diff --git a/README.md b/README.md index 75be263..ac6e0ab 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Simple, modern, lightweight & fast web-based email client. The drastically upgraded & secured fork of RainLoop Webmail Community edition. -**Shipped version:** 2.28.4~ynh1 +**Shipped version:** 2.28.4~ynh2 **Demo:** https://snappymail.eu/demo/ diff --git a/README_fr.md b/README_fr.md index 189979f..4a10d89 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,7 +18,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po Client de messagerie Web simple, moderne, léger et rapide. Snappymail est un fork considérablement amélioré et sécurisé de l'édition RainLoop Webmail Community. -**Version incluse :** 2.28.4~ynh1 +**Version incluse :** 2.28.4~ynh2 **Démo :** https://snappymail.eu/demo/ diff --git a/conf/application.ini b/conf/application.ini index e6b4af9..41a9ddf 100644 --- a/conf/application.ini +++ b/conf/application.ini 
@@ -8,76 +8,115 @@ title = "SnappyMail Webmail" ; Text displayed on startup loading_description = "SnappyMail" favicon_url = "" +app_path = "" ; Theme used by default -theme = "Clear" +theme = "Default" ; Allow theme selection on settings screen allow_themes = On allow_user_background = Off ; Language used by default -language = "__LANGUAGE__" +language = "en" ; Admin Panel interface language -language_admin = "__LANGUAGE__" +language_admin = "en" ; Allow language selection on settings screen allow_languages_on_settings = On allow_additional_accounts = On allow_additional_identities = On -; Number of messages displayed on page by default +; Number of messages displayed on page by default messages_per_page = 20 +; Mark message read after N seconds +message_read_delay = 5 + ; File size limit (MB) for file upload on compose screen ; 0 for unlimited. attachment_size_limit = 25 +; brotli or gzip compress the output. +; Warning: only enable when server does not do this, else double compression errors occur +compress_output = Off + [interface] show_attachment_thumbnail = On -new_move_to_folder_button = on [contacts] ; Enable contacts enable = On -allow_sharing = On allow_sync = On sync_interval = 20 type = "mysql" pdo_dsn = "mysql:host=127.0.0.1;port=3306;dbname=__DB_NAME__" pdo_user = "__DB_USER__" pdo_password = "__DB_PWD__" -suggestions_limit = 30 + +; PEM format certificate +mysql_ssl_ca = "" +mysql_ssl_verify = On + +; HIGH +mysql_ssl_ciphers = "" +suggestions_limit = 20 [security] -; Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery) -csrf_protection = On custom_server_signature = "SnappyMail" -x_frame_options_header = "DENY" x_xss_protection_header = "1; mode=block" openpgp = Off -; Login and password for web admin panel -admin_login = "admin" -admin_password = "12345" -admin_totp = "" - ; Access settings allow_admin_panel = On -hide_x_mailer_header = On + +; Login and password for web admin panel +admin_login = "admin" +admin_password 
= "" +admin_totp = "" admin_panel_host = "" admin_panel_key = "admin" +force_https = Off +hide_x_mailer_header = On + +; https://en.m.wikipedia.org/wiki/Load_(computing) +max_sys_getloadavg = 0 + +; For example to allow all images use "img-src https:". More info at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#directives content_security_policy = "" + +; Report CSP errors to PHP and/or SnappyMail Log csp_report = Off + +; A valid cipher method from https://php.net/openssl_get_cipher_methods encrypt_cipher = "aes-256-cbc-hmac-sha1" +; Strict, Lax or None +cookie_samesite = "Strict" + +; Additional allowed Sec-Fetch combinations separated by ";". +; For example: +; * Allow iframe on same domain in any mode: dest=iframe,site=same-origin +; * Allow navigate to iframe on same domain: mode=navigate,dest=iframe,site=same-origin +; * Allow navigate to iframe on (sub)domain: mode=navigate,dest=iframe,site=same-site +; * Allow navigate to iframe from any domain: mode=navigate,dest=iframe,site=cross-site +; +; Default is "site=same-origin;site=none" +secfetch_allow = "" + +[admin_panel] +allow_update = Off + [ssl] ; Require verification of SSL certificate used. -verify_certificate = Off +verify_certificate = On ; Allow self-signed certificates. Requires verify_certificate. -allow_self_signed = On +allow_self_signed = Off + +; https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html +security_level = 1 ; Location of Certificate Authority file on local filesystem (/etc/ssl/certs/ca-certificates.crt) cafile = "" 
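Review bot: `cookie_samesite = "Strict"` in the new [security] block may interact badly with the YunoHost SSO flow this commit adds, since the [labs] hunk points `custom_logout_link` at `https://__MAIN_DOMAIN__/yunohost/sso/`; when the app domain differs from the main domain, a Strict cookie is not sent on the top-level navigation back from the portal, so a user can land on the login page despite a valid session — worth confirming on a multi-domain instance and relaxing to `cookie_samesite = "Lax"` if so. `force_https = Off` is only acceptable because the YunoHost nginx vhost terminates TLS and redirects; a comment such as `; HTTPS is enforced by the YunoHost nginx vhost, not by SnappyMail` above it would record that assumption. The template also hard-codes `language = "en"` and `language_admin = "en"` in place of the former `__LANGUAGE__` placeholder, so any install-time language choice the manifest still offers is no longer applied.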
@@ -85,23 +124,40 @@ cafile = "" ; capath must be a correctly hashed certificate directory. (/etc/ssl/certs/) capath = "" +; Location of client certificate file (pem format with private key) on local filesystem +local_cert = "" + +; This can help mitigate the CRIME attack vector. +disable_compression = On + [capa] contacts = On quota = On help = On search = On search_adv = On +; Allow clear folder and delete messages without moving to trash dangerous_actions = On + +; Allow download attachments as Zip (and optionally others) attachments_actions = On [login] +; If someone logs in without "@domain.tld", this value will be used +; When this value is HTTP_HOST, the $_SERVER["HTTP_HOST"] value is used. +; When this value is SERVER_NAME, the $_SERVER["SERVER_NAME"] value is used. +; When this value is gethostname, the gethostname() value is used. +; default_domain = "__DOMAIN__" ; Allow language selection on webmail login screen allow_languages_on_login = On + +; Detect language from browser header `Accept-Language` determine_user_language = On + +; Like default_domain but then HTTP_HOST/SERVER_NAME without www. determine_user_domain = Off -hide_submit_button = On login_lowercase = On ; This option allows webmail to remember the logged in user @@ -117,11 +173,11 @@ sign_me_auto = "DefaultOff" ; Enable plugin support enable = On -; List of enabled plugins +; Comma-separated list of enabled plugins enabled_list = "ldap-identities" [defaults] -; Editor mode used by default (Plain, Html, HtmlForced or PlainForced) +; Editor mode used by default (Plain, Html) view_editor_type = "Html" ; layout: 0 - no preview, 1 - side preview, 2 - bottom preview 
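Review bot: `; default_domain = "__DOMAIN__"` in the new [login] block is left commented out, so the domain fallback that the five comment lines above it document is not actually configured, and a reader cannot tell whether that is intended. Either enable it (`default_domain = "__DOMAIN__"`, which `ynh_add_config` will substitute) or replace the dead line with a comment stating the reason, e.g. `; default_domain intentionally unset: users must log in with their full address`. Note that `ynh_add_config` substitutes placeholders inside comments as well, so the commented line is harmless but misleading after rendering.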
@@ -139,22 +195,24 @@ mail_reply_same_folder = Off ; Enable logging enable = Off +; Path where log files will be stored +path = "" + +; Log messages of set RFC 5424 section 6.2.1 Severity level and higher (0 = highest, 7 = lowest). +; 0 = Emergency +; 1 = Alert +; 2 = Critical +; 3 = Error +; 4 = Warning +; 5 = Notice +; 6 = Informational +; 7 = Debug level = 4 -; Logs entire request only if error occured (php requred) -write_on_error_only = Off - -; Logs entire request only if php error occured -write_on_php_error_only = Off - -; Logs entire request only if request timeout (in seconds) occured. -write_on_timeout_only = 0 - ; Required for development purposes only. ; Disabling this option is not recommended. hide_passwords = On -time_offset = __TIMEZONE__ -session_filter = "" +time_zone = "__TIMEZONE__" ; Log filename. ; For security reasons, some characters are removed from filename. @@ -182,16 +240,23 @@ session_filter = "" ; filename = "log-{date:Y-m-d}.txt" ; filename = "{date:Y-m-d}/{user:domain}/{user:email}_{user:uid}.log" ; filename = "{user:email}-{date:Y-m-d}.txt" +; filename = "syslog" +; filename = "stderr" filename = "log-{date:Y-m-d}.txt" ; Enable auth logging in a separate file (for fail2ban) auth_logging = On -auth_logging_filename = "fail2ban/auth-fail.log" -auth_logging_format = "[{date:Y-m-d H:i:s T}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}" +auth_logging_filename = "fail2ban/auth-{date:Y-m-d}.txt" +auth_logging_format = "[{date:Y-m-d H:i:s}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}" + +; Enable auth logging to syslog for fail2ban +auth_syslog = Off [debug] ; Special option required for development purposes enable = Off +javascript = Off +css = Off [cache] ; The section controls caching of the entire application. 
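Review bot: `path = ""` in the [logs] section leaves SnappyMail choosing its own log location, while the install and upgrade scripts call `ynh_use_logrotate`, which by default rotates `/var/log/$app`; if the two locations differ, the application and auth logs are never rotated and grow unbounded — please confirm where SnappyMail writes when `path` is empty. Setting `path = "/var/log/__APP__"` (with the directory created and owned by `__APP__`) would align the config with the logrotate setup. `hide_passwords = On` with `level = 4` is the right production default; a comment above `time_zone` noting that `__TIMEZONE__` is read from `/etc/timezone` in `_common.sh` would help the next maintainer.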
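Review bot: `auth_logging_filename = "fail2ban/auth-{date:Y-m-d}.txt"` creates a new file per day, so a fail2ban jail needs a glob `logpath` and may only notice new files on reload, whereas the previous fixed filename was directly usable; the new `auth_logging_format` also drops the `T` timezone token, so the jail's date parsing now depends on `time_zone` in the [logs] section being correct. This diff does not show a fail2ban jail being installed or updated, so if the package ships one its `logpath` should be checked against the new name, and if none exists a comment such as `; no fail2ban jail is shipped by this package; point one at fail2ban/auth-*.txt under the log path` would make the state explicit. `auth_syslog = Off` together with `auth_logging = On` is consistent.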
@@ -199,10 +264,13 @@ enable = Off ; Enables caching in the system enable = On +; Path where cache files will be stored +path = "" + ; Additional caching key. If changed, cache is purged index = "v1" -; Can be: files, APC, memcache +; Can be: files, APCU, memcache, redis (beta) fast_cache_driver = "files" ; Additional caching key. If changed, fast cache is purged 
@@ -216,58 +284,39 @@ http_expires = 3600 ; Caching message UIDs when searching and sorting (threading) server_uids = On +system_data = On + +[imap] +use_force_selection = Off +use_expunge_all_on_delete = Off +message_list_fast_simple_search = On +message_list_permanent_filter = "" +message_all_headers = Off +show_login_alert = On +fetch_new_messages = On [labs] -allow_prefetch = Off -cache_system_data = On +; Display message RFC 2822 date and time header, instead of the arrival internal date. date_from_headers = On -autocreate_system_folders = Off allow_message_append = Off -login_fault_delay = 1 + +; When login fails, wait N seconds before responding +login_fault_delay = 5 log_ajax_response_write_limit = 300 -allow_html_editor_source_button = Off -allow_ctrl_enter_on_compose = On -try_to_detect_hidden_images = Off -use_app_debug_js = Off -use_mobile_version_for_tablets = Off -use_app_debug_css = Off -use_imap_sort = On -use_imap_force_selection = Off -use_imap_thread = On -use_imap_move = Off -use_imap_expunge_all_on_delete = Off -imap_forwarded_flag = "$Forwarded" -imap_read_receipt_flag = "$ReadReceipt" -imap_body_text_limit = 555000 -imap_message_list_fast_simple_search = On -imap_message_list_count_limit_trigger = 0 -imap_message_list_date_filter = 0 -imap_message_list_permanent_filter = "" -imap_message_all_headers = Off -imap_large_thread_limit = 50 -imap_folder_list_limit = 200 -imap_show_login_alert = On -imap_use_list_status = On -imap_timeout = 300 smtp_show_server_errors = Off -smtp_timeout = 60 sieve_auth_plain_initial = On -sieve_allow_fileinfo_inbox = Off -sieve__timeout = 10 -sasl_allow_plain = On -sasl_allow_scram_sha = Off -sasl_allow_cram_md5 = Off +sieve_allow_fileinto_inbox = Off + +; PHP mail() remove To and Subject headers mail_func_clear_headers = On + +; PHP mail() set -f emailaddress mail_func_additional_parameters = Off -favicon_status = On folders_spec_limit = 50 curl_proxy = "" curl_proxy_auth = "" -in_iframe = Off -force_https = Off 
-custom_login_link = "" -custom_logout_link = "" -allow_external_login = Off +custom_login_link='' +custom_logout_link='https://__MAIN_DOMAIN__/yunohost/sso/?action=logout' http_client_ip_check_proxy = Off fast_cache_memcache_host = "127.0.0.1" fast_cache_memcache_port = 11211 @@ -277,13 +326,11 @@ use_local_proxy_for_external_images = On image_exif_auto_rotate = Off cookie_default_path = "" cookie_default_secure = Off -check _new_messages = On replace_env_in_configuration = "" boundary_prefix = "" -kolab_enabled = Off dev_email = "" dev_password = "" [version] -current = "2.15.0" -saved = "Thu, 21 Apr 2022 15:18:08 +0000" +current = "2.28.1" +saved = "Wed, 21 Jun 2023 06:38:05 +0000" diff --git a/conf/sso.php b/conf/sso.php new file mode 100644 index 0000000..1013197 --- /dev/null +++ b/conf/sso.php @@ -0,0 +1,17 @@ + Domains > __DOMAIN__ > SMTP > Check "Use authentication" diff --git a/doc/ADMIN_fr.md b/doc/ADMIN_fr.md index 3f87d9e..f07b1c0 100644 --- a/doc/ADMIN_fr.md +++ b/doc/ADMIN_fr.md @@ -2,6 +2,6 @@ Le fichier de mot de passe est créé après la première ouverture de l'interfa Assurez-vous de changer immédiatement le mot de passe par défaut ! -Ouvrez l'interface d'administration de Snappy `https://__DOMAIN____PATH__/?admin` pour configurer les paramètres de votre serveur de messagerie. Connectez-vous avec l'utilisateur "admin" et le mot de passe du fichier `__INSTALL_DIR__/data/_data_/_default_/admin_password.txt`. +Ouvrez l'interface d'administration de Snappy `https://__DOMAIN____PATH__/app/?admin` pour configurer les paramètres de votre serveur de messagerie. Connectez-vous avec l'utilisateur "admin" et le mot de passe du fichier `__INSTALL_DIR__/data/_data_/_default_/admin_password.txt`. En particulier, pour pouvoir envoyer des mails, il vous faut aller dans l'interface d'admin de Snappy > Domaines > __DOMAIN__ > SMTP > Coche "Use authentication" diff --git a/manifest.toml b/manifest.toml index 33a2b83..09e3e6f 100644 --- a/manifest.toml 
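Review bot: `custom_login_link=''` and `custom_logout_link='https://__MAIN_DOMAIN__/yunohost/sso/?action=logout'` use single quotes and no spaces around `=`, while every other key in this file is written `key = "value"`; if SnappyMail reads the file through PHP's INI scanner the single quotes are probably accepted, but the inconsistency invites mis-edits, so `custom_logout_link = "https://__MAIN_DOMAIN__/yunohost/sso/?action=logout"` is preferable. `__MAIN_DOMAIN__` relies on `main_domain` from `_common.sh`, which the `change_url` hunk now sources explicitly but the `install` and `upgrade` hunks do not visibly source in this diff — confirm they do, otherwise the placeholder is rendered unsubstituted. `login_fault_delay = 5` is a sensible brute-force slowdown; a comment noting that it complements the fail2ban auth log would tie the two settings together.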
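Review bot: `cookie_default_secure = Off` stays in the template even though the app is only reachable through the YunoHost HTTPS vhost; unless SnappyMail adds the Secure flag by itself when it detects HTTPS, the session cookie can be replayed over plain HTTP, and `cookie_default_secure = On` is the safer value here — worth confirming against the SnappyMail documentation before changing. Separately, the [version] block is updated to `current = "2.28.1"` while the README and manifest in this same commit ship 2.28.4; if SnappyMail rewrites this value on first start it is harmless, otherwise it should read `current = "2.28.4"`.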
+++ b/manifest.toml @@ -5,7 +5,7 @@ name = "SnappyMail" description.en = "Simple, modern, lightweight & fast web-based e-mail client" description.fr = "Client de messagerie Web simple, moderne, léger et rapide" -version = "2.28.4~ynh1" +version = "2.28.4~ynh2" maintainers = ["eric_G"] @@ -23,7 +23,7 @@ multi_instance = true ldap = false sso = false disk = "50M" -ram.build = "50M" +ram.build = "100M" ram.runtime = "50M" [install] @@ -56,4 +56,8 @@ ram.runtime = "50M" main.url = "/" [resources.apt] - packages = "php8.2-sqlite3 php8.2-tidy php8.2-dom php8.2-intl php8.2-mysql php8.2-curl php8.2-gd php8.2-cli php8.2-xml php8.2-mbstring" + packages = "mariadb-server php8.2-sqlite3 php8.2-tidy php8.2-dom php8.2-intl php8.2-mysql php8.2-curl php8.2-gd php8.2-cli php8.2-xml php8.2-mbstring" + + [resources.database] + type = "mysql" + \ No newline at end of file diff --git a/scripts/_common.sh b/scripts/_common.sh index 944a65e..7e974aa 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -4,6 +4,9 @@ # COMMON VARIABLES #================================================= +main_domain=$(cat /etc/yunohost/current_host) +timezone=$(cat /etc/timezone) + #================================================= # PERSONAL HELPERS #================================================= diff --git a/scripts/change_url b/scripts/change_url index ab2d658..20ecf75 100644 --- a/scripts/change_url +++ b/scripts/change_url 
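Review bot: The new `[resources.database]` block ends without a trailing newline (`\ No newline at end of file`) and the line before it is whitespace-only; add the newline so a later append does not glue onto `type = "mysql"`. Adding `mariadb-server` explicitly to `packages` duplicates what the database resource normally provisions; if the helper already installs the server, the explicit package can be dropped so the two cannot diverge. The `sso = false` left in the context of the `@@ -23` hunk also contradicts the SSO index this commit installs — if `conf/sso.php` really logs users in from the YunoHost portal, the manifest should declare `sso = true`.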
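Review bot: `timezone=$(cat /etc/timezone)` and `main_domain=$(cat /etc/yunohost/current_host)` run at source time in every script, so on a host configured only through `/etc/localtime` the missing file either aborts install, upgrade and remove (if errexit is already active when `_common.sh` is sourced) or silently leaves `timezone` empty and renders `time_zone = ""` into `application.ini`. A fallback keeps both cases sane: `timezone=$(cat /etc/timezone 2>/dev/null || echo "UTC")`. A one-line comment above each assignment stating which placeholder it feeds (`__TIMEZONE__` and `__MAIN_DOMAIN__` in `application.ini`) would also help.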
@@ -6,8 +6,26 @@ # IMPORT GENERIC HELPERS #================================================= +source _common.sh source /usr/share/yunohost/helpers +#================================================= +# UPDATE A CONFIG FILE +#================================================= +ynh_script_progression --message="Updating a configuration file..." --weight=1 + +ynh_add_config --template="application.ini" --destination="$install_dir/app/data/_data_/_default_/configs/application.ini" + +chmod 400 "$install_dir/app/data/_data_/_default_/configs/application.ini" +chown $app:$app "$install_dir/app/data/_data_/_default_/configs/application.ini" + +#================================================= +# SETUP SSO +#================================================= +ynh_script_progression --message="Applying SSO patch..." --weight=1 + +ynh_add_config --template="../conf/sso.php" --destination="$install_dir/index.php" + #================================================= # MODIFY URL IN NGINX CONF #================================================= diff --git a/scripts/install b/scripts/install index e975d1d..e5da137 100755 --- a/scripts/install +++ b/scripts/install @@ -31,7 +31,7 @@ ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage ynh_script_progression --message="Setting up source files..." --weight=3 # Download, check integrity, uncompress and patch the source from app.src -ynh_setup_source --dest_dir="$install_dir" +ynh_setup_source --dest_dir="$install_dir/app" chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" 
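Review bot: `chmod 400` on `application.ini`, repeated in the install (`@@ -50`) and upgrade (`@@ -67`) hunks, makes the file read-only for its owner `$app`, which is also the php-fpm user; if the SnappyMail admin panel saves settings back into this file, every save will fail with a permission error, and `chmod 600` keeps the same secrecy (the file holds `__DB_PWD__`) while allowing writes — please confirm which behaviour is wanted. Regenerating the file from the template here and in the upgrade hunk also replaces whatever the admin configured through the panel, and the upgrade's `--keep="data/_data_/_default_/configs/application.ini"` is defeated by the later `ynh_add_config`; the helper backs up a modified file, but the live settings are still lost, so either skip the regeneration when the file already exists or document that panel changes do not survive `change_url`/`upgrade`. Minor: `--template="../conf/sso.php"` versus `--template="application.ini"` — `ynh_add_config` already resolves bare names under `conf/`, so the prefix is unnecessary and inconsistent.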
@@ -50,6 +50,28 @@ ynh_add_nginx_config # Use logrotate to manage application logfile(s) ynh_use_logrotate +#================================================= +# APP INITIAL CONFIGURATION +#================================================= +# ADD A CONFIGURATION +#================================================= +ynh_script_progression --message="Adding a configuration file..." --weight=1 + +mkdir -p "$install_dir/app/data/_data_/_default_/configs" +chown $app:$app -R "$install_dir/app/data/_data_" + +ynh_add_config --template="application.ini" --destination="$install_dir/app/data/_data_/_default_/configs/application.ini" + +chmod 400 "$install_dir/app/data/_data_/_default_/configs/application.ini" +chown $app:$app "$install_dir/app/data/_data_/_default_/configs/application.ini" + +#================================================= +# SETUP SSO +#================================================= +ynh_script_progression --message="Applying SSO patch..." --weight=1 + +ynh_add_config --template="../conf/sso.php" --destination="$install_dir/index.php" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 2b3636a..d39fa9f 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
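Review bot: The new `index.php` rendered from `sso.php` turns this into an SSO-integrated app, yet `manifest.toml` (context in its `@@ -23` hunk) still declares `sso = false`; the content of `conf/sso.php` is not visible in this diff, so please confirm what it does and set `sso = true` if it logs users in from the YunoHost portal. `chown $app:$app -R "$install_dir/app/data/_data_"` also uses a different group from the `$app:www-data` applied to `$install_dir` a few lines earlier; if nginx never needs to read the data directory that is fine, but a comment such as `# data/_data_ is read only by php-fpm ($app), never by nginx` would stop someone "fixing" it later.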
@@ -38,6 +38,17 @@ if [ -z "${fpm_usage:-}" ]; then ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage fi +# Do something when upgrading from 2.3.2~ynh1 or lower +if ynh_compare_current_package_version --comparison le --version 2.28.4~ynh1 +then + # Move everything inside a $install_dir/app/ subfolder + # This allows to have a $install_dir/index.php handling the SSO + mkdir -p $install_dir/app + # Ugly way to not return an error when moving everything to a subfolter of the same folder https://stackoverflow.com/a/43262922 + find $install_dir -maxdepth 1 -mindepth 1 -not -name app -exec mv -t $install_dir/app {} + + chown $app:root $install_dir/app/ +fi + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= @@ -47,7 +58,7 @@ then ynh_script_progression --message="Upgrading source files..." --weight=5 # Download, check integrity, uncompress and patch the source from app.src - ynh_setup_source --dest_dir="$install_dir" --keep="data/_data_/_default_/configs/application.ini" + ynh_setup_source --dest_dir="$install_dir/app" --keep="data/_data_/_default_/configs/application.ini" fi chmod -R o-rwx "$install_dir" 
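Review bot: The comment `# Do something when upgrading from 2.3.2~ynh1 or lower` does not match the guard `--version 2.28.4~ynh1` on the next line; it should read `# Move the tree into $install_dir/app when upgrading from 2.28.4~ynh1 or lower`. `$install_dir` is unquoted in the `mkdir`, `find` and `chown` lines of this block while the rest of the script quotes it (`chmod -R o-rwx "$install_dir"`); quote it for consistency, e.g. `find "$install_dir" -maxdepth 1 -mindepth 1 -not -name app -exec mv -t "$install_dir/app" {} +`. The move is idempotent thanks to `mkdir -p` and `-not -name app`, which deserves a comment because the `le` comparison re-runs the block on a retried upgrade from the same old version.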
@@ -67,6 +78,25 @@ ynh_add_nginx_config # Use logrotate to manage app-specific logfile(s) ynh_use_logrotate --non-append +#================================================= +# RECONFIGURE THE APP (UPDATE CONF, APPLY MIGRATIONS...) +#================================================= +# UPDATE A CONFIG FILE +#================================================= +ynh_script_progression --message="Updating a configuration file..." --weight=1 + +ynh_add_config --template="application.ini" --destination="$install_dir/app/data/_data_/_default_/configs/application.ini" + +chmod 400 "$install_dir/app/data/_data_/_default_/configs/application.ini" +chown $app:$app "$install_dir/app/data/_data_/_default_/configs/application.ini" + +#================================================= +# SETUP SSO +#================================================= +ynh_script_progression --message="Applying SSO patch..." --weight=1 + +ynh_add_config --template="../conf/sso.php" --destination="$install_dir/index.php" + #================================================= # END OF SCRIPT #=================================================