Commit Graph

1293 Commits (e519ec9ae6221f18e2a6dd813d2ebf74949814cc)

Author SHA1 Message Date
Florent Daigniere 068170c0ff Use app instead of flask.current_app where possible
Florent Daigniere 57b0dd490c Initialize user_email in all cases
qy117121 b1425015ef
Update messages.po
Fix wrong text
bors[bot] afffe4063e
Merge
2018: show dmarc record for report domain in domain details r=mergify[bot] a=ghostwheel42

## What type of PR?

documentation

## What does this PR do?

show dmarc record for report domain in domain details

### Related issue(s)

closes 

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
bors[bot] 9f2aa0aadc
Merge
1986: Document how to setup client autoconfig r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Document how to setup autoconfig. This works with most open-source MUAs (thunderbird, evolution, ...)

We could go further than that by providing dynamic configuration (issue an auth token for each MUA request)... but it won't work unless a new DNS entry (and matching certificate) is created.

### Related issue(s)
- 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


2014: Update Chinese translation r=mergify[bot] a=qy117121

## What type of PR?

translation

## What does this PR do?

Update Chinese translation. Use `zh` instead of `zh_CN`.

### Related issue(s)

none

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: qy117121 <mixuan121@gmail.com>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Alexander Graf 7fe15ea9cf added dmarc record for report domain
bors[bot] a5b1d36171
Merge
2017: rspamd: get dkim keys via REST API instead of filesystem r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement

## What does this PR do?

rspamd now uses hashicorp's vault api v1 to get dkim keys and selectors for a domain.
this allows future enhancement (multiple keys) without reconfiguring and restarting rspamd.
it also makes mounting the /dkim volume into the rspamd container unnecessary.

### Related issue(s)

- improves and closes  
- allows to implement key rotation using multiple selectors (see )
- allows to implement dkim for alternate domains (see )
- fixes and closes  (selector transmitted by admin container is used)
- closes  (no keys on disk)
- allows to implement key rotation from the outside (ie. via a helper script talking to some dns provider's api) (see )

## Prerequisites

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Alexander Graf 7b0c5935a8 only support GET method in vault
Alexander Graf 303fae00fb cleanup modules. use dkim selector from config
Alexander Graf dc9f970a91 removed zh_CN and updated locale-map for datatables
Alexander Graf 893705169e PoC rspamd use dkimkeys from admin using vault api
Florent Daigniere 632ce663ee Prevent logins with no password
qy117121 866f784d06
Create messages.po
Update the translation
qy117121 251eea5553
Update messages.po
Updated translation
Florent Daigniere 7277e0b4e4
Merge branch 'master' into ratelimits
bors[bot] 8c8c1b2015
Merge
1997: Prevent traceback when using non-email in login r=mergify[bot] a=ghostwheel42

There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('`@',` 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "`@")`
```

## What type of PR?

enhancement

## What does this PR do?

replace traceback (ERROR) with error message (WARNING)

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
bors[bot] 9b01e663b2
Merge
2007: allow sending emails as user+detail@domain.tld r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix or enhancement

## What does this PR do?

Allows sending emails with an added "+detail" in the local part.
 
### Related issue(s)

closes 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: root <ghostwheel42@users.noreply.github.com>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 14360f8926 RECIPIENT_DELIMITER can have several characters
root 8c59f35697 use RECIPIENT_DELIMITER for splitting
Alexander Graf 1d571dedfc split localpart into user and tag
Florent Daigniere d131d863ba The if needs to be inside the block
Alexander Graf aaf3ddd002 moved javascript to app.js
Florent Daigniere b48779ea70 SESSION_COOKIE_SECURE and HTTP won't work
Florent Daigniere 502affbe66 Use the regexp engine since we have one
Florent Daigniere a349190e52 simplify
Florent Daigniere 10d78a888b Derive a new subkey for SRS
Florent Daigniere 995ce8d437 Remove OUTCLEAN_ADDRESS
I believe that this isn't relevant anymore as we don't use OpenDKIM
anymore

Background on:
https://bofhskull.wordpress.com/2014/03/25/postfix-opendkim-and-missing-from-header/
Alexander Graf 65133a960a Prevent traceback when using non-email in login
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
Diman0 41f5b43b38 Set nginx logging to level info again.
Diman0 f4cde61148 Make header translatable. More finishing touches.
Florent Daigniere 7d56ed3b70 Merge branch 'master' of https://github.com/Mailu/Mailu into ratelimits
Diman0 fbe0a446b9 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929
Florent Daigniere 1e07b85fa1 doh
Diman0 9894b49cbd Merge/Update with changes from master
Florent Daigniere 24aadf2f52 ensure we log when the rate limiter hits
Florent Daigniere 64bc7972cc Make AUTH_RATELIMIT_IP 60/hour as discussed
Florent Daigniere cab0ce2017 doh
Florent Daigniere a9340e61f5 Log auth attempts on /admin
Florent Daigniere 89ea51d570 Implement rate-limits
Diman0 bf0aad9820 Merge branch 'master' of github.com:Mailu/Mailu into fix-sso-1929
bors[bot] 4c5c6c3b5f
Merge
1966: AdminLTE3 optimizations & compression and caching r=mergify[bot] a=ghostwheel42

## What type of PR?

enhancement, bugfix

## What does this PR do?

Optimization and cleanup of styles and javascript code for AdminLTE 3
Adds caching headers, gzip and robots.txt to nginx.

### Related issue(s)

Makes  even better. Thanks to `@DjVinnii` and `@Diman0` for the good work.
Closes 

## Prerequistes

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
bors[bot] b329971b87
Merge
1971: Updated Polish translation. r=mergify[bot] a=ghostwheel42

## What type of PR?

translation

## What does this PR do?

Update polish translation. Used `pl/LC_MESSAGES/messages.po` from PR  created by `@martys71`
Part of Discussion of 1.9 roadmap 

### Related issue(s)

closes  

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
bors[bot] 72e8ec53b7
Merge
1975: Replace traceback with error message when creating initial admin user r=mergify[bot] a=ghostwheel42

## What type of PR?

small enhancement

## What does this PR do?

when creating the admin user via cli a traceback is shown when this user is already present in the database.
This is confusing users. I've replaced the traceback with an error message.

### Related issue(s)



## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Alexander Graf 25cf8b5358 better help formatting
Alexander Graf b63081cb48 display error (not exception) when creating admin
repleace misleading python exception (mailu broken)
with error message stating that the admin user is
already present
Alexander Graf 065215d4d1 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes
Alexander Graf 7bec8029a4 strip not necessary anymore
Alexander Graf 05c79b0e3c copy (and not parse) mta sts override config
Alexander Graf b02ceab72f handle DEFER_ON_TLS_ERROR as bool
use /conf/mta-sts-daemon.yml when override is missing
Alexander Graf 1e8b41f731 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes
Alexander Graf b883e3c4a6 duh.
Alexander Graf bb40ccc4b0 normalize HOSTNAMES
should be moved to python lib and normalized in start.py
Alexander Graf 45a2be3766 Updated Polish translation.
Used pl/LC_MESSAGES/messages.po from PR#1751 created by martys71
bors[bot] d464187477
Merge
1964: Alpine3.14.2 r=mergify[bot] a=nextgens

Upgrade to alpine 3.14.2, retry upgrading unbound & switch back to libressl

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Alexander Graf a319ecde29 also precompress static txt files
Alexander Graf b445d9ddd1 set expire headers only for mailu content
also moved robots.txt from config to static folder.
Alexander Graf 698ee4e521 added tiff and webp to list of cached content
Alexander Graf 0094268410 allow to change logo. default color for flash msg
- two new environment variables allow to change logo background color
  and graphic
- flash messages are now green (not cyan)
Alexander Graf d8b4a016af use blue color from https://mailu.io/
bors[bot] 6fe265b548
Merge
1968: optimize handle_authentication r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

catch utf-8 decoding errors and log a warning in handle_authentication instead of writing a traceback into the log.

### Related issue(s)

closes 

## Prerequistes

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
bors[bot] d8dc765f04
Merge
1967: fix 1789: ensure that nginx resolves ipv4 addresses r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

This fixes ipv6 enabled setup by disabling it. If you were using SUBNET6 in your configuration, odds are it's broken since gunicorn isn't bound on an on an ipv6 enabled socket.

Should we backport this?

### Related issue(s)
- close 
- close 


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Alexander Graf 90c96bdddc optimize handle_authentication
- catch decoding of nginx headers (utf-8 exception)
- re-ordered function
Florent Daigniere 7aa403573d no with here
Florent Daigniere 0ee52ba65b Doh
Florent Daigniere 0f0459e9b2 suggestions from @ghostwheel42
Florent Daigniere 9888efe55d Document as suggested on #mailu-dev
Alexander Graf 7bede55fce more verbose cleaning message
Florent Daigniere a9a1b3e55e Reduce the EDNS0 size to 1232
@see
https://github.com/dns-violations/dnsflagday/issues/125
Florent Daigniere 72ba5ca3f9 fix 1789: ensure that nginx resolves ipv4 addresses
Alexander Graf 7fd605cc21 fixed brand link target for normal users
Diman0 b148e41d9b Fix nginx config
Florent Daigniere d8c22db547 Merge remote-tracking branch 'upstream/master' into policyd-mta-sts
Alexander Graf 8cdd7e911d duh. removed debug
Alexander Graf 2ba0d552e0 Merge remote-tracking branch 'upstream/master' into passlib
Alexander Graf 34df8b3168 AdminLTE3 optimizations & compression and caching
- fixed copy of qemu-arm-static for alpine
- added 'set -eu' safeguard
- silenced npm update notification
- added color to webpack call
- changed Admin-LTE default blue
  (core/admin/Dockerfile)

- AdminLTE 3 style tweaks
  (core/admin/assets/app.css)
  (core/admin/mailu/ui/templates/base.html)
  (core/admin/mailu/ui/templates/sidebar.html)

- localized datatables
  (core/admin/Dockerfile)
  (core/admin/assets/app.js)
  (core/admin/package.json)

- moved external javascript code to vendor.js
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/webpack.config.js)

- added mailu logo
  (core/admin/assets/app.js)
  (core/admin/assets/app.css)
  (core/admin/assets/mailu.png)

- moved all inline javascript to app.js
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/domain/create.html)
  (core/admin/mailu/ui/templates/user/create.html)

- added iframe display of rspamd page
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/views/base.py)
  (core/admin/mailu/ui/templates/sidebar.html)
  (core/admin/mailu/ui/templates/antispam.html)

- updated language-selector to display full language names and use post
  (core/admin/assets/app.js)
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/utils.py)
  (core/admin/mailu/ui/views/languages.py)

- added fieldset to group and en/disable input fields
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/user/settings.html)
  (core/admin/mailu/ui/templates/user/reply.html)

- added clipboard copy buttons
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/domain/details.html)

- cleaned external javascript imports
  (core/admin/assets/vendor.js)

- pre-split first hostname for further use
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/client.html)
  (core/admin/mailu/ui/templates/domain/signup.html)

- cache dns_* properties of domain object (immutable during runtime)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/domain/details.html)

- fixed and splitted dns_dkim property of domain object (space missing)
- added autoconfig and tlsa properties to domain object
  (core/admin/mailu/models.py)

- suppressed extra vertical spacing in jinja2 templates
- improved accessibility for screen reader
  (core/admin/mailu/ui/templates/**.html)

- deleted unused/broken /user/forward route
  (core/admin/mailu/ui/templates/user/forward.html)
  (core/admin/mailu/ui/views/users.py)

- updated gunicorn to 20.1.0 to get rid of buffering error at startup
  (core/admin/requirements-prod.txt)

- switched webpack to production mode
  (core/admin/webpack.config.js)

- added css and javascript minimization
- added pre-compression of assets (gzip)
  (core/admin/webpack.config.js)
  (core/admin/package.json)

- removed obsolte dependencies
- switched from node-sass to dart-sass
  (core/admin/package.json)

- changed startup cleaning message from error to info
  (core/admin/mailu/utils.py)

- move client config to "my account" section when logged in
  (core/admin/mailu/ui/templates/sidebar.html)
Alexander Graf f4e7ce0990 enabled caching, gzip and robots.txt
Alexander Graf 103918ba57 pre-compress assets (*.ico for now)
Alexander Graf 39d7a5c504 pngcrushed images
Diman0 960033525d configure sso in nginx
Diman0 8868aec0dc Merge master. Make sso login working for admin.
Diman0 1cfc9ee1c4 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929
Diman0 9fac3d7ad3 Initial implementation for standalone sso page
bors[bot] 71cc8b0a81
Merge
1800: AdminLTE 3 r=mergify[bot] a=DjVinnii

## What type of PR?

Enhancement

## What does this PR do?

This PR implements AdminLTE 3 for the admin interface. It also includes the implementation of DataTables and a language selector.

### Related issue(s)
- closes: 
- closes:  

## Prerequistes

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Vincent Kling <vincentkling@msn.com>
Co-authored-by: DjVinnii <vincentkling@msn.com>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Tim Foerster 9ec9d4d4fb
postfix/tls_policy: Use lmdb map instead of hash
The alpine postfix package seems to have removed support for btree and hash map type.  
The tls_policy.map stuff has been introduced in  and it has been merged without fixing this before (https://github.com/Mailu/Mailu/pull/1902/#issuecomment-902108080)
Florent Daigniere d7c2b510c7 Give alpine 3.14.2 a shot
Florent Daigniere fe186afb6f Revert "Switch to openssl to workaround alpine #12763"
This reverts commit f8362d04e4.
Florent Daigniere 4abf49edf4 indent
Florent Daigniere c1d94bb725 Ensure that postfix will be able to use the TLSA records
see https://www.huque.com/dane/testsite/ for the testcases
Florent Daigniere ef5f82362c Merge remote-tracking branch 'upstream/master' into policyd-mta-sts
Florent Daigniere 489520f067 forgot about alpine/lmdb
Florent Daigniere 9f66e2672b Use DEFER_ON_TLS_ERROR here too
We just don't know whether the lookup failed because we are under attack
or whether it's a glitch; the safe behaviour is to defer
Florent Daigniere a1da4daa4c Implement the DANE-only lookup policyd
https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67 for
context
Dimitri Huisman 5f18860669 Remove workaround. Remove deprecated url-loader.
Dimitri Huisman 60be06e298 Temporary workaround to get FontAwesome icons working.
Dimitri Huisman 5da7a06675 Resolve webpack.config.js error
Florent Daigniere 67db72d774 Behave like documented
Florent Daigniere 05b57c972e remove the static policy as it will override MTA-STS and DANE
Florent Daigniere a8142dabbe Introduce DEFER_ON_TLS_ERROR
This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.
Florent Daigniere 52d3a33875 Remove the domains that have a valid MTA-STS policy
gmail.com
comcast.net
mail.ru
googlemail.com
wp.pl
Florent Daigniere 4f96e99144 MTA-STS (use rather than publish policies)
Dimitri Huisman 00276d8b70
Merge branch 'master' into AdminLTE-3
Florent Daigniere 394c2fe22c Document REAL_IP_HEADER and REAL_IP_FROM
Fix a security vulnerability whereby we were not clearing other headers
Florent Daigniere 6bba0cecfc Strip the Forwarded header since nothing is compatible with it yet
bors[bot] 6e32092abd
Merge
1873: Completed Hebrew translation r=mergify[bot] a=yarons

The Hebrew translation is incomplete so I've completed it.

Co-authored-by: Yaron Shahrabani <sh.yaron@gmail.com>
Dimitri Huisman 169a540692 Use punycode for HTTP header for radicale and create changelog
Dimitri Huisman 4f5cb0974e Make sure HTTP header only contains ASCII
bors[bot] ecaaf25dcb
Merge
1939: Ensure that we don't do multiple DNS lookups in the sieve script r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It ensures that DNS lookups don't introduce inconsistent state. We may want to go further and actually check the return codes of rspamc too.

I haven't tested it but it should work.

### Related issue(s)
- 



Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere 368b40b4fd doh
Florent Daigniere 3e676e232a fix
Florent Daigniere ae8db08bdf Ensure that we don't do multiple DNS lookups in the sieve script
Florent Daigniere 65a27b1c7f add additional options to make DANE easier
Florent Daigniere fb8d52ceb2 Merge branch 'master' of https://github.com/Mailu/Mailu into tls_policy_map
Florent Daigniere b4102ba464 doh
Florent Daigniere 9ec7590171 Merge branch 'master' of https://github.com/Mailu/Mailu into wildcard_senders
Florent Daigniere 7252a73e11 WILDCARD_SENDERS can have spaces
bors[bot] b57df78dac
Merge
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

A conflict-free version of  implementing per-user sender limits

### Related issue(s)
- close  
- close 
- close  

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Dimitri Huisman e5972bd9ec Set default message rate limit to 200/day
Jack Murray dd127f8f06 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
Florent Daigniere 6704cb869a Switch to 3072bits dhparam (instead of 4096bits)
We aim for 128bits of security here
Jack Murray e304c352a1 Change letsencrypt timer from 1h --> 1 day
There's no need to be calling certbot so frequently
Florent Daigniere facc4b6427 Allow specific users to send email from any address
Florent Daigniere ee54a615c1 Alpine has removed support for btree and hash
David Fairbrother 24747e33de Add ability to set no WEBROOT_REDIRECT to Nginx
Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
Florent Daigniere 0b16291153 doh
Florent Daigniere 1db08018da Ensure that we get certificate validation on top90
I have found a list of the top100 email destinations online and ran them
through a script to ensure that all of their MX servers had valid
configuration... this is the result
Florent Daigniere b066a5e2ac add a default tls_policy_map
Florent Daigniere 1df79f8132 give PFS a chance
Florent Daigniere 925105075c this is required in fact
Diman0 5afbf37292 Resolve build issues
Dimitri Huisman df64601b28
Merge branch 'master' into AdminLTE-3
Florent Daigniere 772e5efb7d Disable pipelining to prevent bypass
Florent Daigniere c76a76c0b0 make it optional, add a knob
Florent Daigniere 109a8aa000 Ensure that we always have CERT+INTERMEDIARY CA
Let's encrypt may change things up in the future...
Florent Daigniere dccd8afd51 Thanks @Diman0!
ENEEDSLEEP
Florent Daigniere 974bcba5ab Restore LOGIN as tests assume it's there
Florent Daigniere 2b05e72ce4 Revert "maybe fix the tests"
This reverts commit f971b47fb9.
Florent Daigniere f971b47fb9 maybe fix the tests
Florent Daigniere 4a871c0905 this causes trouble with the test
Florent Daigniere 12c842c4b9 In fact in fullchain we want all but the last
Florent Daigniere 24f9bf1064 format certs for nginx
Florent Daigniere 98b903fe13 don't send the rootcert
Florent Daigniere 92ec446c20 doh
Florent Daigniere f05cc99dc0 Add ECC certs for modern clients
Florent Daigniere cb68cb312b Reduce the size of the RSA key to 3072bits
This is already generous for certificates that have a 3month validity!

We rekey every single time.
Florent Daigniere 5e7d5adf17 AUTH shouldn't happen on port 25
Florent Daigniere 55cdb1a534 be explicit about what we support
Florent Daigniere ecadf46ac6 fix PFS
Florent Daigniere 7285c6bfd9 admin won't understand LOGIN
Florent Daigniere de3620da4a Don't send credentials in clear ever
Florent Daigniere 4535c42e70 This isn't required
Florent Daigniere 1101e401e8 Apply the restriction on the right port
Florent Daigniere 6d244222da better error message
Florent Daigniere d6ce5d0c06 Remove a warning: limits don't apply to trusted hosts
Florent Daigniere bcdc137677 Alpine has removed support for btree and hash
Florent Daigniere 1438253a06 Ratelimit outgoing emails per user
bors[bot] 48f3b1fd49
Merge
1656: Add ability to set no WEBROOT_REDIRECT to Nginx r=mergify[bot] a=DavidFair

## What type of PR?

Enhancement / Documentation

## What does this PR do?

From commit:

---

Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.

---

I've also added bullet points to break up a long flowing sentence in `configuration.rst` - it should be a bit easier to read now

### Related issue(s)
No Related Issue - I just jumped to a PR

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly

@ Maintainers - Is this worthy of the changelog, it's useful to know about but I imagine the number of people it affects is equally minimal?
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: David Fairbrother <DavidFair@users.noreply.github.com>
Diman0 588904078e Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value.
Florent Daigniere defea3258d update arm builds too
Florent Daigniere d44608ed04 Merge remote-tracking branch 'upstream/master' into upgrade-alpine
Florent Daigniere f8362d04e4 Switch to openssl to workaround alpine
bors[bot] 6ea4e3217a
Merge
1901: treat localpart case insensitive again r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

fixes error introduced by  where the localpart of an email address was handled case sensitive.
this screwed things up at various other places.
 
### Related issue(s)

closes 
closes 

Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Alexander Graf 6856c2c80f treat localpart case insensitive again
by lowercasing it where necessary
bors[bot] 656cf22126
Merge
1856: update asset builder dependencies r=mergify[bot] a=ghostwheel42

## What type of PR?

update asset builder dependencies

## What does this PR do?

only include needed dependencies to build mailu assets with nodejs v8

### Related issue(s)

update dependencies as discussed in 


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
bors[bot] 9289fa6420
Merge
1896: save dkim key after creation r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

saves generated dkim key after creation vi web ui.
after the model change the domain object needs to be added and flushed via sqlalchemy.

### Related issue(s)

closes 


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
bors[bot] 9a4c6385e5
Merge
1888: Use threads in gunicorn rather than workers/processes r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

This ensures that we share the auth-cache... will enable memory savings
and may improve performances when a higher number of cores is available

"smarter default"

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Alexander Graf 54b46a13c6 save dkim key after creation
bors[bot] bf65a1248f
Merge
1885: fix 1884: always lookup a FQDN r=mergify[bot] a=nextgens

## What type of PR?

bugfix

## What does this PR do?

Fix bug . Ensure that we avoid the musl resolver bug by always looking up a FQDN

### Related issue(s)
- closes 

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Alexander Graf c2c3030a2f rephrased comments
bors[bot] bace7ba6e3
Merge
1890: fix Email class in model.py r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

fixes class Email - keep email, localpart and domain in sync.

### Related issue(s)

closes 


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Alexander Graf ad1b036f20 fix Email class
Florent Daigniere 8d9f3214cc Use threads in gunicorn rather than processes
This ensures that we share the auth-cache... will enable memory savings
and may improve performances when a higher number of cores is available

"smarter default"
Florent Daigniere fa915d7862 Fix 1294 ensure podop's socket is owned by postfix
Florent Daigniere 9d2629a04e fix 1884: always lookup a FQDN
Yaron Shahrabani e0bf75ae17
Completed Hebrew translation
Florent Daigniere 1d65529c94 The lookup could fail; ensure we set something
Florent Daigniere 8bc1d6c08b Replace PUBLIC_HOSTNAME/IP in Received headers
This will ensure that we don't get spam points for not respecting the
RFC
bors[bot] c5ff72d657
Merge
1857: disable startdate when autoreply is disabled r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

disable the reply startdate field when autoreply is disabled


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Florent Daigniere a0dcd46483 fix : Handle colons in passwords
Alexander Graf 180026bd77 also disable startdate
Alexander Graf 56cfcf8b64 converted tabs to spaces
Alexander Graf 6377ccb2cb re-add jquery and select2 used in app.js
Alexander Graf 3c8a8aa8f0 use less v3 to make less-loader happy
Alexander Graf 1bb059f4c1 switched to newest possible versions for nodejs v8
Alexander Graf 858312a5cb remove explicit jQuery dependency
Alexander Graf 3f91dcb7af compile scheme list using a generator
Alexander Graf 3bb0d68ead add cargo to build cryptography
Alexander Graf 9790dcdabe updated dependencies
Florent Daigniere 72735ab320 remove cyrus-sasl-plain
Florent Daigniere 420afa53f8 Upgrade to alpine 3.14
bors[bot] 4a5f6b1f92
Merge
1791: Enhanced session handling r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix

## What does this PR do?

- replaces flask_kvsession and simplekv with a mailu-specific session store
- call cleanup_sessions before first request and not on startup.
  this allows to run cmdline actions without redis (and makes it faster)
- allow running without redis for debugging purposes by setting MEMORY_SESSIONS to True
- don't sign session id, as it has plenty of entropy (as suggested by nextgens)
- adds method to prune a user's sessions

### Related issue(s)
- enhances and close 


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Alexander Graf 8b71a92219 use fixed msg for key derivation
Alexander Graf 92896ae646 fix bugs in model and schema introduced by
Alexander Graf 6740c77e43 small bugfix for exception
Alexander Graf fab3168c23 Merge remote-tracking branch 'upstream/master' into kvsession
Alexander Graf fbd945390d cleaned imports and fixed datetime and passlib use
Dimitri Huisman 6dc1a19390
Merge branch 'master' into import-export
bors[bot] fc1a663da2
Merge
1754: centralize Webmail authentication behind the admin panel (SSO) r=mergify[bot] a=nextgens

## What type of PR?

Enhancement: it centralizes the authentication of webmails to the admin interface.

## What does this PR do?

It implements the glue required for webmails to do SSO using the admin interface.
One of the main advantages of centralizing things this way is that it reduces significantly the attack surface available to an unauthenticated attacker (no webmail access until there is a valid Flask session).

Others include the ability to implement 2FA down the line and rate-limit things as required.

### Related issue(s)
- 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
bors[bot] 4ff90683ca
Merge
1758: Implement a simpler credential cache (alternative to ) r=mergify[bot] a=nextgens

## What type of PR?

Feature: it implements a credential cache to speedup authentication requests.

## What does this PR do?

Credentials are stored in cold-storage using a slow, salted/iterated hash function to prevent offline bruteforce attacks. This creates a performance bottleneck for no valid reason (see the
rationale/long version on https://github.com/Mailu/Mailu/issues/1194#issuecomment-762115549).

The new credential cache makes things fast again.

This is the simpler version of  (with no new dependencies)

### Related issue(s)
- close 
- close  
- close 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1776: optimize generation of transport nexthop r=mergify[bot] a=ghostwheel42

## What type of PR?

bug-fix and enhancement.

## What does this PR do?

Possibly there should be more input validation when editing a relay, but for now this tries to make the best out of the existing "smtp" attribute while maintaining backwards compatibility. When relay is empty, the transport's nexthop is the MX of the relayed domain to fix  

```
RELAY			NEXTHOP						TRANSPORT
empty			use MX of relay domain				smtp:domain
:port			use MX of relay domain and use port	smtp:domain:port
target			resolve A/AAAA of target			smtp:[target]
target:port		resolve A/AAAA of target and use port	smtp:[target]:port
mx:target		resolve MX of target				smtp:target
mx:target:port	resolve MX of target and use port	smtp:target:port
lmtp:target		resolve A/AAAA of target			lmtp:target
lmtp:target:port	resolve A/AAAA of target and use port	lmtp:target:port

target can also be an IPv4 or IPv6 address (an IPv6 address must be enclosed in []: [2001:DB8::]).
```

When there is proper input validation and existing database entries are migrated this function can be made much shorter again.

### Related issue(s)
- closes  
- closes  

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
bors[bot] d9da8e4bb2
Merge
1746: DNS records for client autoconfiguration (RFC6186) r=Diman0 a=nextgens

## What type of PR?

Feature

## What does this PR do?

Add instructions on how to configure rfc6186 DNS records for client autoconfiguration

### Related issue(s)
- 
- 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
bors[bot] 5d1264e381
Merge
1694: update compression algorithms for current dovecot r=nextgens a=lub

## What type of PR?

enhancement

## What does this PR do?

This adds additional compression algorithms in accordance with
https://doc.dovecot.org/configuration_manual/zlib_plugin/

### Related issue(s)

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
bors[bot] a1345114bc
Merge
1649: Update docs/reverse.rst with Traefik v2+ info r=mergify[bot] a=patryk-tech

## What type of PR?

Documentation

## What does this PR do?

Adds information about using Traefik v2+ as a reverse proxy.

### Related issue(s)
Closes  

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


1673: Remove rspamd unused env var from start script r=mergify[bot] a=cbachert

## What type of PR?
Cleanup

## What does this PR do?
Remove unused environment variable FRONT_ADDRESS in rspamd. FRONT_ADDRESS references were removed with commit 8172f3e in PR  like mentioned in chat https://matrix.to/#/!MINuyJjJSrfowljYCK:tedomum.net/$160401946364NGNmI:imninja.net?via=huisman.xyz&via=matrix.org&via=imninja.net
```
Mailu$ grep -r "FRONT_ADDRESS" core/rspamd/
core/rspamd/start.py:os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT", "front")
```

### Related issue(s)
N/A

## Prerequistes
- [x] Documentation updated accordingly: No documentation to update
- [x] Add to changelog: Minor change

Co-authored-by: Patryk Tech <git@patryk.tech>
Co-authored-by: cbachert <cbachert@users.noreply.github.com>
Alexander Graf 3f23e199f6 modified generation of session key and added refresh
- the session key is now generated using
  - a hash of the uid seeded by the apps secret_key (size: SESSION_KEY_BITS)
  - a random token (size: 128 bits)
  - the session's creation time (size: 32 bits)

- redis server side sessions are now refreshed after 1/2 the session lifetime
  even if not modified
- the cookie is also updated if necessary
Alexander Graf 9ef8aaf698 removed double confiog and fixed shaker
Alexander Graf a1fd44fced added lmtp: prefix and documentation
lub 40ad3ca032 only load zlib when compression is used
lub 2316ef1162 update compression algorithms for dovecot 3.3.14
xz is deprecated; lz4 and zstd were not present in our configs before
Florent Daigniere 875308d405 Revert "In fact it could be global"
This reverts commit f52984e4c3.
Florent Daigniere f52984e4c3 In fact it could be global
Florent Daigniere ae9206e968 Implement a simple credential cache
DjVinnii 419fed5e6e Add language selector
Alexander Graf 731ce8ede9 fix permanent sessions. hash uid using SECRET_KEY
clean session in redis only once when starting
Alexander Graf 4b8bbf760b default to 128 bits
Alexander Graf 4b71bd56c4 replace flask_kvsession with mailu's own storage
DjVinnii 7dafa22762 Add /language/<language> route for changing the locale using a session variable
DjVinnii f30cca1263 Do imports based on AdminLTE plugins
DjVinnii a4bb42faeb Remove extra space between 'AdminLTE' and 'on' in footer
DjVinnii b2498e8c8f Refactor box macro to card
DjVinnii 5ddea07c9a Fix form input append class
DjVinnii 1db0a870f3 Fix log in icon in sidebar
DjVinnii 51346c4860 Fix pre- and append styling
DjVinnii e963e7495d Create datatable based on dataTable class instead of table class
DjVinnii 0984173504 Change label to badge
DjVinnii 8246497d16 Add card header to tables
DjVinnii 49d68fa6d1 Fix horizontal scrollbar in sidebar
DjVinnii 7d3c9d412d Change tables to datatables
DjVinnii cdfa94c243 Make main action float right
DjVinnii 0c5fda3fca Change macros.box to macros.card
DjVinnii deca6e0c4a update user/settings
DjVinnii 6b3170cb4c Update side menu
DjVinnii c97728289b Update node version for building the image (AdminLTE requires node 10 or higher)
DjVinnii e46d9e1fc9 Update admin-lte version in package.json
Vincent Kling c6d0ef229f
Update messages.po
Alexander Graf f0f79b23a3 Allow cleanup of sessions by key&value in data
This can be used to delete all sessions belonging to a user/login.
For no it just iterates over all sessions.
This could be enhanced by using a prefix for and deleting by prefix.
Alexander Graf 83b1fbb9d6 Lazy loading of KVSessionExtension
- call cleanup_sessions on first kvstore access
  this allows to run cmdline actions without redis (and makes it faster)
- Allow development using DictStore by setting REDIS_ADDRESS to the empty string in env
- don't sign 64bit random session id as suggested by nextgens
Alexander Graf 8bc4445572 Sync update of localpart, domain_name and email
Alexander Graf 0c38128c4e Add pygments to requirements
Alexander Graf 9cb6962335 Moved MyYamlLexer into logger
now cmdline runs without pygments
Alexander Graf ce9a9ec572 always init Logger first
Alexander Graf c17bfae240 correct rfc3339 datetime serialization
now using correct timezone
Alexander Graf dc5464f254 Merge remote-tracking branch 'upstream/master' into import-export
Alexander Graf e90d5548a6 use RFC3339 for last_check
fixed to UTC for now
Florent Daigniere dd3d03f06d Merge remote-tracking branch 'upstream/master' into webmail-sso
bors[bot] 9c57f2ac39
Merge
1785: Fix bug  (don't replace nested headers) r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Don't replace nested headers (typically in forwarded/attached emails). This will ensure we don't break cryptographic signatures.

### Related issue(s)
- close 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
bors[bot] 25e8910b89
Merge
1783: Switch to server-side sessions r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It simplifies session management.
- it ensures that sessions will eventually expire (*)
- it implements some mitigation against session-fixation attacks
- it switches from client-side to server-side sessions (in Redis)

It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
bors[bot] 327884e07c
Merge
1610: add option to enforce inbound starttls r=mergify[bot] a=lub

## What type of PR?

Feature

## What does this PR do?
It implements a check in the auth_http handler to check for Auth-SSL == on and otherwise returns a 530 starttls error.
If INBOUND_TLS_ENFORCE is not set the behaviour is still the same as before, so existing installations should be unaffected.

Although there is a small difference to e.g. smtpd_tls_security_level of Postfix.

Postfix already throws a 530 after mail from, but this solution only throws it after rcpt to. auth_http is only the request after rcpt to, so it's not possible to do it earlier.

### Related issue(s)
 is kinda related, although this PR doesn't solve the issue that the headers will still display ESMTP instead of ESMTPS

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
bors[bot] 7469bb7087
Merge
1638: Remove the username from the milter_headers r=mergify[bot] a=githtz

Rspamd adds the name of the authenticated user by default. Setting add_smtp_user to false prevents the login to be leaked.

## What type of PR?
Enhancement

## What does this PR do?
This PR prevents the user login to be leaked in sent emails (for example using an alias)

### Related issue(s)
Closes https://github.com/Mailu/Mailu/issues/1465

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: anrc <15327800+githtz@users.noreply.github.com>
lub f3f0a4d86d
Merge branch 'master' into enforce-tls-admin
Florent Daigniere 513d2a4c5e Fix bug : nested headers shouldn't be touched
Florent Daigniere 64d757582d Disable anti-csrf on the login form
The rationale is that the attacker doesn't have the password...
and that doing it this way we avoid creating useless sessions
Florent Daigniere 481cb67392 cleanup old sessions on startup
Florent Daigniere b9becd8649 make sessions expire
Florent Daigniere a1d32568d6 Regenerate session-ids to prevent session fixation
Florent Daigniere d459c37432 make session IDs 128bits
Florent Daigniere 22af5b8432 Switch to server-side sessions in redis
Alexander Graf dd2e218375 Merge remote-tracking branch 'upstream/master' into import-export
Florent Daigniere 96ae54d04d CryptContext should be a singleton
Florent Daigniere 5f05fee8b3 Don't need regexps anymore
Florent Daigniere 1c5b58cba4 Remove scheme_dict
Florent Daigniere df230cb482 Refactor auth under nginx.check_credentials()
Florent Daigniere f9ed517b39 Be specific token length
Florent Daigniere d0b34f8e24 Move CREDENTIAL_ROUNDS to advanced settings
Florent Daigniere fda758e2b4 remove merge artifact
Florent Daigniere 57a6abaf50 Remove {scheme} from the DB if mailu has set it
Florent Daigniere 7137ba6ff1 Misc improvements to PASSWORD_SCHEME
- remove PASSWORD_SCHEME altogether
- introduce CREDENTIAL_ROUNDS
- migrate all old hashes to the current format
- auto-detect/enable all hash types that passlib supports
- upgrade passlib to 1.7.4 (see : ldap_salted_sha512 support)
Florent Daigniere 00b001f76b Improve the token storage format
shortcomings of the previous format included:
- 1000x slower than it should be (no point in adding rounds since there
 is enough entropy: they are not bruteforceable)
- vulnerable to DoS as explained in
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.sha256_crypt.html#security-issues
Florent Daigniere eb7895bd1c Don't do more work than necessary (/webdav)
This is also fixing tokens on /webdav/
Florent Daigniere 58b2cdc428 Don't do more work than necessary
bors[bot] 464e46b02b
Merge
1765: Set sensible cookie flags on the admin app r=mergify[bot] a=nextgens

## What type of PR?

Bugfix

## What does this PR do?

It sets the right flags on the session cookie issued by the admin app.
This should probably be backported as the lack of secure flag on TLS-enabled setup is a high risk vulnerability.

SameSite is hardening / helps against CSRF on modern browsers
HTTPOnly is hardening / helps reduce the impact of XSS

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
bors[bot] 47d6c697d0
Merge
1763: show flash messages again r=mergify[bot] a=lub

## What type of PR?

bug-fix

## What does this PR do?
This basically restores the behaviour, that got removed in
ecdf0c25b3 during refactoring.

### Related issue(s)
- noticed it while reviewing 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [-] In case of feature or enhancement: documentation updated accordingly
- [-] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
bors[bot] ce0c93a681
Merge
1618: add OCSP stapling to nginx.conf r=mergify[bot] a=lub

It's not added in tls.conf, because apparently the mail ssl module
doesnt' support OCSP stapling.

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
^ exists

https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_stapling
^ missing

When the configured certificate doesn't have OCSP information, it'll
just log a warning during startup.

## What type of PR?

enhancement

## What does this PR do?

It enables OCSP stapling for the http server. OCSP stapling reduces roundtrips for the client and reduces load on OCSP responders.

### Related issue(s)
- fixes  

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
bors[bot] cca4b50915
Merge
1607: _FILE variables for Docker swarm secrets r=mergify[bot] a=lub

## What type of PR?

enhancement

## What does this PR do?

This PR enables usage of DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY to load these values from files instead of supplying them directly. That way it's possible to use Docker secrets.

### Related issue(s)


## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
Florent Daigniere 0dcc059cd6 Add a new knob as discussed on matrix with lub
Jaume Barber 5bb67dfcbb Translated using Weblate (Basque)
Currently translated at 100.0% (151 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/eu/
Jaume Barber a49b9d7974 Translated using Weblate (Catalan)
Currently translated at 99.3% (150 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ca/
Jaume Barber cd9992f79c Translated using Weblate (Swedish)
Currently translated at 74.2% (121 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/sv/
Jaume Barber afae5d1c24 Translated using Weblate (Russian)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ru/
Jaume Barber 7a01a63389 Translated using Weblate (Portuguese)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/pt/
Jaume Barber 480ec29d3d Translated using Weblate (Italian)
Currently translated at 91.4% (149 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/it/
Jaume Barber 5e96a4bfcf Translated using Weblate (Spanish)
Currently translated at 91.4% (149 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/es/
Jaume Barber 6143d66eb8 Translated using Weblate (English)
Currently translated at 39.2% (64 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
Anonymous 6da5978870 Translated using Weblate (German)
Currently translated at 88.3% (144 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/de/
Anonymous 58c22fd2c6 Translated using Weblate (English)
Currently translated at 38.6% (63 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
Jaume Barber 0dc8817f32 Translated using Weblate (English)
Currently translated at 38.6% (63 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
Anonymous 3d17000ceb Translated using Weblate (English)
Currently translated at 29.4% (48 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
Jaume Barber a2933d00f3 Translated using Weblate (English)
Currently translated at 29.4% (48 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
Jaume Barber 7c0158c5f8 Translated using Weblate (English)
Currently translated at 17.7% (29 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
Anonymous 7de94275a0 Translated using Weblate (English)
Currently translated at 17.7% (29 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
Jaume Barber 43133d8515 Added translation using Weblate (Basque)
Jaume Barber 5e0aa65c8d Translated using Weblate (Italian)
Currently translated at 96.3% (157 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/it/
Jaume Barber 725cdc270c Translated using Weblate (Spanish)
Currently translated at 100.0% (163 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/es/
Weblate a571704a9d Merge branch 'origin/master' into Weblate.
Jaume Barber b9c2dc1a79 Translated using Weblate (Catalan)
Currently translated at 98.6% (149 of 151 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/ca/
Anonymous 3a9a133226 Translated using Weblate (English)
Currently translated at 11.0% (18 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
Jaume Barber af251216b0 Translated using Weblate (English)
Currently translated at 11.0% (18 of 163 strings)

Translation: Mailu/admin
Translate-URL: https://translate.tedomum.net/projects/mailu/admin/en/
Alexander Graf b55b53b781 optimize generation of transport nexthop
Alexander Graf 0a9f732faa added docstring to Logger. use generators.
Dario Ernst b6716f0d74 Remove "CHUNKING" capability from nginx-smtp
With `CHUNKING`set as a capability, nginx advertises this capability to
clients at a stage where the SMTP dialog does not seem to be forwarded
to the proxy-target (postfix) yet. Nginx' SMTP parser itself does not
support the `BDAT` command issued as part of a chunke-d dialog. This makes
Nginx respond with a `250 2.0.0 OK` and close the connection, after the
mail-data got sent by the client — without forwarding this to the
proxy-target.

With this, users mail can be lost.

Furthermore, when a user uses a sieve filter to forward mail, dovecot
sometimes chunks the forwarded mail when sending it through `front`.
These forwards then fail.

Removing `CHUNKING` from the capabilities fixes this behavior.
Alexander Graf bde7a2b6c4 moved import logging to schema
- yaml-import is now logged via schema.Logger
- iremoved relative imports - not used in other mailu modules
- removed develepment comments
- added Mailconfig.check method to check for duplicate domain names
- converted .format() to .format_map() where possible
- switched to yaml multiline dump for dkim_key
- converted dkim_key import from regex to string functions
- automatically unhide/unexclude explicitly specified attributes on dump
- use field order when loading to stabilize import
- fail when using 'hash_password' without 'password'
- fixed logging of dkim_key
- fixed pruning and deleting of lists
- modified error messages
- added debug flag and two verbosity levels
Florent Daigniere aa8cb98906 Set sensible cookie options
Alexander Graf e4c83e162d fixed colorize auto detection