From 8d7737c917e8726ba7dcd26c6efd7fcfa6825fc2 Mon Sep 17 00:00:00 2001 From: Stephan Holl Date: Fri, 1 Sep 2023 19:14:57 +0200 Subject: [PATCH 01/20] Add FAQ entry for deleting IPs from rate limiter --- docs/faq.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/faq.rst b/docs/faq.rst index 8529c752..22a34a2b 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -435,6 +435,25 @@ Proceed as following for deleting an user: .. _`github project`: https://github.com/Mailu/Mailu/ + +How to unblock an IP from rate limiter manually? +```````````````````````````````````````````````` + +To manually unblock an IP from the rate limiter do the following on your CLI: + +.. code-block:: bash + + # list the limited networks (this is not the IP, but only the network part according to AUTH_RATELIMIT_IP_V4_MASK + $ docker compose exec redis redis-cli -n 2 --scan --pattern 'LIMITER/auth-ip/*' + + # remove from rate limiter + $ IP=8.8.8.8; docker compose exec redis redis-cli -n 2 --scan --pattern "LIMITER/auth-ip/${IP}/*" \ + | xargs -r docker compose exec -T redis redis-cli -n 2 DEL + +*Issue reference:* `2856`_. + +.. _`2856`: https://github.com/Mailu/Mailu/issues/2856 + Changes in .env don't propagate ``````````````````````````````` From 1aa0f89a17058185b31c2f3cbf21a386a93fdef5 Mon Sep 17 00:00:00 2001 From: Stephan Holl Date: Sat, 2 Sep 2023 11:15:21 +0200 Subject: [PATCH 02/20] Add hints for token-based auth and AUTH_RATELIMIT_EXEMPTION --- docs/configuration.rst | 2 ++ docs/faq.rst | 4 ++++ docs/webadministration.rst | 2 ++ 3 files changed, 8 insertions(+) diff --git a/docs/configuration.rst b/docs/configuration.rst index 2f7e27a7..e4bd045e 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst 
@@ -40,6 +40,8 @@ address. The ``WILDCARD_SENDERS`` setting is a comma delimited list of user email addresses that are allowed to send emails from any existing address (spoofing the sender). +.. _AUTH Ratelimit: + The ``AUTH_RATELIMIT_IP`` (default: 5/hour) holds a security setting for fighting attackers that attempt a password spraying attack. The value defines the limit of authentication attempts that will be processed on **distinct** non-existing diff --git a/docs/faq.rst b/docs/faq.rst index 22a34a2b..27e5f6a2 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -450,6 +450,10 @@ To manually unblock an IP from the rate limiter do the following on your CLI: $ IP=8.8.8.8; docker compose exec redis redis-cli -n 2 --scan --pattern "LIMITER/auth-ip/${IP}/*" \ | xargs -r docker compose exec -T redis redis-cli -n 2 DEL +Consider to use :ref:`AUTH tokens` for your users. Ratelimiting is exempted for token-based authentication! + +Also have a look at the configuration parameter ``AUTH_RATELIMIT_EXEMPTION``. More on :ref:`Rate limiting`. + *Issue reference:* `2856`_. .. _`2856`: https://github.com/Mailu/Mailu/issues/2856 diff --git a/docs/webadministration.rst b/docs/webadministration.rst index ed75f095..6521fc2e 100644 --- a/docs/webadministration.rst +++ b/docs/webadministration.rst @@ -165,6 +165,8 @@ Click the submit button to apply settings. With the default polling interval, fe Make sure ``FETCHMAIL_ENABLED`` is set to ``true`` in ``mailu.env`` to enable fetching and showing fetchmail in the admin interface. +.. _AUTH tokens: + Authentication tokens --------------------- From c20ef3253381f584791281f0dc74cd22fe044af2 Mon Sep 17 00:00:00 2001 From: Stephan Holl <1610827+sholl@users.noreply.github.com> Date: Wed, 22 Nov 2023 20:07:55 +0100 Subject: [PATCH 03/20] Update docs/faq.rst use @nextgens suggestion Co-authored-by: Florent Daigniere --- docs/faq.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/faq.rst b/docs/faq.rst index 27e5f6a2..5772978a 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -450,7 +450,7 @@ To manually unblock an IP from the rate limiter do the following on your CLI: $ IP=8.8.8.8; docker compose exec redis redis-cli -n 2 --scan --pattern "LIMITER/auth-ip/${IP}/*" \ | xargs -r docker compose exec -T redis redis-cli -n 2 DEL -Consider to use :ref:`AUTH tokens` for your users. Ratelimiting is exempted for token-based authentication! +Consider using :ref:`AUTH tokens` for your users. Token-based authentication is exempted from rate limits! Also have a look at the configuration parameter ``AUTH_RATELIMIT_EXEMPTION``. More on :ref:`Rate limiting`. From e0c6fbd92accc2bede4c671ffb4a293ffbca060e Mon Sep 17 00:00:00 2001 From: Stephan Holl Date: Wed, 22 Nov 2023 20:28:47 +0100 Subject: [PATCH 04/20] Add AUTH_REQUIRE_TOKENS referrer --- docs/faq.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/faq.rst b/docs/faq.rst index 5dfc0fa1..2200cfd8 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -453,7 +453,9 @@ To manually unblock an IP from the rate limiter do the following on your CLI: Consider using :ref:`AUTH tokens` for your users. Token-based authentication is exempted from rate limits! -Also have a look at the configuration parameter ``AUTH_RATELIMIT_EXEMPTION``. More on :ref:`Rate limiting`. +Also have a look at the configuration parameters +``AUTH_RATELIMIT_EXEMPTION`` and ``AUTH_REQUIRE_TOKENS``. More on +:ref:`Rate limiting` and :ref:`advanced settings`. *Issue reference:* `2856`_. From a068a65818db2889ae30ca024caa5986321037e7 Mon Sep 17 00:00:00 2001 
From: Till Skrodzki Date: Sat, 18 Jan 2025 19:02:29 +0100 Subject: [PATCH 05/20] Add DB_APPENDIX to support additional parameters With https://github.com/Mailu/Mailu/pull/3701 the remark was left to set the DB collation for MariaDB setups. However, the Helm chart has no option to overwrite the SQLAlchemy URI really. It selfs DB_USER, DB_PW, DB_NAME and DB_HOST and thus triggers the Alchemy URI to be overwritten (and it overwrites it statically as well...). This commit adds the parameter / environment variable DB_APPENDIX allowing for, e.g., '?collation=utf8mb4_unicode_ci' to be set using an environment variable which the Helm chart can then set. --- core/admin/mailu/configuration.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py index e568deb9..abc9a7e4 100644 --- a/core/admin/mailu/configuration.py +++ b/core/admin/mailu/configuration.py @@ -25,6 +25,7 @@ DEFAULT_CONFIG = { 'DB_PW': None, 'DB_HOST': 'database', 'DB_NAME': 'mailu', + 'DB_APPENDIX': '', 'SQLITE_DATABASE_FILE': 'data/main.db', 'SQLALCHEMY_DATABASE_URI': 'sqlite:////data/main.db', 'SQLALCHEMY_DATABASE_URI_ROUNDCUBE': 'sqlite:////data/roundcube.db', @@ -102,8 +103,8 @@ class ConfigManager: DB_TEMPLATES = { 'sqlite': 'sqlite:////{SQLITE_DATABASE_FILE}', - 'postgresql': 'postgresql://{DB_USER}:{DB_PW}@{DB_HOST}/{DB_NAME}', - 'mysql': 'mysql+mysqlconnector://{DB_USER}:{DB_PW}@{DB_HOST}/{DB_NAME}', + 'postgresql': 'postgresql://{DB_USER}:{DB_PW}@{DB_HOST}/{DB_NAME}{DB_APPENDIX}', + 'mysql': 'mysql+mysqlconnector://{DB_USER}:{DB_PW}@{DB_HOST}/{DB_NAME}{DB_APPENDIX}', } def __init__(self): From da10c88a2f2142d08eb6037228c3973ef4ac3196 Mon Sep 17 00:00:00 2001 
From: Till Skrodzki Date: Sat, 18 Jan 2025 19:03:31 +0100 Subject: [PATCH 06/20] Add uvloop for prod execution postfix-mta-sts-resolver can optionally use uvloop speeding up asyncio execution --- core/base/requirements-prod.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/core/base/requirements-prod.txt b/core/base/requirements-prod.txt index 40b97bc4..81f32289 100644 --- a/core/base/requirements-prod.txt +++ b/core/base/requirements-prod.txt @@ -78,6 +78,7 @@ tabulate==0.9.0 tenacity==8.2.3 typing_extensions==4.11.0 urllib3==2.2.1 +uvloop==0.21.0 validators==0.28.1 visitor==0.1.3 vobject==0.9.7 From a5cdf27534fdfefc11cbcf5a5b7da5e6825c2b3c Mon Sep 17 00:00:00 2001 From: Till Skrodzki Date: Sat, 18 Jan 2025 21:24:49 +0100 Subject: [PATCH 07/20] Update docs for DB_APPENDIX --- docs/faq.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/faq.rst b/docs/faq.rst index 5b4c153f..5caa5be9 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -992,6 +992,7 @@ Admin container fails to connect to external MariaDB database ````````````````````````````````````````````````````````````` If the admin container is `unable to connect to an external MariaDB database due to incompatible collation`_, you may need to change the ``SQLALCHEMY_DATABASE_URI`` setting to ensure the right connector is used. +Alternatively, you may set ``DB_APPENDIX`` accordingly. For example: ``?collation=utf8mb4_unicode_ci`` is appended as is just after the database name in case DB_TYPE and related values are set. MariaDB has no support for utf8mb4_0900_ai_ci which is the new default since MySQL version 8.0. From 6387713ad008bcc015c49a27318a75124403d32f Mon Sep 17 00:00:00 2001 
From: Vincent PARRES-GACON Date: Thu, 6 Feb 2025 09:56:39 +0100 Subject: [PATCH 08/20] Fixed "core" Docker image to allow x86_32 building, updated documentation for SSE4.2 requirement. - "core" Docker image : Switched from uname -m architecture detection to apk --print-arch to better reflect the binary distribution architecture instead of the current Kernel architecture. This allows building a i686 linux image on a amd64 machine. - "core" Docker image : Adding rust toolchain in dependancies to allow python modules to build properly on uncommonly supported architectures (like i686) - Documentation : Updated setup requirement to mention SSE4.2 requirement - Documentation : Updated faq with the full explanation for the SSE4.2 requirement and the reference to the mailu issue. --- core/base/Dockerfile | 6 +++--- docs/faq.rst | 13 +++++++++++++ docs/setup.rst | 3 +++ 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/core/base/Dockerfile b/core/base/Dockerfile index 892faa9b..66462e18 100644 --- a/core/base/Dockerfile +++ b/core/base/Dockerfile @@ -15,7 +15,7 @@ RUN set -euxo pipefail \ ; addgroup -Sg ${MAILU_GID} mailu \ ; adduser -Sg ${MAILU_UID} -G mailu -h /app -g "mailu app" -s /bin/bash mailu \ ; apk add --no-cache bash ca-certificates curl python3 tzdata \ - ; ! [[ "$(uname -m)" == x86_64 ]] \ + ; ! [[ "$(apk --print-arch)" == x86_64 ]] \ || apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc WORKDIR /app 
@@ -52,10 +52,10 @@ ENV \ SNUFFLEUPAGUS_URL="https://github.com/jvoisin/snuffleupagus/archive/refs/tags/v${SNUFFLEUPAGUS_VERSION}.tar.gz" RUN set -euxo pipefail \ - ; machine="$(uname -m)" \ + ; machine="$(apk --print-arch)" \ ; deps="build-base gcc libffi-dev python3-dev mariadb-dev" \ ; [[ "${machine}" != x86_64 ]] && \ - deps="${deps} cargo git libretls-dev mariadb-connector-c-dev postgresql-dev" \ + deps="${deps} rust cargo git libretls-dev mariadb-connector-c-dev postgresql-dev" \ ; apk add --virtual .build-deps ${deps} \ ; [[ "${machine}" == armv7* ]] && \ mkdir -p /root/.cargo/registry/index && \ diff --git a/docs/faq.rst b/docs/faq.rst index 5b4c153f..d0d2703b 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -996,3 +996,16 @@ If the admin container is `unable to connect to an external MariaDB database due MariaDB has no support for utf8mb4_0900_ai_ci which is the new default since MySQL version 8.0. .. _`unable to connect to an external MariaDB database due to incompatible collation`: https://github.com/Mailu/Mailu/issues/3449 + +Why is Rspamd giving me an "Illegal instruction" error ? +````````````````````````````````````````````````````````` + +On Linux amd64 (x84_64), if the antispam container is crashing and gives you an `Illegal instruction` error, you may have a CPU that lacks support of the ``SSE4.2`` instruction set. +The more modern and FOSS ``vectorscan`` library used by rspamd superseeded the now closed source Intel ``hyperscan`` library in Alpine Linux, and since August 2024 it requires the ``SSE4.2`` instruction set to work properly. + +Pre-2013 Intel Atom CPUs (Like N2800 or D425), Intel pre-Nehalem architectures and AMD pre-Bulldozer architectures does not support ``SSE4.2``. + +A workaround to this issue is to use a x86_32 (or i686) version of rspamd, because the ``vectorscan`` library is only used on 64-bit capable systems. +Note that this may stop working in the future, as 32-bit software support is being progressively dropped. + +*Issue reference:* `3713`_. diff --git a/docs/setup.rst b/docs/setup.rst index d8df0baa..8b3d7c42 100644 --- a/docs/setup.rst +++ b/docs/setup.rst @@ -22,6 +22,9 @@ linux/arm64v8 or linux/armv7 hardware, so it should run on pretty much any cloud server as long as enough power is provided. +On x86_64, check that your processor supports the ``SSE4.2`` instruction set. +For example, pre-2013 Intel Atom CPUs lacks ``SSE4.2`` support. See :ref:`faq`. + You should also have at least a DNS hostname and a DNS name for receiving emails. Some instructions are provided on the matter in the article :ref:`dns_setup`. From 12df485d3927711784504638130b74cdf9abed8f Mon Sep 17 00:00:00 2001 
From: Vincent PARRES-GACON Date: Thu, 6 Feb 2025 11:44:57 +0100 Subject: [PATCH 09/20] Fix : Forgot issue reference link in faq.rst --- docs/faq.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/faq.rst b/docs/faq.rst index d0d2703b..9a47c6ad 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -1000,7 +1000,7 @@ MariaDB has no support for utf8mb4_0900_ai_ci which is the new default since MyS Why is Rspamd giving me an "Illegal instruction" error ? ````````````````````````````````````````````````````````` -On Linux amd64 (x84_64), if the antispam container is crashing and gives you an `Illegal instruction` error, you may have a CPU that lacks support of the ``SSE4.2`` instruction set. +On Linux amd64 (x84_64), if the antispam container is crashing and gives you an ``Illegal instruction`` error, you may have a CPU that lacks support of the ``SSE4.2`` instruction set. The more modern and FOSS ``vectorscan`` library used by rspamd superseeded the now closed source Intel ``hyperscan`` library in Alpine Linux, and since August 2024 it requires the ``SSE4.2`` instruction set to work properly. Pre-2013 Intel Atom CPUs (Like N2800 or D425), Intel pre-Nehalem architectures and AMD pre-Bulldozer architectures does not support ``SSE4.2``. @@ -1009,3 +1009,5 @@ A workaround to this issue is to use a x86_32 (or i686) version of rspamd, becau Note that this may stop working in the future, as 32-bit software support is being progressively dropped. *Issue reference:* `3713`_. + +.. _`3713`: https://github.com/Mailu/Mailu/issues/3713 From 45c4dd12a934f3901bc917b13e74ae5bae6971d5 Mon Sep 17 00:00:00 2001 From: Vincent PARRES-GACON Date: Mon, 10 Feb 2025 10:44:53 +0100 Subject: [PATCH 10/20] FAQ : Add a one liner command to help checking if platform is SSE4.2 capable --- docs/faq.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/faq.rst b/docs/faq.rst index 9a47c6ad..423cfc80 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -1003,7 +1003,10 @@ Why is Rspamd giving me an "Illegal instruction" error ? On Linux amd64 (x84_64), if the antispam container is crashing and gives you an ``Illegal instruction`` error, you may have a CPU that lacks support of the ``SSE4.2`` instruction set. The more modern and FOSS ``vectorscan`` library used by rspamd superseeded the now closed source Intel ``hyperscan`` library in Alpine Linux, and since August 2024 it requires the ``SSE4.2`` instruction set to work properly. -Pre-2013 Intel Atom CPUs (Like N2800 or D425), Intel pre-Nehalem architectures and AMD pre-Bulldozer architectures does not support ``SSE4.2``. +Pre-2013 Intel Atom CPUs (Like N2800 or D425), Intel pre-Nehalem architectures and AMD pre-Bulldozer architectures do not support ``SSE4.2``. +To check if your CPU supports ``SSE4.2`` you can use this one liner command: + +``if grep -q sse4_2 /proc/cpuinfo; then echo "CPU is SSE4.2 Capable"; else echo "CPU is NOT SSE4.2 capable"; fi`` A workaround to this issue is to use a x86_32 (or i686) version of rspamd, because the ``vectorscan`` library is only used on 64-bit capable systems. Note that this may stop working in the future, as 32-bit software support is being progressively dropped. From d48cc06c59f37aed9b2b61abd2fd00b84af8516c Mon Sep 17 00:00:00 2001 From: ctrl-i <1422608+ctrl-i@users.noreply.github.com> Date: Thu, 13 Feb 2025 08:25:10 +0000 Subject: [PATCH 11/20] Upgrade to the latest version of roundcube - 1.6.10 Upgrade to the latest version of roundcube --- webmails/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webmails/Dockerfile b/webmails/Dockerfile index 95d4a374..0408c3af 100644 --- a/webmails/Dockerfile +++ b/webmails/Dockerfile 
@@ -28,7 +28,7 @@ RUN set -euxo pipefail \ ; mkdir -p /run/nginx /conf # roundcube -ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.6.9/roundcubemail-1.6.9-complete.tar.gz +ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.6.10/roundcubemail-1.6.10-complete.tar.gz ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v5.1.0/carddav-v5.1.0.tar.gz RUN set -euxo pipefail \ From 651ca984d9f4758fbf3cdd6ca775b2e77801a18b Mon Sep 17 00:00:00 2001 From: ctrl-i <1422608+ctrl-i@users.noreply.github.com> Date: Thu, 13 Feb 2025 08:26:53 +0000 Subject: [PATCH 12/20] Update roundcube to 1.6.10 --- towncrier/newsfragments/3753.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 towncrier/newsfragments/3753.misc diff --git a/towncrier/newsfragments/3753.misc b/towncrier/newsfragments/3753.misc new file mode 100644 index 00000000..cd2f867c --- /dev/null +++ b/towncrier/newsfragments/3753.misc @@ -0,0 +1 @@ +Update roundcube to 1.6.10 From 35ffcb070da133648e7e7bc087dcea2a4c005fb5 Mon Sep 17 00:00:00 2001 From: Jumper78 <52802286+Jumper78@users.noreply.github.com> Date: Fri, 14 Feb 2025 16:19:20 +0000 Subject: [PATCH 13/20] added idna function to perform puny encoding on IDN domains --- core/admin/mailu/internal/views/rspamd.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/core/admin/mailu/internal/views/rspamd.py b/core/admin/mailu/internal/views/rspamd.py index 4b17297a..a513a113 100644 --- a/core/admin/mailu/internal/views/rspamd.py +++ b/core/admin/mailu/internal/views/rspamd.py @@ -2,6 +2,7 @@ from mailu import models from mailu.internal import internal import flask +import idna def vault_error(*messages, status=404): return flask.make_response(flask.jsonify({'errors':messages}), status) 
@@ -19,7 +20,7 @@ def rspamd_dkim_key(domain_name): if key := domain.dkim_key: selectors.append( { - 'domain' : domain.name, + 'domain' : idna.encode(domain.name.lower()).decode('ascii'), 'key' : key.decode('utf8'), 'selector': flask.current_app.config.get('DKIM_SELECTOR', 'dkim'), } @@ -28,7 +29,7 @@ def rspamd_dkim_key(domain_name): if key := domain.domain.dkim_key: selectors.append( { - 'domain' : domain.name, + 'domain' : idna.encode(domain.name.lower()).decode('ascii'), 'key' : key.decode('utf8'), 'selector': flask.current_app.config.get('DKIM_SELECTOR', 'dkim'), } From 7baea8578349b0df767f5d4c41a33f420c8125ed Mon Sep 17 00:00:00 2001 From: Jumper78 <52802286+Jumper78@users.noreply.github.com> Date: Fri, 14 Feb 2025 20:50:14 +0100 Subject: [PATCH 14/20] Create 3758.bugfix --- towncrier/newsfragments/3758.bugfix | 1 + 1 file changed, 1 insertion(+) create mode 100644 towncrier/newsfragments/3758.bugfix diff --git a/towncrier/newsfragments/3758.bugfix b/towncrier/newsfragments/3758.bugfix new file mode 100644 index 00000000..5d38b191 --- /dev/null +++ b/towncrier/newsfragments/3758.bugfix @@ -0,0 +1 @@ +domain name of an IDN domain in the DKIM signature needs to follow RFC6376; puny encoding the domain name when rspamd accesses the vault; From 0ff1d4858eccad05c50176a0d97d6c1589043cfb Mon Sep 17 00:00:00 2001 From: Till Skrodzki Date: Sun, 16 Feb 2025 23:13:12 +0100 Subject: [PATCH 15/20] Add uvloop to requirements-dev.txt --- core/base/requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/base/requirements-dev.txt b/core/base/requirements-dev.txt index 3d2495fb..9b27a124 100644 --- a/core/base/requirements-dev.txt +++ b/core/base/requirements-dev.txt @@ -46,6 +46,7 @@ watchdog # core/postfix postfix-mta-sts-resolver +uvloop # core/oletools python-magic @@ -56,4 +57,3 @@ requests # optional/radicale radicale - From ebd3459738ff280ed9813b61fa2eca6caf850628 Mon Sep 17 00:00:00 2001 
From: Till Skrodzki Date: Mon, 24 Feb 2025 21:05:38 +0100 Subject: [PATCH 16/20] Add towncrier entry for PR #3729 --- towncrier/newsfragments/3729.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 towncrier/newsfragments/3729.misc diff --git a/towncrier/newsfragments/3729.misc b/towncrier/newsfragments/3729.misc new file mode 100644 index 00000000..492d4998 --- /dev/null +++ b/towncrier/newsfragments/3729.misc @@ -0,0 +1 @@ +Add optional DB_APPENDIX configuration parameter which is appended as is to the postgresql or mysql URI \ No newline at end of file From 29f42ed4eb44937ac99b9f422a258fb28ec7d85c Mon Sep 17 00:00:00 2001 From: Vincent Kling Date: Fri, 14 Mar 2025 08:49:58 +0100 Subject: [PATCH 17/20] Replace missing with load_default --- core/admin/mailu/schemas.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/admin/mailu/schemas.py b/core/admin/mailu/schemas.py index 3a6c0da1..694e96f7 100644 --- a/core/admin/mailu/schemas.py +++ b/core/admin/mailu/schemas.py @@ -1148,7 +1148,7 @@ class TokenSchema(BaseSchema): sibling = True password = PasswordField(required=True, metadata={'model': models.User}) - hash_password = fields.Boolean(load_only=True, missing=False) + hash_password = fields.Boolean(load_only=True, load_default=False) @mapped @@ -1193,7 +1193,7 @@ class UserSchema(BaseSchema): fetches = fields.Nested(FetchSchema, many=True) password = PasswordField(required=True, metadata={'model': models.User}) - hash_password = fields.Boolean(load_only=True, missing=False) + hash_password = fields.Boolean(load_only=True, load_default=False) @mapped From 8c2420d8cb7610c341c90b9cb70a9f67ff07318a Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 8 May 2025 13:54:56 +0200 Subject: [PATCH 18/20] fix #3836: healthcheck of clamav --- setup/flavors/compose/docker-compose.yml | 6 ------ towncrier/newsfragments/3836.misc | 1 + 2 files changed, 1 insertion(+), 6 deletions(-) create mode 100644 towncrier/newsfragments/3836.misc 
diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index 709b708d..3fd2729d 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -227,12 +227,6 @@ services: - clamav volumes: - "{{ root }}/clamav:/var/lib/clamav" - healthcheck: - test: ["CMD-SHELL", "kill -0 `cat /tmp/clamd.pid` && kill -0 `cat /tmp/freshclam.pid`"] - interval: 10s - timeout: 5s - retries: 3 - start_period: 10s {% endif %} {% if webdav_enabled %} diff --git a/towncrier/newsfragments/3836.misc b/towncrier/newsfragments/3836.misc new file mode 100644 index 00000000..1cf2dcd3 --- /dev/null +++ b/towncrier/newsfragments/3836.misc @@ -0,0 +1 @@ +Remove the healthcheck section of clamav: use upstream's From 2df7d8683108416e868a6e2ba6796a761b08f6b3 Mon Sep 17 00:00:00 2001 From: ctrl-i <1422608+ctrl-i@users.noreply.github.com> Date: Sun, 1 Jun 2025 09:33:08 +0100 Subject: [PATCH 19/20] Update Dockerfile to contain latest roundcube version Due to security update --- webmails/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webmails/Dockerfile b/webmails/Dockerfile index 0408c3af..fb3df84b 100644 --- a/webmails/Dockerfile +++ b/webmails/Dockerfile @@ -28,7 +28,7 @@ RUN set -euxo pipefail \ ; mkdir -p /run/nginx /conf # roundcube -ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.6.10/roundcubemail-1.6.10-complete.tar.gz +ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.6.11/roundcubemail-1.6.11-complete.tar.gz ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v5.1.0/carddav-v5.1.0.tar.gz RUN set -euxo pipefail \ From e21f2f388db79992a8b21a73bb30b669c0635222 Mon Sep 17 00:00:00 2001 
From: Florent Daigniere Date: Tue, 10 Jun 2025 17:26:49 +0200 Subject: [PATCH 20/20] towncrier --- towncrier/newsfragments/3851.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 towncrier/newsfragments/3851.misc diff --git a/towncrier/newsfragments/3851.misc b/towncrier/newsfragments/3851.misc new file mode 100644 index 00000000..61f3eb9a --- /dev/null +++ b/towncrier/newsfragments/3851.misc @@ -0,0 +1 @@ +Upgrade roundcube to 1.6.11. For the record, Mailu is not vulnerable to CVE-2025-49113, thanks to Snuffleupagus (see https://snuffleupagus.readthedocs.io/config.html#unserialize-noclass)
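Review bot: In PATCH 01/20 (docs/faq.rst, the new "How to unblock an IP from rate limiter manually?" entry), the delete example sets IP=8.8.8.8 although the comment two lines above says the keys hold only the network part according to AUTH_RATELIMIT_IP_V4_MASK, so with a mask shorter than /32 the pattern "LIMITER/auth-ip/${IP}/*" can match nothing, and "xargs -r" then exits silently without deleting anything. Suggest renaming the variable to reflect that it is the network value and telling the reader to copy it from the output of the first --scan command. The comment line is also missing its closing parenthesis after AUTH_RATELIMIT_IP_V4_MASK.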
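Review bot: In PATCH 02/20, the docs/configuration.rst hunk defines the label ".. _AUTH Ratelimit:" while the docs/faq.rst hunk links to :ref:`Rate limiting`, and no label of that name is added anywhere in this series; the same applies to :ref:`advanced settings` introduced in PATCH 04/20. The new label also sits in front of a paragraph rather than a section title, and Sphinx only resolves a :ref: without an explicit title when the label precedes a section heading. Suggest pointing the FAQ at the label that is actually defined and giving the link an explicit title, or confirming that both targets already exist elsewhere in the docs tree.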
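Review bot: In PATCH 05/20 (core/admin/mailu/configuration.py, the postgresql and mysql entries of DB_TEMPLATES), {DB_APPENDIX} is concatenated directly after {DB_NAME} with no check that it is empty or begins with "?", so a value such as collation=utf8mb4_unicode_ci without the leading "?" silently becomes part of the database name and only shows up as a connection failure. Suggest validating the value in ConfigManager (reject a non-empty value that does not start with "?"), or having the code add the "?" and accepting only the parameter string. Because the string is passed through as is and can carry any driver option, it should be documented alongside the other DB_* settings and not only in the FAQ sentence added by PATCH 07/20.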
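Review bot: In PATCH 08/20 (core/base/Dockerfile, both RUN blocks), replacing "uname -m" with "apk --print-arch" changes the strings being compared (apk reports Alpine architecture names, so 32-bit x86 is "x86" and not "i686"), and nothing in the file records why. A short comment above each RUN instruction stating that the userland architecture is wanted rather than the kernel's would keep someone from reverting it later. The untouched armv7* test further down now receives apk's spelling of that architecture, so it is worth confirming on an armv7 build that the branch is still taken.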
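Review bot: In the new Rspamd FAQ entry (docs/faq.rst, added in PATCH 08/20 and still present after PATCH 10/20), "x84_64" should read "x86_64" and "superseeded" should read "superseded"; in the docs/setup.rst hunk, "Intel Atom CPUs lacks" should be "lack". The one-liner added in PATCH 10/20 is set as an inline literal, whereas the rate-limiter entry uses a ".. code-block:: bash" directive, which is easier to copy; its two messages also differ in capitalisation ("Capable" and "capable"). The :ref:`faq` link in setup.rst lands on the whole FAQ, so a label on the new entry would get the reader to the right place.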
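Review bot: In PATCH 13/20 (core/admin/mailu/internal/views/rspamd.py, both selectors.append blocks), idna.encode(...) raises idna.IDNAError for a name it cannot encode and nothing catches it, so a single stored domain with an invalid label turns the DKIM vault lookup into an unhandled exception instead of a vault_error(...) response. Suggest moving the expression into a small helper that wraps the call in try/except and returns vault_error on failure, which also removes the duplicated line. The patch adds "import idna" without touching either requirements file, so please confirm idna is pinned in requirements-prod.txt rather than arriving only as a transitive dependency.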
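Review bot: In PATCH 11/20 and PATCH 19/20 (webmails/Dockerfile, the ENV ROUNDCUBE_URL line), the release number appears twice in the URL and has to be edited in both places on every security bump; core/base/Dockerfile already builds its URL from ${SNUFFLEUPAGUS_VERSION}, and a ROUNDCUBE_VERSION variable here would make the update a one-token change and rule out a half-edited URL. Both commits change only this one line, so no pinned digest of the tarball is being updated with it; verifying the downloaded archive against a pinned SHA-256 in the following RUN step would be worth adding for an archive fetched at build time.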
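Review bot: In PATCH 17/20 (core/admin/mailu/schemas.py, hash_password in TokenSchema and UserSchema), load_default is only accepted by marshmallow 3.13 and later, so the pinned marshmallow version should be checked against that floor before merging. The series also carries no towncrier fragment for this change, unlike the other code changes in it.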
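Review bot: In PATCH 18/20 (setup/flavors/compose/docker-compose.yml, the clamav volumes block), removing the healthcheck: section leaves the container's health status dependent on whatever HEALTHCHECK the image itself defines, and neither the template nor 3836.misc ("use upstream's") says which image that is. A one-line comment in the template where the block used to be would tell operators where the check now lives and what to look at when the service reports unhealthy.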