From 80a85c27a98a3a2a7ea62cacaa2ad4f2f71f2c32 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 30 Oct 2021 15:30:59 +0200
Subject: [PATCH 1/6] Silent healthchecks in logs

---
 core/nginx/conf/nginx.conf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 4db963d3..bc0a51ec 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -13,7 +13,6 @@ http {
 # Standard HTTP configuration with slight hardening
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
- access_log /dev/stdout;
 sendfile on;
 keepalive_timeout 65;
 server_tokens off;
@@ -38,6 +37,13 @@ http {
 ~*\.(ico|css|js|gif|jpeg|jpg|png|woff2?|ttf|otf|svg|tiff|eot|webp)$ 97d;
 }
 
+ map $request_uri $loggable {
+ /health 0;
+ /auth/email 0;
+ default 1;
+ }
+ access_log /dev/stdout combined if=$loggable;
+
 # compression
 gzip on;
 gzip_static on;

From 53a0363b9e86a6a0219e712ace280004bcfee6c0 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 30 Oct 2021 15:39:13 +0200
Subject: [PATCH 2/6] Deal with the noisy keepalive messages

We don't particularly care about HTTP... and that's what's noisy.
---
 core/nginx/conf/nginx.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index bc0a51ec..71cbf9ee 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -1,7 +1,7 @@
 # Basic configuration
 user nginx;
 worker_processes auto;
-error_log /dev/stderr info;
+error_log /dev/stderr notice;
 pid /var/run/nginx.pid;
 
 load_module "modules/ngx_mail_module.so";
@@ -252,6 +252,7 @@ mail {
 auth_http http://127.0.0.1:8000/auth/email;
 proxy_pass_error_message on;
 resolver {{ RESOLVER }} ipv6=off valid=30s;
+ error_log /dev/stderr info;
 
 {% if TLS and not TLS_ERROR %}
 include /etc/nginx/tls.conf;

From 9d474f32a6f9eade5a312dea7e509e86ac0653d4 Mon Sep 17 00:00:00 2001
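Review bot: The `map $request_uri $loggable` block sits at `http` level and is keyed on the path alone, so the suppression is not limited to the internal listener that the health probe and the mail module's `auth_http` callback hit: a request for exactly `/health` or `/auth/email` arriving on a public-facing `server` leaves no access-log line either. Keying the map on the listener as well, e.g. `map "$server_port:$request_uri" $loggable { "<INTERNAL_PORT>:/health" 0; "<INTERNAL_PORT>:/auth/email" 0; default 1; }` (port is a placeholder; the internal server block is outside this hunk), or attaching the `if=$loggable` access_log only inside that internal server block, keeps the noise reduction while still recording those paths on the external side. Anything that used the `/auth/email` access-log lines as a signal for failed mail logins now needs another source, presumably the admin side's own authentication log. Matching is exact, so `/health?x` or `/auth/email/` still log, which is the safe direction. The enclosing `http` block starts and ends outside the hunk.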
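Review bot: The `error_log /dev/stderr info;` added inside `mail {}` carries no comment explaining why this context alone stays at info while the main-level threshold drops to notice in the previous hunk, and the commit message's rationale ("we don't care about HTTP") will not travel with the file. As far as I recall nginx's mail proxy logs rejected logins (`client login failed`) at info level, so a later tidy-up that removes this line would silently hide failed mail authentication from the logs. I'd add `# keep info here: the mail proxy reports rejected client logins at this level and notice would drop them` above the directive. The enclosing `mail` block starts and ends outside the hunk.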
From: Florent Daigniere
Date: Sun, 31 Oct 2021 19:47:16 +0100
Subject: [PATCH 3/6] RELAYNETS is comma separated!

---
 core/postfix/conf/main.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 3f478ed5..9a609ee3 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -17,7 +17,7 @@ queue_directory = /queue
 message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
 
 # Relayed networks
-mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS }}
+mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS.split(",") }}
 
 # Empty alias list to override the configuration variable and disable NIS
 alias_maps =

From 2170e07731a423cf30cb8f70b0a171c7bfcfa606 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sun, 31 Oct 2021 19:57:51 +0100
Subject: [PATCH 4/6] Tell rspamd about RELAYNETS

---
 core/rspamd/conf/options.inc | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 core/rspamd/conf/options.inc

diff --git a/core/rspamd/conf/options.inc b/core/rspamd/conf/options.inc
new file mode 100644
index 00000000..22bae565
--- /dev/null
+++ b/core/rspamd/conf/options.inc
@@ -0,0 +1,3 @@
+{% if RELAYNETS %}
+local_networks = [{{ RELAYNETS }}];
+{% endif %}

From 70b374c46f1a1c2ae673d26a13c9cf894cc8e0c0 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Mon, 1 Nov 2021 09:24:26 +0100
Subject: [PATCH 5/6] Document that RELAYNETS is comma separated

---
 docs/configuration.rst | 13 ++++++-------
 towncrier/newsfragments/360.bugfix | 1 +
 2 files changed, 7 insertions(+), 7 deletions(-)
 create mode 100644 towncrier/newsfragments/360.bugfix

diff --git a/docs/configuration.rst b/docs/configuration.rst
index f5bd9582..0e2a275a 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
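Review bot: `{{ RELAYNETS.split(",") }}` renders a Python list, not a space-separated string: Jinja2 prints the list's repr, so a value of `a,b` turns the line into `mynetworks = ... ['a', 'b']`, which Postfix will not accept as network patterns (every entry carries a stray bracket or quote), and an empty RELAYNETS becomes `['']`. Either join it back, `mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS.split(",") | join(" ") }}`, or keep the previous `{{ RELAYNETS }}`, since postconf(5) documents `mynetworks` entries as separated by commas and/or whitespace. If RELAYNETS can be undefined rather than empty (the docs in this series say "default: unset"), calling `.split` on it fails at render time under Jinja's default Undefined, which the old form did not; worth confirming how the template context is populated. Because `mynetworks` is the list that may relay without authentication, a broken value here should fail loudly at startup rather than be silently mis-parsed.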
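Review bot: RELAYNETS is spliced verbatim into a UCL array here, so it must be exactly a comma-separated list with no surrounding whitespace, quotes or trailing comma; a value Postfix tolerates in `mynetworks` may fail to parse here, and a parse error in `options.inc` presumably stops rspamd from loading rather than just dropping the option. The setting is also a trust decision that the file leaves undocumented: addresses in rspamd's local list are, as far as I know, exempted from network-based checks in several modules, so it should stay aligned with Postfix's `mynetworks` from the previous patch. I'd add above the directive `# Networks allowed to relay without authentication (RELAYNETS); rspamd treats them as local, keep in sync with postfix mynetworks`. It is also worth confirming that `local_networks` is the key the deployed rspamd version reads; the option I know from the rspamd docs is `local_addrs`, and `local_networks` may or may not be an accepted alias.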
@@ -73,14 +73,13 @@ The ``MESSAGE_RATELIMIT`` is the limit of messages a single user can send. This meant to fight outbound spam in case of compromised or malicious account on the server. -The ``RELAYNETS`` are network addresses for which mail is relayed for free with -no authentication required. This should be used with great care. If you want other -Docker services' outbound mail to be relayed, you can set this to ``172.16.0.0/12`` -to include **all** Docker networks. The default is to leave this empty. +The ``RELAYNETS`` (default: unset) is a comma delimited list of network addresses +for which mail is relayed for, with no authentication required. This should be +used with great care. -The ``RELAYHOST`` is an optional address of a mail server relaying all outgoing -mail in following format: ``[HOST]:PORT``. -``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed. +The ``RELAYHOST`` is an optional address of a mail server to use as a smarthost for +all outgoing mail in following format: ``[HOST]:PORT``. +``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is required. By default postfix uses "opportunistic TLS" for outbound mail. This can be changed by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is
diff --git a/towncrier/newsfragments/360.bugfix b/towncrier/newsfragments/360.bugfix
new file mode 100644
index 00000000..d433e0e3
--- /dev/null
+++ b/towncrier/newsfragments/360.bugfix
@@ -0,0 +1 @@
+RELAYNETS should be a comma separated list of networks

From c8316cead101c6fd53bbf8ea770879d775068500 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Mon, 1 Nov 2021 09:26:54 +0100
Subject: [PATCH 6/6] Improve wording

---
 docs/configuration.rst | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index 0e2a275a..fa574415 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -74,12 +74,13 @@ meant to fight outbound spam in case of compromised or malicious account on the server. The ``RELAYNETS`` (default: unset) is a comma delimited list of network addresses -for which mail is relayed for, with no authentication required. This should be -used with great care. +for which mail is relayed for with no authentication required. This should be +used with great care as misconfigurations may turn your Mailu instance into an +open-relay! -The ``RELAYHOST`` is an optional address of a mail server to use as a smarthost for -all outgoing mail in following format: ``[HOST]:PORT``. -``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is required. +The ``RELAYHOST`` is an optional address to use as a smarthost for all outgoing +mail in following format: ``[HOST]:PORT``. ``RELAYUSER`` and ``RELAYPASSWORD`` +can be used when authentication is required. By default postfix uses "opportunistic TLS" for outbound mail. This can be changed by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is