From e7caff9811512dc47bddcd9aa11ce983254e7c40 Mon Sep 17 00:00:00 2001
From: David Fairbrother <DavidFair@users.noreply.github.com>
Date: Mon, 5 Oct 2020 15:13:07 +0100
Subject: [PATCH 01/44] Add ability to set no WEBROOT_REDIRECT to Nginx

Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
---
 core/nginx/conf/nginx.conf |  2 +-
 docs/configuration.rst     | 15 ++++++++++-----
 docs/faq.rst               |  2 ++
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 8f6eaa0d..f672c7a3 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -115,7 +115,7 @@ http {
       include /overrides/*.conf;
 
       # Actual logic
-      {% if WEB_WEBMAIL != '/' %}
+      {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
       location / {
       {% if WEBROOT_REDIRECT %}
         try_files $uri {{ WEBROOT_REDIRECT }};
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 5ff3546a..c2c55190 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -92,14 +92,19 @@ the localpart for DMARC rua and ruf email addresses.
 Full-text search is enabled for IMAP is enabled by default. This feature can be disabled
 (e.g. for performance reasons) by setting the optional variable ``FULL_TEXT_SEARCH`` to ``off``.
 
+.. _web_settings:
+
 Web settings
 ------------
 
-The ``WEB_ADMIN`` contains the path to the main admin interface, while
-``WEB_WEBMAIL`` contains the path to the Web email client.
-The ``WEBROOT_REDIRECT`` redirects all non-found queries to the set path.
-An empty ``WEBROOT_REDIRECT`` value disables redirecting and enables classic
-behavior of a 404 result when not found.
+- ``WEB_ADMIN`` contains the path to the main admin interface 
+
+- ``WEB_WEBMAIL`` contains the path to the Web email client.
+
+- ``WEBROOT_REDIRECT`` redirects all non-found queries to the set path.
+  An empty ``WEBROOT_REDIRECT`` value disables redirecting and enables classic behavior of a 404 result when not found. 
+  Alternatively, ``WEBROOT_REDIRECT`` can be set to ``none`` if you are using an Nginx override for ``location /``.
+
 All three options need a leading slash (``/``) to work.
 
   .. note:: ``WEBROOT_REDIRECT`` has to point to a valid path on the webserver.
diff --git a/docs/faq.rst b/docs/faq.rst
index b292cd05..296cd59f 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -262,6 +262,8 @@ correct syntax. The following file names will be taken as override configuration
 - `Nginx`_ - All ``*.conf`` files in the ``nginx`` sub-directory;
 - `Rspamd`_ - All files in the ``rspamd`` sub-directory.
 
+To override the root location (``/``) in Nginx ``WEBROOT_REDIRECT`` needs to be set to ``none`` in the env file (see :ref:`web settings <web_settings>`).
+
 *Issue reference:* `206`_, `1368`_.
 
 I want to integrate Nextcloud 15 (and newer) with Mailu

From a7d99bdedd3decc7dc02609fc070337451302eb2 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Fri, 6 Aug 2021 22:35:37 +0200
Subject: [PATCH 02/44] Update CHANGELOG.md and process towncrier
 newsfragments.

---
 CHANGELOG.md                         | 32 +++++++++++++++++++++++++---
 towncrier/newsfragments/1660.bugfix  |  1 -
 towncrier/newsfragments/1686.bugfix  |  1 -
 towncrier/newsfragments/1720.bugfix  |  2 --
 towncrier/newsfragments/1783.misc    |  1 -
 towncrier/newsfragments/1837.bugfix  |  1 -
 towncrier/newsfragments/1841.feature |  1 -
 towncrier/newsfragments/1845.feature |  1 -
 towncrier/newsfragments/1857.doc     |  1 -
 towncrier/newsfragments/1861.bugfix  |  1 -
 towncrier/newsfragments/1867.feature |  1 -
 towncrier/newsfragments/1874.bugfix  |  1 -
 towncrier/newsfragments/1880.feature |  1 -
 towncrier/newsfragments/191.bugfix   |  1 -
 14 files changed, 29 insertions(+), 17 deletions(-)
 delete mode 100644 towncrier/newsfragments/1660.bugfix
 delete mode 100644 towncrier/newsfragments/1686.bugfix
 delete mode 100644 towncrier/newsfragments/1720.bugfix
 delete mode 100644 towncrier/newsfragments/1783.misc
 delete mode 100644 towncrier/newsfragments/1837.bugfix
 delete mode 100644 towncrier/newsfragments/1841.feature
 delete mode 100644 towncrier/newsfragments/1845.feature
 delete mode 100644 towncrier/newsfragments/1857.doc
 delete mode 100644 towncrier/newsfragments/1861.bugfix
 delete mode 100644 towncrier/newsfragments/1867.feature
 delete mode 100644 towncrier/newsfragments/1874.bugfix
 delete mode 100644 towncrier/newsfragments/1880.feature
 delete mode 100644 towncrier/newsfragments/191.bugfix

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 579f3e82..09b9f68f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,18 +4,44 @@ Changelog
 Upgrade should run fine as long as you generate a new compose or stack
 configuration and upgrade your mailu.env.
 
-Please note that the current 1.8 is what we call a "soft release": It’s there for everyone to see and use, but to limit possible user-impact of this very big release, it’s not yet the default in the setup-utility for new users. When upgrading, please treat it with some care, and be sure to always have backups!
-
 There are some changes to the configuration overrides. Override files are now mounted read-only into the containers.
 The Dovecot and Postfix overrides are moved in their own sub-directory.
 If there are local override files, they will need to be moved from overrides/ to overrides/dovecot and overrides/postfix/.
 See https://mailu.io/1.8/faq.html#how-can-i-override-settings for all the mappings.
 
+<<<<<<< HEAD
 Please note that the shipped image for PostgreSQL database is deprecated.
 We advise to switch to an external database server.
+=======
+One major change for the docker compose file is that the antispam needs a fixed hostname [#1837](https://github.com/Mailu/Mailu/issues/1837).
+This is handled when you regenerate the docker-compose file. A fixed hostname is required to retain rspamd history.
+
+Please not that the shipped image for PostgreSQL database is deprecated.
+We advise to switch to an external PostgreSQL database server.
+>>>>>>> afaacf5a... Update CHANGELOG.md and process towncrier newsfragments.
 
 <!-- TOWNCRIER -->
-v1.8.0 - 2020-09-28
+1.8.0 - 2021-08-06
+--------------------
+
+- Features: Update version of roundcube webmail and carddav plugin. This is a security update. ([#1841](https://github.com/Mailu/Mailu/issues/1841))
+- Features: Update version of rainloop webmail to 1.16.0. This is a security update. ([#1845](https://github.com/Mailu/Mailu/issues/1845))
+- Features: Changed default value of AUTH_RATELIMIT_SUBNET to false. Increased default value of the rate limit in setup utility (AUTH_RATELIMIT) to a higher value. ([#1867](https://github.com/Mailu/Mailu/issues/1867))
+- Features: Update jquery used in setup. Set pinned versions in requirements.txt for setup. This is a security update. ([#1880](https://github.com/Mailu/Mailu/issues/1880))
+- Bugfixes: Replace PUBLIC_HOSTNAME and PUBLIC_IP in "Received" headers to ensure that no undue spam points are attributed ([#191](https://github.com/Mailu/Mailu/issues/191))
+- Bugfixes: Don't replace nested headers (typically in attached emails) ([#1660](https://github.com/Mailu/Mailu/issues/1660))
+- Bugfixes: Fix letsencrypt access to certbot for the mail-letsencrypt flavour ([#1686](https://github.com/Mailu/Mailu/issues/1686))
+- Bugfixes: Fix CVE-2020-25275 and CVE-2020-24386 by using alpine 3.13 for
+  dovecot which contains a fixed dovecot version. ([#1720](https://github.com/Mailu/Mailu/issues/1720))
+- Bugfixes: Antispam service now uses a static hostname. Rspamd history is only retained when the service has a fixed hostname. ([#1837](https://github.com/Mailu/Mailu/issues/1837))
+- Bugfixes: Fix a bug preventing colons from being used in passwords when using radicale/webdav. ([#1861](https://github.com/Mailu/Mailu/issues/1861))
+- Bugfixes: Remove dot in blueprint name to prevent critical flask startup error in setup. ([#1874](https://github.com/Mailu/Mailu/issues/1874))
+- Bugfixes: fix punycode encoding of domain names ([#1891](https://github.com/Mailu/Mailu/issues/1891))
+- Improved Documentation: Update fail2ban documentation to use systemd backend instead of filepath for journald ([#1857](https://github.com/Mailu/Mailu/issues/1857))
+- Misc:  ([#1783](https://github.com/Mailu/Mailu/issues/1783))
+
+
+v1.8.0rc - 2020-09-28
 --------------------
 
 - Features: Add support for backward-forwarding using SRS ([#328](https://github.com/Mailu/Mailu/issues/328))
diff --git a/towncrier/newsfragments/1660.bugfix b/towncrier/newsfragments/1660.bugfix
deleted file mode 100644
index a90fb099..00000000
--- a/towncrier/newsfragments/1660.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Don't replace nested headers (typically in attached emails)
diff --git a/towncrier/newsfragments/1686.bugfix b/towncrier/newsfragments/1686.bugfix
deleted file mode 100644
index 932d7d7c..00000000
--- a/towncrier/newsfragments/1686.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix letsencrypt access to certbot for the mail-letsencrypt flavour
diff --git a/towncrier/newsfragments/1720.bugfix b/towncrier/newsfragments/1720.bugfix
deleted file mode 100644
index 0bf2b8e6..00000000
--- a/towncrier/newsfragments/1720.bugfix
+++ /dev/null
@@ -1,2 +0,0 @@
-Fix CVE-2020-25275 and CVE-2020-24386 by using alpine 3.13 for
-dovecot which contains a fixed dovecot version.
diff --git a/towncrier/newsfragments/1783.misc b/towncrier/newsfragments/1783.misc
deleted file mode 100644
index 2ee4c97f..00000000
--- a/towncrier/newsfragments/1783.misc
+++ /dev/null
@@ -1 +0,0 @@
-Switch from client side sessions (cookies) to server-side sessions (Redis). This simplies the security model a lot and allows for an easier recovery should a cookie ever land in the hands of an attacker.
diff --git a/towncrier/newsfragments/1837.bugfix b/towncrier/newsfragments/1837.bugfix
deleted file mode 100644
index dcabcc6b..00000000
--- a/towncrier/newsfragments/1837.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Antispam service now uses a static hostname. Rspamd history is only retained when the service has a fixed hostname.
diff --git a/towncrier/newsfragments/1841.feature b/towncrier/newsfragments/1841.feature
deleted file mode 100644
index c91f805f..00000000
--- a/towncrier/newsfragments/1841.feature
+++ /dev/null
@@ -1 +0,0 @@
-Update version of roundcube webmail and carddav plugin. This is a security update.
\ No newline at end of file
diff --git a/towncrier/newsfragments/1845.feature b/towncrier/newsfragments/1845.feature
deleted file mode 100644
index afde9313..00000000
--- a/towncrier/newsfragments/1845.feature
+++ /dev/null
@@ -1 +0,0 @@
-Update version of rainloop webmail to 1.16.0. This is a security update.
diff --git a/towncrier/newsfragments/1857.doc b/towncrier/newsfragments/1857.doc
deleted file mode 100644
index 06cb91ab..00000000
--- a/towncrier/newsfragments/1857.doc
+++ /dev/null
@@ -1 +0,0 @@
-Update fail2ban documentation to use systemd backend instead of filepath for journald
\ No newline at end of file
diff --git a/towncrier/newsfragments/1861.bugfix b/towncrier/newsfragments/1861.bugfix
deleted file mode 100644
index 1e28d1b6..00000000
--- a/towncrier/newsfragments/1861.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix a bug preventing colons from being used in passwords when using radicale/webdav.
diff --git a/towncrier/newsfragments/1867.feature b/towncrier/newsfragments/1867.feature
deleted file mode 100644
index fbd3a7d7..00000000
--- a/towncrier/newsfragments/1867.feature
+++ /dev/null
@@ -1 +0,0 @@
-Changed default value of AUTH_RATELIMIT_SUBNET to false. Increased default value of the rate limit in setup utility (AUTH_RATELIMIT) to a higher value.
diff --git a/towncrier/newsfragments/1874.bugfix b/towncrier/newsfragments/1874.bugfix
deleted file mode 100644
index a301835e..00000000
--- a/towncrier/newsfragments/1874.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Remove dot in blueprint name to prevent critical flask startup error in setup.
diff --git a/towncrier/newsfragments/1880.feature b/towncrier/newsfragments/1880.feature
deleted file mode 100644
index 212dc906..00000000
--- a/towncrier/newsfragments/1880.feature
+++ /dev/null
@@ -1 +0,0 @@
-Update jquery used in setup. Set pinned versions in requirements.txt for setup. This is a security update.
diff --git a/towncrier/newsfragments/191.bugfix b/towncrier/newsfragments/191.bugfix
deleted file mode 100644
index 185d3074..00000000
--- a/towncrier/newsfragments/191.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Replace PUBLIC_HOSTNAME and PUBLIC_IP in "Received" headers to ensure that no undue spam points are attributed

From 4b89143362d9ef8cfb985c030047ce74642f7952 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Fri, 6 Aug 2021 23:00:27 +0200
Subject: [PATCH 03/44] Update documentation config and release notes page.

---
 docs/conf.py      |  2 +-
 docs/releases.rst | 65 +++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 64 insertions(+), 3 deletions(-)

diff --git a/docs/conf.py b/docs/conf.py
index 8f174b64..db7008b3 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -36,7 +36,7 @@ html_context = {
     'github_user': 'mailu',
     'github_repo': 'mailu',
     'github_version': version,
-    'stable_version': '1.7',
+    'stable_version': '1.8',
     'versions': [
         ('1.5', '/1.5/'),
         ('1.6', '/1.6/'),
diff --git a/docs/releases.rst b/docs/releases.rst
index 7a15d1fa..7473b033 100644
--- a/docs/releases.rst
+++ b/docs/releases.rst
@@ -1,8 +1,69 @@
 Release notes
 =============
 
-Mailu 1.8 - 2020-10-02
-----------------------
+Mailu 1.8 - 2021-08-7
+---------------------
+
+The full 1.8 release is finally ready. There have been some changes in the contributors team. Many people from the contributors team have stepped back due to changed priorities in their life.
+We are very grateful for all their contributions and hope we will see them back again in the future.
+This is the main reason why it took so long for 1.8 to be fully released. 
+
+Fortunately more people have decided to join the project. Some very nice contributions have been made which will become part of the next 1.9 release.
+We hope that future Mailu releases will be released more quickly now we have more active contributors again.
+
+For a list of all changes refer to `CHANGELOG.md` in the root folder of the Mailu github project. Please read the 'Override location changes' section further on this page. It contains important information for the people who use the overrides folder.
+
+New Functionality & Improvements
+````````````````````````````````
+
+Here’s a short summary of new features:
+
+- Roundcube and Rainloop have been updated.
+- All dependencies have been updated to the latest security update.
+- Fail2ban documentation has been improved.
+- Switch from client side (cookie) sessions to server side sessions.
+- Full-text-search is back after having been disabled for a while due to nasty bugs. It can still be disabled via the mailu.env file.
+- Tons of documentation improvements, especially geared towards new users.
+- (Experimental) support for different architectures, such as ARM.
+- Improvements around webmails, such as CardDAV, GPG and a new skin for an updated roundcube, and support for MySQL for it. Updated Rainloop, too.
+- Improvements around relaying, such as AUTH LOGIN and non-standard port support.
+- Update to alpine:3.14 as baseimage for most containers.
+- Setup warns users about compose-IPv6 deployments which have caused open relays in the past.
+- Improved handling of upper-vs-lowercase aliases and user-addresses.
+- Improved rate-limiting system.
+- Support for SRS.
+- Japanese localisation is now available.
+
+
+Upgrading
+`````````
+
+Upgrade should run fine as long as you generate a new compose or stack
+configuration and upgrade your mailu.env.
+
+Please not that the shipped image for PostgreSQL database is deprecated.
+The shipped image for PostgreSQL is not maintained anymore from release 1.8.
+We recommend switching to an external PostgreSQL image as soon as possible.
+
+Override location changes
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If you have regenerated the Docker compose and environment files, there are some changes to the configuration overrides.
+Override files are now mounted read-only into the containers. The Dovecot and Postfix overrides are moved in their own sub-directory. If there are local override files, they will need to be moved from ``overrides/`` to ``overrides/dovecot`` and ``overrides/postfix/``.
+
+Update your DNS SPF Records
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+It has become known that the SPF DNS records generated by the admin interface are not completely standard compliant anymore. Please check the DNS records for your domains and compare them to what the new admin-interface instructs you to use. In most cases, this should be a simple copy-paste operation for you ….
+
+Fixed hostname for antispam service
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+For history to be retained in Rspamd, the antispam container requires a static hostname. When you re-generate your docker-compose.yml file (or helm-chart), this will be covered.
+
+
+Mailu 1.8rc - 2020-10-02
+------------------------
 
 Release 1.8 has come a long way again. Due to corona the project slowed down to a crawl. Fortunately new contributors have joined the team what enabled us to still release Mailu 1.8 this year.
 

From 6581f8f087d62b841e9939ea3cf3814ea9e9a518 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
Date: Fri, 6 Aug 2021 23:17:41 +0200
Subject: [PATCH 04/44] Resolve merge conflict

---
 CHANGELOG.md | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 09b9f68f..3ad0061b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,18 +9,14 @@ The Dovecot and Postfix overrides are moved in their own sub-directory.
 If there are local override files, they will need to be moved from overrides/ to overrides/dovecot and overrides/postfix/.
 See https://mailu.io/1.8/faq.html#how-can-i-override-settings for all the mappings.
 
-<<<<<<< HEAD
-Please note that the shipped image for PostgreSQL database is deprecated.
-We advise to switch to an external database server.
-=======
-One major change for the docker compose file is that the antispam needs a fixed hostname [#1837](https://github.com/Mailu/Mailu/issues/1837).
-This is handled when you regenerate the docker-compose file. A fixed hostname is required to retain rspamd history.
+One major change for the docker compose file is that the antispam container needs a fixed hostname [#1837](https://github.com/Mailu/Mailu/issues/1837).
+This is handled when you regenerate the docker-compose file. A fixed hostname is required to retain rspamd history. 
+This is also handled in the helm-chart repo.
 
 Please not that the shipped image for PostgreSQL database is deprecated.
 We advise to switch to an external PostgreSQL database server.
->>>>>>> afaacf5a... Update CHANGELOG.md and process towncrier newsfragments.
 
-<!-- TOWNCRIER -->
+
 1.8.0 - 2021-08-06
 --------------------
 

From f0997ed0fd5b3be5e8a6964bfd3197ced1aa5ef9 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Sat, 7 Aug 2021 09:12:43 +0200
Subject: [PATCH 05/44] Improved changelog entry

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3ad0061b..0a128163 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,7 +27,7 @@ We advise to switch to an external PostgreSQL database server.
 - Bugfixes: Replace PUBLIC_HOSTNAME and PUBLIC_IP in "Received" headers to ensure that no undue spam points are attributed ([#191](https://github.com/Mailu/Mailu/issues/191))
 - Bugfixes: Don't replace nested headers (typically in attached emails) ([#1660](https://github.com/Mailu/Mailu/issues/1660))
 - Bugfixes: Fix letsencrypt access to certbot for the mail-letsencrypt flavour ([#1686](https://github.com/Mailu/Mailu/issues/1686))
-- Bugfixes: Fix CVE-2020-25275 and CVE-2020-24386 by using alpine 3.13 for
+- Bugfixes: Fix CVE-2020-25275 and CVE-2020-24386 by upgrading alpine for
   dovecot which contains a fixed dovecot version. ([#1720](https://github.com/Mailu/Mailu/issues/1720))
 - Bugfixes: Antispam service now uses a static hostname. Rspamd history is only retained when the service has a fixed hostname. ([#1837](https://github.com/Mailu/Mailu/issues/1837))
 - Bugfixes: Fix a bug preventing colons from being used in passwords when using radicale/webdav. ([#1861](https://github.com/Mailu/Mailu/issues/1861))

From 21e7a338e75437afd59ae4185c87f59d18f8f4e9 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Sat, 7 Aug 2021 09:14:09 +0200
Subject: [PATCH 06/44] Fixed typing error.

---
 CHANGELOG.md      | 2 +-
 docs/releases.rst | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0a128163..82f04acc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,7 @@ One major change for the docker compose file is that the antispam container need
 This is handled when you regenerate the docker-compose file. A fixed hostname is required to retain rspamd history. 
 This is also handled in the helm-chart repo.
 
-Please not that the shipped image for PostgreSQL database is deprecated.
+Please note that the shipped image for PostgreSQL database is deprecated.
 We advise to switch to an external PostgreSQL database server.
 
 
diff --git a/docs/releases.rst b/docs/releases.rst
index 7473b033..3ae25f48 100644
--- a/docs/releases.rst
+++ b/docs/releases.rst
@@ -41,7 +41,7 @@ Upgrading
 Upgrade should run fine as long as you generate a new compose or stack
 configuration and upgrade your mailu.env.
 
-Please not that the shipped image for PostgreSQL database is deprecated.
+Please note that the shipped image for PostgreSQL database is deprecated.
 The shipped image for PostgreSQL is not maintained anymore from release 1.8.
 We recommend switching to an external PostgreSQL image as soon as possible.
 

From 14a18715111e4d21fd9cac0c7e18a293771f3fd0 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Sat, 7 Aug 2021 09:25:40 +0200
Subject: [PATCH 07/44] enhanced security changelog entry and added
 recommendation to recreate secret_key

---
 CHANGELOG.md      | 11 ++++++++++-
 docs/releases.rst | 14 +++++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82f04acc..da945c72 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,15 @@ One major change for the docker compose file is that the antispam container need
 This is handled when you regenerate the docker-compose file. A fixed hostname is required to retain rspamd history. 
 This is also handled in the helm-chart repo.
 
+Improvements have been made to protect again session-fixation attacks. 
+To be fully protected, it is required to change your SECRET_KEY in Mailu.env after upgrading. 
+A new SECRET_KEY is generated when you recreate your docker-compose.yml & mailu.env file via setup.mailu.io.
+
+The SECRET_KEY is an uppercase alphanumeric string of length 16. You can manually create such a string via
+```cat /dev/urandom | tr -dc 'A-Z0-9' | fold -w ${1:-16} | head -n 1```
+
+After changing mailu.env, it is required to recreate all containers for the changes to be propagated.
+
 Please note that the shipped image for PostgreSQL database is deprecated.
 We advise to switch to an external PostgreSQL database server.
 
@@ -34,7 +43,7 @@ We advise to switch to an external PostgreSQL database server.
 - Bugfixes: Remove dot in blueprint name to prevent critical flask startup error in setup. ([#1874](https://github.com/Mailu/Mailu/issues/1874))
 - Bugfixes: fix punycode encoding of domain names ([#1891](https://github.com/Mailu/Mailu/issues/1891))
 - Improved Documentation: Update fail2ban documentation to use systemd backend instead of filepath for journald ([#1857](https://github.com/Mailu/Mailu/issues/1857))
-- Misc:  ([#1783](https://github.com/Mailu/Mailu/issues/1783))
+- Misc: Switch from client side (cookie) sessions to server side sessions and protect against session-fixation attacks. We recommend that you change your SECRET_KEY after upgrading. ([#1783](https://github.com/Mailu/Mailu/issues/1783))
 
 
 v1.8.0rc - 2020-09-28
diff --git a/docs/releases.rst b/docs/releases.rst
index 3ae25f48..6c672538 100644
--- a/docs/releases.rst
+++ b/docs/releases.rst
@@ -21,7 +21,7 @@ Here’s a short summary of new features:
 - Roundcube and Rainloop have been updated.
 - All dependencies have been updated to the latest security update.
 - Fail2ban documentation has been improved.
-- Switch from client side (cookie) sessions to server side sessions.
+- Switch from client side (cookie) sessions to server side sessions and protect against session-fixation attacks. We recommend that you change your SECRET_KEY after upgrading.
 - Full-text-search is back after having been disabled for a while due to nasty bugs. It can still be disabled via the mailu.env file.
 - Tons of documentation improvements, especially geared towards new users.
 - (Experimental) support for different architectures, such as ARM.
@@ -51,6 +51,18 @@ Override location changes
 If you have regenerated the Docker compose and environment files, there are some changes to the configuration overrides.
 Override files are now mounted read-only into the containers. The Dovecot and Postfix overrides are moved in their own sub-directory. If there are local override files, they will need to be moved from ``overrides/`` to ``overrides/dovecot`` and ``overrides/postfix/``.
 
+Recreate SECRET_KEY after upgrading
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Improvements have been made to protect again session-fixation attacks. 
+To be fully protected, it is required to change your SECRET_KEY in Mailu.env after upgrading. 
+A new SECRET_KEY is generated when you recreate your docker-compose.yml & mailu.env file via setup.mailu.io.
+
+The SECRET_KEY is an uppercase alphanumeric string of length 16. You can manually create such a string via
+```cat /dev/urandom | tr -dc 'A-Z0-9' | fold -w ${1:-16} | head -n 1```
+
+After changing mailu.env, it is required to recreate all containers for the changes to be propagated.
+
 Update your DNS SPF Records
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

From 3157fc3623424f7af991f2de86981c2aeced4cca Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Sat, 7 Aug 2021 09:27:47 +0200
Subject: [PATCH 08/44] Give docker containers in each test one more minute for
 starting.

---
 .github/workflows/CI.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 19a445b4..e2a535dd 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -121,7 +121,7 @@ jobs:
       - name: Copy all certs
         run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
       - name: Test core suite
-        run: python tests/compose/test.py core 1
+        run: python tests/compose/test.py core 2
         env:
           MAILU_VERSION: ${{ env.MAILU_VERSION }}
           TRAVIS_BRANCH: ${{ env.BRANCH }} 
@@ -168,7 +168,7 @@ jobs:
       - name: Copy all certs
         run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
       - name: Test fetch
-        run: python tests/compose/test.py fetchmail 1
+        run: python tests/compose/test.py fetchmail 2
         env:
           MAILU_VERSION: ${{ env.MAILU_VERSION }}
           TRAVIS_BRANCH: ${{ env.BRANCH }}
@@ -215,7 +215,7 @@ jobs:
       - name: Copy all certs
         run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
       - name: Test clamvav
-        run: python tests/compose/test.py filters 2
+        run: python tests/compose/test.py filters 3
         env:
           MAILU_VERSION: ${{ env.MAILU_VERSION }}
           TRAVIS_BRANCH: ${{ env.BRANCH }}
@@ -262,7 +262,7 @@ jobs:
       - name: Copy all certs
         run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
       - name: Test rainloop
-        run: python tests/compose/test.py rainloop 1
+        run: python tests/compose/test.py rainloop 2
         env:
           MAILU_VERSION: ${{ env.MAILU_VERSION }}
           TRAVIS_BRANCH: ${{ env.BRANCH }} 
@@ -309,7 +309,7 @@ jobs:
       - name: Copy all certs
         run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
       - name: Test roundcube
-        run: python tests/compose/test.py roundcube 1
+        run: python tests/compose/test.py roundcube 2
         env:
           MAILU_VERSION: ${{ env.MAILU_VERSION }}
           TRAVIS_BRANCH: ${{ env.BRANCH }} 
@@ -356,7 +356,7 @@ jobs:
       - name: Copy all certs
         run: sudo -- sh -c 'mkdir -p /mailu && cp -r tests/certs /mailu && chmod 600 /mailu/certs/*'
       - name: Test webdav
-        run: python tests/compose/test.py webdav 1
+        run: python tests/compose/test.py webdav 2
         env:
           MAILU_VERSION: ${{ env.MAILU_VERSION }}
           TRAVIS_BRANCH: ${{ env.BRANCH }}

From 1438253a069da3b10831ef89dc119177f16f5216 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 8 Aug 2021 09:21:14 +0200
Subject: [PATCH 09/44] Ratelimit outgoing emails per user

---
 core/admin/mailu/configuration.py            |  1 +
 core/admin/mailu/internal/views/postfix.py   | 10 ++++++++--
 core/admin/mailu/models.py                   |  8 +++++++-
 core/admin/mailu/ui/templates/user/list.html |  5 ++++-
 core/postfix/conf/main.cf                    |  1 +
 core/postfix/start.py                        |  3 ++-
 setup/flavors/compose/mailu.env              |  5 +++++
 setup/templates/steps/config.html            |  7 +++++++
 towncrier/newsfragments/1031.feature         |  1 +
 9 files changed, 36 insertions(+), 5 deletions(-)
 create mode 100644 towncrier/newsfragments/1031.feature

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index d2d34d88..50733d52 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -46,6 +46,7 @@ DEFAULT_CONFIG = {
     'DKIM_SELECTOR': 'dkim',
     'DKIM_PATH': '/dkim/{domain}.{selector}.key',
     'DEFAULT_QUOTA': 1000000000,
+    'MESSAGE_RATELIMIT': '100/hour',
     # Web settings
     'SITENAME': 'Mailu',
     'WEBSITE': 'https://mailu.io',
diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index c358c37f..06918c61 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -1,5 +1,6 @@
-from mailu import models
+from mailu import models, utils
 from mailu.internal import internal
+from flask import current_app as app
 
 import flask
 import idna
@@ -31,7 +32,6 @@ def postfix_alias_map(alias):
     destination = models.Email.resolve_destination(localpart, domain_name)
     return flask.jsonify(",".join(destination)) if destination else flask.abort(404)
 
-
 @internal.route("/postfix/transport/<path:email>")
 def postfix_transport(email):
     if email == '*' or re.match("(^|.*@)\[.*\]$", email):
@@ -139,6 +139,12 @@ def postfix_sender_login(sender):
     destination = models.Email.resolve_destination(localpart, domain_name, True)
     return flask.jsonify(",".join(destination)) if destination else flask.abort(404)
 
+@internal.route("/postfix/sender/rate/<path:sender>")
+def postfix_sender_rate(sender):
+    """ Rate limit outbound emails per sender login
+    """
+    user = models.User.get(sender) or flask.abort(404)
+    return flask.abort(404) if user.sender_limiter.hit() else flask.jsonify("REJECT")
 
 @internal.route("/postfix/sender/access/<path:sender>")
 def postfix_sender_access(sender):
diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 3a299786..5760c27f 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -27,7 +27,7 @@ from sqlalchemy.ext.hybrid import hybrid_property
 from sqlalchemy.inspection import inspect
 from werkzeug.utils import cached_property
 
-from mailu import dkim
+from mailu import dkim, utils
 
 
 db = flask_sqlalchemy.SQLAlchemy()
@@ -501,6 +501,12 @@ class User(Base, Email):
             self.reply_enddate > now
         )
 
+    @property
+    def sender_limiter(self):
+        return utils.limiter.get_limiter(
+            app.config["MESSAGE_RATELIMIT"], "sender", self.email
+        )
+
     @classmethod
     def get_password_context(cls):
         """ create password context for hashing and verification
diff --git a/core/admin/mailu/ui/templates/user/list.html b/core/admin/mailu/ui/templates/user/list.html
index 2aff662f..746afd45 100644
--- a/core/admin/mailu/ui/templates/user/list.html
+++ b/core/admin/mailu/ui/templates/user/list.html
@@ -19,7 +19,8 @@
   <th>{% trans %}User settings{% endtrans %}</th>
   <th>{% trans %}Email{% endtrans %}</th>
   <th>{% trans %}Features{% endtrans %}</th>
-  <th>{% trans %}Quota{% endtrans %}</th>
+  <th>{% trans %}Storage Quota{% endtrans %}</th>
+  <th>{% trans %}Sending Quota{% endtrans %}</th>
   <th>{% trans %}Comment{% endtrans %}</th>
   <th>{% trans %}Created{% endtrans %}</th>
   <th>{% trans %}Last edit{% endtrans %}</th>
@@ -41,6 +42,8 @@
     {% if user.enable_pop %}<span class="label label-info">pop3</span>{% endif %}
   </td>
   <td>{{ user.quota_bytes_used | filesizeformat }} / {{ (user.quota_bytes | filesizeformat) if user.quota_bytes else '∞' }}</td>
+  {% set limiter = user.sender_limiter %}
+  <td>{{ limiter.get_window_stats()[1] }} / {{ limiter.limit }}</td>
   <td>{{ user.comment or '-' }}</td>
   <td>{{ user.created_at }}</td>
   <td>{{ user.updated_at or '' }}</td>
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 8f35f609..6f5a20b8 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -100,6 +100,7 @@ smtpd_sender_login_maps = ${podop}senderlogin
 smtpd_helo_required = yes
 
 smtpd_client_restrictions =
+  check_sasl_access ${podop}senderrate,
   permit_mynetworks,
   check_sender_access ${podop}senderaccess,
   reject_non_fqdn_sender,
diff --git a/core/postfix/start.py b/core/postfix/start.py
index e0c781b7..139616b2 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -25,7 +25,8 @@ def start_podop():
         ("recipientmap", "url", url + "recipient/map/§"),
         ("sendermap", "url", url + "sender/map/§"),
         ("senderaccess", "url", url + "sender/access/§"),
-        ("senderlogin", "url", url + "sender/login/§")
+        ("senderlogin", "url", url + "sender/login/§"),
+        ("senderrate", "url", url + "sender/rate/§")
     ])
 
 def is_valid_postconf_line(line):
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index d45f5517..52f4ee04 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -62,6 +62,11 @@ ANTIVIRUS={{ antivirus_enabled or 'none' }}
 # Max attachment size will be 33% smaller
 MESSAGE_SIZE_LIMIT={{ message_size_limit or '50000000' }}
 
+# Message rate limit (per user)
+{% if message_ratelimit_pd > '0' %}
+MESSAGE_RATELIMIT={{ message_ratelimit_pd }}/day
+{% endif %}
+
 # Networks granted relay permissions
 # Use this with care, all hosts in this networks will be able to send mail without authentication!
 RELAYNETS=
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index 72b83915..87410fca 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -55,6 +55,13 @@ Or in plain english: if receivers start to classify your mail as spam, this post
   </p>
 </div>
 
+<div class="form-group">
+  <label>Outgoing message rate limit (per user)</label>
+  <!--   Validates number input only -->
+  <p><input class="form-control" style="width: 7%; display: inline;" type="number" name="message_ratelimit_pd" value="100" required > / day
+  </p>
+</div>
+
 <div class="form-check form-check-inline">
   <label class="form-check-label">
     <input class="form-check-input" type="checkbox" name="disable_statistics" value="True">
diff --git a/towncrier/newsfragments/1031.feature b/towncrier/newsfragments/1031.feature
new file mode 100644
index 00000000..5f369262
--- /dev/null
+++ b/towncrier/newsfragments/1031.feature
@@ -0,0 +1 @@
+Add sending quotas per user

From 6b3c208fc9e4166b45c7ef21eacf75a86239bf24 Mon Sep 17 00:00:00 2001
From: Erriez <Erriez@users.noreply.github.com>
Date: Sun, 8 Aug 2021 14:50:20 +0200
Subject: [PATCH 10/44] Update Alpine version from 3.10 to 3.14

---
 tests/build_arm.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/build_arm.sh b/tests/build_arm.sh
index 04836ddb..32dba421 100755
--- a/tests/build_arm.sh
+++ b/tests/build_arm.sh
@@ -1,6 +1,6 @@
 #!/bin/bash -x
 
-ALPINE_VER="3.10"
+ALPINE_VER="3.14"
 DISTRO="balenalib/rpi-alpine:$ALPINE_VER"
 # Used for webmails
 QEMU="arm"

From bcdc137677efef597ff8729ca40626924ee042f9 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 8 Aug 2021 19:18:33 +0200
Subject: [PATCH 11/44] Alpine has removed support for btree and hash

---
 core/postfix/conf/main.cf     | 4 ++--
 core/postfix/conf/sasl_passwd | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 8f35f609..9cd4010e 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -32,7 +32,7 @@ mydestination =
 relayhost = {{ RELAYHOST }}
 {% if RELAYUSER %}
 smtp_sasl_auth_enable = yes
-smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
 smtp_sasl_security_options = noanonymous
 {% endif %}
 
@@ -58,7 +58,7 @@ tls_ssl_options = NO_COMPRESSION
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
 
 ###############
 # Virtual
diff --git a/core/postfix/conf/sasl_passwd b/core/postfix/conf/sasl_passwd
index e19d0657..1e32322a 100644
--- a/core/postfix/conf/sasl_passwd
+++ b/core/postfix/conf/sasl_passwd
@@ -1 +1,2 @@
-{{ RELAYHOST }} {{ RELAYUSER }}:{{ RELAYPASSWORD }}
\ No newline at end of file
+{{ RELAYHOST }} {{ RELAYUSER }}:{{ RELAYPASSWORD }}
+

From 1029cad04807371ac11133a43d95307005c003dc Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 8 Aug 2021 19:21:55 +0200
Subject: [PATCH 12/44] towncrier

---
 towncrier/newsfragments/1917.bugfix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/1917.bugfix

diff --git a/towncrier/newsfragments/1917.bugfix b/towncrier/newsfragments/1917.bugfix
new file mode 100644
index 00000000..68187d61
--- /dev/null
+++ b/towncrier/newsfragments/1917.bugfix
@@ -0,0 +1 @@
+Alpine has removed support for btree and hash in postfix... please use lmdb instead

From d6ce5d0c068566f86e5a061ce4819e9cd9e71246 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 8 Aug 2021 20:21:24 +0200
Subject: [PATCH 13/44] Remove a warning: limits don't apply to trusted hosts

---
 core/postfix/conf/main.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 6f5a20b8..428502ac 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -100,8 +100,8 @@ smtpd_sender_login_maps = ${podop}senderlogin
 smtpd_helo_required = yes
 
 smtpd_client_restrictions =
-  check_sasl_access ${podop}senderrate,
   permit_mynetworks,
+  check_sasl_access ${podop}senderrate,
   check_sender_access ${podop}senderaccess,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,

From 6d244222dae55c83f77b3938df911a9b7ded2546 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 09:28:19 +0200
Subject: [PATCH 14/44] better error message

---
 core/admin/mailu/internal/views/postfix.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index 06918c61..811dd4c0 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -144,7 +144,7 @@ def postfix_sender_rate(sender):
     """ Rate limit outbound emails per sender login
     """
     user = models.User.get(sender) or flask.abort(404)
-    return flask.abort(404) if user.sender_limiter.hit() else flask.jsonify("REJECT")
+    return flask.abort(404) if user.sender_limiter.hit() else flask.jsonify("450 4.2.1 You are sending too many emails too fast.")
 
 @internal.route("/postfix/sender/access/<path:sender>")
 def postfix_sender_access(sender):

From 1101e401e80be9f2a62c85d490a308680a2e009c Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 14:58:58 +0200
Subject: [PATCH 15/44] Apply the restriction on the right port

---
 core/postfix/conf/main.cf   | 3 ++-
 core/postfix/conf/master.cf | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 428502ac..0c442fb3 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -99,9 +99,10 @@ smtpd_sender_login_maps = ${podop}senderlogin
 # Restrictions for incoming SMTP, other restrictions are applied in master.cf
 smtpd_helo_required = yes
 
+check_ratelimit = check_sasl_access ${podop}senderrate
+
 smtpd_client_restrictions =
   permit_mynetworks,
-  check_sasl_access ${podop}senderrate,
   check_sender_access ${podop}senderaccess,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
diff --git a/core/postfix/conf/master.cf b/core/postfix/conf/master.cf
index e45a8ccf..eca0ad77 100644
--- a/core/postfix/conf/master.cf
+++ b/core/postfix/conf/master.cf
@@ -7,7 +7,7 @@ smtp      inet  n       -       n       -       -       smtpd
 # Internal SMTP service
 10025     inet  n       -       n       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
-  -o smtpd_client_restrictions=reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
+  -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
   -o smtpd_reject_unlisted_recipient={% if REJECT_UNLISTED_RECIPIENT %}{{ REJECT_UNLISTED_RECIPIENT }}{% else %}no{% endif %}
   -o cleanup_service_name=outclean
 outclean  unix n       -       n       -       0       cleanup

From 4535c42e70a2c5d62e97339dd3a05237de4a34e0 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 16:54:33 +0200
Subject: [PATCH 16/44] This isn't required

---
 core/postfix/conf/main.cf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 9cd4010e..1a9c6bc9 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -31,7 +31,6 @@ mydestination =
 # Relayhost if any is configured
 relayhost = {{ RELAYHOST }}
 {% if RELAYUSER %}
-smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
 smtp_sasl_security_options = noanonymous
 {% endif %}

From de3620da4aeca8fb37ad5af2462bc8fc6e32a80e Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 16:55:23 +0200
Subject: [PATCH 17/44] Don't send credentials in clear ever

---
 core/postfix/conf/main.cf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 1a9c6bc9..9b3e30ff 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -32,7 +32,8 @@ mydestination =
 relayhost = {{ RELAYHOST }}
 {% if RELAYUSER %}
 smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
-smtp_sasl_security_options = noanonymous
+smtp_sasl_security_options = noanonymous, noplaintext
+smtp_sasl_tls_security_options = noanonymous
 {% endif %}
 
 # Recipient delimiter for extended addresses

From 7285c6bfd98fed56addf8d1b736f10feb6cb8048 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 17:28:16 +0200
Subject: [PATCH 18/44] admin won't understand LOGIN

---
 core/nginx/conf/nginx.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 5158ca5c..718e90b9 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -302,7 +302,7 @@ mail {
       starttls only;
       {% endif %}
       protocol smtp;
-      smtp_auth plain login;
+      smtp_auth plain;
     }
 
     {% if TLS %}
@@ -310,7 +310,7 @@ mail {
       listen 465 ssl;
       listen [::]:465 ssl;
       protocol smtp;
-      smtp_auth plain login;
+      smtp_auth plain;
     }
 
     server {

From ecadf46ac620d2585e96d316910f607162905834 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 17:39:15 +0200
Subject: [PATCH 19/44] fix PFS

---
 core/postfix/conf/main.cf | 5 +++--
 core/postfix/start.py     | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 9b3e30ff..dfa31514 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -50,7 +50,7 @@ smtpd_authorized_xclient_hosts={{ POD_ADDRESS_RANGE or SUBNET }}
 # General TLS configuration
 tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 tls_preempt_cipherlist = yes
-tls_ssl_options = NO_COMPRESSION
+tls_ssl_options = NO_COMPRESSION, NO_TICKET
 
 # By default, outgoing TLS is more flexible because
 # 1. not all receiving servers will support TLS,
@@ -58,7 +58,8 @@ tls_ssl_options = NO_COMPRESSION
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
-smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
+smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
+smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
 
 ###############
 # Virtual
diff --git a/core/postfix/start.py b/core/postfix/start.py
index e0c781b7..df290a3a 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -15,6 +15,7 @@ log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
 
 def start_podop():
     os.setuid(getpwnam('postfix').pw_uid)
+    os.mkdir('/dev/shm/postfix',mode=0o700)
     url = "http://" + os.environ["ADMIN_ADDRESS"] + "/internal/postfix/"
     # TODO: Remove verbosity setting from Podop?
     run_server(0, "postfix", "/tmp/podop.socket", [

From 55cdb1a5349c8d35492efb5e2e69472f10f97827 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 17:42:33 +0200
Subject: [PATCH 20/44] be explicit about what we support

---
 core/postfix/conf/main.cf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index dfa31514..d83db600 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -43,6 +43,8 @@ recipient_delimiter = {{ RECIPIENT_DELIMITER }}
 # In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead.
 smtpd_authorized_xclient_hosts={{ POD_ADDRESS_RANGE or SUBNET }}
 
+auth_mechanisms = plain
+
 ###############
 # TLS
 ###############

From 5e7d5adf179d1a40c40c169d594995ff4de2f391 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 20:10:49 +0200
Subject: [PATCH 21/44] AUTH shouldn't happen on port 25

---
 core/admin/mailu/internal/nginx.py | 7 +++++++
 core/nginx/conf/nginx.conf         | 9 +++++++++
 2 files changed, 16 insertions(+)

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 3f5582cc..0c03b866 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -81,6 +81,13 @@ def handle_authentication(headers):
         raw_password = urllib.parse.unquote(headers["Auth-Pass"])
         password = raw_password.encode("iso8859-1").decode("utf8")
         ip = urllib.parse.unquote(headers["Client-Ip"])
+        port = int(urllib.parse.unquote(headers["Auth-Port"]))
+        if port == 25:
+            return {
+                "Auth-Status": "AUTH not supported",
+                "Auth-Error-Code": "502 5.5.1",
+                "Auth-Wait": 0
+            }
         user = models.User.query.get(user_email)
         if check_credentials(user, password, ip, protocol):
             return {
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 718e90b9..82e7ca36 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -250,6 +250,7 @@ mail {
       listen 10025;
       protocol smtp;
       smtp_auth plain;
+      auth_http_header Auth-Port 10025;
     }
 
     # Default IMAP server for the webmail (no encryption, but authentication)
@@ -257,6 +258,7 @@ mail {
       listen 10143;
       protocol imap;
       smtp_auth plain;
+      auth_http_header Auth-Port 10043;
     }
 
     # SMTP is always enabled, to avoid losing emails when TLS is failing
@@ -271,6 +273,7 @@ mail {
       {% endif %}
       protocol smtp;
       smtp_auth none;
+      auth_http_header Auth-Port 25;
     }
 
     # All other protocols are disabled if TLS is failing
@@ -283,6 +286,7 @@ mail {
       {% endif %}
       protocol imap;
       imap_auth plain;
+      auth_http_header Auth-Port 143;
     }
 
     server {
@@ -293,6 +297,7 @@ mail {
       {% endif %}
       protocol pop3;
       pop3_auth plain;
+      auth_http_header Auth-Port 110;
     }
 
     server {
@@ -303,6 +308,7 @@ mail {
       {% endif %}
       protocol smtp;
       smtp_auth plain;
+      auth_http_header Auth-Port 587;
     }
 
     {% if TLS %}
@@ -311,6 +317,7 @@ mail {
       listen [::]:465 ssl;
       protocol smtp;
       smtp_auth plain;
+      auth_http_header Auth-Port 465;
     }
 
     server {
@@ -318,6 +325,7 @@ mail {
       listen [::]:993 ssl;
       protocol imap;
       imap_auth plain;
+      auth_http_header Auth-Port 993;
     }
 
     server {
@@ -325,6 +333,7 @@ mail {
       listen [::]:995 ssl;
       protocol pop3;
       pop3_auth plain;
+      auth_http_header Auth-Port 995;
     }
     {% endif %}
     {% endif %}

From cb68cb312b781810f0ad57a8722bf2315f272458 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 20:40:56 +0200
Subject: [PATCH 22/44] Reduce the size of the RSA key to 3072bits

This is already generous for certificates that have a 3month validity!

We rekey every single time.
---
 core/nginx/letsencrypt.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index 3fe8ea92..ed106fa1 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -14,7 +14,7 @@ command = [
     "--cert-name", "mailu",
     "--preferred-challenges", "http", "--http-01-port", "8008",
     "--keep-until-expiring",
-    "--rsa-key-size", "4096",
+    "--rsa-key-size", "3072",
     "--config-dir", "/certs/letsencrypt",
     "--post-hook", "/config.py"
 ]

From f05cc99dc0b25ad02f17d91e0aee9852b7558bf0 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 21:06:15 +0200
Subject: [PATCH 23/44] Add ECC certs for modern clients

---
 core/nginx/conf/tls.conf  |  4 ++++
 core/nginx/config.py      |  4 ++--
 core/nginx/letsencrypt.py | 15 ++++++++++++++-
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/core/nginx/conf/tls.conf b/core/nginx/conf/tls.conf
index 5d7ec031..9100243d 100644
--- a/core/nginx/conf/tls.conf
+++ b/core/nginx/conf/tls.conf
@@ -1,5 +1,9 @@
 ssl_certificate {{ TLS[0] }};
 ssl_certificate_key {{ TLS[1] }};
+{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt] %}
+ssl_certificate {{ TLS[2] }};
+ssl_certificate_key {{ TLS[3] }};
+{% endif %}
 ssl_session_timeout 1d;
 ssl_session_tickets off;
 ssl_dhparam /conf/dhparam.pem;
diff --git a/core/nginx/config.py b/core/nginx/config.py
index 6fc9c082..a9bce89b 100755
--- a/core/nginx/config.py
+++ b/core/nginx/config.py
@@ -27,10 +27,10 @@ keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem")
 args["TLS"] = {
     "cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
     "letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
-        "/certs/letsencrypt/live/mailu/privkey.pem"),
+        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
     "mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
     "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
-        "/certs/letsencrypt/live/mailu/privkey.pem"),
+        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
     "notls": None
 }[args["TLS_FLAVOR"]]
 
diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index ed106fa1..73659f7c 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -14,7 +14,19 @@ command = [
     "--cert-name", "mailu",
     "--preferred-challenges", "http", "--http-01-port", "8008",
     "--keep-until-expiring",
-    "--rsa-key-size", "3072",
+    "--config-dir", "/certs/letsencrypt",
+    "--post-hook", "/config.py"
+]
+command2 = [
+    "certbot",
+    "-n", "--agree-tos", # non-interactive
+    "-d", os.environ["HOSTNAMES"],
+    "-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
+    "certonly", "--standalone",
+    "--cert-name", "mailu-ecdsa",
+    "--preferred-challenges", "http", "--http-01-port", "8008",
+    "--keep-until-expiring",
+    "--key-type", "ecdsa",
     "--config-dir", "/certs/letsencrypt",
     "--post-hook", "/config.py"
 ]
@@ -25,5 +37,6 @@ time.sleep(5)
 # Run certbot every hour
 while True:
     subprocess.call(command)
+    subprocess.call(command2)
     time.sleep(3600)
 

From 92ec446c20f317c2c188c821fb561e020ec6d5d7 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 21:29:05 +0200
Subject: [PATCH 24/44] doh

---
 core/nginx/conf/tls.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/conf/tls.conf b/core/nginx/conf/tls.conf
index 9100243d..4372c5af 100644
--- a/core/nginx/conf/tls.conf
+++ b/core/nginx/conf/tls.conf
@@ -1,6 +1,6 @@
 ssl_certificate {{ TLS[0] }};
 ssl_certificate_key {{ TLS[1] }};
-{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt] %}
+{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
 ssl_certificate {{ TLS[2] }};
 ssl_certificate_key {{ TLS[3] }};
 {% endif %}

From 98b903fe13c10ed99c9bae2167e046888114d3b8 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 21:38:03 +0200
Subject: [PATCH 25/44] don't send the rootcert

---
 core/nginx/config.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/core/nginx/config.py b/core/nginx/config.py
index a9bce89b..1b0f7235 100755
--- a/core/nginx/config.py
+++ b/core/nginx/config.py
@@ -26,11 +26,11 @@ cert_name = os.getenv("TLS_CERT_FILENAME", default="cert.pem")
 keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem")
 args["TLS"] = {
     "cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
-    "letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
-        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
+    "letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem",
+        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
     "mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
-    "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
-        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
+    "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem",
+        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
     "notls": None
 }[args["TLS_FLAVOR"]]
 

From 24f9bf106440f98a757a368b01187e7ddc16d1f0 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 22:51:23 +0200
Subject: [PATCH 26/44] format certs for nginx

---
 core/nginx/conf/tls.conf  |  1 +
 core/nginx/config.py      |  8 ++++----
 core/nginx/letsencrypt.py | 19 ++++++++++++++++++-
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/core/nginx/conf/tls.conf b/core/nginx/conf/tls.conf
index 4372c5af..f663bfd2 100644
--- a/core/nginx/conf/tls.conf
+++ b/core/nginx/conf/tls.conf
@@ -3,6 +3,7 @@ ssl_certificate_key {{ TLS[1] }};
 {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
 ssl_certificate {{ TLS[2] }};
 ssl_certificate_key {{ TLS[3] }};
+ssl_trusted_certificate /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem;
 {% endif %}
 ssl_session_timeout 1d;
 ssl_session_tickets off;
diff --git a/core/nginx/config.py b/core/nginx/config.py
index 1b0f7235..9fa75877 100755
--- a/core/nginx/config.py
+++ b/core/nginx/config.py
@@ -26,11 +26,11 @@ cert_name = os.getenv("TLS_CERT_FILENAME", default="cert.pem")
 keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem")
 args["TLS"] = {
     "cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
-    "letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem",
-        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
+    "letsencrypt": ("/certs/letsencrypt/live/mailu/nginx-chain.pem",
+        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
     "mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
-    "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem",
-        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
+    "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/nginx-chain.pem",
+        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
     "notls": None
 }[args["TLS_FLAVOR"]]
 
diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index 73659f7c..9a5ba18a 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -4,7 +4,6 @@ import os
 import time
 import subprocess
 
-
 command = [
     "certbot",
     "-n", "--agree-tos", # non-interactive
@@ -31,12 +30,30 @@ command2 = [
     "--post-hook", "/config.py"
 ]
 
+def format_for_nginx(fullchain, output):
+    """ nginx expects cert + intermediate
+    whereas letsencrypt provides ca + intermediate + cert
+    """
+    certs = []
+    with open(fullchain, 'r') as pem:
+        cert = ''
+        for line in pem:
+            cert += line
+            if '-----END CERTIFICATE-----' in line:
+                certs += [cert]
+                cert = ''
+    with open(output, 'w') as pem:
+        for cert in reversed(certs[1:]):
+            pem.write(cert)
+
 # Wait for nginx to start
 time.sleep(5)
 
 # Run certbot every hour
 while True:
     subprocess.call(command)
+    format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
     subprocess.call(command2)
+    format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
     time.sleep(3600)
 

From 12c842c4b99be47d1a7eb630780337a8995309d8 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 23:27:03 +0200
Subject: [PATCH 27/44] In fact in fullchain we want all but the last

---
 core/nginx/letsencrypt.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index 9a5ba18a..3f8f6067 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -31,8 +31,7 @@ command2 = [
 ]
 
 def format_for_nginx(fullchain, output):
-    """ nginx expects cert + intermediate
-    whereas letsencrypt provides ca + intermediate + cert
+    """ nginx doesn't need the "compat"
     """
     certs = []
     with open(fullchain, 'r') as pem:
@@ -43,7 +42,7 @@ def format_for_nginx(fullchain, output):
                 certs += [cert]
                 cert = ''
     with open(output, 'w') as pem:
-        for cert in reversed(certs[1:]):
+        for cert in certs[:-1]:
             pem.write(cert)
 
 # Wait for nginx to start

From 4a871c090538e89d1aed1c148f036d1acec70e70 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 23:29:17 +0200
Subject: [PATCH 28/44] this causes trouble with the test

---
 core/postfix/conf/main.cf | 2 --
 1 file changed, 2 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index d83db600..dfa31514 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -43,8 +43,6 @@ recipient_delimiter = {{ RECIPIENT_DELIMITER }}
 # In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead.
 smtpd_authorized_xclient_hosts={{ POD_ADDRESS_RANGE or SUBNET }}
 
-auth_mechanisms = plain
-
 ###############
 # TLS
 ###############

From f971b47fb93190ee6d84961e4ea0e6ade510c0c8 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 10 Aug 2021 08:22:23 +0200
Subject: [PATCH 29/44] maybe fix the tests

---
 core/postfix/conf/main.cf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index dfa31514..a35ca16c 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -31,6 +31,7 @@ mydestination =
 # Relayhost if any is configured
 relayhost = {{ RELAYHOST }}
 {% if RELAYUSER %}
+smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
 smtp_sasl_security_options = noanonymous, noplaintext
 smtp_sasl_tls_security_options = noanonymous

From 2b05e72ce4027e3022a960d862bdbf0243583356 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 10 Aug 2021 08:51:55 +0200
Subject: [PATCH 30/44] Revert "maybe fix the tests"

This reverts commit f971b47fb93190ee6d84961e4ea0e6ade510c0c8.
---
 core/postfix/conf/main.cf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index a35ca16c..dfa31514 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -31,7 +31,6 @@ mydestination =
 # Relayhost if any is configured
 relayhost = {{ RELAYHOST }}
 {% if RELAYUSER %}
-smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
 smtp_sasl_security_options = noanonymous, noplaintext
 smtp_sasl_tls_security_options = noanonymous

From 974bcba5ab8d8bf2d2f581f74e338fda491595f5 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 10 Aug 2021 09:05:02 +0200
Subject: [PATCH 31/44] Restore LOGIN as tests assume it's there

---
 core/nginx/conf/nginx.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 82e7ca36..9ce12980 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -307,7 +307,7 @@ mail {
       starttls only;
       {% endif %}
       protocol smtp;
-      smtp_auth plain;
+      smtp_auth plain login;
       auth_http_header Auth-Port 587;
     }
 
@@ -316,7 +316,7 @@ mail {
       listen 465 ssl;
       listen [::]:465 ssl;
       protocol smtp;
-      smtp_auth plain;
+      smtp_auth plain login;
       auth_http_header Auth-Port 465;
     }
 

From dccd8afd5167eb2852567ad02062e802ba4834fb Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 10 Aug 2021 10:20:15 +0200
Subject: [PATCH 32/44] Thanks @Diman0!

ENEEDSLEEP
---
 core/admin/mailu/internal/nginx.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 0c03b866..5e60cd0c 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -81,8 +81,8 @@ def handle_authentication(headers):
         raw_password = urllib.parse.unquote(headers["Auth-Pass"])
         password = raw_password.encode("iso8859-1").decode("utf8")
         ip = urllib.parse.unquote(headers["Client-Ip"])
-        port = int(urllib.parse.unquote(headers["Auth-Port"]))
-        if port == 25:
+        service_port = int(urllib.parse.unquote(headers["Auth-Port"]))
+        if service_port == 25:
             return {
                 "Auth-Status": "AUTH not supported",
                 "Auth-Error-Code": "502 5.5.1",

From 109a8aa000ec4556240fd56cb1deef1b36130d6f Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 10 Aug 2021 10:55:21 +0200
Subject: [PATCH 33/44] Ensure that we always have CERT+INTERMEDIARY CA

Let's encrypt may change things up in the future...
---
 core/nginx/letsencrypt.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index 3f8f6067..d6575c11 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -42,7 +42,7 @@ def format_for_nginx(fullchain, output):
                 certs += [cert]
                 cert = ''
     with open(output, 'w') as pem:
-        for cert in certs[:-1]:
+        for cert in certs[:-1] if len(certs)>2 else certs:
             pem.write(cert)
 
 # Wait for nginx to start

From 5e1ba9d4ffbff68780c9f6e4ef4ba353744a7b4f Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 10 Aug 2021 12:09:11 +0200
Subject: [PATCH 34/44] towncrier

---
 towncrier/newsfragments/1922.enhancement | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 towncrier/newsfragments/1922.enhancement

diff --git a/towncrier/newsfragments/1922.enhancement b/towncrier/newsfragments/1922.enhancement
new file mode 100644
index 00000000..4b01fa88
--- /dev/null
+++ b/towncrier/newsfragments/1922.enhancement
@@ -0,0 +1,5 @@
+Add support for ECDSA certificates when letsencrypt is used. This means dropping compatibility for android < 4.1.1
+Add LETSENCRYPT_SHORTCHAIN to your configuration to avoid sending ISRG Root X1 (this will break compatibility with android < 7.1.1)
+Disable AUTH command on port 25
+Disable TLS tickets, reconfigure the cache to improve Forward Secrecy
+Prevent clear-text credentials from being sent to relays

From c76a76c0b01890a07cc6b7490174334857e88bf9 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 10 Aug 2021 12:19:51 +0200
Subject: [PATCH 35/44] make it optional, add a knob

---
 core/nginx/letsencrypt.py | 4 ++--
 docs/configuration.rst    | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index d6575c11..1f7e20dc 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -31,7 +31,7 @@ command2 = [
 ]
 
 def format_for_nginx(fullchain, output):
-    """ nginx doesn't need the "compat"
+    """ We may want to strip ISRG Root X1 out
     """
     certs = []
     with open(fullchain, 'r') as pem:
@@ -42,7 +42,7 @@ def format_for_nginx(fullchain, output):
                 certs += [cert]
                 cert = ''
     with open(output, 'w') as pem:
-        for cert in certs[:-1] if len(certs)>2 else certs:
+        for cert in certs[:-1] if len(certs)>2 and os.getenv('LETSENCRYPT_SHORTCHAIN', default="False") else certs:
             pem.write(cert)
 
 # Wait for nginx to start
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 21effc52..83bc9d90 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -163,6 +163,11 @@ See the `python docs`_ for more information.
 
 .. _`python docs`: https://docs.python.org/3.6/library/logging.html#logging-levels
 
+The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send the ISRG Root X1 certificate in TLS handshakes. This is required for `android handsets older than 7.1.1` but slows down the performance of modern devices.
+
+.. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739
+
+
 Antivirus settings
 ------------------
 

From 772e5efb7d16c2f5519cf38ddef35a7f8644fd3f Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 11 Aug 2021 22:47:29 +0200
Subject: [PATCH 36/44] Disable pipelining to prevent bypass

---
 core/postfix/conf/master.cf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/postfix/conf/master.cf b/core/postfix/conf/master.cf
index eca0ad77..15613476 100644
--- a/core/postfix/conf/master.cf
+++ b/core/postfix/conf/master.cf
@@ -7,6 +7,7 @@ smtp      inet  n       -       n       -       -       smtpd
 # Internal SMTP service
 10025     inet  n       -       n       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
+  -o smtpd_discard_ehlo_keywords=pipelining
   -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
   -o smtpd_reject_unlisted_recipient={% if REJECT_UNLISTED_RECIPIENT %}{{ REJECT_UNLISTED_RECIPIENT }}{% else %}no{% endif %}
   -o cleanup_service_name=outclean

From 925105075c163e908f0927c90cfbba03db14d5b7 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 13 Aug 2021 20:35:40 +0200
Subject: [PATCH 37/44] this is required in fact

---
 core/postfix/conf/main.cf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index dfa31514..a35ca16c 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -31,6 +31,7 @@ mydestination =
 # Relayhost if any is configured
 relayhost = {{ RELAYHOST }}
 {% if RELAYUSER %}
+smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
 smtp_sasl_security_options = noanonymous, noplaintext
 smtp_sasl_tls_security_options = noanonymous

From 7e5a35660aadb1c4aa571aa58c5250ca9b992d32 Mon Sep 17 00:00:00 2001
From: Jack Murray <github@c0rporation.com>
Date: Sat, 14 Aug 2021 14:04:02 +0100
Subject: [PATCH 38/44] Change letsencrypt timer from 1h --> 1 day

There's no need to be calling certbot so frequently
---
 core/nginx/letsencrypt.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index 3fe8ea92..b8a0ed2e 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -22,8 +22,8 @@ command = [
 # Wait for nginx to start
 time.sleep(5)
 
-# Run certbot every hour
+# Run certbot every day
 while True:
     subprocess.call(command)
-    time.sleep(3600)
+    time.sleep(86400)
 

From e304c352a13519afbd9e2b9bc04b069add8e7bf4 Mon Sep 17 00:00:00 2001
From: Jack Murray <github@c0rporation.com>
Date: Sat, 14 Aug 2021 14:04:02 +0100
Subject: [PATCH 39/44] Change letsencrypt timer from 1h --> 1 day

There's no need to be calling certbot so frequently
---
 core/nginx/letsencrypt.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index 1f7e20dc..cfd14e73 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -48,7 +48,7 @@ def format_for_nginx(fullchain, output):
 # Wait for nginx to start
 time.sleep(5)
 
-# Run certbot every hour
+# Run certbot every day
 while True:
     subprocess.call(command)
     format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')

From 6704cb869aa6e724df9ebf8e9697f356ef07592a Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 18 Aug 2021 15:46:22 +0200
Subject: [PATCH 40/44] Switch to 3072bits dhparam (instead of 4096bits)

We aim for 128bits of security here
---
 core/nginx/conf/dhparam.pem | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/core/nginx/conf/dhparam.pem b/core/nginx/conf/dhparam.pem
index 3cf0fcbc..4f25f663 100644
--- a/core/nginx/conf/dhparam.pem
+++ b/core/nginx/conf/dhparam.pem
@@ -1,13 +1,11 @@
 -----BEGIN DH PARAMETERS-----
-MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
-7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
-nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
-8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
-iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
-zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+MIIBiAKCAYEAtQlUSOKGjpdXJ154qmMEa1pEs+9CdSxWiZFkiXBJb0lTafOh8cfF
+2IkcWSwzxWwjW4Ad26UQQFh1poGf2QBzVk2vuKCekYzPAs/WqH8VwiXBiWR5R9lh
+v/+CkEBYuQOzAhXLN6ZGdPPa2sjdI49rlaIqyLJE4D0TI/VHYmC/vEwqkJUgaGrS
+19LhHZimnmouvrnyBPyf00czXlMow0RnmYeHVZ7W5hu7t9TH9o3QAN/GKiFfxFj+
+RkdLM7beQdS0He5YeTaElM5l1YT5d5gHFbOzEQyKHd10ux+bgVcgUeVbBnI1SAIC
+w53yc1PkDAiRijSP5j5aWq1djtJPheS13o35HyIf0cHzkNYhKfX5JWPj/cbgdM+C
+FL1bnRc8sL5oxmkDoGJhiNZIf4n2WtS8Zu28gUgat6S+vCm/4yavIc/T1g6UiNKE
+X41HPbsma/QWUwOL6S+b2qr+7rKqjI5TzVek8vBMellEV4mBvfQU3NDSQ4WvxbTq
+ZEOgLPA178nrAgEC
 -----END DH PARAMETERS-----

From dd127f8f06520befbf52be325c4462cb6c7fbc2d Mon Sep 17 00:00:00 2001
From: Jack Murray <github@c0rporation.com>
Date: Sat, 14 Aug 2021 14:04:02 +0100
Subject: [PATCH 41/44] Change letsencrypt timer from 1h --> 1 day

There's no need to be calling certbot so frequently
---
 core/nginx/letsencrypt.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index cfd14e73..1dd2cba4 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -54,5 +54,4 @@ while True:
     format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
     subprocess.call(command2)
     format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
-    time.sleep(3600)
-
+    time.sleep(86400)

From b7403c850a730a54c5720d7582ee570468a42560 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 18 Aug 2021 14:56:12 +0000
Subject: [PATCH 42/44] Document the new setting in webadministration.rst.

---
 docs/webadministration.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/webadministration.rst b/docs/webadministration.rst
index 86ce41c0..a916cd9d 100644
--- a/docs/webadministration.rst
+++ b/docs/webadministration.rst
@@ -334,7 +334,10 @@ For adding a new user the following options can be configured.
 * Enabled. Tick this checkbox to enable the user account. When an user is disabled, the user is unable to login to the Admin GUI or webmail or access his email via IMAP/POP3 or send mail.
   The email inbox of the user is still retained. This option can be used to temporarily suspend an user account.
 
-* Quota. The maximum quota for the user's email box.
+* Storage Quota. The maximum quota for the user's email box.
+
+* Sending Quota. The sending quota is the limit of messages a single user can send per day. 
+  This is meant to fight outbound spam in case of a compromised or malicious account on the server.
 
 * Allow IMAP access. When ticked, allows email retrieval via the IMAP protocol.
 

From e5972bd9ecdb81c22998a380311add36538caea1 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 18 Aug 2021 15:01:10 +0000
Subject: [PATCH 43/44] Set default message rate limit to 200/day

---
 core/admin/mailu/configuration.py | 2 +-
 setup/templates/steps/config.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 50733d52..c1016949 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -46,7 +46,7 @@ DEFAULT_CONFIG = {
     'DKIM_SELECTOR': 'dkim',
     'DKIM_PATH': '/dkim/{domain}.{selector}.key',
     'DEFAULT_QUOTA': 1000000000,
-    'MESSAGE_RATELIMIT': '100/hour',
+    'MESSAGE_RATELIMIT': '200/day',
     # Web settings
     'SITENAME': 'Mailu',
     'WEBSITE': 'https://mailu.io',
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index 87410fca..f532f757 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -58,7 +58,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post
 <div class="form-group">
   <label>Outgoing message rate limit (per user)</label>
   <!--   Validates number input only -->
-  <p><input class="form-control" style="width: 7%; display: inline;" type="number" name="message_ratelimit_pd" value="100" required > / day
+  <p><input class="form-control" style="width: 7%; display: inline;" type="number" name="message_ratelimit_pd" value="200" required > / day
   </p>
 </div>
 

From 4c056db4aac6a304e3d1867fbb0f374ad3eaeea3 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 18 Aug 2021 18:53:50 +0000
Subject: [PATCH 44/44] Added documentation for all user statuses.

---
 docs/webadministration.rst | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/docs/webadministration.rst b/docs/webadministration.rst
index a916cd9d..03b07ba2 100644
--- a/docs/webadministration.rst
+++ b/docs/webadministration.rst
@@ -315,6 +315,21 @@ This page is also accessible for domain managers. On the users page new users ca
 
 * Fetched accounts. Access the fetched accounts page of the user. See the :ref:`fetched accounts page <webadministration_fetched_accounts>` for more information.
 
+This page also shows an overview of the following settings of an user:
+
+* Email. The email address of the user.
+
+* Features. Shows if IMAP or POP3 access is enabled.
+
+* Storage quota. Shows how much assigned storage has been consumed.
+
+* Sending Quota. The sending quota is the limit of messages a single user can send per day. 
+
+* Comment. A desription for the user. 
+
+* Created. Date when the user was created.
+
+* Last edit. Last date when the user was modified. 
 
 .. _webadministration_add_user:
 
@@ -336,9 +351,6 @@ For adding a new user the following options can be configured.
 
 * Storage Quota. The maximum quota for the user's email box.
 
-* Sending Quota. The sending quota is the limit of messages a single user can send per day. 
-  This is meant to fight outbound spam in case of a compromised or malicious account on the server.
-
 * Allow IMAP access. When ticked, allows email retrieval via the IMAP protocol.
 
 * Allow POP3 access. When ticked, allows email retrieval via the POP3 protocol.