Merge pull request #5979 from mailcow/staging

2024-07

data/conf/postfix/master.cf

@@ -4,7 +4,6 @@ smtp       inet  n       -       n       -       1       postscreen
   -o postscreen_upstream_proxy_protocol=haproxy
   -o syslog_name=haproxy
 smtpd      pass  -       -       n       -       -       smtpd
-  -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname
   -o smtpd_sasl_auth_enable=no
   -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain
 

data/conf/postfix/postscreen_access.cidr

@@ -1,6 +1,6 @@
-# Whitelist generated by Postwhite v3.4 on Mon Jul  1 00:16:55 UTC 2024
+# Whitelist generated by Postwhite v3.4 on Thu Aug  1 00:16:45 UTC 2024
 # https://github.com/stevejenkins/postwhite/
-# 1993 total rules
+# 1954 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
 2a01:111:f403:8000::/50	permit
@@ -19,11 +19,8 @@
 8.20.114.31	permit
 8.25.194.0/23	permit
 8.25.196.0/23	permit
-8.39.54.0/23	permit
-8.40.222.0/23	permit
 10.162.0.0/16	permit
 12.130.86.238	permit
-13.72.50.45	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
 13.110.216.0/22	permit
@@ -44,6 +41,7 @@
 18.198.96.88	permit
 18.208.124.128/25	permit
 18.216.232.154	permit
+18.235.27.253	permit
 18.236.40.242	permit
 18.236.56.161	permit
 20.51.6.32/30	permit
@@ -66,7 +64,6 @@
 20.112.250.133	permit
 20.118.139.208/30	permit
 20.141.10.196	permit
-20.185.213.0/24	permit
 20.185.214.0/27	permit
 20.185.214.32/27	permit
 20.185.214.64/27	permit
@@ -112,13 +109,13 @@
 37.218.249.47	permit
 37.218.251.62	permit
 39.156.163.64/29	permit
-40.71.187.0/24	permit
 40.92.0.0/15	permit
 40.92.0.0/16	permit
 40.107.0.0/16	permit
 40.112.65.63	permit
 43.228.184.0/22	permit
 44.206.138.57	permit
+44.217.45.156	permit
 44.236.56.93	permit
 44.238.220.251	permit
 46.19.170.16	permit
@@ -181,6 +178,7 @@
 50.18.125.237	permit
 50.18.126.162	permit
 50.31.32.0/19	permit
+50.31.36.205	permit
 50.56.130.220/30	permit
 52.1.14.157	permit
 52.5.230.59	permit
@@ -202,7 +200,6 @@
 52.96.91.34	permit
 52.96.111.82	permit
 52.96.172.98	permit
-52.96.214.50	permit
 52.96.222.194	permit
 52.96.222.226	permit
 52.96.223.2	permit
@@ -223,10 +220,6 @@
 52.234.172.96/28	permit
 52.235.253.128	permit
 52.236.28.240/28	permit
-52.244.206.214	permit
-52.247.53.144	permit
-52.250.107.196	permit
-52.250.126.174	permit
 54.90.148.255	permit
 54.165.19.38	permit
 54.172.97.247	permit
@@ -331,7 +324,6 @@
 65.110.161.77	permit
 65.123.29.213	permit
 65.123.29.220	permit
-65.154.166.0/24	permit
 65.212.180.36	permit
 66.102.0.0/20	permit
 66.119.150.192/26	permit
@@ -450,7 +442,6 @@
 69.171.232.0/24	permit
 69.171.244.0/23	permit
 70.37.151.128/25	permit
-70.42.149.0/24	permit
 70.42.149.35	permit
 72.14.192.0/18	permit
 72.21.192.0/19	permit
@@ -567,7 +558,6 @@
 77.238.189.142	permit
 77.238.189.146/31	permit
 77.238.189.148/30	permit
-81.7.169.128/25	permit
 81.223.46.0/27	permit
 82.165.159.2	permit
 82.165.159.3	permit
@@ -1257,6 +1247,7 @@
 106.10.244.0/24	permit
 106.39.212.64/29	permit
 106.50.16.0/28	permit
+107.20.18.111	permit
 107.20.210.250	permit
 108.174.0.0/24	permit
 108.174.0.215	permit
@@ -1292,8 +1283,6 @@
 117.120.16.0/21	permit
 119.42.242.52/31	permit
 119.42.242.156	permit
-121.244.91.48	permit
-122.15.156.182	permit
 123.126.78.64/29	permit
 124.108.96.24/31	permit
 124.108.96.28/31	permit
@@ -1349,26 +1338,14 @@
 134.170.141.64/26	permit
 134.170.143.0/24	permit
 134.170.174.0/24	permit
-135.84.80.0/24	permit
-135.84.81.0/24	permit
-135.84.82.0/24	permit
-135.84.83.0/24	permit
 135.84.216.0/22	permit
-136.143.160.0/24	permit
-136.143.161.0/24	permit
-136.143.178.49	permit
-136.143.182.0/23	permit
-136.143.184.0/24	permit
-136.143.188.0/24	permit
-136.143.190.0/23	permit
 136.147.128.0/20	permit
 136.147.135.0/24	permit
 136.147.176.0/20	permit
 136.147.176.0/24	permit
 136.147.182.0/24	permit
 136.147.224.0/20	permit
 136.179.50.206	permit
-138.91.172.26	permit
 139.60.152.0/22	permit
 139.138.35.44	permit
 139.138.46.121	permit
@@ -1419,6 +1396,7 @@
 150.230.98.160	permit
 152.67.105.195	permit
 152.69.200.236	permit
+152.70.155.126	permit
 155.248.208.51	permit
 157.55.0.192/26	permit
 157.55.1.128/26	permit
@@ -1475,7 +1453,6 @@
 163.114.134.16	permit
 163.114.135.16	permit
 164.177.132.168/30	permit
-165.173.128.0/24	permit
 166.78.68.0/22	permit
 166.78.68.221	permit
 166.78.69.169	permit
@@ -1484,6 +1461,7 @@
 167.89.0.0/17	permit
 167.89.46.159	permit
 167.89.54.103	permit
+167.89.60.95	permit
 167.89.64.9	permit
 167.89.65.0	permit
 167.89.65.53	permit
@@ -1502,11 +1480,6 @@
 168.245.12.252	permit
 168.245.46.9	permit
 168.245.127.231	permit
-169.148.129.0/24	permit
-169.148.131.0/24	permit
-169.148.142.10	permit
-169.148.144.0/25	permit
-169.148.144.10	permit
 170.10.68.0/22	permit
 170.10.128.0/24	permit
 170.10.129.0/24	permit
@@ -1661,15 +1634,7 @@
 199.16.156.0/22	permit
 199.33.145.1	permit
 199.33.145.32	permit
-199.34.22.36	permit
 199.59.148.0/22	permit
-199.67.80.2	permit
-199.67.80.20	permit
-199.67.82.2	permit
-199.67.82.20	permit
-199.67.84.0/24	permit
-199.67.86.0/24	permit
-199.67.88.0/24	permit
 199.101.161.130	permit
 199.101.162.0/25	permit
 199.122.120.0/21	permit
@@ -1726,8 +1691,6 @@
 204.92.114.187	permit
 204.92.114.203	permit
 204.92.114.204/31	permit
-204.141.32.0/23	permit
-204.141.42.0/23	permit
 204.220.160.0/20	permit
 204.232.168.0/24	permit
 205.139.110.0/24	permit
@@ -1979,8 +1942,6 @@
 2603:1030:20e:3::23c	permit
 2603:1030:b:3::152	permit
 2603:1030:c02:8::14	permit
-2607:13c0:0001:0000:0000:0000:0000:7000/116	permit
-2607:13c0:0002:0000:0000:0000:0000:1000/116	permit
 2607:f8b0:4000::/36	permit
 2620:109:c003:104::/64	permit
 2620:109:c003:104::215	permit

data/conf/rspamd/local.d/composites.conf

@@ -21,6 +21,10 @@ FREEMAIL_TO_UNDISC_RCPT {
 SOGO_CONTACT_EXCLUDE {
   expression = "(-WHITELISTED_FWD_HOST | -g+:policies) & ^SOGO_CONTACT & !DMARC_POLICY_ALLOW";
 }
+# Remove MAILCOW_WHITE symbol for senders with broken policy recieved not from fwd hosts
+MAILCOW_WHITE_EXCLUDE {
+  expression = "^MAILCOW_WHITE & (-DMARC_POLICY_REJECT | -DMARC_POLICY_QUARANTINE | -R_SPF_PERMFAIL) & !WHITELISTED_FWD_HOST";
+}
 # Spoofed header from and broken policy (excluding sieve host, rspamd host, whitelisted senders, authenticated senders and forward hosts)
 SPOOFED_UNAUTH {
   expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies";
@@ -103,4 +107,4 @@ CLAMD_JS_MALWARE {
   expression = "CLAM_SECI_JS & !MAILCOW_WHITE";
   description = "JS malware found, Securite JS malware Flag set through ClamAV";
   score = 8;
-}
+}

data/web/inc/functions.inc.php

@@ -1560,7 +1560,7 @@ function unset_tfa_key($_data) {
 }
 function get_tfa($username = null, $id = null) {
   global $pdo;
-  if (isset($_SESSION['mailcow_cc_username'])) {
+  if (empty($username) && isset($_SESSION['mailcow_cc_username'])) {
     $username = $_SESSION['mailcow_cc_username'];
   }
   elseif (empty($username)) {

data/web/js/site/admin.js

@@ -397,7 +397,10 @@ jQuery(function($){
         {
           title: lang.host,
           data: 'hostname',
-          defaultContent: ''
+          defaultContent: '',
+          render: function (data, type) {
+            return escapeHtml(data);
+          }
         },
         {
           title: lang.username,

data/web/js/site/debug.js

@@ -325,7 +325,10 @@ jQuery(function($){
           title: 'URI',
           data: 'uri',
           defaultContent: '',
-          className: 'dtr-col-md dtr-break-all'
+          className: 'dtr-col-md dtr-break-all',
+          render: function (data, type) {
+            return escapeHtml(data);
+          }
         },
         {
           title: 'Method',