WIP: At-rest encryption per user, mailing lists

Hi,

FYI: these two features are planned to be implemented over the next months. 🙂

A user’s key can be regenerated from within the UI. Admins will have _no_ access to mails of a user. We will use highly secure encryption for this. Emails will be lost whenever a key changes.

A mailing list is probably the bigger challenge. We will start to collect/brainstorm on GH and create a milestone for this.

Best
André

ACL and ';--have i been pwned?

Hi,

I would love to get some feedback on the ACL implementation. If you find bugs etc., please let us know @ GitHub.

There is some info in the docs => https://mailcow.github.io/mailcow-dockerized-docs/model-acl/ – they still need more updates.

One improvement I see is to hide the divs completely and/or deny access to the functions’ ‘get’ methods. Let us know on Freenode, #mailcow.

Thanks for the idea to integrate haveibeenpwned.com, I like it! Sorry to haveibeenpwned.com for playing with it and trying a bunch of old passwords, I hope I didn’t hammer your API too much. 🙂

For your information: Your password is never sent to their API!
We only query the API with the first 5 characters of the SHA1 hash of the current input field’s value (generated in your browser, not server-side) and check the response for matches of the full hash, which is still stored only in your browser.

André
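The lookup described above, as an added example that is not mailcow's own code: only the 5-character hash prefix is handed to the request callback, and the remaining 35 characters are compared locally against the returned list. `fetchRange` and `fakeRange` are hypothetical names, the response body and its counts are constructed, and Node's built-in SHA-1 stands in for the browser's `crypto.subtle.digest` so the example runs offline.

```javascript
const { createHash } = require('node:crypto');

// Split SHA-1(password) into the 5-char prefix that is sent and the
// 35-char suffix that never leaves the client.
function hashParts(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response body: one "SUFFIX:COUNT" entry per line.
// Malformed lines are ignored instead of being treated as matches.
function parseRange(body) {
  const entries = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m) entries.set(m[1].toUpperCase(), Number(m[2]));
  }
  return entries;
}

// Returns how often the password appears in the returned range (0 = no match).
// fetchRange (hypothetical callback) performs the HTTP request for one prefix.
function pwnedCount(password, fetchRange) {
  const { prefix, suffix } = hashParts(password);
  const body = fetchRange(prefix); // the only value that crosses the network
  return parseRange(body).get(suffix) ?? 0;
}

// Constructed stand-in for the range endpoint: it records what it was sent
// and answers with a made-up body (the counts are not real data).
const sent = [];
function fakeRange(prefix) {
  sent.push(prefix);
  const known = hashParts('password');
  const lines = ['0'.repeat(35) + ':3']; // decoy entry sharing the prefix
  if (prefix === known.prefix) lines.push(known.suffix.toLowerCase() + ':42');
  return lines.join('\r\n') + '\r\n';
}

console.log(pwnedCount('password', fakeRange), sent);
```
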

Updates and two important fixes

We just fixed SOGo theme switching again. There is a chance we did it, I promise…

Knight1 made us aware of a critical bug that led to mailcow accepting custom X-FORWARDED-FOR headers. This bug was introduced with the last update.

Important change: We disabled “any” and “all authenticated” ACL settings in Dovecot and removed the box in SOGo’s ACL editor (big thanks to the SOGo devs, please help them, buy a subscription!).
You can find information about how to re-enable it here.

We will add an easy way to enable your SOGo subscription soon.

Please don’t forget to support mailcow. 🙂

Updates!

Learning methods for Bayes and fuzzy hashes (new) changed in today’s update. I recommend running…

bash helper-scripts/reset-learns.sh

…to start over with a clean hash database.

Spam/ham is no longer auto-learned; please move mails into/out of the junk folder to train the filter or use the new spam/ham alias target.

The logging method changed slightly, some more changes will follow.

A new section “mailcow UI” was added to the logs panel. IPs are logged but anonymized by default, please see ANONYMIZE_IPS in “vars.inc.php”.
Users now see their last login.

Redis logs are now trimmed by a cronjob in “dovecot-mailcow”, that will move to “watchdog-mailcow” in the future => much less hammering.

SYSCTL_IPV6_DISABLED was removed, please see the docs about how to disable IPv6.

Sync jobs are now unlocked when the job was abruptly interrupted.
Sync jobs in mailcow UI can now contain custom parameters.
Some previously hard-coded parameters were removed!
“subscribeall”, “timeout1” and “timeout2” can now be defined in the job details.
“buffersize”, “split1”, “split2”, “fastio1”, “fastio2” were removed and can be used in custom parameters.

The SOGo theme switching bug is hopefully fixed. I will probably find a better way to fix it than using “sed” to replace the hard-coded colors.

PS: If you like, please consider supporting us. 🙂