2735 Commits (5062ee58dcdf561fc3447a5650e83b9005c2b694)
 

Author SHA1 Message Date
bors[bot] 5062ee58dc
Merge #1935
1935: Fix bug #1934: logs flooded with "unbound udp connect failed: Address not available for" r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Revert back to alpine 1.12 for the resolver/unbound container. The official fix is at:
08968baec1
but alpine doesn't ship it yet:
https://pkgs.alpinelinux.org/packages?name=unbound&branch=v3.14

### Related issue(s)
- closes #1934 


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere e1ddbb6eec Rollback to alpine 1.12
it ships unbound 1.10 that doesn't have the bug I think
08968baec1
3 years ago
bors[bot] b57df78dac
Merge #1916
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

A conflict-free version of #1360 implementing per-user sender limits

### Related issue(s)
- close #1360 
- close #1031
- close #1774 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
Dimitri Huisman 4c056db4aa Added documentation for all user statuses. 3 years ago
Dimitri Huisman e5972bd9ec Set default message rate limit to 200/day 3 years ago
Dimitri Huisman b7403c850a Document the new setting in webadministration.rst. 3 years ago
bors[bot] 34b35ca9b7
Merge #1922
1922: Harden postfix's configuration r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

It hardens the default configuration:
- disable AUTH commands on port 25 (nginx was not advertising the capability: normal clients wouldn't attempt it)
- fix Forward Secrecy by ensuring that we don't use session tickets and don't cache on forensically carveable mediums
- prevent clear-text credentials from being sent while authenticating to remote relays (this may break things if the relay doesn't support challenge-based authentication NOR STARTTLS - unlikely).
- switch to default RSA keysizes (2048 bits and they get rekeyed every 3 months -modern clients will do ECC)
- enable ECC certificates (much smaller than RSA keys, faster for better security margin)
- configure nginx so that it doesn't send the legacy/root CA (clients that require it are unlikely to do TLS1.2 any ways)

I don't think that any of those changes is impactful enough to warrant being documented.

### Related issue(s)
- close #1804

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Jack Murray <github@c0rporation.com>
3 years ago
Jack Murray dd127f8f06 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
3 years ago
Florent Daigniere 6704cb869a Switch to 3072bits dhparam (instead of 4096bits)
We aim for 128bits of security here
3 years ago
Florent Daigniere f74497d929 Merge remote-tracking branch 'upstream/master' into harden_postfix 3 years ago
Jack Murray e304c352a1 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
3 years ago
bors[bot] 966b9cb918
Merge #1928
1928: Change letsencrypt timer from 1h --> 1 day r=mergify[bot] a=jackmurray

There's no need to be calling certbot so frequently. Letsencrypt certificates last for 90 days so polling every hour is just wasteful. Once per day should be more than sufficient to catch any certificates before they even get close to expiring.

## What type of PR?

Enhancement

## What does this PR do?

Reduces unnecessary load on the Letsencrypt ACME servers.

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Jack Murray <github@c0rporation.com>
3 years ago
Jack Murray 7e5a35660a
Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
3 years ago
Florent Daigniere 925105075c this is required in fact 3 years ago
Florent Daigniere 772e5efb7d Disable pipelining to prevent bypass 3 years ago
Florent Daigniere c76a76c0b0 make it optional, add a knob 3 years ago
Florent Daigniere 5e1ba9d4ff towncrier 3 years ago
Florent Daigniere 109a8aa000 Ensure that we always have CERT+INTERMEDIARY CA
Let's encrypt may change things up in the future...
3 years ago
Florent Daigniere dccd8afd51 Thanks @Diman0!
ENEEDSLEEP
3 years ago
Florent Daigniere 974bcba5ab Restore LOGIN as tests assume it's there 3 years ago
Florent Daigniere 2b05e72ce4 Revert "maybe fix the tests"
This reverts commit f971b47fb9.
3 years ago
Florent Daigniere f971b47fb9 maybe fix the tests 3 years ago
Florent Daigniere 4a871c0905 this causes trouble with the test 3 years ago
Florent Daigniere 12c842c4b9 In fact in fullchain we want all but the last 3 years ago
Florent Daigniere 24f9bf1064 format certs for nginx 3 years ago
Florent Daigniere 98b903fe13 don't send the rootcert 3 years ago
Florent Daigniere 92ec446c20 doh 3 years ago
Florent Daigniere f05cc99dc0 Add ECC certs for modern clients 3 years ago
Florent Daigniere cb68cb312b Reduce the size of the RSA key to 3072bits
This is already generous for certificates that have a 3month validity!

We rekey every single time.
3 years ago
Florent Daigniere 5e7d5adf17 AUTH shouldn't happen on port 25 3 years ago
Florent Daigniere 55cdb1a534 be explicit about what we support 3 years ago
Florent Daigniere ecadf46ac6 fix PFS 3 years ago
Florent Daigniere 7285c6bfd9 admin won't understand LOGIN 3 years ago
Florent Daigniere de3620da4a Don't send credentials in clear ever 3 years ago
Florent Daigniere 4535c42e70 This isn't required 3 years ago
Florent Daigniere 1101e401e8 Apply the restriction on the right port 3 years ago
Florent Daigniere 6d244222da better error message 3 years ago
bors[bot] 3a96bf2170
Merge #1917
1917: Update Alpine version from 3.10 to 3.14 build_arm.sh r=mergify[bot] a=Erriez

## What type of PR?

Update Alpine version from 3.10 to 3.14 in `build_arm.sh` script.

## What does this PR do?

### Related issue(s)
- Mention an issue like: #1200

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.

Co-authored-by: Erriez <Erriez@users.noreply.github.com>
3 years ago
Florent Daigniere d6ce5d0c06 Remove a warning: limits don't apply to trusted hosts 3 years ago
bors[bot] f38576b75a
Merge #1918
1918: Alpine has removed support for btree and hash from postfix r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

fix the following errors:
Aug 08 16:52:03 ocloud postfix/smtp[376]: error: unsupported dictionary type: hash
Aug 08 16:52:03 ocloud postfix/tlsmgr[377]: error: unsupported dictionary type: btree
Aug 08 16:52:03 ocloud postfix/tlsmgr[377]: warning: btree:/var/lib/postfix/smtp_scache is unavailable. unsupported dictionary type: btree

Without it Mailu is unusable with a relay.

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 1029cad048 towncrier 3 years ago
Florent Daigniere bcdc137677 Alpine has removed support for btree and hash 3 years ago
Erriez 6b3c208fc9 Update Alpine version from 3.10 to 3.14 3 years ago
Florent Daigniere 1438253a06 Ratelimit outgoing emails per user 3 years ago
bors[bot] 6b0e8a0dfb
Merge #1912
1912: 1.8 release r=mergify[bot] a=Diman0

## What type of PR?

1.8 release.

## What does this PR do?
Final changes required for the 1.8 release.

### Related issue(s)
- #1829 can be closed after this PR is backported.

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
3 years ago
Diman0 3157fc3623 Give docker containers in each test one more minute for starting. 3 years ago
Diman0 14a1871511 enhanced security changelog entry and added recommendation to recreate secret_key 3 years ago
Diman0 21e7a338e7 Fixed typing error. 3 years ago
Diman0 f0997ed0fd Improved changelog entry 3 years ago
Dimitri Huisman 6581f8f087
Resolve merge conflict 3 years ago