diff --git a/.github/workflows/build_test_deploy.yml b/.github/workflows/build_test_deploy.yml index 7a9b9371..e5a8ecac 100644 --- a/.github/workflows/build_test_deploy.yml +++ b/.github/workflows/build_test_deploy.yml @@ -416,8 +416,11 @@ jobs: id: changelog shell: bash run: | + delimiter="$RANDOM" pushd . && cd towncrier/newsfragments && ls -Art | tail -n 1 | cut -d. -f1 | xargs -0I % echo "issue=%" >> $GITHUB_OUTPUT && popd - pushd . && cd towncrier/newsfragments && ls -Art | tail -n 1 | xargs cat | xargs -0I % echo "content=%" >> $GITHUB_OUTPUT && popd + echo "content<<${delimiter}" >> "${GITHUB_OUTPUT}" + pushd . && cd towncrier/newsfragments && ls -Art | tail -n 1 | xargs cat | xargs -0I % echo "%" >> "${GITHUB_OUTPUT}" && popd + echo "${delimiter}" >> "${GITHUB_OUTPUT}" - name: Construct message for release shell: bash env: diff --git a/docs/api.rst b/docs/api.rst index e5a18a03..f1c01b85 100644 --- a/docs/api.rst +++ b/docs/api.rst @@ -1,3 +1,5 @@ +.. _mailu_restful_api: + Mailu RESTful API ================= diff --git a/docs/configuration.rst b/docs/configuration.rst index 952469cd..2e9f8ef5 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -382,6 +382,7 @@ When ``POSTFIX_LOG_FILE`` is enabled, the logrotate program will automatically r logs every week and keep 52 logs. To override the logrotate configuration, create the file logrotate.conf with the desired configuration in the :ref:`Postfix overrides folder`. +.. _header_authentication: Header authentication using an external proxy --------------------------------------------- diff --git a/docs/faq.rst b/docs/faq.rst index 4c9ea348..150091e4 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -362,6 +362,8 @@ How do I use webdav (radicale)? .. _`575`: https://github.com/Mailu/Mailu/issues/575 .. _`1591`: https://github.com/Mailu/Mailu/issues/1591 +.. _mta-sts: + How do I setup a MTA-STS policy? ```````````````````````````````` 
diff --git a/docs/releases.rst b/docs/releases.rst index 9cbc02c6..b290d639 100644 --- a/docs/releases.rst +++ b/docs/releases.rst @@ -49,7 +49,7 @@ Configuring a new domain or add new users can be fully automated now. The current API makes use of a single API token for authentication. In a future release this will likely be re-visited. -For more information refer to the `Mailu RESTful API` page. +For more information refer to the :ref:`Mailu RESTful API ` page. Header authentication support (use external identity providers) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -57,7 +57,7 @@ Header authentication support (use external identity providers) It is now possible to use different authentication systems (such as keycloak, authentik, vouch-proxy) to handle the authentication of Mailu users. This can be used to enable Single Sign On from other IDentity Providers via protocols such as OIDC or SAML2. -For more information see `Header authentication using an external proxy` in the configuration reference. +For more information see :ref:`Header authentication using an external proxy ` in the configuration reference. Better anti-spoofing protection ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -68,7 +68,7 @@ It won't let any email which pretends to be for any of the local domains through Implement a password policy ^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In line with security best practices from `NIST (Special Publication 800-63B) `_, we have introduced password policy. +In line with security best practices from `NIST (Special Publication 800-63B) `_, we have introduced a password policy. Passwords now need to: 
@@ -86,7 +86,7 @@ Now the rate limiter will only take distinct attempts into account. We have two We have also implemented state-of-the-art features such as `Device Cookies `_ and IP-whitelisting post-authentication to ensure we don't lock genuine users out. -Rate-limiters have a bad name because they are often misunderstood. If you used Mailu's rate-limiter in the past and had a bad experience please consider giving it another try after upgrading. +Rate-limiters have a bad name because they are often misunderstood. If you have used Mailu's rate-limiter in the past and had a bad experience please consider giving it another try after upgrading. Remember the login URL ^^^^^^^^^^^^^^^^^^^^^^ @@ -130,7 +130,21 @@ New override system for Rspamd The override system for Rspamd has been overhauled. While the config files were first completely overridden, they are now merged. Now overrides are placed in the location (in the Rspamd/Antispam container) /overrides. -If you use your own map files, change the location to /override/myMapFile.map in the corresponding conf file. +If you use your own map files, change the location to ``/overrides/myMapFile.map`` in the corresponding conf file. +For example when overriding multimap.conf that use a custom ``.map`` file: + +.. code-block:: bash + + #multimap.conf + LOCAL_BL_DOMAIN { + type = "from"; + filter = "email:domain"; + map = "/overrides/blacklist.map"; + score = 15; + description = "Senders domain part is on the local blacklist"; + group = "local_bl"; + } + It works as following. * If the override file overrides a Mailu defined config file, 
@@ -246,7 +260,7 @@ Security hardening We have gone further than ever. Now Mailu containers drop their privileges and communicate on separate networks. They also share the same base image where on x86 `a Hardened memory allocator `_ is configured. -Webmails which are running PHP make use of `Snuffleupagus `_. +Webmails relying on PHP now make use of `Snuffleupagus `_. New Functionality & Improvements 
@@ -292,11 +306,22 @@ Upgrading ````````` Upgrade should run fine as long as you generate a new compose & mailu.env and then reapply custom config settings to mailu.env. +Carefully read the :ref:`configuration page ` to check what old settings have been removed. If a setting is not listed anymore +on the :ref:`configuration page `, then this setting has been removed. -If you use Fail2Ban, then the Fail2Ban intructions have been improved. It is mandatory to remove your Fail2Ban config and re-apply it using the instructions from :ref:`updated Fail2Ban documentation `. +If you use Fail2Ban, then the Fail2Ban intructions have been improved. It is **mandatory** to remove your Fail2Ban config +and re-apply it using the instructions from :ref:`updated Fail2Ban documentation `. + +If you use overrides for Rspamd, then please note that overrides are now placed in the location ``/overrides`` in the rspamd container. +If you use your own map files, change the location to ``/overrides/myMapFile.map`` in the corresponding rspamd conf file. To use the new autoconfig endpoint and Mailu RESTFul API, you may need to update your reverse proxy config. +If you use ``TLS_FLAVOR=letsencrypt``, add autoconfig.myhostname.com to the setting ``HOSTNAMES=`` in mailu.env to generate a certificate for the autoconfig endpoint as well. +After starting your Mailu deployment, please refer to the section `DNS client auto-configuration entries` on the domain details page +in the web administration interface for the exact name of the autoconfig endpoint (https://test.mailu.io/admin/domain/details/test.mailu.io). +It is also recommended to have a look at :ref:`mta-sts `. +When mta-sts is enabled, modern email servers will immediately use TLS for delivering emails to Mailu. Mailu 1.9 - 2021-12-29 ---------------------- diff --git a/towncrier/newsfragments/2744.misc b/towncrier/newsfragments/2744.misc new file mode 100644 index 00000000..3b49fcf6 --- /dev/null +++ b/towncrier/newsfragments/2744.misc 
@@ -0,0 +1,5 @@ +Fix tag-release step in workflow which prevented github releases from being created automatically. +Cause was that a specific method is required for assigning multi-line strings in github workflow files: +https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings + +Add some extra clarifications to release.rst. Upgrade section did not mention you need to check your rspamd overrides.
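
Review bot: In the `.github/workflows/build_test_deploy.yml` hunk, `delimiter="$RANDOM"` only produces a decimal number between 0 and 32767, so a newsfragment that contains that number on a line of its own ends the `content` value early and the lines after it are parsed as separate output commands. The fragment text is written by whoever opens the pull request, so use a long unguessable delimiter (for example one taken from `openssl rand -hex 16`) and fail the step if the fragment contains it. The unchanged `issue=` line still appends to an unquoted `$GITHUB_OUTPUT` while the new lines use `"${GITHUB_OUTPUT}"`; quote it there as well.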
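
Review bot: In the `docs/configuration.rst` hunk (`@@ -382,6 +382,7 @@`), the label `.. _header_authentication:` is added as a single line, whereas the `docs/api.rst` and `docs/faq.rst` hunks each add a label plus an empty line. Please confirm the label ends up with an empty line both before it (after the logrotate paragraph) and after it (before the section title), otherwise docutils reports explicit markup ending without a blank line; if one is missing, add it in this hunk.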
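
Review bot: In the `docs/faq.rst` hunk, the new label `.. _mta-sts:` uses a hyphen while the two other labels introduced by this patch use underscores (`mailu_restful_api`, `header_authentication`). Pick one convention for the new labels, for example `.. _mta_sts:`, and update the `:ref:` in the Upgrading section of `docs/releases.rst` to match.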
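
Review bot: In the `docs/releases.rst` hunk at `@@ -130,7 +130,21 @@`, the Rspamd example is declared as `.. code-block:: bash`, but the block is Rspamd configuration, not shell, so the highlighter will colour it incorrectly. Use `.. code-block:: text` (or a plain literal block) instead. The lead-in sentence also needs a grammar pass: "For example, when overriding multimap.conf so that it uses a custom ``.map`` file:", and the example file name `blacklist.map` could be tied to the `myMapFile.map` placeholder used in the sentence before it so readers see they are the same thing.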
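
Review bot: In the Upgrading hunk of `docs/releases.rst` (`@@ -292,11 +306,22 @@`), the last added sentence says that with mta-sts enabled "modern email servers will immediately use TLS", which overstates what the policy does: only sending servers that implement MTA-STS honour it, and what they do depends on the policy mode that is published. Reword it along the lines of "sending servers that support MTA-STS will require TLS when delivering to Mailu". In the same hunk, the re-wrapped Fail2Ban line keeps the typo "intructions", "RESTFul" should be "RESTful", and `autoconfig.myhostname.com` and the section name `DNS client auto-configuration entries` should be marked up as double-backtick literals (the single backticks used for the section name are not a literal in RST).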
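
Review bot: In `towncrier/newsfragments/2744.misc`, the last line refers to "release.rst", but the file changed by this patch is `docs/releases.rst`; correct the name so the changelog entry points at the right file. This fragment is also multi-line and contains a URL, which makes it a good test input for the changelog step changed in the workflow hunk, so it is worth confirming the tag-release job produces the full text from it.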