parent
881d4497ce
commit
33a59cd8ef
2 changed files with 60 additions and 0 deletions
|
@ -10,6 +10,7 @@ To upgrade replace the `stalwart-mail` binary and then upgrade to the latest web
|
||||||
- AI-powered Spam filtering and Sieve scripting (Enterprise feature).
|
- AI-powered Spam filtering and Sieve scripting (Enterprise feature).
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
- The untrusted Sieve interpreter now has the `vnd.stalwart.expressions` extension enabled by default. This allows Sieve users to use the `eval` function to evaluate expressions in their scripts. If you would like to disable this extension, you can do so by adding `vnd.stalwart.expressions` to `sieve.untrusted.disabled-capabilities`.
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- S3-compatible backends: Retry on `5xx` errors.
|
- S3-compatible backends: Retry on `5xx` errors.
|
||||||
|
|
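--- /dev/null
+++ b/resources/apparmor.d/stalwart-mail
@@ -0,0 +1,59 @@
+#include <tunables/global>
+
+profile stalwart-mail flags=(attach_disconnected) {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/openssl>
+
+# Allow network access
+network inet stream,
+network inet6 stream,
+network inet dgram,
+network inet6 dgram,
+
+# Outgoing access to port 25 and 443
+network tcp,
+network udp,
+owner /proc/*/net/if_inet6 r,
+owner /proc/*/net/ipv6_route r,
+
+# Full write access to /opt/stalwart-mail
+/opt/stalwart-mail/** rwk,
+
+# Allow creating directories under /tmp
+/tmp/ r,
+/tmp/** rwk,
+
+# Allow binding to specific ports
+network inet stream bind port 25,
+network inet stream bind port 587,
+network inet stream bind port 465,
+network inet stream bind port 143,
+network inet stream bind port 993,
+network inet stream bind port 110,
+network inet stream bind port 995,
+network inet stream bind port 4190,
+network inet stream bind port 443,
+network inet stream bind port 8080,
+network inet6 stream bind port 25,
+network inet6 stream bind port 587,
+network inet6 stream bind port 465,
+network inet6 stream bind port 143,
+network inet6 stream bind port 993,
+network inet6 stream bind port 110,
+network inet6 stream bind port 995,
+network inet6 stream bind port 4190,
+network inet6 stream bind port 443,
+network inet6 stream bind port 8080,
+
+# Allow UDP port 7911
+network inet dgram bind port 7911,
+network inet6 dgram bind port 7911,
+
+# Basic system access
+/usr/bin/stalwart-mail rix,
+/etc/stalwart-mail/** r,
+/var/log/stalwart-mail/** w,
+
+# Additional permissions might be needed depending on specific requirements
+}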
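Review bot: The unqualified `network inet stream,`, `network inet6 stream,`, `network inet dgram,` and `network inet6 dgram,` rules, together with `network tcp,` and `network udp,`, already permit every TCP and UDP operation, so the twenty-two `bind port` lines further down restrict nothing, because allow rules in a profile are additive. The comment `# Outgoing access to port 25 and 443` overstates the confinement, since neither rule under it names a port; I would reword it to `# All TCP and UDP traffic, any port (not limited to 25/443)`, or drop the blanket rules if the port-qualified ones are meant to be the policy. Whether the targeted apparmor_parser accepts port conditions written this way should be verified before relying on them. Separately, `/tmp/** rwk,` lets the daemon reach any file under /tmp that ordinary file permissions allow, which a dedicated temporary directory for the service would avoid.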