From c60e3dc8428ebb5dddd728d9a1f2c185845dd376 Mon Sep 17 00:00:00 2001 From: jvolkenant Date: Fri, 18 Jan 2019 06:36:43 -0800 Subject: [PATCH 1/6] fail2ban ssh/ssh-ddos and sasl are now sshd and postfix-sasl (fixes #1453, merges #1454) * fail2ban ssh/ssh-ddos and sasl are now sshd and postfix-sasl * specified custom datepattern for miab-owncloud.conf --- CHANGELOG.md | 7 +++++++ conf/fail2ban/filter.d/miab-owncloud.conf | 1 + conf/fail2ban/jails.conf | 7 ++----- setup/system.sh | 1 + 4 files changed, 11 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb64785c..298791ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,13 @@ CHANGELOG ========= +In Development +-------------- + +System: + +* Missing brute force login attack prevention (fail2ban) filters which stopped working on Ubuntu 18.04 were added back. + v0.40 (January 12, 2019) ------------------------ diff --git a/conf/fail2ban/filter.d/miab-owncloud.conf b/conf/fail2ban/filter.d/miab-owncloud.conf index a9a13f2c..709f8bac 100644 --- a/conf/fail2ban/filter.d/miab-owncloud.conf +++ b/conf/fail2ban/filter.d/miab-owncloud.conf @@ -3,5 +3,6 @@ before = common.conf [Definition] +datepattern = %%Y-%%m-%%d %%H:%%M:%%S failregex=Login failed: .*Remote IP: '[\)'] ignoreregex = diff --git a/conf/fail2ban/jails.conf b/conf/fail2ban/jails.conf index 6c6fee32..952dc35a 100644 --- a/conf/fail2ban/jails.conf +++ b/conf/fail2ban/jails.conf @@ -69,13 +69,10 @@ action = iptables-allports[name=recidive] # So the notification is ommited. This will prevent message appearing in the mail.log that mail # can't be delivered to fail2ban@$HOSTNAME. -[sasl] +[postfix-sasl] enabled = true -[ssh] +[sshd] enabled = true maxretry = 7 bantime = 3600 - -[ssh-ddos] -enabled = true diff --git a/setup/system.sh b/setup/system.sh index 2305ccfc..ccc60231 100755 --- a/setup/system.sh +++ b/setup/system.sh 
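Review bot: The added `datepattern` in conf/fail2ban/filter.d/miab-owncloud.conf has no comment tying it to the log format it must match. fail2ban counts a failure only when it can parse the line's timestamp and that timestamp falls inside the jail's findtime. If Nextcloud's `logdateformat` or `logtimezone` (set outside this diff) drift from this pattern or from server local time, the jail would presumably stop banning without reporting an error. I would add a comment above the line, for example `# Must match Nextcloud's logdateformat/logtimezone; %% is config-file escaping for %.`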
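Review bot: Dropping `[ssh-ddos]` in conf/fail2ban/jails.conf leaves no jail configured for the pre-authentication connection drops that filter used to match; only `[ssh]` is carried over, as `[sshd]`. In fail2ban 0.10 the sshd filter accepts a mode, so if that coverage is still wanted the section could set `filter = sshd[mode=aggressive]`, assuming the version packaged for Ubuntu 18.04 supports it. Either way, a short comment such as `# ssh-ddos no longer exists as a separate filter; see the sshd filter's mode option` would record why the jail was removed.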
@@ -339,6 +339,7 @@ systemctl restart systemd-resolved # Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix, ssh, etc. rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore +rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config cat conf/fail2ban/jails.conf \ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ From 10050aa6010eb78a75bbd963bf758051271d7736 Mon Sep 17 00:00:00 2001 From: Yoann Colin Date: Sat, 9 Feb 2019 03:24:03 +0100 Subject: [PATCH 2/6] Upgrade to NextCloud 14 (#1504) * Upgraded Nextcloud from 13.0.6 to 14.0.6. * Upgraded Contacts from 2.1.5 to 2.1.8. * Upgraded Calendar from 1.6.1 to 1.6.4. * Cleanup unsupported version upgrades: Since an upgrade to v0.30 is mandatory before moving upward, I removed the checks for Nextcloud prior version 12. * Fix the storage root path. * Add missing indices. Thx @yodax for your feedback. --- CHANGELOG.md | 6 ++++++ setup/nextcloud.sh | 31 ++++++++++++++----------------- 2 files changed, 20 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 298791ba..6fdffbab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,12 @@ System: * Missing brute force login attack prevention (fail2ban) filters which stopped working on Ubuntu 18.04 were added back. +Contacts/Calendar: + +* Upgraded Nextcloud from 13.0.6 to 14.0.6. +* Upgraded Contacts from 2.1.5 to 2.1.8. +* Upgraded Calendar from 1.6.1 to 1.6.4. + v0.40 (January 12, 2019) ------------------------ diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 167c2012..9476bbf8 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh 
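Review bot: Once the added `rm -f /etc/fail2ban/jail.d/defaults-debian.conf` has run, the distribution's own jail enablement is gone, so SSH brute-force protection depends entirely on the rendered jails.conf being installed by the `cat | sed` pipeline that follows. That pipeline continues past the end of the hunk, and no failure handling for it is visible here. I would say so in the comment and verify the result after fail2ban is restarted, for example `fail2ban-client status sshd >/dev/null || echo "WARNING: sshd jail is not active"`.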
@@ -39,11 +39,11 @@ InstallNextcloud() { # their github repositories. mkdir -p /usr/local/lib/owncloud/apps - wget_verify https://github.com/nextcloud/contacts/releases/download/v2.1.5/contacts.tar.gz b7460d15f1b78d492ed502d778c0c458d503ba17 /tmp/contacts.tgz + wget_verify https://github.com/nextcloud/contacts/releases/download/v2.1.8/contacts.tar.gz b5d5bbee33f0c32b124b46cb6aaab90c695ac170 /tmp/contacts.tgz tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/contacts.tgz - wget_verify https://github.com/nextcloud/calendar/releases/download/v1.6.1/calendar.tar.gz f93a247cbd18bc624f427ba2a967d93ebb941f21 /tmp/calendar.tgz + wget_verify https://github.com/nextcloud/calendar/releases/download/v1.6.4/calendar.tar.gz d8a7950dba14803472b6c19625a8ceb23d6fd4ef /tmp/calendar.tgz tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/calendar.tgz @@ -72,11 +72,14 @@ InstallNextcloud() { sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off echo "...which seemed to work." fi + + # Add missing indices. NextCloud didn't include this in the normal upgrade because it might take some time. + sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-indices fi } -nextcloud_ver=13.0.6 -nextcloud_hash=33e41f476f0e2be5dc7cdb9d496673d9647aa3d6 +nextcloud_ver=14.0.6 +nextcloud_hash=4e43a57340f04c2da306c8eea98e30040399ae5a # Check if Nextcloud dir exist, and check if version matches nextcloud_ver (if either doesn't - install/upgrade) if [ ! -d /usr/local/lib/owncloud/ ] \ 
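Review bot: The pinned digests passed to `wget_verify` for contacts.tar.gz and calendar.tar.gz are 40 hex characters, which is SHA-1 length, and the same holds for `nextcloud_hash` in the next hunk. `wget_verify` is defined outside this diff, so the algorithm is inferred from the length. If it is SHA-1, the pin gives no collision resistance for archives that are then unpacked into /usr/local/lib/owncloud/apps. Every pin is being replaced in this commit anyway, so this is a cheap moment to move the helper and these constants to SHA-256. The archives are also written to fixed names under /tmp; a path from `mktemp` would rule out a pre-created file or symlink there.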
@@ -93,11 +96,11 @@ if [ ! -d /usr/local/lib/owncloud/ ] \ echo "Upgrading Nextcloud --- backing up existing installation, configuration, and database to directory to $BACKUP_DIRECTORY..." cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install" fi - if [ -e /home/user-data/owncloud/owncloud.db ]; then - cp /home/user-data/owncloud/owncloud.db $BACKUP_DIRECTORY + if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then + cp $STORAGE_ROOT/owncloud/owncloud.db $BACKUP_DIRECTORY fi - if [ -e /home/user-data/owncloud/config.php ]; then - cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY + if [ -e $STORAGE_ROOT/owncloud/config.php ]; then + cp $STORAGE_ROOT/owncloud/config.php $BACKUP_DIRECTORY fi # If ownCloud or Nextcloud was previously installed.... 
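Review bot: The rewritten tests and `cp` calls leave `$STORAGE_ROOT` and `$BACKUP_DIRECTORY` unquoted, although the `cp -r` two lines earlier already quotes `"$BACKUP_DIRECTORY/owncloud-install"`. If the storage root contains whitespace or glob characters, `[ -e ... ]` errors out or tests the wrong path. As far as the visible lines show, the pre-upgrade copy of owncloud.db and config.php would then be skipped while the upgrade carries on. Quote both sides, `if [ -e "$STORAGE_ROOT/owncloud/owncloud.db" ]; then` and `cp "$STORAGE_ROOT/owncloud/owncloud.db" "$BACKUP_DIRECTORY"`, and do the same for config.php. The enclosing `if` starts before this hunk.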
@@ -105,19 +108,13 @@ if [ ! -d /usr/local/lib/owncloud/ ] \ # Database migrations from ownCloud are no longer possible because ownCloud cannot be run under # PHP 7. if grep -q "OC_VersionString = '[89]\." /usr/local/lib/owncloud/version.php; then - echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 8 or 9) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting." + echo "Upgrades from Mail-in-a-Box prior to v0.28 (dated July 30, 2018) with Nextcloud < 13.0.6 (you have ownCloud 8 or 9) are not supported. Upgrade to Mail-in-a-Box version v0.30 first. Setup aborting." exit 1 fi - if grep -q "OC_VersionString = '10\." /usr/local/lib/owncloud/version.php; then - echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 10) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting." + if grep -q "OC_VersionString = '1[012]\." /usr/local/lib/owncloud/version.php; then + echo "Upgrades from Mail-in-a-Box prior to v0.28 (dated July 30, 2018) with Nextcloud < 13.0.6 (you have ownCloud 10, 11 or 12) are not supported. Upgrade to Mail-in-a-Box version v0.30 first. Setup aborting." exit 1 fi - - # If we are upgrading from Nextcloud 11 we should go to Nextcloud 12 first. - if grep -q "OC_VersionString = '11\." /usr/local/lib/owncloud/version.php; then - echo "We are running Nextcloud 11, upgrading to Nextcloud 12.0.5 first" - InstallNextcloud 12.0.5 d25afbac977a4e331f5e38df50aed0844498ca86 - fi fi InstallNextcloud $nextcloud_ver $nextcloud_hash From bad38840d80b4f87ae5cc6d7afc5a682acb8c108 Mon Sep 17 00:00:00 2001 From: Ryan Stubbs Date: Tue, 12 Feb 2019 01:14:56 +0000 Subject: [PATCH 3/6] Fix type on alias edit page (#1520) --- management/templates/aliases.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
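Review bot: The second abort message tells the administrator they "have ownCloud 10, 11 or 12", but the `1[012]\.` pattern it guards also matches the Nextcloud 11 installs that the removed branch used to upgrade. The wording should name both products, for example `(you have ownCloud 10 or Nextcloud 10-12)`, so that someone hitting the abort can identify their installation. The two `if` blocks now differ only in the version pattern and the parenthetical, so they could be merged into one test, for example `grep -q "OC_VersionString = '\(8\|9\|1[012]\)\."`. The enclosing `if` that checks for an existing installation starts before this hunk.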
diff --git a/management/templates/aliases.html b/management/templates/aliases.html index 89af221f..e8d0cb1c 100644 --- a/management/templates/aliases.html +++ b/management/templates/aliases.html @@ -51,7 +51,7 @@
From adddd95e38647598bd318c84b98a42ea98085b52 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Mon, 25 Feb 2019 13:18:30 -0500 Subject: [PATCH 4/6] add lmtp_destination_recipient_limit=1 to work around spampd bug, see #1523 --- CHANGELOG.md | 4 ++++ setup/mail-postfix.sh | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6fdffbab..9e529052 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,10 @@ System: * Missing brute force login attack prevention (fail2ban) filters which stopped working on Ubuntu 18.04 were added back. +Mail: + +* Incoming messages addressed to more than one local user were rejected because of a bug in spampd packaged by Ubuntu 18.04. A workaround was added. + Contacts/Calendar: * Upgraded Nextcloud from 13.0.6 to 14.0.6. diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index 0c9bc97c..4d66cd58 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -173,8 +173,11 @@ tools/editconf.py /etc/postfix/main.cf \ # # In a basic setup we would pass mail directly to Dovecot by setting # virtual_transport to `lmtp:unix:private/dovecot-lmtp`. -# tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025 +# Because of a spampd bug, limit the number of recipients in each connection. +# See https://github.com/mail-in-a-box/mailinabox/issues/1523. +tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1 + # Who can send mail to us? Some basic filters. # From 149552f79b865d35e1d421ad1c2b6d6d0135420e Mon Sep 17 00:00:00 2001 
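Review bot: The comment added above `lmtp_destination_recipient_limit=1` names the spampd bug but not what the workaround costs. Each local recipient now gets its own LMTP transaction to 127.0.0.1:10025, so a message addressed to many local users is presumably scanned once per recipient. According to the Postfix documentation, a recipient limit of 1 also turns the transport's destination concurrency limit into a per-recipient limit, which can raise the number of parallel connections to the filter. I would extend the comment, for example `# Cost: one spampd scan per recipient. Remove once the packaged spampd is fixed.`, so the workaround is revisited rather than left in place.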
From: Joshua Tauberer Date: Tue, 26 Feb 2019 18:15:36 -0500 Subject: [PATCH 5/6] systemctl link should use -f to avoid an error if a system service already exists with that name but points to a different file https://discourse.mailinabox.email/t/new-error-failed-systemctl-link-conf-mailinabox-service/4626/2 --- CHANGELOG.md | 1 + setup/management.sh | 2 +- setup/munin.sh | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9e529052..a60ba3a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ In Development System: * Missing brute force login attack prevention (fail2ban) filters which stopped working on Ubuntu 18.04 were added back. +* Upgrades would fail if Mail-in-a-Box moved to a different directory in `systemctl link`. Mail: diff --git a/setup/management.sh b/setup/management.sh index 9c221198..f7621a8b 100755 --- a/setup/management.sh +++ b/setup/management.sh @@ -93,7 +93,7 @@ source $venv/bin/activate exec python `pwd`/management/daemon.py EOF chmod +x $inst_dir/start -hide_output systemctl link conf/mailinabox.service +hide_output systemctl link -f conf/mailinabox.service hide_output systemctl daemon-reload hide_output systemctl enable mailinabox.service diff --git a/setup/munin.sh b/setup/munin.sh index 8a85085d..3cb1cd9d 100755 --- a/setup/munin.sh +++ b/setup/munin.sh @@ -64,7 +64,7 @@ mkdir -p /var/lib/munin-node/plugin-state/ # Create a systemd service for munin. ln -sf $(pwd)/management/munin_start.sh /usr/local/lib/mailinabox/munin_start.sh chmod 0744 /usr/local/lib/mailinabox/munin_start.sh -hide_output systemctl link conf/munin.service +hide_output systemctl link -f conf/munin.service hide_output systemctl daemon-reload hide_output systemctl unmask munin.service hide_output systemctl enable munin.service From dd7a2aa8a6702de0cbe0e7f766bd05d03dff9733 Mon Sep 17 00:00:00 2001 
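Review bot: With `systemctl link -f conf/mailinabox.service`, a rerun of setup from a different checkout silently repoints the unit at that directory's file, and nothing visible in the hunk checks who can write to it. The same applies to `systemctl link -f conf/munin.service` in the setup/munin.sh hunk. Where the checkout lives and who owns it is not shown here, but if a non-root account can write to it, that account can edit a linked unit file. A comment would make the assumption explicit, for example `# -f replaces an existing link; the unit is loaded from this checkout, which must be writable by root only`. An ownership check on the unit file before linking would enforce it.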
From: Joshua Tauberer Date: Tue, 26 Feb 2019 18:17:50 -0500 Subject: [PATCH 6/6] v0.41 --- CHANGELOG.md | 4 ++-- README.md | 4 ++-- setup/bootstrap.sh | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a60ba3a0..089aa68d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,8 @@ CHANGELOG ========= -In Development --------------- +v0.41 (February 26, 2019) +------------------------- System: diff --git a/README.md b/README.md index 300fe496..01997fd4 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ by him: $ curl -s https://keybase.io/joshdata/key.asc | gpg --import gpg: key C10BDD81: public key "Joshua Tauberer " imported - $ git verify-tag v0.40 + $ git verify-tag v0.41 gpg: Signature made ..... using RSA key ID C10BDD81 gpg: Good signature from "Joshua Tauberer " gpg: WARNING: This key is not certified with a trusted signature! @@ -71,7 +71,7 @@ and on his [personal homepage](https://razor.occams.info/). (Of course, if this Checkout the tag corresponding to the most recent release: - $ git checkout v0.40 + $ git checkout v0.41 Begin the installation. diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh index 3442499d..74bf5e16 100644 --- a/setup/bootstrap.sh +++ b/setup/bootstrap.sh @@ -20,7 +20,7 @@ if [ -z "$TAG" ]; then # want to display in status checks. if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then # This machine is running Ubuntu 18.04. - TAG=v0.40 + TAG=v0.41 elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then # This machine is running Ubuntu 14.04.