Commit Graph

1151 Commits (5bedcc1cb1a0e2e3922136102b730f3681577486)

Author SHA1 Message Date
bors[bot] 5e212ea46d
Merge
2036: round display of range inputs to 2 decimals r=mergify[bot] a=ghostwheel42

## What type of PR?

small fix

## What does this PR do?

rounds display of range inputs to 2 decimals 

### Related issue(s)

- small fix to 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Alexander Graf 80be3506da upgrade pip. completed reqs via pip freeze
Alexander Graf 598b2df5a0 update wtforms
Alexander Graf e8b5f1a185 round display of range inputs to 2 decimals
DjVinnii 1d6809193b Add tzdata to core
Florent Daigniere 74b31dc407 Ensure that RCVD_NO_TLS_LAST doesn't add spam points
bors[bot] 11bbceb9cc
Merge
2032: doh r=mergify[bot] a=nextgens

This should have been part of 

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 8dad40f67c doh
bors[bot] e52a3de1b0
Merge
2027: Make logs more quiet r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

It silences various useless log messages in front, specifically:
```
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/1.1" 301 162 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/2.0" 204 0 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 2021/10/30 03:11:04 [info] 476302#476302: *2622679 client 127.0.0.1 closed keepalive connection
Oct 30 03:13:02 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:13:02 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
```

`@micw` has requested it for k8s

2030: Fix RELAYNETS r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

RELAYNETS should be comma separated like everything else; rspamd should also be aware of what is considered "trusted".

I am not sure whether ```local_networks``` is the right configuration option for it though

- close 

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 2170e07731 Tell rspamd about RELAYNETS
Florent Daigniere 9d474f32a6 RELAYNETS is comma separated!
Florent Daigniere f3c93212c6 The Rate-limiter should run after the deny
Florent Daigniere 53a0363b9e Deal with the noisy keepalive messages
We don't particularly care about HTTP... and that's what's noisy.
Florent Daigniere 80a85c27a9 Silent healthchecks in logs
Alexander Graf 9bc685c30b removed some more whitespace
Alexander Graf 8c31699baf fixed locale selector for no_NB
Alexander Graf 882a27f87c simplified if's and added external link icon
Alexander Graf 3141ffe791 removed some whitespace
Dimitri Huisman 6b16756d92 Fix acessing antispam via sidebar.
Dimitri Huisman 3449b67c86 Process code review remarks PR2023
Dimitri Huisman 8784971b7f Merge rate limiting and failed login logging
Dimitri Huisman 503044ef6e Reintroduce ProxyFix. Use two buttons for logging in.
Dimitri Huisman c42ad8e71e Forgot to include changes for url_for of base.html
Dimitri Huisman fb0f005343 Get rid of complicated prefix logic. Further simplify /static handling and nginx config.
Dimitri Huisman da788ddee3 Merge branch 'fix-sso-1929' of github.com:Diman0/Mailu into fix-sso-1929
Dimitri Huisman bdcc183165 Redirect to configured ENV VAR for Admin/Webmail, further simplify nginx config.
Dimitri Huisman f1a60aa6ea Remove unneeded auth_request_set
Florent Daigniere fee13e6c4b Save a redirect
Florent Daigniere d3f07a0882 Simplify the handling of /static
Florent Daigniere aee089f3b1 Ensure that static assets are readable
Dimitri Huisman a47afec4ee Make logic more readable.
Dimitri Huisman 48764f0400 Ensure all requests from the page sso go through the page sso.
Dimitri Huisman 5232bd38fd Simplify webmail logout.
Dimitri Huisman aab258d284 Move handling of logging out in admin, to sso logout page.
Dimitri Huisman 615743b331 Improve indendation of conditions.
Dimitri Huisman 5d81846c5d Introduce the shared stub /static for providing all static files
Dimitri Huisman eb74a72a52 Moved locations to correct area in nginx.conf.
Dimitri Huisman aa7380ffba Doh!
Dimitri Huisman 44d2448412 Updated SSO logic for webmails. Fixed small bug rate limiting.
Dimitri Huisman f9eee0cbaf Adapt HEALTHCHECK to new URL
Dimitri Huisman ed7adf52a6 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929
Dimitri Huisman 913a6304a7 Finishing touches. Introduce /static stub for handling all static files.
bors[bot] a1192d8039
Merge
1987: Enhancement to the rate limits r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Turn the rate-limiters into something useful (that won't fire for no reason).

- fix rate-limiting on /webdav/
- it changes the rate-limiting behaviour from limiting a single IP address to a subnet of a reasonable size (/24 on v4 and /56 on v6 both are now configurable) : AUTH_RATELIMIT_IP / AUTH_RATELIMIT_IP_V4_MASK / AUTH_RATELIMIT_IP_V6_MASK
- It ensures we only use IP-based rate-limits for attempts on accounts that do not exist
- it creates a new rate limit preventing attackers from targetting a specific user account (separate from what's above) : AUTH_RATELIMIT_USER
- it introduces a rate limiting exemption mechanism whereby, upon authentication, users will see their source-ip address being exempt for a specific amount of time AUTH_RATELIMIT_EXEMPTION_LENGTH. A similar mechanism is available for web-based sessions (see below)
- It introduces in AUTH_RATELIMIT_EXEMPTION a comma separated list of network CIDRs that will be exempt from both types of rate limiting
- it implements device-tokens, as described on https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies to ensure that genuine users aren't locked-out by a malicious attacker abusing the rate-limit feature.

Things that could be improved include:
- the IP-based rate limiter flags attempts against "non-existing" accounts: it could go further and flag the number of unique non-existing accounts attempted (to prevent the case of a user making a typo in his MUA configuration)
- the IP address exemption mechanism doesn't pin the exemption to a specific username: any real user can trivially bypass the rate limits (and attempt to brute-force someone else's account)

### Related issue(s)
- close 
- close  
- close 


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
Florent Daigniere 693b578bbb The second strip isn't necessary
Florent Daigniere 1c6165213c better that way
Florent Daigniere 34497cff20 doh
Florent Daigniere e8871dd77f doh
Florent Daigniere 5b72c32251 Doh
Florent Daigniere 19b784b198 Parse the network configuration only once
thanks @ghostwheel42
Florent Daigniere 98742268e6 Make it more readable
Florent Daigniere 94bbed9746 Ensure we have the right IP
Florent Daigniere c5bd82650f doh
Florent Daigniere 99c81c20a7 Introduce AUTH_RATELIMIT_EXEMPTION
This disables rate limiting on specific CIDRs
Florent Daigniere c674f1567a Merge branch 'ratelimits' of https://github.com/nextgens/Mailu into ratelimits
Florent Daigniere 8414dd5cf0 Merge remote-tracking branch 'upstream/master' into ratelimits
Florent Daigniere e14d2e7c03 Error out explictely if Auth-Port isn't set
Florent Daigniere abaa2e8cc3 simplify client_ip
Florent Daigniere de276a6822 Simplify extract_network_from_ip
Florent Daigniere 3bda8368e4 simplify the Auth-Status check
Florent Daigniere 2dd9ea1506 simplify
Florent Daigniere 068170c0ff Use app instead of flask.current_app where possible
Florent Daigniere 57b0dd490c Initialize user_email in all cases
qy117121 b1425015ef
Update messages.po
Fix wrong text
bors[bot] afffe4063e
Merge
2018: show dmarc record for report domain in domain details r=mergify[bot] a=ghostwheel42

## What type of PR?

documentation

## What does this PR do?

show dmarc record for report domain in domain details

### Related issue(s)

closes 

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
bors[bot] 9f2aa0aadc
Merge
1986: Document how to setup client autoconfig r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Document how to setup autoconfig. This works with most open-source MUAs (thunderbird, evolution, ...)

We could go further than that by providing dynamic configuration (issue an auth token for each MUA request)... but it won't work unless a new DNS entry (and matching certificate) is created.

### Related issue(s)
- 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


2014: Update Chinese translation r=mergify[bot] a=qy117121

## What type of PR?

translation

## What does this PR do?

Update Chinese translation. Use `zh` instead of `zh_CN`.

### Related issue(s)

none

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: qy117121 <mixuan121@gmail.com>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Alexander Graf 7fe15ea9cf added dmarc record for report domain
bors[bot] a5b1d36171
Merge
2017: rspamd: get dkim keys via REST API instead of filesystem r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement

## What does this PR do?

rspamd now uses hashicorp's vault api v1 to get dkim keys and selectors for a domain.
this allows future enhancement (multiple keys) without reconfiguring and restarting rspamd.
it also makes mounting the /dkim volume into the rspamd container unnecessary.

### Related issue(s)

- improves and closes  
- allows to implement key rotation using multiple selectors (see )
- allows to implement dkim for alternate domains (see )
- fixes and closes  (selector transmitted by admin container is used)
- closes  (no keys on disk)
- allows to implement key rotation from the outside (ie. via a helper script talking to some dns provider's api) (see )

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Alexander Graf 7b0c5935a8 only support GET method in vault
Alexander Graf 303fae00fb cleanup modules. use dkim selector from config
Alexander Graf dc9f970a91 removed zh_CN and updated locale-map for datatables
Alexander Graf 893705169e PoC rspamd use dkimkeys from admin using vault api
Florent Daigniere 632ce663ee Prevent logins with no password
qy117121 866f784d06
Create messages.po
Update the translation
qy117121 251eea5553
Update messages.po
Updated translation
Florent Daigniere 7277e0b4e4
Merge branch 'master' into ratelimits
bors[bot] 8c8c1b2015
Merge
1997: Prevent traceback when using non-email in login r=mergify[bot] a=ghostwheel42

There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('`@',` 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "`@")`
```

## What type of PR?

enhancement

## What does this PR do?

replace traceback (ERROR) with error message (WARNING)

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
bors[bot] 9b01e663b2
Merge
2007: allow sending emails as user+detail@domain.tld r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix or enhancement

## What does this PR do?

Allows sending emails with an added "+detail" in the local part.
 
### Related issue(s)

closes 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: root <ghostwheel42@users.noreply.github.com>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 14360f8926 RECIPIENT_DELIMITER can have several characters
root 8c59f35697 use RECIPIENT_DELIMITER for splitting
Alexander Graf 1d571dedfc split localpart into user and tag
Florent Daigniere d131d863ba The if needs to be inside the block
Alexander Graf aaf3ddd002 moved javascript to app.js
Florent Daigniere b48779ea70 SESSION_COOKIE_SECURE and HTTP won't work
Florent Daigniere 502affbe66 Use the regexp engine since we have one
Florent Daigniere a349190e52 simplify
Florent Daigniere 10d78a888b Derive a new subkey for SRS
Florent Daigniere 995ce8d437 Remove OUTCLEAN_ADDRESS
I believe that this isn't relevant anymore as we don't use OpenDKIM
anymore

Background on:
https://bofhskull.wordpress.com/2014/03/25/postfix-opendkim-and-missing-from-header/
Alexander Graf 65133a960a Prevent traceback when using non-email in login
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
Diman0 41f5b43b38 Set nginx logging to level info again.
Diman0 f4cde61148 Make header translatable. More finishing touches.
Florent Daigniere 7d56ed3b70 Merge branch 'master' of https://github.com/Mailu/Mailu into ratelimits
Diman0 fbe0a446b9 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929
Florent Daigniere 1e07b85fa1 doh
Diman0 9894b49cbd Merge/Update with changes from master
Florent Daigniere 24aadf2f52 ensure we log when the rate limiter hits
Florent Daigniere 64bc7972cc Make AUTH_RATELIMIT_IP 60/hour as discussed
Florent Daigniere cab0ce2017 doh
Florent Daigniere a9340e61f5 Log auth attempts on /admin
Florent Daigniere 89ea51d570 Implement rate-limits
Diman0 bf0aad9820 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929