Dimitri Huisman

Results 169 comments of Dimitri Huisman

There is also another topic. Multiple (or maybe even many) users have admin NOT exposed to the internet. For all these users we are introducing a broken 'back to the...

> > Ignore this. If the administrator blocked access, then it is the administrator's problem.
> >
> > Adding `if ({{ ADMIN }})` in front of the `rcmail.addEventListener()` in mailu.js would...

It looks good to me. But I will first run some tests with admin disabled/enabled and a non-standard site name. There are always many different scenarios to consider. Even with...

Thank you for reaching out to us. We indeed have no security policy and no procedure for this. We will create a security.md file with details via what email address...

@nextgens I arranged we got an email address for the mailu domain that could be used. It is security at mailu.io. I can configure email forwarding for this email address....

This is not possible within Mailu. This would require changes to the code that handles authentication. I will mark it as an enhancement request.

If you have the need to have this information logged, you can enable Postfix logging. See this link for more info: https://mailu.io/1.9/configuration.html#mail-log-settings. Postfix also logs the rspamd result (for sending...

It would be nice to check the password with https://haveIbeenpowned.com. Unfortunately the API nowadays is a paid service. https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/

That is nice. Then I also support your suggestion. Set a hard limit of 8 characters minimum for the password. Optionally globally enabled via mailu.env, check ihavebeenpowned (https://haveibeenpwned.com/API/v3#PwnedPasswords).

What I would also like to discuss:
- implement bug fix template (most reported issues are very low quality)
- enabling GitHub wiki for purpose of creating internal documentation on...