1342 Commits (5b9c2e5336fa08f8c77cf4ac861617b1453999c3)

Author SHA1 Message Date
lub 5b9c2e5336 keep key during certificate renewal 2 years ago
bors[bot] e600f20762
Merge #2468
2468: Ensure that Mailu keeps working even if it can't obtain a certificate from LE r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES

Without this TLS configuration would fail and Mailu would operate without TLS completely.

I haven't tested it but thought this used to work previously... maybe certbot has changed something

### Related issue(s)
- closes #2467

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Florent Daigniere 1630a18dd8 Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES 2 years ago
bors[bot] 1cdc4e76b4
Merge #2455
2455: Fix/missing tanslations r=mergify[bot] a=DjVinnii

## What type of PR?

Fix/Enhancement

## What does this PR do?
Add missing Dutch translation, as well as the German translation for `Start of vacation`

### Related issue(s)
- closes #2217

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Vincent Kling <v.kling@vinniict.nl>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2 years ago
bors[bot] b5e7cad2d3
Merge #2448
2448: Give a chance to rspamd's bayes classifier r=mergify[bot] a=nextgens

## What type of PR?

bug-fix + documentation

## What does this PR do?

As pointed out in #2442, the bayesian filter of rspamd doesn't get any chance to run as ``min_learns`` is set to 200 and we never teach it any HAM.

This PR enables rspamd's autolearn feature, that will "reinforce" good/bad by learning from the scoring of other modules. It ensures both that we will eventually reach the 200 mark but also that the data stays fresh.

I've also taken this opportunity to update the documentation & FAQ accordingly, to ensure that users teach their HAM & SPAM to both the fuzzy and bayes classifiers.

Thank you to [woj-tek](https://github.com/woj-tek) for doing the ground work on this.

### Related issue(s)
- closes #2442

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Dimitri Huisman 5b21fae968 Add missing Dutch translation 2 years ago
Alexander Graf 7682b4fa7f
Fix typo and translate Website with Webseite 2 years ago
Alexander Graf ffa7d6c565
Updated german translation 2 years ago
Vincent Kling a02a2c26a7 Fix typo 2 years ago
Vincent Kling 486dd06ca8 Add missing German translation for Start of vacation 2 years ago
Vincent Kling 84f60116ea Add missing Dutch translations 2 years ago
Florent Daigniere 85a2aafcdf ghostwheel42's suggestions 2 years ago
Florent Daigniere 6a0e881522 Introduce TLS_PERMISSIVE for port 25
This new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged, please read the documentation before doing so.
2 years ago
Florent Daigniere 5d09390147 enable rspamd's autolearn feature 2 years ago
Vincent Kling bab3f0f5a4 Remove POD_ADDRESS_RANGE 2 years ago
bors[bot] 7ed1da5bf1
Merge #2440
2440: The ARM wheels don't work r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Remove piwheels to ensure we always rebuild on ARM

### Related issue(s)
- closes #2439
- #1200


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Florent Daigniere 35a794cfd6 The ARM wheels don't work 2 years ago
Florent Daigniere 355589a23c Apparently SQLAlchemy needs to be told explictely 2 years ago
Florent Daigniere 30b3a3771e Prevent signups with accounts where an alias exists 2 years ago
Florent Daigniere 6fb554bc2e Do the same for the postfix container 2 years ago
Florent Daigniere 1500936232 Some people will need this at runtime 2 years ago
Florent Daigniere bd5fd9536d doh 2 years ago
Florent Daigniere e0643cf45c Disable the cache; don't upgrade pip if not req 2 years ago
Florent Daigniere f760024812 These are required for the healthcheck 2 years ago
Florent Daigniere 19eda03a49 Build wheels only if we have to. 2 years ago
Alexander Graf 822abc9136
Put ipv6 resolver address in square brackets 2 years ago
bors[bot] 53de7b7d60
Merge #2403
2403: Feature: switch CI/CD from build to buildx r=mergify[bot] a=Diman0

## What type of PR?

Feature and enhancement

## What does this PR do?

Switch from docker build to buildx for CI/CD.
    - The main workflow file has been optimised and simplified.
    - Images are built in parallel when building locally resulting in much faster build times.
    - The github action workflow is about 50% faster.
    - Arm images are built as well. These images are not tested due to restrictions of github actions (no arm runners). The tags of the images have -arm appended to it. The arm images are built on merge on master and release branch (x.y). They do not influence the normal CI/CD workflow used for bors (for PR) and real releases (merge on master and branch x.y for x86_64). 
    - Arm images (and normal x86_64 images) can also be built locally.
    - Reusable workflow is introduced for building, testing and deploying the images. This allows the workflow to be reused for other purposes in the future.
    - Workflow can be manually triggered. This allows forked Mailu projects to also use the workflow for building images.

The main workflow makes use of github actions cache to store the cache layer. This layer is used to quickly rebuilt the images in the testing step and deploy step.

Unfortunately the building the arm images fails sometimes due to timeouts. Sometimes the connection to github actions cache is very slow. Restarting the workflow from the last failed step resolves this. I have not observed this with the normal build.

Just as previous time, you can use a forked project for testing the changes (https://github.com/Diman0/Mailu_Fork). You should still have owner access. I have created branch 1.11 for testing. You can see I already push 4 times to branch 1.11 (current version is 1.11.3).

### Related issue(s)
- Mention an issue like: #001
- closes #2383 
- closes #1830
- closes #1200

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2 years ago
bors[bot] 3327500f96
Merge #2221
2221: Add support for custom NGINX config r=mergify[bot] a=easybe

## What type of PR?

enhancement

## What does this PR do?

Add support for custom NGINX config. Including *.conf files in /etc/nginx/conf.d same as the default NGINX configuration gives the user more flexibility.

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Ezra Buehler <ezra@easyb.ch>
2 years ago
bors[bot] 1069c02bc8
Merge #2357
2357: Switch to ffdhe3072 to enable RFC 7919 r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

The idea being:
- it's a "nothing up my sleeves" group
- it may help shave off some bytes of the SSL handshake; That being said, I doubt that clients that are modern enough to support this RFC won't offer an EC kex

https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe3072.pem

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
bors[bot] bae15c0af3
Merge #2404
2404: Forwarding emails option in user settings did not support 1 letter do… r=mergify[bot] a=Diman0

…mains.

## What type of PR?

Bug-fix

## What does this PR do?

Forwarding emails option in user setting did not support 1 letter domains. The regex for checking the validity of  multiple email addresses string has been modified to allow 1 letter domains and to allow 1 letter local part.

### Related issue(s)
- closes #2402 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [n/a] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2 years ago
Dimitri Huisman 57865495d4 Forwarding emails option in user settings did not support 1 letter domains. 2 years ago
bors[bot] 51945aa316
Merge #2397
2397: Fix resolving alias addresses for postfix when target is a punycode domain r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

- fix splitting of localpart in resolve_destination
- idna-enode domain-part of email addresses before returning to postfix

### Related issue(s)
- closes #2393


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2 years ago
Dimitri Huisman 3aafecafe7 Merge branch 'master' into feat-switch-buildx 2 years ago
Dimitri Huisman f6de2b2938 Switch from docker build to buildx for CI/CD.
- The main workflow file has been optimised and simplified.
- Images are built in parallel when building locally resulting in faster build times.
- The github action workflow is about 50% faster.
- Arm images are built as well. These images are not tested due to restrictions of github actions (no arm runners). The tags of the images have -arm appended to it.
- Arm images can also be built locally.
- Reusable workflow is introduced for building, testing and deploying the images.
  This allows the workflow to be reused for other purposes in the future.
- Workflow can be manually triggered. This allows forked Mailu projects to also use the workflow for building images.
2 years ago
Alexander Graf c478e26d68
Encode domain part of email addresses before returning. 2 years ago
Alexander Graf 5179cf0618
Fix localpart splitting and make code more readable. 2 years ago
Dimitri Huisman ee78a34da4 Process code review feedback
Remove unneeded IF statement in /admin block in nginx.conf of front.
Fix contributions made to Dockerfile, add missing trailing \ and add back curl
Change healthcheck to monitoring page of fpm. Now we check nginx and fpm.
2 years ago
Dimitri Huisman d19208d3d1 Merge branch 'master' of github.com:Mailu/Mailu into feature-switch-snappymail 2 years ago
Dimitri Huisman 4b491d9de5 Re-enable the built-in nginx resolver for traffic going through the mail plugin.
This is required for passing rDNS/ptr information to postfix.
The mail proxy uses the resolver info for passing XCLIENT info.
See http://nginx.org/en/docs/mail/ngx_mail_proxy_module.html#xclient
Without this info rspamd will flag all messages with DHFILTER_HOSTNAME_UNKNOWN due to the missing rDNS/ptr info.
2 years ago
bors[bot] c2d85ecc32
Merge #2325
2325: postfix: wrap IPv6 CIDRs in square brackets for RELAYNETS r=mergify[bot] a=pommi

## What type of PR?

bug-fix

## What does this PR do?

This PR wraps IPv6 CIDRs in the `RELAYNETS` environment variable in square brackets for the postfix configuration.

The `RELAYNETS` environment variable is used for configuring both postfix `mynetworks` and rspamd `local_networks`. Postfix requires IPv6 addresses to be wrapped in square brackets (eg. `[2001:db8::]/64`).

When an IPv6 address is not wrapped in square brackets in the postfix configuration for `mynetworks` it results in this error while processing an incoming email from an IPv6 sender:
```
postfix/smtpd[340]: warning: 2001:db8::/64 is unavailable. unsupported dictionary type: 2001
postfix/smtpd[340]: warning: smtpd_client_event_limit_exceptions: 2001:db8::/64: table lookup problem
```

The sender sees an error and the incoming email is refused:
```
451 4.3.0 <unknown[2001:xxx:xxx:xxx:xxx:xxx:xxx:xxx]>: Temporary lookup failure
```

I tried to work around this issue by wrapping the IPv6 CIDR in square brackets in the `RELAYNETS` environment variable, but it segfaults rspamd, because it can't deal with this non-standard IPv6 notation used by postfix:
```
kernel: [4305632.603704] rspamd[1954299]: segfault at 0 ip 00007fb848983871 sp 00007ffe02cc6d1
8 error 4 in ld-musl-x86_64.so.1[7fb848948000+48000]
```

### Related issue(s)
- #2293
- #2272

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

**No changelog or documentation necessary for this minor change.**

Co-authored-by: Pim van den Berg <pim@nethuis.nl>
3 years ago
Pim van den Berg d495052b52 postfix: wrap IPv6 CIDRs in square brackets for RELAYNETS
The RELAYNETS environment variable is used for configuring both postfix
`mynetworks` and rspamd `local_networks`. Postfix requires IPv6
addresses to be wrapped in square brackets (eg. [2001:db8::]/64).
3 years ago
Alexander Graf e75201bb34
Add default to column spam_mark_as_read 3 years ago
Florent Daigniere 74c5e92628 Switch to ffdhe3072 to enable RFC 7919
The idea being:
- it's a "nothing up my sleeves" group
- it may help shave off some bytes of the SSL handshake; That being
said, I doubt that clients that are modern enough to support this RFC
won't offer an EC kex

https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe3072.pem
3 years ago
Florent Daigniere 04b7ddfffd Merge remote-tracking branch 'upstream/master' into Riscue-master 3 years ago
Florent Daigniere d2aa647a9f l10n 3 years ago
bors[bot] e519ec9ae6
Merge #2310
2310: Update deprecated rspamd config option r=mergify[bot] a=henniaufmrenni

## What type of PR?

Configuration update

## What does this PR do?

This is just a small config update to get rid of the following warning message:
`lua; antivirus.lua:109: CLAM_VIRUS [clamav]: Using attachments_only is deprecated. Please use scan_mime_parts = true instead`

As per the rspamd documentation https://rspamd.com/doc/modules/antivirus.html
> attachments_only = true; # Before 1.8.1
> scan_mime_parts = true; # After 1.8.1

The currently used version of rspamd is 3.1.

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: henniaufmrenni <henniaufmrenni@keinvergessen.org>
3 years ago
bors[bot] e92c67b118
Merge #2338
2338: Update X-XSS-Protection to current recommendation r=mergify[bot] a=AvverbioPronome

See:

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection and
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection

## What type of PR?

Slight enhancement

## What does this PR do?

This PR turns off the XSS auditor in the few browsers that still have one.

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ?] In case of feature or enhancement: documentation updated accordingly
- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Giuseppe C <1191978+AvverbioPronome@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
3 years ago
Florent Daigniere cb656fc9fd Silence some errors in nginx
"could not be resolved (3: Host not found) while in resolving client
address, client:"
3 years ago
Your Name f7a3ecee2c remove X-XSS-Protection header from nginx.conf 3 years ago
Giuseppe C 389438d18b
Update X-XSS-Protection to current recommendation
See:

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection and
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
3 years ago