diff --git a/CHANGELOG.md b/CHANGELOG.md index 298791ba..089aa68d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,12 +1,23 @@ CHANGELOG ========= -In Development --------------- +v0.41 (February 26, 2019) +------------------------- System: * Missing brute force login attack prevention (fail2ban) filters which stopped working on Ubuntu 18.04 were added back. +* Upgrades would fail if Mail-in-a-Box moved to a different directory in `systemctl link`. + +Mail: + +* Incoming messages addressed to more than one local user were rejected because of a bug in spampd packaged by Ubuntu 18.04. A workaround was added. + +Contacts/Calendar: + +* Upgraded Nextcloud from 13.0.6 to 14.0.6. +* Upgraded Contacts from 2.1.5 to 2.1.8. +* Upgraded Calendar from 1.6.1 to 1.6.4. v0.40 (January 12, 2019) ------------------------ diff --git a/README.md b/README.md index 300fe496..01997fd4 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ by him: $ curl -s https://keybase.io/joshdata/key.asc | gpg --import gpg: key C10BDD81: public key "Joshua Tauberer " imported - $ git verify-tag v0.40 + $ git verify-tag v0.41 gpg: Signature made ..... using RSA key ID C10BDD81 gpg: Good signature from "Joshua Tauberer " gpg: WARNING: This key is not certified with a trusted signature! @@ -71,7 +71,7 @@ and on his [personal homepage](https://razor.occams.info/). (Of course, if this Checkout the tag corresponding to the most recent release: - $ git checkout v0.40 + $ git checkout v0.41 Begin the installation. diff --git a/management/templates/aliases.html b/management/templates/aliases.html index 89af221f..e8d0cb1c 100644 --- a/management/templates/aliases.html +++ b/management/templates/aliases.html @@ -51,7 +51,7 @@
diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh index 3442499d..74bf5e16 100644 --- a/setup/bootstrap.sh +++ b/setup/bootstrap.sh @@ -20,7 +20,7 @@ if [ -z "$TAG" ]; then # want to display in status checks. if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then # This machine is running Ubuntu 18.04. - TAG=v0.40 + TAG=v0.41 elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then # This machine is running Ubuntu 14.04. diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index 1ea64a50..36004597 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -42,7 +42,8 @@ source /etc/mailinabox.conf # load global vars # * `ca-certificates`: A trust store used to squelch postfix warnings about # untrusted opportunistically-encrypted connections. echo "Installing Postfix (SMTP server)..." -apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates +apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates \ + postfix-policyd-spf-python postsrsd # ### Basic Settings @@ -97,7 +98,9 @@ tools/editconf.py /etc/postfix/master.cf -s -w \ -o cleanup_service_name=authclean" \ "authclean=unix n - - - 0 cleanup -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters - -o nested_header_checks=" + -o nested_header_checks=" \ + "policy-spf=unix - n n - - spawn + user=nobody argv=/usr/bin/policyd-spf" # Install the `outgoing_mail_header_filters` file required by the new 'authclean' service. cp conf/postfix_outgoing_mail_header_filters /etc/postfix/outgoing_mail_header_filters 
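Review bot: The new `policy-spf` spawn entry in master.cf runs policyd-spf as `user=nobody`, which shares that uid with every other service on the box that falls back to nobody; the Ubuntu postfix-policyd-spf-python package installed in the previous hunk creates a dedicated `policyd-spf` account, I believe, and upstream's master.cf example uses it, so `user=policyd-spf argv=/usr/bin/policyd-spf` is the safer line (confirm the account exists after apt_install). The entry is also defined unconditionally while the later hunk only references it from smtpd_recipient_restrictions when POLICY_SPF is 1; that is harmless, but a comment on the entry such as `# only used when POLICY_SPF=1, see the recipient restrictions below` saves the next reader a search. The editconf call this argument belongs to starts outside the hunk.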
@@ -173,8 +176,11 @@ tools/editconf.py /etc/postfix/main.cf \ # # In a basic setup we would pass mail directly to Dovecot by setting # virtual_transport to `lmtp:unix:private/dovecot-lmtp`. -# tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025 +# Because of a spampd bug, limit the number of recipients in each connection. +# See https://github.com/mail-in-a-box/mailinabox/issues/1523. +tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1 + # Who can send mail to us? Some basic filters. # 
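Review bot: `lmtp_destination_recipient_limit=1` is a workaround with a cost the comment should record: it applies to every delivery over the lmtp transport (here the virtual_transport to 127.0.0.1:10025 shown in the context line), so a message with N local recipients is presumably handed to spampd, and scanned, N times. Suggest extending the comment with `# TODO: revert once the Ubuntu spampd package is fixed; with the limit at 1 a multi-recipient message is delivered (and scanned) once per recipient.` so the setting is not mistaken for a permanent tuning choice. The enclosing script continues outside the hunk.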
@@ -193,13 +199,19 @@ tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025 # so these IPs get mail delivered quickly. But when an IP is not listed in the permit_dnswl_client list (i.e. it is not #NODOC # whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC # "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC -RECIPIENT_RESTRICTIONS=permit_sasl_authenticated,permit_mynetworks,\"reject_rbl_client zen.spamhaus.org\",reject_unlisted_recipient -if [ $NO_GREYLISTING != "1" ]; then - RECIPIENT_RESTRICTIONS=${RECIPIENT_RESTRICTIONS},\"check_policy_service inet:127.0.0.1:10023\" +postconf -e smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" + +RECIPIENT_RESTRICTIONS="permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org,reject_unlisted_recipient" + +if [ $GREYLISTING != 1 ]; then + RECIPIENT_RESTRICTIONS="${RECIPIENT_RESTRICTIONS},check_policy_service inet:127.0.0.1:10023" fi -tools/editconf.py /etc/postfix/main.cf \ - smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \ - smtpd_recipient_restrictions=$RECIPIENT_RESTRICTIONS + +if [ $POLICY_SPF == 1 ]; then + RECIPIENT_RESTRICTIONS="${RECIPIENT_RESTRICTIONS},check_policy_service unix:private/policy-spf" +fi + +postconf -e smtpd_recipient_restrictions="$RECIPIENT_RESTRICTIONS" # Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that # Postgrey listens on the same interface (and not IPv6, for instance). 
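Review bot: The greylisting test in this hunk is inverted: `if [ $GREYLISTING != 1 ]` appends the Postgrey `check_policy_service inet:127.0.0.1:10023` exactly when greylisting is switched off, and with start.sh defaulting GREYLISTING to 1 a default install now runs without greylisting while an opt-out install gets it. The removed line tested NO_GREYLISTING, so the rename needed the comparison flipped: `if [ "$GREYLISTING" = "1" ]; then`. While there, quote the variables and use POSIX `=` instead of `==` inside `[` for the POLICY_SPF test here and the POSTSRSD test in the next hunk, e.g. `if [ "$POLICY_SPF" = "1" ]; then`; if the variable is ever empty, the unquoted form makes test report a syntax error instead of evaluating the comparison. A one-line comment above the POLICY_SPF branch noting that the `policy-spf` service it references is defined in master.cf earlier in this file would also help.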
@@ -216,6 +228,29 @@ tools/editconf.py /etc/default/postgrey \ tools/editconf.py /etc/postfix/main.cf \ message_size_limit=134217728 +if [ $POSTSRSD == "1" ]; then + # Setup SRS + postconf -e \ + sender_canonical_maps=tcp:localhost:10001 \ + sender_canonical_classes=envelope_sender \ + recipient_canonical_maps=tcp:localhost:10002 \ + recipient_canonical_classes=envelope_recipient,header_recipient + + hide_output systemctl enable postsrsd + hide_output systemctl restart postsrsd + +else + postconf -e \ + sender_canonical_maps= \ + sender_canonical_classes= \ + recipient_canonical_maps= \ + recipient_canonical_classes= + + hide_output systemctl disable postsrsd + hide_output systemctl stop postsrsd +fi + + # Allow the two SMTP ports in the firewall. ufw_allow smtp diff --git a/setup/management.sh b/setup/management.sh index 9c221198..f7621a8b 100755 --- a/setup/management.sh +++ b/setup/management.sh @@ -93,7 +93,7 @@ source $venv/bin/activate exec python `pwd`/management/daemon.py EOF chmod +x $inst_dir/start -hide_output systemctl link conf/mailinabox.service +hide_output systemctl link -f conf/mailinabox.service hide_output systemctl daemon-reload hide_output systemctl enable mailinabox.service diff --git a/setup/munin.sh b/setup/munin.sh index 8a85085d..3cb1cd9d 100755 --- a/setup/munin.sh +++ b/setup/munin.sh @@ -64,7 +64,7 @@ mkdir -p /var/lib/munin-node/plugin-state/ # Create a systemd service for munin. ln -sf $(pwd)/management/munin_start.sh /usr/local/lib/mailinabox/munin_start.sh chmod 0744 /usr/local/lib/mailinabox/munin_start.sh -hide_output systemctl link conf/munin.service +hide_output systemctl link -f conf/munin.service hide_output systemctl daemon-reload hide_output systemctl unmask munin.service hide_output systemctl enable munin.service diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 167c2012..9476bbf8 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh 
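Review bot: `if [ $POSTSRSD == "1" ]` should quote the variable and use `=` (`if [ "$POSTSRSD" = "1" ]; then`), since the unquoted form fails with a test syntax error when POSTSRSD is empty. The `# Setup SRS` comment is too thin for a change that rewrites envelope addresses on mail through the box; suggest replacing it with a comment stating that PostSRSd rewrites the envelope sender of forwarded mail into this box's domain so SPF checks at the next hop pass, and that the recipient maps undo that rewrite on returning bounces. Nothing in the hunk sets the SRS domain or secret, so presumably the Ubuntu package's /etc/default/postsrsd defaults are in effect — confirm the rewritten domain is one this box accepts mail for, or the bounces SRS exists to preserve are lost. `recipient_canonical_classes=envelope_recipient,header_recipient` also rewrites header recipients, which matches the PostSRSd documentation's recommendation but deserves a note since it touches message headers, not just the envelope.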
@@ -39,11 +39,11 @@ InstallNextcloud() { # their github repositories. mkdir -p /usr/local/lib/owncloud/apps - wget_verify https://github.com/nextcloud/contacts/releases/download/v2.1.5/contacts.tar.gz b7460d15f1b78d492ed502d778c0c458d503ba17 /tmp/contacts.tgz + wget_verify https://github.com/nextcloud/contacts/releases/download/v2.1.8/contacts.tar.gz b5d5bbee33f0c32b124b46cb6aaab90c695ac170 /tmp/contacts.tgz tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/contacts.tgz - wget_verify https://github.com/nextcloud/calendar/releases/download/v1.6.1/calendar.tar.gz f93a247cbd18bc624f427ba2a967d93ebb941f21 /tmp/calendar.tgz + wget_verify https://github.com/nextcloud/calendar/releases/download/v1.6.4/calendar.tar.gz d8a7950dba14803472b6c19625a8ceb23d6fd4ef /tmp/calendar.tgz tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/calendar.tgz @@ -72,11 +72,14 @@ InstallNextcloud() { sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off echo "...which seemed to work." fi + + # Add missing indices. NextCloud didn't include this in the normal upgrade because it might take some time. + sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-indices fi } -nextcloud_ver=13.0.6 -nextcloud_hash=33e41f476f0e2be5dc7cdb9d496673d9647aa3d6 +nextcloud_ver=14.0.6 +nextcloud_hash=4e43a57340f04c2da306c8eea98e30040399ae5a # Check if Nextcloud dir exist, and check if version matches nextcloud_ver (if either doesn't - install/upgrade) if [ ! -d /usr/local/lib/owncloud/ ] \ 
@@ -93,11 +96,11 @@ if [ ! -d /usr/local/lib/owncloud/ ] \ echo "Upgrading Nextcloud --- backing up existing installation, configuration, and database to directory to $BACKUP_DIRECTORY..." cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install" fi - if [ -e /home/user-data/owncloud/owncloud.db ]; then - cp /home/user-data/owncloud/owncloud.db $BACKUP_DIRECTORY + if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then + cp $STORAGE_ROOT/owncloud/owncloud.db $BACKUP_DIRECTORY fi - if [ -e /home/user-data/owncloud/config.php ]; then - cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY + if [ -e $STORAGE_ROOT/owncloud/config.php ]; then + cp $STORAGE_ROOT/owncloud/config.php $BACKUP_DIRECTORY fi # If ownCloud or Nextcloud was previously installed.... 
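Review bot: `$STORAGE_ROOT` is unquoted in all four changed lines (`[ -e $STORAGE_ROOT/owncloud/owncloud.db ]` and the two `cp` calls), so a path containing whitespace word-splits, while `$BACKUP_DIRECTORY` in the unchanged cp above is quoted. Suggest `if [ -e "$STORAGE_ROOT/owncloud/owncloud.db" ]; then` and `cp "$STORAGE_ROOT/owncloud/owncloud.db" "$BACKUP_DIRECTORY"`, with the same for config.php. config.php typically carries the instance secret and password salt, so the permissions of BACKUP_DIRECTORY matter; where it is created is outside this hunk and worth confirming it is not world-readable. The enclosing `if [ ! -d /usr/local/lib/owncloud/ ]` block starts before the hunk.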
@@ -105,19 +108,13 @@ if [ ! -d /usr/local/lib/owncloud/ ] \ # Database migrations from ownCloud are no longer possible because ownCloud cannot be run under # PHP 7. if grep -q "OC_VersionString = '[89]\." /usr/local/lib/owncloud/version.php; then - echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 8 or 9) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting." + echo "Upgrades from Mail-in-a-Box prior to v0.28 (dated July 30, 2018) with Nextcloud < 13.0.6 (you have ownCloud 8 or 9) are not supported. Upgrade to Mail-in-a-Box version v0.30 first. Setup aborting." exit 1 fi - if grep -q "OC_VersionString = '10\." /usr/local/lib/owncloud/version.php; then - echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 10) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting." + if grep -q "OC_VersionString = '1[012]\." /usr/local/lib/owncloud/version.php; then + echo "Upgrades from Mail-in-a-Box prior to v0.28 (dated July 30, 2018) with Nextcloud < 13.0.6 (you have ownCloud 10, 11 or 12) are not supported. Upgrade to Mail-in-a-Box version v0.30 first. Setup aborting." exit 1 fi - - # If we are upgrading from Nextcloud 11 we should go to Nextcloud 12 first. - if grep -q "OC_VersionString = '11\." /usr/local/lib/owncloud/version.php; then - echo "We are running Nextcloud 11, upgrading to Nextcloud 12.0.5 first" - InstallNextcloud 12.0.5 d25afbac977a4e331f5e38df50aed0844498ca86 - fi fi InstallNextcloud $nextcloud_ver $nextcloud_hash diff --git a/setup/options-dialog.py b/setup/options-dialog.py new file mode 100644 index 00000000..9c9bfc60 --- /dev/null +++ b/setup/options-dialog.py 
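Review bot: The new error text says "(you have ownCloud 10, 11 or 12)", but 11 and 12 are Nextcloud versions and the grep now matches `1[012]`, so the message misnames what it detects; suggest `echo "Upgrades from Mail-in-a-Box prior to v0.28 (dated July 30, 2018) with Nextcloud < 13.0.6 (you have ownCloud 10 or Nextcloud 11 or 12) are not supported. Upgrade to Mail-in-a-Box version v0.30 first. Setup aborting."`. Removing the 11→12 step also turns a box still on Nextcloud 12 from "upgraded" into "refused", which is what the widened grep does; a one-line comment above the second grep stating that the direct upgrade path from 12 was dropped deliberately and that v0.30 is the intermediate release, as the message says, would make that explicit. The enclosing if block begins outside the hunk.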
@@ -0,0 +1,60 @@ +#!/usr/bin/env python +# encoding: utf-8 + +import npyscreen +import sys +import os + + +class TestApp(npyscreen.NPSApp): + def main(self): + # These lines create the form and populate it with widgets. + # A fairly complex screen in only 8 or so lines of code - a line for each control. + npyscreen.setTheme(npyscreen.Themes.BlackOnWhiteTheme) + + form = npyscreen.Form(name = "Mail-in-a-Box Options",) + postgrey_text = form.add( + npyscreen.TitleFixedText, + name="POSTGREY", + value="Should Postgrey be used to greylist messages?", + editable=False + ) + form.add(npyscreen.FixedText) + + postgrey_text = form.add( + npyscreen.MultiLineEditable, + name="POSTSRSD", + value="The PostSRSd daemon performs return path rewriting using the SRS protocol.\n" + "Not that all messages, including locally delivered mail will have their return\n" + "paths rewritten", + max_height=4, + editable=False + ) + form.add(npyscreen.FixedText) + + options = form.add( + npyscreen.TitleMultiSelect, + max_height=-2, + value = [ + int(os.getenv('POSTGREY', 1)), + int(os.getenv('POSTSRSD', 0)), + int(os.getenv('POLICY_SPF', 0)) + ], + name="Options", + values= ["POSTGREY","POSTSRSD","POLICY_SPF"], + scroll_exit=True + ) + + # This lets the user interact with the Form. + form.edit() + + with open('_options.sh', 'w') as output: + print('POSTGREY=%i' % (1 if 0 in options.value else 0), file=output) + print('POSTSRSD=%i' % (1 if 1 in options.value else 0), file=output) + print('POLICY_SPF=%i' % (1 if 2 in options.value else 0), file=output) + # print(npyscreen.ThemeManager.default_colors, file=output) + + +if __name__ == "__main__": + App = TestApp() + App.run() diff --git a/setup/questions.sh b/setup/questions.sh index bf382f49..18b64f02 100644 --- a/setup/questions.sh +++ b/setup/questions.sh 
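Review bot: The `value=` list passed to TitleMultiSelect misuses the widget: its value is the list of selected indices (the readback `1 if 0 in options.value` below relies on exactly that), yet it is filled with the three flag values, so the defaults `[1, 0, 0]` pre-select rows 0 and 1 (POSTGREY and POSTSRSD) instead of just POSTGREY, and a nonzero POLICY_SPF also lands on row 1. Build indices instead: `value=[i for i, v in enumerate((os.getenv('POSTGREY', '1'), os.getenv('POSTSRSD', '0'), os.getenv('POLICY_SPF', '0'))) if int(v)],`. The dialog reads POSTGREY from the environment while start.sh in this same commit names the setting GREYLISTING, and it writes `_options.sh` into the current directory that nothing in the diff reads, so its choices appear not to reach the installer. Smaller points: the shebang says `python` although questions.sh runs it with python3 and `print(..., file=output)` needs Python 3; the second `form.add` result is stored in `postgrey_text` (copy-paste) and `sys` is unused; and the POSTSRSD text has "Not that" for "Note that".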
@@ -16,6 +16,7 @@ if [ -z "${NONINTERACTIVE:-}" ]; then # we install it inside a virtualenv. In this script, we don't have the virtualenv yet # so we install the python package globally. hide_output pip3 install "email_validator>=1.0.0" || exit 1 + hide_output pip3 install npyscreen || exit 1 message_box "Mail-in-a-Box Installation" \ "Hello and thanks for deploying a Mail-in-a-Box! @@ -193,6 +194,8 @@ if [ -z "${STORAGE_ROOT:-}" ]; then STORAGE_ROOT=$([[ -z "${DEFAULT_STORAGE_ROOT:-}" ]] && echo "/home/$STORAGE_USER" || echo "$DEFAULT_STORAGE_ROOT") fi +python3 setup/options-dialog.py + # Show the configuration, since the user may have not entered it manually. echo echo "Primary Hostname: $PRIMARY_HOSTNAME" diff --git a/setup/start.sh b/setup/start.sh index 60a0349e..b84d720c 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -42,18 +42,20 @@ else FIRST_TIME_SETUP=1 fi -if [ -z "${DEFAULT_HTTP_SSL_PORT:-}" ]; then - HTTP_SSL_PORT=443 -else - HTTP_SSL_PORT=$DEFAULT_HTTP_SSL_PORT +if [ -z "${HTTP_SSL_PORT:-}" ]; then + HTTP_SSL_PORT=$([[ -z "${DEFAULT_HTTP_SSL_PORT:-}" ]] && echo "443" || echo "$DEFAULT_HTTP_SSL_PORT") fi -if [ -z "${DEFAULT_NO_GREYLISTING:-}" ]; then - NO_GREYLISTING=0 -elif (($DEFAULT_NO_GREYLISTING > 0)); then - NO_GREYLISTING=1 -else - NO_GREYLISTING=0 +if [ -z "${GREYLISTING:-}" ]; then + GREYLISTING=$([[ -z "${DEFAULT_GREYLISTING:-}" ]] && echo "1" || echo "$DEFAULT_GREYLISTING") +fi + +if [ -z "${POSTSRSD:-}" ]; then + POSTSRSD=$([[ -z "${DEFAULT_POSTSRSD:-}" ]] && echo "0" || echo "$DEFAULT_POSTSRSD") +fi + +if [ -z "${POLICY_SPF:-}" ]; then + POLICY_SPF=$([[ -z "${DEFAULT_POLICY_SPF:-}" ]] && echo "0" || echo "$DEFAULT_POLICY_SPF") fi # Put a start script in a global location. We tell the user to run 'mailinabox' 
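Review bot: `hide_output pip3 install npyscreen || exit 1` pulls an unpinned package from PyPI into the system Python at install time, so every deployment gets whatever version the index serves that day and a compromised or yanked release reaches the box unnoticed; the email_validator line above at least states a version floor. Pin it (`hide_output pip3 install "npyscreen==<pinned-version>" || exit 1`) or, if Ubuntu 18.04 ships a python3-npyscreen package, prefer apt_install so it is covered by the distro's signing and updates — I have not confirmed that package exists. The enclosing `if [ -z "${NONINTERACTIVE:-}" ]` block starts before the hunk, so this only runs for interactive installs.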
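Review bot: `python3 setup/options-dialog.py` is added at the top level of questions.sh, after the STORAGE_ROOT block and outside the NONINTERACTIVE guard seen in the earlier hunk, so an unattended install will try to open a curses dialog, and its exit status is ignored. The script writes `_options.sh` to the current directory, and nothing in this diff sources that file or maps its POSTGREY key onto the GREYLISTING variable that start.sh and mail-postfix.sh use, so the choices made in the dialog appear not to take effect. Where questions.sh is sourced relative to the defaults block in start.sh is not visible here, so the rewrite below assumes the dialog's values should win when present.
```shell
# … unchanged: STORAGE_ROOT default …
if [ -z "${NONINTERACTIVE:-}" ]; then
  python3 setup/options-dialog.py || exit 1
  # options-dialog.py writes POSTGREY/POSTSRSD/POLICY_SPF; the installer's name for the first is GREYLISTING.
  source _options.sh
  GREYLISTING=$POSTGREY
  rm -f _options.sh
fi
```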
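Review bot: DEFAULT_NO_GREYLISTING is dropped and replaced by DEFAULT_GREYLISTING with opposite polarity, so unattended deployments that still export DEFAULT_NO_GREYLISTING=1 silently get greylisting turned back on, and a /etc/mailinabox.conf written by an earlier release carries NO_GREYLISTING rather than GREYLISTING, so an existing opt-out is lost on upgrade as well. The removed code also normalised any positive DEFAULT_NO_GREYLISTING to 1, whereas the new assignments copy DEFAULT_GREYLISTING/POSTSRSD/POLICY_SPF verbatim even though mail-postfix.sh compares them against the literal 1, so a value like `DEFAULT_POSTSRSD=yes` is accepted here and then silently treated as off. A compatibility line before the GREYLISTING default keeps old installs working: `if [ -n "${DEFAULT_NO_GREYLISTING:-}" ] && (( DEFAULT_NO_GREYLISTING > 0 )); then GREYLISTING=0; fi`. Whether start.sh sources /etc/mailinabox.conf before this block is not visible in the hunk; if it does, `${NO_GREYLISTING:-}` deserves the same treatment.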
@@ -108,7 +110,9 @@ PUBLIC_IPV6=$PUBLIC_IPV6 PRIVATE_IP=$PRIVATE_IP PRIVATE_IPV6=$PRIVATE_IPV6 HTTP_SSL_PORT=$HTTP_SSL_PORT -NO_GREYLISTING=$NO_GREYLISTING +GREYLISTING=$GREYLISTING +POSTSRSD=$POSTSRSD +POLICY_SPF=$POLICY_SPF EOF # Start service configuration.