Published by willbrowningme about 2 years ago
ANONADDY_VERSION environment variable for Docker image, thanks @crazy-max.
Published by willbrowningme about 2 years ago
This release migrates from Laravel Passport to Laravel Sanctum for API authentication.
Upgrading to this release will drop all Laravel Passport database tables and you will need to re-create your new Sanctum API tokens from the settings page.
After upgrading you can safely remove the following from your .env file:
PASSPORT_PERSONAL_ACCESS_CLIENT_ID=client-id-value
PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET=unhashed-client-secret-value
Published by willbrowningme over 2 years ago
Sender: header being passed through which was changing the envelope from address
If you wish to enable TLS for the local SMTP connections you can update your .env file as follows:
# The from name to be used for outgoing email notifications from AnonAddy
MAIL_FROM_NAME=Example
# The from address to be used for outgoing email notifications from AnonAddy
[email protected]
MAIL_DRIVER=smtp
MAIL_HOST=mail.example.com
MAIL_PORT=25
MAIL_ENCRYPTION=tls
MAIL_EHLO_DOMAIN=mail.example.com
MAIL_VERIFY_PEER=true
Where MAIL_EHLO_DOMAIN is the same value as your mail server's hostname.
Published by willbrowningme over 2 years ago
sudo apt install php8.1-fpm php8.1-common php8.1-mysql php8.1-dev php8.1-gmp php8.1-mbstring php8.1-dom php8.1-gd php8.1-imagick php8.1-opcache php8.1-soap php8.1-zip php8.1-cli php8.1-curl php8.1-mailparse php8.1-gnupg php8.1-redis -y
You must then update the user & group in /etc/php/8.1/fpm/pool.d/www.conf to the user that your web application is run by. In the self-hosting instructions I used a user called johndoe:
user = johndoe
group = johndoe
listen.owner = johndoe
listen.group = johndoe
Restart php8.1-fpm to reflect the changes.
sudo service php8.1-fpm restart
You will also need to update your web application's Nginx config e.g. /etc/nginx/conf.d/example.com.conf:
location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    include fastcgi_params;
}
This changes the socket from php8.0-fpm.sock to php8.1-fpm.sock. Then restart nginx:
sudo service nginx restart
Once you've done the above you can update the application by running the usual commands found at the end of the self-hosting instructions.
Published by willbrowningme over 2 years ago
additional_usernames table has been renamed usernames
users table to the usernames table
/etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf
user = anonaddy
password = your-database-password
hosts = 127.0.0.1
dbname = anonaddy_database
query = SELECT (SELECT 1 FROM usernames WHERE '%s' IN (CONCAT(username, '.example.com'))) AS usernames, (SELECT 1 FROM domains WHERE domain = '%s' AND domain_verified_at IS NOT NULL) AS domains LIMIT 1;
Notice the removal of the SELECT query for the users table and the fact that the additional_usernames table has been renamed to usernames. You can view the difference here.
check_access stored procedure (this can be updated from the command line sudo mysql -u root -p)
DELIMITER $$
USE `anonaddy_database`$$
DROP PROCEDURE IF EXISTS `check_access`$$
CREATE PROCEDURE `check_access`(alias_email VARCHAR(254) charset utf8)
BEGIN
    DECLARE no_alias_exists int(1);
    DECLARE alias_action varchar(30) charset utf8;
    DECLARE username_action varchar(30) charset utf8;
    DECLARE domain_action varchar(30) charset utf8;
    DECLARE alias_domain varchar(254) charset utf8;
    SET alias_domain = SUBSTRING_INDEX(alias_email, '@', -1);
    # We only want to carry out the checks if it is a full RCPT TO address without any + extension
    IF LOCATE('+',alias_email) = 0 THEN
        SET no_alias_exists = CASE WHEN NOT EXISTS(SELECT NULL FROM aliases WHERE email = alias_email) THEN 1 ELSE 0 END;
        # If there is an alias, check if it is deactivated or deleted
        IF NOT no_alias_exists THEN
            SET alias_action = (SELECT
                IF(deleted_at IS NULL,
                    'DISCARD',
                    'REJECT Address does not exist')
            FROM
                aliases
            WHERE
                email = alias_email
                    AND (active = 0
                    OR deleted_at IS NOT NULL));
        END IF;
        # If the alias is deactivated or deleted then increment its blocked count and return the alias_action
        IF alias_action IN('DISCARD','REJECT Address does not exist') THEN
            UPDATE
                aliases
            SET
                emails_blocked = emails_blocked + 1
            WHERE
                email = alias_email;
            SELECT alias_action;
        ELSE
            SELECT
            (
                SELECT
                    CASE
                        WHEN no_alias_exists
                        AND catch_all = 0 THEN "REJECT Address does not exist"
                        WHEN active = 0 THEN "DISCARD"
                        ELSE NULL
                    END
                FROM
                    usernames
                WHERE
                    alias_domain IN ( CONCAT(username, '.example.com')) ),
            (
                SELECT
                    CASE
                        WHEN no_alias_exists
                        AND catch_all = 0 THEN "REJECT Address does not exist"
                        WHEN active = 0 THEN "DISCARD"
                        ELSE NULL
                    END
                FROM
                    domains
                WHERE
                    domain = alias_domain) INTO username_action, domain_action;
            # If all actions are NULL then we can return 'DUNNO' which will prevent Postfix from trying substrings of the alias
            IF username_action IS NULL AND domain_action IS NULL THEN
                SELECT 'DUNNO';
            ELSEIF username_action IN('DISCARD','REJECT Address does not exist') THEN
                SELECT username_action;
            ELSE
                SELECT domain_action;
            END IF;
        END IF;
    ELSE
        # This means the alias must have a + extension so we will ignore it
        SELECT NULL;
    END IF;
END$$
DELIMITER ;
Notice again the removal of the SELECT query for the users table and that the additional_usernames table has been renamed to usernames. You can view the difference here.
Published by willbrowningme over 2 years ago
X-AnonAddy-Dmarc-Allow header added by Rspamd custom routine (see below)
If you are still running OpenDMARC / OpenDKIM and not Rspamd then this update will likely break your ability to reply/send from aliases as the above header will not be present. I recommend migrating to Rspamd if possible since it has many more features and is extremely fast.
Please update /etc/rspamd/local.d/milter_headers.conf so that it looks like this:
use = ["authentication-results", "remove-headers", "spam-header", "add_dmarc_allow_header"];
routines {
    remove-headers {
        headers {
            "X-Spam" = 0;
            "X-Spamd-Bar" = 0;
            "X-Spam-Level" = 0;
            "X-Spam-Status" = 0;
            "X-Spam-Flag" = 0;
        }
    }
    authentication-results {
        header = "X-AnonAddy-Authentication-Results";
        remove = 0;
    }
    spam-header {
        header = "X-AnonAddy-Spam";
        value = "Yes";
        remove = 0;
    }
}
custom {
    add_dmarc_allow_header = <<EOD
return function(task, common_meta)
    if task:has_symbol('DMARC_POLICY_ALLOW') then
        return nil,
        {['X-AnonAddy-Dmarc-Allow'] = 'Yes'},
        {['X-AnonAddy-Dmarc-Allow'] = 0},
        {}
    end
    return nil,
    {},
    {['X-AnonAddy-Dmarc-Allow'] = 0},
    {}
end
EOD;
}
The custom routine we've created, add_dmarc_allow_header, will simply add a header to messages that have the DMARC_POLICY_ALLOW symbol present in Rspamd. We will use this to only allow replies / sends from aliases that are explicitly permitted by their DMARC policy, in order to prevent anyone spoofing any of your recipient's email addresses.
The previous check just for the X-AnonAddy-Spam header was not enough since many major email providers, such as Gmail and Hotmail, have a DMARC policy of p=none. This means there is a chance your recipient address could be spoofed.
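The difference between the two checks, as an added example that is not AnonAddy or Rspamd code: a simplified Python model of the header handling described above, covering only the DMARC outcome. The function names and the sample message are constructed for illustration.

```python
# Added illustration: a simplified model, not AnonAddy or Rspamd code.
from email import message_from_string

ALLOW = "X-AnonAddy-Dmarc-Allow"
SPAM = "X-AnonAddy-Spam"

def milter_stage(raw, dmarc_result, policy):
    """Model the header rewriting for one inbound message.

    dmarc_result: "pass" or "fail"; policy: "none", "quarantine" or "reject".
    Returns the rewritten message, or None if the message is rejected.
    """
    msg = message_from_string(raw)
    # Both branches of the custom routine list the allow header for removal
    # (third return value), so a copy supplied by the sender never survives.
    del msg[ALLOW]
    if dmarc_result == "pass":
        msg[ALLOW] = "Yes"      # DMARC_POLICY_ALLOW symbol present
    elif policy == "reject":
        return None             # dmarc.conf: reject = "reject"
    elif policy == "quarantine":
        msg[SPAM] = "Yes"       # dmarc.conf: quarantine = "add_header"
    # fail with p=none: no action is taken, so no spam header is added
    return msg

def old_check(msg):
    """Previous rule: accept unless the spam header is present."""
    return msg is not None and msg[SPAM] is None

def new_check(msg):
    """Current rule: accept only with an explicit DMARC allow header."""
    return msg is not None and msg[ALLOW] == "Yes"

# Constructed sample: a reply that claims a recipient's address and carries
# its own copy of the allow header.
FORGED = (
    "From: recipient@example.net\n"
    "To: alias@example.com\n"
    "X-AnonAddy-Dmarc-Allow: Yes\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
```

With a p=none sender domain, a message that fails DMARC passes `old_check` but not `new_check`, which is the gap the new header closes.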
Published by willbrowningme over 2 years ago
X-AnonAddy-Original-Reply-To-Header header on forwarded emails - the original unaltered Reply-To: header
Sender header on forwarded emails - the original unaltered Sender: header
app/Rules/VerifiedRecipientId.php
Published by willbrowningme over 2 years ago
X-AnonAddy-Authentication-Results - this gives information on SPF, DKIM and DMARC checks for the original message.
X-AnonAddy-Original-Envelope-From - the original envelope from address.
X-AnonAddy-Original-From-Header - the original unaltered From: header.
From: header (if available) for verification on replies/sends from aliases
Now let's set up the handling of DMARC for incoming messages. Create a new file /etc/rspamd/local.d/dmarc.conf and enter the following inside:
actions = {
    quarantine = "add_header";
    reject = "reject";
}
Here we are telling Rspamd to add a header to any message that fails DMARC checks and has a policy of p=quarantine and to reject any message that fails DMARC checks with a policy p=reject. You can change reject to "add_header"; too if you would still like to see these messages.
Next we'll configure the headers to add. Create a new file /etc/rspamd/local.d/milter_headers.conf and enter the following inside:
use = ["authentication-results", "remove-headers", "spam-header"];
routines {
    remove-headers {
        headers {
            "X-Spam" = 0;
            "X-Spamd-Bar" = 0;
            "X-Spam-Level" = 0;
            "X-Spam-Status" = 0;
            "X-Spam-Flag" = 0;
        }
    }
    authentication-results {
        header = "X-AnonAddy-Authentication-Results";
        remove = 0;
    }
    spam-header {
        header = "X-AnonAddy-Spam";
        value = "Yes";
        remove = 0;
    }
}
The authentication results header will give information on whether the message passed SPF, DKIM and DMARC checks and the spam header will be added if it fails any of these.
Published by willbrowningme almost 3 years ago