545e7a52e4
Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost
2020-10-31 10:23:43 -04:00
ac9ecc3bd3
Rename tools/mail.py to management/cli.py
2020-10-29 15:41:54 -04:00
1f0e493b8c
Exclude mru_token in user key hash
2020-09-30 12:34:26 +02:00
ada2167d08
Only update mru_token for matched mfa row
2020-09-29 20:05:58 +02:00
be5032ffbe
Don't expose mru_token and secret for enabled mfas over HTTP
2020-09-29 19:46:02 +02:00
00b3a3b0a9
Remove unique key constraint on foreign key user_id in mfa table
2020-09-29 19:39:40 +02:00
6d82c0035a
Update openAPI docs
2020-09-28 21:27:24 +02:00
4dced10a3f
Fix handling of bad input when enabling mfa
2020-09-28 21:06:59 +02:00
b80f225691
Reorganize MFA front-end and add label column
2020-09-27 08:31:23 -04:00
a8ea456b49
Reorganize the MFA backend methods
2020-09-26 09:58:25 -04:00
7d6427904f
Typo
2020-09-12 16:38:44 +02:00
dcb93d071c
Add TOTP secret to user_key hash
...
thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`
2020-09-12 16:34:06 +02:00
2ea97f0643
Do not log failed login attempts for MissingToken errors
...
* Due to the way that the /login UI works, this persists at least one failed login each time a user logs into the admin panel. This in turn triggers fail2ban at some point.
2020-09-06 13:08:44 +02:00
4791c2fc62
Safeguard against empty mru_token column
...
* hmac.compare_digest() expects arguments of type string, make sure we don't pass None
* Currently, this cannot happen but we might not want to store `mru_token` during setup
2020-09-06 13:03:54 +02:00
49c333221a
Use hmac.compare_digest() to compare mru_token
2020-09-06 12:54:45 +02:00
481a333dc0
Address review feedback, thanks @hija
2020-09-04 20:28:15 +02:00
b0df35eba0
conn.close() if mru_token update can't .commit()
2020-09-03 20:39:03 +02:00
08ae3d2b7f
Rename internal validate_two_factor_secret => validate_two_factor_secret
2020-09-03 19:48:54 +02:00
7c4eb0fb70
Add sqlite migration
2020-09-03 19:39:29 +02:00
ee01eae55e
Decouple totp from users table by moving to totp_credentials table
...
* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credentials per user on db-level
2020-09-03 19:07:21 +02:00
89b301afc7
Update OpenApi docs, rename /2fa/ => /mfa/
2020-09-03 13:54:28 +02:00
ce70f44c58
Extract TOTPStrategy class to totp.py
...
* this decouples `TOTP` validation and storage logic from `auth` and moves it to `totp`
* reduce `pyotp.validate#valid_window` from `2` to `1`
2020-09-03 11:19:19 +02:00
6594e19a1f
Autofocus otp input when logging in, update layout
2020-09-02 20:30:08 +02:00
8597646a12
Update API route naming, update setup page
...
* Rename /two-factor-auth/ => /2fa/
* Nest totp routes under /2fa/totp/
* Update ids and methods in panel to allow for different setup types
2020-09-02 19:41:06 +02:00
f205c48564
Use pyotp for validating TOTP codes
...
* also implements resynchronisation support via `pyotp`'s `valid_window option
2020-09-02 19:12:15 +02:00
3c3683429b
implement two factor check during login
2020-09-02 17:23:32 +02:00
a7a66929aa
add user interface for managing 2fa
...
* update user schema with 2fa columns
2020-09-02 16:48:23 +02:00
0d72566c99
Merge v0.48 point release branch
2020-08-26 14:11:56 -04:00
62db58eaaf
v0.48
2020-08-26 14:11:01 -04:00
891de8d6c3
Upgrade Roundcube to 1.4.8
...
Merges #1809
2020-08-26 14:10:04 -04:00
62b9b1f15f
Add OpenAPI HTTP spec ( #1804 )
2020-08-22 15:44:19 -04:00
94da7bb088
status_checks.py: Properly terminate the process pools ( #1795 )
...
* Only spawn a thread pool when strictly needed
For --check-primary-hostname, the pool is not used.
When exiting, the other processes are left alive and will hang.
* Acquire pools with the 'with' statement
2020-08-09 11:42:39 -04:00
65983b8ac7
Merge v0.47 point release branch
2020-07-29 10:27:06 -04:00
56d0289ed9
v0.47
2020-07-29 10:24:56 -04:00
f253c40012
[backport] Add rate limiting of SSH in the firewall ( #1770 )
...
See #1767 . Backport of cfc8fb484c
2020-07-29 10:24:23 -04:00
4bbe4af377
Update CHANGELOG
2020-07-29 10:23:02 -04:00
2c34a6df2b
Update roundcube to 1.4.7
2020-07-29 10:15:12 -04:00
1098e2b48e
Add noindex to www_default meta tags ( #1791 )
2020-07-29 10:03:33 -04:00
c50170b816
Update "Remove Alias" modal title ( #1800 )
2020-07-29 10:01:20 -04:00
cd518e6820
Raise Dovecot per user connection limit ( #1799 )
2020-07-27 06:37:52 -04:00
967409b157
Drop requirement for passwords to have no spaces ( #1789 )
2020-07-16 07:23:11 -04:00
1b2711fc42
Add 'always' modifier to the HSTS add_header directive ( #1790 )
...
This will make it so that the HSTS header is sent regardless of the request status code (until this point it would only be sent if "the response code equals 200, 201, 206, 301, 302, 303, 307, or 308." - according to thttp://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header )
2020-07-16 07:21:14 -04:00
e6102eacfb
AXFR Transfers (for secondary DNS servers): Allow IPv6 addresses ( #1787 )
2020-07-08 18:26:47 -04:00
6fd3195275
Fix MTA-STS policy id so it does not have invalid characters, fixes #1779
2020-06-12 13:09:11 -04:00
224242dfde
Merge v0.46 point release branch
2020-06-11 12:25:49 -04:00
049bfb6f7f
v0.46
2020-06-11 12:23:18 -04:00
12d60d102b
Update Roundcube to 1.4.6
...
Fixes #1776
2020-06-11 12:21:17 -04:00
9db2fc7f05
In web proxies, add X-{Forwarded-{Host,Proto},Real-IP} and 'proxy_set_header Host' when there is a flag
...
Merges #1432 , more or less.
2020-06-11 12:20:17 -04:00
e03a6541ce
Don't make autoconfig/autodiscover subdomains and SRV records when the parent domain has no user accounts
...
These subdomains/records are for automatic configuration of mail clients, but if there are no user accounts on a domain, there is no need to publish a DNS record, provision a TLS certificate, or create an nginx server config block.
2020-06-11 12:20:17 -04:00
41642f2f59
[backport] Fix roundcube error log file path in setup script ( #1775 )
2020-06-11 12:16:53 -04:00
Joshua Tauberer
Felix Spöttel
Richard Willis
David Duque
hija
Marcus Bointon
Hilko
Faye Duxovni