1965: postfix/tls_policy: Use lmdb map instead of hash r=mergify[bot] a=tonobo
## What type of PR?
bug-fix
## What does this PR do?
### Related issue(s)
#1918https://github.com/Mailu/Mailu/pull/1902/#issuecomment-902108080
Co-authored-by: Tim Foerster <timhormersdorf@googlemail.com>
1959: Ensure that we don't trust client headers r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Document how REAL_IP_FROM and REAL_IP_HEADER should be used. Ensure that we strip True-Client-IP and X-Forwarded-For if neither are set.
We should also update the documentation on reverse-proxies... but that's #1958
### Related issue(s)
- #1958
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1958: Update the documentation on reverse proxies r=mergify[bot] a=nextgens
## What type of PR?
documentation
## What does this PR do?
Update the documentation on reverse proxies; this is mostly cosmetic (fix the links, use example.com where appropriate, ...).
It also removes the last option (run Mailu without its frontend) as that won't work with SSO and is a terrible idea anyway.
I wonder if we should just get rid of that section
### Related issue(s)
- #1528
- #1422
- #1038
- #1879
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1873: Completed Hebrew translation r=mergify[bot] a=yarons
The Hebrew translation is incomplete so I've completed it.
Co-authored-by: Yaron Shahrabani <sh.yaron@gmail.com>
1957: BugFix 1952 - use punycode encoding in HTTP headers for webmail/radicale r=mergify[bot] a=Diman0
## What type of PR?
Bug fix
## What does this PR do?
Fixes a bug introduced by the SSO implementation and an already existing bug for radicale.
In auth.py we did not use punycode (ACE) encoding for the domain part of an email.
Since we pass the user name in the HTTP header to webmail/radicale, we would sometime pass non-ascii. E.g. user@exämple.io.
This is illegal. HTTP headers may only contain ASCII. The domain part of the user name therefore now uses punycode encoding.
I tested that I can log in with the form user@exämple.io and user@xn--exmple-cua.io for
- admin
- roundcube (also tested sending emails of course)
- rainloop (also tested sending emails of course)
- radicale (webdav)
- thunderbird - sending/receiving emails and accessing/modifying the webdav calendar added in radicale.
- for the calendar you can use the normal and punnycode notation
- for email you can only use punnycode. This is a limitation of thunderbird. It does not accept email addresses with non-ascii in the domain part of an email address.
### Related issue(s)
- closes #1952
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [n/a] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
1947: k8s is helm-charts only r=mergify[bot] a=nextgens
## What type of PR?
documentation
## What does this PR do?
Remove the k8s documentation templates and document that helm charts is the supported way to do it.
### Related issue(s)
- #1451
- closes#1329
- closes#1191
- closes#1823
- closes#1433
- closes#1285
and
- closes#1420
- closes#1826
- closes#1919
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1939: Ensure that we don't do multiple DNS lookups in the sieve script r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
It ensures that DNS lookups don't introduce inconsistent state. We may want to go further and actually check the return codes of rspamc too.
I haven't tested it but it should work.
### Related issue(s)
- #1938
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1941: Fix a bug whereby adding new HOSTNAMEs won't necessarily lead to certificates being renewed. r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Fix a bug whereby adding new HOSTNAMEs won't necessarily lead to certificates being renewed.
certbot's defaut behaviour has changed when --renew-with-new-domains was introduced
### Related issue(s)
- close#1270
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1902: Make smtp_tls_policy_maps easily configurable r=mergify[bot] a=nextgens
## What type of PR?
Feature
## What does this PR do?
- Make smtp_tls_policy_maps easily configurable. This is useful to force TLS verification of specific destinations (or relays).
We should probably discuss what's on the list by default. I have found a top100 list online, ran it through a script to check all the records and found 90 destinations we could use.
- disable TLS session tickets (this reduces the PFS window from 1day to 1h)
- enable system CAs by default (to allow for OUTBOUND_TLS_LEVEL above encrypt without additional overrides)
### Related issue(s)
- closes#1558
- #707
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1925: Optimize Rainloop: Change to NGINX r=mergify[bot] a=Erriez
## What type of PR?
- Reduce build time.
- Reduce image size.
- Faster user response using CGI.
## What does this PR do?
### Related issue(s)
- Mention an issue like: #1830, #1200 and #1924
- Auto close an issue like: closes#1924
## Prerequistes
Documentation updates TBD (requires some guidance):
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
## Technical details
- Image from `php:7.4-apache` to `nginx:1.21-alpine` followed by PHP7 installation.
- Move `.ini` files to directory `defaults/`.
- Move files `sso.php and include.php` to directory `login/`.
- NGINX configuration:
- `access_log off;` as this is handled by front.
- `error_log /dev/stderr err; configured to reduce output. The logging in `start.py` is useless.
- PHP configuration optimized for CGI usage and requires a config file `config/php-rainloop.conf` -> `/etc/php7/php-fpm.d/rainloop.conf`.
- `.ini` files are parsed / substituted by `socrate` Python module.
Further optimization is possible by completely removing Python. This is only used to parse the `.ini` files and can be done via Bash scripts. This saves more build time and image size can be reduced to 112MB.
## Reviewing
This PR requires multiple reviewers and extensive testing before merging into master. Data/settings are compatible with previous images.
Co-authored-by: Erriez <Erriez@users.noreply.github.com>
1904: Allow specific users to send email from any address r=mergify[bot] a=nextgens
## What type of PR?
Feature
## What does this PR do?
Allow specific users to send email from any address using the WILDCARD_SENDERS configuration variable.
### Related issue(s)
- closes#1096
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: David Fairbrother <DavidFair@users.noreply.github.com>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com>
Co-authored-by: Erriez <Erriez@users.noreply.github.com>
1935: Fix bug #1934: logs flooded with "unbound udp connect failed: Address not available for" r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Revert back to alpine 1.12 for the resolver/unbound container. The official fix is at:
08968baec1
but alpine doesn't ship it yet:
https://pkgs.alpinelinux.org/packages?name=unbound&branch=v3.14
### Related issue(s)
- closes#1934
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens
## What type of PR?
Feature
## What does this PR do?
A conflict-free version of #1360 implementing per-user sender limits
### Related issue(s)
- close#1360
- close#1031
- close#1774
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
1922: Harden postfix's configuration r=mergify[bot] a=nextgens
## What type of PR?
enhancement
## What does this PR do?
It hardens the default configuration:
- disable AUTH commands on port 25 (nginx was not advertising the capability: normal clients wouldn't attempt it)
- fix Forward Secrecy by ensuring that we don't use session tickets and don't cache on forensically carveable mediums
- prevent clear-text credentials from being sent while authenticating to remote relays (this may break things if the relay doesn't support challenge-based authentication NOR STARTTLS - unlikely).
- switch to default RSA keysizes (2048 bits and they get rekeyed every 3 months -modern clients will do ECC)
- enable ECC certificates (much smaller than RSA keys, faster for better security margin)
- configure nginx so that it doesn't send the legacy/root CA (clients that require it are unlikely to do TLS1.2 any ways)
I don't think that any of those changes is impactful enough to warrant being documented.
### Related issue(s)
- close#1804
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Jack Murray <github@c0rporation.com>
1928: Change letsencrypt timer from 1h --> 1 day r=mergify[bot] a=jackmurray
There's no need to be calling certbot so frequently. Letsencrypt certificates last for 90 days so polling every hour is just wasteful. Once per day should be more than sufficient to catch any certificates before they even get close to expiring.
## What type of PR?
Enhancement
## What does this PR do?
Reduces unnecessary load on the Letsencrypt ACME servers.
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Jack Murray <github@c0rporation.com>