Commit Graph

2903 Commits (cd17aa0c43f33821a36fbc6fca50bf9cd059a3ff)

Author SHA1 Message Date
Florent Daigniere 368b40b4fd doh
bors[bot] db0370858e
Merge
1941: Fix a bug whereby adding new HOSTNAMEs won't necessarily lead to certificates being renewed. r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Fix a bug whereby adding new HOSTNAMEs won't necessarily lead to certificates being renewed.

certbot's default behaviour has changed when --renew-with-new-domains was introduced

### Related issue(s)
- close 

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 3e676e232a fix
bors[bot] 7efce99769
Merge
1902: Make smtp_tls_policy_maps easily configurable r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

- Make smtp_tls_policy_maps easily configurable. This is useful to force TLS verification of specific destinations (or relays).
We should probably discuss what's on the list by default. I have found a top100 list online, ran it through a script to check all the records and found 90 destinations we could use.
- disable TLS session tickets (this reduces the PFS window from 1day to 1h)
- enable system CAs by default (to allow for OUTBOUND_TLS_LEVEL above encrypt without additional overrides)

### Related issue(s)
- closes  
- 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere ae8db08bdf Ensure that we don't do multiple DNS lookups in the sieve script
bors[bot] 53fe567d06
Merge
1925: Optimize Rainloop: Change to NGINX r=mergify[bot] a=Erriez

## What type of PR?

- Reduce build time.
- Reduce image size.
- Faster user response using CGI.

## What does this PR do?

### Related issue(s)
- Mention an issue like: ,  and 
- Auto close an issue like: closes 

## Prerequisites

Documentation updates TBD (requires some guidance):
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.

## Technical details

- Image from `php:7.4-apache` to `nginx:1.21-alpine` followed by PHP7 installation.
- Move `.ini` files to directory `defaults/`.
- Move files `sso.php` and `include.php` to directory `login/`.
- NGINX configuration:
  - `access_log off;` as this is handled by front.
  - `error_log /dev/stderr err;` configured to reduce output. The logging in `start.py` is useless.
  - PHP configuration optimized for CGI usage and requires a config file `config/php-rainloop.conf` -> `/etc/php7/php-fpm.d/rainloop.conf`.
  - `.ini` files are parsed / substituted by `socrate` Python module.

Further optimization is possible by completely removing Python. This is only used to parse the `.ini` files and can be done via Bash scripts. This saves more build time and image size can be reduced to 112MB.

## Reviewing

This PR requires multiple reviewers and extensive testing before merging into master. Data/settings are compatible with previous images.

Co-authored-by: Erriez <Erriez@users.noreply.github.com>
Florent Daigniere 65a27b1c7f add additional options to make DANE easier
Florent Daigniere fb8d52ceb2 Merge branch 'master' of https://github.com/Mailu/Mailu into tls_policy_map
bors[bot] a461f5fa7c
Merge
1904: Allow specific users to send email from any address r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

Allow specific users to send email from any address using the WILDCARD_SENDERS configuration variable.

### Related issue(s)
- closes 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: David Fairbrother <DavidFair@users.noreply.github.com>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
Co-authored-by: Erriez <Erriez@users.noreply.github.com>
bors[bot] 5062ee58dc
Merge
1935: Fix bug : logs flooded with "unbound udp connect failed: Address not available for" r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Revert back to alpine 1.12 for the resolver/unbound container. The official fix is at:
08968baec1
but alpine doesn't ship it yet:
https://pkgs.alpinelinux.org/packages?name=unbound&branch=v3.14

### Related issue(s)
- closes  


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere e1ddbb6eec Rollback to alpine 1.12
it ships unbound 1.10 that doesn't have the bug I think
08968baec1
Florent Daigniere b4102ba464 doh
Florent Daigniere fc5758e352 Clarify that it will only work for existing addresses
Florent Daigniere 9ec7590171 Merge branch 'master' of https://github.com/Mailu/Mailu into wildcard_senders
Florent Daigniere 3d018f916c Merge branch 'wildcard_senders' of github.com:nextgens/Mailu into wildcard_senders
Florent Daigniere 7252a73e11 WILDCARD_SENDERS can have spaces
Erriez 6cecacb6da Add catch_workers_output to php-rainloop.conf
bors[bot] b57df78dac
Merge
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

A conflict-free version of  implementing per-user sender limits

### Related issue(s)
- close  
- close 
- close  

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Dimitri Huisman 4c056db4aa Added documentation for all user statuses.
Erriez 6437540704 Change error_log to warn
Dimitri Huisman e5972bd9ec Set default message rate limit to 200/day
Dimitri Huisman b7403c850a Document the new setting in webadministration.rst.
bors[bot] 34b35ca9b7
Merge
1922: Harden postfix's configuration r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

It hardens the default configuration:
- disable AUTH commands on port 25 (nginx was not advertising the capability: normal clients wouldn't attempt it)
- fix Forward Secrecy by ensuring that we don't use session tickets and don't cache on forensically carveable mediums
- prevent clear-text credentials from being sent while authenticating to remote relays (this may break things if the relay doesn't support challenge-based authentication NOR STARTTLS - unlikely).
- switch to default RSA keysizes (2048 bits and they get rekeyed every 3 months - modern clients will do ECC)
- enable ECC certificates (much smaller than RSA keys, faster for better security margin)
- configure nginx so that it doesn't send the legacy/root CA (clients that require it are unlikely to do TLS1.2 any ways)

I don't think that any of those changes is impactful enough to warrant being documented.

### Related issue(s)
- close 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Jack Murray <github@c0rporation.com>
Jack Murray dd127f8f06 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
Florent Daigniere 6704cb869a Switch to 3072bits dhparam (instead of 4096bits)
We aim for 128bits of security here
Florent Daigniere f74497d929 Merge remote-tracking branch 'upstream/master' into harden_postfix
Jack Murray e304c352a1 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
Erriez 5adc4f08f6 Restore curl
bors[bot] 966b9cb918
Merge
1928: Change letsencrypt timer from 1h --> 1 day r=mergify[bot] a=jackmurray

There's no need to be calling certbot so frequently. Letsencrypt certificates last for 90 days so polling every hour is just wasteful. Once per day should be more than sufficient to catch any certificates before they even get close to expiring.

## What type of PR?

Enhancement

## What does this PR do?

Reduces unnecessary load on the Letsencrypt ACME servers.

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Jack Murray <github@c0rporation.com>
Jack Murray 7e5a35660a
Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
Florent Daigniere facc4b6427 Allow specific users to send email from any address
Erriez a5534a34dc Update Alpine version from 3.10 to 3.14
Florent Daigniere 9e5cfaaec8 towncrier
Florent Daigniere ee54a615c1 Alpine has removed support for btree and hash
Diman0 4e16c9000b Give docker containers in each test one more minute for starting.
Diman0 146b081119 enhanced security changelog entry and added recommendation to recreate secret_key
Diman0 2132adcc38 Fixed typing error.
Diman0 e3fbf48c5a Improved changelog entry
Dimitri Huisman 9b2afbfa89 Resolve merge conflict
Diman0 b7db90b7ff Update documentation config and release notes page.
Diman0 529994c095 Update CHANGELOG.md and process towncrier newsfragments.
David Fairbrother 24747e33de Add ability to set no WEBROOT_REDIRECT to Nginx
Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
Florent Daigniere 0b16291153 doh
Florent Daigniere 7b847852af fix typo
Florent Daigniere 1db08018da Ensure that we get certificate validation on top90
I have found a list of the top100 email destinations online and ran them
through a script to ensure that all of their MX servers had valid
configuration... this is the result
Florent Daigniere e1a7657999 Now that postfix has CAs we can switch to secure
encrypt means "ensure we have some confidentiality" whereas secure means
"ensure we have confidentiality while talking to the right peer"
(protects against passive or/and active MITM attacks)
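The settings described across PR 1902 (tls_policy_maps, session tickets, system CAs), PR 1922 (the Postfix hardening list) and this commit (encrypt versus secure) each correspond to a standard Postfix main.cf parameter. The fragment below is an added illustration written for this page; it is not Mailu's own configuration and not the diff of these PRs. It pairs each hardened value with the weaker setting it replaces. All file paths and the destination domains in the policy map are placeholders, the parameter names are standard Postfix ones, and the NO_TICKET flag in tls_ssl_options is assumed to be available on the Postfix 3.x build in use (check postconf(5) for your version).

```ini
# Added example, not Mailu's configuration: a Postfix main.cf fragment that
# shows each hardened value next to the weaker setting discussed in the PRs.
# All file paths and domain names are placeholders.

# 1. No AUTH on port 25. SASL stays off globally; the submission service in
#    master.cf re-enables it with "-o smtpd_sasl_auth_enable=yes".
# weak:  smtpd_sasl_auth_enable = yes
smtpd_sasl_auth_enable = no

# 2. Forward secrecy: no on-disk session cache and no session tickets, so a
#    later key compromise cannot unwrap recorded sessions.
# weak:  smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_database =
smtp_tls_session_cache_database =
tls_ssl_options = NO_TICKET

# 3. Never send relay credentials in clear text: require a challenge-based
#    SASL mechanism unless the session is already protected by TLS.
# weak:  smtp_sasl_security_options = noanonymous
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous

# 4. Key material: 3072-bit DH parameters (128-bit security target) and an
#    ECC certificate offered alongside the default-size RSA one.
smtpd_tls_dh1024_param_file = /etc/postfix/dh3072.pem   # placeholder path
smtpd_tls_eecdh_grade = auto
smtpd_tls_cert_file = /certs/rsa-cert.pem                # placeholder path
smtpd_tls_key_file = /certs/rsa-key.pem                  # placeholder path
smtpd_tls_eccert_file = /certs/ecc-cert.pem              # placeholder path
smtpd_tls_eckey_file = /certs/ecc-key.pem                # placeholder path

# 5. Outbound TLS. "encrypt" only guarantees confidentiality to whoever
#    answers; "secure" also verifies that it is the right peer, which needs
#    a CA bundle. The global level stays opportunistic and is raised per
#    destination through the policy map.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt    # placeholder path
smtp_tls_policy_maps = lmdb:/etc/postfix/tls_policy      # placeholder path

# Contents of /etc/postfix/tls_policy (constructed entries, run postmap
# after editing):
#   example.net   secure match=.example.net:mx.example.net
#   example.org   dane-only
#   example.com   encrypt
```

The policy map is where the "secure" level becomes safe to use: it only applies to destinations whose MX names are known, so a certificate that does not match the listed names fails delivery instead of silently downgrading, while unlisted destinations still get opportunistic encryption.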
Florent Daigniere 6149c759f4 doc
Florent Daigniere b066a5e2ac add a default tls_policy_map
Florent Daigniere 1df79f8132 give PFS a chance
Erriez 10f2c17979 Restore Roundcube PHP files