- Fix command injection in relay config: use shlex.quote() on all
subprocess arguments passed to mailUtilities.py
- Fix XSS in email reply/forward: html.escape() on From/To/Date/Subject
headers before embedding in quoted HTML
- Fix attachment filename traversal: use os.path.basename() and strip
null bytes from attachment filenames
- Fix Sieve script name injection: sanitize names to alphanumeric chars
- Fix SSRF in image proxy: resolve hostname to IP and check against
ipaddress.is_private/is_loopback/is_link_local/is_reserved
- Remove internal error details from user-facing responses
- Update Access Webmail link from /snappymail/ to /webmail/
The page was missing sidebar menu, ACL data, and cosmetic config because
home() used Django's plain render() instead of httpProc.render() which
loads all context data needed by the base template.
Install setupWebmail() now creates /etc/cyberpanel dir if missing,
patches dovecot.conf with master passdb block if absent, and skips
gracefully when already configured. Prevents webmail auth failures
on fresh installs where the directory didn't exist yet.
Also adds cybermail_accounts and cybermail_domains CREATE TABLE
statements to upgrade.py applyLoginSystemMigrations() for the
emailDelivery app on existing installs.
On Ubuntu, the install creates /etc/pki/dovecot/ directories but never
populates them with certs. Postfix main.cf references these paths for
STARTTLS. Without them, inbound STARTTLS fails and external mail servers
(Gmail etc.) drop the connection, preventing mail delivery.
Security fixes:
- Escape plain text body to prevent XSS via trustAsHtml
- Add SSRF protection to image proxy (block private IPs, require auth)
- Sanitize Content-Disposition filename to prevent header injection
- Escape Sieve script values to prevent script injection
- Escape IMAP search query to prevent search injection
Install/upgrade fixes:
- Move setupWebmail() call to after Dovecot is installed (was running
before doveadm existed, silently failing on every fresh install)
- Make setupWebmail() a static method callable from install.py
- Fix upgrade idempotency: always run dovecot.conf patching and
migrations even if webmail.conf already exists (partial failure recovery)
Frontend fixes:
- Fix search being a no-op (was ignoring results and just reloading)
- Fix loading spinner stuck forever on API errors (add errback)
- Fix unread count decrementing on already-read messages
- Fix draft auto-save timer leak when navigating away from compose
- Fix composeToContact missing signature and auto-save
- Fix null subject crash in reply/forward
- Clear stale data when switching accounts
- Fix attachment part_id mismatch between parser and downloader
Backend fixes:
- Fix Sieve _read_response infinite loop on connection drop
- Add login check to apiSaveDraft
- Fix apiSSO() resetting selected account to first one on every call,
now preserves previously selected account if still valid
- Fix webmail.conf ownership to use cyberpanel:cyberpanel (Django runs
as cyberpanel user, not nobody)
- Add error notifications when SSO or folder loading fails
Adds master passdb config to dovecot.conf templates, setupWebmail() to
the installer and upgrade paths to generate credentials and create
/etc/dovecot/master-users and /etc/cyberpanel/webmail.conf automatically.
The upgrade path is idempotent and patches existing dovecot.conf if needed.
- Use correct Dovecot namespace (separator='.', prefix='INBOX.'):
folders are INBOX.Sent, INBOX.Drafts, INBOX.Deleted Items, etc.
- Quote IMAP folder names with spaces (e.g. "INBOX.Deleted Items")
- Add display_name and folder_type to folder list API response
- Fix SMTP for SSO: use local relay on port 25 (permit_mynetworks)
since Dovecot has no auth_master_user_separator for port 587
- Fix Sieve SASL PLAIN auth to use clean RFC 4616 format
- Handle ManageSieve unavailability gracefully with helpful logging
- Update frontend to show clean folder names and correct icons
- Auto-prefix new folder names with INBOX. namespace
Replace SnappyMail link with a custom Django webmail app that provides:
- Full IMAP/SMTP integration (Dovecot + Postfix) with master user SSO
- 3-column responsive UI matching CyberPanel design system
- Compose with rich text editor, attachments, reply/forward
- Contact management with auto-collect from sent messages
- Sieve mail filter rules with ManageSieve protocol support
- Standalone login page for direct webmail access
- Account switcher for admins managing multiple email accounts
- HTML email sanitization (whitelist-based, external image proxy)
- Draft auto-save and per-user settings
Rebuilt module fixes NULL pointer dereference in apply_headers() when
OLS generates error responses (4xx/5xx). The get_req_var_by_id() call
for DOC_ROOT crashed because request variables aren't initialized
during error response generation. Fix adds status code guard to skip
header processing for error responses.
New hashes for all 3 platforms after fixing the bug where VHosts with
SSL context but missing listener map entries served the wrong cert.
rhel9: 04921afbad94e7ee69bc93a73985e318df93f28b2b0d578447b0ef43dc6e3818
ubuntu: ae2564742f362d3e34ea814dff37edeb8f8b73ae9ca1484ba78e2453a3987429
rhel8: 855b6bccb4a7893914506a07185cffd834bd31a7f7c080b5b4190283def7fa3e
The previous string replace only matched 'adminEmails root@localhost'
exactly. On fresh OLS installs where adminEmails may have a different value
or different spacing, the replace would silently fail and Auto-SSL config
would never be injected. Use re.sub to match the adminEmails line regardless
of its value.
The string replace matched only 'adminEmails' keyword instead of the
full existing line 'adminEmails root@localhost', causing
the remaining ' root@localhost' to trail onto the acmeEmail
line and break ACME account registration.
Universal binaries with all features config-driven (PHPConfig API, Origin
Header Forwarding, ReadApacheConf with Portmap, Auto-SSL ACME v2,
ModSecurity ABI compatibility). Updates install, upgrade, and modSec paths.
- Changed from incorrect URI splitting to proper request.GET.get() method
- Added proper URL decoding with unquote()
- Fixed both downloadFile and RootDownloadFile functions
- Preserved existing security checks (symlink detection, path traversal prevention)
- Added path normalization for additional security
- Improved error messages to match reported error format
This fixes the 'Unauthorized access: Not a valid file' error when downloading files from the file manager.
- Updated pluginHolder/urls.py to use path() instead of url()
- Added new API routes for plugin installation, uninstallation, enable, and disable
- Compatible with Django 4.x (url() was removed in Django 4.0)
Ref: PR 1644
- Update cyberpanel_ols module URLs to use /binaries/ path structure
- Update SHA256 checksums for all platforms (rhel8, rhel9, ubuntu)
- Enable RHEL 8 module support (was previously disabled)
- Module version 2.2.0 with Phase 2 features
