242 Commits (35331a4295d1740c71e77debfec6c3081bc767c3)

Author SHA1 Message Date
bors[bot] 7e60ba4e98
Merge #2613
2613: Enhance network segregation r=nextgens a=nextgens

## What type of PR?

enhancement

## What does this PR do?

- put radicale and webmail on their own network: this is done for security: that way they have no privileged access anywhere (no access to redis, no access to XCLIENT, ...)
- remove the EXPOSE statements from the dockerfiles. These ports are for internal comms and are not meant to be exposed in any way to the outside world.

### Related issue(s)
- #2611

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Dimitri Huisman bcceac359d
Merge branch 'apiv1' of https://github.com/ghostwheel42/Mailu into feature-445-restful-api-ghostwheel 2 years ago
Florent Daigniere 9d555b0eec Don't expose any port (suggestion from ghost) 2 years ago
Florent Daigniere e85a2a7e99 Step1: expose managesieve, make the webmails use it 2 years ago
Florent Daigniere 4d80c95c41 Fix authentication submission
Don't talk haproxy to postfix; it's more headaches than it is currently
worth.
2 years ago
bors[bot] bba6c5bb88
Merge #2603
2603: Enable HAPROXY protocol on SUBNET r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

- Enable HAPROXY in between front and imap: With this we avoid running into the limitations of  ``mail_max_userip_connections`` and the logfiles reflect the real IP.
- Enable HAPROXY in between front and smtp: with this postfix and rspamd are aware of whether TLS was used or not on the last hop. In practice this won't work as nginx doesn't send PROTO yet.
- Discard redundant log messages from postfix

With all of this, not only are the logs easier to understand but ``doveadm who`` also works as one would expect.

### Related issue(s)
- closes #894
- #1328
- closes #1364
- #1705

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Florent Daigniere cd107182c1 comment 2 years ago
Florent Daigniere 8539344331 Reduce nginx ssl_session_cache to 3m each 2 years ago
Florent Daigniere 55c1e55529 Same for front-smtp
This should enable postfix to have visibility on TLS usage and fix the
following: #1705
2 years ago
Florent Daigniere 4ae0d7d768 Enable HAPROXY protocol in between front and imap
With this we avoid running into the limitations of
 mail_max_userip_connections (see #894 amd #1364) and the
 logfiles as well as ``doveadm who`` give an accurate picture.
2 years ago
Alexander Graf be40781394
Add default for WEB_API, re-add flask-restx to deps, remove whitespace 2 years ago
Dimitri Huisman 3cb8358090
Process review comments PR#2464
- When visiting root of WEB_API, the swaggerui is shown
- simplify the condition for endpoint WEB_API
2 years ago
Dimitri Huisman 5c9cdfe1de
Introduction of the Mailu RESTful API.
Anything that can be configured in the web administration interface,
can also be configured via the Mailu RESTful API.
See the section Advanced configuration in the configuration reference
for the relevant settings in mailu.env for enabling the API.
(API, WEB_API, API_TOKEN).
2 years ago
Florent Daigniere 4e3874b0c1 Enable dynamic resolution of hostnames 2 years ago
bors[bot] 5703e97c73
Merge #2460
2460: Switch to a base image containing base tools and the podop and socrate libs r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement of build process

## What does this PR do?

Changes build.hcl to build core images using a base image.
Also adds a "assets" base image for the admin container.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: Pierre Jaury <pierre@jaury.eu>
Co-authored-by: kaiyou <pierre@jaury.eu>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
2 years ago
Blaž Zupan 56617bbe12 Quote SMTP SIZE to avoid splitting keyword and parameter in EHLO response 2 years ago
Vincent Kling 23d06a5761 Fix a bunch of typos 2 years ago
Alexander Graf 146921f619
Move curl to base image 2 years ago
Alexander Graf 4c1071a497
Move all requirements*.txt to base image 2 years ago
Alexander Graf a29f066858
Move even more python deps to base image 2 years ago
Alexander Graf 9fe452e3d1
Use base image when building core images 2 years ago
bors[bot] e600f20762
Merge #2468
2468: Ensure that Mailu keeps working even if it can't obtain a certificate from LE r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES

Without this TLS configuration would fail and Mailu would operate without TLS completely.

I haven't tested it but thought this used to work previously... maybe certbot has changed something

### Related issue(s)
- closes #2467

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Florent Daigniere 1630a18dd8 Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES 2 years ago
Florent Daigniere 85a2aafcdf ghostwheel42's suggestions 2 years ago
Florent Daigniere 6a0e881522 Introduce TLS_PERMISSIVE for port 25
This new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged, please read the documentation before doing so.
2 years ago
Alexander Graf 822abc9136
Put ipv6 resolver address in square brackets 2 years ago
bors[bot] 3327500f96
Merge #2221
2221: Add support for custom NGINX config r=mergify[bot] a=easybe

## What type of PR?

enhancement

## What does this PR do?

Add support for custom NGINX config. Including *.conf files in /etc/nginx/conf.d same as the default NGINX configuration gives the user more flexibility.

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Ezra Buehler <ezra@easyb.ch>
2 years ago
bors[bot] 1069c02bc8
Merge #2357
2357: Switch to ffdhe3072 to enable RFC 7919 r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

The idea being:
- it's a "nothing up my sleeves" group
- it may help shave off some bytes of the SSL handshake; That being said, I doubt that clients that are modern enough to support this RFC won't offer an EC kex

https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe3072.pem

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Dimitri Huisman ee78a34da4 Process code review feedback
Remove unneeded IF statement in /admin block in nginx.conf of front.
Fix contributions made to Dockerfile, add missing trailing \ and add back curl
Change healthcheck to monitoring page of fpm. Now we check nginx and fpm.
3 years ago
Dimitri Huisman d19208d3d1 Merge branch 'master' of github.com:Mailu/Mailu into feature-switch-snappymail 3 years ago
Dimitri Huisman 4b491d9de5 Re-enable the built-in nginx resolver for traffic going through the mail plugin.
This is required for passing rDNS/ptr information to postfix.
The mail proxy uses the resolver info for passing XCLIENT info.
See http://nginx.org/en/docs/mail/ngx_mail_proxy_module.html#xclient
Without this info rspamd will flag all messages with DHFILTER_HOSTNAME_UNKNOWN due to the missing rDNS/ptr info.
3 years ago
Florent Daigniere 74c5e92628 Switch to ffdhe3072 to enable RFC 7919
The idea being:
- it's a "nothing up my sleeves" group
- it may help shave off some bytes of the SSL handshake; That being
said, I doubt that clients that are modern enough to support this RFC
won't offer an EC kex

https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe3072.pem
3 years ago
bors[bot] e92c67b118
Merge #2338
2338: Update X-XSS-Protection to current recommendation r=mergify[bot] a=AvverbioPronome

See:

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection and
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection

## What type of PR?

Slight enhancement

## What does this PR do?

This PR turns off the XSS auditor in the few browsers that still have one.

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ?] In case of feature or enhancement: documentation updated accordingly
- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Giuseppe C <1191978+AvverbioPronome@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
3 years ago
Florent Daigniere cb656fc9fd Silence some errors in nginx
"could not be resolved (3: Host not found) while in resolving client
address, client:"
3 years ago
Your Name f7a3ecee2c remove X-XSS-Protection header from nginx.conf 3 years ago
Giuseppe C 389438d18b
Update X-XSS-Protection to current recommendation
See:

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection and
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
3 years ago
Will a54a784168 Update alpine-linux to 3.14.5 - Zlib security FIX 3 years ago
Dimitri Huisman f2f859280c Merge remote-tracking branch 'origin/master' into feature-switch-snappymail 3 years ago
Dimitri Huisman 9519d07ba2 Switch from RainLoop to SnappyMail 3 years ago
bors[bot] c15e4e6015
Merge #2276
2276: Autoconfig of email clients r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

It provides auto-configuration templates for email clients and encourages them to use implicit TLS (see https://nostarttls.secvuln.info/)

There are numerous caveats:
- it will only work if suitable DNS records are created and certificates obtained (autoconfig, autodiscover, ...)
- the mobileconfig file isn't signed
- the credentials will be prompted... we could/should provision a token on each request instead
- it currently doesn't advertise caldav
- it's IMAP only

### Related issue(s)
- close #224 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 9b952da6c2 Allow nginx to lookup IPv6 addresses
It creates issues with RSPAMD/HFILTER_HOSTNAME_UNKNOWN on v6 enabled
setups see
https://github.com/Mailu/Mailu/issues/2260#issuecomment-1066797661
3 years ago
Will d02296c3bc Update alpine-linux to 3.14.4 - OpenSSL security FIX 3 years ago
Florent Daigniere 6d80eea649 ghostwheel42's suggestion 3 years ago
Florent Daigniere 184c9bc566 Add json redirect 3 years ago
Florent Daigniere d677c465a7 Handle spaces too 3 years ago
Florent Daigniere 6fc1273b58 Add a link to autoconfigure apple devices 3 years ago
Florent Daigniere 3a56525e21 As discussed on #mailu-dev
Don't attempt to guess what the user wants
3 years ago
Florent Daigniere 81b592f3cb try to get LE certs for the new names 3 years ago
Florent Daigniere cdc92aa65b Mobileconfig apple style 3 years ago
Florent Daigniere ccd2cad4f1 Autodiscovery microsoft style 3 years ago