* Fix #1997 (allow the use of an external file for the email blacklist)
* Change config key names for blacklist (compatibility break)
* Accept globs rather than regexes for blacklist by default
* Blacklist comparison is now case-insensitive
* Makefile: Add dependencies between targets
* Implement draft/message-redaction for channels
Permission to use REDACT mirrors permission for 'HistServ DELETE'
* Error when the given targetmsg does not exist
* gofmt
* Add CanDelete enum type
* gofmt
* Add support for PMs
* Fix documentation of allow-individual-delete.
* Remove 'TODO: add configurable fallback'
slingamn says it's probably not desirable, and I'm on the fence.
Out of laziness, let's omit it for now, as it's not a regression
compared to '/msg HistServ DELETE'.
* Revert "Makefile: Add dependencies between targets"
This reverts commit 2182b1da69.
---------
Co-authored-by: Val Lorentz <progval+git+ergo@progval.net>
* Add email-based password reset
Fixes #734
* rename SETPASS to RESETPASS
* review fixes
* abuse mitigations
* SENDPASS and RESETPASS should both touch the client login throttle
* Produce a logline and a sno on SENDPASS (since it actually sends an email)
* don't re-retrieve the settings value
* add email confirmation for NS SET EMAIL
* smtp: if require-tls is disabled, don't validate server cert
* review fixes
* remove cooldown for NS SET EMAIL
If you accidentally set the wrong address, the cooldown would prevent you
from fixing your mistake. Since we touch the registration throttle anyway,
this shouldn't present more of an abuse concern than registration itself.
1. Fix auth bypass in the default configuration with the addition of
server.password (the REGISTER command was allowed before connection
registration, allowing unauthenticated users to REGISTER and then
take advantage of skip-server-password)
2. Caution operators against the use of require-sasl without disabling
user-initiated account registration. (Such a configuration is still valid
in the case of a public server that requires everyone to register.)
Two objectives:
1. Reduce thundering-herd effects on server restart (a cost of 4 should be
approximately 1 millisecond of CPU time per reconnecting client)
2. Speed up mobile reattach as much as possible (see also #1420)
Whenever CIDR is mentioned in the config, it's in combination with IP, so
talking about addresses in these points gives the wrong impression that a
domain name would be valid, as those are often thought of as addresses.