1731 Commits (main)

Author SHA1 Message Date
lub 2506bc3a7f keep key during certificate renewal 2 years ago
Dimitri Huisman 6d31831cf5
Sigh. Forgot to actually save the modified requirements-dev.txt file.
Remove the pinned version for requirements for dev.
The blocking issue is resolved, so no need to pin the old version.
2 years ago
Dimitri Huisman 709edb522b
Introduce connection string (database url) for roundcube.
Remove database choice from setup.
Remove the old *DB_* database env variables from the documentation.
The env vars are deprecated now. They will be removed after the upcoming
Mailu release.
2 years ago
bors[bot] 5044c78740
Merge #2709
2709: Validate proxy ip with PROXY_AUTH_WHITELIST r=mergify[bot] a=Diman0

## What type of PR?

bug fix

## What does this PR do?
The Proxy code validated the real client ip against the proxy auth whitelist. It should be the proxy ip that is checked. That is changed with this PR.

### Related issue(s)
- closes #2708
- #2692

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [n/a] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2 years ago
bors[bot] c15595836a
Merge #2690
2690: Change rspamd override system to use .include with lowest priority. r=mergify[bot] a=Diman0

## What does this PR do?

All override files are used as if they were placed in the rspamd local.d folder.

New override system for Rspamd. In the old system, all files were placed in the Rspamd overrides folder. These overrides would override everything, including the Mailu Rspamd config.

Now overrides are placed in /overrides.
If you use your own map files, change the location to /override/myMapFile.map in the corresponding conf file. It works as following.
* If the override file overrides a Mailu defined config file, it will be included in the Mailu config file with lowest priority. It will merge with existing sections.
* If the override file does not override a Mailu defined config file, then the file will be placed in the rspamd local.d folder. It will merge with existing sections.

For more information, see the description of the local.d folder on the rspamd website: https://www.rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories

## What type of PR?

enhancement

### Related issue(s)
- closes #2555 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2 years ago
Dimitri Huisman ee1f0f94a3
Don't use the header when we don't need it. 2 years ago
Dimitri Huisman f20208fb4b
Fix error in check for proxy scenario 2 years ago
Dimitri Huisman 4912fa1dff
Fix a typo. 2 years ago
Dimitri Huisman 20bf0e8a65
Add fix for wrong redirect in proxy scenario and accessing WEBROOT_REDIRECT 2 years ago
Dimitri Huisman 29bfc9dd9d
Add fallback just in case X-Forwarded-By is empty. 2 years ago
Dimitri Huisman 25b9db4b00
Proxy endpoint was checking real client ip instead of proxy ip
for validating PROXY_AUTH_WHITELIST
2 years ago
bors[bot] 1d9791ceaa
Merge #2703
2703: Paranoia: drop the headers we don't use r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Paranoia: drop the headers we don't use. This ensures there is no misunderstanding in between front and the other containers.

### Related issue(s)


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
bors[bot] 5fbfb3cb1c
Merge #2566
2566: Make it clear that we don't delete users r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Make it clear that we don't delete users. Users can and should be disabled when not in use anymore.

### Related issue(s)
- closes #1820

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
2 years ago
Dimitri Huisman c482c71f6c
Add missing () 2 years ago
Florent Daigniere 698f1f377c Check https://attackshipsonfi.re/p/exploiting-cors-misconfigurations out 2 years ago
Florent Daigniere 8eb1542f64 Paranoia: drop the headers we don't use 2 years ago
Dimitri Huisman 31faee4218
Merge branch 'master' into delete-disable 2 years ago
Florent Daigniere 1831ca3b1e Handle WEBROOT_REDIRECT better 2 years ago
Florent Daigniere e1739befc0 Make it work for /admin/antispam too 2 years ago
Florent Daigniere f44cd24bf8 doh 2 years ago
Florent Daigniere 925c753f40 Merge branch 'master' of https://github.com/Mailu/Mailu into guess-target 2 years ago
Florent Daigniere b607375603 Fix 2692: make the external auth proxy usable 2 years ago
Florent Daigniere dd912169fb Make the login page guess where to redirect 2 years ago
Florent Daigniere 1b045b4a94 Introduce AUTH_PROXY_LOGOUT_URL 2 years ago
Dimitri Huisman 45177bd25a
bring back removed blank lines 2 years ago
Dimitri Huisman 7ce28bd6e9
Fix some small errors 2 years ago
Dimitri Huisman 8861ce6edb
Change rspamd override system to use include with lowest priority.
All override files are used as if they were placed in the rspamd
local.d folder.

From the newsfragment:
New override system for Rspamd. In the old system, all files were placed in the Rspamd overrides folder.
These overrides would override everything, including the Mailu Rspamd config.

Now overrides are placed in /overrides.
If you use your own map files, change the location to /override/myMapFile.map in the corresponding conf file.
It works as following.
* If the override file overrides a Mailu defined config file,
  it will be included in the Mailu config file with lowest priority.
  It will merge with existing sections.
* If the override file does not override a Mailu defined config file,
  then the file will be placed in the rspamd local.d folder.
  It will merge with existing sections.

For more information, see the description of the local.d folder on the rspamd website:
https://www.rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories
2 years ago
S474N 92be819053
Update messages.po 2 years ago
S474N d6757514af
Czech translation
Czech translation
2 years ago
bors[bot] 0de2430868
Merge #2664
2664: Fix the bug reported by fastlorenzo r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Fix the bug reported by fastlorenzo: when using proxy-auth, if the user doesn't exist you have to hit the URL twice.

### Related issue(s)


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Florent Daigniere fed5ab1564 Alpine 3.17.2 2 years ago
Florent Daigniere 6a4d8603fc Create the user before logging it in 2 years ago
Florent Daigniere f125420400 Fix the bug reported by fastlorenzo 2 years ago
Florent Daigniere 66b7c76836 Doh. Without this email delivery from RELAYNET is broken 2 years ago
bors[bot] aea7407044
Merge #2646
2646: Smarter ratelimit r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Only account for **distinct** usernames in the IP rate-limiter.

This enables to have a much tighter default as a user with a misconfigured device will now only account for a single attempt.

The goal here is to make the rate-limiter more acceptable and to avoid people disabling it altogether.

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2 years ago
bors[bot] 46429ab247
Merge #2640
2640: Add env variable to set sieve_vacation_to_header_ignore_envelope r=mergify[bot] a=nwinkelstraeter

When used with SRS the vacation plugin creates a reply with SRS in the To: header which does not look nice for the recipient. Setting sieve_vacation_to_header_ignore_envelope will use the headers from the original source message instead of potentially rewritten ones.

Without this option auto-replies are sent with a To header with SRS, e.g `SRS0=uetG=43=sender.com=user@autoresponder.com`
With this option they are sent with just `user@sender.com`

This option is for whatever reason not part of the [pigeonhole docs](https://doc.dovecot.org/configuration_manual/sieve/extensions/vacation/) but it is documented here: 34431d7a67/NEWS (L338)

## What type of PR?

enhancement

## What does this PR do?
This PR adds an environment variable to the set the `sieve_vacation_to_header_ignore_envelope` configuration

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly



Co-authored-by: Nico Winkelsträter <nico.winkelstraeter@initos.com>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Nico Winkelsträter 9cb2ef7632 Let vacation plugin ignore envelope sender to avoid SRS recipient
This is done by setting sieve_vacation_to_header_ignore_envelope to yes
The envelope is rewritten by recipent_canonical_maps to reverse SRS after the plugin checks it
so we need the plugin to ignore it at this point.
2 years ago
Florent Daigniere 085bac6e08 Change AUTH_RATELIMIT_IP_V6_MASK from /56 to /48 2 years ago
Alexander Graf fa084d7b1c
Styling only 2 years ago
Florent Daigniere caa8412d82 close #1236: Allow + in localpart of addresses 2 years ago
Florent Daigniere 294ac4adb2 Revert "Clarify"
This reverts commit 35e9bfb8ab.
2 years ago
Florent Daigniere 35e9bfb8ab Clarify 2 years ago
Florent Daigniere d30f71234d Apply the mask on the IP too 2 years ago
Florent Daigniere a60159a0db update defaults, rephrase doc 2 years ago
Florent Daigniere e2a25c79fc only account attempts for distinct usernames in ratelimits 2 years ago
Dimitri Huisman 44ad14811d
Missed some IF statements that must be modified for normalized config. 2 years ago
Dimitri Huisman d9a6777d9d
Forgot to adapt some IF statements. All config is normalized now for front.
So true/false now matches the boolean value True/False.
Instead if {% IF X == 'true' %} we should now use {% IF X %}
2 years ago
bors[bot] 4a24bd9e24
Merge #2638
2638: further finishing touches for restful api r=mergify[bot] a=Diman0

- Fix setup utility setting correct value to env var API. It now also sets `false` when the API is disabled in the setup utility.
- Fix IF statement for enabling API in nginx.conf. Setting a different value than `API=true` in mailu.env now disabled the API endpoint in nginx.
- Use safer command for regenerating example API token. It uses crypto.getRandomValues() (as suggested by nextgens) which should be more random than the previously used method. 

## What type of PR?

bug-fix

## What does this PR do?

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2 years ago
Dimitri Huisman 7bcac3bbaa
Get the value from the correct dict (args) 2 years ago
Alexander Graf ab5caac6f7
Remove webmail cookies on logout. 2 years ago