diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf index 4db963d3..71cbf9ee 100644 --- a/core/nginx/conf/nginx.conf +++ b/core/nginx/conf/nginx.conf @@ -1,7 +1,7 @@ # Basic configuration user nginx; worker_processes auto; -error_log /dev/stderr info; +error_log /dev/stderr notice; pid /var/run/nginx.pid; load_module "modules/ngx_mail_module.so"; @@ -13,7 +13,6 @@ http { # Standard HTTP configuration with slight hardening include /etc/nginx/mime.types; default_type application/octet-stream; - access_log /dev/stdout; sendfile on; keepalive_timeout 65; server_tokens off; @@ -38,6 +37,13 @@ http { ~*\.(ico|css|js|gif|jpeg|jpg|png|woff2?|ttf|otf|svg|tiff|eot|webp)$ 97d; } + map $request_uri $loggable { + /health 0; + /auth/email 0; + default 1; + } + access_log /dev/stdout combined if=$loggable; + # compression gzip on; gzip_static on; @@ -246,6 +252,7 @@ mail { auth_http http://127.0.0.1:8000/auth/email; proxy_pass_error_message on; resolver {{ RESOLVER }} ipv6=off valid=30s; + error_log /dev/stderr info; {% if TLS and not TLS_ERROR %} include /etc/nginx/tls.conf; diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf index 3f478ed5..9a609ee3 100644 --- a/core/postfix/conf/main.cf +++ b/core/postfix/conf/main.cf @@ -17,7 +17,7 @@ queue_directory = /queue message_size_limit = {{ MESSAGE_SIZE_LIMIT }} # Relayed networks -mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS }} +mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS.split(",") }} # Empty alias list to override the configuration variable and disable NIS alias_maps = diff --git a/core/rspamd/conf/options.inc b/core/rspamd/conf/options.inc new file mode 100644 index 00000000..22bae565 --- /dev/null +++ b/core/rspamd/conf/options.inc @@ -0,0 +1,3 @@ +{% if RELAYNETS %} +local_networks = [{{ RELAYNETS }}]; +{% endif %} diff --git a/docs/configuration.rst b/docs/configuration.rst index f5bd9582..fa574415 100644 --- a/docs/configuration.rst 
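Review bot: The `$loggable` map added in the `http` block keys only on `$request_uri`, so the suppression of `/health` and `/auth/email` applies to every server that inherits this `access_log`, not only to the loopback listener the mail proxy calls via `auth_http http://127.0.0.1:8000/auth/email;`. If an externally reachable server also answers `/auth/email`, requests to the authentication endpoint would leave no access-log record, which is the record an operator would use to notice repeated login failures. Consider keeping the http-level `access_log /dev/stdout;` and putting `access_log off;` inside the internal server's locations for these two paths. Failing that, add a comment such as `# silences only loopback health checks and auth_http subrequests` once that has been verified. The server blocks lie outside this hunk, so whether these paths are exposed publicly cannot be confirmed from here.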
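Review bot: `{{ RELAYNETS.split(",") }}` on the `mynetworks` line prints the list object rather than its elements. With a Jinja-style renderer (which the `{% if %}` syntax elsewhere in this commit suggests) the value would come out as `['10.0.0.0/8', '192.168.0.0/16']` (constructed example), brackets and quotes included. Because `mynetworks` decides which clients may relay without authentication, the rendered value should be a plain list: `mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS.split(",") | join(" ") }}`. Unlike the rspamd template in this commit, this line has no guard for an unset `RELAYNETS`. If the variable can be undefined at render time the `.split` call may fail, so a fallback such as `(RELAYNETS or "")` is worth considering.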
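Review bot: The new `options.inc` has no comment explaining why relay networks are passed to rspamd, and it widens what `RELAYNETS` does. The hosts allowed to relay without authentication are now also declared in `local_networks`. A short header would help, for example `# RELAYNETS hosts relay without authentication; listing them here also makes rspamd treat them as local networks`. Presumably rspamd relaxes some checks for local networks, so an over-broad `RELAYNETS` would weaken filtering as well as relay control. That effect is not mentioned in the `docs/configuration.rst` change in this commit and deserves a sentence there.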
+++ b/docs/configuration.rst @@ -73,14 +73,14 @@ The ``MESSAGE_RATELIMIT`` is the limit of messages a single user can send. This meant to fight outbound spam in case of compromised or malicious account on the server. -The ``RELAYNETS`` are network addresses for which mail is relayed for free with -no authentication required. This should be used with great care. If you want other -Docker services' outbound mail to be relayed, you can set this to ``172.16.0.0/12`` -to include **all** Docker networks. The default is to leave this empty. +The ``RELAYNETS`` (default: unset) is a comma delimited list of network addresses +for which mail is relayed for with no authentication required. This should be +used with great care as misconfigurations may turn your Mailu instance into an +open-relay! -The ``RELAYHOST`` is an optional address of a mail server relaying all outgoing -mail in following format: ``[HOST]:PORT``. -``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed. +The ``RELAYHOST`` is an optional address to use as a smarthost for all outgoing +mail in following format: ``[HOST]:PORT``. ``RELAYUSER`` and ``RELAYPASSWORD`` +can be used when authentication is required. By default postfix uses "opportunistic TLS" for outbound mail. This can be changed by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is diff --git a/towncrier/newsfragments/360.bugfix b/towncrier/newsfragments/360.bugfix new file mode 100644 index 00000000..d433e0e3 --- /dev/null +++ b/towncrier/newsfragments/360.bugfix @@ -0,0 +1 @@ +RELAYNETS should be a comma separated list of networks