Add two sieve scripts for spam/ham learning. When the user moves a mail
from anywhere to junk, or from junk to anywhere (except for trash) the
mail is piped into the respective rspamc learn_spam/learn_ham command.
The rspamc command is run as the mail user and the command requires that
the user can connect to localhost:11334. Because of that, add the mail
user to the allowed users that can access protected services.
The sievec compilation of the new scripts requre the dovecot-antispam
package, so install it and increment the email version number.
Closes: #2487
Imroves: #56
Tests done:
1. Apply the patches on an existing install
2. Confirm the firewall and the email app get updated
3. Move a mail from inbox to junk and confirm that rspamd statistics for
"Learned" mails increment by one.
4. Move back the mail from junk to inbox and confirm the number
increments again.
5. Move the mail to trash and confirm the script doesn't execute.
6. Repeat steps 3-5 with mail_debug = yes in /etc/dovecot/dovecot.conf
and confirm the script esxecution further by reading the debug logs.
[Sunil]
- Split the configuration file 90-freedombox-sieve.conf into
90-freedombox-imap.conf and merge the remaining with 95-freedombox-sieve.conf.
- These changes do not need dovecot-anitspam package. Remove it from packages
list for the app.
Signed-off-by: Benedek Nagy <contact@nbenedek.me>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Create new policy that allows forwarding between zones.
See: https://bugzilla.redhat.com/show_bug.cgi?id=2016864#c8
- Increment version to perform setup on upgrade.
Closes: #2355
Tests:
- Build freedombox package, and install on top of Bookworm VM The
firewall setup is performed. firewall-cmd lists the fbx_int_to_ext_fwd
policy, masquerade on external zone, and forward on internal zone.
Not tested:
- I did not test forwarding traffic from external to internal zone.
However, several users have reported following these instructions on
the forum, and that it solved the issue for them.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Minor refactors for readability]
[sunil: Ensure that operation is idempotent]
[sunil: Reload instead of restarting firewalld]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Helps: #2410.
- Ensure that diagnostics methods and parameters are type checked so that we can
catch any potential issues.
- Move plinth/modules/diagnostics/check.py to plinth/diagnostic_check.py to
avoid many circular dependencies created. This is due to
plinth.modules.diagnostics automatically imported when
plinth.modules.diagnostics.check is imported. Also app.py is already (type)
dependent on diagnostic_check due to diagnose() method. To make the Check
classes independent of diagnostic module is okay.
Tests:
- Run make check-type.
- Run full diagnostics with following apps installed: torproxy, tor.
- Test to netcat to 9051 in tor works.
- Test 'port available for internal/external networks' in firewall works.
- Test 'Package is latest' works.
- Test 'Access url with proxy' in privoxy works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
[jvalleroy: Also move tests for diagnostic_check]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Check that there are at least 12 direct passthroughs.
Tests:
- The diagnostic is passed.
- Manually remove a direct passthrough. The diagnostic is failed.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tests:
- Change the backend to iptables, and restart firewalld. The diagnostic
is failed.
- Change the backend back to nftables, and restart firewalld. The
diagnostic is passed.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Use augeas transform operation]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tests:
- Change the firewalld default zone to public, and restart firewalld.
The diagnostic is failed.
- Change the default zone back to external, and restart firewalld. The
diagnostic is passed.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tests:
- On a fresh container, run FreedomBox service. Notice that firewall app setup
succeeds. Base setup rules are inserted into the nftables as checked with 'nft
list ruleset ip' and 'nft list ruleset ipv6'.
- When firewalld is restarted or reloaded, the rules are still present.
- When machine is restarted, the rules are still present.
- Without the patch, setup a container. Then apply patches and restart
FreedomBox service. App setup runs again however, duplicate rules are listed in
nftables as checked with 'nft list ruleset ip' and 'nft list ruleset ipv6'.
- Increment setup version of the firewall app manually and repeat the test.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- If a daemon is not-running, we already show an error message to the user. Use
that mechanism instead of the custom one.
Tests:
- Functional tests work.
- Initial setup for firewall on first boot works.
- Default zone of the firewalld is set to external in /etc/firewalld.conf
- Status of various apps is shown properly in the app page
- If firewalld is not running, the app page is still displayed properly and
message that firewalld is not running is shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
