479 Commits (4abf49edf429e2ebb594a002c9f5e922a6e824e7)

Author SHA1 Message Date
Florent Daigniere ef5f82362c Merge remote-tracking branch 'upstream/master' into policyd-mta-sts 3 years ago
Florent Daigniere d607ba0ef2 Clarify that a restart may be required 3 years ago
Florent Daigniere fb34f53493 Do operations in the right (safe) order 3 years ago
Florent Daigniere fccb0cc57f Add a longer max_age (15days) 3 years ago
Florent Daigniere 67db72d774 Behave like documented 3 years ago
Florent Daigniere a8142dabbe Introduce DEFER_ON_TLS_ERROR
This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.
3 years ago
bors[bot] 7e86f5cb57
Merge #1959
1959: Ensure that we don't trust client headers r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Document how REAL_IP_FROM and REAL_IP_HEADER should be used. Ensure that we strip True-Client-IP and X-Forwarded-For if neither are set.

We should also update the documentation on reverse-proxies... but that's #1958

### Related issue(s)
- #1958

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 5efe35329b doh 3 years ago
Florent Daigniere 5634354911 document how to publish an MTA-STS policy 3 years ago
Florent Daigniere 394c2fe22c Document REAL_IP_HEADER and REAL_IP_FROM
Fix a security vulnerability whereby we were not clearing other headers
3 years ago
Florent Daigniere 0e45bb3ae5 use example.com 3 years ago
Florent Daigniere d65993886a Fix the links 3 years ago
Florent Daigniere 9e306bf255 use example.com 3 years ago
Florent Daigniere 5ed77750f2 clarify 3 years ago
Florent Daigniere 13e0b56a0d This breaks SSO 3 years ago
Florent Daigniere e742c5432b simplify 3 years ago
Florent Daigniere 0a6f3448ec k8s is helm-chart only 3 years ago
Florent Daigniere fb8d52ceb2 Merge branch 'master' of https://github.com/Mailu/Mailu into tls_policy_map 3 years ago
Florent Daigniere fc5758e352 Clarify that it will only work for existing addresses 3 years ago
Florent Daigniere 9ec7590171 Merge branch 'master' of https://github.com/Mailu/Mailu into wildcard_senders 3 years ago
bors[bot] b57df78dac
Merge #1916
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

A conflict-free version of #1360 implementing per-user sender limits

### Related issue(s)
- close #1360 
- close #1031
- close #1774 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
Dimitri Huisman 4c056db4aa Added documentation for all user statuses. 3 years ago
Dimitri Huisman b7403c850a Document the new setting in webadministration.rst. 3 years ago
Florent Daigniere facc4b6427 Allow specific users to send email from any address 3 years ago
Diman0 146b081119 enhanced security changelog entry and added recommendation to recreate secret_key 3 years ago
Diman0 2132adcc38 Fixed typing error. 3 years ago
Diman0 b7db90b7ff Update documentation config and release notes page. 3 years ago
David Fairbrother 24747e33de Add ability to set no WEBROOT_REDIRECT to Nginx
Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
3 years ago
Florent Daigniere 7b847852af fix typo 3 years ago
Florent Daigniere e1a7657999 Now that postfix has CAs we can switch to secure
encrypt means "ensure we have some confidentiality" whereas secure means
"ensure we have confidentiality while talking to the right peer"
(protects against passive or/and active MITM attacks)
3 years ago
Florent Daigniere c76a76c0b0 make it optional, add a knob 3 years ago
Diman0 14a1871511 enhanced security changelog entry and added recommendation to recreate secret_key 3 years ago
Diman0 21e7a338e7 Fixed typing error. 3 years ago
Diman0 4b89143362 Update documentation config and release notes page. 3 years ago
bors[bot] 48f3b1fd49
Merge #1656
1656: Add ability to set no WEBROOT_REDIRECT to Nginx r=mergify[bot] a=DavidFair

## What type of PR?

Enhancement / Documentation

## What does this PR do?

From commit:

---

Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.

---

I've also added bullet points to break up a long flowing sentence in `configuration.rst` - it should be a bit easier to read now

### Related issue(s)
No Related Issue - I just jumped to a PR

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly

@ Maintainers - Is this worthy of the changelog, it's useful to know about but I imagine the number of people it affects is equally minimal?
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: David Fairbrother <DavidFair@users.noreply.github.com>
3 years ago
Diman0 588904078e Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value. 3 years ago
Erriez 44e963ab1a
Merge branch 'master' into fix-docs-image 3 years ago
Erriez 98933f9478 Optimize docs/Dockerfile
- Convert .rst to .html in temporary python:3.8-alpine3.14 build image
- Remove all unused packages
- Use nginx:1.21-alpine deployment image
3 years ago
bors[bot] f9e49dc43a
Merge #1877
1877: Fix missing bullet points and styling in documentation r=nextgens a=Diman0

## What type of PR?
Bug-fix

## What does this PR do?
It brings back the bullet points and correct styling to the documentation.
Conf.py was missing an extension declaration.
The requirement docutils was missing. Currently Sphinx only supports docutils 0.16. 

To see the issue yourself compare
Ok: https://mailu.io/1.7/
Not Ok: https://mailu.io/1.8.

### Related issue(s)
- None

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Diman0 <diman@huisman.xyz>
3 years ago
Florent Daigniere 2b63280f59 doh 3 years ago
Florent Daigniere ccb3631622 still need pip3 3 years ago
Florent Daigniere d44608ed04 Merge remote-tracking branch 'upstream/master' into upgrade-alpine 3 years ago
networkException 8235085848
Docs: Limit fail2ban matches to front container
Previously fail2ban matched against all journal entries. This patch
adds a tag to the logdriver and fail2ban filter documentation that
limits the matches to entries from the front container
3 years ago
Diman0 64bf75efb1 Added missing extension in conf.py. Added missing library in requirements.txt. Sphinx is only compatible with docutils<0.17 3 years ago
networkException a2cf13c548
Template: Update link to changelog entry documentation for pull requests 3 years ago
networkException f80e04a8c5
Docs: Replace hardcoded journald logpath with systemd backend
The file at /var/log/messages is not universal for every
distribution. Fail2ban can access journald logs directly
by using the systemd backend.
3 years ago
Dimitri Huisman 0772e172ff
Merge pull request #1666 from cipianpascu/patch-1
Update front.yaml
3 years ago
Florent Daigniere 420afa53f8 Upgrade to alpine 3.14 3 years ago
Dimitri Huisman 6dc1a19390
Merge branch 'master' into import-export 3 years ago
bors[bot] 4ff90683ca
Merge #1758 #1776
1758: Implement a simpler credential cache (alternative to #1755) r=mergify[bot] a=nextgens

## What type of PR?

Feature: it implements a credential cache to speedup authentication requests.

## What does this PR do?

Credentials are stored in cold-storage using a slow, salted/iterated hash function to prevent offline bruteforce attacks. This creates a performance bottleneck for no valid reason (see the
rationale/long version on https://github.com/Mailu/Mailu/issues/1194#issuecomment-762115549).

The new credential cache makes things fast again.

This is the simpler version of #1755 (with no new dependencies)

### Related issue(s)
- close #1411
- close #1194 
- close #1755

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1776: optimize generation of transport nexthop r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix and enhancement.

## What does this PR do?

Possibly there should be more input validation when editing a relay, but for now this tries to make the best out of the existing "smtp" attribute while maintaining backwards compatibility. When relay is empty, the transport's nexthop is the MX of the relayed domain to fix #1588 

```
RELAY			NEXTHOP						TRANSPORT
empty			use MX of relay domain				smtp:domain
:port			use MX of relay domain and use port	smtp:domain:port
target			resolve A/AAAA of target			smtp:[target]
target:port		resolve A/AAAA of target and use port	smtp:[target]:port
mx:target		resolve MX of target				smtp:target
mx:target:port	resolve MX of target and use port	smtp:target:port
lmtp:target		resolve A/AAAA of target			lmtp:target
lmtp:target:port	resolve A/AAAA of target and use port	lmtp:target:port

target can also be an IPv4 or IPv6 address (an IPv6 address must be enclosed in []: [2001:DB8::]).
```

When there is proper input validation and existing database entries are migrated this function can be made much shorter again.

### Related issue(s)
- closes #1588 
- closes #1815 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago