From 8ea66c219a67ccde842ad4d3b7ec12097366c941 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Fri, 15 Aug 2025 20:46:11 +0200
Subject: [PATCH] fix snappymail
---
towncrier/newsfragments/3896.misc | 1 +
webmails/nginx-webmail.conf | 60 ++++++++++++++-------
webmails/snappymail/defaults/default.json | 65 +++++++++++++++++++----
webmails/snuffleupagus.rules | 10 ++--
4 files changed, 101 insertions(+), 35 deletions(-)
create mode 100644 towncrier/newsfragments/3896.misc
diff --git a/towncrier/newsfragments/3896.misc b/towncrier/newsfragments/3896.misc
new file mode 100644
index 00000000..0e7420d1
--- /dev/null
+++ b/towncrier/newsfragments/3896.misc
@@ -0,0 +1 @@
+Fix Snappymail
diff --git a/webmails/nginx-webmail.conf b/webmails/nginx-webmail.conf
index d403eea4..c96f0d38 100644
--- a/webmails/nginx-webmail.conf
+++ b/webmails/nginx-webmail.conf
@@ -36,35 +36,55 @@ server { try_files $uri $uri/ /index.php$args; } - location ~ \.php$ { + location ~ ^(.+\.php)(.*)$ { fastcgi_split_path_info ^(.+?\.php)(/.*)$; if (!-f $document_root$fastcgi_script_name) { return 404; } - include /etc/nginx/fastcgi_params; + include /etc/nginx/fastcgi_params; - fastcgi_intercept_errors on; - fastcgi_index index.php; + fastcgi_intercept_errors on; + fastcgi_index index.php; - fastcgi_keep_conn on; + fastcgi_keep_conn on; - fastcgi_pass unix:/var/run/php8-fpm.sock; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - {% if WEB_WEBMAIL == '/' %} - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - {% else %} - fastcgi_param SCRIPT_NAME {{WEB_WEBMAIL}}/$fastcgi_script_name; - {% endif %} + fastcgi_pass unix:/var/run/php8-fpm.sock; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + {% if WEB_WEBMAIL == '/' %} + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + {% else %} + fastcgi_param SCRIPT_NAME {{WEB_WEBMAIL}}/$fastcgi_script_name; + {% endif %} + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE $content_type; + fastcgi_param CONTENT_LENGTH $content_length; + fastcgi_param PATH_INFO $fastcgi_path_info; - # fastcgi buffers for php-fpm # - fastcgi_buffers 16 32k; - fastcgi_buffer_size 64k; - fastcgi_busy_buffers_size 64k; + fastcgi_request_buffering off; - # nginx buffers # - proxy_buffer_size 128k; - proxy_buffers 4 256k; - proxy_busy_buffers_size 256k; + # nginx buffers # + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + } + + # Assets cache control + # -------------------------------------- + location ~* \.(?:html|xml|json)$ { + expires -1; + } + + location ~* \.(?:css|js)$ { + expires 7d; + add_header Pragma public; + add_header Cache-Control "public"; + } + + location ~* \.(?:gif|jpe?g|png|ico|otf|eot|svg|ttf|woff|woff2)$ { + expires 30d; + log_not_found off; + add_header Pragma public; + add_header Cache-Control "public"; } 
location ~ (^|/)\. { diff --git a/webmails/snappymail/defaults/default.json b/webmails/snappymail/defaults/default.json index dee93332..c3f50db6 100644 --- a/webmails/snappymail/defaults/default.json +++ b/webmails/snappymail/defaults/default.json @@ -1,10 +1,20 @@ { - "name": "*", "IMAP": { "host": "{{ FRONT_ADDRESS }}", "port": 10143, - "secure": 3, + "type": 2, + "timeout": 300, "shortLogin": false, + "lowerLogin": true, + "stripLogin": "", + "sasl": [ + "SCRAM-SHA3-512", + "SCRAM-SHA-512", + "SCRAM-SHA-256", + "SCRAM-SHA-1", + "PLAIN", + "LOGIN" + ], "ssl": { "verify_peer": false, "verify_peer_name": false, @@ -13,15 +23,37 @@ "disable_compression": true, "security_level": 1 }, - {% if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] %} - "fast_simple_search": "false" - {% endif %} + "use_expunge_all_on_delete": false, + "fast_simple_search": {% if (FULL_TEXT_SEARCH or '').lower() not in ['off', 'false', '0'] %}true{% else %}false{% endif %}, + "force_select": false, + "message_all_headers": false, + "message_list_limit": 10000, + "search_filter": "", + "spam_headers": "", + "virus_headers": "", + "disabled_capabilities": [ + "METADATA", + "OBJECTID", + "PREVIEW", + "STATUS=SIZE" + ] }, "SMTP": { "host": "{{ FRONT_ADDRESS }}", "port": 10025, - "secure": 3, + "type": 2, + "timeout": 60, "shortLogin": false, + "lowerLogin": true, + "stripLogin": "", + "sasl": [ + "SCRAM-SHA3-512", + "SCRAM-SHA-512", + "SCRAM-SHA-256", + "SCRAM-SHA-1", + "PLAIN", + "LOGIN" + ], "ssl": { "verify_peer": false, "verify_peer_name": false, 
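Review bot: The new `location ~ ^(.+\.php)(.*)$` matches any URI that merely contains `.php`, for example a path ending in `.php.png`, whereas `fastcgi_split_path_info ^(.+?\.php)(/.*)$` only recognises `.php` followed by `/`. For such a URI the split does not apply, so `$fastcgi_script_name` is the whole path and the `-f` test passes for any existing file of that name, leaving php-fpm's own extension limit (not visible here) as the only barrier. I would anchor the location the same way as the split, `location ~ ^.+\.php(/|$) {`. Separately, the new asset `location ~*` blocks sit ahead of `location ~ (^|/)\.`, and regex locations are tried in file order, so a dot-path ending in `.json` or `.js` is answered by a cache block first; moving the dot-file block above them keeps whatever it enforces (its body is outside this hunk).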
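Review bot: The new `sasl` lists for IMAP and SMTP end with `PLAIN` and `LOGIN`, while the unchanged context keeps `"verify_peer": false` and `"verify_peer_name": false`, so whichever transport mode `"type": 2` selects, the server's identity is never checked before a cleartext-equivalent credential is sent. If the hop to `{{ FRONT_ADDRESS }}` is assumed to be a trusted internal network, record that next to the setting, e.g. a Jinja comment `{# peer verification off: FRONT_ADDRESS is reached over the internal network only #}`; otherwise enable both verify flags. Also, `fast_simple_search` now renders `true` when FULL_TEXT_SEARCH is enabled, where the removed lines emitted `"false"` for the same condition; please confirm the flip is intended.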
@@ -32,22 +64,35 @@ }, "useAuth": true, "setSender": false, - "usePhpMail": false + "usePhpMail": false, + "authPlainLine": false }, "Sieve": { "host": "{{ FRONT_ADDRESS }}", "port": 14190, - "type": 3, + "type": 2, + "timeout": 10, "shortLogin": false, + "lowerLogin": true, + "stripLogin": "", + "sasl": [ + "SCRAM-SHA3-512", + "SCRAM-SHA-512", + "SCRAM-SHA-256", + "SCRAM-SHA-1", + "PLAIN", + "LOGIN" + ], "ssl": { "verify_peer": false, "verify_peer_name": false, - "allow_self_signed": true, + "allow_self_signed": false, "SNI_enabled": true, "disable_compression": true, "security_level": 1 }, - "enabled": true + "enabled": true, + "authLiteral": true }, "whiteList": "" } diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules index 90601207..18c335c8 100644 --- a/webmails/snuffleupagus.rules +++ b/webmails/snuffleupagus.rules @@ -141,11 +141,11 @@ sp.disable_function.function("ini_set").param("option").value_r("display_errors" sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop(); # Classic webshells patterns -sp.disable_function.function("system>base64_decode").drop(); -sp.disable_function.function("shell_exec>base64_decode").drop(); -sp.disable_function.function("exec>base64_decode").drop(); -sp.disable_function.function("passthru>base64_decode").drop(); -sp.disable_function.function("proc_open>base64_decode").drop(); +#sp.disable_function.function("system>base64_decode").drop(); +#sp.disable_function.function("shell_exec>base64_decode").drop(); +#sp.disable_function.function("exec>base64_decode").drop(); +#sp.disable_function.function("passthru>base64_decode").drop(); +#sp.disable_function.function("proc_open>base64_decode").drop(); # TODO: enable this for real sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open").simulation();
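Review bot: In the Sieve block, `"allow_self_signed": false` is set while `"verify_peer": false` and `"verify_peer_name": false` stay on the two lines above it. These keys mirror PHP's stream SSL context options, where `allow_self_signed` is only consulted when `verify_peer` is enabled, so the line reads as a tightening but very likely changes nothing. Either turn verification on for this block, `"verify_peer": true, "verify_peer_name": true,`, or leave the flag as it was so the config does not suggest a check that is not performed. The Sieve `sasl` list added in the same hunk also offers `PLAIN` and `LOGIN` over this unverified connection.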
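Review bot: The five `…>base64_decode` drop rules are commented out with no reason given, and the only other rule for these functions on the visible lines, `sp.eval_blacklist.list(...)`, is in `.simulation()` mode, so after this change nothing in this section blocks that pattern. If the rules produce false positives with SnappyMail, keeping them in log-only form preserves the detection signal, e.g. `sp.disable_function.function("system>base64_decode").simulation().drop();`, or scope an exception to the offending script rather than removing the rule globally. At minimum add a comment above the block such as `# disabled: false positive in SnappyMail, see issue <ISSUE-ID>` so the gap is tracked and can be closed.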