2858 Commits (6fe265b54832d586d7b94c1c3204bdb27a3a782d)
 

Author SHA1 Message Date
bors[bot] 6fe265b548
Merge #1968
1968: optimize handle_authentication r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

catch utf-8 decoding errors and log a warning in handle_authentication instead of writing a traceback into the log.

### Related issue(s)

closes #1361

## Prerequistes

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago
bors[bot] d8dc765f04
Merge #1967
1967: fix 1789: ensure that nginx resolves ipv4 addresses r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

This fixes ipv6 enabled setup by disabling it. If you were using SUBNET6 in your configuration, odds are it's broken since gunicorn isn't bound on an on an ipv6 enabled socket.

Should we backport this?

### Related issue(s)
- close #1789
- close #1802


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
bors[bot] e38844cfcd
Merge #1961
1961: Implement MTA-STS and DANE validation r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

Implement MTA-STS: the tls_policy_map will now be auto-configured based on the policies published by the various domains. A FAQ entry has been added to document how to publish a policy using Mailu.

As configured by default there is no persistence. If we want persistence we can have either sqlite3 (with a db in the mailqueue) or redis...

This also introduces a DEFER_ON_TLS_ERROR (default: True) setting that will harden policy enforcement and defer emails that shouldn't be delivered. Turn it off if you never want to set an override.

### Related issue(s)
- closes #1798
- closes #707 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Alexander Graf 90c96bdddc optimize handle_authentication
- catch decoding of nginx headers (utf-8 exception)
- re-ordered function
3 years ago
Florent Daigniere 7aa403573d no with here 3 years ago
Florent Daigniere 0ee52ba65b Doh 3 years ago
Florent Daigniere 0f0459e9b2 suggestions from @ghostwheel42 3 years ago
Florent Daigniere 9888efe55d Document as suggested on #mailu-dev 3 years ago
Florent Daigniere a9a1b3e55e Reduce the EDNS0 size to 1232
@see
https://github.com/dns-violations/dnsflagday/issues/125
3 years ago
Florent Daigniere 72ba5ca3f9 fix 1789: ensure that nginx resolves ipv4 addresses 3 years ago
Florent Daigniere d8c22db547 Merge remote-tracking branch 'upstream/master' into policyd-mta-sts 3 years ago
bors[bot] 71cc8b0a81
Merge #1800
1800: AdminLTE 3 r=mergify[bot] a=DjVinnii

## What type of PR?

Enhancement

## What does this PR do?

This PR implements AdminLTE 3 for the admin interface. It also includes the implementation of DataTables and a language selector.

### Related issue(s)
- closes: #1567
- closes: #1764 

## Prerequistes

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Vincent Kling <vincentkling@msn.com>
Co-authored-by: DjVinnii <vincentkling@msn.com>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
bors[bot] f815075929
Merge #1965
1965: postfix/tls_policy: Use lmdb map instead of hash r=mergify[bot] a=tonobo

## What type of PR?

bug-fix

## What does this PR do?

### Related issue(s)

#1918

https://github.com/Mailu/Mailu/pull/1902/#issuecomment-902108080



Co-authored-by: Tim Foerster <timhormersdorf@googlemail.com>
3 years ago
Tim Foerster 9ec9d4d4fb
postfix/tls_policy: Use lmdb map instead of hash
The alpine postfix package seems to have removed support for btree and hash map type. #1918 
The tls_policy.map stuff has been introduced in #1902 and it has been merged without fixing this before (https://github.com/Mailu/Mailu/pull/1902/#issuecomment-902108080)
3 years ago
Florent Daigniere 4abf49edf4 indent 3 years ago
Florent Daigniere c1d94bb725 Ensure that postfix will be able to use the TLSA records
see https://www.huque.com/dane/testsite/ for the testcases
3 years ago
Florent Daigniere ef5f82362c Merge remote-tracking branch 'upstream/master' into policyd-mta-sts 3 years ago
Florent Daigniere 92cc664e82 Cosmetic change 3 years ago
Florent Daigniere 489520f067 forgot about alpine/lmdb 3 years ago
Florent Daigniere 9f66e2672b Use DEFER_ON_TLS_ERROR here too
We just don't know whether the lookup failed because we are under attack
or whether it's a glitch; the safe behaviour is to defer
3 years ago
Florent Daigniere a1da4daa4c Implement the DANE-only lookup policyd
https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67 for
context
3 years ago
Dimitri Huisman 5f18860669 Remove workaround. Remove deprecated url-loader. 3 years ago
Dimitri Huisman 60be06e298 Temporary workaround to get FontAwesome icons working. 3 years ago
Florent Daigniere d607ba0ef2 Clarify that a restart may be required 3 years ago
Florent Daigniere fb34f53493 Do operations in the right (safe) order 3 years ago
Florent Daigniere fccb0cc57f Add a longer max_age (15days) 3 years ago
Dimitri Huisman 5da7a06675 Resolve webpack.config.js error 3 years ago
Florent Daigniere 67db72d774 Behave like documented 3 years ago
Florent Daigniere 05b57c972e remove the static policy as it will override MTA-STS and DANE 3 years ago
Florent Daigniere a8142dabbe Introduce DEFER_ON_TLS_ERROR
This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.
3 years ago
bors[bot] 7e86f5cb57
Merge #1959
1959: Ensure that we don't trust client headers r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Document how REAL_IP_FROM and REAL_IP_HEADER should be used. Ensure that we strip True-Client-IP and X-Forwarded-For if neither are set.

We should also update the documentation on reverse-proxies... but that's #1958

### Related issue(s)
- #1958

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 7c5dcfa025 MTA-STS is a major feature 3 years ago
Florent Daigniere 5efe35329b doh 3 years ago
Florent Daigniere 5634354911 document how to publish an MTA-STS policy 3 years ago
Florent Daigniere a019607873 towncrier 3 years ago
Florent Daigniere 52d3a33875 Remove the domains that have a valid MTA-STS policy
gmail.com
comcast.net
mail.ru
googlemail.com
wp.pl
3 years ago
Florent Daigniere 4f96e99144 MTA-STS (use rather than publish policies) 3 years ago
Dimitri Huisman 00276d8b70
Merge branch 'master' into AdminLTE-3 3 years ago
bors[bot] 1d9850490c
Merge #1958
1958: Update the documentation on reverse proxies r=mergify[bot] a=nextgens

## What type of PR?

documentation

## What does this PR do?

Update the documentation on reverse proxies; this is mostly cosmetic (fix the links, use example.com where appropriate, ...).

It also removes the last option (run Mailu without its frontend) as that won't work with SSO and is a terrible idea anyway.

I wonder if we should just get rid of that section

### Related issue(s)
- #1528
- #1422
- #1038
- #1879

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
3 years ago
Florent Daigniere 8106892ee8 towncrier 3 years ago
Florent Daigniere 394c2fe22c Document REAL_IP_HEADER and REAL_IP_FROM
Fix a security vulnerability whereby we were not clearing other headers
3 years ago
Florent Daigniere 6bba0cecfc Strip the Forwarded header since nothing is compatible with it yet 3 years ago
Florent Daigniere 0e45bb3ae5 use example.com 3 years ago
Florent Daigniere d65993886a Fix the links 3 years ago
Florent Daigniere 9e306bf255 use example.com 3 years ago
Florent Daigniere 5ed77750f2 clarify 3 years ago
Florent Daigniere 13e0b56a0d This breaks SSO 3 years ago
bors[bot] 6e32092abd
Merge #1873
1873: Completed Hebrew translation r=mergify[bot] a=yarons

The Hebrew translation is incomplete so I've completed it.

Co-authored-by: Yaron Shahrabani <sh.yaron@gmail.com>
3 years ago
bors[bot] 4c52eb3e0e
Merge #1957
1957: BugFix 1952 - use punycode encoding in HTTP headers for webmail/radicale r=mergify[bot] a=Diman0

## What type of PR?

Bug fix

## What does this PR do?

Fixes a bug introduced by the SSO implementation and an already existing bug for radicale.
In auth.py we did not use punycode (ACE) encoding for the domain part of an email. 
Since we pass the user name in the HTTP header to webmail/radicale, we would sometime pass non-ascii. E.g. user@exämple.io.
This is illegal. HTTP headers may only contain ASCII. The domain part of the user name therefore now uses punycode encoding.

I tested that I can log in with the form user@exämple.io and user@xn--exmple-cua.io for
- admin
- roundcube (also tested sending emails of course)
- rainloop (also tested sending emails of course)
- radicale (webdav)
- thunderbird - sending/receiving emails and accessing/modifying the webdav calendar added in radicale.
  - for the calendar you can use the normal and punnycode notation
  - for email you can only use punnycode. This is a limitation of thunderbird. It does not accept email addresses with non-ascii in the domain part of an email address.

### Related issue(s)
- closes  #1952 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [n/a] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
3 years ago
Dimitri Huisman 169a540692 Use punycode for HTTP header for radicale and create changelog 3 years ago