1505 Commits (6a22c82c022ccf7b8c4e8b0355590db8e4f34cef)

Author SHA1 Message Date
enginefeeder101 82860d0f80
Moved parsing environment variable to global application config dictionary
Per requested changes added the ``DEFAULT_SPAM_THRESHOLD`` to the main
application configuration dictionary in ``configuration.py`` and updated
``models.py`` accordingly.
No error handling is added, as that was not required.
3 years ago
enginefeeder101 6c83d25312
Configurable default spam threshold used for new users
This commit adds functionality to set a custom default spam threshold
for new users. The environment variable ``DEFAULT_SPAM_THRESHOLD`` can
be used for this purpose. When not set, it defaults back to 80%, as the
default value was before
If ``DEFAULT_SPAM_THRESHOLD`` is set to a value that Python cannot
parse as an integer, a ValueError is thrown. There is no error handling
for that case built-in.
3 years ago
bors[bot] c2d85ecc32
Merge #2325
2325: postfix: wrap IPv6 CIDRs in square brackets for RELAYNETS r=mergify[bot] a=pommi

## What type of PR?

bug-fix

## What does this PR do?

This PR wraps IPv6 CIDRs in the `RELAYNETS` environment variable in square brackets for the postfix configuration.

The `RELAYNETS` environment variable is used for configuring both postfix `mynetworks` and rspamd `local_networks`. Postfix requires IPv6 addresses to be wrapped in square brackets (eg. `[2001:db8::]/64`).

When an IPv6 address is not wrapped in square brackets in the postfix configuration for `mynetworks` it results in this error while processing an incoming email from an IPv6 sender:
```
postfix/smtpd[340]: warning: 2001:db8::/64 is unavailable. unsupported dictionary type: 2001
postfix/smtpd[340]: warning: smtpd_client_event_limit_exceptions: 2001:db8::/64: table lookup problem
```

The sender sees an error and the incoming email is refused:
```
451 4.3.0 <unknown[2001:xxx:xxx:xxx:xxx:xxx:xxx:xxx]>: Temporary lookup failure
```

I tried to work around this issue by wrapping the IPv6 CIDR in square brackets in the `RELAYNETS` environment variable, but it segfaults rspamd, because it can't deal with this non-standard IPv6 notation used by postfix:
```
kernel: [4305632.603704] rspamd[1954299]: segfault at 0 ip 00007fb848983871 sp 00007ffe02cc6d1
8 error 4 in ld-musl-x86_64.so.1[7fb848948000+48000]
```

### Related issue(s)
- #2293
- #2272

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

**No changelog or documentation necessary for this minor change.**

Co-authored-by: Pim van den Berg <pim@nethuis.nl>
3 years ago
Pim van den Berg d495052b52 postfix: wrap IPv6 CIDRs in square brackets for RELAYNETS
The RELAYNETS environment variable is used for configuring both postfix
`mynetworks` and rspamd `local_networks`. Postfix requires IPv6
addresses to be wrapped in square brackets (eg. [2001:db8::]/64).
3 years ago
Alexander Graf e75201bb34
Add default to column spam_mark_as_read 3 years ago
Florent Daigniere 74c5e92628 Switch to ffdhe3072 to enable RFC 7919
The idea being:
- it's a "nothing up my sleeves" group
- it may help shave off some bytes of the SSL handshake; That being
said, I doubt that clients that are modern enough to support this RFC
won't offer an EC kex

https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe3072.pem
3 years ago
Florent Daigniere 04b7ddfffd Merge remote-tracking branch 'upstream/master' into Riscue-master 3 years ago
Florent Daigniere d2aa647a9f l10n 3 years ago
bors[bot] e519ec9ae6
Merge #2310
2310: Update deprecated rspamd config option r=mergify[bot] a=henniaufmrenni

## What type of PR?

Configuration update

## What does this PR do?

This is just a small config update to get rid of the following warning message:
`lua; antivirus.lua:109: CLAM_VIRUS [clamav]: Using attachments_only is deprecated. Please use scan_mime_parts = true instead`

As per the rspamd documentation https://rspamd.com/doc/modules/antivirus.html
> attachments_only = true; # Before 1.8.1
> scan_mime_parts = true; # After 1.8.1

The currently used version of rspamd is 3.1.

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: henniaufmrenni <henniaufmrenni@keinvergessen.org>
3 years ago
bors[bot] e92c67b118
Merge #2338
2338: Update X-XSS-Protection to current recommendation r=mergify[bot] a=AvverbioPronome

See:

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection and
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection

## What type of PR?

Slight enhancement

## What does this PR do?

This PR turns off the XSS auditor in the few browsers that still have one.

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ?] In case of feature or enhancement: documentation updated accordingly
- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Giuseppe C <1191978+AvverbioPronome@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
3 years ago
Florent Daigniere cb656fc9fd Silence some errors in nginx
"could not be resolved (3: Host not found) while in resolving client
address, client:"
3 years ago
Your Name f7a3ecee2c remove X-XSS-Protection header from nginx.conf 3 years ago
Giuseppe C 389438d18b
Update X-XSS-Protection to current recommendation
See:

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection and
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
3 years ago
bors[bot] c09253ede3
Merge #2323
2323: Fix Postfix FileExistsError on startup r=mergify[bot] a=Pumba98

## What type of PR?

bug-fix

## What does this PR do?

I'm running mailu with the mailu helm-chart on kubernetes. Sometimes when a Pod restarts I get the following error during startup:
```
Process Process-1:
Traceback (most recent call last):
File "/usr/lib/python3.9/multiprocessing/process.py", line 315, in _bootstrap
self.run()
File "/usr/lib/python3.9/multiprocessing/process.py", line 108, in run
self._target(*self._args, **self._kwargs)
File "/start.py", line 18, in start_podop
os.mkdir('/dev/shm/postfix',mode=0o700)
FileExistsError: [Errno 17] File exists: '/dev/shm/postfix'
INFO:MAIN:MTA-STS daemon starting...
```

But that does not prevent the container startup. When mails arrive it will fail with something like:

```
postfix/trivial-rewrite[94979]: warning: connect to /tmp/podop.socket: No such file or directory
postfix/trivial-rewrite[94979]: warning: table socketmap:unix:/tmp/podop.socket:transport lookup error: No such file or directory
postfix/trivial-rewrite[94979]: warning: socketmap:unix:/tmp/podop.socket:transport lookup error for "*"
```

I'm running this quick fix now since almost two months without problems. Maybe you got a better approach how to solve this, but this works fine for me.

### Related issue(s)
- none

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

<!--
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
--->

**No changelog or documentation necessary for this minor change.**


Co-authored-by: Pumba98 <mail@pumba98.de>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
3 years ago
Florent Daigniere 193d835abe
Use os.makedirs instead 3 years ago
henniaufmrenni 8eb8cb1f48 Update deprecated rspamd config option
This gets rid of the following error message:
lua; antivirus.lua:109: CLAM_VIRUS [clamav]: Using attachments_only is deprecated. Please use scan_mime_parts = true instead

As per the rspamd documentation https://rspamd.com/doc/modules/antivirus.html
attachments_only = true; # Before 1.8.1
scan_mime_parts = true; # After 1.8.1

The currently used version is rspamd 3.1.
3 years ago
bors[bot] 6f89209f9f
Merge #2302
2302: Update alpine-linux to 3.14.5 - Zlib security FIX r=mergify[bot] a=willofr

## What type of PR?
Security fix

## What does this PR do?
Update alpine docker image to alpine-3.14.5

- closes #2291

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Will <will@packer-output-c8fcfb40-3d93-4475-8f87-e14a9dd683b6>
3 years ago
Will a54a784168 Update alpine-linux to 3.14.5 - Zlib security FIX 3 years ago
hitech95 fc8926493c admin: graceful fail on user fetch in basic auth
Signed-off-by: hitech95 <nicveronese@gmail.com>
3 years ago
Dimitri Huisman f2f859280c Merge remote-tracking branch 'origin/master' into feature-switch-snappymail 3 years ago
Dimitri Huisman 9519d07ba2 Switch from RainLoop to SnappyMail 3 years ago
bors[bot] c15e4e6015
Merge #2276
2276: Autoconfig of email clients r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

It provides auto-configuration templates for email clients and encourages them to use implicit TLS (see https://nostarttls.secvuln.info/)

There are numerous caveats:
- it will only work if suitable DNS records are created and certificates obtained (autoconfig, autodiscover, ...)
- the mobileconfig file isn't signed
- the credentials will be prompted... we could/should provision a token on each request instead
- it currently doesn't advertise caldav
- it's IMAP only

### Related issue(s)
- close #224 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 9b952da6c2 Allow nginx to lookup IPv6 addresses
It creates issues with RSPAMD/HFILTER_HOSTNAME_UNKNOWN on v6 enabled
setups see
https://github.com/Mailu/Mailu/issues/2260#issuecomment-1066797661
3 years ago
bors[bot] 8cc91bad75
Merge #2281 #2285 #2286 #2287
2281: Update alpine-linux to 3.14.4 - OpenSSL security FIX r=mergify[bot] a=willofr

## What type of PR?
Security fix

## What does this PR do?
Update Dockerfiles to use alpine-linux 3.14.4 which contains a security fix for openssl
https://alpinelinux.org/posts/Alpine-3.12.10-3.13.8-3.14.4-released.html

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


2285: Update names of language json files r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

language json files of datatables i18n have been renamed
this updates the mappings to the current names


2286: Fix typo in Traefik reverse proxy docs r=mergify[bot] a=ghostwheel42

Slight typo in the Traefik reverse proxy docs. Found through running into the issue on my own instance.

## What type of PR?

documentation

## What does this PR do?

Adds  #2282 to master


2287: Fix typo in docs: cert not certs r=mergify[bot] a=ghostwheel42

## What type of PR?

documentation

## What does this PR do?

just a typo

Co-authored-by: Will <will@packer-output-c8fcfb40-3d93-4475-8f87-e14a9dd683b6>
Co-authored-by: willofr <willofr@users.noreply.github.com>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: DAHPr0gram3r <cbillwork02@gmail.com>
3 years ago
bors[bot] a7149b83d4
Merge #2284
2284: Fixing AUTH_RATELIMIT_IP not working on imap/pop3/smtp r=mergify[bot] a=fischerscode

#2283

## What type of PR?

bug-fix

## What does this PR do?
This fixes AUTH_RATELIMIT_IP not working on imap/pop3/smtp.

### Related issue(s)
closes #2283

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.

Co-authored-by: Maximilian Fischer <github@maaeps.de>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago
bors[bot] 68d3d67b8c
Merge #2255
2255: Create a polite and turtle delivery queue to accommodate destinations that expect emails to be sent slowly r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

Create a polite and turtle delivery queue to accommodate destinations that expect emails to be sent slowly

### Related issue(s)
- closes #2213

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Alexander Graf d70596d431
Update names of language json files 3 years ago
Alexander Graf 64ad6931e9
Move 'is_valid_user = user is not None' into else 3 years ago
Alexander Graf 630a4e9b5e
Update auth.py
Add spaces
3 years ago
Maximilian Fischer 8775dc5b15 Fixing AUTH_RATELIMIT_IP not working on imap/pop3/smtp
#2283
3 years ago
Will d02296c3bc Update alpine-linux to 3.14.4 - OpenSSL security FIX 3 years ago
Florent Daigniere ce9dc3a335 ghostwheel42's suggestion 3 years ago
Florent Daigniere 83140322e0 ghostwheel42's suggestion 3 years ago
Florent Daigniere 3aa735cc2d ghostwheel42's suggestion 3 years ago
Florent Daigniere 6d80eea649 ghostwheel42's suggestion 3 years ago
Florent Daigniere 9bc963f19b don't think the escaping is required but it was there 3 years ago
Florent Daigniere 3e6f3a95a4 Reflect the data from the POST 3 years ago
Florent Daigniere 14931c4acd doh 3 years ago
Florent Daigniere c6c444cfa7 simplify 3 years ago
Florent Daigniere 373e6d2161 doh 3 years ago
Florent Daigniere 184c9bc566 Add json redirect 3 years ago
Florent Daigniere 9a2d8d63a3 Search and replace wasn't a good idea 3 years ago
Florent Daigniere c50750054b Allow POST 3 years ago
Florent Daigniere 71897f4ff0 Doh 3 years ago
Florent Daigniere d677c465a7 Handle spaces too 3 years ago
Florent Daigniere 6fc1273b58 Add a link to autoconfigure apple devices 3 years ago
Florent Daigniere 0bccb5045c STARTTLS is a bad idea 3 years ago
Florent Daigniere 3a56525e21 As discussed on #mailu-dev
Don't attempt to guess what the user wants
3 years ago
Florent Daigniere 81b592f3cb try to get LE certs for the new names 3 years ago
Florent Daigniere a3f9e2beee Use priorities instead 3 years ago
Florent Daigniere 2b62a6327a Do explicit TLS where possible 3 years ago
Florent Daigniere c817eaf608 Add the SRV record for autodiscover 3 years ago
Florent Daigniere cdc92aa65b Mobileconfig apple style 3 years ago
Florent Daigniere ccd2cad4f1 Autodiscovery microsoft style 3 years ago
Florent Daigniere 523cee1680 Autoconfig mozilla-style 3 years ago
bors[bot] 0b25854de0
Merge #2210
2210: Add input validation for domain creation r=mergify[bot] a=0pc0deFR

## What type of PR?

bug-fix

## What does this PR do?

This patch add the input validation for domain creation.

### Related issue(s)
- Mention an issue like: #1817
- Auto close an issue like: closes #1817


Co-authored-by: Kevin Falcoz <0pc0defr@gmail.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
İbrahim Akyel f65e2fc469 Feature: Marking "Read" spam mails 3 years ago
Florent Daigniere a7f9a35fa1
Merge branch 'master' into fix2274 3 years ago
Florent Daigniere a4ed464170 doh 3 years ago
Florent Daigniere 0bfbb3bcd4
doh 3 years ago
Florent Daigniere cd3eee4c51 ghostwheel42's suggestion 3 years ago
Florent Daigniere d723326b8e style 3 years ago
Florent Daigniere f01d8cd9b9 improve 3 years ago
Florent Daigniere 7b9c4e01f7 improve 3 years ago
Florent Daigniere 91de20c49c Fix exception in logs
This was occuring when you had square brackets in the domain part
3 years ago
Florent Daigniere 8cf76afbab Catch the ValueError instead 3 years ago
Florent Daigniere 08aa32a5df Revert "Don't bother running the query without an address"
This reverts commit dc81979550.
3 years ago
Florent Daigniere 7ce7f2096b belt, braces and suspenders 3 years ago
Florent Daigniere dc81979550 Don't bother running the query without an address
This should solve the following in admin logs:
"WARNING in nginx: Invalid user 'xxxx': (builtins.ValueError)
invalid email address (no "@")"
3 years ago
Pumba98 f1952d0e97
Update start.py 3 years ago
bors[bot] 2e9b14d536
Merge #2254
2254: Send ISRG_X1 on port 25, make DANE pin that r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Ensure we send ISRG_X1 in the handshake on port 25 (non-interactive, size doesn't really matter).

Update the DANE pin to reflect the change.

I am not sure whether we will need to add --preferred-chain= in the future; This may be the case when letsencrypt decides to use X2/the ECDSA chain

This needs to be tested on a letsencrypt account that isn't mine (I'm opted in for the alternate cert chains)

### Related issue(s)
- closes #2138

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

There's already a towncrier news for it

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere f9869b1d79 ghostwheel42's suggestions 3 years ago
Dimitri Huisman c40a0f4b80 Change link in warning to master. Master is always available. 1.9 will be unavaiable in the future. 3 years ago
Florent Daigniere ab35492589 the first time the loop runs we don't have the second cert 3 years ago
Florent Daigniere 0816cb9497 simplify as per ghostwheel42's suggestion 3 years ago
Florent Daigniere 7166e7d2b2 Implement #2213: slow transports 3 years ago
Florent Daigniere e4a32b55f5 Send ISRG_X1 on port 25, make DANE pin that 3 years ago
Florent Daigniere d3e7ea5389 spell it out 3 years ago
Florent Daigniere a8dc20962a workaround a bug in coredns 3 years ago
Dimitri Huisman 55a601de5a Add missing import for validators, improve behaviour when an error occurs. 3 years ago
Dimitri Huisman 7d801c560c Improve if statement 3 years ago
Florent Daigniere 9466ad4131 fix #2220 3 years ago
Ezra Buehler 5d6b295013 Add support for custom NGINX config
Including *.conf files in /etc/nginx/conf.d same as the default NGINX
configuration gives the user more flexibility.
3 years ago
bors[bot] 855f3b065b
Merge #2211
2211: Ensure we use IMAP IDLE like it's supposed to work r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Increase IMAP IDLE time from 2min to 29mins: this should massively help reduce network traffic & increase battery life of clients

See https://peterkieser.com/2011/03/25/androids-k-9-mail-battery-life-and-dovecots-push-imap/

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
3 years ago
Florent Daigniere 224880822f
remove space 3 years ago
Florent Daigniere 3d7b9fe194 Ensure we use IMAP IDLE like it's supposed to work
imap_idle_notify_interval = 2 mins -> 29 mins

See https://peterkieser.com/2011/03/25/androids-k-9-mail-battery-life-and-dovecots-push-imap/
3 years ago
Kevin Falcoz 278d74ce6f
Add title attribute on user-panel div 3 years ago
Kevin Falcoz 3fe1dbe881
Add input validation for domain creation 3 years ago
Kevin Falcoz c69f886a73 Update code with ghostwheel42 comments 3 years ago
Kevin Falcoz 3e394faf92
Patch function "Display Name" into admin page 3 years ago
Florent Daigniere f6ebf9fda2
Update tls.conf 3 years ago
Florent Daigniere 68ff6c8337
Use ISRG_ROOT_X1 as DST_ROOT is not available 3 years ago
Sebastian Klemke a6b4b9ae52 Removed ssl_trusted_certificate configuration setting from nginx.
Resolves an nginx startup issue when letsencrypt or
mail-letsencrypt is enabled.

Fixes #2199
3 years ago
Sebastian Klemke 89a86e9dda disabled rsyslogd pidfile 3 years ago
Florent Daigniere b9e614145f there too 3 years ago
Florent Daigniere b7fb8c661a switch to new API 3 years ago
Billy Chan 90394d7d8c 🎨 use resolver.resolve 3 years ago
shing6326 32446f03e7
Update start.py
fix missing leading . for the resolver test
3 years ago
bors[bot] 1e53530164
Merge #2144
2144: Enable unbound by default, warn if the DNS resolver doesn't work r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Enable unbound by default, warn if the DNS resolver doesn't work

### Related issue(s)
- close #2135

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
3 years ago
Florent Daigniere a9da0c084a
syntax error 3 years ago
Florent Daigniere a2f6243382
remove the error variable 3 years ago
Florent Daigniere b12616b93f
Make the recommendation clearer 3 years ago
Alexander Graf f809be39bf
supply missing fields argument 3 years ago
bors[bot] e3e3700187
Merge #2150
2150: fix 2145: exceptions may be thrown when login is invalid or rate-limits exceeded r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Exceptions may be thrown when login is invalid or rate-limits exceeded for those running very recent builds of 1.9

For some reason I haven't caught it while testing #2130... that's when it was introduced.

### Related issue(s)
- close #2145
- close #2146
- #2130



Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 7bd1fd3489 fix 2145 3 years ago
Florent Daigniere 6425f440d3 fix 2147 3 years ago
Florent Daigniere 379fe18f7a test dns resolvers at startup 3 years ago
Florent Daigniere 98973223fd
reduce TTL to 1d 3 years ago
Florent Daigniere 792893caae change TTL to 1y 3 years ago
Florent Daigniere 671f3e382a Fix 2138: Pin DANE with the full cert 3 years ago
Florent Daigniere 7f89a29790 Fix 2125
Make the caller responsible to know whether the rate-limit code should
be called or not
3 years ago
bors[bot] 65d905fe62
Merge #2099
2099: update Dockerfile to alpine 3.14.3 r=mergify[bot] a=willofr

## What type of PR?
Security fix

## What does this PR do?
Updated the Dockerfile to use the latest alpine version 3.14.3 where several CVEs have been fixed: https://alpinelinux.org/posts/Alpine-3.14.3-released.html
New images successfully built on my test env.

### Related issue(s)
None

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Will <will@packer-output-c8fcfb40-3d93-4475-8f87-e14a9dd683b6>
Co-authored-by: willofr <willofr@users.noreply.github.com>
3 years ago
bors[bot] 3eca813182
Merge #2116
2116: fix 2114: redirect old path r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Old paths may still be cached in browsers, it's easy enough to redirect them

### Related issue(s)
- close #2114


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere c4675e6e75 fix 2114: redirect old path 3 years ago
Dimitri Huisman b4d3d4b3c9 Preparations for 1.9 release. 3 years ago
Erriez 4b0694705c Fix build dependencies pycares 3 years ago
Dimitri Huisman 51d94b8d14 Fix issue 2102 3 years ago
Will b2abbc8856 update Dockerfile to alpine 3.14.3 3 years ago
Florent Daigniere bee6e980e3 doh 3 years ago
Florent Daigniere 58d0faff7f ensure we clear the token on delete() 3 years ago
Florent Daigniere 2b29cfb3f0 fix cleanup_sessions() 3 years ago
Florent Daigniere f0247a2faf Use self where appropriate 3 years ago
Florent Daigniere c161a2c987 syntax 3 years ago
bors[bot] 18865bf03b
Merge #2094
2094: Sessions tweaks r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

- Make all sessions permanent, introduce SESSION_TIMEOUT and PERMANENT_SESSION_LIFETIME.
- Prevent the creation of a session before there is a login attempt
- Ensure that webmail tokens are in sync with sessions

### Related issue(s)
- close #2080 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
Dimitri Huisman d40be05117 Fix missing edit buttons in alias, relay and fetchmail lists in admin. 3 years ago
Florent Daigniere a28c7f903e do it once 3 years ago
Dimitri Huisman f88daa1e77 Add missing cast to int 3 years ago
Florent Daigniere 5f313310d4 regenerate() shouldn't extend lifetime 3 years ago
Florent Daigniere fe18cf9743 Fix 2080
Ensure that webmail tokens are in sync with sessions
3 years ago
Florent Daigniere 02c93c44f2 Tweak sessions
simplify:
- make all sessions permanent by default
- update the TTL of sessions on access (save always)
- fix session-expiry, modulo 8byte precision
3 years ago
Florent Daigniere ea96a68eb4 don't create a session if we don't have to 3 years ago
bors[bot] 7c03878347
Merge #1441 #2090
1441: Rsyslog logging for postfix r=mergify[bot] a=micw


## What type of PR?

enhancement

## What does this PR do?
Changes postfix logging from stdout to rsyslog:
* stdout logging still enabled
* internal test request log messages are filtered out by rsyslog
* optional logging to file via POSTFIX_LOG_FILE env variable

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


2090: fix 2086 r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Fix a bug I've introduced in ae8db08bd

### Related issue(s)
- close #2086

Co-authored-by: Michael Wyraz <michael@wyraz.de>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 346ace5fb3 Make webmail the default action 3 years ago
bors[bot] 634318adba
Merge #2072
2072: use dovecot-fts-xapian from alpine package r=mergify[bot] a=willofr

## What type of PR?

enhancement

## What does this PR do?
use dovecot-fts-xapian from alpine packages repository (newer) instead of compiling an older version from source
see https://pkgs.alpinelinux.org/package/edge/community/x86/dovecot-fts-xapian

### Related issue(s)
No

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: willofr <willofr@users.noreply.github.com>
3 years ago
Florent Daigniere 09926702d6 fix 2086 3 years ago
bors[bot] e7f77875e2
Merge #2084
2084: Fix #2078 (login to webmail did not work when WEB_WEBMAIL=/ was set) r=mergify[bot] a=Diman0

## What type of PR?

bug-fix

## What does this PR do?
It fixes #2078. Login from SSO page to webmail did not work if WEB_WEBMAIL=/ was set in mailu.env.

I tested that it works with
- WEB_WEBMAIL=/webmail
- WEB_WEBMAIL=/

### Related issue(s)
- closes #2078 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] n/a In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
3 years ago
Florent Daigniere d7a8235b89
Simplify 3 years ago
bors[bot] 08be233607
Merge #2058
2058: Implement versioning for CI/CD workflow. r=mergify[bot] a=Diman0

## What type of PR?

Feature!

## What does this PR do?
This PR introduces 3 things
- Add versioning (tagging) for branch x.y (1.8). E.g. 1.8.0, 1.8.1 etc.
  - docker repo will contain x.y (latest) and x.y.z (pinned version) images.
  - The X.Y.Z tag is incremented automatically. E.g. if 1.8.0 already exists, then the next merge on 1.8 will result in the new tag 1.8.1 being used.
- Make the version available in the image.
  -  For X.Y and X.Y.Z write the version (X.Y.Z) into /version on the image and add a label with version=X.Y.Z
	  -  This means that the latest X.Y image shows the pinned version (X.Y.Z e.g. 1.8.1) it was based on. Via the tag X.Y.Z you can see the commit hash that triggered the built.
  -  For master write the commit hash into /version on the image and add a label with version={commit hash}
-  Automatic releases. For x.y triggered builts (e.g. merge on 1.9) do a new github release for the pinned x.y.z (e.g. 1.9.2). 
  -  Release shows a static message (see RELEASE_TEMPLATE.md) that explains how to reach the newsfragments folder and change the branch to the tag (x.y.z) mentioned in the release. Now you can get the changelog by reading all newsfragment files in this folder.

This PR does not change anything to our workflow (what we (human persons) do). Our processes are still exactly the same. The above introduced logic is automatic. When we backport to X.Y all the magic for creating the pinned version X.Y.Z is handled by the CI/CD workflow.

### Related issue(s)
- closes #1182

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.

## Testing
Suggested testing steps. This should cover all situations including BORS. It does require that you use your own docker repo or temporarily create a new one.
Suggested testing steps.
1. Create new github repo.
2. Add the required docker secrets to the project (see beginning of CI.yml for the secret names), DOCKER_UN, DOCKER_PW, DOCKER_ORG, DOCKER_ORG_TESTS.
3. Clone the project.
4. Copy the contents of the PR to the cloned project.
5. Push to your new github repo.
6. Now master images are built. Check that images with tag master are pushed to your docker repo
7. Check with docker inspect nginx:master that it has the label version={commit hash}.
8. Run an image, run `docker-compose exec <name> cat /version`. Note that /version also contains the pinned version. For master the pinned version is the commit hash.
9. Create branch 1.8. 
10. Push branch 1.8 to repo.
11. Note that tags 1.8 and 1.8.0 are built and pushed to docker repo
12. Inspect label and /version. Note that 1.8 and 1.8.0 both show version 1.8.0.
13. Push another commit to branch 1.8.
14. Note that tags 1.8 and 1.8.1 are built and pushed to docker repo
15. Inspect label and /version. Note that 1.8 and 1.8.1 both show version 1.8.1.
16. Let's check BORS stuff.
17. Create branch testing.
18. Push the commit with the exact commit text (IMPORTANT!!): `Try #1234:`'.
19. Note that images are built and pushed for tag `pr-1234`.
20. Inspect label and /version. Note that the version is `pr-1234`.
20. Create branch staging.
21. Push the commit with commit text: `Merge #1234`.
22. Note that this image is not pushed to docker (as expected).

but you could also check the GH repo and docker repo I used:
https://github.com/Diman0/Mailu_Fork
https://hub.docker.com/r/diman/rainloop/tags

Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
bors[bot] d2a2a3a8bf
Merge #2076
2076: fix the default for DEFER_ON_TLS_ERROR r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

The default wasn't set anywhere

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Dimitri Huisman fdb10cfb85 Start crond when POSTFIX_LOG_FILE is set 3 years ago
Dimitri Huisman 5bedcc1cb1 Fix #2078 3 years ago
Dimitri Huisman d76773b1df Also check the SMTP port for webmail/token 3 years ago
Dimitri Huisman f26fa8da84 Fix Webmail token check. Fix Auth-Port for Webmail. #2079 3 years ago
Florent Daigniere 593e3ac5a4 fix DEFER_ON_TLS_ERROR 3 years ago
willofr 841b29e794
revert back to alpine 3.14.2 as requested 3 years ago
willofr 73f5291cdb
Merge branch 'Mailu:master' into patch-1 3 years ago
Dimitri Huisman 53975684b8 Using Syslog is the new standard. It is not optional anymore. 3 years ago
willofr 84af3a3e50
use dovecot-fts-xapian from alpine package
I suggest using the dovecot-fts-xapian package from the alpine repository (newer) instead of compiling an older version from source:
see https://pkgs.alpinelinux.org/package/edge/community/x86/dovecot-fts-xapian
3 years ago
Florent Daigniere 4fffdd95e9 Reduce logging level 3 years ago
Dimitri Huisman d5896fb2c6 Add log rotation (if logging to file). Make rsyslog the default. 3 years ago
Florent Daigniere 89a7a8ac13 Fix score of RCVD_NO_TLS_LAST 3 years ago
Florent Daigniere 1925b2e0fb Upgrade rspamd 3 years ago
Dimitri Huisman 567b5ef172
Merge branch 'master' into postfix-logging 3 years ago
Dimitri Huisman 0de2ec77c6 Process code review remarks #1441 3 years ago
Dimitri Huisman f7677543c6 Process code review remarks
- Moved run to bottom of Dockerfile to allow using unmodified / cached states.
- Simplified bash code in deploy.sh.
- Improved the large bash one-liner in CI.yml. It could not handle >9 for 1.x.
3 years ago
Dimitri Huisman 56dd70cf4a Implement versioning for CI/CD workflow (see #1182). 3 years ago
Alexander Graf aa1d605665
Merge remote-tracking branch 'upstream/master' into passlib 3 years ago
Alexander Graf 84a5514a97
fixed auto reply form 3 years ago
Alexander Graf cf7914d050
fixed field iteration 3 years ago
Alexander Graf fd5bdc8650
added localized date output 3 years ago
Alexander Graf 0315ed78d9
Merge remote-tracking branch 'upstream/master' into update_deps 3 years ago
Till Skrodzki c48e00ee26 Do not call .split() on RELAYNETS if not specified 3 years ago
bors[bot] 56cbc56df7
Merge #2044
2044: Vault/rspamd: don't return any key for relayed domains r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR 

Don't return any key for relayed domains. We may want to revisit this (ARC signing)... but in the meantime it saves from a scary message in rspamd.
    
```signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...```


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
bors[bot] 78dd13a217
Merge #2042
2042: Add MESSAGE_RATELIMIT_EXEMPTION r=mergify[bot] a=nextgens

## What type of PR?

Enhancement

## What does this PR do?

Add a new knob called ```MESSAGE_RATELIMIT_EXEMPTION```.

### Related issue(s)
- #1774

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 6bf1a178b9 Go with ghostwheel42's suggestion 3 years ago
Florent Daigniere b68033eb43 only parse it once 3 years ago
Alexander Graf 82e14f1292
Merge branch 'master' into update_deps 3 years ago
bors[bot] f0188d9623
Merge #2034
2034: Add timezone to containers r=mergify[bot] a=DjVinnii

## What type of PR?

Enhancement

## What does this PR do?
This PR adds the tzdata package so that the environment variable `TZ` can be used to set the timezone of containers.

### Related issue(s)
- closes #1154 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: DjVinnii <vincentkling@msn.com>
3 years ago
Florent Daigniere dc6e970a7f handle HTTP too 3 years ago
Florent Daigniere bbef4bee27 Don't return any key for relayed domains
We may want to revisit this (ARC signing)... but in the meantime
it saves from a scary message in rspamd

signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...
3 years ago
Florent Daigniere 6c6b0b161c Set the right flags on the rate_limit cookie 3 years ago
Florent Daigniere f9373eacab Merge remote-tracking branch 'upstream/master' into misc 3 years ago
Florent Daigniere 5714b4f4b0 introduce MESSAGE_RATELIMIT_EXEMPTION 3 years ago
DjVinnii 30d7e72765 Move TZ to Advanced settings 3 years ago
DjVinnii 225160610b Set default TZ in Dockerfiles 3 years ago
DjVinnii 81e33d3679 Add default TZ to config manager 3 years ago
Alexander Graf 97e79a973f fix sso login button spacing again 3 years ago
Alexander Graf 73ab4327c2 updated database libraries (sqlalchemy etc.)
this is working fine, but introduces a sqlalchemy warning
when using config-import:

  /app/mailu/schemas.py:822:
    SAWarning: Identity map already had an identity for (...),
    replacing it with newly flushed object.
    Are there load operations occurring inside of an event handler
    within the flush?
3 years ago
Alexander Graf 4669374b9e use python wheels 3 years ago
Alexander Graf 85d86d4156 some more libs updated 3 years ago
Alexander Graf ffd99c3fa8 updated flask
ConfigManager should not replace app.config - this is causing trouble
with some other flask modules (swagger).
Updated ConfigManager to only modify app.config and not replace it.
3 years ago
Alexander Graf 87884213c4 update misc helper libs 3 years ago
Alexander Graf 56f65d724d update babel 3 years ago
Alexander Graf 5238b00f0b update alembic 3 years ago
Alexander Graf f613205fe1 update tenacity 3 years ago
Alexander Graf 833ccb5544 reload page using GET when selecting language 3 years ago
Alexander Graf 8b15820b01 fix sso login button spacing 3 years ago
Alexander Graf 26fb108a3f updated Flask-Login 3 years ago
Alexander Graf abc4112242 updated Werkzeug, Click and Flask-Migrate 3 years ago
Alexander Graf f1d7bedd1b fix display of range inputs (again) 3 years ago
Alexander Graf 13e6793c9f Merge remote-tracking branch 'upstream/master' into update_deps 3 years ago
Alexander Graf aca1e13648 update socrate - will be removed later 3 years ago
Alexander Graf 866741bcbe updated WTForms-Components deps 3 years ago
Alexander Graf ef19869cde updated redis 3 years ago
Alexander Graf d8efd3057c updated idna 3 years ago
Alexander Graf 8ad8cde0e2 removed some obsolete requirements 3 years ago
Alexander Graf 3ac1b3d86c update pyyaml and pygments 3 years ago
Alexander Graf 40cdff4911 updated dnspython 3 years ago
Alexander Graf dcbe55f062 updated crypto 3 years ago
Alexander Graf 771b2d1112 duh 3 years ago
Alexander Graf 23d0cd0466 update tabluate. fix audit.py and include in container 3 years ago
Alexander Graf 8d90a74624 update werkzeug to 1.x 3 years ago
bors[bot] 5e212ea46d
Merge #2036
2036: round display of range inputs to 2 decimals r=mergify[bot] a=ghostwheel42

## What type of PR?

small fix

## What does this PR do?

rounds display of range inputs to 2 decimals 

### Related issue(s)

- small fix to #1966

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago
Alexander Graf 80be3506da upgrade pip. completed reqs via pip freeze 3 years ago
Alexander Graf 598b2df5a0 update wtforms 3 years ago
Alexander Graf e8b5f1a185 round display of range inputs to 2 decimals 3 years ago
DjVinnii 1d6809193b Add tzdata to core 3 years ago
Florent Daigniere 74b31dc407 Ensure that RCVD_NO_TLS_LAST doesn't add spam points 3 years ago
bors[bot] 11bbceb9cc
Merge #2032
2032: doh r=mergify[bot] a=nextgens

This should have been part of #2030

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 8dad40f67c doh 3 years ago
bors[bot] e52a3de1b0
Merge #2027 #2030
2027: Make logs more quiet r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

It silences various useless log messages in front, specifically:
```
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/1.1" 301 162 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:11:04 +0000] "GET /health HTTP/2.0" 204 0 "-" "curl/7.78.0"
Oct 30 03:11:04 instance-20210109-1612 docker-front[1963]: 2021/10/30 03:11:04 [info] 476302#476302: *2622679 client 127.0.0.1 closed keepalive connection
Oct 30 03:13:02 instance-20210109-1612 docker-front[1963]: 127.0.0.1 - - [30/Oct/2021:03:13:02 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
```

`@micw` has requested it for k8s

2030: Fix RELAYNETS r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

RELAYNETS should be comma separated like everything else; rspamd should also be aware of what is considered "trusted".

I am not sure whether ```local_networks``` is the right configuration option for it though

- close #360

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 2170e07731 Tell rspamd about RELAYNETS 3 years ago
Florent Daigniere 9d474f32a6 RELAYNETS is comma separated! 3 years ago
Florent Daigniere f3c93212c6 The Rate-limiter should run after the deny 3 years ago
Florent Daigniere 53a0363b9e Deal with the noisy keepalive messages
We don't particularly care about HTTP... and that's what's noisy.
3 years ago
Florent Daigniere 80a85c27a9 Silent healthchecks in logs 3 years ago
Alexander Graf 9bc685c30b removed some more whitespace 3 years ago
Alexander Graf 8c31699baf fixed locale selector for no_NB 3 years ago
Alexander Graf 882a27f87c simplified if's and added external link icon 3 years ago
Alexander Graf 3141ffe791 removed some whitespace 3 years ago
Dimitri Huisman 6b16756d92 Fix acessing antispam via sidebar. 3 years ago
Dimitri Huisman 3449b67c86 Process code review remarks PR2023 3 years ago
Dimitri Huisman 8784971b7f Merge rate limiting and failed login logging 3 years ago
Dimitri Huisman 503044ef6e Reintroduce ProxyFix. Use two buttons for logging in. 3 years ago
Dimitri Huisman c42ad8e71e Forgot to include changes for url_for of base.html 3 years ago
Dimitri Huisman fb0f005343 Get rid of complicated prefix logic. Further simplify /static handling and nginx config. 3 years ago
Dimitri Huisman da788ddee3 Merge branch 'fix-sso-1929' of github.com:Diman0/Mailu into fix-sso-1929 3 years ago
Dimitri Huisman bdcc183165 Redirect to configured ENV VAR for Admin/Webmail, further simplify nginx config. 3 years ago
Dimitri Huisman f1a60aa6ea Remove unneeded auth_request_set 3 years ago
Florent Daigniere fee13e6c4b Save a redirect 3 years ago
Florent Daigniere d3f07a0882 Simplify the handling of /static 3 years ago
Florent Daigniere aee089f3b1 Ensure that static assets are readable 3 years ago
Dimitri Huisman a47afec4ee Make logic more readable. 3 years ago
Dimitri Huisman 48764f0400 Ensure all requests from the page sso go through the page sso. 3 years ago
Dimitri Huisman 5232bd38fd Simplify webmail logout. 3 years ago
Dimitri Huisman aab258d284 Move handling of logging out in admin, to sso logout page. 3 years ago
Dimitri Huisman 615743b331 Improve indendation of conditions. 3 years ago
Dimitri Huisman 5d81846c5d Introduce the shared stub /static for providing all static files 3 years ago
Dimitri Huisman eb74a72a52 Moved locations to correct area in nginx.conf. 3 years ago
Dimitri Huisman aa7380ffba Doh! 3 years ago
Dimitri Huisman 44d2448412 Updated SSO logic for webmails. Fixed small bug rate limiting. 3 years ago
Dimitri Huisman f9eee0cbaf Adapt HEALTHCHECK to new URL 3 years ago
Dimitri Huisman ed7adf52a6 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929 3 years ago
Dimitri Huisman 913a6304a7 Finishing touches. Introduce /static stub for handling all static files. 3 years ago
bors[bot] a1192d8039
Merge #1987
1987: Enhancement to the rate limits r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Turn the rate-limiters into something useful (that won't fire for no reason).

- fix rate-limiting on /webdav/
- it changes the rate-limiting behaviour from limiting a single IP address to a subnet of a reasonable size (/24 on v4 and /56 on v6 both are now configurable) : AUTH_RATELIMIT_IP / AUTH_RATELIMIT_IP_V4_MASK / AUTH_RATELIMIT_IP_V6_MASK
- It ensures we only use IP-based rate-limits for attempts on accounts that do not exist
- it creates a new rate limit preventing attackers from targetting a specific user account (separate from what's above) : AUTH_RATELIMIT_USER
- it introduces a rate limiting exemption mechanism whereby, upon authentication, users will see their source-ip address being exempt for a specific amount of time AUTH_RATELIMIT_EXEMPTION_LENGTH. A similar mechanism is available for web-based sessions (see below)
- It introduces in AUTH_RATELIMIT_EXEMPTION a comma separated list of network CIDRs that will be exempt from both types of rate limiting
- it implements device-tokens, as described on https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies to ensure that genuine users aren't locked-out by a malicious attacker abusing the rate-limit feature.

Things that could be improved include:
- the IP-based rate limiter flags attempts against "non-existing" accounts: it could go further and flag the number of unique non-existing accounts attempted (to prevent the case of a user making a typo in his MUA configuration)
- the IP address exemption mechanism doesn't pin the exemption to a specific username: any real user can trivially bypass the rate limits (and attempt to brute-force someone else's account)

### Related issue(s)
- close #1926
- close #1745 
- close #1915


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
3 years ago
Florent Daigniere 693b578bbb The second strip isn't necessary 3 years ago
Florent Daigniere 1c6165213c better that way 3 years ago
Florent Daigniere 34497cff20 doh 3 years ago
Florent Daigniere e8871dd77f doh 3 years ago
Florent Daigniere 5b72c32251 Doh 3 years ago