Commit Graph

1506 Commits (546884d10cc5ba995044891051a4c3278f7d686d)

Author SHA1 Message Date
Dimitri Huisman 4b491d9de5 Re-enable the built-in nginx resolver for traffic going through the mail plugin.
This is required for passing rDNS/ptr information to postfix.
The mail proxy uses the resolver info for passing XCLIENT info.
See http://nginx.org/en/docs/mail/ngx_mail_proxy_module.html#xclient
Without this info rspamd will flag all messages with DHFILTER_HOSTNAME_UNKNOWN due to the missing rDNS/ptr info.
enginefeeder101 82860d0f80
Moved parsing environment variable to global application config dictionary
Per requested changes added the ``DEFAULT_SPAM_THRESHOLD`` to the main
application configuration dictionary in ``configuration.py`` and updated
``models.py`` accordingly.
No error handling is added, as that was not required.
enginefeeder101 6c83d25312
Configurable default spam threshold used for new users
This commit adds functionality to set a custom default spam threshold
for new users. The environment variable ``DEFAULT_SPAM_THRESHOLD`` can
be used for this purpose. When not set, it defaults back to 80%, as the
default value was before
If ``DEFAULT_SPAM_THRESHOLD`` is set to a value that Python cannot
parse as an integer, a ValueError is thrown. There is no error handling
for that case built-in.
bors[bot] c2d85ecc32
Merge
2325: postfix: wrap IPv6 CIDRs in square brackets for RELAYNETS r=mergify[bot] a=pommi

## What type of PR?

bug-fix

## What does this PR do?

This PR wraps IPv6 CIDRs in the `RELAYNETS` environment variable in square brackets for the postfix configuration.

The `RELAYNETS` environment variable is used for configuring both postfix `mynetworks` and rspamd `local_networks`. Postfix requires IPv6 addresses to be wrapped in square brackets (eg. `[2001:db8::]/64`).

When an IPv6 address is not wrapped in square brackets in the postfix configuration for `mynetworks` it results in this error while processing an incoming email from an IPv6 sender:
```
postfix/smtpd[340]: warning: 2001:db8::/64 is unavailable. unsupported dictionary type: 2001
postfix/smtpd[340]: warning: smtpd_client_event_limit_exceptions: 2001:db8::/64: table lookup problem
```

The sender sees an error and the incoming email is refused:
```
451 4.3.0 <unknown[2001:xxx:xxx:xxx:xxx:xxx:xxx:xxx]>: Temporary lookup failure
```

I tried to work around this issue by wrapping the IPv6 CIDR in square brackets in the `RELAYNETS` environment variable, but it segfaults rspamd, because it can't deal with this non-standard IPv6 notation used by postfix:
```
kernel: [4305632.603704] rspamd[1954299]: segfault at 0 ip 00007fb848983871 sp 00007ffe02cc6d1
8 error 4 in ld-musl-x86_64.so.1[7fb848948000+48000]
```

### Related issue(s)
- 
- 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

**No changelog or documentation necessary for this minor change.**

Co-authored-by: Pim van den Berg <pim@nethuis.nl>
Pim van den Berg d495052b52 postfix: wrap IPv6 CIDRs in square brackets for RELAYNETS
The RELAYNETS environment variable is used for configuring both postfix
`mynetworks` and rspamd `local_networks`. Postfix requires IPv6
addresses to be wrapped in square brackets (eg. [2001:db8::]/64).
Alexander Graf e75201bb34
Add default to column spam_mark_as_read
Florent Daigniere 74c5e92628 Switch to ffdhe3072 to enable RFC 7919
The idea being:
- it's a "nothing up my sleeves" group
- it may help shave off some bytes of the SSL handshake; That being
said, I doubt that clients that are modern enough to support this RFC
won't offer an EC kex

https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe3072.pem
Florent Daigniere 04b7ddfffd Merge remote-tracking branch 'upstream/master' into Riscue-master
Florent Daigniere d2aa647a9f l10n
bors[bot] e519ec9ae6
Merge
2310: Update deprecated rspamd config option r=mergify[bot] a=henniaufmrenni

## What type of PR?

Configuration update

## What does this PR do?

This is just a small config update to get rid of the following warning message:
`lua; antivirus.lua:109: CLAM_VIRUS [clamav]: Using attachments_only is deprecated. Please use scan_mime_parts = true instead`

As per the rspamd documentation https://rspamd.com/doc/modules/antivirus.html
> attachments_only = true; # Before 1.8.1
> scan_mime_parts = true; # After 1.8.1

The currently used version of rspamd is 3.1.

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: henniaufmrenni <henniaufmrenni@keinvergessen.org>
bors[bot] e92c67b118
Merge
2338: Update X-XSS-Protection to current recommendation r=mergify[bot] a=AvverbioPronome

See:

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection and
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection

## What type of PR?

Slight enhancement

## What does this PR do?

This PR turns off the XSS auditor in the few browsers that still have one.

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ?] In case of feature or enhancement: documentation updated accordingly
- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Giuseppe C <1191978+AvverbioPronome@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Florent Daigniere cb656fc9fd Silence some errors in nginx
"could not be resolved (3: Host not found) while in resolving client
address, client:"
Your Name f7a3ecee2c remove X-XSS-Protection header from nginx.conf
Giuseppe C 389438d18b
Update X-XSS-Protection to current recommendation
See:

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection and
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
bors[bot] c09253ede3
Merge
2323: Fix Postfix FileExistsError on startup r=mergify[bot] a=Pumba98

## What type of PR?

bug-fix

## What does this PR do?

I'm running mailu with the mailu helm-chart on kubernetes. Sometimes when a Pod restarts I get the following error during startup:
```
Process Process-1:
Traceback (most recent call last):
File "/usr/lib/python3.9/multiprocessing/process.py", line 315, in _bootstrap
self.run()
File "/usr/lib/python3.9/multiprocessing/process.py", line 108, in run
self._target(*self._args, **self._kwargs)
File "/start.py", line 18, in start_podop
os.mkdir('/dev/shm/postfix',mode=0o700)
FileExistsError: [Errno 17] File exists: '/dev/shm/postfix'
INFO:MAIN:MTA-STS daemon starting...
```

But that does not prevent the container startup. When mails arrive it will fail with something like:

```
postfix/trivial-rewrite[94979]: warning: connect to /tmp/podop.socket: No such file or directory
postfix/trivial-rewrite[94979]: warning: table socketmap:unix:/tmp/podop.socket:transport lookup error: No such file or directory
postfix/trivial-rewrite[94979]: warning: socketmap:unix:/tmp/podop.socket:transport lookup error for "*"
```

I'm running this quick fix now since almost two months without problems. Maybe you got a better approach how to solve this, but this works fine for me.

### Related issue(s)
- none

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

<!--
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
--->

**No changelog or documentation necessary for this minor change.**


Co-authored-by: Pumba98 <mail@pumba98.de>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
Florent Daigniere 193d835abe
Use os.makedirs instead
henniaufmrenni 8eb8cb1f48 Update deprecated rspamd config option
This gets rid of the following error message:
lua; antivirus.lua:109: CLAM_VIRUS [clamav]: Using attachments_only is deprecated. Please use scan_mime_parts = true instead

As per the rspamd documentation https://rspamd.com/doc/modules/antivirus.html
attachments_only = true; # Before 1.8.1
scan_mime_parts = true; # After 1.8.1

The currently used version is rspamd 3.1.
bors[bot] 6f89209f9f
Merge
2302: Update alpine-linux to 3.14.5 - Zlib security FIX r=mergify[bot] a=willofr

## What type of PR?
Security fix

## What does this PR do?
Update alpine docker image to alpine-3.14.5

- closes 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Will <will@packer-output-c8fcfb40-3d93-4475-8f87-e14a9dd683b6>
Will a54a784168 Update alpine-linux to 3.14.5 - Zlib security FIX
hitech95 fc8926493c admin: graceful fail on user fetch in basic auth
Signed-off-by: hitech95 <nicveronese@gmail.com>
Dimitri Huisman f2f859280c Merge remote-tracking branch 'origin/master' into feature-switch-snappymail
Dimitri Huisman 9519d07ba2 Switch from RainLoop to SnappyMail
bors[bot] c15e4e6015
Merge
2276: Autoconfig of email clients r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

It provides auto-configuration templates for email clients and encourages them to use implicit TLS (see https://nostarttls.secvuln.info/)

There are numerous caveats:
- it will only work if suitable DNS records are created and certificates obtained (autoconfig, autodiscover, ...)
- the mobileconfig file isn't signed
- the credentials will be prompted... we could/should provision a token on each request instead
- it currently doesn't advertise caldav
- it's IMAP only

### Related issue(s)
- close  

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 9b952da6c2 Allow nginx to lookup IPv6 addresses
It creates issues with RSPAMD/HFILTER_HOSTNAME_UNKNOWN on v6 enabled
setups see
https://github.com/Mailu/Mailu/issues/2260#issuecomment-1066797661
bors[bot] 8cc91bad75
Merge
2281: Update alpine-linux to 3.14.4 - OpenSSL security FIX r=mergify[bot] a=willofr

## What type of PR?
Security fix

## What does this PR do?
Update Dockerfiles to use alpine-linux 3.14.4 which contains a security fix for openssl
https://alpinelinux.org/posts/Alpine-3.12.10-3.13.8-3.14.4-released.html

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


2285: Update names of language json files r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

language json files of datatables i18n have been renamed
this updates the mappings to the current names


2286: Fix typo in Traefik reverse proxy docs r=mergify[bot] a=ghostwheel42

Slight typo in the Traefik reverse proxy docs. Found through running into the issue on my own instance.

## What type of PR?

documentation

## What does this PR do?

Adds   to master


2287: Fix typo in docs: cert not certs r=mergify[bot] a=ghostwheel42

## What type of PR?

documentation

## What does this PR do?

just a typo

Co-authored-by: Will <will@packer-output-c8fcfb40-3d93-4475-8f87-e14a9dd683b6>
Co-authored-by: willofr <willofr@users.noreply.github.com>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: DAHPr0gram3r <cbillwork02@gmail.com>
bors[bot] a7149b83d4
Merge
2284: Fixing AUTH_RATELIMIT_IP not working on imap/pop3/smtp r=mergify[bot] a=fischerscode



## What type of PR?

bug-fix

## What does this PR do?
This fixes AUTH_RATELIMIT_IP not working on imap/pop3/smtp.

### Related issue(s)
closes 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.

Co-authored-by: Maximilian Fischer <github@maaeps.de>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
bors[bot] 68d3d67b8c
Merge
2255: Create a polite and turtle delivery queue to accommodate destinations that expect emails to be sent slowly r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

Create a polite and turtle delivery queue to accommodate destinations that expect emails to be sent slowly

### Related issue(s)
- closes 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Alexander Graf d70596d431
Update names of language json files
Alexander Graf 64ad6931e9
Move 'is_valid_user = user is not None' into else
Alexander Graf 630a4e9b5e
Update auth.py
Add spaces
Maximilian Fischer 8775dc5b15 Fixing AUTH_RATELIMIT_IP not working on imap/pop3/smtp
Will d02296c3bc Update alpine-linux to 3.14.4 - OpenSSL security FIX
Florent Daigniere ce9dc3a335 ghostwheel42's suggestion
Florent Daigniere 83140322e0 ghostwheel42's suggestion
Florent Daigniere 3aa735cc2d ghostwheel42's suggestion
Florent Daigniere 6d80eea649 ghostwheel42's suggestion
Florent Daigniere 9bc963f19b don't think the escaping is required but it was there
Florent Daigniere 3e6f3a95a4 Reflect the data from the POST
Florent Daigniere 14931c4acd doh
Florent Daigniere c6c444cfa7 simplify
Florent Daigniere 373e6d2161 doh
Florent Daigniere 184c9bc566 Add json redirect
Florent Daigniere 9a2d8d63a3 Search and replace wasn't a good idea
Florent Daigniere c50750054b Allow POST
Florent Daigniere 71897f4ff0 Doh
Florent Daigniere d677c465a7 Handle spaces too
Florent Daigniere 6fc1273b58 Add a link to autoconfigure apple devices
Florent Daigniere 0bccb5045c STARTTLS is a bad idea
Florent Daigniere 3a56525e21 As discussed on #mailu-dev
Don't attempt to guess what the user wants
Florent Daigniere 81b592f3cb try to get LE certs for the new names
Florent Daigniere a3f9e2beee Use priorities instead
Florent Daigniere 2b62a6327a Do explicit TLS where possible
Florent Daigniere c817eaf608 Add the SRV record for autodiscover
Florent Daigniere cdc92aa65b Mobileconfig apple style
Florent Daigniere ccd2cad4f1 Autodiscovery microsoft style
Florent Daigniere 523cee1680 Autoconfig mozilla-style
bors[bot] 0b25854de0
Merge
2210: Add input validation for domain creation r=mergify[bot] a=0pc0deFR

## What type of PR?

bug-fix

## What does this PR do?

This patch add the input validation for domain creation.

### Related issue(s)
- Mention an issue like: 
- Auto close an issue like: closes 


Co-authored-by: Kevin Falcoz <0pc0defr@gmail.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
İbrahim Akyel f65e2fc469 Feature: Marking "Read" spam mails
Florent Daigniere a7f9a35fa1
Merge branch 'master' into fix2274
Florent Daigniere a4ed464170 doh
Florent Daigniere 0bfbb3bcd4
doh
Florent Daigniere cd3eee4c51 ghostwheel42's suggestion
Florent Daigniere d723326b8e style
Florent Daigniere f01d8cd9b9 improve
Florent Daigniere 7b9c4e01f7 improve
Florent Daigniere 91de20c49c Fix exception in logs
This was occuring when you had square brackets in the domain part
Florent Daigniere 8cf76afbab Catch the ValueError instead
Florent Daigniere 08aa32a5df Revert "Don't bother running the query without an address"
This reverts commit dc81979550.
Florent Daigniere 7ce7f2096b belt, braces and suspenders
Florent Daigniere dc81979550 Don't bother running the query without an address
This should solve the following in admin logs:
"WARNING in nginx: Invalid user 'xxxx': (builtins.ValueError)
invalid email address (no "@")"
Pumba98 f1952d0e97
Update start.py
bors[bot] 2e9b14d536
Merge
2254: Send ISRG_X1 on port 25, make DANE pin that r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Ensure we send ISRG_X1 in the handshake on port 25 (non-interactive, size doesn't really matter).

Update the DANE pin to reflect the change.

I am not sure whether we will need to add --preferred-chain= in the future; This may be the case when letsencrypt decides to use X2/the ECDSA chain

This needs to be tested on a letsencrypt account that isn't mine (I'm opted in for the alternate cert chains)

### Related issue(s)
- closes 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

There's already a towncrier news for it

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere f9869b1d79 ghostwheel42's suggestions
Dimitri Huisman c40a0f4b80 Change link in warning to master. Master is always available. 1.9 will be unavaiable in the future.
Florent Daigniere ab35492589 the first time the loop runs we don't have the second cert
Florent Daigniere 0816cb9497 simplify as per ghostwheel42's suggestion
Florent Daigniere 7166e7d2b2 Implement : slow transports
Florent Daigniere e4a32b55f5 Send ISRG_X1 on port 25, make DANE pin that
Florent Daigniere d3e7ea5389 spell it out
Florent Daigniere a8dc20962a workaround a bug in coredns
Dimitri Huisman 55a601de5a Add missing import for validators, improve behaviour when an error occurs.
Dimitri Huisman 7d801c560c Improve if statement
Florent Daigniere 9466ad4131 fix
Ezra Buehler 5d6b295013 Add support for custom NGINX config
Including *.conf files in /etc/nginx/conf.d same as the default NGINX
configuration gives the user more flexibility.
bors[bot] 855f3b065b
Merge
2211: Ensure we use IMAP IDLE like it's supposed to work r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Increase IMAP IDLE time from 2min to 29mins: this should massively help reduce network traffic & increase battery life of clients

See https://peterkieser.com/2011/03/25/androids-k-9-mail-battery-life-and-dovecots-push-imap/

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
Florent Daigniere 224880822f
remove space
Florent Daigniere 3d7b9fe194 Ensure we use IMAP IDLE like it's supposed to work
imap_idle_notify_interval = 2 mins -> 29 mins

See https://peterkieser.com/2011/03/25/androids-k-9-mail-battery-life-and-dovecots-push-imap/
Kevin Falcoz 278d74ce6f
Add title attribute on user-panel div
Kevin Falcoz 3fe1dbe881
Add input validation for domain creation
Kevin Falcoz c69f886a73 Update code with ghostwheel42 comments
Kevin Falcoz 3e394faf92
Patch function "Display Name" into admin page
Florent Daigniere f6ebf9fda2
Update tls.conf
Florent Daigniere 68ff6c8337
Use ISRG_ROOT_X1 as DST_ROOT is not available
Sebastian Klemke a6b4b9ae52 Removed ssl_trusted_certificate configuration setting from nginx.
Resolves an nginx startup issue when letsencrypt or
mail-letsencrypt is enabled.

Fixes 
Sebastian Klemke 89a86e9dda disabled rsyslogd pidfile
Florent Daigniere b9e614145f there too
Florent Daigniere b7fb8c661a switch to new API
Billy Chan 90394d7d8c 🎨 use resolver.resolve
shing6326 32446f03e7
Update start.py
fix missing leading . for the resolver test
bors[bot] 1e53530164
Merge
2144: Enable unbound by default, warn if the DNS resolver doesn't work r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Enable unbound by default, warn if the DNS resolver doesn't work

### Related issue(s)
- close 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
Florent Daigniere a9da0c084a
syntax error
Florent Daigniere a2f6243382
remove the error variable
Florent Daigniere b12616b93f
Make the recommendation clearer
Alexander Graf f809be39bf
supply missing fields argument
bors[bot] e3e3700187
Merge
2150: fix 2145: exceptions may be thrown when login is invalid or rate-limits exceeded r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Exceptions may be thrown when login is invalid or rate-limits exceeded for those running very recent builds of 1.9

For some reason I haven't caught it while testing #2130... that's when it was introduced.

### Related issue(s)
- close 
- close 
- 



Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 7bd1fd3489 fix 2145
Florent Daigniere 6425f440d3 fix 2147
Florent Daigniere 379fe18f7a test dns resolvers at startup
Florent Daigniere 98973223fd
reduce TTL to 1d
Florent Daigniere 792893caae change TTL to 1y
Florent Daigniere 671f3e382a Fix 2138: Pin DANE with the full cert
Florent Daigniere 7f89a29790 Fix 2125
Make the caller responsible to know whether the rate-limit code should
be called or not
bors[bot] 65d905fe62
Merge
2099: update Dockerfile to alpine 3.14.3 r=mergify[bot] a=willofr

## What type of PR?
Security fix

## What does this PR do?
Updated the Dockerfile to use the latest alpine version 3.14.3 where several CVEs have been fixed: https://alpinelinux.org/posts/Alpine-3.14.3-released.html
New images successfully built on my test env.

### Related issue(s)
None

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Will <will@packer-output-c8fcfb40-3d93-4475-8f87-e14a9dd683b6>
Co-authored-by: willofr <willofr@users.noreply.github.com>
bors[bot] 3eca813182
Merge
2116: fix 2114: redirect old path r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Old paths may still be cached in browsers, it's easy enough to redirect them

### Related issue(s)
- close 


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere c4675e6e75 fix 2114: redirect old path
Dimitri Huisman b4d3d4b3c9 Preparations for 1.9 release.
Erriez 4b0694705c Fix build dependencies pycares
Dimitri Huisman 51d94b8d14 Fix issue 2102
Will b2abbc8856 update Dockerfile to alpine 3.14.3
Florent Daigniere bee6e980e3 doh
Florent Daigniere 58d0faff7f ensure we clear the token on delete()
Florent Daigniere 2b29cfb3f0 fix cleanup_sessions()
Florent Daigniere f0247a2faf Use self where appropriate
Florent Daigniere c161a2c987 syntax
bors[bot] 18865bf03b
Merge
2094: Sessions tweaks r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

- Make all sessions permanent, introduce SESSION_TIMEOUT and PERMANENT_SESSION_LIFETIME.
- Prevent the creation of a session before there is a login attempt
- Ensure that webmail tokens are in sync with sessions

### Related issue(s)
- close  

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Dimitri Huisman d40be05117 Fix missing edit buttons in alias, relay and fetchmail lists in admin.
Florent Daigniere a28c7f903e do it once
Dimitri Huisman f88daa1e77 Add missing cast to int
Florent Daigniere 5f313310d4 regenerate() shouldn't extend lifetime
Florent Daigniere fe18cf9743 Fix 2080
Ensure that webmail tokens are in sync with sessions
Florent Daigniere 02c93c44f2 Tweak sessions
simplify:
- make all sessions permanent by default
- update the TTL of sessions on access (save always)
- fix session-expiry, modulo 8byte precision
Florent Daigniere ea96a68eb4 don't create a session if we don't have to
bors[bot] 7c03878347
Merge
1441: Rsyslog logging for postfix r=mergify[bot] a=micw


## What type of PR?

enhancement

## What does this PR do?
Changes postfix logging from stdout to rsyslog:
* stdout logging still enabled
* internal test request log messages are filtered out by rsyslog
* optional logging to file via POSTFIX_LOG_FILE env variable

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


2090: fix 2086 r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Fix a bug I've introduced in ae8db08bd

### Related issue(s)
- close 

Co-authored-by: Michael Wyraz <michael@wyraz.de>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 346ace5fb3 Make webmail the default action
bors[bot] 634318adba
Merge
2072: use dovecot-fts-xapian from alpine package r=mergify[bot] a=willofr

## What type of PR?

enhancement

## What does this PR do?
use dovecot-fts-xapian from alpine packages repository (newer) instead of compiling an older version from source
see https://pkgs.alpinelinux.org/package/edge/community/x86/dovecot-fts-xapian

### Related issue(s)
No

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: willofr <willofr@users.noreply.github.com>
Florent Daigniere 09926702d6 fix 2086
bors[bot] e7f77875e2
Merge
2084: Fix  (login to webmail did not work when WEB_WEBMAIL=/ was set) r=mergify[bot] a=Diman0

## What type of PR?

bug-fix

## What does this PR do?
It fixes . Login from SSO page to webmail did not work if WEB_WEBMAIL=/ was set in mailu.env.

I tested that it works with
- WEB_WEBMAIL=/webmail
- WEB_WEBMAIL=/

### Related issue(s)
- closes  

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] n/a In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
Florent Daigniere d7a8235b89
Simplify
bors[bot] 08be233607
Merge
2058: Implement versioning for CI/CD workflow. r=mergify[bot] a=Diman0

## What type of PR?

Feature!

## What does this PR do?
This PR introduces 3 things
- Add versioning (tagging) for branch x.y (1.8). E.g. 1.8.0, 1.8.1 etc.
  - docker repo will contain x.y (latest) and x.y.z (pinned version) images.
  - The X.Y.Z tag is incremented automatically. E.g. if 1.8.0 already exists, then the next merge on 1.8 will result in the new tag 1.8.1 being used.
- Make the version available in the image.
  -  For X.Y and X.Y.Z write the version (X.Y.Z) into /version on the image and add a label with version=X.Y.Z
	  -  This means that the latest X.Y image shows the pinned version (X.Y.Z e.g. 1.8.1) it was based on. Via the tag X.Y.Z you can see the commit hash that triggered the built.
  -  For master write the commit hash into /version on the image and add a label with version={commit hash}
-  Automatic releases. For x.y triggered builts (e.g. merge on 1.9) do a new github release for the pinned x.y.z (e.g. 1.9.2). 
  -  Release shows a static message (see RELEASE_TEMPLATE.md) that explains how to reach the newsfragments folder and change the branch to the tag (x.y.z) mentioned in the release. Now you can get the changelog by reading all newsfragment files in this folder.

This PR does not change anything to our workflow (what we (human persons) do). Our processes are still exactly the same. The above introduced logic is automatic. When we backport to X.Y all the magic for creating the pinned version X.Y.Z is handled by the CI/CD workflow.

### Related issue(s)
- closes 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.

## Testing
Suggested testing steps. This should cover all situations including BORS. It does require that you use your own docker repo or temporarily create a new one.
Suggested testing steps.
1. Create new github repo.
2. Add the required docker secrets to the project (see beginning of CI.yml for the secret names), DOCKER_UN, DOCKER_PW, DOCKER_ORG, DOCKER_ORG_TESTS.
3. Clone the project.
4. Copy the contents of the PR to the cloned project.
5. Push to your new github repo.
6. Now master images are built. Check that images with tag master are pushed to your docker repo
7. Check with docker inspect nginx:master that it has the label version={commit hash}.
8. Run an image, run `docker-compose exec <name> cat /version`. Note that /version also contains the pinned version. For master the pinned version is the commit hash.
9. Create branch 1.8. 
10. Push branch 1.8 to repo.
11. Note that tags 1.8 and 1.8.0 are built and pushed to docker repo
12. Inspect label and /version. Note that 1.8 and 1.8.0 both show version 1.8.0.
13. Push another commit to branch 1.8.
14. Note that tags 1.8 and 1.8.1 are built and pushed to docker repo
15. Inspect label and /version. Note that 1.8 and 1.8.1 both show version 1.8.1.
16. Let's check BORS stuff.
17. Create branch testing.
18. Push the commit with the exact commit text (IMPORTANT!!): `Try #1234:`'.
19. Note that images are built and pushed for tag `pr-1234`.
20. Inspect label and /version. Note that the version is `pr-1234`.
20. Create branch staging.
21. Push the commit with commit text: `Merge #1234`.
22. Note that this image is not pushed to docker (as expected).

but you could also check the GH repo and docker repo I used:
https://github.com/Diman0/Mailu_Fork
https://hub.docker.com/r/diman/rainloop/tags

Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
bors[bot] d2a2a3a8bf
Merge
2076: fix the default for DEFER_ON_TLS_ERROR r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

The default wasn't set anywhere

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Dimitri Huisman fdb10cfb85 Start crond when POSTFIX_LOG_FILE is set
Dimitri Huisman 5bedcc1cb1 Fix
Dimitri Huisman d76773b1df Also check the SMTP port for webmail/token
Dimitri Huisman f26fa8da84 Fix Webmail token check. Fix Auth-Port for Webmail.
Florent Daigniere 593e3ac5a4 fix DEFER_ON_TLS_ERROR
willofr 841b29e794
revert back to alpine 3.14.2 as requested
willofr 73f5291cdb
Merge branch 'Mailu:master' into patch-1
Dimitri Huisman 53975684b8 Using Syslog is the new standard. It is not optional anymore.
willofr 84af3a3e50
use dovecot-fts-xapian from alpine package
I suggest using the dovecot-fts-xapian package from the alpine repository (newer) instead of compiling an older version from source:
see https://pkgs.alpinelinux.org/package/edge/community/x86/dovecot-fts-xapian
Florent Daigniere 4fffdd95e9 Reduce logging level
Dimitri Huisman d5896fb2c6 Add log rotation (if logging to file). Make rsyslog the default.
Florent Daigniere 89a7a8ac13 Fix score of RCVD_NO_TLS_LAST
Florent Daigniere 1925b2e0fb Upgrade rspamd
Dimitri Huisman 567b5ef172
Merge branch 'master' into postfix-logging
Dimitri Huisman 0de2ec77c6 Process code review remarks
Dimitri Huisman f7677543c6 Process code review remarks
- Moved run to bottom of Dockerfile to allow using unmodified / cached states.
- Simplified bash code in deploy.sh.
- Improved the large bash one-liner in CI.yml. It could not handle >9 for 1.x.
Dimitri Huisman 56dd70cf4a Implement versioning for CI/CD workflow (see ).
Alexander Graf aa1d605665
Merge remote-tracking branch 'upstream/master' into passlib
Alexander Graf 84a5514a97
fixed auto reply form
Alexander Graf cf7914d050
fixed field iteration
Alexander Graf fd5bdc8650
added localized date output
Alexander Graf 0315ed78d9
Merge remote-tracking branch 'upstream/master' into update_deps
Till Skrodzki c48e00ee26 Do not call .split() on RELAYNETS if not specified
bors[bot] 56cbc56df7
Merge
2044: Vault/rspamd: don't return any key for relayed domains r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR 

Don't return any key for relayed domains. We may want to revisit this (ARC signing)... but in the meantime it saves from a scary message in rspamd.
    
```signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...```


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
bors[bot] 78dd13a217
Merge
2042: Add MESSAGE_RATELIMIT_EXEMPTION r=mergify[bot] a=nextgens

## What type of PR?

Enhancement

## What does this PR do?

Add a new knob called ```MESSAGE_RATELIMIT_EXEMPTION```.

### Related issue(s)
- 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 6bf1a178b9 Go with ghostwheel42's suggestion
Florent Daigniere b68033eb43 only parse it once
Alexander Graf 82e14f1292
Merge branch 'master' into update_deps
bors[bot] f0188d9623
Merge
2034: Add timezone to containers r=mergify[bot] a=DjVinnii

## What type of PR?

Enhancement

## What does this PR do?
This PR adds the tzdata package so that the environment variable `TZ` can be used to set the timezone of containers.

### Related issue(s)
- closes  

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: DjVinnii <vincentkling@msn.com>
Florent Daigniere dc6e970a7f handle HTTP too
Florent Daigniere bbef4bee27 Don't return any key for relayed domains
We may want to revisit this (ARC signing)... but in the meantime
it saves from a scary message in rspamd

signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...
Florent Daigniere 6c6b0b161c Set the right flags on the rate_limit cookie
Florent Daigniere f9373eacab Merge remote-tracking branch 'upstream/master' into misc
Florent Daigniere 5714b4f4b0 introduce MESSAGE_RATELIMIT_EXEMPTION
DjVinnii 30d7e72765 Move TZ to Advanced settings
DjVinnii 225160610b Set default TZ in Dockerfiles
DjVinnii 81e33d3679 Add default TZ to config manager
Alexander Graf 97e79a973f fix sso login button spacing again
Alexander Graf 73ab4327c2 updated database libraries (sqlalchemy etc.)
this is working fine, but introduces a sqlalchemy warning
when using config-import:

  /app/mailu/schemas.py:822:
    SAWarning: Identity map already had an identity for (...),
    replacing it with newly flushed object.
    Are there load operations occurring inside of an event handler
    within the flush?
Alexander Graf 4669374b9e use python wheels
Alexander Graf 85d86d4156 some more libs updated
Alexander Graf ffd99c3fa8 updated flask
ConfigManager should not replace app.config - this is causing trouble
with some other flask modules (swagger).
Updated ConfigManager to only modify app.config and not replace it.
Alexander Graf 87884213c4 update misc helper libs
Alexander Graf 56f65d724d update babel
Alexander Graf 5238b00f0b update alembic
Alexander Graf f613205fe1 update tenacity
Alexander Graf 833ccb5544 reload page using GET when selecting language
Alexander Graf 8b15820b01 fix sso login button spacing
Alexander Graf 26fb108a3f updated Flask-Login
Alexander Graf abc4112242 updated Werkzeug, Click and Flask-Migrate
Alexander Graf f1d7bedd1b fix display of range inputs (again)
Alexander Graf 13e6793c9f Merge remote-tracking branch 'upstream/master' into update_deps
Alexander Graf aca1e13648 update socrate - will be removed later
Alexander Graf 866741bcbe updated WTForms-Components deps
Alexander Graf ef19869cde updated redis
Alexander Graf d8efd3057c updated idna
Alexander Graf 8ad8cde0e2 removed some obsolete requirements
Alexander Graf 3ac1b3d86c update pyyaml and pygments
Alexander Graf 40cdff4911 updated dnspython
Alexander Graf dcbe55f062 updated crypto
Alexander Graf 771b2d1112 duh
Alexander Graf 23d0cd0466 update tabluate. fix audit.py and include in container
Alexander Graf 8d90a74624 update werkzeug to 1.x
bors[bot] 5e212ea46d
Merge
2036: round display of range inputs to 2 decimals r=mergify[bot] a=ghostwheel42

## What type of PR?

small fix

## What does this PR do?

rounds display of range inputs to 2 decimals 

### Related issue(s)

- small fix to 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Alexander Graf 80be3506da upgrade pip. completed reqs via pip freeze
Alexander Graf 598b2df5a0 update wtforms
Alexander Graf e8b5f1a185 round display of range inputs to 2 decimals
DjVinnii 1d6809193b Add tzdata to core
Florent Daigniere 74b31dc407 Ensure that RCVD_NO_TLS_LAST doesn't add spam points
bors[bot] 11bbceb9cc
Merge
2032: doh r=mergify[bot] a=nextgens

This should have been part of 

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 8dad40f67c doh
bors[bot] e52a3de1b0
Merge
2027: Make logs more quiet r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

It silences various useless log messages in front, specifically:
```
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/1.1" 301 162 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/2.0" 204 0 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 2021/10/30 03:11:04 [info] 476302#476302: *2622679 client 127.0.0.1 closed keepalive connection
Oct 30 03:13:02 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:13:02 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
```

`@micw` has requested it for k8s

2030: Fix RELAYNETS r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

RELAYNETS should be comma separated like everything else; rspamd should also be aware of what is considered "trusted".

I am not sure whether ```local_networks``` is the right configuration option for it though

- close 

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 2170e07731 Tell rspamd about RELAYNETS
Florent Daigniere 9d474f32a6 RELAYNETS is comma separated!
Florent Daigniere f3c93212c6 The Rate-limiter should run after the deny
Florent Daigniere 53a0363b9e Deal with the noisy keepalive messages
We don't particularly care about HTTP... and that's what's noisy.
Florent Daigniere 80a85c27a9 Silent healthchecks in logs
Alexander Graf 9bc685c30b removed some more whitespace
Alexander Graf 8c31699baf fixed locale selector for no_NB
Alexander Graf 882a27f87c simplified if's and added external link icon
Alexander Graf 3141ffe791 removed some whitespace
Dimitri Huisman 6b16756d92 Fix acessing antispam via sidebar.
Dimitri Huisman 3449b67c86 Process code review remarks PR2023
Dimitri Huisman 8784971b7f Merge rate limiting and failed login logging
Dimitri Huisman 503044ef6e Reintroduce ProxyFix. Use two buttons for logging in.
Dimitri Huisman c42ad8e71e Forgot to include changes for url_for of base.html
Dimitri Huisman fb0f005343 Get rid of complicated prefix logic. Further simplify /static handling and nginx config.
Dimitri Huisman da788ddee3 Merge branch 'fix-sso-1929' of github.com:Diman0/Mailu into fix-sso-1929
Dimitri Huisman bdcc183165 Redirect to configured ENV VAR for Admin/Webmail, further simplify nginx config.
Dimitri Huisman f1a60aa6ea Remove unneeded auth_request_set
Florent Daigniere fee13e6c4b Save a redirect
Florent Daigniere d3f07a0882 Simplify the handling of /static
Florent Daigniere aee089f3b1 Ensure that static assets are readable
Dimitri Huisman a47afec4ee Make logic more readable.
Dimitri Huisman 48764f0400 Ensure all requests from the page sso go through the page sso.
Dimitri Huisman 5232bd38fd Simplify webmail logout.
Dimitri Huisman aab258d284 Move handling of logging out in admin, to sso logout page.
Dimitri Huisman 615743b331 Improve indendation of conditions.
Dimitri Huisman 5d81846c5d Introduce the shared stub /static for providing all static files
Dimitri Huisman eb74a72a52 Moved locations to correct area in nginx.conf.
Dimitri Huisman aa7380ffba Doh!
Dimitri Huisman 44d2448412 Updated SSO logic for webmails. Fixed small bug rate limiting.
Dimitri Huisman f9eee0cbaf Adapt HEALTHCHECK to new URL
Dimitri Huisman ed7adf52a6 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929
Dimitri Huisman 913a6304a7 Finishing touches. Introduce /static stub for handling all static files.
bors[bot] a1192d8039
Merge
1987: Enhancement to the rate limits r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Turn the rate-limiters into something useful (that won't fire for no reason).

- fix rate-limiting on /webdav/
- it changes the rate-limiting behaviour from limiting a single IP address to a subnet of a reasonable size (/24 on v4 and /56 on v6 both are now configurable) : AUTH_RATELIMIT_IP / AUTH_RATELIMIT_IP_V4_MASK / AUTH_RATELIMIT_IP_V6_MASK
- It ensures we only use IP-based rate-limits for attempts on accounts that do not exist
- it creates a new rate limit preventing attackers from targetting a specific user account (separate from what's above) : AUTH_RATELIMIT_USER
- it introduces a rate limiting exemption mechanism whereby, upon authentication, users will see their source-ip address being exempt for a specific amount of time AUTH_RATELIMIT_EXEMPTION_LENGTH. A similar mechanism is available for web-based sessions (see below)
- It introduces in AUTH_RATELIMIT_EXEMPTION a comma separated list of network CIDRs that will be exempt from both types of rate limiting
- it implements device-tokens, as described on https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies to ensure that genuine users aren't locked-out by a malicious attacker abusing the rate-limit feature.

Things that could be improved include:
- the IP-based rate limiter flags attempts against "non-existing" accounts: it could go further and flag the number of unique non-existing accounts attempted (to prevent the case of a user making a typo in his MUA configuration)
- the IP address exemption mechanism doesn't pin the exemption to a specific username: any real user can trivially bypass the rate limits (and attempt to brute-force someone else's account)

### Related issue(s)
- close 
- close  
- close 


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
Florent Daigniere 693b578bbb The second strip isn't necessary
Florent Daigniere 1c6165213c better that way
Florent Daigniere 34497cff20 doh
Florent Daigniere e8871dd77f doh