# Postfix Admin # # LICENSE # This source file is subject to the GPL license that is bundled with # this package in the file LICENSE.TXT. # # Further details on the project are available at http://postfixadmin.sf.net # # Last update: # $Id$ Version 3.0.2 - 2017/02/08 - SVN r1895 ------------------------------------------------- - SECURITY: don't allow to delete protected aliases (CVE-2017-5930, PR#23) - fix VacationHandler for PostgreSQL - AliasHandler: restrict mailbox subquery to allowed and specified domains to improve performance on setups with lots of mailboxes - allow switching between dovecot:* password schemes while still accepting passwords hashed using the previous dovecot:* scheme - FetchmailHandler: use a valid date as default for 'date' - fix date formatting in non-english languages when using PostgreSQL - debian packaging: improve dependencies, remove old templates_c/ files - various small fixes Version 3.0.1 - 2016/09/19 - SVN r1870 ------------------------------------------------- - add missing Smarty files to Debian package (no changes to PostfixAdmin, therefore only released as Debian packages) Version 3.0 - 2016/09/11 - SVN r1861 ------------------------------------------------- - add sqlite backend option - add configurable smtp helo (CONF["smtp_client"]) - new translation: ro (Romanian) - language update: tw, cs, de - fix escaping in gen_show_status() (could be used to DOS list-virtual by creating a mail address with special chars) - add CSRF protection for POST requests - list.tpl: base edit/editactive/delete links in list.tpl on $RAW_item to avoid double escaping, and fix some corner cases - editform.tpl: add {if} block for description column for easier customization - use smarty html_options instead of select_options() - remove advice about using SetEnv for database password - include_once(config.local.php) instead of include()ing it to prevent include loops if someone copies config.inc.php to config.local.php - vacation.pl: encode wide-chars utf8 in mail body, mime-decode original subject - fix db_quota_text() for postgresql (concat() vs. ||) - change default date for 'created' and 'updated' columns from 0000-00-00 (which causes problems with MySQL strict mode) to 2000-01-01 - allow punicode even in TLDs - update Smarty to 3.1.29 - add checks to login.php and cli to ensure database layout is up to date - whitelist '-1' as valid value for postfixadmin-cli - don't stripslashes() the password in pacrypt - various small bugfixes Version 3.0 beta3 (2.93) - 2015/09/26 - SVN r1802 ------------------------------------------------- Summary of major changes: - add list.php and list.tpl for displaying lists - based on *Handler $struct, which means list view can now be customized with $CONF[*_struct_hook] functions (columns with display_in_list and non-empty label will be displayed) - add CSV export - replaces list-domain.php, list-admin.php and fetchmail.php (including their *.tpl files) and the alias and alias domain lists in list-virtual - improved / more detailed search support by using URL parameters (list.php?search[field]=value, optionally also ?searchmode[field]=< - no pretty search form yet, limited to fields the user/admin can access) - only display search input box if search fields are specified in *handler (that effectively means no search box for admin, domain and fetchmail listings) - can also be used for users (non-admins) - add FetchmailHandler (replaces fetchmail.php and its template), which also means postfixadmin-cli can configure fetchmail jobs now - add $CONF['fetchmail_struct_hook'] - remove unused $CONF['users_domain_controle'] PFAHandler: - new field types: - enma - associative array (value => displayed value), must be specified in the "options" column - html - raw HTML, used for mailbox status markers which include HTML tags - b64p - passwords stored as base64, used by FetchmailHandler - vtxt, vnum - "virtual", read-only text/integer - quot - formatted quota ("5/10", read-only) - automatically skip quot, vtxt and vnum fields in store() - add handling of users (non-admins), including permission checks - add and use $this->label_field and $this->label for nicer messages - add $this->order_by to allow ordering by any field(s) - add getMsg() function (needed by list.php) - add $msg['can_create'] (true by default, false will hide the 'create' button) - add $is_superadmin to make admin vs. superadmin easier to handle - add $can_edit and $can_delete (only available in edit/delete mode, set by init() based on the '_can_edit' and '_can_delete' from database query) - add $searchfields[] (list of fields to search by default, $search[_]) - add $this->msg['show_simple_search'] (true if $searchfields is non-empty) - split off build_select_query() (also used for pagebrowser) from read_from_db() and add support for $search['_'] (searching in $searchfields[]) - read_from_db(), getList(): add $searchmode parameter (_before_ $limit and $offset!) to be able to use query different query modes, not only "=" - add getPagebrowser() (returns an array of pagebrowser keys) AdminHandler: - switch to using list.php (replaces list-admin.php) DomainHandler: - reduce required permissions to 'admin', restrict write operations to superadmins - add optical quota indicators for aliases, mailboxes and domain quota - fix counting of aliases for domains without any mailbox - use list.php for displaying domain list (replaces list-domain.php) MailboxHandler: - check_quota(): deny creating an unlimited mailbox if domain quota is set - storemore(): store maildir in the correct variable to fix running mailbox_postedit script (bug#342) AliasHandler: - read_from_db_postprocess(): disable _can_edit and _can_delete for default aliases if special_alias_control is off and not superadmin - add 'status' column, move gen_show_status handling for aliases from list-virtual into AliasHandler db_read_from_db_potprocess() - change getList() to work with empty $condition - add getPagebrowser() to filter out mailboxes edit.php: - Newer PHP versions (noticed with 5.6.6) don't include empty fields in $_POST, which broke changing a field to empty. Make sure all !isset() fields are set to ''. - for not-set bool values, set $values instead of the (wrong) $inp_values - add user (non-admin) mode delete.php: - allow users (non-admins) to use delete.php (not used in PostfixAdmin yet) list-virtual: - use AliasHandler, AliasdomainHandler and list.tpl for aliases and alias domains (the mailbox list still uses the old code) - replace $alias_pagebrowser_query and the create_page_browser() call with $handler->getPagebrowser() - adjust search to use ?search[_]=... - drop $check_alias_owner variable and check_alias_owner() call (replaced by the code added in AliasHandler) misc: - translation updates: cs (patch#126), pl (by marcin-github), sv (patch#128) - add CliScheme.php to display the database scheme (for usage in upgrade.php) - error_log() a warning if nameserver queries in check_domain() take more than 2 seconds in total - add functions db_quota_text() and db_quota_percent() to generate SQL queries for used quota ("x/y" and percentage) - pacol(): replace $not_in_db with $multiopt - the remaining parameters can be specified as associative array (backwards-compatible). Also add $linkto parameter - db_where_clause(): add $additional_raw_where and $searchmode parameters, split query into WHERE and HAVING - delete no longer used check_alias_owner() function - display "view log" menu entry only if logging is enabled (patch#127) - smarty.inc.php assign(): additionally provide the unsanitized values as RAW_$key - setup.php: after creating a superadmin, display a note that the setup is done and it's possible to login now - setup.php: stop relying on subversion keyword for database upgrades - explictly set session_cache_limiter to nocache (bug#347) - fetchmail.pl: honor the (newly added) active column - change fetchmail.date field to date (no auto-update) (bug#351) - several small changes and fixes at various places - too many to list them here Version 3.0 beta2 (2.92) - 2014/10/28 - SVN r1706 ------------------------------------------------- - AliasHandler: don't clean goto field when making alias inactive (bug#316) - list-virtual: display quota even if $CONF[used_quotas] == NO (bug#307) - vacation.pl: fix postgresql queries in vacation.pl (bug#315) - fix query in AliasHandler getList() which caused an empty list and breaks deletion of aliases in MariaDB (bug#313, bug#325) - fetchmail.pl: fix ssl extra options (cert check, cert path, fingerprint) - fix logging (run setup.php to fix old log entries) (bug#317) - fetchmail.php: change error_reporting() to exclude E_NOTICE (bug#322) - translation updates: fr (patch#123), nl (patch#122) - $CONF[default_aliases] can now use the new domain as alias target (patch#124) - check that vacation start/end date are not in the past (patch#122) - update vacation INSTALL.TXT with more secure locations - update Smarty to 3.1.21 Version 3.0 beta1 (2.91) - 2014/05/06 - SVN r1670 ------------------------------------------------- Summary of major changes: - new command-line interface "postfixadmin-cli" - major rewrite: - move lots of code into *Handler classes, which are used by web and command-line interface - replace various edit-*.php and create-*.php with a generic editform (edit.php/editform.tpl) - this also means it's easy to customize forms, add fields etc. (see $CONF['*_struct_hook']) - lots of code cleanup, remove/merge lots of duplicated code and templates - use smarty for templates - add ability to choose activation date, end date and reply interval for vacation message - various enhancements everywhere - redesign login page, list and edit pages (goodbye, green!) and make them wider - several new config options and changed defaults - NOTE: changes from the 2.3.x releases also apply to this version new config options: - $CONF['language_hook'] Hook function to override or add translations to $PALANG. Example hook function included (commented out). - $CONF['password_validation'] - array with regular expressions to check if a password is valid/good enough. The default configuration enforces: - minimum length 5 characters/digits/whatever - at least 2 characters - at least 2 digits - $CONF['*_struct_hook'] - make $struct in the *Handler classes customizeable - $CONF['vacation_choice_of_reply'] - list of reply interval options - $CONF['domain_quota'] - total quota per domain - $CONF['theme_custom_css'] - to add some custom CSS without editing the default CSS file - $CONF['motd_*'] - replaces motd*.txt changed config defaults (with their new default value): - $CONF['database_type'] = 'mysqli'; - $CONF['dovecotpw'] = "/usr/sbin/doveadm pw"; $CONF['new_quota_table'] = 'YES'; (for dovecot 2) - $CONF['domain_path'] = 'YES'; $CONF['domain_in_mailbox'] = 'NO'; (results in domain.tld/username/ maildirs) - $CONF['alias_control'] = 'YES'; $CONF['alias_control_admin'] = 'YES'; - $CONF['backup'] = 'NO'; - $CONF['show_status']='YES'; $CONF['show_status_key']='YES'; $CONF['show_undeliverable']='YES'; $CONF['show_popimap']='YES'; $CONF['show_undeliverable_exceptions'] - "gmail.com" removed - $CONF[*_post*_script] - add empty defaults - $CONF['admin_email'] = '' IMPORTANT: If set, this will be used as mail sender for all mails (2.3.x used the currently logged in admin's username in most cases). $CONF['admin_email'] = '' will match the 2.3.x behaviour. removed config options: - $CONF['min_password_length'] - now handled in /.{5}/ in $CONF['password_validation'] - $CONF['postfix_admin_url'] - relative paths are now used everywhere list-virtual.php: - display percentage of quota usage - display alias domains less confusing (using From/To) - list-virtual can now display only mailboxes, only aliases or only alias domains - or all in one page as in 2.3 - extreme speedup of page browser in list-virtual if a large number of mailboxes or aliases exist - include search support (replaces search.php and brings various bug fixes for free) - fix: delivery to mailbox with a recipient delimiter (mailbox+foo@domain) was marked as "forward only" - fix: don't mark mailboxes with vacation active as undeliverable - fix: undeliverable targets were not flagged if another target pointed to a domain in $CONF[show_undeliverable_exceptions] fetchmail.php, fetchmail.pl: - add sslcertck, sslcertpath, sslfingerprint fields/check (sslcertpath and sslfingerprint require $CONF[fetchmail_extra_options] because they don't have input validation) functions.inc.php - allowed_quota: if $CONF[quota] == NO, just return 0 (unlimited) - authentification_get_username() - honor POSTFIXADMIN_SETUP to avoid a redirect to login.php after creating an admin with setup.php and to get "SETUP.PHP" for db_log() - check_domain(), check_email(): instead of calling flash_error(), return string with error message - or empty string if everything is ok - check_email(): - replace $CONF[vacation_domain] only at the end of the mail address - don't trim() mail address to avoid that aliases starting with a space are allowed. This fixes http://sourceforge.net/p/postfixadmin/bugs/210/ - check_language(): remove things like ";q=0.8" before checking if a language exists - check_owner(): - escape_string() $username and $domain to prevent SQL injections - db_pgsql() - new function to replace lots of "if ($CONF[database_type] == 'pgsql')) checks - db_delete(): allow to specify additional conditions for the WHERE clause - db_get_boolean(): allow 0 and 1 as parameters, not only boolean true/false - db_log(): - allow log actions create_admin and edit_admin - add edit_admin_state and delete_admin as comment/reminder that they should also be logged - db_query(): error_log() failed query - db_where_clause($condition, $struct) - new function to create a WHERE clause (bool values are converted with db_get_boolean() based on $struct) - _flash_string(): - also accept an array of messages, not only a string - html-escape messages to fix XSS if the message contains user-supplied input - generate_password(): make generated password always 8 chars long (instead of $CONF['min_password_length']) - get_domain_properties(): use DomainHandler (function result mostly unchanged, only difference: instead of quota_sum in bytes it now returns total_quota in MB) - list_domains_for_admin(): - rewrite to work for superadmins also (will list all domains now instead of "ALL"), which means we can drop the admin vs. superadmin check at various places - pacrypt(): - no longer escape_string() the result. This fixes http://sourceforge.net/p/postfixadmin/bugs/218/ - for 'system' encryption, use full hashed password as salt https://sourceforge.net/p/postfixadmin/bugs/2/ - dovecot:*: - add support for dovecot *-CRYPT passwords (needs dovecot >= 2.1) - allow "." in dovecot method (to allow a suffix like ".b64") - Also, the {METHOD} part is no longer removed (passwords without {METHOD} still work) - remove_from_array() - new function - safesession() - new function (like safeget(), but for $_SESSION) - smtp_mail(): error_log() the error message if fsockopen() fails - table_by_key() now always prepends $CONF['database_prefix'] NOTE: If you have/had an incomplete database_tables array and use $CONF['database_prefix'], you might need to rename the affected tables manually (add the database_prefix in their name). - moved several functions to the *Handler classes - deleted no longer used functions: - admin_exist() - authentication_is_admin() - authentication_is_user() - boolconf() (moved to Config::bool()) - check_string() - create_admin() - check_alias() (moved to AliasHandler->create_allowed()) - db_boolean_to_int() - domain_exist() - get_admin_properties() - get_mailbox_properties() - get rid of global $table_* variables, use table_by_key() instead PFAHandler.php: - parent class for all *Handler classes - contains code shared between all classes AdminHandler.php: - Handler class for admins - for now, set the superadmin column and add "ALL" in domain_admins to keep the database backwards-compatible with 2.3.x AdminpasswordHandler.php: - used for the "change password" form for admins DomainHandler.php - handler class for domains - delete(): do not allow to delete a domain if it is an alias domain target AliasdomainHandler.php: - handler class for alias domains - alias domains can now be edited AliasHandler.php: - rewrite based on PFAHandler - we even get a "deliver to local mailbox" checkbox :-) - only allow @domain as target if $this->id is a catchall - remove deprecated functions: - get() - hasStoreAndForward() - update() - is_mailbox_alias() - is_vacation_address() - hasAliasRecord() MailboxHandler (previously named UserHandler in 2.3): - rewrite based on PFAHandler - drop old __construct(), view() and change_pass() - replace check of old password in change_pw() with $this->login - delete(): also cleanup fetchmail, quota and quota2 tables - always check password with validate_password() - always display correct available quota (using allowed_quota()) - do not escape the password coming from $_POST. Fixes http://sourceforge.net/p/postfixadmin/bugs/218/ VacationHandler: - rewrite based on PFAHandler (not useable yet) - add ability to choose activation date, end date and reply interval for vacation message - http://sourceforge.net/p/postfixadmin/patches/111/ vacation.pl: - allow to use original subject in vacation reply subject ("Re: $SUBJECT") http://sourceforge.net/p/postfixadmin/patches/117/ - encode subject - https://sourceforge.net/p/postfixadmin/bugs/272/ , https://sourceforge.net/p/postfixadmin/patches/119/ - add a friendly from address to vacation messages ($friendly_from) - make error handling if we cannot send the reply more robust - add $smtp_client config option to specify the helo name - added custom noreply detection ($noreply_pattern, $custom_noreply_pattern) Config.php - new class to store $CONF - also used to store $PALANG texts (Config::Lang()) - contains functions to read config entries in various ways (bool etc.) edit.php - generic edit page for everything (admins, domains, mailboxes, aliases, ...) - use ?table= parameter to decide what will be edited (basically $tableHandler) - read handler-specific configuration from $handler->webformConfig() and use it at various places - always redirect to edit.php?table=$table after adding an item to ensure correct initialization for next item - call $handler->mergeId if $id_field is editable, but not displayed in form (usecase: merge localpart + domain to address) - set $form_fields and $id_field later (after $hander->init()) - needed for AliasHandler to decide if goto_mailbox should be displayed - only set $values if a field is editable and displayed in the form editform.tpl: - generic edit form template, uses $struct to render the form - implement handling of 'list' fields (