Merge #3103 #3104
3103: Prevent SMTP smuggling (backport #3102) r=mergify[bot] a=mergify[bot]

This is an automatic backport of pull request #3102 done by [Mergify](https://mergify.com).


---


<details>
<summary>Mergify commands and options</summary>

<br />

More conditions and actions can be found in the [documentation](https://docs.mergify.com/).

You can also trigger Mergify actions by commenting on this pull request:

- `@Mergifyio refresh` will re-evaluate the rules
- `@Mergifyio rebase` will rebase this PR on its base branch
- `@Mergifyio update` will merge the base branch into this PR
- `@Mergifyio backport <destination>` will backport this PR on `<destination>` branch

Additionally, on Mergify [dashboard](https://dashboard.mergify.com) you can:

- look at your merge queues
- generate the Mergify configuration with the config editor.

Finally, you can contact us on https://mergify.com
</details>

3104: Do not block webmail when we have a valid SSO session (backport #3100) r=mergify[bot] a=mergify[bot]

This is an automatic backport of pull request #3100 done by [Mergify](https://mergify.com).


---

Co-authored-by: Florent Daigniere <[email protected]>
bors-mailu[bot] and nextgens committed Dec 22, 2023
3 parents c49c923 + cab3e29 + 258951b commit d89b454
Showing 4 changed files with 5 additions and 1 deletion.
2 changes: 1 addition & 1 deletion core/admin/mailu/internal/views/auth.py
@@ -39,7 +39,7 @@ def nginx_authentication():
is_valid_user = False
username = response.headers.get('Auth-User', None)
if response.headers.get("Auth-User-Exists") == "True":
if not is_app_token and utils.limiter.should_rate_limit_user(username, client_ip):
if not is_from_webmail and not is_app_token and utils.limiter.should_rate_limit_user(username, client_ip):
# FIXME could be done before handle_authentication()
status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
response = flask.Response()
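Review bot: the new condition on the rate-limit line skips `should_rate_limit_user` whenever `is_from_webmail` is true, but the commit title and the 3094 newsfragment describe the exemption as applying when there is a valid SSO session; nothing in the hunk ties `is_from_webmail` to a session that has actually been validated, and how `is_from_webmail` is derived is outside the visible context. If it is computed from a request header or source address that an external client could supply, every login arriving through that path is exempt from per-user rate limiting. Suggest gating on the verified SSO session instead, or at least adding a comment on the `if` stating that `is_from_webmail` can only be set for requests proxied by the webmail container, and extending the still-open `# FIXME could be done before handle_authentication()` with why the webmail exemption is safe.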
2 changes: 2 additions & 0 deletions core/postfix/conf/main.cf
@@ -25,6 +25,8 @@ podop = socketmap:unix:/tmp/podop.socket:

postscreen_upstream_proxy_protocol = haproxy
compatibility_level=3.6
# see https://www.mail-archive.com/[email protected]/msg100901.html
smtpd_forbid_unauth_pipelining=yes

# Only accept virtual emails
mydestination =
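Review bot: `smtpd_forbid_unauth_pipelining=yes` only takes effect on a Postfix release that implements the parameter; on an older build Postfix logs an unused-parameter warning at startup and the mitigation silently does nothing, so the image's Postfix version should be pinned or checked (in the running container, `postconf smtpd_forbid_unauth_pipelining` should print the value rather than a warning). The adjacent `compatibility_level=3.6` says nothing about the binary's version. The comment above the new line also only points at the mailing-list thread; a one-line description of what the knob does (reject remote client commands that violate the RFC 2920 pipelining constraints, which is how the smuggled commands in that thread are delivered) would let the next maintainer judge when the line can be dropped in favour of the upstream default.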
1 change: 1 addition & 0 deletions towncrier/newsfragments/3094.bugfix
@@ -0,0 +1 @@
Ensure we do not block logins from webmails when there is a valid SSO session
1 change: 1 addition & 0 deletions towncrier/newsfragments/3101.bugfix
@@ -0,0 +1 @@
Prevent SMTP smuggling; see https://www.mail-archive.com/[email protected]/msg100901.html
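Review bot: "Prevent SMTP smuggling" overstates what the main.cf change does, since the setting is a mitigation that is only enforced when the deployed Postfix recognises `smtpd_forbid_unauth_pipelining`; suggest wording the changelog as a mitigation and naming the minimum Postfix version it relies on, so users of older images know they are not covered.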
