245 Commits (ae7061c5613539320d07ab386876c3cc0db02e90)

Author SHA1 Message Date
Alexander Graf 842be9b7c3
Skip listen to v6 when SUBNET6 is not set 2 years ago
Florent Daigniere 926570f1ca Need this too 2 years ago
Florent Daigniere 9803c51d55 Use a hostname 2 years ago
Florent Daigniere 6533f41f48 Trust the IP address from the local subnet
This will only work when SUBNET autodetection is merged
2 years ago
Florent Daigniere 760ec301e3 harden the trusted hosts 2 years ago
Florent Daigniere 9d2046f43f Upgrade webmails 2 years ago
bors[bot] 7e60ba4e98
Merge #2613
2613: Enhance network segregation r=nextgens a=nextgens

## What type of PR?

enhancement

## What does this PR do?

- put radicale and webmail on their own network: this is done for security: that way they have no privileged access anywhere (no access to redis, no access to XCLIENT, ...)
- remove the EXPOSE statements from the dockerfiles. These ports are for internal comms and are not meant to be exposed in any way to the outside world.

### Related issue(s)
- #2611

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Florent Daigniere 052f8e41ba Upgrade to snuffleupagus 0.9.0 2 years ago
Florent Daigniere 9d555b0eec Don't expose any port (suggestion from ghost) 2 years ago
Florent Daigniere e85a2a7e99 Step1: expose managesieve, make the webmails use it 2 years ago
Florent Daigniere 92c0016e32 Fix snappymail 2 years ago
Florent Daigniere bf0c345bb9 Fix snappymail 2 years ago
Florent Daigniere 108958cabb drop privs better 2 years ago
Alexander Graf 15ba442477
Duh #2 2 years ago
Alexander Graf 5a99ab316d
Duh 2 years ago
Alexander Graf 373488148b
Remove useless style for larry skin 2 years ago
Alexander Graf c38e6aae4e
Add button to mailu-admin in roundcube task menu 2 years ago
bors[bot] 4315227215
Merge #2587
2587: fix roundcube/sieve r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Without this snuffleupagus is throwing a tantrum on ini_get(), when saving a sieve filter from roundcube.

```
[17-Dec-2022 13:44:08] WARNING: [pool php] child 21853 said into stderr: "NOTICE: PHP message: PHP Fatal error:  [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'ini_get', because its argument '$option' content (suhosin.request.max_vars) matched a rule in /var/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 532"
```

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
bors[bot] 251db0b1af
Merge #2562
2562: Dynamic address resolution everywhere r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Use dynamic address resolution everywhere.
Derive a new key for admin/SECRET_KEY
Cleanup the environment

This should allow restarting containers.

### Related issue(s)
- closes #1341
- closes #1013
- closes #1430

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago
Florent Daigniere 170b12baf0 fix sieve 2 years ago
fastlorenzo 2fa8dcb51d
Fixed roundcube carddav module
Signed-off-by: fastlorenzo <git@bernardi.be>
2 years ago
Florent Daigniere 4e3874b0c1 Enable dynamic resolution of hostnames 2 years ago
Florent Daigniere 8150ca77b2 this isn't required anymore either 2 years ago
Florent Daigniere e927426dfa Turns out that php81-ctype is required by roundcube
see https://github.com/roundcube/roundcubemail/issues/7049
2 years ago
Florent Daigniere c4595fddca Change perms first 2 years ago
Florent Daigniere 9566c297d9 Don't do it as root 2 years ago
Florent Daigniere 63a12d9857 changes requested by ghost 2 years ago
Florent Daigniere 9fa3a3e0c7 doc 2 years ago
Florent Daigniere 9e61a33cb2 Merge branch 'master' of https://github.com/Mailu/Mailu into webmail-hardening 2 years ago
Florent Daigniere ab852772f9 Bump snappymail to 2.21.3 2 years ago
Florent Daigniere 28d720bbc9 As requested 2 years ago
Florent Daigniere 840b2bd9df block o:0:{} too 2 years ago
Florent Daigniere 017ea5298e typo 2 years ago
Florent Daigniere 2a4f6836cf protect unserialize() 2 years ago
Florent Daigniere e5ab9821f9 Add snuffleupagus
This seems to work in my limited testing.
2 years ago
Florent Daigniere 56a106ad60 Only one labs section in the conf file 2 years ago
Florent Daigniere 071ad15a97 Better snappymail defaults 2 years ago
Florent Daigniere 6b2cb95a7d This is not required anymore 2 years ago
Florent Daigniere a508eeaafb Use /dev/shm for tmp 2 years ago
Florent Daigniere f2f430af5d Redirect the logs where they belong 2 years ago
Florent Daigniere 06c0c78956 Hardening: run the http and php as different users 2 years ago
Florent Daigniere 7ebac75045 fix tests 2 years ago
Florent Daigniere f3a91d1a18 enable APCu 2 years ago
Florent Daigniere 225322fe88 More hardening 2 years ago
Florent Daigniere ad17b10c8e redirects should be HTTP/302 2 years ago
Florent Daigniere 1379a58352 Basic hardening 2 years ago
Florent Daigniere 7e722cd0c3 fix #2250: ensure rainloop uses _ADDRESS 2 years ago
Florent Daigniere 224f2f4508 This isn't used anymore
The healthcheck is now done by fpm
2 years ago
Florent Daigniere a8d405cb48 Verify the gpg signature of webmails 2 years ago
Florent Daigniere 1edef755f1 Fix bug #2466 2 years ago