246 Commits (5b4f2fb0753709c94563c01e4870c6059b4c7231)

Author SHA1 Message Date
Florent Daigniere 1edef755f1 Fix bug #2466 2 years ago
Florent Daigniere dc9e2a3e70 Upgrade Snappymail to 2.21 and merge the webmail containers 2 years ago
Dimitri Huisman 0e5443a867
Update php8 to php81. Update snappymail to 2.19.4 2 years ago
Dimitri Huisman 59c5b152b2
Switch to using set -euxo pipefail for better error handling
-e immediately exit when a command fails. No further commands are processed.
-o pipefail, if a series of piped commands fail, do NOt return the last commands returncode, but DO return the return code of the failing command in the pipeline series
-u, raise an error when an unset variable is used. Not using this results in an empty value being used and the script being executed differently without you knowing why.
-x, print each command before executing it. Actual arguments are expanded. So you see the command with the actual parameter values. This is printed in red in the buildx log output.
2 years ago
Dimitri Huisman f6cdfb3392
Allow Healthcheck requests over IPv6 2 years ago
Dimitri Huisman 2a894cb15d
Process nextgens review remarks 2 years ago
Dimitri Huisman 92f270c94e
Update the webmail images:
Roundcube
  - Switch to base image (alpine)
  - Switch to php-fpm
SnappyMail
  - Switch to base image
  - Upgrade php7 to php8.
2 years ago
Vincent Kling 23d06a5761 Fix a bunch of typos 2 years ago
bors[bot] 04a932bf66
Merge #2423
2423: Correct the extension of files used for Roundcube overrides r=mergify[bot] a=DannyDaemonic

This adds ".inc.php" files to the included overrides while maintaining support for existing ".inc" files previously included via overrides. It also updates the corresponding documentation.

Roundcube itself uses "inc.php" files and these overrides are expected to match that format. Switching to "inc.php" both tells the user that these need to be proper php files and conveys they are used for changing the same settings that Roundcube's inc.php files modify.

## What type of PR?

bug-fix, documentation

## What does this PR do?

- Adds ".inc.php" to the list of include files being built in roundcube's start.py
- Updates override information in the faq section: [How can I override settings?](https://github.com/Mailu/Mailu/blob/master/docs/faq.rst#how-can-i-override-settings)
- Includes changelog recommends using .inc.php moving forward

## Related issue(s)
- This addresses confusion seen in issues like: #2388

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Danny Daemonic <DannyDaemonic@gmail.com>
2 years ago
Dimitri Huisman dd3f1a3376 Switch to mode=min for GHA cache for docker buildx to prevent ratelimiting in GHA workflow 2 years ago
Danny Daemonic 3eeb7962c2 Correct the extension used for Roundcube overrides
This adds ".inc.php" files to the included overrides while maintaining
support for existing ".inc" files previously included via overrides.

Roundcube itself uses "inc.php" files and these overrides are expected
to match that format. Switching to "inc.php" both tells the user that
these need to be proper php files and conveys they are used for changing
the same settings that Roundcube's inc.php files modify.
2 years ago
bors[bot] 53de7b7d60
Merge #2403
2403: Feature: switch CI/CD from build to buildx r=mergify[bot] a=Diman0

## What type of PR?

Feature and enhancement

## What does this PR do?

Switch from docker build to buildx for CI/CD.
    - The main workflow file has been optimised and simplified.
    - Images are built in parallel when building locally resulting in much faster build times.
    - The github action workflow is about 50% faster.
    - Arm images are built as well. These images are not tested due to restrictions of github actions (no arm runners). The tags of the images have -arm appended to it. The arm images are built on merge on master and release branch (x.y). They do not influence the normal CI/CD workflow used for bors (for PR) and real releases (merge on master and branch x.y for x86_64). 
    - Arm images (and normal x86_64 images) can also be built locally.
    - Reusable workflow is introduced for building, testing and deploying the images. This allows the workflow to be reused for other purposes in the future.
    - Workflow can be manually triggered. This allows forked Mailu projects to also use the workflow for building images.

The main workflow makes use of github actions cache to store the cache layer. This layer is used to quickly rebuilt the images in the testing step and deploy step.

Unfortunately the building the arm images fails sometimes due to timeouts. Sometimes the connection to github actions cache is very slow. Restarting the workflow from the last failed step resolves this. I have not observed this with the normal build.

Just as previous time, you can use a forked project for testing the changes (https://github.com/Diman0/Mailu_Fork). You should still have owner access. I have created branch 1.11 for testing. You can see I already push 4 times to branch 1.11 (current version is 1.11.3).

### Related issue(s)
- Mention an issue like: #001
- closes #2383 
- closes #1830
- closes #1200

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2 years ago
Will 72a5bbf53d Update roundcube to 1.5.3 and rcmcarddav plugin 2 years ago
Dimitri Huisman 3aafecafe7 Merge branch 'master' into feat-switch-buildx 2 years ago
Dimitri Huisman f6de2b2938 Switch from docker build to buildx for CI/CD.
- The main workflow file has been optimised and simplified.
- Images are built in parallel when building locally resulting in faster build times.
- The github action workflow is about 50% faster.
- Arm images are built as well. These images are not tested due to restrictions of github actions (no arm runners). The tags of the images have -arm appended to it.
- Arm images can also be built locally.
- Reusable workflow is introduced for building, testing and deploying the images.
  This allows the workflow to be reused for other purposes in the future.
- Workflow can be manually triggered. This allows forked Mailu projects to also use the workflow for building images.
2 years ago
bors[bot] 238daef6d8
Merge #2295
2295: Switch from Rainloop to SnappyMail r=mergify[bot] a=Diman0

## What type of PR?

Feature

## What does this PR do?
As discussed in the project meeting (#1582), we decided we want to switch from Rainloop to an alternative. Rainloop has multiple open security issues which were not patched for a long time. 

We decided to switch to SnappyMail because it is more secure and based on RainLoop. This means that users using RainLoop will still have a webmail that looks familiar for them.

This PR replaces RainLoop with SnappyMail.

### Related issue(s)
- #2215 
- #1582

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
2 years ago
Dimitri Huisman 2a527a38cf Deny access to hidden files for snappymail 2 years ago
bors[bot] e50f6c58c0
Merge #2360
2360: roundcube: disable apache2 access log r=mergify[bot] a=pommi

## What type of PR?

bug-fix

## What does this PR do?

It disables the access log of apache2 in the roundcube webmail container. Requests are already logged by the front container. The requests logged in the roundcube container contained contained the wrong client IP: the IP address of the front container.

----

Original PR:

~~Roundcube webmail is accessed through the nginx reverse proxy in the front container. Each access logline logged by apache2 in the roundcube container did not contain the actual client IP address, but the IP address of the front container, for example:~~

```
192.168.203.3 - - [28/May/2022:12:33:52 +0000] "POST /?_task=mail&_action=refresh HTTP/1.1" 200 677 "https://[REDACTED]/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
^
IP address of the front container
```

~~By enabling the apache2 remoteip module and configuring it to get the actual client IP address from the X-Forwarded-For header, it logs the correct client IP address to the access log.~~

### Related issue(s)
- None

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

**No changelog or documentation necessary for this minor change.**


Co-authored-by: Pim van den Berg <pim@nethuis.nl>
2 years ago
Dimitri Huisman ee78a34da4 Process code review feedback
Remove unneeded IF statement in /admin block in nginx.conf of front.
Fix contributions made to Dockerfile, add missing trailing \ and add back curl
Change healthcheck to monitoring page of fpm. Now we check nginx and fpm.
2 years ago
Pim van den Berg 6f884c6c93 roundcube: disable access log
As per discussion in #2360: The front container (nginx reverse proxy) is
already logging all requests, disable the access logs for apache2 in the
roundcube container completely.
2 years ago
Eddy Vervest baea3d4086
Update Dockerfile
missed this one
3 years ago
Eddy Vervest c4c442d000
Update Dockerfile
apt is intended for interactive usage, for scripts use apt-get (https://manpages.debian.org/bullseye/apt/apt.8.en.html) to avoid warnings.
3 years ago
Pim van den Berg e8b7d6afed roundcube: log actual client ip by using apache2 remoteip
Roundcube webmail is accessed through the nginx reverse proxy in the
front container. Each access logline logged by apache2 in the roundcube
container did not contain the actual client IP address, but the IP
address of the front container, for example:

> 192.168.203.3 - - [28/May/2022:12:33:52 +0000] "POST /?_task=mail&_action=refresh HTTP/1.1" 200 677 "https://[REDACTED]/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
  ^
  IP address of the front container

By enabling the apache2 remoteip module and configuring it to get the
actual client IP address from the X-Forwarded-For header, it logs the
correct client IP address to the access log.
3 years ago
Florent Daigniere c5c2ee9f1c
simplify 3 years ago
Dimitri Huisman dc7613b34a Fix healthcheck 3 years ago
Dimitri Huisman 22010ddb4f fix applications.ini 3 years ago
Dimitri Huisman f2f859280c Merge remote-tracking branch 'origin/master' into feature-switch-snappymail 3 years ago
Dimitri Huisman 9519d07ba2 Switch from RainLoop to SnappyMail 3 years ago
the-djmaze a3c01a2bbf
Update application.ini
`contacts_autosave` is part of `[defaults]`, not `[plugins]`
3 years ago
bors[bot] bcecbda9de
Merge #2195
2195: roundcube: Add /overrides directory in include r=mergify[bot] a=mnival

Added the /overrides directory in the roundcube config.inc.php file

## What type of PR?

bug-fix

## What does this PR do?

### Related issue(s)
none

Co-authored-by: mnival <1595998+mnival@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
bors[bot] b73963aae5
Merge #2207
2207: Update webmail container configuration to support MESSAGE_SIZE_LIMIT r=mergify[bot] a=marioja

## What type of PR?

bug-fix

## What does this PR do?

### Related issue(s)
- Auto close an issue like: closes #2186 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Mario Jauvin <marioja@users.noreply.github.com>
3 years ago
Mario Jauvin 490e27e229 Start fastcgi process manager after config files updated 3 years ago
bors[bot] 6d348b1650
Merge #2196
2196: roundcube-carddav : Use des_key for pwstore_scheme  r=nextgens a=mnival

roundcube-carddav: Configuring pwstore_scheme in carddav plugin with des_key because Mailu is incompatible with encrypted

https://github.com/mstilkerich/rcmcarddav/blob/master/doc/ADMIN-SETTINGS.md#password-storing-scheme

## What type of PR?

bug-fix

## What does this PR do?

### Related issue(s)
- closes #2230

Co-authored-by: mnival <1595998+mnival@users.noreply.github.com>
3 years ago
Mario Jauvin e47d9bf9be Revert "Set client_max_body_size in default nginx config file"
This reverts commit db39d6b1e2.
3 years ago
Mario Jauvin db39d6b1e2 Set client_max_body_size in default nginx config file 3 years ago
Mario Jauvin 53a8543772 update permission 3 years ago
Mario Jauvin 5a909bd45d Add config.py and set permissions 3 years ago
Mario Jauvin 7dc9802447 Added subprocess import 3 years ago
Mario Jauvin a9f4fc1b3c Use MESSAGE_SIZE_LIMIT in webmail container also
The webmail container should use the same value as the front container.
3 years ago
mnival 5695bbb0f6 Configuring pwstore_scheme in carddav plugin with des_key because Mailu is incompatible with encrypted 3 years ago
Eric d9ea9f7009
Update php.ini
matching rainloop php to roundcube's: timezone is a parameter in mailu.env
3 years ago
mnival 4b9781210f Add /overrides directory in include 3 years ago
Alexander Graf 37855153b8
fixed plugin path 3 years ago
willofr 93a94d33ce
update roundcube to 1.5.2 (security fix)
New roundcube release (1.5.2) where a XSS is addressed: https://roundcube.net/news/2021/12/30/update-1.5.2-released
3 years ago
bkraul d494dd7d2a Fixes #2131 3 years ago
Dimitri Huisman b248026933 Fix #2117. Gpg-agent package was missing for roundcube image. 3 years ago
Florent Daigniere 6d5926ef29 prettify 3 years ago
Dimitri Huisman 385cb28bf2 Correctly calculate and set SESSION_TIMEOUT in roundcube 3 years ago
Dimitri Huisman ab80316df6 Fix error in roundcube config 3 years ago
Florent Daigniere 3a46ee073c Make roundcube use SESSION_TIMEOUT 3 years ago
Alexander Graf 1a41657f90
add documentation, allow overrides, clean plugins 3 years ago
Alexander Graf b3d48cc20f
fixed health check 3 years ago
Alexander Graf e7e283663d
Merge remote-tracking branch 'upstream/master' into update_roundcube 3 years ago
Alexander Graf 64acfacc73
duh. typo 3 years ago
Alexander Graf 547ad253e1
added plugin selection, derive key, clean env 3 years ago
Alexander Graf 7c2c2dc65a
updated to carddav 4.3.0 3 years ago
Alexander Graf 1ebdb26979
updated to rc 1.5.1 3 years ago
Dimitri Huisman f7677543c6 Process code review remarks
- Moved run to bottom of Dockerfile to allow using unmodified / cached states.
- Simplified bash code in deploy.sh.
- Improved the large bash one-liner in CI.yml. It could not handle >9 for 1.x.
3 years ago
Dimitri Huisman 56dd70cf4a Implement versioning for CI/CD workflow (see #1182). 3 years ago
Alexander Graf 423b8a6b9b
Merge branch 'master' into update_roundcube 3 years ago
DjVinnii a6beb234ff Set timezone in roundcube.ini 3 years ago
DjVinnii 225160610b Set default TZ in Dockerfiles 3 years ago
Alexander Graf 6003e11533 duh. add timezone (again) 3 years ago
Alexander Graf 949efcf537 prevent endless redirect loop on nginx failure 3 years ago
Alexander Graf c89045ed03 duh 3 years ago
Alexander Graf 920ac4cd21 updated to php8. fixed login. fixed max_filesize. 3 years ago
Alexander Graf 46d27e48ff Merge remote-tracking branch 'upstream/master' into update_roundcube 3 years ago
DjVinnii a1f0c20583 Add tzdata to webmails 3 years ago
Alexander Graf ee45475567 updated roundcube. added cleanup run at startup 3 years ago
Dimitri Huisman 5232bd38fd Simplify webmail logout. 3 years ago
Dimitri Huisman 44d2448412 Updated SSO logic for webmails. Fixed small bug rate limiting. 3 years ago
Alexander Graf ef9e1ac279 remove health check from log 3 years ago
Alexander Graf 7380b248cf direct logging of php errors to stderr 3 years ago
Alexander Graf cd17aa0c43 repair failing health-check 3 years ago
Alexander Graf 16691e83ad re-enable mod_rewrite in roundcube
moved chown/mkdir/symlink from start.py to Dockerfile
3 years ago
Diman0 7083b3f7c6 Fix roundcube sso header issue
Removed apache rewrite module.
3 years ago
Alexander Graf 6c510e2e86 enabled caching via .htaccess 3 years ago
Erriez 6cecacb6da Add catch_workers_output to php-rainloop.conf 3 years ago
Erriez 6437540704 Change error_log to warn 3 years ago
Erriez 5adc4f08f6 Restore curl 3 years ago
Erriez 10f2c17979 Restore Roundcube PHP files 3 years ago
Erriez 5a1d89aaac Restore Rainloop Dockerfile HEALTHCHECK 3 years ago
Erriez 556a5897d1 Install php7-pdo and php7-pdo_sqlite for contacts 3 years ago
Erriez d0a0ba6727 Optimize PHP pm setting to ondemand
The ondemand setting results in lower memory consumption in idle.
3 years ago
Erriez 0fd97124f7 Process review feedback 3 years ago
Erriez d472900efa Optimize Rainloop to NGINX
- Reduce build time.
- Reduce image size.
- Faster user response using CGI.
3 years ago
Florent Daigniere defea3258d update arm builds too 3 years ago
bors[bot] 66ea28b50a
Merge #1845
1845: Update rainloop to 1.16.0 r=mergify[bot] a=nextgens

## What type of PR?

Security-update for rainloop.

## What does this PR do?

Upgrade to rainloop v1.16

### Related issue(s)
- #1829

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere d75c8469d3 Update rainloop to 1.16.0 3 years ago
Alexander Graf 14bdeb5e1e Update version of roundcube webmail and carddav plugin.
This is a security update.

- roundcube 1.4.11
- carddav 4.1.2
3 years ago
bors[bot] fc1a663da2
Merge #1754
1754: centralize Webmail authentication behind the admin panel (SSO) r=mergify[bot] a=nextgens

## What type of PR?

Enhancement: it centralizes the authentication of webmails to the admin interface.

## What does this PR do?

It implements the glue required for webmails to do SSO using the admin interface.
One of the main advantages of centralizing things this way is that it reduces significantly the attack surface available to an unauthenticated attacker (no webmail access until there is a valid Flask session).

Others include the ability to implement 2FA down the line and rate-limit things as required.

### Related issue(s)
- #783

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
parisni a9548e4cbd Remove mailu/roundcube shared host 3 years ago
parisni 5386e33af3 Reformat python 3 years ago
parisni 49c5c0eba6 Split mailu / roundcube db config
There is no reason to share the flavor since at least the dbname shall be different.
3 years ago
Florent Daigniere dd3d03f06d Merge remote-tracking branch 'upstream/master' into webmail-sso 4 years ago
bors[bot] 0f8d2077a5
Merge #1691
1691: update webmails to PHP 7.4 r=mergify[bot] a=lub

## What type of PR?

update

## What does this PR do?

### Related issue(s)

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.



I think it's a minor change, which needs no changelog.

I've tested rainloop, would be great if someone could test roundcube, because I don't use it.

Co-authored-by: lub <git@lubiland.de>
4 years ago
bors[bot] cca4b50915
Merge #1607
1607: _FILE variables for Docker swarm secrets r=mergify[bot] a=lub

## What type of PR?

enhancement

## What does this PR do?

This PR enables usage of DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY to load these values from files instead of supplying them directly. That way it's possible to use Docker secrets.

### Related issue(s)


## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
4 years ago
Florent Daigniere e8f70c12dc avoid a warning 4 years ago
Florent Daigniere 80f939cf1a Revert to the old behaviour when ADMIN=false 4 years ago
Florent Daigniere 2cdee8d18e Make roundcube use internal auth 4 years ago