enhanced security changelog entry and added recommendation to recreate secret_key

CHANGELOG.md

@@ -13,6 +13,15 @@ One major change for the docker compose file is that the antispam container need
 This is handled when you regenerate the docker-compose file. A fixed hostname is required to retain rspamd history. 
 This is also handled in the helm-chart repo.
 
+Improvements have been made to protect again session-fixation attacks. 
+To be fully protected, it is required to change your SECRET_KEY in Mailu.env after upgrading. 
+A new SECRET_KEY is generated when you recreate your docker-compose.yml & mailu.env file via setup.mailu.io.
+
+The SECRET_KEY is an uppercase alphanumeric string of length 16. You can manually create such a string via
+```cat /dev/urandom | tr -dc 'A-Z0-9' | fold -w ${1:-16} | head -n 1```
+
+After changing mailu.env, it is required to recreate all containers for the changes to be propagated.
+
 Please note that the shipped image for PostgreSQL database is deprecated.
 We advise to switch to an external PostgreSQL database server.
 
@@ -34,7 +43,7 @@ We advise to switch to an external PostgreSQL database server.
 - Bugfixes: Remove dot in blueprint name to prevent critical flask startup error in setup. ([#1874](https://github.com/Mailu/Mailu/issues/1874))
 - Bugfixes: fix punycode encoding of domain names ([#1891](https://github.com/Mailu/Mailu/issues/1891))
 - Improved Documentation: Update fail2ban documentation to use systemd backend instead of filepath for journald ([#1857](https://github.com/Mailu/Mailu/issues/1857))
-- Misc:  ([#1783](https://github.com/Mailu/Mailu/issues/1783))
+- Misc: Switch from client side (cookie) sessions to server side sessions and protect against session-fixation attacks. We recommend that you change your SECRET_KEY after upgrading. ([#1783](https://github.com/Mailu/Mailu/issues/1783))
 
 
 v1.8.0rc - 2020-09-28

docs/releases.rst

@@ -21,7 +21,7 @@ Here’s a short summary of new features:
 - Roundcube and Rainloop have been updated.
 - All dependencies have been updated to the latest security update.
 - Fail2ban documentation has been improved.
-- Switch from client side (cookie) sessions to server side sessions.
+- Switch from client side (cookie) sessions to server side sessions and protect against session-fixation attacks. We recommend that you change your SECRET_KEY after upgrading.
 - Full-text-search is back after having been disabled for a while due to nasty bugs. It can still be disabled via the mailu.env file.
 - Tons of documentation improvements, especially geared towards new users.
 - (Experimental) support for different architectures, such as ARM.
@@ -51,6 +51,18 @@ Override location changes
 If you have regenerated the Docker compose and environment files, there are some changes to the configuration overrides.
 Override files are now mounted read-only into the containers. The Dovecot and Postfix overrides are moved in their own sub-directory. If there are local override files, they will need to be moved from ``overrides/`` to ``overrides/dovecot`` and ``overrides/postfix/``.
 
+Recreate SECRET_KEY after upgrading
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Improvements have been made to protect again session-fixation attacks. 
+To be fully protected, it is required to change your SECRET_KEY in Mailu.env after upgrading. 
+A new SECRET_KEY is generated when you recreate your docker-compose.yml & mailu.env file via setup.mailu.io.
+
+The SECRET_KEY is an uppercase alphanumeric string of length 16. You can manually create such a string via
+```cat /dev/urandom | tr -dc 'A-Z0-9' | fold -w ${1:-16} | head -n 1```
+
+After changing mailu.env, it is required to recreate all containers for the changes to be propagated.
+
 Update your DNS SPF Records
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^