From f33d82ffc11ed3438609d4e7a6baa78cb3305bc3 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Wed, 3 Jul 2024 15:50:17 +0200
Subject: [PATCH 1/7] [Web] use correct user to fetch TFA authenticators
---
 data/web/inc/functions.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 8e0ac580bd..b81bf34ff4 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1560,7 +1560,7 @@ function unset_tfa_key($_data) {
 }
 function get_tfa($username = null, $id = null) {
 global $pdo;
- if (isset($_SESSION['mailcow_cc_username'])) {
+ if (empty($username) && isset($_SESSION['mailcow_cc_username'])) {
 $username = $_SESSION['mailcow_cc_username'];
 }
 elseif (empty($username)) {
From 66aa28b5de282fc037e0d2f02fbdc84539b614a1 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Mon, 22 Jul 2024 15:04:29 +0200
Subject: [PATCH 2/7] [Web] escapeHtml in api_log table
---
 data/web/js/site/debug.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/data/web/js/site/debug.js b/data/web/js/site/debug.js
index 512d9551e8..8229e9f661 100644
--- a/data/web/js/site/debug.js
+++ b/data/web/js/site/debug.js
@@ -325,7 +325,10 @@ jQuery(function($){
 title: 'URI',
 data: 'uri',
 defaultContent: '',
- className: 'dtr-col-md dtr-break-all'
+ className: 'dtr-col-md dtr-break-all',
+ render: function (data, type) {
+ return escapeHtml(data);
+ }
 },
 {
 title: 'Method',
From efb2572f0fa57628ad98a76a4ae884a10cac0a1a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Mon, 22 Jul 2024 15:05:43 +0200
Subject: [PATCH 3/7] [Web] escapeHtml in relayhosts table
---
 data/web/js/site/admin.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 80da641678..a2c7954dc4 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
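Review bot: With the new `empty($username) &&` guard, an explicit `$username` argument now overrides `$_SESSION['mailcow_cc_username']`, so get_tfa() returns the authenticators of whatever name the caller passes. The callers and the rest of the function body are outside this hunk, so it is worth confirming that none of them forwards a request-supplied username without first checking that the session may act for that user. A comment on the condition would record the intended precedence, e.g. `// an explicit $username wins; the session user is only the fallback`. Note also that `empty()` treats the string `'0'` as missing, so `$username === null || $username === ''` would be the stricter test if such a login name is possible.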
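Review bot: The new `render` callback on the URI column passes `data` to escapeHtml() for every render type and without a null check. escapeHtml is defined outside this hunk, so if it stringifies its argument, a log row without a `uri` would display as `null` or `undefined` instead of falling back to `defaultContent`; `return data == null ? '' : escapeHtml(data);` keeps the escaping and the empty default. The same callback is added to the `hostname` column of the relayhosts table in data/web/js/site/admin.js and has the same gap. Only these two columns gain a renderer in the visible hunks; the neighbouring column definitions ('Method' here, `lang.username` in admin.js) continue outside them, so whether they already escape their values cannot be told from this patch and should be checked.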
@@ -397,7 +397,10 @@ jQuery(function($){
 {
 title: lang.host,
 data: 'hostname',
- defaultContent: ''
+ defaultContent: '',
+ render: function (data, type) {
+ return escapeHtml(data);
+ }
 },
 {
 title: lang.username,
From 73257151c41252f08d1e6e6eb67b0846960416a5 Mon Sep 17 00:00:00 2001
From: DerLinkman
Date: Wed, 24 Jul 2024 15:29:28 +0200
Subject: [PATCH 4/7] postfix: remove forced helo restrictions from master.cf
---
 data/conf/postfix/master.cf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/data/conf/postfix/master.cf b/data/conf/postfix/master.cf
index 63ce875da5..df91a3900e 100644
--- a/data/conf/postfix/master.cf
+++ b/data/conf/postfix/master.cf
@@ -4,7 +4,6 @@ smtp inet n - n - 1 postscreen -o postscreen_upstream_proxy_protocol=haproxy -o syslog_name=haproxy smtpd pass - - n - - smtpd - -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname -o smtpd_sasl_auth_enable=no -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain
From 7f7a869678293a4577eb34fa5f0de9ff72c62fc3 Mon Sep 17 00:00:00 2001
From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com>
Date: Sun, 28 Jul 2024 13:19:03 +0200
Subject: [PATCH 5/7] Do not add MAILCOW_WHITE on failed DMARC
---
 data/conf/rspamd/local.d/composites.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/data/conf/rspamd/local.d/composites.conf b/data/conf/rspamd/local.d/composites.conf
index cde34b5746..9bb84424a0 100644
--- a/data/conf/rspamd/local.d/composites.conf
+++ b/data/conf/rspamd/local.d/composites.conf
@@ -21,6 +21,10 @@ FREEMAIL_TO_UNDISC_RCPT {
 SOGO_CONTACT_EXCLUDE {
 expression = "(-WHITELISTED_FWD_HOST | -g+:policies) & ^SOGO_CONTACT & !DMARC_POLICY_ALLOW";
 }
+# Remove MAILCOW_WHITE symbol for senders with broken policy recieved not from fwd hosts
+MAILCOW_WHITE_EXCLUDE {
+ expression = "^MAILCOW_WHITE & (-DMARC_POLICY_REJECT | -DMARC_POLICY_QUARANTINE | -R_SPF_PERMFAIL) & !WHITELISTED_FWD_HOST";
+}
 # Spoofed header from and broken policy (excluding sieve host, rspamd host, whitelisted senders, authenticated senders and forward hosts)
 SPOOFED_UNAUTH {
 expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies";
@@ -103,4 +107,4 @@ CLAMD_JS_MALWARE {
 expression = "CLAM_SECI_JS & !MAILCOW_WHITE";
 description = "JS malware found, Securite JS malware Flag set through ClamAV";
 score = 8;
-}
\ No newline at end of file
+}
From 8fbfd99dd6f74e20e65f9f71a1e185ab3dce27be Mon Sep 17 00:00:00 2001
From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com>
Date: Sun, 28 Jul 2024 13:20:24 +0200
Subject: [PATCH 6/7] Update composites.conf
From ff34eb12e2dbd9f9905aba0020fcb5921c2be7a0 Mon Sep 17 00:00:00 2001
From: milkmaker
Date: Thu, 1 Aug 2024 00:16:46 +0000
Subject: [PATCH 7/7] update postscreen_access.cidr
---
 data/conf/postfix/postscreen_access.cidr | 55 ++++--------------------
 1 file changed, 8 insertions(+), 47 deletions(-)
diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr
index e24e0fa76c..78ffc3a89e 100644
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -1,6 +1,6 @@ -# Whitelist generated by Postwhite v3.4 on Mon Jul 1 00:16:55 UTC 2024 +# Whitelist generated by Postwhite v3.4 on Thu Aug 1 00:16:45 UTC 2024 # https://github.com/stevejenkins/postwhite/ -# 1993 total rules +# 1954 total rules 2a00:1450:4000::/36 permit 2a01:111:f400::/48 permit 2a01:111:f403:8000::/50 permit
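Review bot: MAILCOW_WHITE_EXCLUDE strips MAILCOW_WHITE with `^`, but other composites still test `!MAILCOW_WHITE` directly (SPOOFED_UNAUTH in this hunk, CLAMD_JS_MALWARE in the next one). Whether they see the symbol as already removed depends on the order in which rspamd evaluates composites and applies removals, which this patch does not show. If the intent is that a whitelisted sender failing DMARC no longer bypasses those rules, that should be confirmed with a test message rather than assumed. The added comment would also be clearer if it named the triggers, which include an SPF symbol although the commit title mentions only DMARC, and fixed the spelling, e.g. `# Remove MAILCOW_WHITE when DMARC reject/quarantine or SPF permfail fired and the mail was not received from a forwarding host`.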
@@ -19,11 +19,8 @@ 8.20.114.31 permit 8.25.194.0/23 permit 8.25.196.0/23 permit -8.39.54.0/23 permit -8.40.222.0/23 permit 10.162.0.0/16 permit 12.130.86.238 permit -13.72.50.45 permit 13.110.208.0/21 permit 13.110.209.0/24 permit 13.110.216.0/22 permit @@ -44,6 +41,7 @@ 18.198.96.88 permit 18.208.124.128/25 permit 18.216.232.154 permit +18.235.27.253 permit 18.236.40.242 permit 18.236.56.161 permit 20.51.6.32/30 permit @@ -66,7 +64,6 @@ 20.112.250.133 permit 20.118.139.208/30 permit 20.141.10.196 permit -20.185.213.0/24 permit 20.185.214.0/27 permit 20.185.214.32/27 permit 20.185.214.64/27 permit @@ -112,13 +109,13 @@ 37.218.249.47 permit 37.218.251.62 permit 39.156.163.64/29 permit -40.71.187.0/24 permit 40.92.0.0/15 permit 40.92.0.0/16 permit 40.107.0.0/16 permit 40.112.65.63 permit 43.228.184.0/22 permit 44.206.138.57 permit +44.217.45.156 permit 44.236.56.93 permit 44.238.220.251 permit 46.19.170.16 permit @@ -181,6 +178,7 @@ 50.18.125.237 permit 50.18.126.162 permit 50.31.32.0/19 permit +50.31.36.205 permit 50.56.130.220/30 permit 52.1.14.157 permit 52.5.230.59 permit @@ -202,7 +200,6 @@ 52.96.91.34 permit 52.96.111.82 permit 52.96.172.98 permit -52.96.214.50 permit 52.96.222.194 permit 52.96.222.226 permit 52.96.223.2 permit @@ -223,10 +220,6 @@ 52.234.172.96/28 permit 52.235.253.128 permit 52.236.28.240/28 permit -52.244.206.214 permit -52.247.53.144 permit -52.250.107.196 permit -52.250.126.174 permit 54.90.148.255 permit 54.165.19.38 permit 54.172.97.247 permit @@ -331,7 +324,6 @@ 65.110.161.77 permit 65.123.29.213 permit 65.123.29.220 permit -65.154.166.0/24 permit 65.212.180.36 permit 66.102.0.0/20 permit 66.119.150.192/26 permit @@ -450,7 +442,6 @@ 69.171.232.0/24 permit 69.171.244.0/23 permit 70.37.151.128/25 permit -70.42.149.0/24 permit 70.42.149.35 permit 72.14.192.0/18 permit 72.21.192.0/19 permit 
@@ -567,7 +558,6 @@ 77.238.189.142 permit 77.238.189.146/31 permit 77.238.189.148/30 permit -81.7.169.128/25 permit 81.223.46.0/27 permit 82.165.159.2 permit 82.165.159.3 permit @@ -1257,6 +1247,7 @@ 106.10.244.0/24 permit 106.39.212.64/29 permit 106.50.16.0/28 permit +107.20.18.111 permit 107.20.210.250 permit 108.174.0.0/24 permit 108.174.0.215 permit @@ -1292,8 +1283,6 @@ 117.120.16.0/21 permit 119.42.242.52/31 permit 119.42.242.156 permit -121.244.91.48 permit -122.15.156.182 permit 123.126.78.64/29 permit 124.108.96.24/31 permit 124.108.96.28/31 permit @@ -1349,18 +1338,7 @@ 134.170.141.64/26 permit 134.170.143.0/24 permit 134.170.174.0/24 permit -135.84.80.0/24 permit -135.84.81.0/24 permit -135.84.82.0/24 permit -135.84.83.0/24 permit 135.84.216.0/22 permit -136.143.160.0/24 permit -136.143.161.0/24 permit -136.143.178.49 permit -136.143.182.0/23 permit -136.143.184.0/24 permit -136.143.188.0/24 permit -136.143.190.0/23 permit 136.147.128.0/20 permit 136.147.135.0/24 permit 136.147.176.0/20 permit @@ -1368,7 +1346,6 @@ 136.147.182.0/24 permit 136.147.224.0/20 permit 136.179.50.206 permit -138.91.172.26 permit 139.60.152.0/22 permit 139.138.35.44 permit 139.138.46.121 permit @@ -1419,6 +1396,7 @@ 150.230.98.160 permit 152.67.105.195 permit 152.69.200.236 permit +152.70.155.126 permit 155.248.208.51 permit 157.55.0.192/26 permit 157.55.1.128/26 permit @@ -1475,7 +1453,6 @@ 163.114.134.16 permit 163.114.135.16 permit 164.177.132.168/30 permit -165.173.128.0/24 permit 166.78.68.0/22 permit 166.78.68.221 permit 166.78.69.169 permit @@ -1484,6 +1461,7 @@ 167.89.0.0/17 permit 167.89.46.159 permit 167.89.54.103 permit +167.89.60.95 permit 167.89.64.9 permit 167.89.65.0 permit 167.89.65.53 permit 
@@ -1502,11 +1480,6 @@ 168.245.12.252 permit 168.245.46.9 permit 168.245.127.231 permit -169.148.129.0/24 permit -169.148.131.0/24 permit -169.148.142.10 permit -169.148.144.0/25 permit -169.148.144.10 permit 170.10.68.0/22 permit 170.10.128.0/24 permit 170.10.129.0/24 permit @@ -1661,15 +1634,7 @@ 199.16.156.0/22 permit 199.33.145.1 permit 199.33.145.32 permit -199.34.22.36 permit 199.59.148.0/22 permit -199.67.80.2 permit -199.67.80.20 permit -199.67.82.2 permit -199.67.82.20 permit -199.67.84.0/24 permit -199.67.86.0/24 permit -199.67.88.0/24 permit 199.101.161.130 permit 199.101.162.0/25 permit 199.122.120.0/21 permit @@ -1726,8 +1691,6 @@ 204.92.114.187 permit 204.92.114.203 permit 204.92.114.204/31 permit -204.141.32.0/23 permit -204.141.42.0/23 permit 204.220.160.0/20 permit 204.232.168.0/24 permit 205.139.110.0/24 permit @@ -1979,8 +1942,6 @@ 2603:1030:20e:3::23c permit 2603:1030:b:3::152 permit 2603:1030:c02:8::14 permit -2607:13c0:0001:0000:0000:0000:0000:7000/116 permit -2607:13c0:0002:0000:0000:0000:0000:1000/116 permit 2607:f8b0:4000::/36 permit 2620:109:c003:104::/64 permit 2620:109:c003:104::215 permit