Postfixadmin 4.0.1

• Add TOTP (Time based One Time Password) support (with IP based exceptions) for mailboxes, along with Application Specific Passwords ( see #753 )
• Remove (most) requirements for using 'doveadm pw' for password hashing ( see #491 )
• Add OpenDKIM domain key handling ( see #631 )
• Add content security policy http headers and improve PHP session cookie security ( #903 and #905 )
• Updates various libraries, and moves to use 'composer' for their management (see composer.json)
• Improve unit test coverage + updates github actions build
• Various vacation.pl script improvements ( #648, #784, #482, #483 and #495 )
• Dark theme support ( see #569 )
• Documentation improvements
• Remove support for the MySQL ENCRYPT hashing backend (no longer supported by MySQL after 5.7)
• Various code improvements (PHP type hints, cleanups)
• Improves setup.php output (warnings/errors)
• Fix up DB migration and try to ensure MySQL tables have been migrated to InnoDB before running upgrade 1848
• Moves minimum PHP version to 7.4

There was a 4.0 release, but it somehow didn't get out of draft before @cboltz found a few minor issues, so 4.0.1 is the first v4 release.

Thank you to everyone who has contributed.

• Correct PHP requirement to >= 7.2 - it seems we've managed to lose support for PHP 7.0 somehow (Smarty,PHPUnit), possibly related to #541.
• Make PHP session cookies more secure (add samesite, httponly and perhaps secure flags) - see #903, thanks @gitblacker
• Upgrade moment.js library used by bootstrap - includes fix for Regex DoS issues - see #902, thanks @gitblacker
• Add (lax) Content-Security-Policy HTTP header (see common.php) - see #905, thanks @gitblacker
• Add sqlite3 to Debian control dependency list - see #909, thanks @marner2
• Exclude the "ALL" domain from the Postfix SQL queries - see #916, thanks @Ramalama2

• Tidy up some documentation
• Remove support for the MySQL ENCRYPT hashing backend (no longer supported by MySQL after 5.7)
• Fix documentation for smtpd_sender_login_maps (referenced in docs)
• Remove some dead code, add some PHP type hints
• Improve install.sh a little (supports system wide 'composer' as well)
• Fix database table prefix support for app password/totp secret stuff
• Attempt to improve warnings/info output from setup.php (try not to moan about db extensions that are missing and we're not trying to use)
• Fix up DB migration and try to ensure MySQL tables have been migrated to InnoDB before running upgrade 1848

Thanks to @cboltz for testing/feedback on IRC.

In preparation for a 4.0 release ..... here's an initial beta.

• Add TOTP (Time based One Time Password) support for mailboxes, along with application specific passwords and exceptions (ip addresses). ( see #753 )
• Remove (most) requirements for using 'doveadm pw' for password hashing ( see #491 )
• Add OpenDKIM domain key handling ( see #631 )
• Add content security policy http headers and improve PHP session cookie security ( #903 and #905 )
• Update libraries (smarty etc)
• Installation now requires use of 'composer' - see install.sh
• Improve unit test coverage + github actions build
• Various vacation.pl script improvements ( #648, #784, #482, #483 and #495 )
• Dark theme support ( see #569 )

• Add postfixadmin-cli man page (thanks @delgh1)
• Update smarty (to v4.5.5, see https://github.com/smarty-php/smarty/releases/tag/v4.5.5, PHP 8.4 support)
• Fix smarty/htmlentities issue - probably triggers PHP warning messages within the UI (see #872)

• Update bundled smarty (4.5.4); PostfixAdmin should not be vulnerable to CVE-2024-35226 mentioned in the release etc.
• Improve the layout of the vacation form (#834 ; thanks to @ariabamdad)
• Updates to vacation.pl (around $no_vacation_pattern) (see #826)
• Update jQuery (used for datetime widget when setting vacation etc) (see #734 - thanks @tibor-banfalvi)
• Fix issue with password validation check (see #697 - thanks @bmatthewshea)
• Fix undefined quota ( see #870 and #853)
• Remember to bump version number ;-) (see #694)

Fixes :

• #690
• #687 ( thanks @stefanomarty )

Which were from some MySQL collation changes missing from the 3.3 branch and a related fix for what was MariaDB only syntax (now ought to work for MySQL too) (related to the collation fixes).

See also postfixadmin-3.3.12...postfixadmin-3.3.13

• psalm and phpcs formatting fixes
• Update smarty (4.3.0)
  • (this includes a smarty security fix that ought not affect PostfixAdmin).
  • includes fixes for PHP 8.1 and also #541
• fixes #632 (passing a null value into htmlentities)

• Improve PHP 8 compatability (crypt())
• Support $CONF['database_port'] when connecting to MySQL

• Merge password expiration fixes from #493
• Remove html readonly attribute from user's vacation page to/from selectors.
• vacation.pl - allow smtp helo to be specified (see #495)
• Security fix - ClickJacking protection (thanks @huntr-helper / @ranjit-git) (see #523)
• Security fix (low risk) - Improve randomness with PFA_token for CSRF protection (thanks @michaellrowley)
• Fix viewlog to allow admins to see all domains (thanks @pgimalac, #516)
• Disable password autocompletion in edit forms (thanks @gabrielfin, see #510)

(a previous 3.3.10 release didn't include a change to the version number in config.inc.php ... sorry)