Add own changes

management/backup.py

@@ -325,15 +325,6 @@ def perform_backup(full_backup, user_initiated=False):
 	if get_target_type(config) == 'file':
 		shell('check_call', ["/bin/chown", "-R", env["STORAGE_USER"], backup_dir])
 
-	# Execute a post-backup script that does the copying to a remote server.
-	# Run as the STORAGE_USER user, not as root. Pass our settings in
-	# environment variables so the script has access to STORAGE_ROOT.
-	post_script = os.path.join(backup_root, 'after-backup')
-	if os.path.exists(post_script):
-		shell('check_call',
-			['su', env['STORAGE_USER'], '-c', post_script, config["target"]],
-			env=env)
-
 	# Our nightly cron job executes system status checks immediately after this
 	# backup. Since it checks that dovecot and postfix are running, block for a
 	# bit (maximum of 10 seconds each) to give each a chance to finish restarting
@@ -346,6 +337,16 @@ def perform_backup(full_backup, user_initiated=False):
 		wait_for_service(25, True, env, 10)
 		wait_for_service(993, True, env, 10)
 
+	# Execute a post-backup script that does the copying to a remote server.
+	# Run as the STORAGE_USER user, not as root. Pass our settings in
+	# environment variables so the script has access to STORAGE_ROOT.
+	post_script = os.path.join(backup_root, 'after-backup')
+	if os.path.exists(post_script):
+		shell('check_call',
+			['su', env['STORAGE_USER'], '-c', post_script, config["target"]],
+			env=env)
+
+
 def run_duplicity_verification():
 	env = load_environment()
 	backup_root = os.path.join(env["STORAGE_ROOT"], 'backup')

management/mfa.py

@@ -109,7 +109,15 @@ def validate_auth_mfa(email, request, env):
 	# If no MFA modes are added, return True.
 	if len(mfa_state) == 0:
 		return (True, [])
-
+		
+	# munin routes are proxied by our control panel. We do not have
+	# full control over their routes so credentials are supplied via
+	# a basic HTTP authentication prompt.
+	# There is neither a way to input a mfa credential there nor can we pass
+	# the user_api_key from localStorage so mfa should be disabled for these routes.
+	if request.full_path.startswith("/munin"):
+		return (True, [])
+		
 	# Try the enabled MFA modes.
 	hints = set()
 	for mfa_mode in mfa_state:

management/status_checks.py

@@ -857,7 +857,7 @@ def get_latest_miab_version():
     from socket import timeout
 
     try:
-        return re.search(b'TAG=(.*)', urlopen("https://raw.githubusercontent.com/ddavness/power-mailinabox/master/setup/bootstrap.sh", timeout=5).read()).group(1).decode("utf8")
+        return re.search(b'TAG=(.*)', urlopen("https://mailinabox.email/setup.sh?ping=1", timeout=5).read()).group(1).decode("utf8")
     except (HTTPError, URLError, timeout):
         return None
 
@@ -870,16 +870,16 @@ def check_miab_version(env, output):
 		this_ver = "Unknown"
 
 	if config.get("privacy", True):
-		output.print_warning("You are running version Mail-in-a-Box %s. Mail-in-a-Box version check disabled by privacy setting." % this_ver)
+		output.print_warning("You are running version Mail-in-a-Box %s Kiekerjan Edition. Mail-in-a-Box version check disabled by privacy setting." % this_ver)
 	else:
 		latest_ver = get_latest_miab_version()
 
 		if this_ver == latest_ver:
-			output.print_ok("Mail-in-a-Box is up to date. You are running version %s." % this_ver)
+			output.print_ok("Mail-in-a-Box is up to date. You are running version %s Kiekerjan Edition." % this_ver)
 		elif latest_ver is None:
-			output.print_error("Latest Mail-in-a-Box version could not be determined. You are running version %s." % this_ver)
+			output.print_error("Latest Mail-in-a-Box version could not be determined. You are running version %s Kiekerjan Edition." % this_ver)
 		else:
-			output.print_error("A new version of Mail-in-a-Box is available. You are running version %s. The latest version is %s. For upgrade instructions, see https://mailinabox.email. "
+			output.print_error("A new version of Mail-in-a-Box is available. You are running version %s Kiekerjan Edition. The latest version is %s. For upgrade instructions, see https://mailinabox.email. "
 				% (this_ver, latest_ver))
 
 def run_and_output_changes(env, pool):

management/web_update.py

@@ -8,6 +8,7 @@ from mailconfig import get_mail_domains
 from dns_update import get_custom_dns_config, get_dns_zones
 from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate
 from utils import shell, safe_domain_name, sort_domains, get_php_version
+from wwwconfig import get_www_domains
 
 def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True):
 	# What domains should we serve HTTP(S) for?
@@ -18,11 +19,15 @@ def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True)
 	# if the user wants to make one.
 	domains |= get_mail_domains(env)
 
+	# Add domains for which we only serve www
+	domains |= get_www_domains(domains)
+
 	if include_www_redirects:
 		# Add 'www.' subdomains that we want to provide default redirects
 		# to the main domain for. We'll add 'www.' to any DNS zones, i.e.
 		# the topmost of each domain we serve.
 		domains |= set('www.' + zone for zone, zonefile in get_dns_zones(env))
+		domains |= set('www.' + wwwdomain for wwwdomain in get_www_domains(get_mail_domains(env)))
 
 	# Add Autoconfiguration domains for domains that there are user accounts at:
 	# 'autoconfig.' for Mozilla Thunderbird auto setup.
@@ -83,6 +88,7 @@ def do_web_update(env):
 	template1 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-alldomains.conf")).read()
 	template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read()
 	template3 = "\trewrite ^(.*) https://$REDIRECT_DOMAIN$1 permanent;\n"
+	template4 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-webonlydomains.conf")).read()
 
 	# Add the PRIMARY_HOST configuration first so it becomes nginx's default server.
 	nginx_conf += make_domain_config(env['PRIMARY_HOSTNAME'], [template0, template1, template2], ssl_certificates, env)
@@ -90,6 +96,8 @@ def do_web_update(env):
 	# Add configuration all other web domains.
 	has_root_proxy_or_redirect = get_web_domains_with_root_overrides(env)
 	web_domains_not_redirect = get_web_domains(env, include_www_redirects=False)
+	web_only_domains = get_www_domains(get_mail_domains(env))
+	
 	for domain in get_web_domains(env):
 		if domain == env['PRIMARY_HOSTNAME']:
 			# PRIMARY_HOSTNAME is handled above.
@@ -97,6 +105,9 @@ def do_web_update(env):
 		if domain in web_domains_not_redirect:
 			# This is a regular domain.
 			if domain not in has_root_proxy_or_redirect:
+				if domain in web_only_domains:
+					nginx_conf += make_domain_config(domain, [template0, template4], ssl_certificates, env)
+				else:
 				nginx_conf += make_domain_config(domain, [template0, template1], ssl_certificates, env)
 			else:
 				nginx_conf += make_domain_config(domain, [template0], ssl_certificates, env)

management/wwwconfig.py

@@ -0,0 +1,34 @@
+import os.path, idna, sys, collections
+
+def get_www_domains(domains_to_skip):
+    # Returns the domain names (IDNA-encoded) of all of the domains that are configured to serve www
+    # on the system. 
+    domains = []
+
+    try:
+        # read a line from text file
+        with open("/etc/miabwwwdomains.conf") as file_in:
+            for line in file_in:
+                # Valid domain check future extention: use validators module
+                # Only one dot allowed
+                if line.count('.') == 1:
+                    www_domain = get_domain(line, as_unicode=False)
+                    if www_domain not in domains_to_skip:
+                        domains.append(www_domain)
+    except:
+        # ignore failures
+        pass
+    
+    return set(domains)
+
+
+def get_domain(domaintxt, as_unicode=True):
+    ret = domaintxt.rstrip()
+    if as_unicode:
+        try:
+            ret = idna.decode(ret.encode('ascii'))
+        except (ValueError, UnicodeError, idna.IDNAError):
+            pass
+
+    return ret
+