186 Commits (98d2d6f21289db4c61d5555127171192db7f5cc9)

Author SHA1 Message Date
Diman0 8868aec0dc Merge master. Make sso login working for admin. 3 years ago
Florent Daigniere d7c2b510c7 Give alpine 3.14.2 a shot 3 years ago
Florent Daigniere 394c2fe22c Document REAL_IP_HEADER and REAL_IP_FROM
Fix a security vulnerability whereby we were not clearing other headers
3 years ago
Florent Daigniere 6bba0cecfc Strip the Forwarded header since nothing is compatible with it yet 3 years ago
Florent Daigniere 3e676e232a fix #1270 3 years ago
Jack Murray dd127f8f06 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
3 years ago
Florent Daigniere 6704cb869a Switch to 3072bits dhparam (instead of 4096bits)
We aim for 128bits of security here
3 years ago
Jack Murray e304c352a1 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
3 years ago
Florent Daigniere c76a76c0b0 make it optional, add a knob 3 years ago
Florent Daigniere 109a8aa000 Ensure that we always have CERT+INTERMEDIARY CA
Let's encrypt may change things up in the future...
3 years ago
Florent Daigniere 974bcba5ab Restore LOGIN as tests assume it's there 3 years ago
Florent Daigniere 12c842c4b9 In fact in fullchain we want all but the last 3 years ago
Florent Daigniere 24f9bf1064 format certs for nginx 3 years ago
Florent Daigniere 98b903fe13 don't send the rootcert 3 years ago
Florent Daigniere 92ec446c20 doh 3 years ago
Florent Daigniere f05cc99dc0 Add ECC certs for modern clients 3 years ago
Florent Daigniere cb68cb312b Reduce the size of the RSA key to 3072bits
This is already generous for certificates that have a 3month validity!

We rekey every single time.
3 years ago
Florent Daigniere 5e7d5adf17 AUTH shouldn't happen on port 25 3 years ago
Florent Daigniere 7285c6bfd9 admin won't understand LOGIN 3 years ago
bors[bot] 48f3b1fd49
Merge #1656
1656: Add ability to set no WEBROOT_REDIRECT to Nginx r=mergify[bot] a=DavidFair

## What type of PR?

Enhancement / Documentation

## What does this PR do?

From commit:

---

Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.

---

I've also added bullet points to break up a long flowing sentence in `configuration.rst` - it should be a bit easier to read now

### Related issue(s)
No Related Issue - I just jumped to a PR

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly

@ Maintainers - Is this worthy of the changelog, it's useful to know about but I imagine the number of people it affects is equally minimal?
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: David Fairbrother <DavidFair@users.noreply.github.com>
3 years ago
Florent Daigniere 420afa53f8 Upgrade to alpine 3.14 3 years ago
Florent Daigniere dd3d03f06d Merge remote-tracking branch 'upstream/master' into webmail-sso 4 years ago
bors[bot] ce0c93a681
Merge #1618
1618: add OCSP stapling to nginx.conf r=mergify[bot] a=lub

It's not added in tls.conf, because apparently the mail ssl module
doesnt' support OCSP stapling.

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
^ exists

https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_stapling
^ missing

When the configured certificate doesn't have OCSP information, it'll
just log a warning during startup.

## What type of PR?

enhancement

## What does this PR do?

It enables OCSP stapling for the http server. OCSP stapling reduces roundtrips for the client and reduces load on OCSP responders.

### Related issue(s)
- fixes  #1616

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
4 years ago
Dario Ernst b6716f0d74 Remove "CHUNKING" capability from nginx-smtp
With `CHUNKING`set as a capability, nginx advertises this capability to
clients at a stage where the SMTP dialog does not seem to be forwarded
to the proxy-target (postfix) yet. Nginx' SMTP parser itself does not
support the `BDAT` command issued as part of a chunke-d dialog. This makes
Nginx respond with a `250 2.0.0 OK` and close the connection, after the
mail-data got sent by the client — without forwarding this to the
proxy-target.

With this, users mail can be lost.

Furthermore, when a user uses a sieve filter to forward mail, dovecot
sometimes chunks the forwarded mail when sending it through `front`.
These forwards then fail.

Removing `CHUNKING` from the capabilities fixes this behavior.
4 years ago
Florent Daigniere 80f939cf1a Revert to the old behaviour when ADMIN=false 4 years ago
Florent Daigniere 906a051925 Make rainloop use internal auth 4 years ago
ofthesun9 d32e73c5bc Fix letsencrypt access to certbot for the mail-letsencrypt flavour 4 years ago
David Fairbrother e7caff9811 Add ability to set no WEBROOT_REDIRECT to Nginx
Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
4 years ago
bors[bot] 5c36dc4f54
Merge #1611
1611: Adds own server on port 80 for letsencrypt and redirect r=mergify[bot] a=elektro-wolle

## What type of PR?

Bugfix

## What does this PR do?

Handle letsencrypt route to `.well-known` by own server configuration within nginx.

### Related issue(s)
closes #1564

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Wolfgang Jung <w.jung@polyas.de>
4 years ago
lub 66db1f8fd0 add OCSP stapling to nginx.conf
It's not added in tls.conf, because apparently the mail ssl module
doesnt' support OCSP stapling.

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
^ exists

https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_stapling
^ missing

When the configured certificate doesn't have OCSP information, it'll
just log a warning during startup.
4 years ago
lub 0cb0a26d95 relax TLS settings on port 25
Because basically every MTA out there uses opportunistic TLS _in
the best case_, it's actually counter productive to use such strict
settings.

The alternative to a handshake error is often an unencrypted submission,
which is basically the opposite of what strict ssl_protocols and
ssl_ciphers tries to achieve.

Even big and established providers like Amazon SES are incompatible with the current
settings.

This reverts commit 2ddf46ad2b.
4 years ago
Wolfgang Jung 1f4e9165fa Disables unencrypted http on TLS_ERROR 4 years ago
Wolfgang Jung f999e3de08 Adds own server on port 80 for letsencrypt and redirect 4 years ago
ofthesun9 cff2e76269 Switching to alpine:3.12 4 years ago
bors[bot] 8844dc67fa
Merge #1392
1392: Use environment variables for cert paths/names in nginx certwatcher r=mergify[bot] a=Nebukadneza

## What type of PR?
bug-fix

## What does this PR do?
Previously, nginx certwatcher would only react to the hardcoded paths. It should have
honored the enviroment variables that are used by config.py too for this.
 
### Related issue(s)
closes #903

## Prerequistes
- [x] no feature or enhancement
- [x] minor/internal change


Co-authored-by: Dario Ernst <github@kanojo.de>
5 years ago
bladeswords 2ddf46ad2b
Update crypto to be modern and inline with tls.conf
Updated to match tls.conf and be aligned to more modern cryptographic standards and only use currently secure protocols and ciphers.
5 years ago
Dario Ernst 09024c8008 Use environment variables for cert paths/names in nginx certwatcher
Previously, nginx certwatcher would only react to the hardcoded paths. It should have
honored the enviroment variables that are used by config.py too for this.

closes #903
5 years ago
Tom Radtke 4f973f63e6
Upgrading nginx TLS configuration 5 years ago
Michael Wyraz ace475d23c Certwatcher: Use polling observer to workaround some symlink limitations 5 years ago
Michael Wyraz 09ee3ce95c Install py3-multidict from repository before installing socrate to avoid the need of gcc during build 5 years ago
bors[bot] 0417c791ff
Merge #985
985: Permit raspberry pi (and other architectures) builds r=mergify[bot] a=abondis

## What type of PR?

Enhancement

## What does this PR do?

Add an option to select base images and permit building for different CPU architectures.

### Related issue(s)
N/A

## Prerequistes

- [X] documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Aurélien Bondis <aurelien.bondis@gmail.com>
Co-authored-by: Aurelien <aurelien.bondis@gmail.com>
5 years ago
bors[bot] dcda412b99
Merge #1211
1211: Split HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI r=mergify[bot] a=micw

## What type of PR?

bug-fix

## What does this PR do?

Fixes #1190 by separating HOST_ANTISPAM into HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI

### Related issue(s)
- closes #1190
- closes #1150

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Michael Wyraz <michael@wyraz.de>
5 years ago
bors[bot] b668eccc17
Merge #1181
1181: Update to address issue #1178 (HTTP headers) r=muhlemmer a=bladeswords

This change should remove the duplicate `x-xss-protection` header and also the `x-powered-by` header.  Hopefully a pull request to main is appropriate, but may be worth back porting to 1.7.

Tested config by modifying live 1.7 nginx config and reloading.  Has had the desired outcome of removing the headers.

```/etc/nginx # nginx -t -c /etc/nginx/nginx.conf 
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/etc/nginx # nginx -s reload
```

These steps were based on:
- https://serverfault.com/questions/928912/how-do-i-remove-a-server-added-header-from-proxied-location
- https://serverfault.com/questions/929571/overwrite-http-headers-comming-back-from-a-web-application-server-proxied-in-ngi
- http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header

## What type of PR?

Enhancement

## What does this PR do?
Removes duplicate and unneeded headers.  See issue #1178 

### Related issue(s)
- issue: #1178 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ X ] In case of feature or enhancement: documentation updated accordingly
- [ X ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: bladeswords <bladeswords@users.noreply.github.com>
5 years ago
Michael Wyraz a907fe4cac Split HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI 5 years ago
Michael Wyraz c20976f071 Allow smtp auth login for TLS port (similar to SSL port) 5 years ago
bors[bot] 20e00ac0c4
Merge #1158
1158: Use nginx for kubernetes ingress r=kaiyou a=micw

## What type of PR?

enhancement

## What does this PR do?

Currently, kubernetes uses a complex ingress setting which is not portable across different ingress controllers. This PR simplifies the ingress and delegates everythins special to Mailu to the front container,

### Related issue(s)
- closes #1121
- closes #1117
- closes #1021
- closes #1045

## Prerequistes

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog]

Co-authored-by: Michael Wyraz <michael@wyraz.de>
5 years ago
bladeswords b13d143b34
Update to address issue #1178 (HTTP headers)
This change should remove the duplicate `x-xss-protection` header and also the `x-powered-by` header.  Hopefully a pull request to main is appropriate, but may be worth back porting to 1.7.

Tested config by modifying live 1.7 nginx config and reloading.  Has had the desired outcome of removing the headers.

```/etc/nginx # nginx -t -c /etc/nginx/nginx.conf 
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/etc/nginx # nginx -s reload
```

These steps were based on:
- https://serverfault.com/questions/928912/how-do-i-remove-a-server-added-header-from-proxied-location
- https://serverfault.com/questions/929571/overwrite-http-headers-comming-back-from-a-web-application-server-proxied-in-ngi
- http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header
5 years ago
bors[bot] e46153c0b1
Merge #1114
1114: Resolve HOST to ADDRESS only if ADDRESS is not already set r=mergify[bot] a=micw

## What type of PR?

bug-fix

## What does this PR do?

~Makes the rsolving from hosts to ips at startup configurable~

I rewrote the pull request after #940 was merged. Now it resolves HOSTs to ADDRESSes only of ADDRESSes are not already set. So on kubernetes we can jsut set the address and have working service discovery.

### Related issue(s)
- closes #1113

## Prerequistes

~Minor change, backward compatible~
Changelog will be added

Co-authored-by: Michael Wyraz <michael@wyraz.de>
5 years ago
Thomas Sänger 5fa87fbdf7
front: advertise real capabilites of mail-backends 5 years ago
Michael Wyraz 92645bcd4a Use nginx for kubernetes ingress 5 years ago
Michael Wyraz de2f166bd1 Resolve HOST_* to *_ADDRESS only if *_ADDRESS is not already set 5 years ago
kaiyou 4afbc09d6e Remove unnecessary host variable assignments 5 years ago
Tim Möhlmann ed0fb77a01
Catch empty WEBMAIL and WEBDAV address 5 years ago
Ionut Filip 075417bf90 Merged master and fixed conflicts 5 years ago
Aurélien Bondis 124b1d4c71 rebase and update for 3.10, avoid adding qemu file to x86 images 5 years ago
hoellen 9de5dc2592 Use python package socrate instead of Mailustart 5 years ago
Dario Ernst 1dbda71401 Adapt shared layer conf to now really-missing mailustart in admin (after merging webpack) 5 years ago
Dario Ernst 0306be1eed Re-add missing MailuStar in admin
It turns out we were all blind and admin *does* use MailuStart
5 years ago
Dario Ernst ce0c24e076 Merge branch 'master' into HorayNarea-feat-upgrade-alpine 5 years ago
Dario Ernst 53f754f5ac Remove MailuStart from admin and correct layer-sharing comments 5 years ago
Thomas Sänger 2c7d1d2f71
use HTTP/1.1 for proxyied connections 5 years ago
Dario Ernst bb2edb6eb6 Revert "Move alpine version definition out to variable"
This reverts commit c787e4bdbd.
5 years ago
Dario Ernst c787e4bdbd Move alpine version definition out to variable 5 years ago
Dario Ernst a253ca47fe Use official Mailu/MailuStart 5 years ago
Dario Ernst d1f80cca99 Update Dockerfiles to most recent alpine 3.10 5 years ago
Thomas Sänger ef3c6c407a upgrade alpine base-image 5 years ago
Ionut Filip 4c25c83419 HOST_* and *_ADDRESS variables cleanup 6 years ago
Abel Alfonso Fírvida Donéstevez 39444c794e Install bash in alpine based images.
This fix https://github.com/Mailu/Mailu/issues/918

Bash shell is used by default in Kubernetes' dashboard console, which is very
useful for admins.
6 years ago
Ionut Filip f8dffe5a19
Resolve hosts in admin 6 years ago
Ionut Filip 004a431e97
Change to mailustart functions 6 years ago
Tim Möhlmann 049ca9941f
Cleanup syntax and fix typo 6 years ago
Tim Möhlmann 71cda7983e
Merge branch 'master' into feat-logging 6 years ago
Tim Möhlmann 7d01bb2a4d
LOG_LEVEL docs and changelog entry 6 years ago
Tim Möhlmann b04a9d1c28
Implement debug logging for template rendering 6 years ago
Tim Möhlmann 5636e7f5a7
Remove to avoid matching webroot 6 years ago
Tim Möhlmann 4f93e09028
Implement favicon package
Credit to:
- https://stackoverflow.com/a/19590415/1816774
- https://realfavicongenerator.net/
6 years ago
Tim Möhlmann 24828615cf
Webmail on root, fixes #757 6 years ago
Tim Möhlmann c7dcfee882
Merge pull request #713 from pgeorgi/extend-nginx
nginx: Allow extending config with overrides
6 years ago
Tim Möhlmann 6ca8ed437d
Merge pull request #732 from Nebukadneza/add_front_certificate_reload
Add certificate watcher for external certs to reload nginx
6 years ago
Dario Ernst 1aa97c9914 Add certificate watcher for external certs to reload nginx
In case of TLS_FLAVOR=[mail,cert], the user supplies their own certificates.
However, since nginx is not aware of changes to these files, it cannot
reload itself e.g. when the certs get renewed.

To solve this, let’s add a small daemon in the place of
`letsencrypt.py`, which uses a flexible file-watching framework and
reloads nginx in the case the certificates change ….
6 years ago
Tim Möhlmann c00910ca4b
Merge remote-tracking branch 'upstream/master' into extend-nginx 6 years ago
Tim Möhlmann 97d338e68a
Rectify 'endif' placement 6 years ago
Tim Möhlmann 425cdd5e77
Fix syntax errors 6 years ago
Tim Möhlmann 20f1faf6d0
Send 404 when nothing server at '/'
Prevents Nginx welcome screen
6 years ago
Tim Möhlmann 2de4995fec
Don't redirect when webmail is served on '/' 6 years ago
Tim Möhlmann 9dd447e23b
Add login method to smtp_auth under ssl
Fixes #704
6 years ago
Patrick Georgi eac4d553a9 nginx: Allow extending config with overrides
To facilitate this, the default redirect at / can be disabled, even if
the default remains at redirecting to the webmailer.

The extensions are within the host scope and are read from
$ROOT/overrides/nginx/*.conf.
6 years ago
Tim Möhlmann 42e2dbe35d
Standarize image by using shared / similair layers 6 years ago
Thomas Sänger 603b6e7390
Merge pull request #2 from usrpro/fix-nginx-healthcheck
Fix nginx healthcheck
6 years ago
Tim Möhlmann 81b24f61e8
Merge branch 'master' into feat-healthchecks 6 years ago
Tim Möhlmann c3e89967fb
Fix front health checking
- Specified seperated /health path in order to allow for healthcheck even if webmail and admin are not seletectd. This also allows healthchecking fom external services like DNS load balancers;
- Make curl not to fail on TLS because localhost is not included in the certificates.
6 years ago
mergify[bot] bce1487338
Merge pull request #576 from hacor/master
Kubernetes fixed for production
6 years ago
Paul Williams 78bd5aea1c enable http2, because it's that easy 6 years ago
hoellen d4f32c3e7d remove rewrite if webmail is on root 6 years ago
Hans Cornelis 3098343360 Merged conflicts 6 years ago
hacor 4ea12deae7 Added kubernetes to Mailu 6 years ago
Thomas Sänger 39272ab05c
add healthcheck for http services 6 years ago
Tim Möhlmann de43060ef8
Move to Alpine:3.8 and fixing #522 6 years ago
kaiyou 2cba045013 Explicitely declare required volumes, fixes #568 6 years ago
Pierre Jaury 3dca1a834c Pin alpine 3.7 until we fix the certbot issue, see #522 6 years ago