2550: Webmail hardening r=mergify[bot] a=nextgens
## What type of PR?
enhancement
## What does this PR do?
Add [Snuffleupagus](https://github.com/jvoisin/snuffleupagus/) (a modern Suhosin replacement) to protect webmails.
It may be possible to harden further, by encrypting some of the cookies and auditing the usage of gpg more closely.
This seems to work for me.
### Related issue(s)
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2543: Fix#2231: make public announcements work r=nextgens a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Ensure public announcements bypass filters.
They can still time-out... but this is already a big improvement that we should be able to backport.
### Related issue(s)
- closes#2231
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2529: Improve fetchmail r=mergify[bot] a=nextgens
## What type of PR?
enhancement
## What does this PR do?
Improve fetchmail:
- allow delivery via LMTP (faster, bypassing the filters)
- allow several folders to be retrieved
- run fetchmail as non-root
- tweak the compose file to ensure we have all the dependencies
### Related issue(s)
- closes#1231
- closes#2246
- closes#711
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
2547: Disable libhardened-malloc for non x86. r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Support is going to be a nightmare if RPI4 is not working; We can always reintroduce it later.
### Related issue(s)
- closes#2541
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2538: Fix the ARM build again r=mergify[bot] a=nextgens
I have double-checked from the builder and this works.
gcc -v from the alpine image tells me that we have ``--enable-default-pie``
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2537: Fix the armv7 build (again)! r=mergify[bot] a=nextgens
Revert "simplify": ghostwheel42's approach was right
This reverts commit 04f6bd2633.
Without the build still errors-out because of ``set -euxo pipefail``
see https://github.com/Mailu/Mailu/actions/runs/3479399158/jobs/5817902589
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2483: Introduce FETCHMAIL_ENABLED r=mergify[bot] a=DjVinnii
## What type of PR?
Enhancement
## What does this PR do?
Add `FETCHMAIL_ENABLED` to enable/disable the Fetchmail functionality in the Admin UI.
### Related issue(s)
- closes#2127
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
2535: fix the linux/arm/v7 build r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
The arm builder is running aarch64 ... and there is no package for arm/v7
Co-authored-by: Vincent Kling <v.kling@vinniict.nl>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2525: Switch to GrapheneOS's hardened_malloc r=mergify[bot] a=nextgens
## What type of PR?
Feature
## What does this PR do?
Switch to GrapheneOS's hardened_malloc
This was suggested during the dev meeting of the 18/09/22.
It may break things and it may make things unbearably slow... but it should also make the exploitation of memory corruption bugs a lot harder.
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
2534: Close#2533: document SQLALCHEMY_DATABASE_URI r=mergify[bot] a=nextgens
## What type of PR?
documentation
## What does this PR do?
document SQLALCHEMY_DATABASE_URI
### Related issue(s)
- closes#2533
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2530: disable SESSION_COOKIE_SECURE when TLS_FLAVOR=notls r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
People are unlikely to proxy everything
### Related issue(s)
- closes#2527
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2514: Update deps r=mergify[bot] a=ghostwheel42
## What type of PR?
update python dependencies
## What does this PR do?
Update python deps in base image
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2523: fix JS error r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
It fixes a bug whereby one may have to click twice on the submit button depending on timing.
e.trigger() will error out on most browsers.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2479: Rework the anti-spoofing rule r=mergify[bot] a=nextgens
## What type of PR?
Feature
## What does this PR do?
We shouldn't assume that Mailu is the only MTA allowed to send emails on behalf of the domains it hosts.
We should also ensure that it's non-trivial for email-spoofing of hosted domains to happen
Previously we were preventing any spoofing of the envelope from; Now we are preventing spoofing of both the envelope from and the header from unless some form of authentication passes (is a RELAYHOST, SPF, DKIM, ARC)
### Related issue(s)
- close#2475
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2498: Implement ITERATE in podop r=mergify[bot] a=nextgens
## What type of PR?
Feature
## What does this PR do?
This makes ``doveadm -A`` work.
The easiest way to try it out is:
```
doveadm dict iter proxy:/tmp/podop.socket:auth shared/userdb
or
doveadm user '*'
```
The protocol is described at https://doc.dovecot.org/developer_manual/design/dict_protocol/
The current version of dovecot is not using flags... so there's little gain in implementing them.
### Related issue(s)
- close#2499
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2502: Resolve using socrate function r=mergify[bot] a=ghostwheel42
## What type of PR?
enhancement
## What does this PR do?
nginx.py had a copy of the socrate function resolve_hostname.
This removes the duplicated code and uses the socrate function.
The socrate functions does the same but prefers ipv4 addresses when resolving.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2497: Upgrade to alpine 3.16.2 r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
This may fix the build issues on arm (troubles building cryptography)
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2328: Feature: Configurable default spam threshold used for new users r=mergify[bot] a=enginefeeder101
## What type of PR?
Feature
## What does this PR do?
This PR adds functionality to set a custom default spam threshold
for new users. The environment variable ``DEFAULT_SPAM_THRESHOLD`` is
used for this purpose. When not set, it defaults back to 80%, as the
default value was before.
If ``DEFAULT_SPAM_THRESHOLD`` is set to a value that Python cannot
parse as an integer, a ValueError is thrown. There is no error handling
for that case built-in. Should that be done?
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: enginefeeder101 <enginefeeder101@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2458: Fix: Don't update updated_at on quota_bytes_used change r=mergify[bot] a=DjVinnii
## What type of PR?
bug-fix
## What does this PR do?
This PR makes sure that the `updated_at` field is not updated when `quota_bytes_used` is updated. All other updates to the `User` model still updates the `updated_at` field.
This is done by explicitly using an method in the `Base` class triggering [`flag_modified`][url-flag-modified].
### Related issue(s)
- closes#1363
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
<!-- LINKS-->
[url-flag-modified]: https://docs.sqlalchemy.org/en/14/orm/session_api.html#sqlalchemy.orm.attributes.flag_modified
Co-authored-by: Vincent Kling <v.kling@vinniict.nl>
2460: Switch to a base image containing base tools and the podop and socrate libs r=mergify[bot] a=ghostwheel42
## What type of PR?
enhancement of build process
## What does this PR do?
Changes build.hcl to build core images using a base image.
Also adds a "assets" base image for the admin container.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: Pierre Jaury <pierre@jaury.eu>
Co-authored-by: kaiyou <pierre@jaury.eu>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>