Merge branch 'master' into contributors-readme-action--Jon2R3FWl
commit
723e7a55c3
|
@ -55,7 +55,7 @@ jobs:
|
|||
context: 'Deploy Preview (pull_request => workflow_run)'
|
||||
|
||||
- name: 'Send preview build to Netlify'
|
||||
uses: nwtgck/actions-netlify@v2.1
|
||||
uses: nwtgck/actions-netlify@v3.0
|
||||
id: preview
|
||||
timeout-minutes: 1
|
||||
env:
|
||||
|
|
|
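Review bot: the changed `uses:` line jumps a major version (`nwtgck/actions-netlify@v2.1` to `@v3.0`) and still references a mutable tag. The step carries `id: preview`, `timeout-minutes: 1` and an `env:` block, so confirm the v3 inputs and outputs still match what this step passes and what anything reading this step's outputs expects. Since the status `context` line shows the job runs under `workflow_run`, consider pinning the action to a full commit SHA with the version kept in a trailing comment.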
@ -83,7 +83,7 @@ jobs:
|
|||
|
||||
# NOTE: AMD64 can build within 2 minutes
|
||||
- name: 'Build images'
|
||||
uses: docker/build-push-action@v5.1.0
|
||||
uses: docker/build-push-action@v5.2.0
|
||||
with:
|
||||
context: .
|
||||
# Build at least the AMD64 image (which runs against the test suite).
|
||||
|
|
|
@ -67,7 +67,7 @@ jobs:
|
|||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: 'Build and publish images'
|
||||
uses: docker/build-push-action@v5.1.0
|
||||
uses: docker/build-push-action@v5.2.0
|
||||
with:
|
||||
context: .
|
||||
build-args: |
|
||||
|
|
|
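Review bot: on the `uses: docker/build-push-action@v5.2.0` line, the action is referenced by tag in a job that has just logged in with `password: ${{ secrets.GITHUB_TOKEN }}` and goes on to publish images. A tag can be moved upstream, so pinning to the full commit SHA of v5.2.0 (with `# v5.2.0` as a trailing comment so automated updates can still bump it) keeps the publish path reproducible.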
@ -43,7 +43,7 @@ jobs:
|
|||
# Importing from the cache should create the image within approx 30 seconds:
|
||||
# NOTE: `qemu` step is not needed as we only test for AMD64.
|
||||
- name: 'Build AMD64 image from cache'
|
||||
uses: docker/build-push-action@v5.1.0
|
||||
uses: docker/build-push-action@v5.2.0
|
||||
with:
|
||||
context: .
|
||||
tags: mailserver-testing:ci
|
||||
|
|
|
@ -42,7 +42,7 @@ jobs:
|
|||
# Importing from the cache should create the image within approx 30 seconds:
|
||||
# NOTE: `qemu` step is not needed as we only test for AMD64.
|
||||
- name: 'Build AMD64 image from cache'
|
||||
uses: docker/build-push-action@v5.1.0
|
||||
uses: docker/build-push-action@v5.2.0
|
||||
with:
|
||||
context: .
|
||||
tags: mailserver-testing:ci
|
||||
|
|
|
@ -107,3 +107,37 @@ div.md-content article.md-content__inner a.toclink code {
|
|||
.md-nav__item--nested > .md-nav__link {
|
||||
font-weight: 700;
|
||||
}
|
||||
|
||||
/* ============================================================================================================= */
|
||||
|
||||
/*
|
||||
TaskList style for a pro/con list. Presently only used for this type of list in the kubernetes docs.
|
||||
Uses a custom icon for the unchecked (con) state: :octicons-x-circle-fill-24:
|
||||
https://github.com/squidfunk/mkdocs-material/discussions/6811#discussioncomment-8700795
|
||||
|
||||
TODO: Can better scope the style under a class name when migrating to block extension syntax:
|
||||
https://github.com/facelessuser/pymdown-extensions/discussions/1973
|
||||
*/
|
||||
|
||||
:root {
|
||||
--md-tasklist-icon--failed: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M1 12C1 5.925 5.925 1 12 1s11 4.925 11 11-4.925 11-11 11S1 18.075 1 12Zm8.036-4.024a.751.751 0 0 0-1.042.018.751.751 0 0 0-.018 1.042L10.939 12l-2.963 2.963a.749.749 0 0 0 .326 1.275.749.749 0 0 0 .734-.215L12 13.06l2.963 2.964a.75.75 0 0 0 1.061-1.06L13.061 12l2.963-2.964a.749.749 0 0 0-.326-1.275.749.749 0 0 0-.734.215L12 10.939Z"/></svg>');
|
||||
}
|
||||
|
||||
.md-typeset [type="checkbox"] + .task-list-indicator::before {
|
||||
background-color: rgb(216, 87, 48);
|
||||
-webkit-mask-image: var(--md-tasklist-icon--failed);
|
||||
mask-image: var(--md-tasklist-icon--failed);
|
||||
}
|
||||
|
||||
/* More suitable shade of green */
|
||||
.md-typeset [type=checkbox]:checked+.task-list-indicator:before {
|
||||
background-color: rgb(97, 216, 42);
|
||||
}
|
||||
|
||||
/* Tiny layout shift */
|
||||
[dir=ltr] .md-typeset .task-list-indicator:before {
|
||||
left: -1.6em;
|
||||
top: 1px;
|
||||
}
|
||||
|
||||
/* ============================================================================================================= */
|
||||
|
|
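Review bot: the unchecked-state rule `.md-typeset [type="checkbox"] + .task-list-indicator::before` is not scoped, so every task list on the site gets the red x icon, not only the pro/con list the comment describes. The TODO acknowledges this, but a wrapper class would avoid restyling ordinary checklists in the meantime. The three rules also mix `[type="checkbox"]` with `[type=checkbox]` and `::before` with `:before`; pick one form for both.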
File diff suppressed because it is too large
|
@ -14,6 +14,8 @@ This reduces many of the benefits for why you might use a reverse proxy, but the
|
|||
|
||||
Some deployments may require a service to route traffic (kubernetes) when deploying, in which case the below advice is important to understand well.
|
||||
|
||||
The guide here has also been adapted for [our Kubernetes docs][docs::kubernetes].
|
||||
|
||||
## What can go wrong?
|
||||
|
||||
Without a reverse proxy involved, a service is typically aware of the client IP for a connection.
|
||||
|
@ -354,9 +356,8 @@ Software on the receiving end of the connection often supports configuring an IP
|
|||
[`postscreen_access_list`][postfix-docs::settings::postscreen_access_list] (_or [`smtpd_client_restrictions`][postfix-docs::settings::smtpd_client_restrictions] with [`check_client_access`][postfix-docs::settings::check_client_access] for ports 587/465_) can both restrict access by IP via a [CIDR lookup table][postfix-docs::config-table::cidr], however the client IP is already rewritten at this point via PROXY protocol.
|
||||
|
||||
Thus those settings cannot be used for restricting access to only trusted proxies, only to the actual clients.
|
||||
|
||||
A similar setting [`mynetworks`][postfix-docs::settings::mynetworks] / [`PERMIT_DOCKER`][docs::env::permit_docker] manages elevated trust for bypassing security restrictions. While it is intended for trusted clients, it has no relevance to trusting proxies for the same reasons.
|
||||
|
||||
A similar setting [`mynetworks`][postfix-docs::settings::mynetworks] / [`PERMIT_DOCKER`][docs::env::permit_docker] manages elevated trust for bypassing security restrictions. While it is intended for trusted clients, it has no relevance to trusting proxies for the same reasons.
|
||||
|
||||
### Monitoring
|
||||
|
||||
|
@ -373,6 +374,8 @@ While PROXY protocol works well with the reverse proxy, you may have some contai
|
|||
|
||||
You should adjust configuration of these monitoring services to monitor for auth failures from those services directly instead, adding an exclusion for that service IP from any DMS logs monitored (_but be mindful of PROXY header forgery risks_).
|
||||
|
||||
[docs::kubernetes]: ../../config/advanced/kubernetes.md#using-the-proxy-protocol
|
||||
|
||||
[docs::overrides::dovecot]: ../../config/advanced/override-defaults/dovecot.md
|
||||
[docs::overrides::postfix]: ../../config/advanced/override-defaults/postfix.md
|
||||
[docs::overrides::user-patches]: ../../config/advanced/override-defaults/user-patches.md
|
||||
|
|
|
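Review bot: the new `[docs::kubernetes]` reference points at the fragment `#using-the-proxy-protocol`, and nothing in the visible diff shows that heading. Confirm the slug matches the heading in `kubernetes.md` as rendered, since a wrong fragment still resolves to the page and fails silently.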
@ -82,6 +82,11 @@ markdown_extensions:
|
|||
format: !!python/name:pymdownx.superfences.fence_code_format
|
||||
- pymdownx.tabbed:
|
||||
alternate_style: true
|
||||
slugify: !!python/object/apply:pymdownx.slugs.slugify
|
||||
kwds:
|
||||
case: lower
|
||||
- pymdownx.tasklist:
|
||||
custom_checkbox: true
|
||||
- pymdownx.magiclink
|
||||
- pymdownx.inlinehilite
|
||||
- pymdownx.tilde
|
||||
|
|
|
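Review bot: the `slugify` entry added under `pymdownx.tabbed` changes how tab anchor IDs are generated (derived from tab titles rather than positional), so any existing links to positional tab IDs will stop resolving; worth a grep of the docs before merging. A short comment next to `custom_checkbox: true` would also help, since the new task list CSS relies on the `.task-list-indicator` element that option produces.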
@ -8,7 +8,7 @@
|
|||
echo "enable_test_patterns = true;" >>/etc/rspamd/local.d/options.inc
|
||||
|
||||
# We want Dovecot to be very detailed about what it is doing,
|
||||
# specificially for Sieve because we need to check whether the
|
||||
# specifically for Sieve because we need to check whether the
|
||||
# Sieve scripts are executed so Rspamd is trained when using
|
||||
# `RSPAMD_LEARN=1`.
|
||||
echo 'mail_debug = yes' >>/etc/dovecot/dovecot.conf
|
||||
|
|