mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2026-03-07 16:17:23 +01:00
Merge remote-tracking branch 'up/master'
This commit is contained in:
David Duque
@@ -136,7 +136,14 @@ function get_default_privateip {
|
||||
function ufw_allow {
|
||||
if [ -z "${DISABLE_FIREWALL:-}" ]; then
|
||||
# ufw has completely unhelpful output
|
||||
ufw allow $1 > /dev/null;
|
||||
ufw allow "$1" > /dev/null;
|
||||
fi
|
||||
}
|
||||
|
||||
function ufw_limit {
|
||||
if [ -z "${DISABLE_FIREWALL:-}" ]; then
|
||||
# ufw has completely unhelpful output
|
||||
ufw limit "$1" > /dev/null;
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@@ -50,7 +50,7 @@ hide_output $venv/bin/pip install --upgrade pip
|
||||
hide_output $venv/bin/pip install --upgrade \
|
||||
rtyaml "email_validator>=1.0.0" "exclusiveprocess" \
|
||||
flask dnspython python-dateutil \
|
||||
"idna>=2.0.0" "cryptography==2.2.2" boto psutil
|
||||
"idna>=2.0.0" "cryptography==2.2.2" boto psutil postfix-mta-sts-resolver
|
||||
|
||||
# CONFIGURATION
|
||||
|
||||
|
||||
@@ -82,9 +82,10 @@ if [ ! -f $STORAGE_ROOT/mailinabox.version ]; then
|
||||
chown $STORAGE_USER.$STORAGE_USER $STORAGE_ROOT/mailinabox.version
|
||||
fi
|
||||
|
||||
|
||||
# Save the global options in /etc/mailinabox.conf so that standalone
|
||||
# tools know where to look for data.
|
||||
# tools know where to look for data. The default MTA_STS_MODE setting
|
||||
# is blank unless set by an environment variable, but see web.sh for
|
||||
# how that is interpreted.
|
||||
cat > /etc/mailinabox.conf << EOF;
|
||||
STORAGE_USER=$STORAGE_USER
|
||||
STORAGE_ROOT=$STORAGE_ROOT
|
||||
@@ -93,6 +94,7 @@ PUBLIC_IP=$PUBLIC_IP
|
||||
PUBLIC_IPV6=$PUBLIC_IPV6
|
||||
PRIVATE_IP=$PRIVATE_IP
|
||||
PRIVATE_IPV6=$PRIVATE_IPV6
|
||||
MTA_STS_MODE=${MTA_STS_MODE-}
|
||||
EOF
|
||||
|
||||
# Start service configuration.
|
||||
|
||||
@@ -240,7 +240,7 @@ if [ -z "${DISABLE_FIREWALL:-}" ]; then
|
||||
apt_install ufw
|
||||
|
||||
# Allow incoming connections to SSH.
|
||||
ufw_allow ssh;
|
||||
ufw_limit ssh;
|
||||
|
||||
# ssh might be running on an alternate port. Use sshd -T to dump sshd's #NODOC
|
||||
# settings, find the port it is supposedly running on, and open that port #NODOC
|
||||
@@ -250,7 +250,7 @@ if [ -z "${DISABLE_FIREWALL:-}" ]; then
|
||||
if [ "$SSH_PORT" != "22" ]; then
|
||||
|
||||
echo Opening alternate SSH port $SSH_PORT. #NODOC
|
||||
ufw_allow $SSH_PORT #NODOC
|
||||
ufw_limit $SSH_PORT #NODOC
|
||||
|
||||
fi
|
||||
fi
|
||||
|
||||
18
setup/web.sh
18
setup/web.sh
@@ -19,7 +19,7 @@ fi
|
||||
|
||||
echo "Installing Nginx (web server)..."
|
||||
|
||||
apt_install nginx php-cli php-fpm
|
||||
apt_install nginx php-cli php-fpm idn2
|
||||
|
||||
rm -f /etc/nginx/sites-enabled/default
|
||||
|
||||
@@ -122,6 +122,21 @@ cat conf/mozilla-autoconfig.xml \
|
||||
> /var/lib/mailinabox/mozilla-autoconfig.xml
|
||||
chmod a+r /var/lib/mailinabox/mozilla-autoconfig.xml
|
||||
|
||||
# Create a generic mta-sts.txt file which is exposed via the
|
||||
# nginx configuration at /.well-known/mta-sts.txt
|
||||
# more documentation is available on:
|
||||
# https://www.uriports.com/blog/mta-sts-explained/
|
||||
# default mode is "enforce". Change to "testing" which means
|
||||
# "Messages will be delivered as though there was no failure
|
||||
# but a report will be sent if TLS-RPT is configured" if you
|
||||
# are not sure you want this yet. Or "none".
|
||||
PUNY_PRIMARY_HOSTNAME=$(echo "$PRIMARY_HOSTNAME" | idn2)
|
||||
cat conf/mta-sts.txt \
|
||||
| sed "s/MODE/${MTA_STS_MODE:-enforce}/" \
|
||||
| sed "s/PRIMARY_HOSTNAME/$PUNY_PRIMARY_HOSTNAME/" \
|
||||
> /var/lib/mailinabox/mta-sts.txt
|
||||
chmod a+r /var/lib/mailinabox/mta-sts.txt
|
||||
|
||||
# make a default homepage
|
||||
if [ -d $STORAGE_ROOT/www/static ]; then mv $STORAGE_ROOT/www/static $STORAGE_ROOT/www/default; fi # migration #NODOC
|
||||
mkdir -p $STORAGE_ROOT/www/default
|
||||
@@ -137,4 +152,3 @@ restart_service php$PHP_VERSION-fpm
|
||||
# Open ports.
|
||||
ufw_allow http
|
||||
ufw_allow https
|
||||
|
||||
|
||||
@@ -28,8 +28,8 @@ apt_install \
|
||||
# Install Roundcube from source if it is not already present or if it is out of date.
|
||||
# Combine the Roundcube version number with the commit hash of plugins to track
|
||||
# whether we have the latest version of everything.
|
||||
VERSION=1.4.4
|
||||
HASH=4e425263f5bec27d39c07bde524f421bda205c07
|
||||
VERSION=1.4.6
|
||||
HASH=44961ef62bb9c9875141ca34704bbc7d6f36373d
|
||||
PERSISTENT_LOGIN_VERSION=6b3fc450cae23ccb2f393d0ef67aa319e877e435
|
||||
HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
|
||||
CARDDAV_VERSION=3.0.3
|
||||
@@ -160,7 +160,7 @@ mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundc
|
||||
chown -R www-data.www-data /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
|
||||
|
||||
# Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
|
||||
sudo -u www-data touch /var/log/roundcubemail/errors
|
||||
sudo -u www-data touch /var/log/roundcubemail/errors.log
|
||||
|
||||
# Password changing plugin settings
|
||||
# The config comes empty by default, so we need the settings
|
||||
|
||||
Reference in New Issue
Block a user