1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-14 10:53:30 +02:00
Commit Graph

2466 Commits

Author SHA1 Message Date
DjVinnii
e963e7495d Create datatable based on dataTable class instead of table class 2021-04-01 18:02:50 +02:00
DjVinnii
0984173504 Change label to badge 2021-04-01 16:54:25 +02:00
DjVinnii
8246497d16 Add card header to tables 2021-04-01 16:51:33 +02:00
DjVinnii
49d68fa6d1 Fix horizontal scrollbar in sidebar 2021-04-01 16:51:13 +02:00
DjVinnii
7d3c9d412d Change tables to datatables 2021-04-01 16:05:30 +02:00
DjVinnii
cdfa94c243 Make main action float right 2021-04-01 14:59:12 +02:00
DjVinnii
0c5fda3fca Change macros.box to macros.card 2021-04-01 14:47:41 +02:00
DjVinnii
deca6e0c4a update user/settings 2021-04-01 14:45:12 +02:00
DjVinnii
6b3170cb4c Update side menu 2021-04-01 14:42:15 +02:00
DjVinnii
c97728289b Update node version for building the image (AdminLTE requires node 10 or higher) 2021-04-01 11:34:03 +02:00
DjVinnii
e46d9e1fc9 Update admin-lte version in package.json 2021-04-01 11:26:37 +02:00
Vincent Kling
d9a9cb409e
Merge pull request #1 from Mailu/master
Update branche from remote/master
2021-04-01 10:42:43 +02:00
Vincent Kling
c6d0ef229f
Update messages.po 2021-03-19 10:46:42 +01:00
bors[bot]
ff4d3f4d37
Merge #1792
1792: Update fail2ban documentation r=mergify[bot] a=ronivay

## What type of PR?

documentation

## What does this PR do?

Update fail2ban documentation. Use DOCKER-USER chain instead of FORWARD chain for fail2ban rules so that they are always processed before any other rules added by docker itself. Also add instructions how to make fail2ban start after docker to prevent fail2ban from failing because of missing DOCKER-USER chain in iptables.

### Related issue(s)
closes #1727 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.




Co-authored-by: ronivay <roni@vayrynen.info>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
2021-03-19 09:18:29 +00:00
Dimitri Huisman
0bdf84dd25
Update faq.rst
Some spelling improvements.
2021-03-19 09:59:16 +01:00
ronivay
75baa1da99 Update fail2ban documentation 2021-03-18 09:46:27 +02:00
bors[bot]
1fd7a9c578
Merge #1761
1761: check for `ipv6_enabled` in the compose template r=nextgens a=lub

Checking only `ipv6` isn't sufficient, because it has a default value.

## What type of PR?

bug-fix

## What does this PR do?

### Related issue(s)
-

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [it's a minor change] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-11 07:03:59 +00:00
bors[bot]
9c57f2ac39
Merge #1785
1785: Fix bug #1660 (don't replace nested headers) r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Don't replace nested headers (typically in forwarded/attached emails). This will ensure we don't break cryptographic signatures.

### Related issue(s)
- close #1660

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-10 10:14:29 +00:00
bors[bot]
25e8910b89
Merge #1783
1783: Switch to server-side sessions r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It simplifies session management.
- it ensures that sessions will eventually expire (*)
- it implements some mitigation against session-fixation attacks
- it switches from client-side to server-side sessions (in Redis)

It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-10 09:44:31 +00:00
bors[bot]
327884e07c
Merge #1610
1610: add option to enforce inbound starttls r=mergify[bot] a=lub

## What type of PR?

Feature

## What does this PR do?
It implements a check in the auth_http handler to check for Auth-SSL == on and otherwise returns a 530 starttls error.
If INBOUND_TLS_ENFORCE is not set the behaviour is still the same as before, so existing installations should be unaffected.

Although there is a small difference to e.g. smtpd_tls_security_level of Postfix.

Postfix already throws a 530 after mail from, but this solution only throws it after rcpt to. auth_http is only the request after rcpt to, so it's not possible to do it earlier.

### Related issue(s)
#1328 is kinda related, although this PR doesn't solve the issue that the headers will still display ESMTP instead of ESMTPS

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
2021-03-10 09:14:23 +00:00
bors[bot]
7469bb7087
Merge #1638
1638: Remove the username from the milter_headers r=mergify[bot] a=githtz

Rspamd adds the name of the authenticated user by default. Setting add_smtp_user to false prevents the login to be leaked.

## What type of PR?
Enhancement

## What does this PR do?
This PR prevents the user login to be leaked in sent emails (for example using an alias)

### Related issue(s)
Closes https://github.com/Mailu/Mailu/issues/1465

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: anrc <15327800+githtz@users.noreply.github.com>
2021-03-10 07:30:25 +00:00
lub
f3f0a4d86d
Merge branch 'master' into enforce-tls-admin 2021-03-09 23:40:51 +01:00
Florent Daigniere
b872b46097 towncrier 2021-03-09 20:13:31 +01:00
Florent Daigniere
97be7359fe towncrier 2021-03-09 19:47:34 +01:00
Florent Daigniere
513d2a4c5e Fix bug #1660: nested headers shouldn't be touched 2021-03-09 19:43:08 +01:00
Florent Daigniere
64d757582d Disable anti-csrf on the login form
The rationale is that the attacker doesn't have the password...
and that doing it this way we avoid creating useless sessions
2021-03-09 14:21:02 +01:00
Florent Daigniere
481cb67392 cleanup old sessions on startup 2021-03-09 14:21:02 +01:00
Florent Daigniere
b9becd8649 make sessions expire 2021-03-09 14:21:02 +01:00
Florent Daigniere
a1d32568d6 Regenerate session-ids to prevent session fixation 2021-03-09 14:20:22 +01:00
Florent Daigniere
d459c37432 make session IDs 128bits 2021-03-09 14:20:22 +01:00
Florent Daigniere
22af5b8432 Switch to server-side sessions in redis 2021-03-09 14:20:22 +01:00
bors[bot]
7e2db9c9c3
Merge #1753
1753: Better password storage r=nextgens a=nextgens

## What type of PR?

Enhancement: optimization of the logic to speedup authentication requests, support the import of most hashes passlib supports.

## What does this PR do?

- it changes the default password cold-storage format to sha256+bcrypt
- it enhances the logic to ensure that no CPU cycles are wasted when valid credentials are found
- it fixes token authentication on /webdav/
- it lowers the number of rounds used for token storage (on the basis that they are high-entropy: not bruteforceable and speed matters)
- it introduces a new setting to set the number of rounds used by the password hashing function (CREDENTIAL_ROUNDS). The setting can be adjusted as required and existing hashes will be migrated to the new cost-factor.
- it updates the version of passlib in use and enables all supported hash types (that will be converted to the current settings on first use)
- it removes the PASSWORD_SCHEME setting

### Related issue(s)
- close #1194
- close #1662
- close #1706

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-09 11:12:36 +00:00
Florent Daigniere
96ae54d04d CryptContext should be a singleton 2021-03-09 12:05:46 +01:00
Florent Daigniere
5f05fee8b3 Don't need regexps anymore 2021-03-09 12:05:46 +01:00
Florent Daigniere
1c5b58cba4 Remove scheme_dict 2021-03-09 12:05:46 +01:00
Florent Daigniere
45e5cb9bb3 Improve the towncrier messages 2021-03-09 12:05:46 +01:00
Florent Daigniere
20d2b621aa Improve the description of CREDENTIAL_ROUNDS 2021-03-09 12:05:46 +01:00
Florent Daigniere
df230cb482 Refactor auth under nginx.check_credentials() 2021-03-09 12:05:46 +01:00
Florent Daigniere
f9ed517b39 Be specific token length 2021-03-09 12:05:46 +01:00
Florent Daigniere
d0b34f8e24 Move CREDENTIAL_ROUNDS to advanced settings 2021-03-09 12:05:46 +01:00
Florent Daigniere
29306d5abb Fix the tests (again) 2021-03-09 12:04:42 +01:00
Florent Daigniere
89d88e0c19 Fix the test 2021-03-09 12:04:42 +01:00
Florent Daigniere
fda758e2b4 remove merge artifact 2021-03-09 12:04:42 +01:00
Florent Daigniere
927bd2bd8e towncrier 2021-03-09 12:04:42 +01:00
Florent Daigniere
57a6abaf50 Remove {scheme} from the DB if mailu has set it 2021-03-09 12:04:42 +01:00
Florent Daigniere
7137ba6ff1 Misc improvements to PASSWORD_SCHEME
- remove PASSWORD_SCHEME altogether
- introduce CREDENTIAL_ROUNDS
- migrate all old hashes to the current format
- auto-detect/enable all hash types that passlib supports
- upgrade passlib to 1.7.4 (see #1706: ldap_salted_sha512 support)
2021-03-09 12:04:42 +01:00
Florent Daigniere
00b001f76b Improve the token storage format
shortcomings of the previous format included:
- 1000x slower than it should be (no point in adding rounds since there
 is enough entropy: they are not bruteforceable)
- vulnerable to DoS as explained in
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.sha256_crypt.html#security-issues
2021-03-09 12:04:42 +01:00
Florent Daigniere
eb7895bd1c Don't do more work than necessary (/webdav)
This is also fixing tokens on /webdav/
2021-03-09 12:04:42 +01:00
Florent Daigniere
58b2cdc428 Don't do more work than necessary 2021-03-09 12:04:42 +01:00
bors[bot]
c0266ef455
Merge #1777
1777: Add mergify to the list of trusted authors r=Diman0 a=nextgens

The idea is to prevent backports from being stuck pending review for too long.

#1767 was created by a trusted author (p0) ... reviewed and merged to master relatively quickly... but it's backport got stuck for a week (#1768) as it required double the number of reviews.

This probably needs to be backported to be effective

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2021-03-09 10:29:37 +00:00