropy: they are not bruteforceable)
- vulnerable to DoS as explained in
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.sha256_crypt.html#security-issues
2021-03-09 12:04:42 +01:00
Florent Daigniere
eb7895bd1c Don't do more work than necessary (/webdav)
This is also fixing tokens on /webdav/
2021-03-09 12:04:42 +01:00
Florent Daigniere
58b2cdc428 Don't do more work than necessary 2021-03-09 12:04:42 +01:00
bors[bot]
464e46b02b
Merge #1765
1765: Set sensible cookie flags on the admin app r=mergify[bot] a=nextgens

## What type of PR?

Bugfix

## What does this PR do?

It sets the right flags on the session cookie issued by the admin app.
This should probably be backported as the lack of secure flag on TLS-enabled setup is a high risk vulnerability.

SameSite is hardening / helps against CSRF on modern browsers
HTTPOnly is hardening / helps reduce the impact of XSS

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-09 09:25:04 +00:00
bors[bot]
47d6c697d0
Merge #1763
1763: show flash messages again r=mergify[bot] a=lub

## What type of PR?

bug-fix

## What does this PR do?
This basically restores the behaviour, that got removed in
ecdf0c25b3 during refactoring.

### Related issue(s)
- noticed it while reviewing #1756

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [-] In case of feature or enhancement: documentation updated accordingly
- [-] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-08 11:53:10 +00:00
bors[bot]
cca4b50915
Merge #1607
1607: _FILE variables for Docker swarm secrets r=mergify[bot] a=lub

## What type of PR?

enhancement

## What does this PR do?

This PR enables usage of DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY to load these values from files instead of supplying them directly. That way it's possible to use Docker secrets.

### Related issue(s)


## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-08 09:07:10 +00:00
Florent Daigniere
0dcc059cd6 Add a new knob as discussed on matrix with lub 2021-03-05 22:26:46 +01:00
Jaume Barber
5bb67dfcbb Translated using Weblate (Basque)
Currently translated at 100.0% (151 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/eu/
2021-03-04 18:46:27 +00:00