From ddcdf8b82adf7d05c612338c1dd3f09af2b84c73 Mon Sep 17 00:00:00 2001 From: Dimitri Huisman Date: Thu, 6 Apr 2023 07:46:28 +0000 Subject: [PATCH 1/4] Fix tag-release step in workflow which prevented github releases from being created automatically. Cause was that a specific method is required for assigning multi-line strings in github workflow files: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings --- .github/workflows/build_test_deploy.yml | 5 ++++- towncrier/newsfragments/2744.misc | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 towncrier/newsfragments/2744.misc diff --git a/.github/workflows/build_test_deploy.yml b/.github/workflows/build_test_deploy.yml index 7a9b9371..e5a8ecac 100644 --- a/.github/workflows/build_test_deploy.yml +++ b/.github/workflows/build_test_deploy.yml @@ -416,8 +416,11 @@ jobs: id: changelog shell: bash run: | + delimiter="$RANDOM" pushd . && cd towncrier/newsfragments && ls -Art | tail -n 1 | cut -d. -f1 | xargs -0I % echo "issue=%" >> $GITHUB_OUTPUT && popd - pushd . && cd towncrier/newsfragments && ls -Art | tail -n 1 | xargs cat | xargs -0I % echo "content=%" >> $GITHUB_OUTPUT && popd + echo "content<<${delimiter}" >> "${GITHUB_OUTPUT}" + pushd . && cd towncrier/newsfragments && ls -Art | tail -n 1 | xargs cat | xargs -0I % echo "%" >> "${GITHUB_OUTPUT}" && popd + echo "${delimiter}" >> "${GITHUB_OUTPUT}" - name: Construct message for release shell: bash env: diff --git a/towncrier/newsfragments/2744.misc b/towncrier/newsfragments/2744.misc new file mode 100644 index 00000000..2d792a50 --- /dev/null +++ b/towncrier/newsfragments/2744.misc 
@@ -0,0 +1,3 @@ +Fix tag-release step in workflow which prevented github releases from being created automatically. +Cause was that a specific method is required for assigning multi-line strings in github workflow files: +https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings From 0faae50302b6ea48f4ea58eeaf11b26db5a030e8 Mon Sep 17 00:00:00 2001 From: Dimitri Huisman Date: Thu, 6 Apr 2023 09:04:04 +0000 Subject: [PATCH 2/4] Improve releases.rst. Add extra links to relevant sections in documentation. Add example of using the new override location for rspamd. Add clarification in rspamd section for rspamd override change and new autoconfig.* endpoint --- docs/api.rst | 2 ++ docs/configuration.rst | 1 + docs/releases.rst | 29 ++++++++++++++++++++++++++--- towncrier/newsfragments/2744.misc | 2 ++ 4 files changed, 31 insertions(+), 3 deletions(-) diff --git a/docs/api.rst b/docs/api.rst index e5a18a03..f1c01b85 100644 --- a/docs/api.rst +++ b/docs/api.rst @@ -1,3 +1,5 @@ +.. _mailu_restful_api: + Mailu RESTful API ================= diff --git a/docs/configuration.rst b/docs/configuration.rst index 952469cd..2e9f8ef5 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -382,6 +382,7 @@ When ``POSTFIX_LOG_FILE`` is enabled, the logrotate program will automatically r logs every week and keep 52 logs. To override the logrotate configuration, create the file logrotate.conf with the desired configuration in the :ref:`Postfix overrides folder`. +.. _header_authentication: Header authentication using an external proxy --------------------------------------------- diff --git a/docs/releases.rst b/docs/releases.rst index 9cbc02c6..8ff58b0e 100644 --- a/docs/releases.rst +++ b/docs/releases.rst 
@@ -49,7 +49,7 @@ Configuring a new domain or add new users can be fully automated now. The current API makes use of a single API token for authentication. In a future release this will likely be re-visited. -For more information refer to the `Mailu RESTful API` page. +For more information refer to the :ref:`Mailu RESTful API ` page. Header authentication support (use external identity providers) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -57,7 +57,7 @@ Header authentication support (use external identity providers) It is now possible to use different authentication systems (such as keycloak, authentik, vouch-proxy) to handle the authentication of Mailu users. This can be used to enable Single Sign On from other IDentity Providers via protocols such as OIDC or SAML2. -For more information see `Header authentication using an external proxy` in the configuration reference. +For more information see :ref:`Header authentication using an external proxy ` in the configuration reference. Better anti-spoofing protection ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -131,6 +131,20 @@ The override system for Rspamd has been overhauled. While the config files were Now overrides are placed in the location (in the Rspamd/Antispam container) /overrides. If you use your own map files, change the location to /override/myMapFile.map in the corresponding conf file. +For example when overriding multimap.conf that use a custom \*.map file: + +.. code-block:: bash + + #multimap.conf + LOCAL_BL_DOMAIN { + type = "from"; + filter = "email:domain"; + map = "/override/blacklist.map"; + score = 15; + description = "Senders domain part is on the local blacklist"; + group = "local_bl"; + } + It works as following. * If the override file overrides a Mailu defined config file, 
@@ -292,10 +306,19 @@ Upgrading ````````` Upgrade should run fine as long as you generate a new compose & mailu.env and then reapply custom config settings to mailu.env. +Carefully read the :ref:`configuration page ` to check what old settings have been removed. If a setting is not listed anymore +on the :ref:`configuration page `, then this setting has been removed. -If you use Fail2Ban, then the Fail2Ban intructions have been improved. It is mandatory to remove your Fail2Ban config and re-apply it using the instructions from :ref:`updated Fail2Ban documentation `. +If you use Fail2Ban, then the Fail2Ban intructions have been improved. It is **mandatory** to remove your Fail2Ban config +and re-apply it using the instructions from :ref:`updated Fail2Ban documentation `. + +If you use overrides for Rspamd, then please note that overrides are now placed in the location `/overrides` in the rspamd container. +If you use your own map files, change the location to /override/myMapFile.map in the corresponding rspamd conf file. To use the new autoconfig endpoint and Mailu RESTFul API, you may need to update your reverse proxy config. +If you use ``TLS_FLAVOR=letsencrypt``, add autoconfig.myhostname.com to the setting ``HOSTNAMES=`` in mailu.env to generate a certifficate for the autoconfig endpoint as well. +After starting your Mailu deployment, please refer to the section `DNS client auto-configuration entries` on the domain details page +in the web administration interface for the exact name of the autoconfig endpoint (https://test.mailu.io/admin/domain/details/test.mailu.io). Mailu 1.9 - 2021-12-29 diff --git a/towncrier/newsfragments/2744.misc b/towncrier/newsfragments/2744.misc index 2d792a50..3b49fcf6 100644 --- a/towncrier/newsfragments/2744.misc +++ b/towncrier/newsfragments/2744.misc 
@@ -1,3 +1,5 @@ Fix tag-release step in workflow which prevented github releases from being created automatically. Cause was that a specific method is required for assigning multi-line strings in github workflow files: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings + +Add some extra clarifications to release.rst. Upgrade section did not mention you need to check your rspamd overrides. From a15566a30364a53aa0376c238b5c28f4840f7a93 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 6 Apr 2023 11:31:42 +0200 Subject: [PATCH 3/4] Update releases.rst --- docs/releases.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/releases.rst b/docs/releases.rst index 8ff58b0e..af20404e 100644 --- a/docs/releases.rst +++ b/docs/releases.rst @@ -68,7 +68,7 @@ It won't let any email which pretends to be for any of the local domains through Implement a password policy ^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In line with security best practices from `NIST (Special Publication 800-63B) `_, we have introduced password policy. +In line with security best practices from `NIST (Special Publication 800-63B) `_, we have introduced a password policy. Passwords now need to: @@ -86,7 +86,7 @@ Now the rate limiter will only take distinct attempts into account. We have two We have also implemented state-of-the-art features such as `Device Cookies `_ and IP-whitelisting post-authentication to ensure we don't lock genuine users out. -Rate-limiters have a bad name because they are often misunderstood. If you used Mailu's rate-limiter in the past and had a bad experience please consider giving it another try after upgrading. +Rate-limiters have a bad name because they are often misunderstood. If you have used Mailu's rate-limiter in the past and had a bad experience please consider giving it another try after upgrading. Remember the login URL ^^^^^^^^^^^^^^^^^^^^^^ 
@@ -130,8 +130,8 @@ New override system for Rspamd The override system for Rspamd has been overhauled. While the config files were first completely overridden, they are now merged. Now overrides are placed in the location (in the Rspamd/Antispam container) /overrides. -If you use your own map files, change the location to /override/myMapFile.map in the corresponding conf file. -For example when overriding multimap.conf that use a custom \*.map file: +If you use your own map files, change the location to ``/overrides/myMapFile.map`` in the corresponding conf file. +For example when overriding multimap.conf that use a custom ``.map`` file: .. code-block:: bash @@ -139,7 +139,7 @@ For example when overriding multimap.conf that use a custom \*.map file: LOCAL_BL_DOMAIN { type = "from"; filter = "email:domain"; - map = "/override/blacklist.map"; + map = "/overrides/blacklist.map"; score = 15; description = "Senders domain part is on the local blacklist"; group = "local_bl"; @@ -260,7 +260,7 @@ Security hardening We have gone further than ever. Now Mailu containers drop their privileges and communicate on separate networks. They also share the same base image where on x86 `a Hardened memory allocator `_ is configured. -Webmails which are running PHP make use of `Snuffleupagus `_. +Webmails relying on PHP now make use of `Snuffleupagus `_. New Functionality & Improvements 
@@ -312,8 +312,8 @@ on the :ref:`configuration page `, then this setting has been remove If you use Fail2Ban, then the Fail2Ban intructions have been improved. It is **mandatory** to remove your Fail2Ban config and re-apply it using the instructions from :ref:`updated Fail2Ban documentation `. -If you use overrides for Rspamd, then please note that overrides are now placed in the location `/overrides` in the rspamd container. -If you use your own map files, change the location to /override/myMapFile.map in the corresponding rspamd conf file. +If you use overrides for Rspamd, then please note that overrides are now placed in the location ``/overrides`` in the rspamd container. +If you use your own map files, change the location to ``/overrides/myMapFile.map`` in the corresponding rspamd conf file. To use the new autoconfig endpoint and Mailu RESTFul API, you may need to update your reverse proxy config. If you use ``TLS_FLAVOR=letsencrypt``, add autoconfig.myhostname.com to the setting ``HOSTNAMES=`` in mailu.env to generate a certifficate for the autoconfig endpoint as well. From 410e1d3ec43bee4c13a15098c5792474dfa3c882 Mon Sep 17 00:00:00 2001 From: Dimitri Huisman Date: Thu, 6 Apr 2023 10:01:27 +0000 Subject: [PATCH 4/4] Add reminder to configure mta-sts --- docs/faq.rst | 2 ++ docs/releases.rst | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/faq.rst b/docs/faq.rst index 4c9ea348..150091e4 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -362,6 +362,8 @@ How do I use webdav (radicale)? .. _`575`: https://github.com/Mailu/Mailu/issues/575 .. _`1591`: https://github.com/Mailu/Mailu/issues/1591 +.. _mta-sts: + How do I setup a MTA-STS policy? ```````````````````````````````` diff --git a/docs/releases.rst b/docs/releases.rst index af20404e..b290d639 100644 --- a/docs/releases.rst +++ b/docs/releases.rst 
@@ -316,10 +316,12 @@ If you use overrides for Rspamd, then please note that overrides are now placed If you use your own map files, change the location to ``/overrides/myMapFile.map`` in the corresponding rspamd conf file. To use the new autoconfig endpoint and Mailu RESTFul API, you may need to update your reverse proxy config. -If you use ``TLS_FLAVOR=letsencrypt``, add autoconfig.myhostname.com to the setting ``HOSTNAMES=`` in mailu.env to generate a certifficate for the autoconfig endpoint as well. +If you use ``TLS_FLAVOR=letsencrypt``, add autoconfig.myhostname.com to the setting ``HOSTNAMES=`` in mailu.env to generate a certificate for the autoconfig endpoint as well. After starting your Mailu deployment, please refer to the section `DNS client auto-configuration entries` on the domain details page in the web administration interface for the exact name of the autoconfig endpoint (https://test.mailu.io/admin/domain/details/test.mailu.io). +It is also recommended to have a look at :ref:`mta-sts `. +When mta-sts is enabled, modern email servers will immediately use TLS for delivering emails to Mailu. Mailu 1.9 - 2021-12-29 ----------------------
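
Review bot: In PATCH 1/4, .github/workflows/build_test_deploy.yml, the added line delimiter="$RANDOM" gives the multiline delimiter too little entropy. Bash's $RANDOM is an integer between 0 and 32767, and the text written between the content<<${delimiter} line and the closing ${delimiter} line is the body of a newsfragment file from the repository. If any line of that file equals the delimiter, the value ends early and the remaining lines are parsed as separate entries in GITHUB_OUTPUT or rejected as invalid. Suggest a longer random value, for example delimiter="$(openssl rand -hex 16)". Two smaller points in the same step: the file is still selected with ls -Art | tail -n 1, which depends on modification times in the checkout and breaks on file names containing whitespace, and the issue= line leaves $GITHUB_OUTPUT unquoted while the three new lines quote it.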
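
Review bot: In PATCH 2/4, docs/releases.rst hunk @@ -131,6 +131,20, the example line map = "/override/blacklist.map"; uses the singular /override/, while the sentence two lines above it says overrides are placed in /overrides. An operator who copies the example ends up with a map path that does not match the documented override location, so a local blacklist map may not be loaded. Suggest /overrides/blacklist.map here and in the preceding sentence about myMapFile.map. The block is also declared as code-block:: bash although its content is Rspamd configuration, and "that use a custom" should read "that uses a custom".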
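
Review bot: In PATCH 2/4, docs/releases.rst hunk @@ -292,10 +306,19, the reflowed Fail2Ban sentence keeps the typo "intructions", and the added letsencrypt sentence introduces "certifficate". PATCH 4/4 fixes the second one, but "intructions" is still present after the whole series. In the same hunk, /overrides and DNS client auto-configuration entries are wrapped in single backticks, which reStructuredText treats as the default role rather than a literal (PATCH 3/4 changes the first to double backticks, the second stays), and /override/myMapFile.map repeats the singular path.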
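
Review bot: In PATCH 2/4, towncrier/newsfragments/2744.misc hunk @@ -1,3 +1,5, the added line refers to "release.rst" while the file changed in this series is docs/releases.rst. Since the workflow step from PATCH 1/4 copies the newest newsfragment into the release text, the wrong file name would be published with it. The later patches in the series (path correction, MTA-STS reminder) are not reflected in this fragment either; consider adding a line for them.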
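
Review bot: In PATCH 3/4, the subject "Update releases.rst" does not say that hunks @@ -130,8 +130,8 and @@ -312,8 +312,8 correct the documented Rspamd path from /override/ to /overrides/. That is a functional correction for anyone who followed the earlier wording, so it deserves a mention in the subject or body, for example "Fix Rspamd override path in releases.rst". In hunk @@ -130,8 the new line still reads "that use a custom" (should be "that uses"), and the unchanged sentence ending in "(in the Rspamd/Antispam container) /overrides." leaves the path without the literal markup now applied to the other occurrences.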
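
Review bot: In PATCH 4/4, docs/releases.rst hunk @@ -316,10 +316,12, the added sentence "When mta-sts is enabled, modern email servers will immediately use TLS for delivering emails to Mailu." overstates what MTA-STS does. A sending server that supports MTA-STS first fetches the published policy over HTTPS, and only with a policy in enforce mode does it refuse to deliver when it cannot negotiate TLS with a valid certificate for a listed MX; opportunistic STARTTLS is used by most senders without any policy. Suggest wording along the lines of "When an MTA-STS policy is published, sending servers that support it will require TLS with a valid certificate when delivering to Mailu." The added text also writes "mta-sts" in lower case while the FAQ heading it links to uses "MTA-STS".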