Commit Graph

246 Commits (9ef96e9c1eac01af54c65af18350a91b688c2253)

Author SHA1 Message Date
Alexander Graf 3c9c01f8eb Add style for responsive design
Alexander Graf 842be9b7c3 Skip listen to v6 when SUBNET6 is not set
Florent Daigniere 926570f1ca Need this too
Florent Daigniere 9803c51d55 Use a hostname
Florent Daigniere 6533f41f48 Trust the IP address from the local subnet
This will only work when SUBNET autodetection is merged
Florent Daigniere 760ec301e3 harden the trusted hosts
Florent Daigniere 9d2046f43f Upgrade webmails
bors[bot] 7e60ba4e98
Merge
2613: Enhance network segregation r=nextgens a=nextgens

## What type of PR?

enhancement

## What does this PR do?

- put radicale and webmail on their own network: this is done for security: that way they have no privileged access anywhere (no access to redis, no access to XCLIENT, ...)
- remove the EXPOSE statements from the dockerfiles. These ports are for internal comms and are not meant to be exposed in any way to the outside world.

### Related issue(s)
- 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 052f8e41ba Upgrade to snuffleupagus 0.9.0
Florent Daigniere 9d555b0eec Don't expose any port (suggestion from ghost)
Florent Daigniere e85a2a7e99 Step1: expose managesieve, make the webmails use it
Florent Daigniere 92c0016e32 Fix snappymail
Florent Daigniere bf0c345bb9 Fix snappymail
Florent Daigniere 108958cabb drop privs better
Alexander Graf 15ba442477 Duh
Alexander Graf 5a99ab316d Duh
Alexander Graf 373488148b Remove useless style for larry skin
Alexander Graf c38e6aae4e Add button to mailu-admin in roundcube task menu
bors[bot] 4315227215
Merge
2587: fix roundcube/sieve r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Without this snuffleupagus is throwing a tantrum on ini_get(), when saving a sieve filter from roundcube.

```
[17-Dec-2022 13:44:08] WARNING: [pool php] child 21853 said into stderr: "NOTICE: PHP message: PHP Fatal error:  [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'ini_get', because its argument '$option' content (suhosin.request.max_vars) matched a rule in /var/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 532"
```

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
bors[bot] 251db0b1af
Merge
2562: Dynamic address resolution everywhere r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Use dynamic address resolution everywhere.
Derive a new key for admin/SECRET_KEY
Cleanup the environment

This should allow restarting containers.

### Related issue(s)
- closes 
- closes 
- closes 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 170b12baf0 fix sieve
fastlorenzo 2fa8dcb51d Fixed roundcube carddav module
Signed-off-by: fastlorenzo <git@bernardi.be>
Florent Daigniere 4e3874b0c1 Enable dynamic resolution of hostnames
Florent Daigniere 8150ca77b2 this isn't required anymore either
Florent Daigniere e927426dfa Turns out that php81-ctype is required by roundcube
see https://github.com/roundcube/roundcubemail/issues/7049
Florent Daigniere c4595fddca Change perms first
Florent Daigniere 9566c297d9 Don't do it as root
Florent Daigniere 63a12d9857 changes requested by ghost
Florent Daigniere 9fa3a3e0c7 doc
Florent Daigniere 9e61a33cb2 Merge branch 'master' of https://github.com/Mailu/Mailu into webmail-hardening
Florent Daigniere ab852772f9 Bump snappymail to 2.21.3
Florent Daigniere 28d720bbc9 As requested
Florent Daigniere 840b2bd9df block o:0:{} too
Florent Daigniere 017ea5298e typo
Florent Daigniere 2a4f6836cf protect unserialize()
Florent Daigniere e5ab9821f9 Add snuffleupagus
This seems to work in my limited testing.
Florent Daigniere 56a106ad60 Only one labs section in the conf file
Florent Daigniere 071ad15a97 Better snappymail defaults
Florent Daigniere 6b2cb95a7d This is not required anymore
Florent Daigniere a508eeaafb Use /dev/shm for tmp
Florent Daigniere f2f430af5d Redirect the logs where they belong
Florent Daigniere 06c0c78956 Hardening: run the http and php as different users
Florent Daigniere 7ebac75045 fix tests
Florent Daigniere f3a91d1a18 enable APCu
Florent Daigniere 225322fe88 More hardening
Florent Daigniere ad17b10c8e redirects should be HTTP/302
Florent Daigniere 1379a58352 Basic hardening
Florent Daigniere 7e722cd0c3 fix : ensure rainloop uses _ADDRESS
Florent Daigniere 224f2f4508 This isn't used anymore
The healthcheck is now done by fpm
Florent Daigniere a8d405cb48 Verify the gpg signature of webmails