From 04a2cdab2f44a61b939c330ccb31832a5558ea33 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sat, 1 Apr 2023 11:33:02 +0200 Subject: [PATCH 01/10] Only account for distinct attempts in rate limits --- core/admin/mailu/configuration.py | 2 +- core/admin/mailu/internal/nginx.py | 3 +++ core/admin/mailu/internal/views/auth.py | 2 +- core/admin/mailu/limiter.py | 6 +++++- core/admin/mailu/sso/views/base.py | 2 +- docs/configuration.rst | 7 ++++--- setup/templates/steps/config.html | 2 +- towncrier/newsfragments/2726.misc | 1 + 8 files changed, 17 insertions(+), 8 deletions(-) create mode 100644 towncrier/newsfragments/2726.misc diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py index 3adf9a6c..2603bf38 100644 --- a/core/admin/mailu/configuration.py +++ b/core/admin/mailu/configuration.py @@ -44,7 +44,7 @@ DEFAULT_CONFIG = { 'AUTH_RATELIMIT_IP': '5/hour', 'AUTH_RATELIMIT_IP_V4_MASK': 24, 'AUTH_RATELIMIT_IP_V6_MASK': 48, - 'AUTH_RATELIMIT_USER': '100/day', + 'AUTH_RATELIMIT_USER': '50/day', 'AUTH_RATELIMIT_EXEMPTION': '', 'AUTH_RATELIMIT_EXEMPTION_LENGTH': 86400, 'DISABLE_STATISTICS': False, diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py index 577e5a44..d0d11052 100644 --- a/core/admin/mailu/internal/nginx.py +++ b/core/admin/mailu/internal/nginx.py @@ -85,6 +85,7 @@ def handle_authentication(headers): raw_user_email = urllib.parse.unquote(headers["Auth-User"]) raw_password = urllib.parse.unquote(headers["Auth-Pass"]) user_email = 'invalid' + password = 'invalid' try: user_email = raw_user_email.encode("iso8859-1").decode("utf8") password = raw_password.encode("iso8859-1").decode("utf8") @@ -107,6 +108,7 @@ def handle_authentication(headers): "Auth-Server": server, "Auth-User": user_email, "Auth-User-Exists": is_valid_user, + "Auth-Password": password, "Auth-Port": port } status, code = get_status(protocol, "authentication") @@ -115,6 +117,7 @@ def handle_authentication(headers): "Auth-Error-Code": code, "Auth-User": user_email, "Auth-User-Exists": is_valid_user, + "Auth-Password": password, "Auth-Wait": 0 } # Unexpected diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py index 27e8861c..01d1562f 100644 --- a/core/admin/mailu/internal/views/auth.py +++ b/core/admin/mailu/internal/views/auth.py @@ -48,7 +48,7 @@ def nginx_authentication(): if headers.get("Auth-Status") == "OK": utils.limiter.exempt_ip_from_ratelimits(client_ip) elif is_valid_user: - utils.limiter.rate_limit_user(username, client_ip) + utils.limiter.rate_limit_user(username, client_ip, password=response.headers.get('Auth-Password', None)) elif not is_from_webmail: utils.limiter.rate_limit_ip(client_ip, username) return response diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py index d8b36111..f8e90101 100644 --- a/core/admin/mailu/limiter.py +++ b/core/admin/mailu/limiter.py @@ -68,9 +68,13 @@ class LimitWraperFactory(object): app.logger.warn(f'Authentication attempt from {ip} for {username} has been rate-limited.') return is_rate_limited - def rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None): + def rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None, password=None): limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user') if self.is_subject_to_rate_limits(ip): + truncated_password = hmac.new(bytearray(username, 'utf-8'), bytearray(password, 'utf-8'), 'sha256').hexdigest()[-6:] + if password and self.storage.get(f'dedup2-{username}-{truncated_password}') > 0: + return + self.storage.incr(f'dedup2-{username}-{truncated_password}', limits.parse(app.config['AUTH_RATELIMIT_USER']).GRANULARITY.seconds, True) limiter.hit(device_cookie if device_cookie_name == username else username) """ Device cookies as described on: diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py index 43237c75..42175f05 100644 --- a/core/admin/mailu/sso/views/base.py +++ b/core/admin/mailu/sso/views/base.py @@ -59,7 +59,7 @@ def login(): flask.flash(msg, "error") return response else: - utils.limiter.rate_limit_user(username, client_ip, device_cookie, device_cookie_username) if models.User.get(username) else utils.limiter.rate_limit_ip(client_ip, username) + utils.limiter.rate_limit_user(username, client_ip, device_cookie, device_cookie_username, form.pw.data) if models.User.get(username) else utils.limiter.rate_limit_ip(client_ip, username) flask.current_app.logger.warn(f'Login failed for {username} from {client_ip}.') flask.flash('Wrong e-mail or password', 'error') return flask.render_template('login.html', form=form, fields=fields) diff --git a/docs/configuration.rst b/docs/configuration.rst index e4bac5ff..56801ec8 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -47,10 +47,11 @@ accounts for a specific IP subnet as defined in ``AUTH_RATELIMIT_IP_V4_MASK`` (default: /24) and ``AUTH_RATELIMIT_IP_V6_MASK`` (default: /48). -The ``AUTH_RATELIMIT_USER`` (default: 100/day) holds a security setting for fighting +The ``AUTH_RATELIMIT_USER`` (default: 50/day) holds a security setting for fighting attackers that attempt to guess a user's password (typically using a password -bruteforce attack). The value defines the limit of authentication attempts allowed -for any given account within a specific timeframe. +bruteforce attack). The value defines the limit of distinct authentication attempts +allowed for any given account within a specific timeframe. Multiple attempts for the +same account with the same password only counts for one. The ``AUTH_RATELIMIT_EXEMPTION_LENGTH`` (default: 86400) is the number of seconds after a successful login for which a specific IP address is exempted from rate limits. diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html index b3b5fe87..025a2a2c 100644 --- a/setup/templates/steps/config.html +++ b/setup/templates/steps/config.html @@ -47,7 +47,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post

/ day + value="50" required > / day

diff --git a/towncrier/newsfragments/2726.misc b/towncrier/newsfragments/2726.misc new file mode 100644 index 00000000..f7eb41e3 --- /dev/null +++ b/towncrier/newsfragments/2726.misc @@ -0,0 +1 @@ +Change the behaviour of AUTH_RATELIMIT_USER and only account for distinct attempts. Same username and same password is now a only accounted once per period. From 795a7bafa23cd3d5a8f3e976a47b59cd868d8e07 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sat, 1 Apr 2023 12:22:44 +0200 Subject: [PATCH 02/10] should never happen but heh --- core/admin/mailu/limiter.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py index f8e90101..47658ba4 100644 --- a/core/admin/mailu/limiter.py +++ b/core/admin/mailu/limiter.py @@ -68,7 +68,7 @@ class LimitWraperFactory(object): app.logger.warn(f'Authentication attempt from {ip} for {username} has been rate-limited.') return is_rate_limited - def rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None, password=None): + def rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None, password=''): limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user') if self.is_subject_to_rate_limits(ip): truncated_password = hmac.new(bytearray(username, 'utf-8'), bytearray(password, 'utf-8'), 'sha256').hexdigest()[-6:] From 616e4a773436ac70d587ccb8b3ee089abb05b0a2 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sun, 2 Apr 2023 16:35:15 +0200 Subject: [PATCH 03/10] Ensure we always ask for the existing password before allowing a change --- core/admin/mailu/ui/forms.py | 6 ++++++ core/admin/mailu/ui/templates/sidebar.html | 2 +- core/admin/mailu/ui/views/users.py | 21 ++++++++++++++------- towncrier/newsfragments/2733.misc | 1 + 4 files changed, 22 insertions(+), 8 deletions(-) create mode 100644 towncrier/newsfragments/2733.misc diff --git a/core/admin/mailu/ui/forms.py b/core/admin/mailu/ui/forms.py index 79c76450..c9bbb251 100644 --- a/core/admin/mailu/ui/forms.py +++ b/core/admin/mailu/ui/forms.py @@ -128,6 +128,12 @@ class UserPasswordForm(flask_wtf.FlaskForm): pwned = fields.HiddenField(label='', default=-1) submit = fields.SubmitField(_('Update password')) +class UserPasswordChangeForm(flask_wtf.FlaskForm): + current_pw = fields.PasswordField(_('Current password'), [validators.DataRequired()]) + pw = fields.PasswordField(_('Password'), [validators.DataRequired()]) + pw2 = fields.PasswordField(_('Password check'), [validators.DataRequired()]) + pwned = fields.HiddenField(label='', default=-1) + submit = fields.SubmitField(_('Update password')) class UserReplyForm(flask_wtf.FlaskForm): reply_enabled = fields.BooleanField(_('Enable automatic reply')) diff --git a/core/admin/mailu/ui/templates/sidebar.html b/core/admin/mailu/ui/templates/sidebar.html index 526b5908..3fd22f0e 100644 --- a/core/admin/mailu/ui/templates/sidebar.html +++ b/core/admin/mailu/ui/templates/sidebar.html @@ -20,7 +20,7 @@
  • - +

    {% trans %}Update password{% endtrans %}

     diff --git a/core/admin/mailu/ui/views/users.py b/core/admin/mailu/ui/views/users.py index 7f7e0ab3..3e16a250 100644 --- a/core/admin/mailu/ui/views/users.py +++ b/core/admin/mailu/ui/views/users.py @@ -99,18 +99,14 @@ def user_settings(user_email): flask.url_for('.user_list', domain_name=user.domain.name)) return flask.render_template('user/settings.html', form=form, user=user) - -@ui.route('/user/password', methods=['GET', 'POST'], defaults={'user_email': None}) -@ui.route('/user/password/', methods=['GET', 'POST']) -@access.owner(models.User, 'user_email') -def user_password(user_email): +def _process_password_change(form, user_email): user_email_or_current = user_email or flask_login.current_user.email user = models.User.query.get(user_email_or_current) or flask.abort(404) - form = forms.UserPasswordForm() + form = forms.UserPasswordChangeForm() if form.validate_on_submit(): if form.pw.data != form.pw2.data: flask.flash('Passwords do not match', 'error') - else: + elif models.User.login(user_email_or_current, form.current_pw.data): if msg := utils.isBadOrPwned(form): flask.flash(msg, "error") return flask.render_template('user/password.html', form=form, user=user) @@ -121,8 +117,19 @@ def user_password(user_email): if user_email: return flask.redirect(flask.url_for('.user_list', domain_name=user.domain.name)) + else: + flask.flash('Wrong current password', 'error') return flask.render_template('user/password.html', form=form, user=user) +@ui.route('/user/password', methods=['GET', 'POST'], defaults={'user_email': None}) +@access.owner(models.User, 'user_email') +def user_password_change(user_email): + return _process_password_change(forms.UserPasswordChangeForm(), user_email) + +@ui.route('/user/password/', methods=['GET', 'POST']) +@access.domain_admin(models.User, 'user_email') +def user_password(user_email): + return _process_password_change(forms.UserPasswordForm(), user_email) @ui.route('/user/reply', methods=['GET', 'POST'], defaults={'user_email': None}) @ui.route('/user/reply/', methods=['GET', 'POST']) diff --git a/towncrier/newsfragments/2733.misc b/towncrier/newsfragments/2733.misc new file mode 100644 index 00000000..8bc7777c --- /dev/null +++ b/towncrier/newsfragments/2733.misc @@ -0,0 +1 @@ +Ensure we ask for the existing password before processing a password change request. From 52de10a5e53f0c4f4602296f9914ce272ee12222 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sun, 2 Apr 2023 16:41:12 +0200 Subject: [PATCH 04/10] resets don't need the current password --- core/admin/mailu/ui/views/users.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/admin/mailu/ui/views/users.py b/core/admin/mailu/ui/views/users.py index 3e16a250..7ef863f2 100644 --- a/core/admin/mailu/ui/views/users.py +++ b/core/admin/mailu/ui/views/users.py @@ -106,7 +106,7 @@ def _process_password_change(form, user_email): if form.validate_on_submit(): if form.pw.data != form.pw2.data: flask.flash('Passwords do not match', 'error') - elif models.User.login(user_email_or_current, form.current_pw.data): + elif user_email or models.User.login(user_email_or_current, form.current_pw.data): if msg := utils.isBadOrPwned(form): flask.flash(msg, "error") return flask.render_template('user/password.html', form=form, user=user) From f9939eef94f92bc58a791a826c30e943e9543673 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sun, 2 Apr 2023 17:01:25 +0200 Subject: [PATCH 05/10] This won't work --- setup/flavors/compose/docker-compose.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index 7d39b929..5e171130 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -38,8 +38,12 @@ services: {% endfor %} networks: - default +{% if webmail_type != 'none' %} - webmail +{% endif %} +{% if webdav_enabled %} - radicale +{% endif %} volumes: - "{{ root }}/certs:/certs" - "{{ root }}/overrides/nginx:/overrides:ro" From 920f817009df0c4ba7bd2d29f41173d85f993241 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sun, 2 Apr 2023 17:08:30 +0200 Subject: [PATCH 06/10] LOG_DRIVER just doesn't work --- docs/compose/.env | 6 ------ docs/compose/docker-compose.yml | 20 +++++++++++++++++++- docs/compose/traefik/docker-compose.yml | 2 -- docs/faq.rst | 3 +-- setup/flavors/compose/docker-compose.yml | 20 +++++++++++++++++++- setup/flavors/compose/mailu.env | 6 ------ towncrier/newsfragments/2734.misc | 2 ++ 7 files changed, 41 insertions(+), 18 deletions(-) create mode 100644 towncrier/newsfragments/2734.misc diff --git a/docs/compose/.env b/docs/compose/.env index e5e1edbf..10bf03eb 100644 --- a/docs/compose/.env +++ b/docs/compose/.env @@ -135,12 +135,6 @@ WEBSITE=https://mailu.io # Advanced settings ################################### -# Log driver for front service. Possible values: -# json-file (default) -# journald (On systemd platforms, useful for Fail2Ban integration) -# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker compose log` for front!) -LOG_DRIVER=json-file - # Docker-compose project name, this will prepended to containers names. COMPOSE_PROJECT_NAME=mailu diff --git a/docs/compose/docker-compose.yml b/docs/compose/docker-compose.yml index 344ea8b2..5bd62bad 100644 --- a/docs/compose/docker-compose.yml +++ b/docs/compose/docker-compose.yml @@ -9,7 +9,9 @@ services: restart: always env_file: .env logging: - driver: $LOG_DRIVER + driver: journald + options: + tag: docker-front ports: - "$BIND_ADDRESS4:80:80" - "$BIND_ADDRESS4:443:443" @@ -43,6 +45,10 @@ services: image: mailu/dovecot:$VERSION restart: always env_file: .env + logging: + driver: journald + options: + tag: docker-imap volumes: - "$ROOT/mail:/mail" - "$ROOT/overrides/dovecot:/overrides:ro" @@ -53,6 +59,10 @@ services: image: mailu/postfix:$VERSION restart: always env_file: .env + logging: + driver: journald + options: + tag: docker-smtp volumes: - "$ROOT/mailqueue:/queue" - "$ROOT/overrides/postfix:/overrides:ro" @@ -63,6 +73,10 @@ services: image: mailu/rspamd:$VERSION restart: always env_file: .env + logging: + driver: journald + options: + tag: docker-antispam volumes: - "$ROOT/filter:/var/lib/rspamd" - "$ROOT/dkim:/dkim:ro" @@ -88,6 +102,10 @@ services: image: mailu/admin:$VERSION restart: always env_file: .env + logging: + driver: journald + options: + tag: docker-admin volumes: - "$ROOT/data:/data" - "$ROOT/dkim:/dkim" diff --git a/docs/compose/traefik/docker-compose.yml b/docs/compose/traefik/docker-compose.yml index 25f341df..37e89827 100644 --- a/docs/compose/traefik/docker-compose.yml +++ b/docs/compose/traefik/docker-compose.yml @@ -35,8 +35,6 @@ services: image: mailu/nginx:$VERSION restart: always env_file: .env - logging: - driver: $LOG_DRIVER labels: # Traefik labels for simple reverse-proxying - "traefik.enable=true" - "traefik.port=80" diff --git a/docs/faq.rst b/docs/faq.rst index c7d9e3dc..4c9ea348 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -579,8 +579,7 @@ down brute force attacks. The same applies to login attempts via the single sign We *do* provide a possibility to export the logs from the ``front`` service and ``Admin`` service to the host. The ``front`` container logs failed logon attempts on SMTP, IMAP and POP3. The ``Admin`` container logs failed logon attempt on the single sign on page. -For this you need to set ``LOG_DRIVER=journald`` or ``syslog``, depending on the log -manager of the host. You will need to setup the proper Regex in the Fail2Ban configuration. +You will need to setup the proper Regex in the Fail2Ban configuration. Below an example how to do so. If you use a reverse proxy in front of Mailu, it is vital to set the environment variables REAL_IP_HEADER and REAL_IP_FROM. diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index 5e171130..a46879ef 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -26,7 +26,9 @@ services: restart: always env_file: {{ env }} logging: - driver: {{ log_driver or 'json-file' }} + driver: journald + options: + tag: docker-front ports: {% for port in (80, 443, 25, 465, 587, 110, 995, 143, 993) %} {% if bind4 %} @@ -66,6 +68,10 @@ services: image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-{{ version }}} restart: always env_file: {{ env }} + logging: + driver: journald + options: + tag: docker-admin {% if not admin_enabled %} ports: - 127.0.0.1:8080:80 @@ -85,6 +91,10 @@ services: image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-{{ version }}} restart: always env_file: {{ env }} + logging: + driver: journald + options: + tag: docker-imap volumes: - "{{ root }}/mail:/mail" - "{{ root }}/overrides/dovecot:/overrides:ro" @@ -100,6 +110,10 @@ services: image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-{{ version }}} restart: always env_file: {{ env }} + logging: + driver: journald + options: + tag: docker-smtp volumes: - "{{ root }}/mailqueue:/queue" - "{{ root }}/overrides/postfix:/overrides:ro" @@ -131,6 +145,10 @@ services: hostname: antispam restart: always env_file: {{ env }} + logging: + driver: journald + options: + tag: docker-antispam {% if oletools_enabled %} networks: - default diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env index dce1cb27..090f4d3a 100644 --- a/setup/flavors/compose/mailu.env +++ b/setup/flavors/compose/mailu.env @@ -158,12 +158,6 @@ DOMAIN_REGISTRATION=true # Advanced settings ################################### -# Log driver for front service. Possible values: -# json-file (default) -# journald (On systemd platforms, useful for Fail2Ban integration) -# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker compose log` for front!) -# LOG_DRIVER={{ log_driver or 'json-file' }} - # Docker-compose project name, this will prepended to containers names. COMPOSE_PROJECT_NAME={{ compose_project_name or 'mailu' }} diff --git a/towncrier/newsfragments/2734.misc b/towncrier/newsfragments/2734.misc new file mode 100644 index 00000000..b81098b6 --- /dev/null +++ b/towncrier/newsfragments/2734.misc @@ -0,0 +1,2 @@ +Remove LOG_DRIVER which never worked and replace it with journald by default +Fix a bug where front may get attached to networks that don't exist From 7dc29127702de3fca1c94c013b7ba2a765a93946 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sun, 2 Apr 2023 17:11:16 +0200 Subject: [PATCH 07/10] Update core/admin/mailu/limiter.py Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com> --- core/admin/mailu/limiter.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py index 47658ba4..f02b1662 100644 --- a/core/admin/mailu/limiter.py +++ b/core/admin/mailu/limiter.py @@ -72,7 +72,7 @@ class LimitWraperFactory(object): limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user') if self.is_subject_to_rate_limits(ip): truncated_password = hmac.new(bytearray(username, 'utf-8'), bytearray(password, 'utf-8'), 'sha256').hexdigest()[-6:] - if password and self.storage.get(f'dedup2-{username}-{truncated_password}') > 0: + if password and (self.storage.get(f'dedup2-{username}-{truncated_password}') > 0): return self.storage.incr(f'dedup2-{username}-{truncated_password}', limits.parse(app.config['AUTH_RATELIMIT_USER']).GRANULARITY.seconds, True) limiter.hit(device_cookie if device_cookie_name == username else username) From 3b6e1a0304ec896bef6286b69420d78dda980b59 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sun, 2 Apr 2023 17:24:34 +0200 Subject: [PATCH 08/10] s/docker-/mailu-/g --- setup/flavors/compose/docker-compose.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index a46879ef..c83ff29e 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -28,7 +28,7 @@ services: logging: driver: journald options: - tag: docker-front + tag: mailu-front ports: {% for port in (80, 443, 25, 465, 587, 110, 995, 143, 993) %} {% if bind4 %} @@ -71,7 +71,7 @@ services: logging: driver: journald options: - tag: docker-admin + tag: mailu-admin {% if not admin_enabled %} ports: - 127.0.0.1:8080:80 @@ -94,7 +94,7 @@ services: logging: driver: journald options: - tag: docker-imap + tag: mailu-imap volumes: - "{{ root }}/mail:/mail" - "{{ root }}/overrides/dovecot:/overrides:ro" @@ -113,7 +113,7 @@ services: logging: driver: journald options: - tag: docker-smtp + tag: mailu-smtp volumes: - "{{ root }}/mailqueue:/queue" - "{{ root }}/overrides/postfix:/overrides:ro" @@ -148,7 +148,7 @@ services: logging: driver: journald options: - tag: docker-antispam + tag: mailu-antispam {% if oletools_enabled %} networks: - default From c0f1f58f5535d0c822f947d6cbcf53011f124c3f Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sun, 2 Apr 2023 18:03:44 +0200 Subject: [PATCH 09/10] No need for that --- core/admin/mailu/ui/views/users.py | 1 - 1 file changed, 1 deletion(-) diff --git a/core/admin/mailu/ui/views/users.py b/core/admin/mailu/ui/views/users.py index 7ef863f2..eef0457c 100644 --- a/core/admin/mailu/ui/views/users.py +++ b/core/admin/mailu/ui/views/users.py @@ -102,7 +102,6 @@ def user_settings(user_email): def _process_password_change(form, user_email): user_email_or_current = user_email or flask_login.current_user.email user = models.User.query.get(user_email_or_current) or flask.abort(404) - form = forms.UserPasswordChangeForm() if form.validate_on_submit(): if form.pw.data != form.pw2.data: flask.flash('Passwords do not match', 'error') From 2ac8ba24b62e8fbccfbaa497df63d65e03e07e38 Mon Sep 17 00:00:00 2001 From: Dimitri Huisman Date: Mon, 3 Apr 2023 17:27:30 +0000 Subject: [PATCH 10/10] Make the journald container tag changes consistent --- docs/compose/docker-compose.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/compose/docker-compose.yml b/docs/compose/docker-compose.yml index 5bd62bad..3b964449 100644 --- a/docs/compose/docker-compose.yml +++ b/docs/compose/docker-compose.yml @@ -11,7 +11,7 @@ services: logging: driver: journald options: - tag: docker-front + tag: mailu-front ports: - "$BIND_ADDRESS4:80:80" - "$BIND_ADDRESS4:443:443" @@ -48,7 +48,7 @@ services: logging: driver: journald options: - tag: docker-imap + tag: mailu-imap volumes: - "$ROOT/mail:/mail" - "$ROOT/overrides/dovecot:/overrides:ro" @@ -62,7 +62,7 @@ services: logging: driver: journald options: - tag: docker-smtp + tag: mailu-smtp volumes: - "$ROOT/mailqueue:/queue" - "$ROOT/overrides/postfix:/overrides:ro" @@ -76,7 +76,7 @@ services: logging: driver: journald options: - tag: docker-antispam + tag: mailu-antispam volumes: - "$ROOT/filter:/var/lib/rspamd" - "$ROOT/dkim:/dkim:ro" @@ -105,7 +105,7 @@ services: logging: driver: journald options: - tag: docker-admin + tag: mailu-admin volumes: - "$ROOT/data:/data" - "$ROOT/dkim:/dkim"