Merge branch 'dev' into add_rfkill_diagnosis

conf/postfix/main.cf

@@ -211,3 +211,11 @@ smtp_sasl_security_options = noanonymous
 # where to find sasl_passwd
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 {% endif %}
+
+{% if backup_mx_domains != "" %}
+# Backup MX (secondary MX)
+relay_domains = $mydestination {{backup_mx_domains}}
+relay_recipient_maps = hash:/etc/postfix/relay_recipients
+maximal_queue_lifetime = 20d
+{% endif %}
+

conf/ssh/sshd_config

@@ -84,7 +84,7 @@ Subsystem sftp internal-sftp
 
 # Apply following instructions to user with sftp perm only
 Match Group sftp.main,!ssh.main
-    ForceCommand internal-sftp
+    ForceCommand internal-sftp -u 0002
     # We can't restrict to /home/%u because the chroot base must be owned by root
     # So we chroot only on /home
     # See https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component
@@ -97,7 +97,7 @@ Match Group sftp.main,!ssh.main
     PermitUserRC no
 
 Match Group sftp.app,!ssh.app
-    ForceCommand internal-sftp
+    ForceCommand internal-sftp -u 0002
     ChrootDirectory %h
     AllowTcpForwarding no
     AllowStreamLocalForwarding no

hooks/conf_regen/19-postfix

@@ -45,6 +45,21 @@ do_pre_regen() {
 
         cat <<<"[${relay_host}]:${relay_port} ${relay_user}:${relay_password}" >${postfix_dir}/sasl_passwd
     fi
+
+    # Use this postfix server as a backup MX
+    export backup_mx_domains="$(yunohost settings get 'email.smtp.smtp_backup_mx_domains' | sed "s/,/ /g")"
+    export backup_mx_emails="$(yunohost settings get 'email.smtp.smtp_backup_mx_emails_whitelisted' | sed "s/,/ /g")"
+    rm -f ${postfix_dir}/relay_recipients
+    touch ${postfix_dir}/relay_recipients
+    if [ -n "${backup_mx_domains}" ] && [ -n "${backup_mx_emails}" ]
+    then
+        for mail in ${backup_mx_emails}
+        do
+            echo "$mail OK" >> ${postfix_dir}/relay_recipients
+        done
+        postmap ${postfix_dir}/relay_recipients
+    fi
+
     export main_domain
     export domain_list="$(yunohost domain list --features mail_in mail_out --output-as json | jq -r ".domains[]" | tr '\n' ' ')"
     ynh_render_template "main.cf" "${postfix_dir}/main.cf"
@@ -78,6 +93,11 @@ do_post_regen() {
         postmap /etc/postfix/sasl_passwd
     fi
 
+    if [ -e /etc/postfix/relay_recipients ]; then
+        chmod 750 /etc/postfix/relay_recipients*
+        chown postfix:root /etc/postfix/relay_recipients*
+    fi
+
     postmap -F hash:/etc/postfix/sni
 
     python3 -c 'from yunohost.app import regen_mail_app_user_config_for_dovecot_and_postfix as r; r(only="postfix")'

locales/en.json

@@ -456,6 +456,10 @@
     "global_settings_setting_security_experimental_enabled_help": "Enable experimental security features (don't enable this if you don't know what you're doing!)",
     "global_settings_setting_smtp_allow_ipv6": "Allow IPv6",
     "global_settings_setting_smtp_allow_ipv6_help": "Allow the use of IPv6 to receive and send mail",
+    "global_settings_setting_smtp_backup_mx_domains": "Domains to act as secondary MX for",
+    "global_settings_setting_smtp_backup_mx_domains_help": "Allow this server to act as a backup *secondary* MX domain for the listed domain. This means that if the main MX for the domain is not reachable (for example because of an outage), mails will still be sent to this server, which will keep them during a maximum of 20 days and try to relay them to the real destination once it goes back up. Several domains can be provided, separated by commas.",
+    "global_settings_setting_smtp_backup_mx_emails_whitelisted": "SMTP backup MX emails whitelist",
+    "global_settings_setting_smtp_backup_mx_emails_whitelisted_help": "When acting as a secondary MX, the exhaustive list of allowed recipient's email addresses must be provided (otherwise mails will be refused and discarded). Several entries can be provided, separated by commas.",
     "global_settings_setting_smtp_relay_enabled": "Enable SMTP relay",
     "global_settings_setting_smtp_relay_enabled_help": "Enable the SMTP relay to use in order to send mail instead of this yunohost instance. Useful if you are in one of this situation: your 25 port is blocked by your ISP or VPS provider, you have a residential IP listed on DUHL, you are not able to configure reverse DNS or this server is not directly exposed on the internet and you want use an other one to send mails.",
     "global_settings_setting_smtp_relay_host": "SMTP relay host",

locales/eu.json

@@ -804,4 +804,4 @@
     "migration_0027_modified_files": "Ondorengo fitxategiak eskuz moldatu direla antzeman da eta litekeena da bertsio-berritzeak gainean idaztea: {manually_modified_files}",
     "migration_0027_not_enough_free_space": "/var/-en erabilgarri dagoen espazioa oso txikia da! Gutxienez GB 1 izan beharko zenuke erabilgarri migrazioari ekiteko.",
     "migration_0027_patching_sources_list": "sources.lists fitxategia petatxatzen…"
-}
+}

locales/fr.json

@@ -806,4 +806,4 @@
     "migration_0027_still_on_bullseye_after_main_upgrade": "Quelque chose s'est mal passé lors de la mise à jour du système, il semble que celui-ci soit toujours sous Debian Bullseye.",
     "migration_0027_system_not_fully_up_to_date": "Votre système n'est pas complètement à jour. Veuillez effectuer une mise à jour classique avant de procéder à la migration vers Bookworm.",
     "migration_0027_yunohost_upgrade": "Démarrage de la mise à jour du cœur de YunoHost…"
-}
+}

locales/gl.json

@@ -804,4 +804,4 @@
     "migration_0027_not_enough_free_space": "Hai moi pouco espazo en /var/! Deberías ter polo menos 1GB libre para realizar a migración.",
     "migration_0027_patch_yunohost_conflicts": "Aplicando a solución para resolver o problema conflictivo…",
     "migration_0027_system_not_fully_up_to_date": "O teu sistema non está totalmente actualizado. Fai unha actualización corrente antes de iniciar a migración a Bookworm."
-}
+}

locales/id.json

@@ -804,4 +804,4 @@
     "update_apt_cache_warning": "Ada yang tidak sesuai saat memperbarui cache APT (manajer paket Debian). Berikut ini adalah kumpulan baris source.list, yang mungkin membantu mengidentifikasi baris yang bermasalah:\n{sourceslist}",
     "user_import_missing_columns": "Kehilangan kolom berikut: {columns}",
     "user_import_nothing_to_do": "Tidak ada pengguna yang perlu diimpor"
-}
+}

locales/ru.json

@@ -360,4 +360,4 @@
     "apps_failed_to_upgrade": "Не удалось обновить данные приложения:{apps}",
     "apps_failed_to_upgrade_line": "\n * {app_id} (чтобы увидеть соответствующий журнал, выполните «yunohost log show {operation_logger_name}»)",
     "ask_admin_fullname": "Полное имя администратора"
-}
+}

locales/sk.json

@@ -280,4 +280,4 @@
     "domain_config_xmpp": "Krátke správy (XMPP)",
     "log_app_makedefault": "Nastaviť '{}' ako predvolenú aplikáciu",
     "domain_config_cert_renew_help": "Certifikát bude automaticky obnovený po 15 dňoch platnosti. Ak chcete, môžete ho obnoviť aj ručne. (Neodporúča sa)."
-}
+}

locales/tr.json

@@ -32,4 +32,4 @@
     "app_change_url_identical_domains": "('{domain}{path}') Eski ve yeni alan adının veya URL adresler aynı.Şu anda yapacak bir şey bulunmuyor.",
     "app_corrupt_source": "YunoHost, {app} için '{source_id}' ({url}) adresinden indirebildi, ancak varlık olması gereken yapılandırmalarla eşleşmiyor. Bu, sunucunuzda geçici bir ağ arızası meydana geldiği veya varlığın bir şekilde yayın yapılan veri sağlacıyısı (veya kötü niyetli bir kişi?) tarafından değiştirildiği ve YunoHost yapımcılarının araştırması ve belki de bu değişikliği dikkate almak için uygulama bildirimini güncellemesi gerektiği anlamına gelebilir.\n    Beklenen sha256 sağlama toplamı: {expected_sha256}\n    İndirilen sha256 sağlama toplamı: {computed_sha256}\n    İndirilen dosya boyutu: {size}",
     "app_failed_to_upgrade_but_continue": "{failed_app} uygulaması yükseltilirken başarısız oldu. Sıradaki güncellemeler devam ediyor. Konu ile ilgili hata kayıtlarını görüntülemek için 'yunohost log show {operation_logger_name}' komutunu çalıştırın"
-}
+}

share/config_global.toml

@@ -107,7 +107,7 @@ name = "Email"
         [email.pop3.pop3_enabled]
         type = "boolean"
         default = false
-    
+
     [email.smtp]
     name = "SMTP"
         [email.smtp.smtp_allow_ipv6]
@@ -117,7 +117,7 @@ name = "Email"
         [email.smtp.smtp_relay_enabled]
         type = "boolean"
         default = false
-        
+
         [email.smtp.smtp_relay_host]
         type = "string"
         default = ""
@@ -134,7 +134,7 @@ name = "Email"
         default = ""
         optional = true
         visible="smtp_relay_enabled"
-        
+
         [email.smtp.smtp_relay_password]
         type = "password"
         default = ""
@@ -142,6 +142,17 @@ name = "Email"
         visible="smtp_relay_enabled"
         help = ""  # This is empty string on purpose, otherwise the core automatically set the 'good_practice_admin_password' string here which is not relevant, because the admin is not actually "choosing" the password ...
 
+        [email.smtp.smtp_backup_mx_domains]
+        type = "string"
+        default = ""
+        optional = true
+
+        [email.smtp.smtp_backup_mx_emails_whitelisted]
+        type = "string"
+        default = ""
+        optional = true
+        visible = "smtp_backup_mx_domains"
+
 [misc]
 name = "Other"
     [misc.portal]

src/settings.py

@@ -335,6 +335,8 @@ def reconfigure_ssh_and_fail2ban(setting_name, old_value, new_value):
 @post_change_hook("smtp_relay_port")
 @post_change_hook("smtp_relay_user")
 @post_change_hook("smtp_relay_password")
+@post_change_hook("smtp_backup_mx_domains")
+@post_change_hook("smtp_backup_mx_emails_whitelisted")
 @post_change_hook("postfix_compatibility")
 def reconfigure_postfix(setting_name, old_value, new_value):
     if old_value != new_value: