Merge #3899

3899: fix snappymail r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

fix snappymail, add caching for static content, turn off fastcgi request buffering

Workaround what looks like a snuffleupagus bug by disabling the recently added config tweaks; see https://github.com/jvoisin/snuffleupagus/issues/515 for details.

### Related issue(s)
- closes #3896 
- closes #3868

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>

towncrier/newsfragments/3896.misc

@@ -0,0 +1 @@
+Fix Snappymail

webmails/nginx-webmail.conf

@@ -1,15 +1,15 @@
 server {
     listen 80 default_server;
-{% if SUBNET6 %}
+    {% if SUBNET6 %}
     listen [::]:80 default_server;
-{% endif %}
+    {% endif %}
     resolver {{ RESOLVER }} valid=30s;
 
-{% if WEBMAIL == 'roundcube' %}
+    {% if WEBMAIL == 'roundcube' %}
     root /var/www/{{ WEBMAIL }}/public_html;
-{% else %}
+    {% else %}
     root /var/www/{{ WEBMAIL }};
-{% endif %}
+    {% endif %}
 
     include /etc/nginx/mime.types;
 
@@ -36,7 +36,7 @@ server {
         try_files $uri $uri/ /index.php$args;
     }
 
-    location ~ \.php$ {
+    location ~ [^/]\.php(/|$) {
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         if (!-f $document_root$fastcgi_script_name) {
             return 404;
@@ -55,11 +55,12 @@ server {
         {% else %}
         fastcgi_param SCRIPT_NAME {{WEB_WEBMAIL}}/$fastcgi_script_name;
         {% endif %}
+        fastcgi_param REQUEST_METHOD  $request_method;
+        fastcgi_param CONTENT_TYPE    $content_type;
+        fastcgi_param CONTENT_LENGTH  $content_length;
+        fastcgi_param PATH_INFO       $fastcgi_path_info;
 
-        # fastcgi buffers for php-fpm #
-        fastcgi_buffers 16 32k;
-        fastcgi_buffer_size 64k;
-        fastcgi_busy_buffers_size 64k;
+        fastcgi_request_buffering off;
 
         # nginx buffers #
         proxy_buffer_size 128k;
@@ -67,12 +68,31 @@ server {
         proxy_busy_buffers_size 256k;
     }
 
+    # Assets cache control
+    # --------------------------------------
+    location ~* \.(?:html|xml|json)$ {
+        expires -1;
+    }
+
+    location ~* \.(?:css|js)$ {
+        expires 7d;
+        add_header Pragma public;
+        add_header Cache-Control "public";
+    }
+
+    location ~* \.(?:gif|jpe?g|png|ico|otf|eot|svg|ttf|woff|woff2)$ {
+        expires 30d;
+        log_not_found off;
+        add_header Pragma public;
+        add_header Cache-Control "public";
+    }
+
     location ~ (^|/)\. {
         deny all;
     }
 
     location ~* /(config|temp|logs|data) {
-       deny all;
+        deny all;
     }
 
     location = /ping {

webmails/snappymail/defaults/default.json

@@ -1,10 +1,20 @@
 {
-    "name": "*",
     "IMAP": {
         "host": "{{ FRONT_ADDRESS }}",
         "port": 10143,
-        "secure": 3,
+        "type": 0,
+        "timeout": 300,
         "shortLogin": false,
+        "lowerLogin": true,
+        "stripLogin": "",
+        "sasl": [
+            "SCRAM-SHA3-512",
+            "SCRAM-SHA-512",
+            "SCRAM-SHA-256",
+            "SCRAM-SHA-1",
+            "PLAIN",
+            "LOGIN"
+        ],
         "ssl": {
             "verify_peer": false,
             "verify_peer_name": false,
@@ -13,15 +23,37 @@
             "disable_compression": true,
             "security_level": 1
         },
-	{% if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] %}
-        "fast_simple_search": "false"
-	{% endif %}
+        "use_expunge_all_on_delete": false,
+        "fast_simple_search": {% if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] %}true{% else %}false{% endif %},
+        "force_select": false,
+        "message_all_headers": false,
+        "message_list_limit": 10000,
+        "search_filter": "",
+        "spam_headers": "",
+        "virus_headers": "",
+        "disabled_capabilities": [
+            "METADATA",
+            "OBJECTID",
+            "PREVIEW",
+            "STATUS=SIZE"
+        ]
     },
     "SMTP": {
         "host": "{{ FRONT_ADDRESS }}",
         "port": 10025,
-        "secure": 3,
+        "type": 0,
+        "timeout": 60,
         "shortLogin": false,
+        "lowerLogin": true,
+        "stripLogin": "",
+        "sasl": [
+            "SCRAM-SHA3-512",
+            "SCRAM-SHA-512",
+            "SCRAM-SHA-256",
+            "SCRAM-SHA-1",
+            "PLAIN",
+            "LOGIN"
+        ],
         "ssl": {
             "verify_peer": false,
             "verify_peer_name": false,
@@ -32,22 +64,35 @@
         },
         "useAuth": true,
         "setSender": false,
-        "usePhpMail": false
+        "usePhpMail": false,
+        "authPlainLine": false
     },
     "Sieve": {
         "host": "{{ FRONT_ADDRESS }}",
         "port": 14190,
-        "type": 3,
+        "type": 0,
+        "timeout": 10,
         "shortLogin": false,
+        "lowerLogin": true,
+        "stripLogin": "",
+        "sasl": [
+            "SCRAM-SHA3-512",
+            "SCRAM-SHA-512",
+            "SCRAM-SHA-256",
+            "SCRAM-SHA-1",
+            "PLAIN",
+            "LOGIN"
+        ],
         "ssl": {
             "verify_peer": false,
             "verify_peer_name": false,
-            "allow_self_signed": true,
+            "allow_self_signed": false,
             "SNI_enabled": true,
             "disable_compression": true,
             "security_level": 1
         },
-        "enabled": true
+        "enabled": true,
+        "authLiteral": true
     },
     "whiteList": ""
 }

webmails/snuffleupagus.rules

@@ -132,8 +132,10 @@ sp.disable_function.function("curl_init").param("url").value_r("file://").drop()
 # File upload
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
+sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.inc").drop();
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.inc").drop();
 
 # Logging lockdown
 sp.disable_function.function("ini_set").param("option").value_r("error_log").drop();
@@ -141,13 +143,13 @@ sp.disable_function.function("ini_set").param("option").value_r("display_errors"
 sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop();
 
 # Classic webshells patterns
-sp.disable_function.function("system>base64_decode").drop();
-sp.disable_function.function("shell_exec>base64_decode").drop();
-sp.disable_function.function("exec>base64_decode").drop();
-sp.disable_function.function("passthru>base64_decode").drop();
-sp.disable_function.function("proc_open>base64_decode").drop();
-# TODO: enable this for real
-sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open").simulation();
+# Those create SIGSEGV on arm64 for some reason
+#sp.disable_function.function("system>base64_decode").drop();
+#sp.disable_function.function("shell_exec>base64_decode").drop();
+#sp.disable_function.function("exec>base64_decode").drop();
+#sp.disable_function.function("passthru>base64_decode").drop();
+#sp.disable_function.function("proc_open>base64_decode").drop();
+sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open");
 
 sp.auto_cookie_secure.enable();
 # TODO: consider encrypting the cookies?