diff --git a/docs/configuration.rst b/docs/configuration.rst index 1a40bf65..fee15737 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -100,6 +100,12 @@ by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidd internet facing hosts according to e.g. `RFC 3207`_ , because this prevents MTAs without STARTTLS support or e.g. mismatching TLS versions to deliver emails to Mailu. +The ``SCAN_MACROS`` (default: True) setting controls whether Mailu will endavour +to reject emails containing documents with malicious macros. Under the hood, it uses +`mraptor from oletools`_ to determine whether a macro is malicious or not. + +.. _`mraptor from oletools`: https://github.com/decalage2/oletools/wiki/mraptor + .. _`RFC 3207`: https://tools.ietf.org/html/rfc3207 .. _fetchmail: diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index 11af9eff..fe766c0d 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -103,6 +103,7 @@ services: - {{ dns }} {% endif %} +{% if oletools_enabled %} oletools: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-{{ version }}} hostname: oletools @@ -115,21 +116,26 @@ services: dns: - {{ dns }} {% endif %} +{% endif %} antispam: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}} hostname: antispam restart: always env_file: {{ env }} +{% if oletools_enabled %} networks: - default - noinet +{% endif %} volumes: - "{{ root }}/filter:/var/lib/rspamd" - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro" depends_on: - front +{% if oletools_enabled %} - oletools +{% endif %} - redis {% if resolver_enabled %} - resolver @@ -217,6 +223,8 @@ networks: {% if ipv6_enabled %} - subnet: {{ subnet6 }} {% endif %} +{% if oletools_enabled %} noinet: driver: bridge internal: true +{% endif %} diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env index cc99912e..980788ce 100644 --- a/setup/flavors/compose/mailu.env +++ b/setup/flavors/compose/mailu.env @@ -58,6 +58,9 @@ WEBDAV={{ webdav_enabled or 'none' }} # Antivirus solution (value: clamav, none) ANTIVIRUS={{ antivirus_enabled or 'none' }} +# Scan Macros solution (value: true, false) +SCAN_MACROS={{ oletools_enabled or 'false' }} + ################################### # Mail settings ################################### diff --git a/setup/templates/steps/compose/02_services.html b/setup/templates/steps/compose/02_services.html index a801f807..cb9ba807 100644 --- a/setup/templates/steps/compose/02_services.html +++ b/setup/templates/steps/compose/02_services.html @@ -55,6 +55,15 @@ the security implications caused by such an increase of attack surface.
Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox. +