58 Commits (f3c93212c6555432f4ae8e1f33489a41bb9f6e20)

Author SHA1 Message Date
Florent Daigniere 99c81c20a7 Introduce AUTH_RATELIMIT_EXEMPTION
This disables rate limiting on specific CIDRs
3 years ago
Florent Daigniere 8414dd5cf0 Merge remote-tracking branch 'upstream/master' into ratelimits 3 years ago
Florent Daigniere 4fff45bb30 Fix typo 3 years ago
Florent Daigniere e127e6b32f clarify the documentation 3 years ago
Florent Daigniere 64bc7972cc Make AUTH_RATELIMIT_IP 60/hour as discussed 3 years ago
Florent Daigniere 89ea51d570 Implement rate-limits 3 years ago
Alexander Graf 1e8b41f731 Merge remote-tracking branch 'upstream/master' into adminlte3_fixes 3 years ago
Dimitri Huisman 5a1e6dfb61 Added documentation for new LOGO_BACKGROUND and LOGO_URL env variables. 3 years ago
Florent Daigniere ef5f82362c Merge remote-tracking branch 'upstream/master' into policyd-mta-sts 3 years ago
Florent Daigniere 67db72d774 Behave like documented 3 years ago
Florent Daigniere a8142dabbe Introduce DEFER_ON_TLS_ERROR
This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.
3 years ago
Florent Daigniere 394c2fe22c Document REAL_IP_HEADER and REAL_IP_FROM
Fix a security vulnerability whereby we were not clearing other headers
3 years ago
Florent Daigniere fb8d52ceb2 Merge branch 'master' of https://github.com/Mailu/Mailu into tls_policy_map 3 years ago
Florent Daigniere fc5758e352 Clarify that it will only work for existing addresses 3 years ago
Florent Daigniere 9ec7590171 Merge branch 'master' of https://github.com/Mailu/Mailu into wildcard_senders 3 years ago
Florent Daigniere facc4b6427 Allow specific users to send email from any address 3 years ago
David Fairbrother 24747e33de Add ability to set no WEBROOT_REDIRECT to Nginx
Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
3 years ago
Florent Daigniere 7b847852af fix typo 3 years ago
Florent Daigniere e1a7657999 Now that postfix has CAs we can switch to secure
encrypt means "ensure we have some confidentiality" whereas secure means
"ensure we have confidentiality while talking to the right peer"
(protects against passive or/and active MITM attacks)
3 years ago
Florent Daigniere c76a76c0b0 make it optional, add a knob 3 years ago
bors[bot] 48f3b1fd49
Merge #1656
1656: Add ability to set no WEBROOT_REDIRECT to Nginx r=mergify[bot] a=DavidFair

## What type of PR?

Enhancement / Documentation

## What does this PR do?

From commit:

---

Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.

---

I've also added bullet points to break up a long flowing sentence in `configuration.rst` - it should be a bit easier to read now

### Related issue(s)
No Related Issue - I just jumped to a PR

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly

@ Maintainers - Is this worthy of the changelog, it's useful to know about but I imagine the number of people it affects is equally minimal?
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: David Fairbrother <DavidFair@users.noreply.github.com>
3 years ago
Diman0 588904078e Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value. 3 years ago
parisni 14307c83c1 Document databases variable and deprecation 3 years ago
bors[bot] 25e8910b89
Merge #1783
1783: Switch to server-side sessions r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

It simplifies session management.
- it ensures that sessions will eventually expire (*)
- it implements some mitigation against session-fixation attacks
- it switches from client-side to server-side sessions (in Redis)

It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
4 years ago
lub f3f0a4d86d
Merge branch 'master' into enforce-tls-admin 4 years ago
Florent Daigniere b9becd8649 make sessions expire 4 years ago
Florent Daigniere 20d2b621aa Improve the description of CREDENTIAL_ROUNDS 4 years ago
Florent Daigniere 7137ba6ff1 Misc improvements to PASSWORD_SCHEME
- remove PASSWORD_SCHEME altogether
- introduce CREDENTIAL_ROUNDS
- migrate all old hashes to the current format
- auto-detect/enable all hash types that passlib supports
- upgrade passlib to 1.7.4 (see #1706: ldap_salted_sha512 support)
4 years ago
Florent Daigniere 0dcc059cd6 Add a new knob as discussed on matrix with lub 4 years ago
David Fairbrother e7caff9811 Add ability to set no WEBROOT_REDIRECT to Nginx
Adds a 'none' env option to WEBROOT_REDIRECT so that no `location /`
configuration is written to nginx.conf.

This is useful for setting up Mailu and Mailman where we override the
root to proxy to the mailing list server instead. Without this change
the nginx container will not start, or for 1.7 users can set their
WEBMAIL_PATH to / with no webmail to get the same results.

This fix means that future users don't have to choose between webmail
and a root override and makes the configuration intention clear.
4 years ago
lub f0f873ffe7 add option to enforce inbound starttls 4 years ago
Dimitri Huisman b3e9e1bd1a Add documentation for the web administration gui. 4 years ago
bors[bot] 535b95bca7
Merge #1538
1538: Introduce environment variable to control dovecot full-text-search r=mergify[bot] a=tremlin

## What type of PR?

Enhancement

## What does this PR do?

In #1320 a full-text-search feature was enabled in Dovecot by default. Since this can have a big impact on performance, I think it's preferable to offer an option to disable the feature if it is not needed. This PR doesn't change the default behavior (FTS on).

### Related issue(s)
- #1320

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordinagly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Thomas Rehn <thomas.rehn@initos.com>
4 years ago
Thomas Rehn ebf1f4f1b6 add bits of documentation for new environment variable 4 years ago
Michael Wyraz 6234da3786 Add doc and changelog for OUTBOUND_TLS_LEVEL 5 years ago
bors[bot] d883ba1bed
Merge #1385
1385: [docs] fix variable name for RECIPIENT_DELIMETER r=Nebukadneza a=eleith

## What type of PR?

documentation

## What does this PR do?

the variable name as referenced by postfix and dovecot and mailu.env are all `RECIPIENT_DELIMETER`

example, see: 

dcda412b99/core/postfix/conf/main.cf (L40)



Co-authored-by: eleith <eleith@users.noreply.github.com>
5 years ago
eleith 97eda85db8 fix variable name for RECIPIENT_DELIMETER
the variable name as referenced by postfix (dcda412b99/core/postfix/conf/main.cf (L40)) and others is `RECIPIENT_DELIMETER`.
5 years ago
kaiyou 8e88f1b8c3 Refactor the rate limiting code
Rate limiting was already redesigned to use Python limits. This
introduced some unexpected behavior, including the fact that only
one criteria is supported per limiter. Docs and setup utility are
updated with this in mind.

Also, the code was made more generic, so limiters can be delivered
for something else than authentication. Authentication-specific
code was moved directly to the authentication routine.
5 years ago
Michael Wyraz 70f797dbd9 Don't raise rate limit exception on hit(), only on check() 5 years ago
Michael Wyraz e857b9d659 Document default antivirus behaviour, add an option to reject viruses 5 years ago
Tim Möhlmann 4911fba4af
Docs: Fix various build warnings:
- /docs/configuration.rst:157: WARNING: Inline emphasis start-string without end-string.
- /docs/configuration.rst:159: WARNING: Inline emphasis start-string without end-string.
- /docs/configuration.rst:159: WARNING: Inline emphasis start-string without end-string.
- /docs/configuration.rst:159: WARNING: Inline emphasis start-string without end-string.
- /docs/rpi_build.rst: WARNING: document isn't included in any toctree
5 years ago
Michael Wyraz a907fe4cac Split HOST_ANTISPAM in HOST_ANTISPAM_MILTER and HOST_ANTISPAM_WEBUI 5 years ago
Michael Wyraz de2f166bd1 Resolve HOST_* to *_ADDRESS only if *_ADDRESS is not already set 5 years ago
Igor Rzegocki 6f973a2e4b
Fixed hardcoded antispam and antivirus host addresses
Fixes #978
5 years ago
bors[bot] 2785bca1f4
Merge #883
883: Admin create user enhancement r=mergify[bot] a=cr1st1p

## What type of PR?
Enhancement

## What does this PR do?
It allows the admin docker image to also create the admin user.
The idea is that in my kubernetes setup, I do not want to manually do anything, as such, I need a way for the admin user to also be created automatically without me getting inside the pod.
So I had to change the manage.py function that creates the user to allow different 'modes' (me, I'll be using 'ifmissing') and also start.py to call that functionality if appropriate environment variables are present.

So now, in my Deployment, I add 3 more environment variables and I get the admin user created, IF not already present.

### Related issue(s)
none?

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: place entry in the [changelog](CHANGELOG.md), under the latest un-released version.


Co-authored-by: cristi <cristi.posoiu@gmail.com>
Co-authored-by: cr1st1p <cristi.posoiu@gmail.com>
Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>
5 years ago
cristi 078082fac9 Hopefully improved documentation around initial admin account creation. 6 years ago
Daniel Huber 7dcb2eb006
Add authentication for email relays 6 years ago
Tim Möhlmann d9f8510bb6
Fix notls typo 6 years ago
Tim Möhlmann 38e754be6d
Make docs refer to the setup utility 6 years ago
Tim Möhlmann 71cda7983e
Merge branch 'master' into feat-logging 6 years ago