Merge #2027 #2030

2027: Make logs more quiet r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

It silences various useless log messages in front, specifically:
```
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/1.1" 301 162 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/2.0" 204 0 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 2021/10/30 03:11:04 [info] 476302#476302: *2622679 client 127.0.0.1 closed keepalive connection
Oct 30 03:13:02 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:13:02 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
```

`@micw` has requested it for k8s

2030: Fix RELAYNETS r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

RELAYNETS should be comma separated like everything else; rspamd should also be aware of what is considered "trusted".

I am not sure whether ```local_networks``` is the right configuration option for it though

- close #360

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>

core/nginx/conf/nginx.conf

@@ -1,7 +1,7 @@
 # Basic configuration
 user nginx;
 worker_processes auto;
-error_log /dev/stderr info;
+error_log /dev/stderr notice;
 pid /var/run/nginx.pid;
 load_module "modules/ngx_mail_module.so";
 
@@ -13,7 +13,6 @@ http {
     # Standard HTTP configuration with slight hardening
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
-    access_log /dev/stdout;
     sendfile on;
     keepalive_timeout 65;
     server_tokens off;
@@ -38,6 +37,13 @@ http {
       ~*\.(ico|css|js|gif|jpeg|jpg|png|woff2?|ttf|otf|svg|tiff|eot|webp)$ 97d;
     }
 
+    map $request_uri $loggable {
+      /health 0;
+      /auth/email 0;
+      default 1;
+    }
+    access_log /dev/stdout combined if=$loggable;
+
     # compression
     gzip on;
     gzip_static on;
@@ -246,6 +252,7 @@ mail {
     auth_http http://127.0.0.1:8000/auth/email;
     proxy_pass_error_message on;
     resolver {{ RESOLVER }} ipv6=off valid=30s;
+    error_log /dev/stderr info;
 
     {% if TLS and not TLS_ERROR %}
     include /etc/nginx/tls.conf;

core/postfix/conf/main.cf

@@ -17,7 +17,7 @@ queue_directory = /queue
 message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
 
 # Relayed networks
-mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS }}
+mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS.split(",") }}
 
 # Empty alias list to override the configuration variable and disable NIS
 alias_maps =

core/rspamd/conf/options.inc

@@ -0,0 +1,3 @@
+{% if RELAYNETS %}
+local_networks = [{{ RELAYNETS }}];
+{% endif %}

docs/configuration.rst

@@ -73,14 +73,14 @@ The ``MESSAGE_RATELIMIT`` is the limit of messages a single user can send. This
 meant to fight outbound spam in case of compromised or malicious account on the
 server.
 
-The ``RELAYNETS`` are network addresses for which mail is relayed for free with
-no authentication required. This should be used with great care. If you want other
-Docker services' outbound mail to be relayed, you can set this to ``172.16.0.0/12``
-to include **all** Docker networks. The default is to leave this empty.
+The ``RELAYNETS`` (default: unset) is a comma delimited list of network addresses
+for which mail is relayed for with no authentication required. This should be
+used with great care as misconfigurations may turn your Mailu instance into an
+open-relay!
 
-The ``RELAYHOST`` is an optional address of a mail server relaying all outgoing
-mail in following format: ``[HOST]:PORT``.
-``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
+The ``RELAYHOST`` is an optional address to use as a smarthost for all outgoing
+mail in following format: ``[HOST]:PORT``. ``RELAYUSER`` and ``RELAYPASSWORD``
+can be used when authentication is required.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
 by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is

towncrier/newsfragments/360.bugfix

@@ -0,0 +1 @@
+RELAYNETS should be a comma separated list of networks