diff --git a/src/applications/config/check/PhabricatorExtraConfigSetupCheck.php b/src/applications/config/check/PhabricatorExtraConfigSetupCheck.php index 708bbae0cb..19ced06efc 100644 --- a/src/applications/config/check/PhabricatorExtraConfigSetupCheck.php +++ b/src/applications/config/check/PhabricatorExtraConfigSetupCheck.php @@ -1,393 +1,396 @@ newIssue('config.unknown.'.$key) ->setShortName($short) ->setName($name) ->setSummary($summary); $stack = PhabricatorEnv::getConfigSourceStack(); $stack = $stack->getStack(); $found = array(); $found_local = false; $found_database = false; foreach ($stack as $source_key => $source) { $value = $source->getKeys(array($key)); if ($value) { $found[] = $source->getName(); if ($source instanceof PhabricatorConfigDatabaseSource) { $found_database = true; } if ($source instanceof PhabricatorConfigLocalSource) { $found_local = true; } } } $message = $message."\n\n".pht( 'This configuration value is defined in these %d '. 'configuration source(s): %s.', count($found), implode(', ', $found)); $issue->setMessage($message); if ($found_local) { $command = csprintf('phabricator/ $ ./bin/config delete %s', $key); $issue->addCommand($command); } if ($found_database) { $issue->addPhabricatorConfig($key); } } } /** * Return a map of deleted config options. Keys are option keys; values are * explanations of what happened to the option. */ public static function getAncientConfig() { $reason_auth = pht( 'This option has been migrated to the "Auth" application. Your old '. 'configuration is still in effect, but now stored in "Auth" instead of '. 'configuration. Going forward, you can manage authentication from '. 'the web UI.'); $auth_config = array( 'controller.oauth-registration', 'auth.password-auth-enabled', 'facebook.auth-enabled', 'facebook.registration-enabled', 'facebook.auth-permanent', 'facebook.application-id', 'facebook.application-secret', 'facebook.require-https-auth', 'github.auth-enabled', 'github.registration-enabled', 'github.auth-permanent', 'github.application-id', 'github.application-secret', 'google.auth-enabled', 'google.registration-enabled', 'google.auth-permanent', 'google.application-id', 'google.application-secret', 'ldap.auth-enabled', 'ldap.hostname', 'ldap.port', 'ldap.base_dn', 'ldap.search_attribute', 'ldap.search-first', 'ldap.username-attribute', 'ldap.real_name_attributes', 'ldap.activedirectory_domain', 'ldap.version', 'ldap.referrals', 'ldap.anonymous-user-name', 'ldap.anonymous-user-password', 'ldap.start-tls', 'disqus.auth-enabled', 'disqus.registration-enabled', 'disqus.auth-permanent', 'disqus.application-id', 'disqus.application-secret', 'phabricator.oauth-uri', 'phabricator.auth-enabled', 'phabricator.registration-enabled', 'phabricator.auth-permanent', 'phabricator.application-id', 'phabricator.application-secret', ); $ancient_config = array_fill_keys($auth_config, $reason_auth); $markup_reason = pht( 'Custom remarkup rules are now added by subclassing '. '%s or %s.', 'PhabricatorRemarkupCustomInlineRule', 'PhabricatorRemarkupCustomBlockRule'); $session_reason = pht( 'Sessions now expire and are garbage collected rather than having an '. 'arbitrary concurrency limit.'); $differential_field_reason = pht( 'All Differential fields are now managed through the configuration '. 'option "%s". Use that option to configure which fields are shown.', 'differential.fields'); $reply_domain_reason = pht( 'Individual application reply handler domains have been removed. '. 'Configure a reply domain with "%s".', 'metamta.reply-handler-domain'); $reply_handler_reason = pht( 'Reply handlers can no longer be overridden with configuration.'); $monospace_reason = pht( 'Phabricator no longer supports global customization of monospaced '. 'fonts.'); $public_mail_reason = pht( 'Inbound mail addresses are now configured for each application '. 'in the Applications tool.'); $gc_reason = pht( 'Garbage collectors are now configured with "%s".', 'bin/garbage set-policy'); $aphlict_reason = pht( 'Configuration of the notification server has changed substantially. '. 'For discussion, see T10794.'); $stale_reason = pht( 'The Differential revision list view age UI elements have been removed '. 'to simplify the interface.'); $global_settings_reason = pht( 'The "Re: Prefix" and "Vary Subjects" settings are now configured '. 'in global settings.'); $dashboard_reason = pht( 'This option has been removed, you can use Dashboards to provide '. 'homepage customization. See T11533 for more details.'); $elastic_reason = pht( 'Elasticsearch is now configured with "%s".', 'cluster.search'); $mailers_reason = pht( 'Inbound and outbound mail is now configured with "cluster.mailers".'); $ancient_config += array( 'phid.external-loaders' => pht( 'External loaders have been replaced. Extend `%s` '. 'to implement new PHID and handle types.', 'PhabricatorPHIDType'), 'maniphest.custom-task-extensions-class' => pht( 'Maniphest fields are now loaded automatically. '. 'You can configure them with `%s`.', 'maniphest.fields'), 'maniphest.custom-fields' => pht( 'Maniphest fields are now defined in `%s`. '. 'Existing definitions have been migrated.', 'maniphest.custom-field-definitions'), 'differential.custom-remarkup-rules' => $markup_reason, 'differential.custom-remarkup-block-rules' => $markup_reason, 'auth.sshkeys.enabled' => pht( 'SSH keys are now actually useful, so they are always enabled.'), 'differential.anonymous-access' => pht( 'Phabricator now has meaningful global access controls. See `%s`.', 'policy.allow-public'), 'celerity.resource-path' => pht( 'An alternate resource map is no longer supported. Instead, use '. 'multiple maps. See T4222.'), 'metamta.send-immediately' => pht( 'Mail is now always delivered by the daemons.'), 'auth.sessions.conduit' => $session_reason, 'auth.sessions.web' => $session_reason, 'tokenizer.ondemand' => pht( 'Phabricator now manages typeahead strategies automatically.'), 'differential.revision-custom-detail-renderer' => pht( 'Obsolete; use standard rendering events instead.'), 'differential.show-host-field' => $differential_field_reason, 'differential.show-test-plan-field' => $differential_field_reason, 'differential.field-selector' => $differential_field_reason, 'phabricator.show-beta-applications' => pht( 'This option has been renamed to `%s` to emphasize the '. 'unfinished nature of many prototype applications. '. 'Your existing setting has been migrated.', 'phabricator.show-prototypes'), 'notification.user' => pht( 'The notification server no longer requires root permissions. Start '. 'the server as the user you want it to run under.'), 'notification.debug' => pht( 'Notifications no longer have a dedicated debugging mode.'), 'translation.provider' => pht( 'The translation implementation has changed and providers are no '. 'longer used or supported.'), 'config.mask' => pht( 'Use `%s` instead of this option.', 'config.hide'), 'phd.start-taskmasters' => pht( 'Taskmasters now use an autoscaling pool. You can configure the '. 'pool size with `%s`.', 'phd.taskmasters'), 'storage.engine-selector' => pht( 'Phabricator now automatically discovers available storage engines '. 'at runtime.'), 'storage.upload-size-limit' => pht( 'Phabricator now supports arbitrarily large files. Consult the '. 'documentation for configuration details.'), 'security.allow-outbound-http' => pht( 'This option has been replaced with the more granular option `%s`.', 'security.outbound-blacklist'), 'metamta.reply.show-hints' => pht( 'Phabricator no longer shows reply hints in mail.'), 'metamta.differential.reply-handler-domain' => $reply_domain_reason, 'metamta.diffusion.reply-handler-domain' => $reply_domain_reason, 'metamta.macro.reply-handler-domain' => $reply_domain_reason, 'metamta.maniphest.reply-handler-domain' => $reply_domain_reason, 'metamta.pholio.reply-handler-domain' => $reply_domain_reason, 'metamta.diffusion.reply-handler' => $reply_handler_reason, 'metamta.differential.reply-handler' => $reply_handler_reason, 'metamta.maniphest.reply-handler' => $reply_handler_reason, 'metamta.package.reply-handler' => $reply_handler_reason, 'metamta.precedence-bulk' => pht( 'Phabricator now always sends transaction mail with '. '"Precedence: bulk" to improve deliverability.'), 'style.monospace' => $monospace_reason, 'style.monospace.windows' => $monospace_reason, 'search.engine-selector' => pht( 'Phabricator now automatically discovers available search engines '. 'at runtime.'), 'metamta.files.public-create-email' => $public_mail_reason, 'metamta.maniphest.public-create-email' => $public_mail_reason, 'metamta.maniphest.default-public-author' => $public_mail_reason, 'metamta.paste.public-create-email' => $public_mail_reason, 'security.allow-conduit-act-as-user' => pht( 'Impersonating users over the API is no longer supported.'), 'feed.public' => pht('The framable public feed is no longer supported.'), 'auth.login-message' => pht( 'This configuration option has been replaced with a modular '. 'handler. See T9346.'), 'gcdaemon.ttl.herald-transcripts' => $gc_reason, 'gcdaemon.ttl.daemon-logs' => $gc_reason, 'gcdaemon.ttl.differential-parse-cache' => $gc_reason, 'gcdaemon.ttl.markup-cache' => $gc_reason, 'gcdaemon.ttl.task-archive' => $gc_reason, 'gcdaemon.ttl.general-cache' => $gc_reason, 'gcdaemon.ttl.conduit-logs' => $gc_reason, 'phd.variant-config' => pht( 'This configuration is no longer relevant because daemons '. 'restart automatically on configuration changes.'), 'notification.ssl-cert' => $aphlict_reason, 'notification.ssl-key' => $aphlict_reason, 'notification.pidfile' => $aphlict_reason, 'notification.log' => $aphlict_reason, 'notification.enabled' => $aphlict_reason, 'notification.client-uri' => $aphlict_reason, 'notification.server-uri' => $aphlict_reason, 'metamta.differential.unified-comment-context' => pht( 'Inline comments are now always rendered with a limited amount '. 'of context.'), 'differential.days-fresh' => $stale_reason, 'differential.days-stale' => $stale_reason, 'metamta.re-prefix' => $global_settings_reason, 'metamta.vary-subjects' => $global_settings_reason, 'ui.custom-header' => pht( 'This option has been replaced with `ui.logo`, which provides more '. 'flexible configuration options.'), 'welcome.html' => $dashboard_reason, 'maniphest.priorities.unbreak-now' => $dashboard_reason, 'maniphest.priorities.needs-triage' => $dashboard_reason, 'mysql.implementation' => pht( 'Phabricator now automatically selects the best available '. 'MySQL implementation.'), 'mysql.configuration-provider' => pht( 'Phabricator now has application-level management of partitioning '. 'and replicas.'), 'search.elastic.host' => $elastic_reason, 'search.elastic.namespace' => $elastic_reason, 'metamta.mail-adapter' => $mailers_reason, 'amazon-ses.access-key' => $mailers_reason, 'amazon-ses.secret-key' => $mailers_reason, 'amazon-ses.endpoint' => $mailers_reason, 'mailgun.domain' => $mailers_reason, 'mailgun.api-key' => $mailers_reason, 'phpmailer.mailer' => $mailers_reason, 'phpmailer.smtp-host' => $mailers_reason, 'phpmailer.smtp-port' => $mailers_reason, 'phpmailer.smtp-protocol' => $mailers_reason, 'phpmailer.smtp-user' => $mailers_reason, 'phpmailer.smtp-password' => $mailers_reason, 'phpmailer.smtp-encoding' => $mailers_reason, 'sendgrid.api-user' => $mailers_reason, 'sendgrid.api-key' => $mailers_reason, 'celerity.resource-hash' => pht( 'This option generally did not prove useful. Resource hash keys '. 'are now managed automatically.'), 'celerity.enable-deflate' => pht( 'Resource deflation is now managed automatically.'), 'celerity.minify' => pht( 'Resource minification is now managed automatically.'), 'metamta.domain' => pht( 'Mail thread IDs are now generated automatically.'), 'metamta.placeholder-to-recipient' => pht( 'Placeholder recipients are now generated automatically.'), + + 'metamta.mail-key' => pht( + 'Mail object address hash keys are now generated automatically.'), ); return $ancient_config; } } diff --git a/src/applications/config/option/PhabricatorSecurityConfigOptions.php b/src/applications/config/option/PhabricatorSecurityConfigOptions.php index 2b511ee023..2d82cf5f0f 100644 --- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php +++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php @@ -1,350 +1,336 @@ deformat(pht(<<deformat(pht(<<newOption('security.alternate-file-domain', 'string', null) ->setLocked(true) ->setSummary(pht('Alternate domain to serve files from.')) ->setDescription( pht( 'By default, Phabricator serves files from the same domain '. 'the application is served from. This is convenient, but '. 'presents a security risk.'. "\n\n". 'You should configure a CDN or alternate file domain to mitigate '. 'this risk. Configuring a CDN will also improve performance. See '. '[[ %s | %s ]] for instructions.', $doc_href, $doc_name)) ->addExample('https://files.phabcdn.net/', pht('Valid Setting')), $this->newOption( 'security.hmac-key', 'string', '[D\t~Y7eNmnQGJ;rnH6aF;m2!vJ8@v8C=Cs:aQS\.Qw') ->setHidden(true) ->setSummary( pht('Key for HMAC digests.')) ->setDescription( pht( 'Default key for HMAC digests where the key is not important '. '(i.e., the hash itself is secret). You can change this if you '. 'want (to any other string), but doing so will break existing '. 'sessions and CSRF tokens. This option is deprecated. Newer '. 'code automatically manages HMAC keys.')), $this->newOption('security.require-https', 'bool', false) ->setLocked(true) ->setSummary( pht('Force users to connect via HTTPS instead of HTTP.')) ->setDescription( pht( "If the web server responds to both HTTP and HTTPS requests but ". "you want users to connect with only HTTPS, you can set this ". "to `true` to make Phabricator redirect HTTP requests to HTTPS.". "\n\n". "Normally, you should just configure your server not to accept ". "HTTP traffic, but this setting may be useful if you originally ". "used HTTP and have now switched to HTTPS but don't want to ". "break old links, or if your webserver sits behind a load ". "balancer which terminates HTTPS connections and you can not ". "reasonably configure more granular behavior there.". "\n\n". "IMPORTANT: Phabricator determines if a request is HTTPS or not ". "by examining the PHP `%s` variable. If you run ". "Apache/mod_php this will probably be set correctly for you ". "automatically, but if you run Phabricator as CGI/FCGI (e.g., ". "through nginx or lighttpd), you need to configure your web ". "server so that it passes the value correctly based on the ". "connection type.". "\n\n". "If you configure Phabricator in cluster mode, note that this ". "setting is ignored by intracluster requests.", "\$_SERVER['HTTPS']")) ->setBoolOptions( array( pht('Force HTTPS'), pht('Allow HTTP'), )), $this->newOption('security.require-multi-factor-auth', 'bool', false) ->setLocked(true) ->setSummary( pht('Require all users to configure multi-factor authentication.')) ->setDescription($require_mfa_description) ->setBoolOptions( array( pht('Multi-Factor Required'), pht('Multi-Factor Optional'), )), $this->newOption( 'phabricator.csrf-key', 'string', '0b7ec0592e0a2829d8b71df2fa269b2c6172eca3') ->setHidden(true) ->setSummary( pht('Hashed with other inputs to generate CSRF tokens.')) ->setDescription( pht( 'This is hashed with other inputs to generate CSRF tokens. If '. 'you want, you can change it to some other string which is '. 'unique to your install. This will make your install more secure '. 'in a vague, mostly theoretical way. But it will take you like 3 '. 'seconds of mashing on your keyboard to set it up so you might '. 'as well.')), - $this->newOption( - 'phabricator.mail-key', - 'string', - '5ce3e7e8787f6e40dfae861da315a5cdf1018f12') - ->setHidden(true) - ->setSummary( - pht('Hashed with other inputs to generate mail tokens.')) - ->setDescription( - pht( - "This is hashed with other inputs to generate mail tokens. If ". - "you want, you can change it to some other string which is ". - "unique to your install. In particular, you will want to do ". - "this if you accidentally send a bunch of mail somewhere you ". - "shouldn't have, to invalidate all old reply-to addresses.")), $this->newOption( 'uri.allowed-protocols', 'set', array( 'http' => true, 'https' => true, 'mailto' => true, )) ->setSummary( pht('Determines which URI protocols are auto-linked.')) ->setDescription( pht( "When users write comments which have URIs, they'll be ". "automatically linked if the protocol appears in this set. This ". "whitelist is primarily to prevent security issues like ". "%s URIs.", 'javascript://')) ->addExample("http\nhttps", pht('Valid Setting')) ->setLocked(true), $this->newOption( 'uri.allowed-editor-protocols', 'set', array( 'http' => true, 'https' => true, // This handler is installed by Textmate. 'txmt' => true, // This handler is for MacVim. 'mvim' => true, // Unofficial handler for Vim. 'vim' => true, // Unofficial handler for Sublime. 'subl' => true, // Unofficial handler for Emacs. 'emacs' => true, // This isn't a standard handler installed by an application, but // is a reasonable name for a user-installed handler. 'editor' => true, )) ->setSummary(pht('Whitelists editor protocols for "Open in Editor".')) ->setDescription( pht( 'Users can configure a URI pattern to open files in a text '. 'editor. The URI must use a protocol on this whitelist.')) ->setLocked(true), $this->newOption('remarkup.enable-embedded-youtube', 'bool', false) ->setBoolOptions( array( pht('Embed YouTube videos'), pht("Don't embed YouTube videos"), )) ->setSummary( pht('Determines whether or not YouTube videos get embedded.')) ->setDescription( pht( "If you enable this, linked YouTube videos will be embedded ". "inline. This has mild security implications (you'll leak ". "referrers to YouTube) and is pretty silly (but sort of ". "awesome).")), $this->newOption( 'security.outbound-blacklist', 'list', $default_address_blacklist) ->setLocked(true) ->setSummary( pht( 'Blacklist subnets to prevent user-initiated outbound '. 'requests.')) ->setDescription( pht( 'Phabricator users can make requests to other services from '. 'the Phabricator host in some circumstances (for example, by '. 'creating a repository with a remote URL or having Phabricator '. 'fetch an image from a remote server).'. "\n\n". 'This may represent a security vulnerability if services on '. 'the same subnet will accept commands or reveal private '. 'information over unauthenticated HTTP GET, based on the source '. 'IP address. In particular, all hosts in EC2 have access to '. 'such a service.'. "\n\n". 'This option defines a list of netblocks which Phabricator '. 'will decline to connect to. Generally, you should list all '. 'private IP space here.')) ->addExample(array('0.0.0.0/0'), pht('No Outbound Requests')), $this->newOption('security.strict-transport-security', 'bool', false) ->setLocked(true) ->setBoolOptions( array( pht('Use HSTS'), pht('Do Not Use HSTS'), )) ->setSummary(pht('Enable HTTP Strict Transport Security (HSTS).')) ->setDescription( pht( 'HTTP Strict Transport Security (HSTS) sends a header which '. 'instructs browsers that the site should only be accessed '. 'over HTTPS, never HTTP. This defuses an attack where an '. 'adversary gains access to your network, then proxies requests '. 'through an unsecured link.'. "\n\n". 'Do not enable this option if you serve (or plan to ever serve) '. 'unsecured content over plain HTTP. It is very difficult to '. 'undo this change once users\' browsers have accepted the '. 'setting.')), $this->newOption('keyring', $keyring_type, array()) ->setHidden(true) ->setSummary(pht('Configure master encryption keys.')) ->setDescription($keyring_description), ); } protected function didValidateOption( PhabricatorConfigOption $option, $value) { $key = $option->getKey(); if ($key == 'security.alternate-file-domain') { $uri = new PhutilURI($value); $protocol = $uri->getProtocol(); if ($protocol !== 'http' && $protocol !== 'https') { throw new PhabricatorConfigValidationException( pht( "Config option '%s' is invalid. The URI must start with ". "'%s' or '%s'.", $key, 'http://', 'https://')); } $domain = $uri->getDomain(); if (strpos($domain, '.') === false) { throw new PhabricatorConfigValidationException( pht( "Config option '%s' is invalid. The URI must contain a dot ('.'), ". "like '%s', not just a bare name like '%s'. ". "Some web browsers will not set cookies on domains with no TLD.", $key, 'http://example.com/', 'http://example/')); } $path = $uri->getPath(); if ($path !== '' && $path !== '/') { throw new PhabricatorConfigValidationException( pht( "Config option '%s' is invalid. The URI must NOT have a path, ". "e.g. '%s' is OK, but '%s' is not. Phabricator must be installed ". "on an entire domain; it can not be installed on a path.", $key, 'http://phabricator.example.com/', 'http://example.com/phabricator/')); } } } } diff --git a/src/applications/metamta/receiver/PhabricatorObjectMailReceiver.php b/src/applications/metamta/receiver/PhabricatorObjectMailReceiver.php index 801f7a8e6f..730ed6a2c5 100644 --- a/src/applications/metamta/receiver/PhabricatorObjectMailReceiver.php +++ b/src/applications/metamta/receiver/PhabricatorObjectMailReceiver.php @@ -1,209 +1,209 @@ loadObjectFromMail($mail, $sender); $mail->setRelatedPHID($object->getPHID()); $this->processReceivedObjectMail($mail, $object, $sender); return $this; } protected function processReceivedObjectMail( PhabricatorMetaMTAReceivedMail $mail, PhabricatorLiskDAO $object, PhabricatorUser $sender) { $handler = $this->getTransactionReplyHandler(); if ($handler) { return $handler ->setMailReceiver($object) ->setActor($sender) ->setExcludeMailRecipientPHIDs($mail->loadAllRecipientPHIDs()) ->processEmail($mail); } throw new PhutilMethodNotImplementedException(); } protected function getTransactionReplyHandler() { return null; } public function loadMailReceiverObject($pattern, PhabricatorUser $viewer) { return $this->loadObject($pattern, $viewer); } public function validateSender( PhabricatorMetaMTAReceivedMail $mail, PhabricatorUser $sender) { parent::validateSender($mail, $sender); $parts = $this->matchObjectAddressInMail($mail); $pattern = $parts['pattern']; try { $object = $this->loadObjectFromMail($mail, $sender); } catch (PhabricatorPolicyException $policy_exception) { throw new PhabricatorMetaMTAReceivedMailProcessingException( MetaMTAReceivedMailStatus::STATUS_POLICY_PROBLEM, pht( 'This mail is addressed to an object ("%s") you do not have '. 'permission to see: %s', $pattern, $policy_exception->getMessage())); } if (!$object) { throw new PhabricatorMetaMTAReceivedMailProcessingException( MetaMTAReceivedMailStatus::STATUS_NO_SUCH_OBJECT, pht( 'This mail is addressed to an object ("%s"), but that object '. 'does not exist.', $pattern)); } $sender_identifier = $parts['sender']; if ($sender_identifier === 'public') { if (!PhabricatorEnv::getEnvConfig('metamta.public-replies')) { throw new PhabricatorMetaMTAReceivedMailProcessingException( MetaMTAReceivedMailStatus::STATUS_NO_PUBLIC_MAIL, pht( 'This mail is addressed to the public email address of an object '. '("%s"), but public replies are not enabled on this Phabricator '. 'install. An administrator may have recently disabled this '. 'setting, or you may have replied to an old message. Try '. 'replying to a more recent message instead.', $pattern)); } $check_phid = $object->getPHID(); } else { if ($sender_identifier != $sender->getID()) { throw new PhabricatorMetaMTAReceivedMailProcessingException( MetaMTAReceivedMailStatus::STATUS_USER_MISMATCH, pht( 'This mail is addressed to the private email address of an object '. '("%s"), but you are not the user who is authorized to use the '. 'address you sent mail to. Each private address is unique to the '. 'user who received the original mail. Try replying to a message '. 'which was sent directly to you instead.', $pattern)); } $check_phid = $sender->getPHID(); } $mail_key = PhabricatorMetaMTAMailProperties::loadMailKey($object); $expect_hash = self::computeMailHash($mail_key, $check_phid); if (!phutil_hashes_are_identical($expect_hash, $parts['hash'])) { throw new PhabricatorMetaMTAReceivedMailProcessingException( MetaMTAReceivedMailStatus::STATUS_HASH_MISMATCH, pht( 'This mail is addressed to an object ("%s"), but the address is '. 'not correct (the security hash is wrong). Check that the address '. 'is correct.', $pattern)); } } final public function canAcceptMail(PhabricatorMetaMTAReceivedMail $mail) { if ($this->matchObjectAddressInMail($mail)) { return true; } return false; } private function matchObjectAddressInMail( PhabricatorMetaMTAReceivedMail $mail) { foreach ($mail->getToAddresses() as $address) { $parts = $this->matchObjectAddress($address); if ($parts) { return $parts; } } return null; } private function matchObjectAddress($address) { $regexp = $this->getAddressRegexp(); $address = self::stripMailboxPrefix($address); $local = id(new PhutilEmailAddress($address))->getLocalPart(); $matches = null; if (!preg_match($regexp, $local, $matches)) { return false; } return $matches; } private function getAddressRegexp() { $pattern = $this->getObjectPattern(); $regexp = '(^'. '(?P'.$pattern.')'. '\\+'. '(?P\w+)'. '\\+'. '(?P[a-f0-9]{16})'. '$)Ui'; return $regexp; } private function loadObjectFromMail( PhabricatorMetaMTAReceivedMail $mail, PhabricatorUser $sender) { $parts = $this->matchObjectAddressInMail($mail); return $this->loadObject( phutil_utf8_strtoupper($parts['pattern']), $sender); } public static function computeMailHash($mail_key, $phid) { - $global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key'); - - $hash = PhabricatorHash::weakDigest($mail_key.$global_mail_key.$phid); + $hash = PhabricatorHash::digestWithNamedKey( + $mail_key.$phid, + 'mail.object-address-key'); return substr($hash, 0, 16); } } diff --git a/src/docs/user/configuration/configuring_inbound_email.diviner b/src/docs/user/configuration/configuring_inbound_email.diviner index 869196e9d8..84d4fa48d1 100644 --- a/src/docs/user/configuration/configuring_inbound_email.diviner +++ b/src/docs/user/configuration/configuring_inbound_email.diviner @@ -1,234 +1,231 @@ @title Configuring Inbound Email @group config This document contains instructions for configuring inbound email, so users may interact with some Phabricator applications via email. = Preamble = This can be extremely difficult to configure correctly. This is doubly true if you use a local MTA. There are a few approaches available: | Receive Mail With | Setup | Cost | Notes | |--------|-------|------|-------| | Mailgun | Easy | Cheap | Recommended | | Postmark | Easy | Cheap | Recommended | | SendGrid | Easy | Cheap | | | Local MTA | Extremely Difficult | Free | Strongly discouraged! | The remainder of this document walks through configuring Phabricator to receive mail, and then configuring your chosen transport to deliver mail to Phabricator. = Configuring Phabricator = By default, Phabricator uses a `noreply@phabricator.example.com` email address as the 'From' (configurable with `metamta.default-address`) and sets 'Reply-To' to the user generating the email (e.g., by making a comment), if the mail was generated by a user action. This means that users can reply (or reply-all) to email to discuss changes, but the conversation won't be recorded in Phabricator and users will not be able to take actions like claiming tasks or requesting changes to revisions. To change this behavior so that users can interact with objects in Phabricator over email, change the configuration key `metamta.reply-handler-domain` to some domain you configure according to the instructions below, e.g. `phabricator.example.com`. Once you set this key, emails will use a 'Reply-To' like `T123+273+af310f9220ad@phabricator.example.com`, which -- when configured correctly, according to the instructions below -- will parse incoming email and allow users to interact with Differential revisions, Maniphest tasks, etc. over email. If you don't want Phabricator to take up an entire domain (or subdomain) you can configure a general prefix so you can use a single mailbox to receive mail on. To make use of this set `metamta.single-reply-handler-prefix` to the prefix of your choice, and Phabricator will prepend this to the 'Reply-To' mail address. This works because everything up to the first (optional) '+' character in an email-address is considered the receiver, and everything after is essentially ignored. You can also set up application email addresses to allow users to create application objects via email. For example, you could configure `bugs@phabricator.example.com` to create a Maniphest task out of any email which is sent to it. To do this, see application settings for a given application at {nav icon=home, name=Home > name=Applications > icon=cog, name=Settings} = Security = The email reply channel is "somewhat" authenticated. Each reply-to address is unique to the recipient and includes a hash of user information and a unique object ID, so it can only be used to update that object and only be used to act on behalf of the recipient. However, if an address is leaked (which is fairly easy -- for instance, forwarding an email will leak a live reply address, or a user might take a screenshot), //anyone// who can send mail to your reply-to domain may interact with the object the email relates to as the user who leaked the mail. Because the authentication around email has this weakness, some actions (like accepting revisions) are not permitted over email. This implementation is an attempt to balance utility and security, but makes some sacrifices on both sides to achieve it because of the difficulty of authenticating senders in the general case (e.g., where you are an open source project and need to interact with users whose email accounts you have no control over). -If you leak a bunch of reply-to addresses by accident, you can change -`phabricator.mail-key` in your configuration to invalidate all the old hashes. - You can also set `metamta.public-replies`, which will change how Phabricator delivers email. Instead of sending each recipient a unique mail with a personal reply-to address, it will send a single email to everyone with a public reply-to address. This decreases security because anyone who can spoof a "From" address can act as another user, but increases convenience if you use mailing lists and, practically, is a reasonable setting for many installs. The reply-to address will still contain a hash unique to the object it represents, so users who have not received an email about an object can not blindly interact with it. If you enable application email addresses, those addresses also use the weaker "From" authentication mechanism. NOTE: Phabricator does not currently attempt to verify "From" addresses because this is technically complex, seems unreasonably difficult in the general case, and no installs have had a need for it yet. If you have a specific case where a reasonable mechanism exists to provide sender verification (e.g., DKIM signatures are sufficient to authenticate the sender under your configuration, or you are willing to require all users to sign their email), file a feature request. = Testing and Debugging Inbound Email = You can use the `bin/mail` utility to test and review inbound mail. This can help you determine if mail is being delivered to Phabricator or not: phabricator/ $ ./bin/mail list-inbound # List inbound messages. phabricator/ $ ./bin/mail show-inbound # Show details about a message. You can also test receiving mail, but note that this just simulates receiving the mail and doesn't send any information over the network. It is primarily aimed at developing email handlers: it will still work properly if your inbound email configuration is incorrect or even disabled. phabricator/ $ ./bin/mail receive-test # Receive test message. Run `bin/mail help ` for detailed help on using these commands. = Mailgun Setup = To use Mailgun, you need a Mailgun account. You can sign up at . Provided you have such an account, configure it like this: - Configure a mail domain according to Mailgun's instructions. - Add a Mailgun route with a `catch_all()` rule which takes the action `forward("https://phabricator.example.com/mail/mailgun/")`. Replace the example domain with your actual domain. - Configure a mailer in `cluster.mailers` with your Mailgun API key. Postmark Setup ============== To process inbound mail from Postmark, configure this URI as your inbound webhook URI in the Postmark control panel: ``` https:///mail/postmark/ ``` See also the Postmark section in @{article:Configuring Outbound Email} for discussion of the remote address whitelist used to verify that requests this endpoint receives are authentic requests originating from Postmark. = SendGrid Setup = To use SendGrid, you need a SendGrid account with access to the "Parse API" for inbound email. Provided you have such an account, configure it like this: - Configure an MX record according to SendGrid's instructions, i.e. add `phabricator.example.com MX 10 mx.sendgrid.net.` or similar. - Go to the "Parse Incoming Emails" page on SendGrid () and add the domain as the "Hostname". - Add the URL `https://phabricator.example.com/mail/sendgrid/` as the "Url", using your domain (and HTTP instead of HTTPS if you are not configured with SSL). - If you get an error that the hostname "can't be located or verified", it means your MX record is either incorrectly configured or hasn't propagated yet. - Set `metamta.reply-handler-domain` to `phabricator.example.com`" (whatever you configured the MX record for). That's it! If everything is working properly you should be able to send email to `anything@phabricator.example.com` and it should appear in `bin/mail list-inbound` within a few seconds. = Local MTA: Installing Mailparse = If you're going to run your own MTA, you need to install the PECL mailparse extension. In theory, you can do that with: $ sudo pecl install mailparse You may run into an error like "needs mbstring". If so, try: $ sudo yum install php-mbstring # or equivalent $ sudo pecl install -n mailparse If you get a linker error like this: COUNTEREXAMPLE PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/mailparse.so' - /usr/lib64/php/modules/mailparse.so: undefined symbol: mbfl_name2no_encoding in Unknown on line 0 ...you need to edit your php.ini file so that mbstring.so is loaded **before** mailparse.so. This is not the default if you have individual files in `php.d/`. = Local MTA: Configuring Sendmail = Before you can configure Sendmail, you need to install Mailparse. See the section "Installing Mailparse" above. Sendmail is very difficult to configure. First, you need to configure it for your domain so that mail can be delivered correctly. In broad strokes, this probably means something like this: - add an MX record; - make sendmail listen on external interfaces; - open up port 25 if necessary (e.g., in your EC2 security policy); - add your host to /etc/mail/local-host-names; and - restart sendmail. Now, you can actually configure sendmail to deliver to Phabricator. In `/etc/aliases`, add an entry like this: phabricator: "| /path/to/phabricator/scripts/mail/mail_handler.php" If you use the `PHABRICATOR_ENV` environmental variable to select a configuration, you can pass the value to the script as an argument: .../path/to/mail_handler.php This is an advanced feature which is rarely used. Most installs should run without an argument. After making this change, run `sudo newaliases`. Now you likely need to symlink this script into `/etc/smrsh/`: sudo ln -s /path/to/phabricator/scripts/mail/mail_handler.php /etc/smrsh/ Finally, edit `/etc/mail/virtusertable` and add an entry like this: @yourdomain.com phabricator@localhost That will forward all mail to @yourdomain.com to the Phabricator processing script. Run `sudo /etc/mail/make` or similar and then restart sendmail with `sudo /etc/init.d/sendmail restart`.