From 9fa3a3e0c7283da2d8fdb6a9e2de4d6decfef9b4 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Tue, 22 Nov 2022 10:14:15 +0100 Subject: [PATCH] doc --- README.md | 2 +- docs/index.rst | 2 +- webmails/snuffleupagus.rules | 5 +++++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0fd737b6..b6ed040b 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ Main features include: - **Web access**, multiple Webmails and administration interface - **User features**, aliases, auto-reply, auto-forward, fetched accounts - **Admin features**, global admins, announcements, per-domain delegation, quotas -- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner +- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, [Snuffleupagus](https://github.com/jvoisin/snuffleupagus/) - **Antispam**, auto-learn, greylisting, DMARC and SPF, anti-spoofing - **Freedom**, all FOSS components, no tracker included diff --git a/docs/index.rst b/docs/index.rst index 5c004dc1..0b37cf43 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -28,7 +28,7 @@ Main features include: - **Web access**, multiple Webmails and administration interface - **User features**, aliases, auto-reply, auto-forward, fetched accounts - **Admin features**, global admins, announcements, per-domain delegation, quotas -- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner +- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, Snuffleupagus - **Antispam**, auto-learn, greylisting, DMARC and SPF, anti-spoofing - **Freedom**, all FOSS components, no tracker included diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules index baa5ecf8..ec7bee13 100644 --- a/webmails/snuffleupagus.rules +++ b/webmails/snuffleupagus.rules @@ -72,6 +72,7 @@ sp.disable_function.function("include").drop() sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); +# This is **very** broad but doing better is non-straightforward sp.disable_function.function("proc_open").param("command").value_r("^gpg ").allow(); sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); @@ -121,8 +122,12 @@ sp.disable_function.function("ini_set").param("option").value_r("error_log").dro sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop() sp.auto_cookie_secure.enable(); +# TODO: consider encrypting the cookies? +# TODO: ensure this is up to date sp.cookie.name("roundcube_sessauth").samesite("strict"); sp.cookie.name("roundcube_sessid").samesite("strict"); sp.ini_protection.policy_silent_fail(); +# roundcube uses unserialize() everywhere. +# This should do the job until https://github.com/jvoisin/snuffleupagus/issues/438 is implemented. sp.disable_function.function("unserialize").param("data").value_r("[cCoO]:\d+:[\"{]").drop();