2698 Commits (e5972bd9ecdb81c22998a380311add36538caea1)
 

Author SHA1 Message Date
Linus Gasser ffa7562079
configurations changed place in 1.8 4 years ago
bors[bot] 42cefab4c2
Merge #1760
1760: Security updates to postgresql r=mergify[bot] a=WebSpider

## What type of PR?

Security update

## What does this PR do?

It fixes vulnerabilities in the sudo package in the postgresql optional container documented in
CVE-2021-23240, CVE-2021-3156 and CVE-2021-23239

### Related issue(s)

None

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Nils Vogels <n.vogels@aves-it.nl>
4 years ago
Florent Daigniere 875308d405 Revert "In fact it could be global"
This reverts commit f52984e4c3.
4 years ago
Florent Daigniere feff121a9b Merge remote-tracking branch 'upstream/master' into credential-cache-simple 4 years ago
Florent Daigniere f52984e4c3 In fact it could be global 4 years ago
Florent Daigniere ae9206e968 Implement a simple credential cache 4 years ago
Dario Ernst 4dbefe8e3a
Merge pull request #1631 from toastboy70/bug/#1536
Change unbound logfile to the empty string
4 years ago
Linus Gasser 1f2aee278c
Reflect override settings for postfix
Also added a stumbling stone when changing postfix.cf
4 years ago
Alexander Graf 731ce8ede9 fix permanent sessions. hash uid using SECRET_KEY
clean session in redis only once when starting
4 years ago
Alexander Graf 4b8bbf760b default to 128 bits 4 years ago
Alexander Graf 4b71bd56c4 replace flask_kvsession with mailu's own storage 4 years ago
Vincent Kling c6d0ef229f
Update messages.po 4 years ago
bors[bot] ff4d3f4d37
Merge #1792
1792: Update fail2ban documentation r=mergify[bot] a=ronivay

## What type of PR?

documentation

## What does this PR do?

Update fail2ban documentation. Use DOCKER-USER chain instead of FORWARD chain for fail2ban rules so that they are always processed before any other rules added by docker itself. Also add instructions how to make fail2ban start after docker to prevent fail2ban from failing because of missing DOCKER-USER chain in iptables.

### Related issue(s)
closes #1727 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.




Co-authored-by: ronivay <roni@vayrynen.info>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
4 years ago
Dimitri Huisman 0bdf84dd25
Update faq.rst
Some spelling improvements.
4 years ago
ronivay 75baa1da99 Update fail2ban documentation 4 years ago
Alexander Graf f0f79b23a3 Allow cleanup of sessions by key&value in data
This can be used to delete all sessions belonging to a user/login.
For no it just iterates over all sessions.
This could be enhanced by using a prefix for and deleting by prefix.
4 years ago
Alexander Graf 83b1fbb9d6 Lazy loading of KVSessionExtension
- call cleanup_sessions on first kvstore access
  this allows to run cmdline actions without redis (and makes it faster)
- Allow development using DictStore by setting REDIS_ADDRESS to the empty string in env
- don't sign 64bit random session id as suggested by nextgens
4 years ago
Alexander Graf 8bc4445572 Sync update of localpart, domain_name and email 4 years ago
Alexander Graf 0c38128c4e Add pygments to requirements 4 years ago
Alexander Graf 9cb6962335 Moved MyYamlLexer into logger
now cmdline runs without pygments
4 years ago
bors[bot] 1fd7a9c578
Merge #1761
1761: check for `ipv6_enabled` in the compose template r=nextgens a=lub

Checking only `ipv6` isn't sufficient, because it has a default value.

## What type of PR?

bug-fix

## What does this PR do?

### Related issue(s)
-

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [it's a minor change] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
4 years ago
Alexander Graf ce9a9ec572 always init Logger first 4 years ago
Alexander Graf c17bfae240 correct rfc3339 datetime serialization
now using correct timezone
4 years ago
Alexander Graf dc5464f254 Merge remote-tracking branch 'upstream/master' into import-export 4 years ago
Alexander Graf e90d5548a6 use RFC3339 for last_check
fixed to UTC for now
4 years ago
Florent Daigniere dd3d03f06d Merge remote-tracking branch 'upstream/master' into webmail-sso 4 years ago
bors[bot] 9c57f2ac39
Merge #1785
1785: Fix bug #1660 (don't replace nested headers) r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Don't replace nested headers (typically in forwarded/attached emails). This will ensure we don't break cryptographic signatures.

### Related issue(s)
- close #1660

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
4 years ago
bors[bot] 25e8910b89
Merge #1783
1783: Switch to server-side sessions r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It simplifies session management.
- it ensures that sessions will eventually expire (*)
- it implements some mitigation against session-fixation attacks
- it switches from client-side to server-side sessions (in Redis)

It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
4 years ago
bors[bot] 327884e07c
Merge #1610
1610: add option to enforce inbound starttls r=mergify[bot] a=lub

## What type of PR?

Feature

## What does this PR do?
It implements a check in the auth_http handler to check for Auth-SSL == on and otherwise returns a 530 starttls error.
If INBOUND_TLS_ENFORCE is not set the behaviour is still the same as before, so existing installations should be unaffected.

Although there is a small difference to e.g. smtpd_tls_security_level of Postfix.

Postfix already throws a 530 after mail from, but this solution only throws it after rcpt to. auth_http is only the request after rcpt to, so it's not possible to do it earlier.

### Related issue(s)
#1328 is kinda related, although this PR doesn't solve the issue that the headers will still display ESMTP instead of ESMTPS

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
4 years ago
bors[bot] 7469bb7087
Merge #1638
1638: Remove the username from the milter_headers r=mergify[bot] a=githtz

Rspamd adds the name of the authenticated user by default. Setting add_smtp_user to false prevents the login to be leaked.

## What type of PR?
Enhancement

## What does this PR do?
This PR prevents the user login to be leaked in sent emails (for example using an alias)

### Related issue(s)
Closes https://github.com/Mailu/Mailu/issues/1465

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: anrc <15327800+githtz@users.noreply.github.com>
4 years ago
lub f3f0a4d86d
Merge branch 'master' into enforce-tls-admin 4 years ago
Florent Daigniere b872b46097 towncrier 4 years ago
Florent Daigniere 97be7359fe towncrier 4 years ago
Florent Daigniere 513d2a4c5e Fix bug #1660: nested headers shouldn't be touched 4 years ago
Florent Daigniere 64d757582d Disable anti-csrf on the login form
The rationale is that the attacker doesn't have the password...
and that doing it this way we avoid creating useless sessions
4 years ago
Florent Daigniere 481cb67392 cleanup old sessions on startup 4 years ago
Florent Daigniere b9becd8649 make sessions expire 4 years ago
Florent Daigniere a1d32568d6 Regenerate session-ids to prevent session fixation 4 years ago
Florent Daigniere d459c37432 make session IDs 128bits 4 years ago
Florent Daigniere 22af5b8432 Switch to server-side sessions in redis 4 years ago
Alexander Graf dd2e218375 Merge remote-tracking branch 'upstream/master' into import-export 4 years ago
bors[bot] 7e2db9c9c3
Merge #1753
1753: Better password storage r=nextgens a=nextgens

## What type of PR?

Enhancement: optimization of the logic to speedup authentication requests, support the import of most hashes passlib supports.

## What does this PR do?

- it changes the default password cold-storage format to sha256+bcrypt
- it enhances the logic to ensure that no CPU cycles are wasted when valid credentials are found
- it fixes token authentication on /webdav/
- it lowers the number of rounds used for token storage (on the basis that they are high-entropy: not bruteforceable and speed matters)
- it introduces a new setting to set the number of rounds used by the password hashing function (CREDENTIAL_ROUNDS). The setting can be adjusted as required and existing hashes will be migrated to the new cost-factor.
- it updates the version of passlib in use and enables all supported hash types (that will be converted to the current settings on first use)
- it removes the PASSWORD_SCHEME setting

### Related issue(s)
- close #1194
- close #1662
- close #1706

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
4 years ago
Florent Daigniere 96ae54d04d CryptContext should be a singleton 4 years ago
Florent Daigniere 5f05fee8b3 Don't need regexps anymore 4 years ago
Florent Daigniere 1c5b58cba4 Remove scheme_dict 4 years ago
Florent Daigniere 45e5cb9bb3 Improve the towncrier messages 4 years ago
Florent Daigniere 20d2b621aa Improve the description of CREDENTIAL_ROUNDS 4 years ago
Florent Daigniere df230cb482 Refactor auth under nginx.check_credentials() 4 years ago
Florent Daigniere f9ed517b39 Be specific token length 4 years ago
Florent Daigniere d0b34f8e24 Move CREDENTIAL_ROUNDS to advanced settings 4 years ago