1887: Docs: Limit fail2ban matches to front container r=mergify[bot] a=networkException
## What type of PR?
documentation
## What does this PR do?
Previously fail2ban matched against all journal entries. This pull request adds a tag to the logdriver and fail2ban filter documentation that limits the matches to entries from the front container
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: networkException <git@nwex.de>
1886: Fix 1294: ensure podop's socket is owned by postfix r=mergify[bot] a=nextgens
## What type of PR?
bugfix
## What does this PR do?
Ensure that the podop socket is always owned by the postfix user (wasn't the case when build using non-standard base images... typically for arm64)
### Related issue(s)
- closes#1294
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Previously fail2ban matched against all journal entries. This patch
adds a tag to the logdriver and fail2ban filter documentation that
limits the matches to entries from the front container
1880: Update jquery dependency of setup and set pinned versions r=mergify[bot] a=Diman0
## What type of PR?
enhancement
## What does this PR do?
Update used jquery javascript files.
Also sets pinned (fixed) versions in requirements.txt. I set the same versions as used in requirements-prod.txt for the admin image.
### Related issue(s)
- Update dependencies as discussed in #1829
- closes#1868
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
1871: Replace PUBLIC_HOSTNAME/IP with real data in Received headers r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
This will ensure that we don't get spam points for not respecting the RFC (gmail is notorious for not liking it)
### Related issue(s)
- close#1448
- #466
- #191
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1874: Remove dot in blueprint name to prevent critical flask error r=mergify[bot] a=Diman0
## What type of PR?
Bug-fix
## What does this PR do?
Currently setup uses the version (1.7, 1.8, master) as the blueprint name for the setup flask instance. Flask introduced a breaking change that does not allow a dot in the blueprint name anymore. As a result the setup container does not start. This PR contains the bug fix for this issue.
```
stable_1 | File "/app/server.py", line 58, in build_app
stable_1 | prefix_bp = flask.Blueprint(version, __name__)
stable_1 | File "/usr/local/lib/python3.9/site-packages/flask/blueprints.py", line 195, in __init__
stable_1 | raise ValueError("'name' may not contain a dot '.' character.")
stable_1 | ValueError: 'name' may not contain a dot '.' character.
stable_1 | Traceback (most recent call last):
```
See https://flask.palletsprojects.com/en/2.0.x/changes/
```
Show an error when a blueprint name contains a dot. The . has special meaning, it is used to separate (nested) blueprint names and the endpoint name. #4041
```
### Related issue(s)
- #1814
- Closes#1818
- Closes#1869
I will close the linked issues personally once I have made the necessary changes on the infra machine after the backported PR has been merged.
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
1857: disable startdate when autoreply is disabled r=mergify[bot] a=ghostwheel42
## What type of PR?
bug-fix
## What does this PR do?
disable the reply startdate field when autoreply is disabled
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1858: Docs: Replace hardcoded journald logpath with systemd backend r=mergify[bot] a=networkException
The file at /var/log/messages is not universal for every
distribution. Fail2ban can access journald logs directly
by using the systemd backend.
## What type of PR?
documentation
## What does this PR do?
The path /var/log/messages does not apply for Ubuntu 20.04 for example, because of that I have looked
at alternative ways to access journald in fail2ban. The proper way seems to be to use the systemd
backend, this patch updates the documentation accordingly.
### Related issue(s)
*none*
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: networkException <git@nwex.de>
1862: fix#1861: allow colons in passwords: fix the parsing of http-basic auth headers r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Fix a bug preventing colons from being used in passwords when using radicale/webdav.
Thank you to @parisni for reporting it and @ghostwheel42 for spotting it.
### Related issue(s)
- close#1861
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1845: Update rainloop to 1.16.0 r=mergify[bot] a=nextgens
## What type of PR?
Security-update for rainloop.
## What does this PR do?
Upgrade to rainloop v1.16
### Related issue(s)
- #1829
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1852: Improve ci r=mergify[bot] a=Diman0
## What type of PR?
Enhancement for CI.
## What does this PR do?
Moved logic for configuring the tag for images for testing branch (bors try) and building the images, from deploy.sh (deploy job) to the Build job. Now the images are only built once during the build job. This saves about ~10 minutes for the CI workflow for bors try. Now for all situations (bors try, bors r+ and merge with master) should take around 20 minutes.
I did not create yet another newsfragment since it is an internal enhancement.
### Related issue(s)
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
1853: Update dependencies r=mergify[bot] a=ghostwheel42
## What type of PR?
security update python dependencies
## What does this PR do?
updates cryptography, Jinja2, pyOpenSSL and PyYAML to current versions
### Related issue(s)
security updates as discussed in #1829
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1791: Enhanced session handling r=mergify[bot] a=ghostwheel42
## What type of PR?
bug-fix
## What does this PR do?
- replaces flask_kvsession and simplekv with a mailu-specific session store
- call cleanup_sessions before first request and not on startup.
this allows to run cmdline actions without redis (and makes it faster)
- allow running without redis for debugging purposes by setting MEMORY_SESSIONS to True
- don't sign session id, as it has plenty of entropy (as suggested by nextgens)
- adds method to prune a user's sessions
### Related issue(s)
- enhances and close#1787
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1846: fix newsfragment of #1841 r=mergify[bot] a=ghostwheel42
## What type of PR?
bug-fix
## What does this PR do?
moves newsfragment to correct location.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1841: Update version of roundcube webmail and carddav plugin. r=mergify[bot] a=ghostwheel42
## What type of PR?
Security-update for roundcube-webmailer.
## What does this PR do?
This PR updates the Roundcube webmail to the latest version, also updates the roundcube carddav-plugin to a new version.
- roundcube 1.4.11
- carddav 4.1.2
### Related issue(s)
This PR superseeds PR #1739
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1843: fix bugs in model and schema introduced by #1604 r=mergify[bot] a=ghostwheel42
## What type of PR?
bug fix. linter complained about "== True" but with sqlalchemy this is correct
## What does this PR do?
### Related issue(s)
closes#1842
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1604: Added CLI command to export and import the configuration r=mergify[bot] a=ghostwheel42
## What type of PR?
enhancement
## What does this PR do?
This PR adds a `config-dump` cli command and updates the `config-update` cli command to
handle all possible items and parameters.
This was done by adding generic **to_dict** and **from_dict** methods to the Base model, so it should be quite future-proof.
The changes to `config-update` are backwards-compatible to the old command.
I've only removed the undocumented yaml-section _managers_ - managers can now be defined in the _users_ section.
The YAML now looks like this:
```
aliases:
- email: email@example.com
destination:
- address@example.com
domains:
- name: example.com
alternatives:
- alternative.tld
relays:
- name: relay.example.com
smtp: mx.example.com
users:
- email: postmaster@example.com
displayed_name: 'Postmaster'
enable_imap: true
enable_pop: false
enabled: true
forward_destination:
- address@remote.example.com
forward_enabled: true
forward_keep: true
global_admin: true
manager_of:
- example.com
password: '{BLF-CRYPT}$2b$12$...'
spam_enabled: true
spam_threshold: 80
```
### Related issue(s)
- Closes issue #1377
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1754: centralize Webmail authentication behind the admin panel (SSO) r=mergify[bot] a=nextgens
## What type of PR?
Enhancement: it centralizes the authentication of webmails to the admin interface.
## What does this PR do?
It implements the glue required for webmails to do SSO using the admin interface.
One of the main advantages of centralizing things this way is that it reduces significantly the attack surface available to an unauthenticated attacker (no webmail access until there is a valid Flask session).
Others include the ability to implement 2FA down the line and rate-limit things as required.
### Related issue(s)
- #783
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1758: Implement a simpler credential cache (alternative to #1755) r=mergify[bot] a=nextgens
## What type of PR?
Feature: it implements a credential cache to speedup authentication requests.
## What does this PR do?
Credentials are stored in cold-storage using a slow, salted/iterated hash function to prevent offline bruteforce attacks. This creates a performance bottleneck for no valid reason (see the
rationale/long version on https://github.com/Mailu/Mailu/issues/1194#issuecomment-762115549).
The new credential cache makes things fast again.
This is the simpler version of #1755 (with no new dependencies)
### Related issue(s)
- close#1411
- close#1194
- close#1755
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
1776: optimize generation of transport nexthop r=mergify[bot] a=ghostwheel42
## What type of PR?
bug-fix and enhancement.
## What does this PR do?
Possibly there should be more input validation when editing a relay, but for now this tries to make the best out of the existing "smtp" attribute while maintaining backwards compatibility. When relay is empty, the transport's nexthop is the MX of the relayed domain to fix#1588
```
RELAY NEXTHOP TRANSPORT
empty use MX of relay domain smtp:domain
:port use MX of relay domain and use port smtp:domain:port
target resolve A/AAAA of target smtp:[target]
target:port resolve A/AAAA of target and use port smtp:[target]:port
mx:target resolve MX of target smtp:target
mx:target:port resolve MX of target and use port smtp:target:port
lmtp:target resolve A/AAAA of target lmtp:target
lmtp:target:port resolve A/AAAA of target and use port lmtp:target:port
target can also be an IPv4 or IPv6 address (an IPv6 address must be enclosed in []: [2001:DB8::]).
```
When there is proper input validation and existing database entries are migrated this function can be made much shorter again.
### Related issue(s)
- closes#1588
- closes#1815
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1831: Fix roundcube database env configuration r=mergify[bot] a=parisni
## What type of PR?
bug-fix
## What does this PR do?
Both roundcube and mailu admin website can be backed by postgres/mysql. Before this PR, the `DB_FLAVOR` is shared by both services. However, the other roundcube dedicated DB params are prefixed with `ROUNDCUBE_`. (eg: `ROUNDCUBE_DB_NAME`)
There is no reason to share the DB_FLAVOR for both: This PR makes them be considered independently to make things clear and avoid bugs.
Also, the roundcube_db_flavor and db_flavor are made separated in this PR. However for simplicity, the template generator bind them : roundcube_db_flavor = db_flavor. This makes the template generator UI more simple. I considered most of the time people want to have both roundcube and mailu share the same RDBMS.
Also, AFAIK the internal postgresql service is deprecated and will be removed in 1.9. This is why this PR does not integrate roundcube in postgres when the internal DB is choosen: in case of internal postgres, the roundcube is backed with sqlite.
Both documentation and setup website have been updated accordingly.
### Related issue(s)
- Auto close an issue like: closes#1648#1471
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: parisni <nicolas.paris@riseup.net>
Co-authored-by: Nicolas Paris <nicolas.paris@riseup.net>