Add runtime table self-healing for catch-all/plus/pattern email features and make upgrade SQL idempotent on existing latin1 installations by avoiding failing FK creation while preserving forwarding compatibility.
Integrates webmail and emailDelivery apps, mail-server and install/upgrade
paths, cyberpanel_ols 2.7.0-style binaries, and v2.4.5 UI patterns while
preserving v2.5.5-dev behavior (SnappyMail/PUBLIC_ROOT, childPath in
launchChild, hardened downloads and SSH activity modal).
- Fix command injection in relay config: use shlex.quote() on all
subprocess arguments passed to mailUtilities.py
- Fix XSS in email reply/forward: html.escape() on From/To/Date/Subject
headers before embedding in quoted HTML
- Fix attachment filename traversal: use os.path.basename() and strip
null bytes from attachment filenames
- Fix Sieve script name injection: sanitize names to alphanumeric chars
- Fix SSRF in image proxy: resolve hostname to IP and check against
ipaddress.is_private/is_loopback/is_link_local/is_reserved
- Remove internal error details from user-facing responses
- Update Access Webmail link from /snappymail/ to /webmail/
- Added new model `CatchAllEmail` to store catch-all email configurations per domain.
- Implemented views for fetching, saving, and deleting catch-all email configurations, enhancing email management capabilities.
- Updated URL routing to include endpoints for catch-all email operations.
- Enhanced error handling and permission checks for email forwarding actions.
These changes improve the flexibility and user experience of email management within CyberPanel.
Features:
- Catch-All Email: Forward unmatched emails for a domain to a single address
- Plus-Addressing: Enable user+tag@domain.com delivery with configurable delimiter
- Pattern Forwarding: Wildcard and regex-based email forwarding rules
Implementation:
- New database models: CatchAllEmail, EmailServerSettings, PlusAddressingOverride, PatternForwarding
- New UI pages with AngularJS controllers
- Backend methods in mailserverManager.py with ACL permission checks
- Auto-generates /etc/postfix/virtual_regexp for pattern rules
- Menu items added under Email section
- Changed PHP symlink from version 8.0 to 8.3 in various scripts to ensure compatibility with the latest PHP version.
- Updated documentation links in the FAQ to point to the new community support page.
- Added checks and fixes for MariaDB installation issues specific to AlmaLinux 9.
- Enhanced the installation script to support additional PHP versions and improve overall installation reliability.
- Introduced a new `cosmetic_context` processor to provide custom CSS data to templates.
- Updated `settings.py` to include the new context processor.
- Modified multiple HTML templates to utilize the `cosmetic` variable for dynamic CSS styling.
- Enhanced user interface elements with improved styling and accessibility features, including ARIA labels for form controls.
- Updated multiple HTML templates to include rel="noopener" on links that open in a new tab, improving security by preventing potential reverse tabnabbing attacks.
- This change affects various templates across the backup, base, file manager, mail server, and website functions sections.
