204 Commits (master)

Author SHA1 Message Date
Florent Daigniere 67db72d774 Behave like documented 3 years ago
Florent Daigniere 05b57c972e remove the static policy as it will override MTA-STS and DANE 3 years ago
Florent Daigniere a8142dabbe Introduce DEFER_ON_TLS_ERROR
This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.
3 years ago
Florent Daigniere 52d3a33875 Remove the domains that have a valid MTA-STS policy
gmail.com
comcast.net
mail.ru
googlemail.com
wp.pl
3 years ago
Florent Daigniere 4f96e99144 MTA-STS (use rather than publish policies) 3 years ago
Florent Daigniere 65a27b1c7f add additional options to make DANE easier 3 years ago
Florent Daigniere fb8d52ceb2 Merge branch 'master' of https://github.com/Mailu/Mailu into tls_policy_map 3 years ago
bors[bot] b57df78dac
Merge #1916
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

A conflict-free version of #1360 implementing per-user sender limits

### Related issue(s)
- close #1360 
- close #1031
- close #1774 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
Florent Daigniere 0b16291153 doh 3 years ago
Florent Daigniere 1db08018da Ensure that we get certificate validation on top90
I have found a list of the top100 email destinations online and ran them
through a script to ensure that all of their MX servers had valid
configuration... this is the result
3 years ago
Florent Daigniere b066a5e2ac add a default tls_policy_map 3 years ago
Florent Daigniere 1df79f8132 give PFS a chance 3 years ago
Florent Daigniere 925105075c this is required in fact 3 years ago
Florent Daigniere 772e5efb7d Disable pipelining to prevent bypass 3 years ago
Florent Daigniere 2b05e72ce4 Revert "maybe fix the tests"
This reverts commit f971b47fb9.
3 years ago
Florent Daigniere f971b47fb9 maybe fix the tests 3 years ago
Florent Daigniere 4a871c0905 this causes trouble with the test 3 years ago
Florent Daigniere 55cdb1a534 be explicit about what we support 3 years ago
Florent Daigniere ecadf46ac6 fix PFS 3 years ago
Florent Daigniere de3620da4a Don't send credentials in clear ever 3 years ago
Florent Daigniere 4535c42e70 This isn't required 3 years ago
Florent Daigniere 1101e401e8 Apply the restriction on the right port 3 years ago
Florent Daigniere d6ce5d0c06 Remove a warning: limits don't apply to trusted hosts 3 years ago
Florent Daigniere bcdc137677 Alpine has removed support for btree and hash 3 years ago
Florent Daigniere 1438253a06 Ratelimit outgoing emails per user 3 years ago
Florent Daigniere d44608ed04 Merge remote-tracking branch 'upstream/master' into upgrade-alpine 3 years ago
bors[bot] bf65a1248f
Merge #1885
1885: fix 1884: always lookup a FQDN r=mergify[bot] a=nextgens

## What type of PR?

bugfix

## What does this PR do?

Fix bug #1884. Ensure that we avoid the musl resolver bug by always looking up a FQDN

### Related issue(s)
- closes #1884

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere fa915d7862 Fix 1294 ensure podop's socket is owned by postfix 3 years ago
Florent Daigniere 9d2629a04e fix 1884: always lookup a FQDN 3 years ago
Florent Daigniere 1d65529c94 The lookup could fail; ensure we set something 3 years ago
Florent Daigniere 8bc1d6c08b Replace PUBLIC_HOSTNAME/IP in Received headers
This will ensure that we don't get spam points for not respecting the
RFC
3 years ago
Florent Daigniere 72735ab320 remove cyrus-sasl-plain 3 years ago
Florent Daigniere 420afa53f8 Upgrade to alpine 3.14 3 years ago
Florent Daigniere 513d2a4c5e Fix bug #1660: nested headers shouldn't be touched 4 years ago
Michael Wyraz ca6ea6465c make syslog optional 4 years ago
Michael Wyraz e979743226 Rsyslog logging for postfix, optional logging to file, no logging of test requests 4 years ago
Thomas Rehn 05ab244638 Ensure that the rendered file ends with newline in order to make `postconf` work correctly 4 years ago
Dimitri Huisman d9e7b8249b Add support for AUTH LOGIN authentication mechanism for relaying email via smart hosts. 4 years ago
ofthesun9 539114a3d6
Merge branch 'master' into test-alpine-3.12 4 years ago
bors[bot] 64f21d5b84
Merge #1478 #1501 #1532 #1543
1478: Allow to enforce TLS for outbound r=mergify[bot] a=micw

 using OUTBOUND_TLS_LEVEL=encrypt (default is 'may')

## What type of PR?

enhancement

## What does this PR do?

Add an option to postfix to enforce outbound traffic to be TLS encrypted.

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1501: In setup/flavor, change DMARC RUA and RUF email default settings r=mergify[bot] a=ofthesun9

## What type of PR?
bug-fix

## What does this PR do?
This PR changes the default value used to set DMARC_RUA and DMARC_RUF:
DMARC_RUA and DMARC_RUF defaults will reuse the value defined for POSTMASTER,
instead of 'admin' as previously.
Please note that the setup tool doesn't allow (yet?) to define dmarc_rua nor dmarc_ruf, so the default value is indeed used for the time being.

### Related issue(s)
closes #1463 

## Prerequistes
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1532: Replace SMPT with SMTP r=mergify[bot] a=dhoppe



1543: Disable Health checks on swarm mode r=mergify[bot] a=ofthesun9

ref: https://github.com/moby/moby/issues/35451

## What type of PR?
bug-fix

## What does this PR do?
Modify the docker-compose.yml template used by setup (swarm flavor) to disable Health checks on swarm mode for each service

### Related issue(s)
closes #1289

## Prerequistes
- [x]  add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Michael Wyraz <michael@wyraz.de>
Co-authored-by: ofthesun9 <olivier@ofthesun.net>
Co-authored-by: Dennis Hoppe <github@debian-solutions.de>
4 years ago
ofthesun9 cff2e76269 Switching to alpine:3.12 5 years ago
ofthesun9 381bf747cc Check permissions using postfix set-permissions 5 years ago
ofthesun9 3a9c9d0436 Fixed typo 5 years ago
ofthesun9 67caf0c8cf Check /queue permissions before postfix start
postfix and posdrop id might have changed after base image change
5 years ago
Michael Wyraz e4454d776a Allow to enforce TLS for outbound using OUTBOUND_TLS_LEVEL=encrypt (default is 'may') 5 years ago
SunMar ac6b8d62dd Remove `reject_unverified_recipient` from `smtpd_client_restrictions`
Fix for #1292, though I'm not sure if this is the right way to fix the issue. It was added in 175349a224.
5 years ago
Dario Ernst dbcab06587 Ignore newlines and comment-lines in postfix overrides
To make postfix override files understandable and readable, users may
want to insert empty newlines and #-commented lines in their postfix
override files too. This will now ignore such bogus-lines and not send
them to `postconf`, which produced ugly errors in the past.

closes #1098
5 years ago
kaiyou bd69b7a491 Add support for SRS, related to #328 5 years ago
Michael Wyraz fb9ddbca7a Install p3-yarn as dependency for podop 5 years ago
Michael Wyraz 09ee3ce95c Install py3-multidict from repository before installing socrate to avoid the need of gcc during build 5 years ago
bors[bot] 0417c791ff
Merge #985
985: Permit raspberry pi (and other architectures) builds r=mergify[bot] a=abondis

## What type of PR?

Enhancement

## What does this PR do?

Add an option to select base images and permit building for different CPU architectures.

### Related issue(s)
N/A

## Prerequistes

- [X] documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Aurélien Bondis <aurelien.bondis@gmail.com>
Co-authored-by: Aurelien <aurelien.bondis@gmail.com>
5 years ago
bors[bot] dcda412b99
Merge #1211
1211: Split HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI r=mergify[bot] a=micw

## What type of PR?

bug-fix

## What does this PR do?

Fixes #1190 by separating HOST_ANTISPAM into HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI

### Related issue(s)
- closes #1190
- closes #1150

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Michael Wyraz <michael@wyraz.de>
5 years ago
Michael Wyraz a907fe4cac Split HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI 5 years ago
Michael Wyraz 8ece8409f1 Remove unused volume /data from postfix. Add volume /queue to postfix 5 years ago
Michael Wyraz de2f166bd1 Resolve HOST_* to *_ADDRESS only if *_ADDRESS is not already set 5 years ago
Ionut Filip 075417bf90 Merged master and fixed conflicts 5 years ago
Aurélien Bondis 124b1d4c71 rebase and update for 3.10, avoid adding qemu file to x86 images 5 years ago
hoellen 9de5dc2592 Use python package socrate instead of Mailustart 5 years ago
Dario Ernst 1dbda71401 Adapt shared layer conf to now really-missing mailustart in admin (after merging webpack) 5 years ago
Dario Ernst a8c3530bfa Remove accidentally reintroduced rsyslogd config 5 years ago
Dario Ernst 0f146cd811 Require python3.7-compatible podop
Which is still unreleased, but serves as a placeholder here.
5 years ago
Dario Ernst 0306be1eed Re-add missing MailuStar in admin
It turns out we were all blind and admin *does* use MailuStart
5 years ago
Dario Ernst ce0c24e076 Merge branch 'master' into HorayNarea-feat-upgrade-alpine 5 years ago
Dario Ernst 53f754f5ac Remove MailuStart from admin and correct layer-sharing comments 5 years ago
Dario Ernst 93b54dcffe Install podop from pypi 5 years ago
Dario Ernst bb2edb6eb6 Revert "Move alpine version definition out to variable"
This reverts commit c787e4bdbd.
6 years ago
Dario Ernst c787e4bdbd Move alpine version definition out to variable 6 years ago
Daniel Huber ae290482c0
Format relay credentials file with jinja 6 years ago
Daniel Huber 515e95076a
Merge branch 'master' into feat-relay-auth 6 years ago
Dario Ernst ea851e77d4 Remove reference to rsyslogd 6 years ago
Dario Ernst 3bfdff155c Use official Mailu/Podop 6 years ago
Dario Ernst a253ca47fe Use official Mailu/MailuStart 6 years ago
Dario Ernst d155b2c533 Start postfix directly with stdout logging 6 years ago
Dario Ernst 9c1675e9d8 Use TEMPORARY workaround-branch for podop python 3.7 compatability 6 years ago
Dario Ernst f85b32914c Add newly missing plain SASL support in postfix 6 years ago
Dario Ernst d1f80cca99 Update Dockerfiles to most recent alpine 3.10 6 years ago
Dario Ernst 96fbaecc2f Correct executables moved by alpine 6 years ago
Thomas Sänger ef3c6c407a upgrade alpine base-image 6 years ago
Daniel Huber 7dcb2eb006
Add authentication for email relays 6 years ago
Florian Peschka b9fd29a52f
Add extra newline to main.cf
This should prevent jinja from stripping the newline, which causes overrides to be appended after the comment section

see #941
6 years ago
Ionut Filip 4c25c83419 HOST_* and *_ADDRESS variables cleanup 6 years ago
Ionut Filip f9e3cd3c5d Use corret host_* variables 6 years ago
Abel Alfonso Fírvida Donéstevez 39444c794e Install bash in alpine based images.
This fix https://github.com/Mailu/Mailu/issues/918

Bash shell is used by default in Kubernetes' dashboard console, which is very
useful for admins.
6 years ago
Ionut Filip 004a431e97
Change to mailustart functions 6 years ago
Ionut Filip 9684ebf33f Use mailustart package from git 6 years ago
Tim Möhlmann 7a9685bcb9
Resolve admin during start to work around Docker DNS flaky-ness 6 years ago
Tim Möhlmann 049ca9941f
Cleanup syntax and fix typo 6 years ago
Tim Möhlmann 7d01bb2a4d
LOG_LEVEL docs and changelog entry 6 years ago
Tim Möhlmann b04a9d1c28
Implement debug logging for template rendering 6 years ago
Tim Möhlmann b9313488dd
Add logging for tenacity.retry
In the process we found that the previous way of tenacity syntax caused it not to honor any args.
In this commit we've refactored to use the @decorator syntax, in which tenacity seems to behave better.
6 years ago
Tim Möhlmann 8172f3eab8
Move the Mailu Docker network to a fixed subnet.
This will make network configuration and host based authentication
more robust, across different deployment platforms.
The options `RELAYNETS` and`POD_ADDRESS_RANGE` are kept for compatibility.
However, their usage have become optional.
6 years ago
mergify[bot] 37027cfce7
Merge pull request #633 from kaiyou/fix-sender-checks
Improve sender checks
6 years ago
Tim Möhlmann 42e2dbe35d
Standarize image by using shared / similair layers 6 years ago
Ionut Filip 8a44a44688
Merge branch 'master' into feat-startup 6 years ago
Ionut Filip 1187cac5e1 Finished up switching from .sh to .py 6 years ago
Tim Möhlmann 2d382f2d67
Merge branch 'master' into fix-sender-checks 6 years ago
Ionut Filip eb7dfb5771 Cleaning up start.py 6 years ago
Thomas Sänger 603b6e7390
Merge pull request #2 from usrpro/fix-nginx-healthcheck
Fix nginx healthcheck
6 years ago
Tim Möhlmann 81b24f61e8
Merge branch 'master' into feat-healthchecks 6 years ago
Tim Möhlmann a2fea36c79
Increase HEALTHCHECK start time for services that need to wait for host resolving during startup.
In Docker Swarm mode the services listed below can get stuck in their start script, while they
are waiting for other services become available. Now, with HEALTHCHECK enabled, docker does not resolve
names of services that not pass HEALTHCHECK yet. Meaning that if one of the depenend services is not yet
available, it will create a chain of failing services.

The services below retry to resolve 100 time, with an average of 3.5 seconds. Hence, the --start-time
flag is now set at 350 seconds.
- dovecot (imap)
- postfix (smtp)
- rspamd (antispam)
6 years ago