1343 Commits (005a8fa1fc85ab8e3f68dd46aaebb15116cbb6c5)

Author SHA1 Message Date
bors[bot] 3eca813182
Merge #2116
2116: fix 2114: redirect old path r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Old paths may still be cached in browsers, it's easy enough to redirect them

### Related issue(s)
- close #2114


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere c4675e6e75 fix 2114: redirect old path 3 years ago
Dimitri Huisman b4d3d4b3c9 Preparations for 1.9 release. 3 years ago
Erriez 4b0694705c Fix build dependencies pycares 3 years ago
Dimitri Huisman 51d94b8d14 Fix issue 2102 3 years ago
Will b2abbc8856 update Dockerfile to alpine 3.14.3 3 years ago
Florent Daigniere bee6e980e3 doh 3 years ago
Florent Daigniere 58d0faff7f ensure we clear the token on delete() 3 years ago
Florent Daigniere 2b29cfb3f0 fix cleanup_sessions() 3 years ago
Florent Daigniere f0247a2faf Use self where appropriate 3 years ago
Florent Daigniere c161a2c987 syntax 3 years ago
bors[bot] 18865bf03b
Merge #2094
2094: Sessions tweaks r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

- Make all sessions permanent, introduce SESSION_TIMEOUT and PERMANENT_SESSION_LIFETIME.
- Prevent the creation of a session before there is a login attempt
- Ensure that webmail tokens are in sync with sessions

### Related issue(s)
- close #2080 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
Dimitri Huisman d40be05117 Fix missing edit buttons in alias, relay and fetchmail lists in admin. 3 years ago
Florent Daigniere a28c7f903e do it once 3 years ago
Dimitri Huisman f88daa1e77 Add missing cast to int 3 years ago
Florent Daigniere 5f313310d4 regenerate() shouldn't extend lifetime 3 years ago
Florent Daigniere fe18cf9743 Fix 2080
Ensure that webmail tokens are in sync with sessions
3 years ago
Florent Daigniere 02c93c44f2 Tweak sessions
simplify:
- make all sessions permanent by default
- update the TTL of sessions on access (save always)
- fix session-expiry, modulo 8byte precision
3 years ago
Florent Daigniere ea96a68eb4 don't create a session if we don't have to 3 years ago
bors[bot] 7c03878347
Merge #1441 #2090
1441: Rsyslog logging for postfix r=mergify[bot] a=micw


## What type of PR?

enhancement

## What does this PR do?
Changes postfix logging from stdout to rsyslog:
* stdout logging still enabled
* internal test request log messages are filtered out by rsyslog
* optional logging to file via POSTFIX_LOG_FILE env variable

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


2090: fix 2086 r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Fix a bug I've introduced in ae8db08bd

### Related issue(s)
- close #2086

Co-authored-by: Michael Wyraz <michael@wyraz.de>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 346ace5fb3 Make webmail the default action 3 years ago
bors[bot] 634318adba
Merge #2072
2072: use dovecot-fts-xapian from alpine package r=mergify[bot] a=willofr

## What type of PR?

enhancement

## What does this PR do?
use dovecot-fts-xapian from alpine packages repository (newer) instead of compiling an older version from source
see https://pkgs.alpinelinux.org/package/edge/community/x86/dovecot-fts-xapian

### Related issue(s)
No

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: willofr <willofr@users.noreply.github.com>
3 years ago
Florent Daigniere 09926702d6 fix 2086 3 years ago
bors[bot] e7f77875e2
Merge #2084
2084: Fix #2078 (login to webmail did not work when WEB_WEBMAIL=/ was set) r=mergify[bot] a=Diman0

## What type of PR?

bug-fix

## What does this PR do?
It fixes #2078. Login from SSO page to webmail did not work if WEB_WEBMAIL=/ was set in mailu.env.

I tested that it works with
- WEB_WEBMAIL=/webmail
- WEB_WEBMAIL=/

### Related issue(s)
- closes #2078 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] n/a In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
3 years ago
Florent Daigniere d7a8235b89
Simplify 3 years ago
bors[bot] 08be233607
Merge #2058
2058: Implement versioning for CI/CD workflow. r=mergify[bot] a=Diman0

## What type of PR?

Feature!

## What does this PR do?
This PR introduces 3 things
- Add versioning (tagging) for branch x.y (1.8). E.g. 1.8.0, 1.8.1 etc.
  - docker repo will contain x.y (latest) and x.y.z (pinned version) images.
  - The X.Y.Z tag is incremented automatically. E.g. if 1.8.0 already exists, then the next merge on 1.8 will result in the new tag 1.8.1 being used.
- Make the version available in the image.
  -  For X.Y and X.Y.Z write the version (X.Y.Z) into /version on the image and add a label with version=X.Y.Z
	  -  This means that the latest X.Y image shows the pinned version (X.Y.Z e.g. 1.8.1) it was based on. Via the tag X.Y.Z you can see the commit hash that triggered the built.
  -  For master write the commit hash into /version on the image and add a label with version={commit hash}
-  Automatic releases. For x.y triggered builts (e.g. merge on 1.9) do a new github release for the pinned x.y.z (e.g. 1.9.2). 
  -  Release shows a static message (see RELEASE_TEMPLATE.md) that explains how to reach the newsfragments folder and change the branch to the tag (x.y.z) mentioned in the release. Now you can get the changelog by reading all newsfragment files in this folder.

This PR does not change anything to our workflow (what we (human persons) do). Our processes are still exactly the same. The above introduced logic is automatic. When we backport to X.Y all the magic for creating the pinned version X.Y.Z is handled by the CI/CD workflow.

### Related issue(s)
- closes #1182

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.

## Testing
Suggested testing steps. This should cover all situations including BORS. It does require that you use your own docker repo or temporarily create a new one.
Suggested testing steps.
1. Create new github repo.
2. Add the required docker secrets to the project (see beginning of CI.yml for the secret names), DOCKER_UN, DOCKER_PW, DOCKER_ORG, DOCKER_ORG_TESTS.
3. Clone the project.
4. Copy the contents of the PR to the cloned project.
5. Push to your new github repo.
6. Now master images are built. Check that images with tag master are pushed to your docker repo
7. Check with docker inspect nginx:master that it has the label version={commit hash}.
8. Run an image, run `docker-compose exec <name> cat /version`. Note that /version also contains the pinned version. For master the pinned version is the commit hash.
9. Create branch 1.8. 
10. Push branch 1.8 to repo.
11. Note that tags 1.8 and 1.8.0 are built and pushed to docker repo
12. Inspect label and /version. Note that 1.8 and 1.8.0 both show version 1.8.0.
13. Push another commit to branch 1.8.
14. Note that tags 1.8 and 1.8.1 are built and pushed to docker repo
15. Inspect label and /version. Note that 1.8 and 1.8.1 both show version 1.8.1.
16. Let's check BORS stuff.
17. Create branch testing.
18. Push the commit with the exact commit text (IMPORTANT!!): `Try #1234:`'.
19. Note that images are built and pushed for tag `pr-1234`.
20. Inspect label and /version. Note that the version is `pr-1234`.
20. Create branch staging.
21. Push the commit with commit text: `Merge #1234`.
22. Note that this image is not pushed to docker (as expected).

but you could also check the GH repo and docker repo I used:
https://github.com/Diman0/Mailu_Fork
https://hub.docker.com/r/diman/rainloop/tags

Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
bors[bot] d2a2a3a8bf
Merge #2076
2076: fix the default for DEFER_ON_TLS_ERROR r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

The default wasn't set anywhere

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Dimitri Huisman fdb10cfb85 Start crond when POSTFIX_LOG_FILE is set 3 years ago
Dimitri Huisman 5bedcc1cb1 Fix #2078 3 years ago
Dimitri Huisman d76773b1df Also check the SMTP port for webmail/token 3 years ago
Dimitri Huisman f26fa8da84 Fix Webmail token check. Fix Auth-Port for Webmail. #2079 3 years ago
Florent Daigniere 593e3ac5a4 fix DEFER_ON_TLS_ERROR 3 years ago
willofr 841b29e794
revert back to alpine 3.14.2 as requested 3 years ago
willofr 73f5291cdb
Merge branch 'Mailu:master' into patch-1 3 years ago
Dimitri Huisman 53975684b8 Using Syslog is the new standard. It is not optional anymore. 3 years ago
willofr 84af3a3e50
use dovecot-fts-xapian from alpine package
I suggest using the dovecot-fts-xapian package from the alpine repository (newer) instead of compiling an older version from source:
see https://pkgs.alpinelinux.org/package/edge/community/x86/dovecot-fts-xapian
3 years ago
Florent Daigniere 4fffdd95e9 Reduce logging level 3 years ago
Dimitri Huisman d5896fb2c6 Add log rotation (if logging to file). Make rsyslog the default. 3 years ago
Florent Daigniere 89a7a8ac13 Fix score of RCVD_NO_TLS_LAST 3 years ago
Florent Daigniere 1925b2e0fb Upgrade rspamd 3 years ago
Dimitri Huisman 567b5ef172
Merge branch 'master' into postfix-logging 3 years ago
Dimitri Huisman 0de2ec77c6 Process code review remarks #1441 3 years ago
Dimitri Huisman f7677543c6 Process code review remarks
- Moved run to bottom of Dockerfile to allow using unmodified / cached states.
- Simplified bash code in deploy.sh.
- Improved the large bash one-liner in CI.yml. It could not handle >9 for 1.x.
3 years ago
Dimitri Huisman 56dd70cf4a Implement versioning for CI/CD workflow (see #1182). 3 years ago
Alexander Graf aa1d605665
Merge remote-tracking branch 'upstream/master' into passlib 3 years ago
Alexander Graf 84a5514a97
fixed auto reply form 3 years ago
Alexander Graf cf7914d050
fixed field iteration 3 years ago
Alexander Graf fd5bdc8650
added localized date output 3 years ago
Alexander Graf 0315ed78d9
Merge remote-tracking branch 'upstream/master' into update_deps 3 years ago
Till Skrodzki c48e00ee26 Do not call .split() on RELAYNETS if not specified 3 years ago
bors[bot] 56cbc56df7
Merge #2044
2044: Vault/rspamd: don't return any key for relayed domains r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR 

Don't return any key for relayed domains. We may want to revisit this (ARC signing)... but in the meantime it saves from a scary message in rspamd.
    
```signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...```


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
bors[bot] 78dd13a217
Merge #2042
2042: Add MESSAGE_RATELIMIT_EXEMPTION r=mergify[bot] a=nextgens

## What type of PR?

Enhancement

## What does this PR do?

Add a new knob called ```MESSAGE_RATELIMIT_EXEMPTION```.

### Related issue(s)
- #1774

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 6bf1a178b9 Go with ghostwheel42's suggestion 3 years ago
Florent Daigniere b68033eb43 only parse it once 3 years ago
Alexander Graf 82e14f1292
Merge branch 'master' into update_deps 3 years ago
bors[bot] f0188d9623
Merge #2034
2034: Add timezone to containers r=mergify[bot] a=DjVinnii

## What type of PR?

Enhancement

## What does this PR do?
This PR adds the tzdata package so that the environment variable `TZ` can be used to set the timezone of containers.

### Related issue(s)
- closes #1154 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: DjVinnii <vincentkling@msn.com>
3 years ago
Florent Daigniere dc6e970a7f handle HTTP too 3 years ago
Florent Daigniere bbef4bee27 Don't return any key for relayed domains
We may want to revisit this (ARC signing)... but in the meantime
it saves from a scary message in rspamd

signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...
3 years ago
Florent Daigniere 6c6b0b161c Set the right flags on the rate_limit cookie 3 years ago
Florent Daigniere f9373eacab Merge remote-tracking branch 'upstream/master' into misc 3 years ago
Florent Daigniere 5714b4f4b0 introduce MESSAGE_RATELIMIT_EXEMPTION 3 years ago
DjVinnii 30d7e72765 Move TZ to Advanced settings 3 years ago
DjVinnii 225160610b Set default TZ in Dockerfiles 3 years ago
DjVinnii 81e33d3679 Add default TZ to config manager 3 years ago
Alexander Graf 97e79a973f fix sso login button spacing again 3 years ago
Alexander Graf 73ab4327c2 updated database libraries (sqlalchemy etc.)
this is working fine, but introduces a sqlalchemy warning
when using config-import:

  /app/mailu/schemas.py:822:
    SAWarning: Identity map already had an identity for (...),
    replacing it with newly flushed object.
    Are there load operations occurring inside of an event handler
    within the flush?
3 years ago
Alexander Graf 4669374b9e use python wheels 3 years ago
Alexander Graf 85d86d4156 some more libs updated 3 years ago
Alexander Graf ffd99c3fa8 updated flask
ConfigManager should not replace app.config - this is causing trouble
with some other flask modules (swagger).
Updated ConfigManager to only modify app.config and not replace it.
3 years ago
Alexander Graf 87884213c4 update misc helper libs 3 years ago
Alexander Graf 56f65d724d update babel 3 years ago
Alexander Graf 5238b00f0b update alembic 3 years ago
Alexander Graf f613205fe1 update tenacity 3 years ago
Alexander Graf 833ccb5544 reload page using GET when selecting language 3 years ago
Alexander Graf 8b15820b01 fix sso login button spacing 3 years ago
Alexander Graf 26fb108a3f updated Flask-Login 3 years ago
Alexander Graf abc4112242 updated Werkzeug, Click and Flask-Migrate 3 years ago
Alexander Graf f1d7bedd1b fix display of range inputs (again) 3 years ago
Alexander Graf 13e6793c9f Merge remote-tracking branch 'upstream/master' into update_deps 3 years ago
Alexander Graf aca1e13648 update socrate - will be removed later 3 years ago
Alexander Graf 866741bcbe updated WTForms-Components deps 3 years ago
Alexander Graf ef19869cde updated redis 3 years ago
Alexander Graf d8efd3057c updated idna 3 years ago
Alexander Graf 8ad8cde0e2 removed some obsolete requirements 3 years ago
Alexander Graf 3ac1b3d86c update pyyaml and pygments 3 years ago
Alexander Graf 40cdff4911 updated dnspython 3 years ago
Alexander Graf dcbe55f062 updated crypto 3 years ago
Alexander Graf 771b2d1112 duh 3 years ago
Alexander Graf 23d0cd0466 update tabluate. fix audit.py and include in container 3 years ago
Alexander Graf 8d90a74624 update werkzeug to 1.x 3 years ago
bors[bot] 5e212ea46d
Merge #2036
2036: round display of range inputs to 2 decimals r=mergify[bot] a=ghostwheel42

## What type of PR?

small fix

## What does this PR do?

rounds display of range inputs to 2 decimals 

### Related issue(s)

- small fix to #1966

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago
Alexander Graf 80be3506da upgrade pip. completed reqs via pip freeze 3 years ago
Alexander Graf 598b2df5a0 update wtforms 3 years ago
Alexander Graf e8b5f1a185 round display of range inputs to 2 decimals 3 years ago
DjVinnii 1d6809193b Add tzdata to core 3 years ago
Florent Daigniere 74b31dc407 Ensure that RCVD_NO_TLS_LAST doesn't add spam points 3 years ago
bors[bot] 11bbceb9cc
Merge #2032
2032: doh r=mergify[bot] a=nextgens

This should have been part of #2030

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 8dad40f67c doh 3 years ago
bors[bot] e52a3de1b0
Merge #2027 #2030
2027: Make logs more quiet r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

It silences various useless log messages in front, specifically:
```
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/1.1" 301 162 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/2.0" 204 0 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 2021/10/30 03:11:04 [info] 476302#476302: *2622679 client 127.0.0.1 closed keepalive connection
Oct 30 03:13:02 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:13:02 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
```

`@micw` has requested it for k8s

2030: Fix RELAYNETS r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

RELAYNETS should be comma separated like everything else; rspamd should also be aware of what is considered "trusted".

I am not sure whether ```local_networks``` is the right configuration option for it though

- close #360

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 2170e07731 Tell rspamd about RELAYNETS 3 years ago
Florent Daigniere 9d474f32a6 RELAYNETS is comma separated! 3 years ago
Florent Daigniere f3c93212c6 The Rate-limiter should run after the deny 3 years ago
Florent Daigniere 53a0363b9e Deal with the noisy keepalive messages
We don't particularly care about HTTP... and that's what's noisy.
3 years ago
Florent Daigniere 80a85c27a9 Silent healthchecks in logs 3 years ago
Alexander Graf 9bc685c30b removed some more whitespace 3 years ago
Alexander Graf 8c31699baf fixed locale selector for no_NB 3 years ago
Alexander Graf 882a27f87c simplified if's and added external link icon 3 years ago
Alexander Graf 3141ffe791 removed some whitespace 3 years ago
Dimitri Huisman 6b16756d92 Fix acessing antispam via sidebar. 3 years ago
Dimitri Huisman 3449b67c86 Process code review remarks PR2023 3 years ago
Dimitri Huisman 8784971b7f Merge rate limiting and failed login logging 3 years ago
Dimitri Huisman 503044ef6e Reintroduce ProxyFix. Use two buttons for logging in. 3 years ago
Dimitri Huisman c42ad8e71e Forgot to include changes for url_for of base.html 3 years ago
Dimitri Huisman fb0f005343 Get rid of complicated prefix logic. Further simplify /static handling and nginx config. 3 years ago
Dimitri Huisman da788ddee3 Merge branch 'fix-sso-1929' of github.com:Diman0/Mailu into fix-sso-1929 3 years ago
Dimitri Huisman bdcc183165 Redirect to configured ENV VAR for Admin/Webmail, further simplify nginx config. 3 years ago
Dimitri Huisman f1a60aa6ea Remove unneeded auth_request_set 3 years ago
Florent Daigniere fee13e6c4b Save a redirect 3 years ago
Florent Daigniere d3f07a0882 Simplify the handling of /static 3 years ago
Florent Daigniere aee089f3b1 Ensure that static assets are readable 3 years ago
Dimitri Huisman a47afec4ee Make logic more readable. 3 years ago
Dimitri Huisman 48764f0400 Ensure all requests from the page sso go through the page sso. 3 years ago
Dimitri Huisman 5232bd38fd Simplify webmail logout. 3 years ago
Dimitri Huisman aab258d284 Move handling of logging out in admin, to sso logout page. 3 years ago
Dimitri Huisman 615743b331 Improve indendation of conditions. 3 years ago
Dimitri Huisman 5d81846c5d Introduce the shared stub /static for providing all static files 3 years ago
Dimitri Huisman eb74a72a52 Moved locations to correct area in nginx.conf. 3 years ago
Dimitri Huisman aa7380ffba Doh! 3 years ago
Dimitri Huisman 44d2448412 Updated SSO logic for webmails. Fixed small bug rate limiting. 3 years ago
Dimitri Huisman f9eee0cbaf Adapt HEALTHCHECK to new URL 3 years ago
Dimitri Huisman ed7adf52a6 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929 3 years ago
Dimitri Huisman 913a6304a7 Finishing touches. Introduce /static stub for handling all static files. 3 years ago
bors[bot] a1192d8039
Merge #1987
1987: Enhancement to the rate limits r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Turn the rate-limiters into something useful (that won't fire for no reason).

- fix rate-limiting on /webdav/
- it changes the rate-limiting behaviour from limiting a single IP address to a subnet of a reasonable size (/24 on v4 and /56 on v6 both are now configurable) : AUTH_RATELIMIT_IP / AUTH_RATELIMIT_IP_V4_MASK / AUTH_RATELIMIT_IP_V6_MASK
- It ensures we only use IP-based rate-limits for attempts on accounts that do not exist
- it creates a new rate limit preventing attackers from targetting a specific user account (separate from what's above) : AUTH_RATELIMIT_USER
- it introduces a rate limiting exemption mechanism whereby, upon authentication, users will see their source-ip address being exempt for a specific amount of time AUTH_RATELIMIT_EXEMPTION_LENGTH. A similar mechanism is available for web-based sessions (see below)
- It introduces in AUTH_RATELIMIT_EXEMPTION a comma separated list of network CIDRs that will be exempt from both types of rate limiting
- it implements device-tokens, as described on https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies to ensure that genuine users aren't locked-out by a malicious attacker abusing the rate-limit feature.

Things that could be improved include:
- the IP-based rate limiter flags attempts against "non-existing" accounts: it could go further and flag the number of unique non-existing accounts attempted (to prevent the case of a user making a typo in his MUA configuration)
- the IP address exemption mechanism doesn't pin the exemption to a specific username: any real user can trivially bypass the rate limits (and attempt to brute-force someone else's account)

### Related issue(s)
- close #1926
- close #1745 
- close #1915


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
3 years ago
Florent Daigniere 693b578bbb The second strip isn't necessary 3 years ago
Florent Daigniere 1c6165213c better that way 3 years ago
Florent Daigniere 34497cff20 doh 3 years ago
Florent Daigniere e8871dd77f doh 3 years ago
Florent Daigniere 5b72c32251 Doh 3 years ago
Florent Daigniere 19b784b198 Parse the network configuration only once
thanks @ghostwheel42
3 years ago
Florent Daigniere 98742268e6 Make it more readable 3 years ago
Florent Daigniere 94bbed9746 Ensure we have the right IP 3 years ago
Florent Daigniere c5bd82650f doh 3 years ago
Florent Daigniere 99c81c20a7 Introduce AUTH_RATELIMIT_EXEMPTION
This disables rate limiting on specific CIDRs
3 years ago
Florent Daigniere c674f1567a Merge branch 'ratelimits' of https://github.com/nextgens/Mailu into ratelimits 3 years ago
Florent Daigniere 8414dd5cf0 Merge remote-tracking branch 'upstream/master' into ratelimits 3 years ago
Florent Daigniere e14d2e7c03 Error out explictely if Auth-Port isn't set 3 years ago
Florent Daigniere abaa2e8cc3 simplify client_ip 3 years ago
Florent Daigniere de276a6822 Simplify extract_network_from_ip 3 years ago
Florent Daigniere 3bda8368e4 simplify the Auth-Status check 3 years ago
Florent Daigniere 2dd9ea1506 simplify 3 years ago
Florent Daigniere 068170c0ff Use app instead of flask.current_app where possible 3 years ago
Florent Daigniere 57b0dd490c Initialize user_email in all cases 3 years ago
qy117121 b1425015ef
Update messages.po
Fix wrong text
3 years ago
bors[bot] afffe4063e
Merge #2018
2018: show dmarc record for report domain in domain details r=mergify[bot] a=ghostwheel42

## What type of PR?

documentation

## What does this PR do?

show dmarc record for report domain in domain details

### Related issue(s)

closes #1382

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago
bors[bot] 9f2aa0aadc
Merge #1986 #2014
1986: Document how to setup client autoconfig r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Document how to setup autoconfig. This works with most open-source MUAs (thunderbird, evolution, ...)

We could go further than that by providing dynamic configuration (issue an auth token for each MUA request)... but it won't work unless a new DNS entry (and matching certificate) is created.

### Related issue(s)
- #224

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


2014: Update Chinese translation r=mergify[bot] a=qy117121

## What type of PR?

translation

## What does this PR do?

Update Chinese translation. Use `zh` instead of `zh_CN`.

### Related issue(s)

none

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: qy117121 <mixuan121@gmail.com>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago
Alexander Graf 7fe15ea9cf added dmarc record for report domain 3 years ago
bors[bot] a5b1d36171
Merge #2017
2017: rspamd: get dkim keys via REST API instead of filesystem r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement

## What does this PR do?

rspamd now uses hashicorp's vault api v1 to get dkim keys and selectors for a domain.
this allows future enhancement (multiple keys) without reconfiguring and restarting rspamd.
it also makes mounting the /dkim volume into the rspamd container unnecessary.

### Related issue(s)

- improves and closes #2012 
- allows to implement key rotation using multiple selectors (see #1700)
- allows to implement dkim for alternate domains (see #1519)
- fixes and closes #1345 (selector transmitted by admin container is used)
- closes #1179 (no keys on disk)
- allows to implement key rotation from the outside (ie. via a helper script talking to some dns provider's api) (see #547)

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago
Alexander Graf 7b0c5935a8 only support GET method in vault 3 years ago
Alexander Graf 303fae00fb cleanup modules. use dkim selector from config 3 years ago
Alexander Graf dc9f970a91 removed zh_CN and updated locale-map for datatables 3 years ago
Alexander Graf 893705169e PoC rspamd use dkimkeys from admin using vault api 3 years ago
Florent Daigniere 632ce663ee Prevent logins with no password 3 years ago
qy117121 866f784d06
Create messages.po
Update the translation
3 years ago
qy117121 251eea5553
Update messages.po
Updated translation
3 years ago
Florent Daigniere 7277e0b4e4
Merge branch 'master' into ratelimits 3 years ago
bors[bot] 8c8c1b2015
Merge #1997
1997: Prevent traceback when using non-email in login r=mergify[bot] a=ghostwheel42

There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('`@',` 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "`@")`
```

## What type of PR?

enhancement

## What does this PR do?

replace traceback (ERROR) with error message (WARNING)

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago
bors[bot] 9b01e663b2
Merge #2007
2007: allow sending emails as user+detail@domain.tld r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix or enhancement

## What does this PR do?

Allows sending emails with an added "+detail" in the local part.
 
### Related issue(s)

closes #1948

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: root <ghostwheel42@users.noreply.github.com>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 14360f8926 RECIPIENT_DELIMITER can have several characters 3 years ago
root 8c59f35697 use RECIPIENT_DELIMITER for splitting 3 years ago
Alexander Graf 1d571dedfc split localpart into user and tag 3 years ago
Florent Daigniere d131d863ba The if needs to be inside the block 3 years ago
Alexander Graf aaf3ddd002 moved javascript to app.js 3 years ago
Florent Daigniere b48779ea70 SESSION_COOKIE_SECURE and HTTP won't work 3 years ago
Florent Daigniere 502affbe66 Use the regexp engine since we have one 3 years ago
Florent Daigniere a349190e52 simplify 3 years ago
Florent Daigniere 10d78a888b Derive a new subkey for SRS 3 years ago
Florent Daigniere 995ce8d437 Remove OUTCLEAN_ADDRESS
I believe that this isn't relevant anymore as we don't use OpenDKIM
anymore

Background on:
https://bofhskull.wordpress.com/2014/03/25/postfix-opendkim-and-missing-from-header/
3 years ago
Alexander Graf 65133a960a Prevent traceback when using non-email in login
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
3 years ago
Diman0 41f5b43b38 Set nginx logging to level info again. 3 years ago
Diman0 f4cde61148 Make header translatable. More finishing touches. 3 years ago
Florent Daigniere 7d56ed3b70 Merge branch 'master' of https://github.com/Mailu/Mailu into ratelimits 3 years ago
Diman0 fbe0a446b9 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929 3 years ago
Florent Daigniere 1e07b85fa1 doh 3 years ago
Diman0 9894b49cbd Merge/Update with changes from master 3 years ago
Florent Daigniere 24aadf2f52 ensure we log when the rate limiter hits 3 years ago
Florent Daigniere 64bc7972cc Make AUTH_RATELIMIT_IP 60/hour as discussed 3 years ago
Florent Daigniere cab0ce2017 doh 3 years ago
Florent Daigniere a9340e61f5 Log auth attempts on /admin 3 years ago
Florent Daigniere 89ea51d570 Implement rate-limits 3 years ago
Diman0 bf0aad9820 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929 3 years ago
bors[bot] 4c5c6c3b5f
Merge #1966
1966: AdminLTE3 optimizations & compression and caching r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement, bugfix

## What does this PR do?

Optimization and cleanup of styles and javascript code for AdminLTE 3
Adds caching headers, gzip and robots.txt to nginx.

### Related issue(s)

Makes #1800 even better. Thanks to `@DjVinnii` and `@Diman0` for the good work.
Closes #1905

## Prerequistes

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
bors[bot] b329971b87
Merge #1971
1971: Updated Polish translation. r=mergify[bot] a=ghostwheel42

## What type of PR?

translation

## What does this PR do?

Update polish translation. Used `pl/LC_MESSAGES/messages.po` from PR #1751 created by `@martys71`
Part of Discussion of 1.9 roadmap #1930

### Related issue(s)

closes #1751 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago
bors[bot] 72e8ec53b7
Merge #1975
1975: Replace traceback with error message when creating initial admin user r=mergify[bot] a=ghostwheel42

## What type of PR?

small enhancement

## What does this PR do?

when creating the admin user via cli a traceback is shown when this user is already present in the database.
This is confusing users. I've replaced the traceback with an error message.

### Related issue(s)

#1921

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago
Alexander Graf 25cf8b5358 better help formatting 3 years ago
Alexander Graf b63081cb48 display error (not exception) when creating admin
repleace misleading python exception (mailu broken)
with error message stating that the admin user is
already present
3 years ago
Alexander Graf 065215d4d1 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes 3 years ago
Alexander Graf 7bec8029a4 strip not necessary anymore 3 years ago
Alexander Graf 05c79b0e3c copy (and not parse) mta sts override config 3 years ago
Alexander Graf b02ceab72f handle DEFER_ON_TLS_ERROR as bool
use /conf/mta-sts-daemon.yml when override is missing
3 years ago
Alexander Graf 1e8b41f731 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes 3 years ago