Because basically every MTA out there uses opportunistic TLS _in
the best case_, it's actually counter productive to use such strict
settings.
The alternative to a handshake error is often an unencrypted submission,
which is basically the opposite of what strict ssl_protocols and
ssl_ciphers tries to achieve.
Even big and established providers like Amazon SES are incompatible with the current
settings.
This reverts commit 2ddf46ad2b.
1211: Split HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI r=mergify[bot] a=micw
## What type of PR?
bug-fix
## What does this PR do?
Fixes#1190 by separating HOST_ANTISPAM into HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI
### Related issue(s)
- closes#1190
- closes#1150
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Michael Wyraz <michael@wyraz.de>
1181: Update to address issue #1178 (HTTP headers) r=muhlemmer a=bladeswords
This change should remove the duplicate `x-xss-protection` header and also the `x-powered-by` header. Hopefully a pull request to main is appropriate, but may be worth back porting to 1.7.
Tested config by modifying live 1.7 nginx config and reloading. Has had the desired outcome of removing the headers.
```/etc/nginx # nginx -t -c /etc/nginx/nginx.conf
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/etc/nginx # nginx -s reload
```
These steps were based on:
- https://serverfault.com/questions/928912/how-do-i-remove-a-server-added-header-from-proxied-location
- https://serverfault.com/questions/929571/overwrite-http-headers-comming-back-from-a-web-application-server-proxied-in-ngi
- http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header
## What type of PR?
Enhancement
## What does this PR do?
Removes duplicate and unneeded headers. See issue #1178
### Related issue(s)
- issue: #1178
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ X ] In case of feature or enhancement: documentation updated accordingly
- [ X ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: bladeswords <bladeswords@users.noreply.github.com>
1158: Use nginx for kubernetes ingress r=kaiyou a=micw
## What type of PR?
enhancement
## What does this PR do?
Currently, kubernetes uses a complex ingress setting which is not portable across different ingress controllers. This PR simplifies the ingress and delegates everythins special to Mailu to the front container,
### Related issue(s)
- closes#1121
- closes#1117
- closes#1021
- closes#1045
## Prerequistes
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog]
Co-authored-by: Michael Wyraz <michael@wyraz.de>
To facilitate this, the default redirect at / can be disabled, even if
the default remains at redirecting to the webmailer.
The extensions are within the host scope and are read from
$ROOT/overrides/nginx/*.conf.
- Specified seperated /health path in order to allow for healthcheck even if webmail and admin are not seletectd. This also allows healthchecking fom external services like DNS load balancers;
- Make curl not to fail on TLS because localhost is not included in the certificates.
Allows to use mailu without docker-compose when hostnames are not set up
by docker itself but provided via a separate resolver.
Use case: use mailu using nomad scheduler and consul resolver instead of
docker-compose. Other servers are provided by the DNS resolver that
resolves names like admin.service.consul or webmail.service.consul.
These names needs to be configurable.
lub
Wolfgang Jung