3205 Commits (b2abbc8856ae542d7f52685a274abed1ef4fd4a3)
 

Author SHA1 Message Date
Florent Daigniere 20d2b621aa Improve the description of CREDENTIAL_ROUNDS 4 years ago
Florent Daigniere df230cb482 Refactor auth under nginx.check_credentials() 4 years ago
Florent Daigniere f9ed517b39 Be specific token length 4 years ago
Florent Daigniere d0b34f8e24 Move CREDENTIAL_ROUNDS to advanced settings 4 years ago
Florent Daigniere 29306d5abb Fix the tests (again) 4 years ago
Florent Daigniere 89d88e0c19 Fix the test 4 years ago
Florent Daigniere fda758e2b4 remove merge artifact 4 years ago
Florent Daigniere 927bd2bd8e towncrier 4 years ago
Florent Daigniere 57a6abaf50 Remove {scheme} from the DB if mailu has set it 4 years ago
Florent Daigniere 7137ba6ff1 Misc improvements to PASSWORD_SCHEME
- remove PASSWORD_SCHEME altogether
- introduce CREDENTIAL_ROUNDS
- migrate all old hashes to the current format
- auto-detect/enable all hash types that passlib supports
- upgrade passlib to 1.7.4 (see #1706: ldap_salted_sha512 support)
4 years ago
Florent Daigniere 00b001f76b Improve the token storage format
shortcomings of the previous format included:
- 1000x slower than it should be (no point in adding rounds since there
 is enough entropy: they are not bruteforceable)
- vulnerable to DoS as explained in
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.sha256_crypt.html#security-issues
4 years ago
Florent Daigniere eb7895bd1c Don't do more work than necessary (/webdav)
This is also fixing tokens on /webdav/
4 years ago
Florent Daigniere 58b2cdc428 Don't do more work than necessary 4 years ago
bors[bot] c0266ef455
Merge #1777
1777: Add mergify to the list of trusted authors r=Diman0 a=nextgens

The idea is to prevent backports from being stuck pending review for too long.

#1767 was created by a trusted author (p0) ... reviewed and merged to master relatively quickly... but it's backport got stuck for a week (#1768) as it required double the number of reviews.

This probably needs to be backported to be effective

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
4 years ago
bors[bot] 464e46b02b
Merge #1765
1765: Set sensible cookie flags on the admin app r=mergify[bot] a=nextgens

## What type of PR?

Bugfix

## What does this PR do?

It sets the right flags on the session cookie issued by the admin app.
This should probably be backported as the lack of secure flag on TLS-enabled setup is a high risk vulnerability.

SameSite is hardening / helps against CSRF on modern browsers
HTTPOnly is hardening / helps reduce the impact of XSS

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
4 years ago
bors[bot] 0f8d2077a5
Merge #1691
1691: update webmails to PHP 7.4 r=mergify[bot] a=lub

## What type of PR?

update

## What does this PR do?

### Related issue(s)

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.



I think it's a minor change, which needs no changelog.

I've tested rainloop, would be great if someone could test roundcube, because I don't use it.

Co-authored-by: lub <git@lubiland.de>
4 years ago
bors[bot] 47d6c697d0
Merge #1763
1763: show flash messages again r=mergify[bot] a=lub

## What type of PR?

bug-fix

## What does this PR do?
This basically restores the behaviour, that got removed in
ecdf0c25b3 during refactoring.

### Related issue(s)
- noticed it while reviewing #1756

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [-] In case of feature or enhancement: documentation updated accordingly
- [-] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
4 years ago
bors[bot] 81f8cbec56
Merge #1711 #1712
1711: fix typo in faq.rst r=Diman0 a=tomwojcik



1712: Add details for postfix-overrides r=mergify[bot] a=sholl

## What type of PR?

Documentation clarification

## What does this PR do?

### Related issue(s)

this clarifies the FAQ about overrides and fixes #1628 


Co-authored-by: Tomasz Wójcik <tomwojcik@users.noreply.github.com>
Co-authored-by: Stephan Holl <stephan@holl-land.de>
Co-authored-by: Stephan Holl <1610827+sholl@users.noreply.github.com>
4 years ago
bors[bot] ce0c93a681
Merge #1618
1618: add OCSP stapling to nginx.conf r=mergify[bot] a=lub

It's not added in tls.conf, because apparently the mail ssl module
doesnt' support OCSP stapling.

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
^ exists

https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_stapling
^ missing

When the configured certificate doesn't have OCSP information, it'll
just log a warning during startup.

## What type of PR?

enhancement

## What does this PR do?

It enables OCSP stapling for the http server. OCSP stapling reduces roundtrips for the client and reduces load on OCSP responders.

### Related issue(s)
- fixes  #1616

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
4 years ago
bors[bot] cca4b50915
Merge #1607
1607: _FILE variables for Docker swarm secrets r=mergify[bot] a=lub

## What type of PR?

enhancement

## What does this PR do?

This PR enables usage of DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY to load these values from files instead of supplying them directly. That way it's possible to use Docker secrets.

### Related issue(s)


## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
4 years ago
Florent Daigniere 0dcc059cd6 Add a new knob as discussed on matrix with lub 4 years ago
Jaume Barber 5bb67dfcbb Translated using Weblate (Basque)
Currently translated at 100.0% (151 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/eu/
4 years ago
Jaume Barber a49b9d7974 Translated using Weblate (Catalan)
Currently translated at 99.3% (150 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ca/
4 years ago
Jaume Barber cd9992f79c Translated using Weblate (Swedish)
Currently translated at 74.2% (121 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/sv/
4 years ago
Jaume Barber afae5d1c24 Translated using Weblate (Russian)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ru/
4 years ago
Jaume Barber 7a01a63389 Translated using Weblate (Portuguese)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/pt/
4 years ago
Jaume Barber 480ec29d3d Translated using Weblate (Italian)
Currently translated at 91.4% (149 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/it/
4 years ago
Jaume Barber 5e96a4bfcf Translated using Weblate (Spanish)
Currently translated at 91.4% (149 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/es/
4 years ago
Jaume Barber 6143d66eb8 Translated using Weblate (English)
Currently translated at 39.2% (64 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
4 years ago
Anonymous 6da5978870 Translated using Weblate (German)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/de/
4 years ago
Anonymous 58c22fd2c6 Translated using Weblate (English)
Currently translated at 38.6% (63 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
4 years ago
Jaume Barber 0dc8817f32 Translated using Weblate (English)
Currently translated at 38.6% (63 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
4 years ago
Anonymous 3d17000ceb Translated using Weblate (English)
Currently translated at 29.4% (48 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
4 years ago
Jaume Barber a2933d00f3 Translated using Weblate (English)
Currently translated at 29.4% (48 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
4 years ago
Jaume Barber 7c0158c5f8 Translated using Weblate (English)
Currently translated at 17.7% (29 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
4 years ago
Anonymous 7de94275a0 Translated using Weblate (English)
Currently translated at 17.7% (29 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
4 years ago
Jaume Barber 43133d8515 Added translation using Weblate (Basque) 4 years ago
Jaume Barber 5e0aa65c8d Translated using Weblate (Italian)
Currently translated at 96.3% (157 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/it/
4 years ago
Jaume Barber 725cdc270c Translated using Weblate (Spanish)
Currently translated at 100.0% (163 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/es/
4 years ago
Weblate a571704a9d Merge branch 'origin/master' into Weblate. 4 years ago
Jaume Barber b9c2dc1a79 Translated using Weblate (Catalan)
Currently translated at 98.6% (149 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ca/
4 years ago
Anonymous 3a9a133226 Translated using Weblate (English)
Currently translated at 11.0% (18 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
4 years ago
Jaume Barber af251216b0 Translated using Weblate (English)
Currently translated at 11.0% (18 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
4 years ago
Florent Daigniere 76e5614d13 Add mergify to the list of trusted authors
The idea is to prevent backports from being stuck pending for review for
too long.
4 years ago
Alexander Graf b55b53b781 optimize generation of transport nexthop 4 years ago
Alexander Graf 0a9f732faa added docstring to Logger. use generators. 4 years ago
bors[bot] ee1301f4f8
Merge #1767
1767: Remove "CHUNKING" capability from nginx-smtp r=mergify[bot] a=Nebukadneza

## What type of PR?
bug-fix

## What does this PR do?
With `CHUNKING`set as a capability, nginx advertises this capability to
clients at a stage where the SMTP dialog does not seem to be forwarded
to the proxy-target (postfix) yet. Nginx' SMTP parser itself does not
support the `BDAT` command issued as part of a chunke-d dialog. This makes
Nginx respond with a `250 2.0.0 OK` and close the connection, after the
mail-data got sent by the client — without forwarding this to the
proxy-target.

With this, users mail can be lost.

Furthermore, when a user uses a sieve filter to forward mail, dovecot
sometimes chunks the forwarded mail when sending it through `front`.
These forwards then fail.

Removing `CHUNKING` from the capabilities fixes this behavior.

### Related issue(s)
closes #1766 

Co-authored-by: Dario Ernst <dario@kanojo.de>
4 years ago
Dario Ernst b6716f0d74 Remove "CHUNKING" capability from nginx-smtp
With `CHUNKING`set as a capability, nginx advertises this capability to
clients at a stage where the SMTP dialog does not seem to be forwarded
to the proxy-target (postfix) yet. Nginx' SMTP parser itself does not
support the `BDAT` command issued as part of a chunke-d dialog. This makes
Nginx respond with a `250 2.0.0 OK` and close the connection, after the
mail-data got sent by the client — without forwarding this to the
proxy-target.

With this, users mail can be lost.

Furthermore, when a user uses a sieve filter to forward mail, dovecot
sometimes chunks the forwarded mail when sending it through `front`.
These forwards then fail.

Removing `CHUNKING` from the capabilities fixes this behavior.
4 years ago
Alexander Graf bde7a2b6c4 moved import logging to schema
- yaml-import is now logged via schema.Logger
- iremoved relative imports - not used in other mailu modules
- removed develepment comments
- added Mailconfig.check method to check for duplicate domain names
- converted .format() to .format_map() where possible
- switched to yaml multiline dump for dkim_key
- converted dkim_key import from regex to string functions
- automatically unhide/unexclude explicitly specified attributes on dump
- use field order when loading to stabilize import
- fail when using 'hash_password' without 'password'
- fixed logging of dkim_key
- fixed pruning and deleting of lists
- modified error messages
- added debug flag and two verbosity levels
4 years ago
Florent Daigniere aa8cb98906 Set sensible cookie options 4 years ago