Merge remote-tracking branch 'upstream/master' into import-export

CHANGELOG.md

@@ -33,13 +33,23 @@ v1.8.0 - 2020-09-28
 - Features: Added CardDAV-Plugin for webmail roundcube. ([#1298](https://github.com/Mailu/Mailu/issues/1298))
 - Features: Allow users to use server-sided full-text-search again by adding the dovecot fts-xapian plugin ([#1320](https://github.com/Mailu/Mailu/issues/1320))
 - Features: Relay a domain to a nonstandard SMTP port by adding ":<port_num>" to the remote hostname or IP address. ([#1357](https://github.com/Mailu/Mailu/issues/1357))
+- Features: Allow to enforce TLS for outbound mail by setting OUTBOUND_TLS_LEVEL=encrypt for postfix. ([#1478](https://github.com/Mailu/Mailu/issues/1478))
 - Features: Introduce option to disable dovecot full-text-search by an enviroment variable. ([#1538](https://github.com/Mailu/Mailu/issues/1538))
 - Features: Add support for AUTH LOGIN authentication mechanism for relaying email via smart hosts. ([#1635](https://github.com/Mailu/Mailu/issues/1635))
+- Bugfixes: Fix the password encoding upon authentication ([#1139](https://github.com/Mailu/Mailu/issues/1139))
+- Bugfixes: Fix piping mail into rspamd when moving from/to junk-folder ([#1177](https://github.com/Mailu/Mailu/issues/1177))
+- Bugfixes: Separate HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI because of different ports ([#1190](https://github.com/Mailu/Mailu/issues/1190))
+- Bugfixes: Make postfix mailqueue persistent ([#1208](https://github.com/Mailu/Mailu/issues/1208))
+- Bugfixes: Kubernetes manifests updated to be compatible with Kubernetes 1.16 (breaks compatibility with older k8s versions) ([#1241](https://github.com/Mailu/Mailu/issues/1241))
 - Bugfixes: Use pip package for radicale to fix failing builds caused by [alpine]upstream package rebuild against different python version ([#1255](https://github.com/Mailu/Mailu/issues/1255))
+- Bugfixes: Ratelimit counts up on failed auth only now ([#1278](https://github.com/Mailu/Mailu/issues/1278))
 - Bugfixes: Disable Health checks on swarm mode ([#1289](https://github.com/Mailu/Mailu/issues/1289))
+- Bugfixes: Enable the From header for message delivery report in Roundcube and ensure DKIM Signature ([#1381](https://github.com/Mailu/Mailu/issues/1381))
+- Bugfixes: Fix alias resolution in regard to case: A specifically matching alias of wrong case is now preferred over a wildcard alias that might have »eaten« it previously. ([#1387](https://github.com/Mailu/Mailu/issues/1387))
 - Bugfixes: Show SPF records in accordance with RFC 7208: Previously we instructed admins to create SPF and TXT records, where only TXT records are correct now. !! Attention !! You need to manually remove the SPF-typed records and keep only TXT in your DNS. ([#1394](https://github.com/Mailu/Mailu/issues/1394))
 - Bugfixes: Cover relearning messages when moving bewteen Ham and Spam status ([#1438](https://github.com/Mailu/Mailu/issues/1438))
 - Bugfixes: Defining POSTMASTER through setup tool apply also to DMARC_RUA and DMARC_RUF settings ([#1463](https://github.com/Mailu/Mailu/issues/1463))
+- Bugfixes: Allow IPv6 authenticated connections in PostgreSQL pg_hba.conf ([#1479](https://github.com/Mailu/Mailu/issues/1479))
 - Bugfixes: Check postfix mailqueue permissions before start-up ([#1486](https://github.com/Mailu/Mailu/issues/1486))
 - Bugfixes: Fixes certbot renewal ([#1564](https://github.com/Mailu/Mailu/issues/1564))
 - Improved Documentation: Added documentation that describes how spam filtering works in Mailu. ([#1167](https://github.com/Mailu/Mailu/issues/1167))

core/admin/mailu/internal/nginx.py

@@ -84,7 +84,7 @@ def get_status(protocol, status):
     return status, codes[protocol]
 
 def extract_host_port(host_and_port, default_port):
-    host, _, port = re.match('^(.*)(:([0-9]*))?$', host_and_port).groups()
+    host, _, port = re.match('^(.*?)(:([0-9]*))?$', host_and_port).groups()
     return host, int(port) if port else default_port
 
 def get_server(protocol, authenticated=False):

core/nginx/conf/nginx.conf

@@ -106,7 +106,7 @@ http {
       {% endif %}
 
       # If TLS is failing, prevent access to anything except certbot
-      {% if KUBERNETES_INGRESS != 'true' and TLS_ERROR and not TLS_FLAVOR == "mail" %}
+      {% if KUBERNETES_INGRESS != 'true' and TLS_ERROR and not (TLS_FLAVOR in [ 'mail-letsencrypt', 'mail' ]) %}
       location / {
         return 403;
       }

core/postfix/conf/main.cf

@@ -126,3 +126,5 @@ milter_default_action = tempfail
 ###############
 # Extra Settings
 ###############
+{# Ensure that the rendered file ends with newline in order to make `postconf` work correctly #}
+{{- "\n" }}

docs/features.rst

@@ -16,10 +16,6 @@ Admin interface screenshots
 
    Managing email domains
 
-.. figure:: assets/screenshots/status.png
-
-   Displaying service status
-
 .. figure:: assets/screenshots/token.png
 
    Creating an authentication token

docs/reverse.rst

@@ -225,6 +225,6 @@ You can also download the example configuration files:
 Disable completely Mailu reverse proxy
 --------------------------------------
 
-You can simply disable Mailu reverse proxy by removing the ``front`` section from the ``docker-compose.yml`` and use your own means to reverse proxy requests to the proper containers.
+You must not disable Mailu reverse proxy by removing the ``front`` section from the ``docker-compose.yml``.
 
-Be careful with this method as resolving container addresses outside the Docker Compose structure is a tricky task: there is no guarantee that addresses will remain after a restart and you are almost certain that addresses will change after every upgrade (and whenever containers are recreated).
+``front`` is handling authentication and is also proxying e.g. SMTP and IMAP. A basic HTTP reverse proxy as described in this document is not sufficient for this.

optional/fetchmail/fetchmail.py

@@ -28,7 +28,7 @@ poll "{host}" proto {protocol}  port {port}
 
 
 def extract_host_port(host_and_port, default_port):
-    host, _, port = re.match('^(.*)(:([0-9]*))?$', host_and_port).groups()
+    host, _, port = re.match('^(.*?)(:([0-9]*))?$', host_and_port).groups()
     return host, int(port) if port else default_port
 
 

setup/templates/macros.html

@@ -12,7 +12,7 @@
 {% macro radio(name, value, emph, text, current) %}
   <div class="radio">
     <label>
-      <input type="radio" name="{{ name }}" value="{{ value }}"{% if current == value %} checked="checked"{% endif %}>
+      <input type="radio" name="{{ name }}" value="{{ value }}"{% if current == value %} checked="checked"{% endif %} required="required">
       {% if emph %}
       <strong>{{ emph }}</strong>,
       {% endif %}

towncrier/1478.feature

@@ -1 +0,0 @@
-Allow to enforce TLS for outbound mail by setting OUTBOUND_TLS_LEVEL=encrypt for postfix.

towncrier/newsfragments/1139.fix

@@ -1 +0,0 @@
-Fix the password encoding upon authentication

towncrier/newsfragments/1177.bug

@@ -1 +0,0 @@
-Fix piping mail into rspamd when moving from/to junk-folder

towncrier/newsfragments/1190.fix

@@ -1 +0,0 @@
-Separate HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI because of different ports

towncrier/newsfragments/1208.fix

@@ -1 +0,0 @@
-Make postfix mailqueue persistent

towncrier/newsfragments/1241.fix

@@ -1 +0,0 @@
-Kubernetes manifests updated to be compatible with Kubernetes 1.16 (breaks compatibility with older k8s versions)

towncrier/newsfragments/1278.fix

@@ -1,2 +0,0 @@
-
-Ratelimit counts up on failed auth only now

towncrier/newsfragments/1381.fix

@@ -1 +0,0 @@
-Enable the From header for message delivery report in Roundcube and ensure DKIM Signature 

towncrier/newsfragments/1387.bug

@@ -1 +0,0 @@
-Fix alias resolution in regard to case: A specifically matching alias of wrong case is now preferred over a wildcard alias that might have »eaten« it previously.

towncrier/newsfragments/1479.bug

@@ -1 +0,0 @@
-Allow IPv6 authenticated connections in PostgreSQL pg_hba.conf

towncrier/newsfragments/1669.bugfix

@@ -0,0 +1 @@
+Fix "extract_host_port" function to support containers with custom / dynamic ports

towncrier/newsfragments/1686.bugfix

@@ -0,0 +1 @@
+Fix letsencrypt access to certbot for the mail-letsencrypt flavour

towncrier/newsfragments/1696.misc

@@ -0,0 +1 @@
+Hide x-powered-by PHP-version header from webmails

webmails/rainloop/php.ini

@@ -1,3 +1,4 @@
+expose_php=Off
 date.timezone=UTC
 upload_max_filesize = {{ MAX_FILESIZE }}M
 post_max_size = {{ MAX_FILESIZE }}M

webmails/roundcube/php.ini

@@ -1,3 +1,4 @@
+expose_php=Off
 date.timezone=UTC
 upload_max_filesize = {{ MAX_FILESIZE }}M
 post_max_size = {{ MAX_FILESIZE }}M