From 4fedfb377da393d7fe22ca8781a964e9759a18ce Mon Sep 17 00:00:00 2001 From: downtownallday Date: Tue, 10 Sep 2024 14:53:12 -0400 Subject: [PATCH 01/38] during wait for boot, also wait until vm has an ip address --- tests/bin/lx_functions.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tests/bin/lx_functions.sh b/tests/bin/lx_functions.sh index 2faec0a2..b64a77fc 100644 --- a/tests/bin/lx_functions.sh +++ b/tests/bin/lx_functions.sh @@ -201,7 +201,25 @@ lx_wait_for_boot() { echo "" echo -n "Wait for cloud-init " lxc --project "$project" exec "$inst" -- cloud-init status --wait + local rc=$? + + if [ $rc -eq 0 ]; then + echo "Wait for ip address " + local ip="" + local count=0 + while [ $count -lt 10 ]; do + let count+=1 + ip="$(lxc --project "$project" exec "$inst" -- hostname -I | awk '{print $1}')" + rc=$? + echo " [${count}] got: $ip" + if [ $rc -ne 0 -o "$ip" != "" ];then + break + fi + sleep 5 + done + fi echo "" + return $rc } lx_get_ssh_identity() { From 3e0a6214508724496ce2c629b598cedf4be1b22c Mon Sep 17 00:00:00 2001 From: downtownallday Date: Tue, 10 Sep 2024 14:54:47 -0400 Subject: [PATCH 02/38] allow supplying a command line to execute to ssh remove debugging echo statements add -q argument to suppress outputting lxc command line --- tests/bin/vlx | 59 ++++++++++++++++++++++++++++++++++----------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/tests/bin/vlx b/tests/bin/vlx index 52cd0191..0ba3436f 100755 --- a/tests/bin/vlx +++ b/tests/bin/vlx @@ -37,6 +37,12 @@ D=$(dirname "$BASH_SOURCE") . "$D/lx_functions.sh" || exit 1 +show_cl="yes" +if [ "$1" = "-q" ]; then + show_cl="no" + shift +fi + vlx_guess() { if [ $# -eq 2 ]; then LX_PROJECT="$1" @@ -83,7 +89,6 @@ vlx_exec() { if [ "${args[$idx]}" = "--" ]; then if [ $idx -eq 3 ]; then # format 1 with cwd - echo "f1" wd="$3" vlx_guess "$1" "$2" || return 1 shift; shift; shift; shift; @@ -92,12 +97,10 @@ vlx_exec() { if [ "${2#/}" != "$2" ]; then # wd starts with /, so it's a path # format 2 - echo "f2" wd="$2" vlx_guess "" "$1" || return 1 else # format 1 w/o cwd - echo "f1 w/o cwd" vlx_guess "$1" "$2" || return 1 fi shift; shift; shift; @@ -106,12 +109,10 @@ vlx_exec() { if [ "${1#/}" != "$1" ]; then # wd starts with /, so it's a path # format 3 - echo "f3" wd="$1" vlx_guess || return 1 else # format 2 w/o cwd - echo "f2 w/o cwd" vlx_guess "$1" || return 1 fi shift; shift; @@ -121,7 +122,6 @@ vlx_exec() { fi else # format 4 - echo "f4" vlx_guess || return 1 fi @@ -129,28 +129,43 @@ vlx_exec() { if [ ! -z "$wd" ]; then xargs="--cwd $wd" fi - echo lxc --project "$LX_PROJECT" exec "$LX_INST" $xargs -- "$@" + [ "$show_cl" = "yes" ] && + echo lxc --project "$LX_PROJECT" exec "$LX_INST" $xargs -- "$@" lxc --project "$LX_PROJECT" exec "$LX_INST" $xargs -- "$@" } vlx_shell() { vlx_guess "$@" || return 1 - echo lxc --project "$LX_PROJECT" exec "$LX_INST" -- bash + [ "$show_cl" = "yes" ] && + echo lxc --project "$LX_PROJECT" exec "$LX_INST" -- bash lxc --project "$LX_PROJECT" exec "$LX_INST" -- bash } vlx_hostname() { vlx_guess "$@" || return 1 - local host lxc --project "$LX_PROJECT" exec "$LX_INST" -- /usr/bin/hostname --fqdn || return 1 } +vlx_ipaddr() { + vlx_guess "$@" || return 1 + local hostip + hostip="$(lxc --project "$LX_PROJECT" exec "$LX_INST" -- /usr/bin/hostname -I)" + [ $? -ne 0 -o -z "$hostip" ] && return 1 + awk '{print $1}' <<<"$hostip" +} + + vlx_ssh() { local host="$1" + if [ "$host" = "--" ]; then + host="" + else + shift + fi if [ -z "$host" ]; then - host="$(vlx_hostname)" + host="$(vlx_ipaddr)" if [ $? -ne 0 ]; then - echo "Could not determine hostname, please specify" + echo "Could not determine ip address, please specify" host="" fi if [ -z "$host" ]; then @@ -161,20 +176,22 @@ vlx_ssh() { local id="$(lx_get_ssh_identity)" local known_hosts="$(lx_get_ssh_known_hosts)" local vmuser="vmuser" - #echo ssh -i "$id" -o UserKnownHostsFile="$known_hosts" -o StrictHostKeyChecking=no "$vmuser@$host" + #echo ssh -i "$id" -o UserKnownHostsFile="$known_hosts" -o StrictHostKeyChecking=no "$vmuser@$host" "$@" echo "Connecting to $vmuser@$host ..." - ssh -i "$id" -o UserKnownHostsFile="$known_hosts" -o StrictHostKeyChecking=no "$vmuser@$host" + ssh -i "$id" -o UserKnownHostsFile="$known_hosts" -o StrictHostKeyChecking=no "$vmuser@$host" "$@" } vlx_list() { vlx_guess "$1" || return 1 - echo lxc --project "$LX_PROJECT" list + [ "$show_cl" = "yes" ] && + echo lxc --project "$LX_PROJECT" list lxc --project "$LX_PROJECT" list } vlx_images() { vlx_guess "$1" || return 1 - echo lxc --project "$LX_PROJECT" image list + [ "$show_cl" = "yes" ] && + echo lxc --project "$LX_PROJECT" image list lxc --project "$LX_PROJECT" image list } @@ -191,19 +208,22 @@ vlx_up() { vlx_start() { vlx_guess "$@" || return 1 - echo lxc --project "$LX_PROJECT" start "$LX_INST" + [ "$show_cl" = "yes" ] && + echo lxc --project "$LX_PROJECT" start "$LX_INST" lxc --project "$LX_PROJECT" start "$LX_INST" } vlx_stop() { vlx_guess "$@" || return 1 - echo lxc --project "$LX_PROJECT" stop "$LX_INST" + [ "$show_cl" = "yes" ] && + echo lxc --project "$LX_PROJECT" stop "$LX_INST" lxc --project "$LX_PROJECT" stop "$LX_INST" } vlx_delete() { vlx_guess "$@" || return 1 - echo lxc --project "$LX_PROJECT" delete --force --interactive "$LX_INST" + [ "$show_cl" = "yes" ] && + echo lxc --project "$LX_PROJECT" delete --force --interactive "$LX_INST" lxc --project "$LX_PROJECT" delete --force --interactive "$LX_INST" } @@ -224,7 +244,8 @@ vlx_status() { vlx_restart() { vlx_guess "$@" || return 1 - echo lxc --project "$LX_PROJECT" restart "$LX_INST" + [ "$show_cl" = "yes" ] && + echo lxc --project "$LX_PROJECT" restart "$LX_INST" lxc --project "$LX_PROJECT" restart "$LX_INST" } From 1699ab8c02e6813075a65fff9903c85e31d52445 Mon Sep 17 00:00:00 2001 From: matidau <65836048+matidau@users.noreply.github.com> Date: Wed, 18 Sep 2024 04:51:26 +1000 Subject: [PATCH 03/38] Update zpush.sh to version 2.7.4 (#2423) --- setup/zpush.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/zpush.sh b/setup/zpush.sh index a5538d70..5c3e5b30 100755 --- a/setup/zpush.sh +++ b/setup/zpush.sh @@ -22,8 +22,8 @@ apt_install \ phpenmod -v "$PHP_VER" imap # Copy Z-Push into place. -VERSION=2.7.3 -TARGETHASH=9d4bec41935e9a4e07880c5ff915bcddbda4443b +VERSION=2.7.4 +TARGETHASH=78744d56b8799d9828ec8f99a12c1af4e9f9239b needs_update=0 #NODOC if [ ! -f /usr/local/lib/z-push/version ]; then needs_update=1 #NODOC From 62b691f44a2f201f55052831e2b1ddad962a9cb9 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Fri, 20 Sep 2024 15:16:21 -0400 Subject: [PATCH 04/38] QA: updates for recent nextcloud changes --- tests/lib/python/browser/NextcloudAutomation.py | 10 ++++++++-- tests/suites/nextcloud/contacts.py | 13 +++++++++---- tests/suites/remote-nextcloud.sh | 4 ++-- 3 files changed, 19 insertions(+), 8 deletions(-) diff --git a/tests/lib/python/browser/NextcloudAutomation.py b/tests/lib/python/browser/NextcloudAutomation.py index da209bb0..b2eeca91 100644 --- a/tests/lib/python/browser/NextcloudAutomation.py +++ b/tests/lib/python/browser/NextcloudAutomation.py @@ -58,7 +58,10 @@ class NextcloudAutomation(object): d.say("Logout of Nextcloud") self.click_avatar() - el = d.find_el('[data-id="logout"] a', throws=False) # nc < 26 + el = d.find_el('a#logout', throws=False) + if not el: + # nc >= 29 + el = d.find_el('[data-id="logout"] a', throws=False) # nc < 26 if not el: # nc >= 26 el = d.find_el('#logout > a', throws=False) @@ -72,7 +75,10 @@ class NextcloudAutomation(object): d = self.d d.say("Open contacts") # nc 25+ - el = d.find_el('header [data-app-id="contacts"]', throws=False) + el = d.find_el('header [title="Contacts"]', throws=False) + if not el: + # nc < 29 + el = d.find_el('header [data-app-id="contacts"]', throws=False) if not el: # nc < 25 el = d.find_el('header [data-id="contacts"]') diff --git a/tests/suites/nextcloud/contacts.py b/tests/suites/nextcloud/contacts.py index ddf82b41..6b204e32 100644 --- a/tests/suites/nextcloud/contacts.py +++ b/tests/suites/nextcloud/contacts.py @@ -7,6 +7,7 @@ ##### details. ##### + from browser.automation import ( TestDriver, TimeoutException, @@ -50,16 +51,20 @@ try: # open Contacts # d.start("Open contacts app") - contacts = nc.open_contacts() + try: + contacts = nc.open_contacts() + except NoSuchElementException: + nc.close_first_run_wizard() + contacts = nc.open_contacts() nc.wait_for_app_load() # - # handle selected operation + # handle selected operation # if op=='exists': d.start("Check that contact %s exists", contact['email']) contacts.click_contact(contact) # raises NoSuchElementException if not found - + elif op=='delete': d.start("Delete contact %s", contact['email']) contacts.click_contact(contact) @@ -68,7 +73,7 @@ try: elif op=='nop': pass - + else: raise ValueError('Invalid operation: %s' % op) diff --git a/tests/suites/remote-nextcloud.sh b/tests/suites/remote-nextcloud.sh index 795fe67a..f054609c 100644 --- a/tests/suites/remote-nextcloud.sh +++ b/tests/suites/remote-nextcloud.sh @@ -172,7 +172,7 @@ test_web_config() { record "output=$REST_OUTPUT" if [ $code -eq 0 ]; then test_failure "carddav url works, but expecting 401/NotAuthenticated from server" - elif [ $code -eq 1 -o $REST_HTTP_CODE -ne 401 ] || ! grep "NotAuthenticated" <<<"$REST_OUTPUT" >/dev/null; then + elif [ $REST_HTTP_CODE -ne 401 ]; then test_failure "carddav url doesn't work: $REST_ERROR" fi fi @@ -189,7 +189,7 @@ test_web_config() { record "output=$REST_OUTPUT" if [ $code -eq 0 ]; then test_failure "caldav url works, but expecting 401/NotAuthenticated from server" - elif [ $code -eq 1 -o $REST_HTTP_CODE -ne 401 ] || ! grep "NotAuthenticated" <<<"$REST_OUTPUT" >/dev/null; then + elif [ $REST_HTTP_CODE -ne 401 ]; then test_failure "caldav url doesn't work: $REST_ERROR" fi fi From 706c3e7af93add6ced094a473ebbc57716cd03f7 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Fri, 20 Sep 2024 15:41:44 -0400 Subject: [PATCH 05/38] QA: updates for recent nextcloud change --- tests/lib/python/browser/NcContactsAutomation.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/lib/python/browser/NcContactsAutomation.py b/tests/lib/python/browser/NcContactsAutomation.py index 386f257a..b7976cff 100644 --- a/tests/lib/python/browser/NcContactsAutomation.py +++ b/tests/lib/python/browser/NcContactsAutomation.py @@ -26,10 +26,11 @@ class NcContactsAutomation(object): els = d.find_els('div.contacts-list div.list-item-content,div.option__details') d.say_verbose('found %s contacts' % len(els)) for el in els: - # .line-one (nc 25+) + # .list-item-content__name (nc 29+) + # .line-one (nc 25-28) # .option__lineone (nc <25) - fullname = el.find_el('.line-one,.option__lineone').content().strip() - email = el.find_el('.line-two,.option__linetwo').content().strip() + fullname = el.find_el('.line-one,.option__lineone,.list-item-content__name').content().strip() + email = el.find_el('.line-two,.option__linetwo,.list-item-content__subname').content().strip() d.say_verbose('contact: "%s" <%s>', fullname, email) # NC 28: email not present in html ignore_email = True if email == '' else False @@ -43,7 +44,7 @@ class NcContactsAutomation(object): d = self.d d.say("Wait for contact to load") d.wait_for_el('section.contact-details', secs=secs) - + def delete_current_contact(self): d = self.d d.say("Delete current contact") From 3b6e6177d03c4fc10d3c3afe07760e8f4b49f181 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Fri, 4 Oct 2024 14:51:25 -0400 Subject: [PATCH 06/38] Remove vagrant references - everything has moved to lxd --- tests/lxd/create-backup/README.md | 1 + tests/lxd/majorupgrade/README.md | 1 + .../{vagrant => lxd}/majorupgrade/Vagrantfile | 0 .../majorupgrade/majorupgrade.sh | 0 tests/lxd/vanilla/provision.sh | 2 +- tests/vagrant/.gitignore | 3 - tests/vagrant/Vagrantfile | 104 -------- tests/vagrant/funcs.rb | 25 -- tests/vagrant/parallel.sh | 86 ------- tests/vagrant/preloaded/.gitignore | 2 - tests/vagrant/preloaded/Vagrantfile | 58 ----- tests/vagrant/preloaded/create_preloaded.sh | 134 ---------- tests/vagrant/preloaded/prepvm.sh | 230 ------------------ tests/vagrant/vanilla/.gitignore | 2 - tests/vagrant/vanilla/Vagrantfile | 87 ------- 15 files changed, 3 insertions(+), 732 deletions(-) create mode 100644 tests/lxd/create-backup/README.md create mode 100644 tests/lxd/majorupgrade/README.md rename tests/{vagrant => lxd}/majorupgrade/Vagrantfile (100%) rename tests/{vagrant => lxd}/majorupgrade/majorupgrade.sh (100%) delete mode 100644 tests/vagrant/.gitignore delete mode 100644 tests/vagrant/Vagrantfile delete mode 100644 tests/vagrant/funcs.rb delete mode 100755 tests/vagrant/parallel.sh delete mode 100644 tests/vagrant/preloaded/.gitignore delete mode 100644 tests/vagrant/preloaded/Vagrantfile delete mode 100755 tests/vagrant/preloaded/create_preloaded.sh delete mode 100755 tests/vagrant/preloaded/prepvm.sh delete mode 100644 tests/vagrant/vanilla/.gitignore delete mode 100644 tests/vagrant/vanilla/Vagrantfile diff --git a/tests/lxd/create-backup/README.md b/tests/lxd/create-backup/README.md new file mode 100644 index 00000000..1333ed77 --- /dev/null +++ b/tests/lxd/create-backup/README.md @@ -0,0 +1 @@ +TODO diff --git a/tests/lxd/majorupgrade/README.md b/tests/lxd/majorupgrade/README.md new file mode 100644 index 00000000..e357eb2d --- /dev/null +++ b/tests/lxd/majorupgrade/README.md @@ -0,0 +1 @@ +TODO - convert to lxd diff --git a/tests/vagrant/majorupgrade/Vagrantfile b/tests/lxd/majorupgrade/Vagrantfile similarity index 100% rename from tests/vagrant/majorupgrade/Vagrantfile rename to tests/lxd/majorupgrade/Vagrantfile diff --git a/tests/vagrant/majorupgrade/majorupgrade.sh b/tests/lxd/majorupgrade/majorupgrade.sh similarity index 100% rename from tests/vagrant/majorupgrade/majorupgrade.sh rename to tests/lxd/majorupgrade/majorupgrade.sh diff --git a/tests/lxd/vanilla/provision.sh b/tests/lxd/vanilla/provision.sh index 6d774d55..3d153e66 100755 --- a/tests/lxd/vanilla/provision.sh +++ b/tests/lxd/vanilla/provision.sh @@ -17,7 +17,7 @@ D=$(dirname "$BASH_SOURCE") provision_start "" "/mailinabox" || exit 1 # Setup system -if [ "$1" = "ciab" ]; then +if [ "$TESTS" = "ciab" -o "$1" = "ciab" ]; then # use a remote cloudinabox (does not have to be running) provision_shell <<<" cd /mailinabox diff --git a/tests/vagrant/.gitignore b/tests/vagrant/.gitignore deleted file mode 100644 index 6cfd7a63..00000000 --- a/tests/vagrant/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -.vagrant -out -*-console.log diff --git a/tests/vagrant/Vagrantfile b/tests/vagrant/Vagrantfile deleted file mode 100644 index 353bbf3c..00000000 --- a/tests/vagrant/Vagrantfile +++ /dev/null @@ -1,104 +0,0 @@ -##### -##### This file is part of Mail-in-a-Box-LDAP which is released under the -##### terms of the GNU Affero General Public License as published by the -##### Free Software Foundation, either version 3 of the License, or (at -##### your option) any later version. See file LICENSE or go to -##### https://github.com/downtownallday/mailinabox-ldap for full license -##### details. -##### - -load './funcs.rb' - -Vagrant.configure("2") do |config| - - config.vm.synced_folder "../..", "/mailinabox", id: "mailinabox", automount: false - use_preloaded_box config, "ubuntu/jammy64" - - # fresh install with encryption-at-rest - - if ENV['tests']=='all' - config.vm.define "remote-nextcloud-docker-ehdd" do |m1| - m1.vm.provision :shell, :inline => <<-SH -cd /mailinabox -export PRIMARY_HOSTNAME=qa1.abc.com -export FEATURE_MUNIN=false -export EHDD_KEYFILE=$HOME/keyfile -echo -n "boo" >$EHDD_KEYFILE -tests/system-setup/remote-nextcloud-docker.sh || exit 1 -tests/runner.sh -no-smtp-remote remote-nextcloud ehdd default || exit 2 -SH - end - end - - # remote-nextcloud-docker w/basic data - - config.vm.define "remote-nextcloud-docker" do |m1| - m1.vm.provision :shell, :inline => <<-SH -cd /mailinabox -export PRIMARY_HOSTNAME=qa2.abc.com -export FEATURE_MUNIN=false -tests/system-setup/remote-nextcloud-docker.sh upgrade --populate=basic || exit 1 -tests/runner.sh -no-smtp-remote remote-nextcloud upgrade-basic default || exit 2 -SH - end - - - # upgrade-from-upstream - - config.vm.define "upgrade-from-upstream" do |m1| - m1.vm.provision :shell, :inline => <<-SH -cd /mailinabox -export PRIMARY_HOSTNAME=qa3.abc.com -# TODO: change UPSTREAM_TAG to 'main' once upstream is installable -export UPSTREAM_TAG=v67 -tests/system-setup/upgrade-from-upstream.sh --populate=basic --populate=totpuser || exit 1 -tests/runner.sh -no-smtp-remote upgrade-basic upgrade-totpuser default || exit 2 -SH - end - - # upgrade - - # this test is only needed when testing migrations from miabldap - # to a newer miabldap with a migration step - # - # upgrade will handle testing upgrades of - # miabldap with or without a new migration step - config.vm.define "upgrade" do |m1| - m1.vm.provision :shell, :inline => <<-SH -cd /mailinabox -# TODO: remove DEB_PYTHON_INSTALL_LAYOUT once MIABLDAP_RELEASE_TAG >= v66 (see https://github.com/downtownallday/mailinabox-ldap/commit/371f5bc1b236de40a1ed5d9118140ee13fddf5dc) -export DEB_PYTHON_INSTALL_LAYOUT='deb' -export PRIMARY_HOSTNAME=upgrade.abc.com -tests/system-setup/upgrade.sh --populate=basic --populate=totpuser || exit 1 -tests/runner.sh -no-smtp-remote upgrade-basic upgrade-totpuser default || exit 2 -SH - end - - # unsetvars: because miab sets bash '-e' to fail any setup script - # when a script command returns a non-zero exit code, and more - # importantly '-u' which fails scripts when any unset variable is - # accessed, this definition sets a minimal number of environment - # variables prior to running start.sh. Doing so will test that no - # failures occur during setup in the most common use case because - # other vagrant definitions in this file load - # tests/system-setup/setup-default.sh, which pre-assign a value to - # most variables. - - if ENV['tests']=='all' or ENV['tests']=='pre-commit' - config.vm.define "unsetvars" do |m1| - m1.vm.hostname = "mailinabox.lan" - m1.vm.network "private_network", ip: "192.168.56.4" - m1.vm.provision :shell, :inline => <<-SH -export NONINTERACTIVE=1 -export PUBLIC_IP=auto -export PUBLIC_IPV6=auto -export PRIMARY_HOSTNAME=auto -export SKIP_NETWORK_CHECKS=1 -cd /mailinabox -setup/start.sh -SH - end - end - - -end diff --git a/tests/vagrant/funcs.rb b/tests/vagrant/funcs.rb deleted file mode 100644 index b304e242..00000000 --- a/tests/vagrant/funcs.rb +++ /dev/null @@ -1,25 +0,0 @@ -##### -##### This file is part of Mail-in-a-Box-LDAP which is released under the -##### terms of the GNU Affero General Public License as published by the -##### Free Software Foundation, either version 3 of the License, or (at -##### your option) any later version. See file LICENSE or go to -##### https://github.com/downtownallday/mailinabox-ldap for full license -##### details. -##### - -def use_preloaded_box(obj, name, preloaded_dir=".") - obj.vm.box = String.new(name) - _name=name.sub! '/','-' # ubuntu/bionic64 => ubuntu-bionic64 - if File.file?("#{preloaded_dir}/preloaded/preloaded-#{_name}.box") - # box name needs to be unique on the system - obj.vm.box = "preloaded-miabldap-#{_name}" - obj.vm.box_url = "file://" + Dir.pwd + "/#{preloaded_dir}/preloaded/preloaded-#{_name}.box" - if Vagrant.has_plugin?('vagrant-vbguest') - # do not update additions when booting this machine - obj.vbguest.auto_update = false - end - end -end - -# Grab the name of the default interface -$default_network_interface = `ip route | awk '/^default/ {printf "%s", $5; exit 0}'` diff --git a/tests/vagrant/parallel.sh b/tests/vagrant/parallel.sh deleted file mode 100755 index 98fb0c15..00000000 --- a/tests/vagrant/parallel.sh +++ /dev/null @@ -1,86 +0,0 @@ -#!/bin/bash -##### -##### This file is part of Mail-in-a-Box-LDAP which is released under the -##### terms of the GNU Affero General Public License as published by the -##### Free Software Foundation, either version 3 of the License, or (at -##### your option) any later version. See file LICENSE or go to -##### https://github.com/downtownallday/mailinabox-ldap for full license -##### details. -##### - - -# Parallel provisioning for virtualbox because "The Vagrant VirtualBox -# provider does not support parallel execution at this time" -# (https://www.vagrantup.com/docs/providers/virtualbox/usage.html) -# -# Credit to: -# https://dzone.com/articles/parallel-provisioning-speeding -# - -. "$(dirname "$0")/../lib/color-output.sh" -. "$(dirname "$0")/../lib/misc.sh" - -if [ -z "$tests" ]; then - export tests="pre-commit" -fi - - -OUTPUT_DIR=out -#rm -rf "$OUTPUT_DIR" -mkdir -p "$OUTPUT_DIR" - -# set total parallel vms to (#cores minus 1) -MAX_PROCS=$(cat /proc/cpuinfo | grep processor | wc -l) -let MAX_PROCS-=1 - - -parallel_provision() { - while read box; do - outfile="$OUTPUT_DIR/$box.out.txt" - rm -f "$outfile" - echo "Provisioning '$box'. Output will be in: $outfile" 1>&2 - echo $box - done | xargs -P $MAX_PROCS -I"BOXNAME" \ - sh -c 'vagrant provision BOXNAME >'"$OUTPUT_DIR/"'BOXNAME.out.txt 2>&1 && echo "EXITCODE: 0" >> '"$OUTPUT_DIR/"'BOXNAME.out.txt || echo "EXITCODE: $?" >>'"$OUTPUT_DIR/"'BOXNAME.out.txt' -} - -## -- main -- ## - -start_time="$(date +%s)" - -# start boxes sequentially to avoid vbox explosions -vagrant up --no-provision - -# but run provision tasks in parallel -boxes="$(vagrant status | awk '/running \(/ {print $1}')" -echo "$boxes" | parallel_provision - - -# output overall result - Vagrantfile script must output "EXITCODE: " -H1 "Results" - -rc=0 -for box in $boxes; do - file="$OUTPUT_DIR"/$box.out.txt - exitcode="$(tail "$file" | grep EXITCODE: | awk '{print $NF}')" - echo -n "$box: " - if [ -z "$exitcode" ]; then - danger "NO EXITCODE!" - [ $rc -eq 0 ] && rc=2 - elif [ "$exitcode" == "0" ]; then - success "SUCCESS" - else - danger "FAILURE ($exitcode)" - rc=1 - fi -done - -# output elapsed time -end_time="$(date +%s)" -echo "" -echo "Elapsed time: $(elapsed_pretty $start_time $end_time)" - -# exit -echo "" -echo "Guest VMs are running! Destroy them with 'vagrant destroy -f'" -exit $rc diff --git a/tests/vagrant/preloaded/.gitignore b/tests/vagrant/preloaded/.gitignore deleted file mode 100644 index e24e7c27..00000000 --- a/tests/vagrant/preloaded/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -*.box -src/ diff --git a/tests/vagrant/preloaded/Vagrantfile b/tests/vagrant/preloaded/Vagrantfile deleted file mode 100644 index 453bf80e..00000000 --- a/tests/vagrant/preloaded/Vagrantfile +++ /dev/null @@ -1,58 +0,0 @@ -##### -##### This file is part of Mail-in-a-Box-LDAP which is released under the -##### terms of the GNU Affero General Public License as published by the -##### Free Software Foundation, either version 3 of the License, or (at -##### your option) any later version. See file LICENSE or go to -##### https://github.com/downtownallday/mailinabox-ldap for full license -##### details. -##### - -def checkout_tag_and_mount(obj, tag) - if "#{tag}" == "" - obj.vm.synced_folder "../../..", "/mailinabox", id: "mailinabox", automount: false - else - _srcdir="src/maibldap-#{tag}" - if not Dir.exist?(_srcdir) - puts "Cloning tag #{tag} to #{_srcdir}" - if tag.size==40 and tag.match?(/\A[0-9a-fA-F]+\Z/) - system("git clone #{ENV['MIABLDAP_GIT']} #{_srcdir}") - system("cd #{_srcdir}; git reset --hard #{tag}") - else - system("git clone -b #{tag} --depth 1 #{ENV['MIABLDAP_GIT']} #{_srcdir}") - end - end - obj.vm.synced_folder _srcdir, "/mailinabox", id: "mailinabox", automount: false - end -end - - -Vagrant.configure("2") do |config| - - checkout_tag_and_mount config, ENV['RELEASE_TAG'] - - config.vm.define "preloaded-ubuntu-bionic64" do |m1| - m1.vm.box = "ubuntu/bionic64" - m1.vm.provision :shell, :inline => <<-SH -cd /mailinabox -tests/vagrant/preloaded/prepvm.sh --no-dry-run -rc=$? -echo "$rc" > "/vagrant/prepcode.txt" -[ $rc -gt 0 ] && exit 1 -exit 0 -SH - end - - config.vm.define "preloaded-ubuntu-jammy64" do |m1| - m1.vm.box = "ubuntu/jammy64" - m1.vm.boot_timeout = 30 - m1.vm.provision :shell, :inline => <<-SH -cd /mailinabox -tests/vagrant/preloaded/prepvm.sh --no-dry-run -rc=$? -echo "$rc" > "/vagrant/prepcode.txt" -[ $rc -gt 0 ] && exit 1 -exit 0 -SH - end - -end diff --git a/tests/vagrant/preloaded/create_preloaded.sh b/tests/vagrant/preloaded/create_preloaded.sh deleted file mode 100755 index c9146fd6..00000000 --- a/tests/vagrant/preloaded/create_preloaded.sh +++ /dev/null @@ -1,134 +0,0 @@ -#!/bin/bash -##### -##### This file is part of Mail-in-a-Box-LDAP which is released under the -##### terms of the GNU Affero General Public License as published by the -##### Free Software Foundation, either version 3 of the License, or (at -##### your option) any later version. See file LICENSE or go to -##### https://github.com/downtownallday/mailinabox-ldap for full license -##### details. -##### - - -# load defaults for MIABLDAP_GIT and MIABLDAP_FINAL_RELEASE_TAG_BIONIC64 (make available to Vagrantfile) -pushd "../../.." >/dev/null -source tests/lib/color-output.sh -source tests/system-setup/setup-defaults.sh || exit 1 -popd >/dev/null - -H1 "Destroy any running boxes" -vagrant destroy -f -rm -f prepcode.txt - -H1 "Ensure plugins are installed" -for plugin in "vagrant-vbguest" "vagrant-reload" -do - if ! vagrant plugin list | grep -F "$plugin" >/dev/null; then - vagrant plugin install "$plugin" || exit 1 - fi -done - -H1 "Upgrade base boxes" -vagrant box update - - -boxes=( - "preloaded-ubuntu-jammy64" - "preloaded-ubuntu-bionic64" -) -# preload packages from source of the following git tags. empty string -# means use the current source tree -tags=( - "" - "$MIABLDAP_FINAL_RELEASE_TAG_BIONIC64" -) -try_reboot=( - true - false -) -idx=0 - -for box in "${boxes[@]}" -do - if [ -z "$1" ]; then - # no cli arguments - only process first box - [ $idx -ge 1 ] && break - else - # cli argument specifies "all" or a named box - if [ "$1" != "all" -a "$1" != "$box" ]; then - let idx+=1 - continue - fi - fi - - H1 "Provision: $box" - export RELEASE_TAG="${tags[$idx]}" - vagrant up $box | tee /tmp/$box.out - upcode=$? - - if [ $upcode -eq 0 -a ! -e "./prepcode.txt" ] && ${try_reboot[$idx]} && grep -F 'Authentication failure' /tmp/$box.out >/dev/null; then - # note: upcode is 0 only if config.vm.boot_timeout is set. - # If this works it may be an indication that ruby's internal - # ssh does not support the algorithm required by the server, - # or the public key does not match (vagrant and vm out of - # sync) - echo "" - echo "VAGRANT AUTHENTICATION FAILURE - TRYING LOOSER ALLOWED SSHD ALGS" - if vagrant ssh $box -c "sudo bash -c 'echo PubkeyAcceptedAlgorithms +ssh-rsa > /etc/ssh/sshd_config.d/miabldap.conf; sudo systemctl restart sshd'"; then - vagrant halt $box - vagrant up $box - upcode=$? - fi - fi - - if [ $upcode -ne 0 -a ! -e "./prepcode.txt" ] && ${try_reboot[$idx]} - then - # a reboot may be necessary if guest addtions was newly - # compiled by vagrant plugin "vagrant-vbguest" - echo "" - echo "VAGRANT UP RETURNED $upcode -- RETRYING AFTER REBOOT" - vagrant halt $box - vagrant up $box - upcode=$? - fi - - rm -f /tmp/$box.out - - let idx+=1 - prepcode=$(cat "./prepcode.txt") - rm -f prepcode.txt - echo "" - echo "VAGRANT UP RETURNED $upcode" - echo "PREPVM RETURNED $prepcode" - - if [ "$prepcode" != "0" -o $upcode -ne 0 ]; then - echo "FAILED!!!!!!!!" - vagrant destroy -f $box - exit 1 - fi - - if vagrant ssh $box -- cat /var/run/reboot-required >/dev/null 2>&1; then - echo "REBOOT REQUIRED" - vagrant reload $box - else - echo "REBOOT NOT REQUIRED" - fi - - vagrant halt $box - vagrant package $box - rm -f $box.box - mv package.box $box.box - - vagrant destroy -f $box - cached_name="$(sed 's/preloaded-/preloaded-miabldap-/' <<<"$box")" - echo "Removing cached box $cached_name" - if [ -e "../funcs.rb" ]; then - pushd .. > /dev/null - vagrant box remove $cached_name - code=$? - popd > /dev/null - else - vagrant box remove $cached_name - code=$? - fi - echo "Remove cache box result: $code - ignoring" -done diff --git a/tests/vagrant/preloaded/prepvm.sh b/tests/vagrant/preloaded/prepvm.sh deleted file mode 100755 index e43e2e0b..00000000 --- a/tests/vagrant/preloaded/prepvm.sh +++ /dev/null @@ -1,230 +0,0 @@ -#!/bin/bash -##### -##### This file is part of Mail-in-a-Box-LDAP which is released under the -##### terms of the GNU Affero General Public License as published by the -##### Free Software Foundation, either version 3 of the License, or (at -##### your option) any later version. See file LICENSE or go to -##### https://github.com/downtownallday/mailinabox-ldap for full license -##### details. -##### - - -# Run this on a VM to pre-install all the packages, then -# take a snapshot - it will greatly speed up subsequent -# test installs - -# -# What won't be installed: -# -# Nextcloud and Roundcube are downloaded with wget by the setup -# scripts, so they are not included -# -# slapd - we want to test installation with setup/ldap.sh -# - -if [ ! -d "setup" ]; then - echo "Run from the miab root directory" - exit 1 -fi - -source tests/lib/misc.sh -source tests/lib/system.sh -source tests/lib/color-output.sh - -dry_run=true -start=$(date +%s) - -if [ "$1" == "--no-dry-run" ]; then - dry_run=false -fi - -if $dry_run; then - echo "WARNING: dry run is TRUE, no changes will be made" -fi - - -# prevent apt from running needrestart(1) -export NEEDRESTART_SUSPEND=true - -# prevent interaction during package install -export DEBIAN_FRONTEND=noninteractive - -# what major version of ubuntu are we installing on? -OS_MAJOR=$(. /etc/os-release; echo $VERSION_ID | awk -F. '{print $1}') - - -remove_line_continuation() { - local file="$1" - awk ' -BEGIN { C=0 } -C==1 && /[^\\]$/ { C=0; print $0; next } -C==1 { printf("%s",substr($0,0,length($0)-1)); next } -/\\$/ { C=1; printf("%s",substr($0,0,length($0)-1)); next } - { print $0 }' \ - "$file" -} - -install_packages() { - local return_code=0 - while read line; do - pkgs="" - case "$line" in - apt_install* ) - pkgs="$(cut -c12- <<<"$line")" - ;; - "apt-get install"* ) - pkgs="$(cut -c16- <<<"$line")" - ;; - "apt install"* ) - pkgs="$(cut -c12- <<<"$line")" - ;; - esac - - # don't install slapd - pkgs="$(sed 's/slapd//g' <<< "$pkgs")" - - # manually set PHP_VER if necessary - if grep "PHP_VER" <<<"$pkgs" >/dev/null; then - pkgs="$(sed "s/\"\?\${*PHP_VER}*\"\?/$PHP_VER/g" <<< "$pkgs")" - fi - - if [ ! -z "$pkgs" ]; then - H2 "install: $pkgs" - if ! $dry_run; then - exec_no_output apt-get install -y $pkgs - let return_code+=$? - fi - fi - done - return $return_code -} - -install_ppas() { - H1 "Add apt repositories" - grep 'hide_output add-apt-repository' setup/system.sh | - while read line; do - line=$(sed 's/^hide_output //' <<< "$line") - H2 "$line" - if ! $dry_run; then - exec_no_output $line - fi - done -} - -add_swap() { - H1 "Add a swap file to the system" - if ! $dry_run; then - dd if=/dev/zero of=/swapfile bs=1024 count=$[1024*1024] status=none - chmod 600 /swapfile - mkswap /swapfile - swapon /swapfile - echo "/swapfile none swap sw 0 0" >> /etc/fstab - fi -} - - -# install PPAs from sources -install_ppas - -# add swap file -add_swap - -# obtain PHP_VER variable from sources -PHP_VER=$(source setup/functions.sh; echo $PHP_VER) - - -if ! $dry_run; then - H1 "Upgrade system" - H2 "apt update" - exec_no_output apt-get update -y || exit 1 - H2 "apt upgrade" - exec_no_output apt-get upgrade -y --with-new-pkgs || exit 1 - H2 "apt autoremove" - exec_no_output apt-get autoremove -y -fi - -# without using the same installation order as setup/start.sh, we end -# up with the system's php getting installed in addition to the -# non-system php that may also installed by setup (don't know why, -# probably one of the packages has a dependency). create an ordered -# list of files to process so we get a similar system setup. - -setup_files=( $(ls setup/*.sh) ) -desired_order=( - setup/functions.sh - setup/preflight.sh - setup/questions.sh - setup/network-checks.sh - setup/system.sh - setup/ssl.sh - setup/dns.sh - setup/ldap.sh - setup/mail-postfix.sh - setup/mail-dovecot.sh - setup/mail-users.sh - setup/dkim.sh - setup/spamassassin.sh - setup/web.sh - setup/webmail.sh - setup/nextcloud.sh - setup/zpush.sh - setup/management.sh - setup/management-capture.sh - setup/munin.sh - setup/firstuser.sh -) -ordered_files=() -for file in "${desired_order[@]}" "${setup_files[@]}"; do - if [ -e "$file" ] && ! array_contains "$file" "${ordered_files[@]}"; then - ordered_files+=( "$file" ) - fi -done - -failed=0 - -for file in ${ordered_files[@]}; do - H1 "$file" - remove_line_continuation "$file" | install_packages - [ $? -ne 0 ] && let failed+=1 -done - -if ! $dry_run; then - # bonus - H1 "install extras" - - H2 "openssh, emacs, ntpdate, net-tools, jq" - exec_no_output apt-get install -y openssh-server emacs-nox ntpdate net-tools jq || let failed+=1 - - # these are added by system-setup scripts and needed for test runner - H2 "python3-dnspython" - exec_no_output apt-get install -y python3-dnspython || let failed+=1 - H2 "pyotp(pip)" - exec_no_output python3 -m pip install pyotp --quiet || let failed+=1 - - # ...and for browser-based tests - #H2 "x11" # needed for chromium w/head (not --headless) - #exec_no_output apt-get install -y xorg openbox xvfb gtk2-engines-pixbuf dbus-x11 xfonts-base xfonts-100dpi xfonts-75dpi xfonts-cyrillic xfonts-scalable x11-apps imagemagick || let failed+=1 - H2 "chromium" - #exec_no_output apt-get install -y chromium-browser || let failed+=1 - exec_no_output snap install chromium || let failed+=1 - H2 "selenium(pip)" - exec_no_output python3 -m pip install selenium --quiet || let failed+=1 - - # remove apache, which is what setup will do - H2 "remove apache2" - exec_no_output apt-get -y purge apache2 apache2-\* - -fi - -end=$(date +%s) -echo "" -echo "" -if [ $failed -gt 0 ]; then - echo "$failed failures! ($(elapsed_pretty $start $end))" - echo "" - exit 1 -else - echo "Successfully prepped in $(elapsed_pretty $start $end). Take a snapshot...." - echo "" - exit 0 -fi diff --git a/tests/vagrant/vanilla/.gitignore b/tests/vagrant/vanilla/.gitignore deleted file mode 100644 index 69c190a0..00000000 --- a/tests/vagrant/vanilla/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -.vagrant -*-console.log diff --git a/tests/vagrant/vanilla/Vagrantfile b/tests/vagrant/vanilla/Vagrantfile deleted file mode 100644 index 98e27d92..00000000 --- a/tests/vagrant/vanilla/Vagrantfile +++ /dev/null @@ -1,87 +0,0 @@ -##### -##### This file is part of Mail-in-a-Box-LDAP which is released under the -##### terms of the GNU Affero General Public License as published by the -##### Free Software Foundation, either version 3 of the License, or (at -##### your option) any later version. See file LICENSE or go to -##### https://github.com/downtownallday/mailinabox-ldap for full license -##### details. -##### - -load '../funcs.rb' - -Vagrant.configure("2") do |config| - - config.vm.synced_folder "../../..", "/mailinabox", id: "mailinabox", automount: false - config.vm.network "public_network", bridge: "#$default_network_interface" - use_preloaded_box config, "ubuntu/jammy64", ".." - - if ENV['tests']=='ciab' - - # vanilla connected to ciab (ciab does not need to be up) - - config.vm.define "vanilla" do |m1| - m1.vm.provision :shell, :inline => <<-SH -cat >/tmp/provision.sh </dev/null; then - # firewall rules aren't added when ciab is down - echo "For testing, allow ldaps from anywhere" - ufw allow ldaps -fi -echo "Add smart host alias - so \\$NC_HOST can send mail to/via this host" -( - source tests/lib/all.sh - rest_urlencoded POST /admin/mail/aliases/add qa@abc.com Test_1234 "address=@\\$NC_HOST" "description=smart-host" "permitted_senders=qa@abc.com" 2>/dev/null - echo "\\$REST_HTTP_CODE: \\$REST_OUTPUT" -) -EOF -chmod +x /tmp/provision.sh -/tmp/provision.sh -SH - end # vanilla connected to ciab - - else - - - # vanilla (default) install - - config.vm.define "vanilla" do |m1| - m1.vm.provision :shell, :inline => <<-SH -cat >/tmp/provision.sh < Date: Fri, 4 Oct 2024 16:26:29 -0400 Subject: [PATCH 07/38] validate argument --- tests/lxd/vanilla/provision.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/lxd/vanilla/provision.sh b/tests/lxd/vanilla/provision.sh index 3d153e66..a70c09a9 100755 --- a/tests/lxd/vanilla/provision.sh +++ b/tests/lxd/vanilla/provision.sh @@ -44,7 +44,7 @@ exit \$rc " provision_done $? -else +elif [ -z "$1" ]; then # vanilla (default - no miab integration) provision_shell <<<" cd /mailinabox @@ -62,4 +62,7 @@ exit \$rc " provision_done $? +else + echo "Invalid argument: $1" + exit 1 fi From 696b597a9c4a7beea1e76ff5ade57f94bbd9770e Mon Sep 17 00:00:00 2001 From: downtownallday Date: Fri, 4 Oct 2024 16:27:26 -0400 Subject: [PATCH 08/38] use bash as 'source' is needed in provision scripts --- tests/bin/provision_functions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/bin/provision_functions.sh b/tests/bin/provision_functions.sh index 68424f0b..1007113f 100644 --- a/tests/bin/provision_functions.sh +++ b/tests/bin/provision_functions.sh @@ -67,7 +67,7 @@ provision_shell() { else local tmp=$(mktemp) - echo "#!/bin/sh" >"$tmp" + echo "#!/bin/bash" >"$tmp" cat >>"$tmp" lxc --project "$project" file push "$tmp" "${inst}${remote_path}" $lxc_flags || return 1 rm -f "$tmp" From 119b11f0227b6565148221bbd0bccb6ef4011a15 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Fri, 4 Oct 2024 17:22:12 -0400 Subject: [PATCH 09/38] remove upstream Vagrantfile --- Vagrantfile | 37 ------------------------------------- 1 file changed, 37 deletions(-) delete mode 100644 Vagrantfile diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index 771f7e27..00000000 --- a/Vagrantfile +++ /dev/null @@ -1,37 +0,0 @@ -# -*- mode: ruby -*- -##### -##### This file is part of Mail-in-a-Box-LDAP which is released under the -##### terms of the GNU Affero General Public License as published by the -##### Free Software Foundation, either version 3 of the License, or (at -##### your option) any later version. See file LICENSE or go to -##### https://github.com/downtownallday/mailinabox-ldap for full license -##### details. -##### - -# vi: set ft=ruby : - -Vagrant.configure("2") do |config| - config.vm.box = "ubuntu/jammy64" - - # Network config: Since it's a mail server, the machine must be connected - # to the public web. However, we currently don't want to expose SSH since - # the machine's box will let anyone log into it. So instead we'll put the - # machine on a private network. - config.vm.hostname = "mailinabox.lan" - config.vm.network "private_network", ip: "192.168.56.4" - - config.vm.provision :shell, :inline => <<-SH - # Set environment variables so that the setup script does - # not ask any questions during provisioning. We'll let the - # machine figure out its own public IP. - export NONINTERACTIVE=1 - export PUBLIC_IP=auto - export PUBLIC_IPV6=auto - export PRIMARY_HOSTNAME=auto - #export SKIP_NETWORK_CHECKS=1 - - # Start the setup script. - cd /vagrant - setup/start.sh -SH -end From 196f5588cc61e6531cda9491f3eb26f152630528 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Mon, 7 Oct 2024 09:51:56 -0400 Subject: [PATCH 10/38] eliminate the use of deprecated utcnow() --- management/ssl_certificates.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py index dd3106d9..888a6d96 100755 --- a/management/ssl_certificates.py +++ b/management/ssl_certificates.py @@ -100,7 +100,7 @@ def get_ssl_certificates(env): # Sort the certificates to prefer good ones. import datetime - now = datetime.datetime.utcnow() + now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None) ret = { } for domain, cert_list in domains.items(): #for c in cert_list: print(domain, c["cert"].not_valid_before, c["cert"].not_valid_after, "("+str(now)+")", c["cert"].issuer, c["cert"].subject, c._filename if hasattr(c,"_filename") else "") @@ -579,7 +579,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring # Check that the certificate hasn't expired. The datetimes returned by the # certificate are 'naive' and in UTC. We need to get the current time in UTC. import datetime - now = datetime.datetime.utcnow() + now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None) if not(cert.not_valid_before <= now <= cert.not_valid_after): return (f"The certificate has expired or is not yet valid. It is valid from {cert.not_valid_before} to {cert.not_valid_after}.", None) From a8d13b84b4e2ac7332ae825177c4f9aa7a01e782 Mon Sep 17 00:00:00 2001 From: Downtown Allday Date: Wed, 27 Nov 2024 08:22:45 -0500 Subject: [PATCH 11/38] fix: NameError: name 'subprocess' is not defined (#2425) --- management/utils.py | 1 + 1 file changed, 1 insertion(+) diff --git a/management/utils.py b/management/utils.py index 397f124d..1dbbeb7e 100644 --- a/management/utils.py +++ b/management/utils.py @@ -189,6 +189,7 @@ def get_ssh_port(): def get_ssh_config_value(parameter_name): # Returns ssh configuration value for the provided parameter + import subprocess try: output = shell('check_output', ['sshd', '-T']) except FileNotFoundError: From 7ef859ce961ea24b70f7e4f8307f069a8f7b42b3 Mon Sep 17 00:00:00 2001 From: matidau <65836048+matidau@users.noreply.github.com> Date: Sat, 14 Dec 2024 01:28:45 +1100 Subject: [PATCH 12/38] Update zpush.sh to version 2.7.5 (#2463) --- setup/zpush.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/zpush.sh b/setup/zpush.sh index 5c3e5b30..5e0ea2c4 100755 --- a/setup/zpush.sh +++ b/setup/zpush.sh @@ -22,8 +22,8 @@ apt_install \ phpenmod -v "$PHP_VER" imap # Copy Z-Push into place. -VERSION=2.7.4 -TARGETHASH=78744d56b8799d9828ec8f99a12c1af4e9f9239b +VERSION=2.7.5 +TARGETHASH=f0b0b06e255f3496173ab9d28a4f2d985184720e needs_update=0 #NODOC if [ ! -f /usr/local/lib/z-push/version ]; then needs_update=1 #NODOC From 81b0e0a64f3ed295205dbc5461bb8f4fc2791e3d Mon Sep 17 00:00:00 2001 From: Nicholas Wilson Date: Sun, 22 Dec 2024 06:26:59 -0600 Subject: [PATCH 13/38] Updated CHANGELOG.md, fix typo(s) (#2459) --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 718e6682..55cd75b8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -73,7 +73,7 @@ Version 64 (September 2, 2023) * Fixed backups to work with the latest duplicity package which was not backwards compatible. * Fixed setting B2 as a backup target with a slash in the application key. * Turned off OpenDMARC diagnostic reports sent in response to incoming mail. -* Fixed some crashes when using an unrelased version of Mail-in-a-Box. +* Fixed some crashes when using an unreleased version of Mail-in-a-Box. * Added z-push administration scripts. Version 63 (July 27, 2023) @@ -1129,7 +1129,7 @@ Control panel: System: * The munin system monitoring tool is now installed and accessible at /admin/munin. -* ownCloud updated to version 8.0.4. The ownCloud installation step now is reslient to download problems. The ownCloud configuration file is now stored in STORAGE_ROOT to fix loss of data when moving STORAGE_ROOT to a new machine. +* ownCloud updated to version 8.0.4. The ownCloud installation step now is resilient to download problems. The ownCloud configuration file is now stored in STORAGE_ROOT to fix loss of data when moving STORAGE_ROOT to a new machine. * The setup scripts now run `apt-get update` prior to installing anything to ensure the apt database is in sync with the packages actually available. @@ -1167,7 +1167,7 @@ DNS: * Internationalized Domain Names (IDNs) should now work in email. If you had custom DNS or custom web settings for internationalized domains, check that they are still working. * It is now possible to set multiple TXT and other types of records on the same domain in the control panel. * The custom DNS API was completely rewritten to support setting multiple records of the same type on a domain. Any existing client code using the DNS API will have to be rewritten. (Existing code will just get 404s back.) -* On some systems the `nsd` service failed to start if network inferfaces were not ready. +* On some systems the `nsd` service failed to start if network interfaces were not ready. System / Control Panel: From d8563be38b2fa047725ee85c7330bdf775101cdd Mon Sep 17 00:00:00 2001 From: Paul Date: Sun, 22 Dec 2024 04:27:36 -0800 Subject: [PATCH 14/38] Disable MOTD advertisements (#2457) Disables MOTD advertisements which use a script to send server information in `wget` headers to Canonical. --- setup/system.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/setup/system.sh b/setup/system.sh index 7467a72c..dd366401 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -83,6 +83,13 @@ fi # (See https://discourse.mailinabox.email/t/journalctl-reclaim-space-on-small-mailinabox/6728/11.) tools/editconf.py /etc/systemd/journald.conf MaxRetentionSec=10day +# ### Improve server privacy + +# Disable MOTD adverts to prevent revealing server information in MOTD request headers +# See https://ma.ttias.be/what-exactly-being-sent-ubuntu-motd/ +tools/editconf.py /etc/default/motd-news ENABLED=0 +rm -f /var/cache/motd-news + # ### Add PPAs. # We install some non-standard Ubuntu packages maintained by other From ee0d750b8560b0e2e9a9bf0afe52ed12982cb7f2 Mon Sep 17 00:00:00 2001 From: Harm Berntsen Date: Sun, 22 Dec 2024 13:28:04 +0100 Subject: [PATCH 15/38] Add missing php-xml package for Roundcube without Nextcloud (#2441) When the Nextcloud installation is skipped, php8.0-xml will also not be installed. This causes issues for Roundcube because it won't load: `PHP Fatal error: Uncaught Error: Class "DOMDocument" not found in /usr/local/lib/roundcubemail/program/lib/Roundcube/html.php:367`. Installing the package on the Roundcube side as well fixes it for me. --- setup/webmail.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index 4591119c..db95028b 100644 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -23,7 +23,7 @@ echo "Installing Roundcube (webmail)..." apt_install \ dbconfig-common \ php"${PHP_VER}"-cli php"${PHP_VER}"-sqlite3 php"${PHP_VER}"-intl php"${PHP_VER}"-common php"${PHP_VER}"-curl php"${PHP_VER}"-imap \ - php"${PHP_VER}"-gd php"${PHP_VER}"-pspell php"${PHP_VER}"-mbstring libjs-jquery libjs-jquery-mousewheel libmagic1 \ + php"${PHP_VER}"-gd php"${PHP_VER}"-pspell php"${PHP_VER}"-mbstring php"${PHP_VER}"-xml libjs-jquery libjs-jquery-mousewheel libmagic1 \ sqlite3 # Install Roundcube from source if it is not already present or if it is out of date. From 3d59f2d7e0d0c2794f88fc36d5fca11fc757f9a7 Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Sun, 22 Dec 2024 13:28:39 +0100 Subject: [PATCH 16/38] Update roundcube to 1.6.9 (#2440) --- setup/webmail.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index db95028b..a203cb8c 100644 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -36,8 +36,8 @@ apt_install \ # https://github.com/mstilkerich/rcmcarddav/releases # The easiest way to get the package hashes is to run this script and get the hash from # the error message. -VERSION=1.6.8 -HASH=00586f5163b3f6c1b0798be745982e3547b1b24a +VERSION=1.6.9 +HASH=b63f74209cf287402f6f44b85877388899261f3c PERSISTENT_LOGIN_VERSION=bde7b6840c7d91de627ea14e81cf4133cbb3c07a # version 5.3 HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+ CARDDAV_VERSION=4.4.3 From e36c17fc72249fef1eb6b638c4fa3ad2ad765d32 Mon Sep 17 00:00:00 2001 From: matidau <65836048+matidau@users.noreply.github.com> Date: Sun, 22 Dec 2024 23:42:56 +1100 Subject: [PATCH 17/38] Fixstates only after Z-Push upgrade (#2432) --- setup/zpush.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/zpush.sh b/setup/zpush.sh index 5e0ea2c4..397ee4a9 100755 --- a/setup/zpush.sh +++ b/setup/zpush.sh @@ -110,4 +110,6 @@ restart_service php"$PHP_VER"-fpm # Fix states after upgrade -hide_output php"$PHP_VER" /usr/local/lib/z-push/z-push-admin.php -a fixstates +if [ $needs_update == 1 ]; then + hide_output php"$PHP_VER" /usr/local/lib/z-push/z-push-admin.php -a fixstates +fi From 9f87b36ba182e5ec6e519a4a6c27e9ead8c08469 Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Sun, 22 Dec 2024 13:45:45 +0100 Subject: [PATCH 18/38] add check on SOA record to determine up to date synchronization of secondary nameserver (#2429) --- management/status_checks.py | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/management/status_checks.py b/management/status_checks.py index 51f8e631..96d10c95 100755 --- a/management/status_checks.py +++ b/management/status_checks.py @@ -521,6 +521,8 @@ def check_dns_zone(domain, env, output, dns_zonefiles): # Check that each custom secondary nameserver resolves the IP address. if custom_secondary_ns and not probably_external_dns: + SOARecord = query_dns(domain, "SOA", at=env['PUBLIC_IP'])# Explicitly ask the local dns server. + for ns in custom_secondary_ns: # We must first resolve the nameserver to an IP address so we can query it. ns_ips = query_dns(ns, "A") @@ -530,15 +532,36 @@ def check_dns_zone(domain, env, output, dns_zonefiles): # Choose the first IP if nameserver returns multiple ns_ip = ns_ips.split('; ')[0] + checkSOA = True + # Now query it to see what it says about this domain. ip = query_dns(domain, "A", at=ns_ip, nxdomain=None) if ip == correct_ip: - output.print_ok("Secondary nameserver %s resolved the domain correctly." % ns) + output.print_ok(f"Secondary nameserver {ns} resolved the domain correctly.") elif ip is None: - output.print_error("Secondary nameserver %s is not configured to resolve this domain." % ns) + output.print_error(f"Secondary nameserver {ns} is not configured to resolve this domain.") + # No need to check SOA record if not configured as nameserver + checkSOA = False + elif ip == '[timeout]': + output.print_error(f"Secondary nameserver {ns} did not resolve this domain, result: {ip}") + checkSOA = False else: output.print_error(f"Secondary nameserver {ns} is not configured correctly. (It resolved this domain as {ip}. It should be {correct_ip}.)") + if checkSOA: + # Check that secondary DNS server is synchronized with our primary DNS server. Simplified by checking the SOA record which has a version number + SOASecondary = query_dns(domain, "SOA", at=ns_ip) + + if SOARecord == SOASecondary: + output.print_ok(f"Secondary nameserver {ns} has consistent SOA record.") + elif SOARecord == '[Not Set]': + output.print_error(f"Secondary nameserver {ns} has no SOA record configured.") + elif SOARecord == '[timeout]': + output.print_error(f"Secondary nameserver {ns} timed out on checking SOA record.") + else: + output.print_error(f"""Secondary nameserver {ns} has inconsistent SOA record (primary: {SOARecord} versus secondary: {SOASecondary}). + Check that synchronization between secondary and primary DNS servers is properly set-up.""") + def check_dns_zone_suggestions(domain, env, output, dns_zonefiles, domains_with_a_records): # Warn if a custom DNS record is preventing this or the automatic www redirect from # being served. From 564ed59bb47da24c9ebc50ae9137e6dcbcae9826 Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Sun, 22 Dec 2024 13:48:36 +0100 Subject: [PATCH 19/38] Add check on ipv6 for spamhaus (#2428) --- management/status_checks.py | 41 +++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 11 deletions(-) diff --git a/management/status_checks.py b/management/status_checks.py index 96d10c95..67aaaeb4 100755 --- a/management/status_checks.py +++ b/management/status_checks.py @@ -282,26 +282,45 @@ def run_network_checks(env, output): # The user might have ended up on an IP address that was previously in use # by a spammer, or the user may be deploying on a residential network. We # will not be able to reliably send mail in these cases. - + rev_ip4 = ".".join(reversed(env['PUBLIC_IP'].split('.'))) + zen = query_dns(rev_ip4+'.zen.spamhaus.org', 'A', nxdomain=None, retry = False) + evaluate_spamhaus_lookup(env['PUBLIC_IP'], 'IPv4', rev_ip4, output, zen) + + if not env['PUBLIC_IPV6']: + return + + from ipaddress import IPv6Address + + rev_ip6 = ".".join(reversed(IPv6Address(env['PUBLIC_IPV6']).exploded.split(':'))) + zen = query_dns(rev_ip6+'.zen.spamhaus.org', 'A', nxdomain=None, retry = False) + evaluate_spamhaus_lookup(env['PUBLIC_IPV6'], 'IPv6', rev_ip6, output, zen) + + +def evaluate_spamhaus_lookup(lookupaddress, lookuptype, lookupdomain, output, zen): # See https://www.spamhaus.org/news/article/807/using-our-public-mirrors-check-your-return-codes-now. for # information on spamhaus return codes - rev_ip4 = ".".join(reversed(env['PUBLIC_IP'].split('.'))) - zen = query_dns(rev_ip4+'.zen.spamhaus.org', 'A', nxdomain=None) if zen is None: - output.print_ok("IP address is not blacklisted by zen.spamhaus.org.") + output.print_ok(f"{lookuptype} address is not blacklisted by zen.spamhaus.org.") elif zen == "[timeout]": - output.print_warning("Connection to zen.spamhaus.org timed out. Could not determine whether this box's IP address is blacklisted. Please try again later.") + output.print_warning(f"""Connection to zen.spamhaus.org timed out. Could not determine whether this box's + {lookuptype} address is blacklisted. Please try again later.""") elif zen == "[Not Set]": - output.print_warning("Could not connect to zen.spamhaus.org. Could not determine whether this box's IP address is blacklisted. Please try again later.") + output.print_warning(f"""Could not connect to zen.spamhaus.org. Could not determine whether this box's + {lookuptype} address is blacklisted. Please try again later.""") elif zen == "127.255.255.252": - output.print_warning("Incorrect spamhaus query: %s. Could not determine whether this box's IP address is blacklisted." % (rev_ip4+'.zen.spamhaus.org')) + output.print_warning(f"""Incorrect spamhaus query: {lookupdomain + '.zen.spamhaus.org'}. Could not determine whether + this box's {lookuptype} address is blacklisted.""") elif zen == "127.255.255.254": - output.print_warning("Mail-in-a-Box is configured to use a public DNS server. This is not supported by spamhaus. Could not determine whether this box's IP address is blacklisted.") + output.print_warning(f"""Mail-in-a-Box is configured to use a public DNS server. This is not supported by + spamhaus. Could not determine whether this box's {lookuptype} address is blacklisted.""") elif zen == "127.255.255.255": - output.print_warning("Too many queries have been performed on the spamhaus server. Could not determine whether this box's IP address is blacklisted.") + output.print_warning(f"""Too many queries have been performed on the spamhaus server. Could not determine + whether this box's {lookuptype} address is blacklisted.""") else: - output.print_error("""The IP address of this machine {} is listed in the Spamhaus Block List (code {}), - which may prevent recipients from receiving your email. See http://www.spamhaus.org/query/ip/{}.""".format(env['PUBLIC_IP'], zen, env['PUBLIC_IP'])) + output.print_error(f"""The {lookuptype} address of this machine {lookupaddress} is listed in the Spamhaus Block + List (code {zen}), which may prevent recipients from receiving your email. See + http://www.spamhaus.org/query/ip/{lookupaddress}.""") + def run_domain_checks(rounded_time, env, output, pool, domains_to_check=None): # Get the list of domains we handle mail for. From 4f094f7859cab6ee72792b96313c1c7d4407685d Mon Sep 17 00:00:00 2001 From: zoof Date: Sun, 22 Dec 2024 07:57:59 -0500 Subject: [PATCH 20/38] Change hour of daily tasks to run at 1am and only run full backups on weekends (#2424) * Change hour of daily tasks to run at 1am * Change to only do full backup on weekends --- management/backup.py | 17 +++++++++++------ setup/management.sh | 2 +- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/management/backup.py b/management/backup.py index aae6c00b..238cb2ed 100755 --- a/management/backup.py +++ b/management/backup.py @@ -9,6 +9,7 @@ import os, os.path, re, datetime, sys import dateutil.parser, dateutil.relativedelta, dateutil.tz +from datetime import date import rtyaml from exclusiveprocess import Lock @@ -157,6 +158,8 @@ def should_force_full(config, env): # since the last full backup is greater than half the size # of that full backup. inc_size = 0 + # Check if day of week is a weekend day + weekend = date.today().weekday()>=5 for bak in backup_status(env)["backups"]: if not bak["full"]: # Scan through the incremental backups cumulating @@ -165,12 +168,14 @@ def should_force_full(config, env): else: # ...until we reach the most recent full backup. # Return if we should to a full backup, which is based - # on the size of the increments relative to the full - # backup, as well as the age of the full backup. - if inc_size > .5*bak["size"]: - return True - if dateutil.parser.parse(bak["date"]) + datetime.timedelta(days=config["min_age_in_days"]*10+1) < datetime.datetime.now(dateutil.tz.tzlocal()): - return True + # on whether it is a weekend day, the size of the + # increments relative to the full backup, as well as + # the age of the full backup. + if weekend: + if inc_size > .5*bak["size"]: + return True + if dateutil.parser.parse(bak["date"]) + datetime.timedelta(days=config["min_age_in_days"]*10+1) < datetime.datetime.now(dateutil.tz.tzlocal()): + return True return False else: # If we got here there are no (full) backups, so make one. diff --git a/setup/management.sh b/setup/management.sh index fb359cd3..d8032312 100755 --- a/setup/management.sh +++ b/setup/management.sh @@ -116,7 +116,7 @@ minute=$((RANDOM % 60)) # avoid overloading mailinabox.email cat > /etc/cron.d/mailinabox-nightly << EOF; # Mail-in-a-Box --- Do not edit / will be overwritten on update. # Run nightly tasks: backup, status checks. -$minute 3 * * * root (cd $PWD && management/daily_tasks.sh) +$minute 1 * * * root (cd $PWD && management/daily_tasks.sh) EOF # Start the management server. From 0d7388899c02a3785714bfe75d711f5929b3ded2 Mon Sep 17 00:00:00 2001 From: Tomasz Stanczak Date: Sun, 22 Dec 2024 13:59:58 +0100 Subject: [PATCH 21/38] Allow DSA end EllipticCurve private keys to be used additionally to RSA for HTTPS certificates (#2416) Co-authored-by: Tomasz Stanczak --- management/ssl_certificates.py | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py index c9f1126c..8c1b841e 100755 --- a/management/ssl_certificates.py +++ b/management/ssl_certificates.py @@ -14,7 +14,7 @@ def get_ssl_certificates(env): # that the certificates are good for to the best certificate for # the domain. - from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey + from cryptography.hazmat.primitives.asymmetric import dsa, rsa, ec from cryptography.x509 import Certificate # The certificates are all stored here: @@ -59,13 +59,15 @@ def get_ssl_certificates(env): # Not a valid PEM format for a PEM type we care about. continue - # Is it a private key? - if isinstance(pem, RSAPrivateKey): - private_keys[pem.public_key().public_numbers()] = { "filename": fn, "key": pem } - # Is it a certificate? if isinstance(pem, Certificate): certificates.append({ "filename": fn, "cert": pem }) + # It is a private key + elif (isinstance(pem, rsa.RSAPrivateKey) + or isinstance(pem, dsa.DSAPrivateKey) + or isinstance(pem, ec.EllipticCurvePrivateKey)): + private_keys[pem.public_key().public_numbers()] = { "filename": fn, "key": pem } + # Process the certificates. domains = { } @@ -505,7 +507,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring # Check that the ssl_certificate & ssl_private_key files are good # for the provided domain. - from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey + from cryptography.hazmat.primitives.asymmetric import rsa, dsa, ec from cryptography.x509 import Certificate # The ssl_certificate file may contain a chain of certificates. We'll @@ -539,7 +541,9 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring except ValueError as e: return (f"The private key file {ssl_private_key} is not a private key file: {e!s}", None) - if not isinstance(priv_key, RSAPrivateKey): + if (not isinstance(priv_key, rsa.RSAPrivateKey) + and not isinstance(priv_key, dsa.DSAPrivateKey) + and not isinstance(priv_key, ec.EllipticCurvePrivateKey)): return ("The private key file %s is not a private key file." % ssl_private_key, None) if priv_key.public_key().public_numbers() != cert.public_key().public_numbers(): @@ -639,7 +643,7 @@ def load_pem(pem): msg = "File is not a valid PEM-formatted file." raise ValueError(msg) pem_type = pem_type.group(1) - if pem_type in {b"RSA PRIVATE KEY", b"PRIVATE KEY"}: + if pem_type.endswith(b"PRIVATE KEY"): return serialization.load_pem_private_key(pem, password=None, backend=default_backend()) if pem_type == b"CERTIFICATE": return load_pem_x509_certificate(pem, default_backend()) From 2e0482e1817fd1a167b247a9137b86ee190d2947 Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Sun, 22 Dec 2024 14:01:02 +0100 Subject: [PATCH 22/38] Exclude the owncloud-backup folder from the nightly backup (#2413) --- management/backup.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/management/backup.py b/management/backup.py index 238cb2ed..ac16eade 100755 --- a/management/backup.py +++ b/management/backup.py @@ -325,6 +325,7 @@ def perform_backup(full_backup): "--verbosity", "warning", "--no-print-statistics", "--archive-dir", backup_cache_dir, "--exclude", backup_root, + "--exclude", os.path.join(env["STORAGE_ROOT"], "owncloud-backup"), "--volsize", "250", "--gpg-options", "'--cipher-algo=AES256'", "--allow-source-mismatch", @@ -404,6 +405,7 @@ def run_duplicity_verification(): "--compare-data", "--archive-dir", backup_cache_dir, "--exclude", backup_root, + "--exclude", os.path.join(env["STORAGE_ROOT"], "owncloud-backup"), *get_duplicity_additional_args(env), get_duplicity_target_url(config), env["STORAGE_ROOT"], From e0b93718a33338115e953564170d87af6a55e1f9 Mon Sep 17 00:00:00 2001 From: yeah Date: Sun, 22 Dec 2024 14:02:49 +0100 Subject: [PATCH 23/38] =?UTF-8?q?Revert=20"increase=20timeout=20for=20the?= =?UTF-8?q?=20nginx=20proxy=20that=20provides=20access=20to=20the=20Mail?= =?UTF-8?q?=E2=80=A6"=20(#2411)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reverts #2407 - as per #2316 This reverts commit 2803d8889454fa3a8295c0cfd382cdbe996284d9. --- conf/nginx-primaryonly.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf index b361a7b2..36f62aab 100644 --- a/conf/nginx-primaryonly.conf +++ b/conf/nginx-primaryonly.conf @@ -8,7 +8,6 @@ rewrite ^/admin/munin$ /admin/munin/ redirect; location /admin/ { proxy_pass http://127.0.0.1:10222/; - proxy_read_timeout 600s; proxy_set_header X-Forwarded-For $remote_addr; add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options nosniff; From 18721e42d19e87df5b7ba0182525739928dd39fa Mon Sep 17 00:00:00 2001 From: yeah Date: Sun, 22 Dec 2024 14:07:04 +0100 Subject: [PATCH 24/38] Cronjob for cleaning up expired SSL certificates in order to improve page load times with many domains (#2410) Fixes #2316. --- setup/ssl.sh | 9 +++++++++ tools/ssl_cleanup | 17 +++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100755 tools/ssl_cleanup diff --git a/setup/ssl.sh b/setup/ssl.sh index 19a0c048..0aa9b136 100755 --- a/setup/ssl.sh +++ b/setup/ssl.sh @@ -96,3 +96,12 @@ fi if [ ! -f "$STORAGE_ROOT/ssl/dh2048.pem" ]; then openssl dhparam -out "$STORAGE_ROOT/ssl/dh2048.pem" 2048 fi + +# Cleanup expired SSL certificates from $STORAGE_ROOT/ssl daily +cat > /etc/cron.daily/mailinabox-ssl-cleanup << EOF; +#!/bin/bash +# Mail-in-a-Box +# Cleanup expired SSL certificates +$(pwd)/tools/ssl_cleanup +EOF +chmod +x /etc/cron.daily/mailinabox-ssl-cleanup diff --git a/tools/ssl_cleanup b/tools/ssl_cleanup new file mode 100755 index 00000000..5adfa1be --- /dev/null +++ b/tools/ssl_cleanup @@ -0,0 +1,17 @@ +#!/bin/bash +# Cleanup SSL certificates which expired more than 7 days ago from $STORAGE_ROOT/ssl and move them to $STORAGE_ROOT/ssl.expired + +source /etc/mailinabox.conf +shopt -s extglob + +retain_after="$(date --date="7 days ago" +%Y%m%d)" + +mkdir -p $STORAGE_ROOT/ssl.expired +for file in $STORAGE_ROOT/ssl/*-+([0-9])-+([0-9a-f]).pem; do + pem="$(basename "$file")" + not_valid_after="$(cut -d- -f1 <<< "${pem: -21}")" + + if [ "$not_valid_after" -lt "$retain_after" ]; then + mv "$file" "$STORAGE_ROOT/ssl.expired/${pem}" + fi +done From 4c2e4bab29a1030d87f5213b12dcfb38bcec2e83 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Sun, 22 Dec 2024 10:26:09 -0500 Subject: [PATCH 25/38] fix error when glob matches nothing (variable 'file' will have the glob as a value in the for loop and produce the error "mv: cannot stat '/home/user-data/ssl/*-+([0-9])-+([0-9a-f]).pem': No such file or directory") --- tools/ssl_cleanup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ssl_cleanup b/tools/ssl_cleanup index 5adfa1be..eb3eba7b 100755 --- a/tools/ssl_cleanup +++ b/tools/ssl_cleanup @@ -7,7 +7,8 @@ shopt -s extglob retain_after="$(date --date="7 days ago" +%Y%m%d)" mkdir -p $STORAGE_ROOT/ssl.expired -for file in $STORAGE_ROOT/ssl/*-+([0-9])-+([0-9a-f]).pem; do +ls $STORAGE_ROOT/ssl/*-+([0-9])-+([0-9a-f]).pem 2>/dev/null | while read file +do pem="$(basename "$file")" not_valid_after="$(cut -d- -f1 <<< "${pem: -21}")" From f73da3db60fc221fd2ecae17eac16db426800b2b Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Mon, 23 Dec 2024 11:26:09 -0500 Subject: [PATCH 26/38] Fix likely merge mistake in 564ed59bb47da24c9ebc50ae9137e6dcbcae9826 Fixes #2466 --- management/status_checks.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/management/status_checks.py b/management/status_checks.py index 67aaaeb4..68755cb7 100755 --- a/management/status_checks.py +++ b/management/status_checks.py @@ -283,7 +283,7 @@ def run_network_checks(env, output): # by a spammer, or the user may be deploying on a residential network. We # will not be able to reliably send mail in these cases. rev_ip4 = ".".join(reversed(env['PUBLIC_IP'].split('.'))) - zen = query_dns(rev_ip4+'.zen.spamhaus.org', 'A', nxdomain=None, retry = False) + zen = query_dns(rev_ip4+'.zen.spamhaus.org', 'A', nxdomain=None) evaluate_spamhaus_lookup(env['PUBLIC_IP'], 'IPv4', rev_ip4, output, zen) if not env['PUBLIC_IPV6']: @@ -292,7 +292,7 @@ def run_network_checks(env, output): from ipaddress import IPv6Address rev_ip6 = ".".join(reversed(IPv6Address(env['PUBLIC_IPV6']).exploded.split(':'))) - zen = query_dns(rev_ip6+'.zen.spamhaus.org', 'A', nxdomain=None, retry = False) + zen = query_dns(rev_ip6+'.zen.spamhaus.org', 'A', nxdomain=None) evaluate_spamhaus_lookup(env['PUBLIC_IPV6'], 'IPv6', rev_ip6, output, zen) From d58dd0c91dd677acd6940d9b6099e2abb0ede729 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 4 Jan 2025 14:38:45 -0500 Subject: [PATCH 27/38] v71 --- CHANGELOG.md | 29 +++++++++++++++++++++++++++++ setup/bootstrap.sh | 2 +- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 55cd75b8..21d76e05 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,35 @@ CHANGELOG ========= +Version 71 (January 4, 2025) +---------------------------- + +Upgrades + +* Roundcube upgraded to version 1.6.9. +* Z-Push upgraded to version 2.7.5. + +Automated Maintenance + +* Daily automated tasks are now run at 1am in the box's timezone and full backups are now restricted to running only on Saturdays and Sundays at that time. +* Backups now exclude the owncloud-backup folder so that we're not backing up backups. +* Old TLS certificates are now automatically deleted to improve control panel performance. + +Setup + +* Fixed broken setup if SSH was configured to listen on multiple ports. +* Ubuntu MOTD advertisements are now disabled. +* Fixed missing Roundcube dependency package if NextCloud isn't installed. + +Control Panel + +* Improved status checks for secondary nameservers. +* Spamhaus is now queried for the box's IPv6 address also. +* DSA and EC private keys are now accepted for TLS certificates. +* Timeouts for loading slow control panel pages are reduced. + +And other minor fixes. + Version 70 (August 15, 2024) ---------------------------- diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh index 00d1b214..00b64c13 100644 --- a/setup/bootstrap.sh +++ b/setup/bootstrap.sh @@ -23,7 +23,7 @@ if [ -z "$TAG" ]; then if [ "$UBUNTU_VERSION" == "Ubuntu 22.04 LTS" ]; then # This machine is running Ubuntu 22.04, which is supported by # Mail-in-a-Box versions 60 and later. - TAG=v70 + TAG=v71 elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then # This machine is running Ubuntu 18.04, which is supported by # Mail-in-a-Box versions 0.40 through 5x. From c5e33b51e5d112a09420d242c3d8cf1c23aeeafa Mon Sep 17 00:00:00 2001 From: downtownallday Date: Sat, 4 Jan 2025 15:08:53 -0500 Subject: [PATCH 28/38] Update license --- tools/ssl_cleanup | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/ssl_cleanup b/tools/ssl_cleanup index eb3eba7b..95f099de 100755 --- a/tools/ssl_cleanup +++ b/tools/ssl_cleanup @@ -1,4 +1,13 @@ #!/bin/bash +##### +##### This file is part of Mail-in-a-Box-LDAP which is released under the +##### terms of the GNU Affero General Public License as published by the +##### Free Software Foundation, either version 3 of the License, or (at +##### your option) any later version. See file LICENSE or go to +##### https://github.com/downtownallday/mailinabox-ldap for full license +##### details. +##### + # Cleanup SSL certificates which expired more than 7 days ago from $STORAGE_ROOT/ssl and move them to $STORAGE_ROOT/ssl.expired source /etc/mailinabox.conf From 201bd1b0672f138690aade23083a43ddb0e3bcf8 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Sat, 4 Jan 2025 15:14:40 -0500 Subject: [PATCH 29/38] v71 --- changelog/v71.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 changelog/v71.md diff --git a/changelog/v71.md b/changelog/v71.md new file mode 100644 index 00000000..b27bfc72 --- /dev/null +++ b/changelog/v71.md @@ -0,0 +1,42 @@ +## Commits for v71 +| COMMIT | DATE | AUTHOR | TITLE | +| ------ | ---- | ------ | ----- | +| [c5e33b51](https://github.com/downtownallday/mailinabox-ldap/commit/c5e33b51e5d112a09420d242c3d8cf1c23aeeafa) | 2025-01-04 | _downtownallday_ | Update license | +| [d58dd0c9](https://github.com/downtownallday/mailinabox-ldap/commit/d58dd0c91dd677acd6940d9b6099e2abb0ede729) | 2025-01-04 | _Joshua Tauberer_ | v71 | +| [f73da3db](https://github.com/downtownallday/mailinabox-ldap/commit/f73da3db60fc221fd2ecae17eac16db426800b2b) | 2025-01-04 | _Joshua Tauberer_ | Fix likely merge mistake in 564ed59bb47da24c9ebc50ae9137e6dcbcae9826 | +| [4c2e4bab](https://github.com/downtownallday/mailinabox-ldap/commit/4c2e4bab29a1030d87f5213b12dcfb38bcec2e83) | 2024-12-22 | _downtownallday_ | fix error when glob matches nothing (variable 'file' will have the glob as a value in the for loop and produce the error "mv: cannot stat '/home/user-data/ssl/*-+([0-9])-+([0-9a-f]).pem': No such file or directory") | +| [18721e42](https://github.com/downtownallday/mailinabox-ldap/commit/18721e42d19e87df5b7ba0182525739928dd39fa) | 2024-12-22 | _yeah_ | Cronjob for cleaning up expired SSL certificates in order to improve page load times with many domains (#2410) | +| [e0b93718](https://github.com/downtownallday/mailinabox-ldap/commit/e0b93718a33338115e953564170d87af6a55e1f9) | 2024-12-22 | _yeah_ | Revert "increase timeout for the nginx proxy that provides access to the Mail…" (#2411) | +| [2e0482e1](https://github.com/downtownallday/mailinabox-ldap/commit/2e0482e1817fd1a167b247a9137b86ee190d2947) | 2024-12-22 | _KiekerJan_ | Exclude the owncloud-backup folder from the nightly backup (#2413) | +| [0d738889](https://github.com/downtownallday/mailinabox-ldap/commit/0d7388899c02a3785714bfe75d711f5929b3ded2) | 2024-12-22 | _Tomasz Stanczak_ | Allow DSA end EllipticCurve private keys to be used additionally to RSA for HTTPS certificates (#2416) | +| [4f094f78](https://github.com/downtownallday/mailinabox-ldap/commit/4f094f7859cab6ee72792b96313c1c7d4407685d) | 2024-12-22 | _zoof_ | Change hour of daily tasks to run at 1am and only run full backups on weekends (#2424) | +| [564ed59b](https://github.com/downtownallday/mailinabox-ldap/commit/564ed59bb47da24c9ebc50ae9137e6dcbcae9826) | 2024-12-22 | _KiekerJan_ | Add check on ipv6 for spamhaus (#2428) | +| [9f87b36b](https://github.com/downtownallday/mailinabox-ldap/commit/9f87b36ba182e5ec6e519a4a6c27e9ead8c08469) | 2024-12-22 | _KiekerJan_ | add check on SOA record to determine up to date synchronization of secondary nameserver (#2429) | +| [e36c17fc](https://github.com/downtownallday/mailinabox-ldap/commit/e36c17fc72249fef1eb6b638c4fa3ad2ad765d32) | 2024-12-22 | _matidau_ | Fixstates only after Z-Push upgrade (#2432) | +| [3d59f2d7](https://github.com/downtownallday/mailinabox-ldap/commit/3d59f2d7e0d0c2794f88fc36d5fca11fc757f9a7) | 2024-12-22 | _KiekerJan_ | Update roundcube to 1.6.9 (#2440) | +| [ee0d750b](https://github.com/downtownallday/mailinabox-ldap/commit/ee0d750b8560b0e2e9a9bf0afe52ed12982cb7f2) | 2024-12-22 | _Harm Berntsen_ | Add missing php-xml package for Roundcube without Nextcloud (#2441) | +| [d8563be3](https://github.com/downtownallday/mailinabox-ldap/commit/d8563be38b2fa047725ee85c7330bdf775101cdd) | 2024-12-22 | _Paul_ | Disable MOTD advertisements (#2457) | +| [81b0e0a6](https://github.com/downtownallday/mailinabox-ldap/commit/81b0e0a64f3ed295205dbc5461bb8f4fc2791e3d) | 2024-12-22 | _Nicholas Wilson_ | Updated CHANGELOG.md, fix typo(s) (#2459) | +| [7ef859ce](https://github.com/downtownallday/mailinabox-ldap/commit/7ef859ce961ea24b70f7e4f8307f069a8f7b42b3) | 2024-12-13 | _matidau_ | Update zpush.sh to version 2.7.5 (#2463) | +| [a8d13b84](https://github.com/downtownallday/mailinabox-ldap/commit/a8d13b84b4e2ac7332ae825177c4f9aa7a01e782) | 2024-11-27 | _Downtown Allday_ | fix: NameError: name 'subprocess' is not defined (#2425) | +| [196f5588](https://github.com/downtownallday/mailinabox-ldap/commit/196f5588cc61e6531cda9491f3eb26f152630528) | 2024-10-07 | _downtownallday_ | eliminate the use of deprecated utcnow() | +| [119b11f0](https://github.com/downtownallday/mailinabox-ldap/commit/119b11f0227b6565148221bbd0bccb6ef4011a15) | 2024-10-04 | _downtownallday_ | remove upstream Vagrantfile | +| [696b597a](https://github.com/downtownallday/mailinabox-ldap/commit/696b597a9c4a7beea1e76ff5ade57f94bbd9770e) | 2024-10-04 | _downtownallday_ | use bash as 'source' is needed in provision scripts | +| [ae056e50](https://github.com/downtownallday/mailinabox-ldap/commit/ae056e507beaf86272dc5cdc20545f5d9c2ae41c) | 2024-10-04 | _downtownallday_ | validate argument | +| [3b6e6177](https://github.com/downtownallday/mailinabox-ldap/commit/3b6e6177d03c4fc10d3c3afe07760e8f4b49f181) | 2024-10-04 | _downtownallday_ | Remove vagrant references - everything has moved to lxd | +| [706c3e7a](https://github.com/downtownallday/mailinabox-ldap/commit/706c3e7af93add6ced094a473ebbc57716cd03f7) | 2024-09-20 | _downtownallday_ | QA: updates for recent nextcloud change | +| [62b691f4](https://github.com/downtownallday/mailinabox-ldap/commit/62b691f44a2f201f55052831e2b1ddad962a9cb9) | 2024-09-20 | _downtownallday_ | QA: updates for recent nextcloud changes | +| [1699ab8c](https://github.com/downtownallday/mailinabox-ldap/commit/1699ab8c02e6813075a65fff9903c85e31d52445) | 2024-09-17 | _matidau_ | Update zpush.sh to version 2.7.4 (#2423) | +| [3e0a6214](https://github.com/downtownallday/mailinabox-ldap/commit/3e0a6214508724496ce2c629b598cedf4be1b22c) | 2024-09-10 | _downtownallday_ | allow supplying a command line to execute to ssh remove debugging echo statements add -q argument to suppress outputting lxc command line | +| [4fedfb37](https://github.com/downtownallday/mailinabox-ldap/commit/4fedfb377da393d7fe22ca8781a964e9759a18ce) | 2024-09-10 | _downtownallday_ | during wait for boot, also wait until vm has an ip address | +| [2e0b37a0](https://github.com/downtownallday/mailinabox-ldap/commit/2e0b37a09a964c0e7499c2bff7d4f2d25361e9d9) | 2024-09-07 | _downtownallday_ | fix syntax error | +| [6d25bc47](https://github.com/downtownallday/mailinabox-ldap/commit/6d25bc47bf20ba48c53bc861962e9356713fcbfa) | 2024-09-05 | _downtownallday_ | add a restart command | +| [54a3bd10](https://github.com/downtownallday/mailinabox-ldap/commit/54a3bd100c43710800ce3208acf1380e071bc0a3) | 2024-09-04 | _downtownallday_ | Add provision defaults to lxc init | +| [0fce66db](https://github.com/downtownallday/mailinabox-ldap/commit/0fce66dbc7e3c46b08d31698deca27badfbb0682) | 2024-09-03 | _downtownallday_ | back out assert_kernel_modules | +| [446aacb9](https://github.com/downtownallday/mailinabox-ldap/commit/446aacb9b6ae4dce8c021c8d1a4b09efefebabdb) | 2024-09-03 | _downtownallday_ | Don't exit on missing kernel module during non-interactive scenario | +| [c027db8b](https://github.com/downtownallday/mailinabox-ldap/commit/c027db8bf49091e6d4cef214722a062635e80d3c) | 2024-09-03 | _downtownallday_ | reword comment | +| [ca123515](https://github.com/downtownallday/mailinabox-ldap/commit/ca123515aad102327701b18a7d65d180f800b815) | 2024-09-02 | _Downtown Allday_ | fix variable (#2439) | +| [a1d6f671](https://github.com/downtownallday/mailinabox-ldap/commit/a1d6f6713578097b1b68bb0cea80f6327a2c3577) | 2024-09-02 | _downtownallday_ | change from vagrant to lxd as the virtualization system | +| [a79a6c00](https://github.com/downtownallday/mailinabox-ldap/commit/a79a6c00eb252de8c2581744894c8173a34b2f92) | 2024-09-02 | _downtownallday_ | encryption-at-rest: Ensure required kernel modules are installed | +| [3b8f4a2f](https://github.com/downtownallday/mailinabox-ldap/commit/3b8f4a2fe8bd686f9d3ff405d9bb380c3c6315a8) | 2024-08-30 | _matidau_ | Z-Push remove config lines no longer supported (#2433) | +| [f453c44d](https://github.com/downtownallday/mailinabox-ldap/commit/f453c44d524b68a3a99f567168dd401f88556633) | 2024-08-30 | _darren_ | Update setup to handle multiple SSH ports (#2437) | From 432b470d2931a15a3761a3e35f1c30cac4e83b49 Mon Sep 17 00:00:00 2001 From: Paul Date: Mon, 6 Jan 2025 04:06:01 -0800 Subject: [PATCH 30/38] New & improved Disable MOTD advertisements (#2470) Checks if /etc/default/motd-news exists before running commands. --- setup/system.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/system.sh b/setup/system.sh index dd366401..fce3091f 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -87,8 +87,10 @@ tools/editconf.py /etc/systemd/journald.conf MaxRetentionSec=10day # Disable MOTD adverts to prevent revealing server information in MOTD request headers # See https://ma.ttias.be/what-exactly-being-sent-ubuntu-motd/ +if [ -f /etc/default/motd-news ]; then tools/editconf.py /etc/default/motd-news ENABLED=0 rm -f /var/cache/motd-news +fi # ### Add PPAs. From e6c354c3125bdfdf32fecabb851288a385705e72 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Mon, 6 Jan 2025 07:07:53 -0500 Subject: [PATCH 31/38] v71a --- CHANGELOG.md | 2 ++ setup/bootstrap.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 21d76e05..45943e95 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ CHANGELOG Version 71 (January 4, 2025) ---------------------------- +(Version 71a was posted on January 6, 2025 and fixes a setup regression.) + Upgrades * Roundcube upgraded to version 1.6.9. diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh index 00b64c13..fc191c21 100644 --- a/setup/bootstrap.sh +++ b/setup/bootstrap.sh @@ -23,7 +23,7 @@ if [ -z "$TAG" ]; then if [ "$UBUNTU_VERSION" == "Ubuntu 22.04 LTS" ]; then # This machine is running Ubuntu 22.04, which is supported by # Mail-in-a-Box versions 60 and later. - TAG=v71 + TAG=v71a elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then # This machine is running Ubuntu 18.04, which is supported by # Mail-in-a-Box versions 0.40 through 5x. From 2a58cfc50c843e49f3d1586443bb7cca423fdfa4 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Mon, 6 Jan 2025 08:07:32 -0500 Subject: [PATCH 32/38] v71a --- changelog/v71a.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 changelog/v71a.md diff --git a/changelog/v71a.md b/changelog/v71a.md new file mode 100644 index 00000000..1a710b54 --- /dev/null +++ b/changelog/v71a.md @@ -0,0 +1,5 @@ +## Commits for v71a +| COMMIT | DATE | AUTHOR | TITLE | +| ------ | ---- | ------ | ----- | +| [e6c354c3](https://github.com/downtownallday/mailinabox-ldap/commit/e6c354c3125bdfdf32fecabb851288a385705e72) | 2025-01-06 | _Joshua Tauberer_ | v71a | +| [432b470d](https://github.com/downtownallday/mailinabox-ldap/commit/432b470d2931a15a3761a3e35f1c30cac4e83b49) | 2025-01-06 | _Paul_ | New & improved Disable MOTD advertisements (#2470) | From e4f6510d40e5415b8f2e51a12cff730f286778b2 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Mon, 6 Jan 2025 08:35:12 -0500 Subject: [PATCH 33/38] prevent triggering ci on new tags --- .github/workflows/commit-tests.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/commit-tests.yml b/.github/workflows/commit-tests.yml index 50b75830..3d1cc6a5 100644 --- a/.github/workflows/commit-tests.yml +++ b/.github/workflows/commit-tests.yml @@ -1,5 +1,8 @@ name: commit-tests -on: [push, workflow_dispatch] +on: + workflow_dispatch: { } + push: + tags-ignore: [ 'v**' ] jobs: # MiaB-LDAP using encryption-at-rest and connected to a remote Nextcloud remote-nextcloud-docker-ehdd: From 45841561c54717da5c8919463a99465f2bce1bf6 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Mon, 6 Jan 2025 08:44:23 -0500 Subject: [PATCH 34/38] prevent triggering ci on doc changes --- .github/workflows/commit-tests.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/commit-tests.yml b/.github/workflows/commit-tests.yml index 3d1cc6a5..219537b2 100644 --- a/.github/workflows/commit-tests.yml +++ b/.github/workflows/commit-tests.yml @@ -3,6 +3,7 @@ on: workflow_dispatch: { } push: tags-ignore: [ 'v**' ] + paths-ignore: [ '**.md', 'api/mailinabox.yml' ] jobs: # MiaB-LDAP using encryption-at-rest and connected to a remote Nextcloud remote-nextcloud-docker-ehdd: From 8b87ee8970b48b384f79e372153d4f23d9f6c809 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Mon, 6 Jan 2025 08:48:32 -0500 Subject: [PATCH 35/38] include all branches --- .github/workflows/commit-tests.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/commit-tests.yml b/.github/workflows/commit-tests.yml index 219537b2..98649937 100644 --- a/.github/workflows/commit-tests.yml +++ b/.github/workflows/commit-tests.yml @@ -2,6 +2,7 @@ name: commit-tests on: workflow_dispatch: { } push: + branches: [ '**' ] tags-ignore: [ 'v**' ] paths-ignore: [ '**.md', 'api/mailinabox.yml' ] jobs: From 08f13326604d3a16a91cf1c04c062236ca8eefab Mon Sep 17 00:00:00 2001 From: downtownallday Date: Wed, 8 Jan 2025 07:07:23 -0500 Subject: [PATCH 36/38] remove dovecot config setting 'ssl_dh_parameters_length' Dovecot gives the following warning during installation: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:91: ssl_dh_parameters_length is no longer needed --- setup/mail-dovecot.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index 0af6a1de..a59892fd 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh @@ -89,14 +89,14 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \ # Enable SSL, specify the location of the SSL certificate and private key files. # Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.2.33&config=intermediate&openssl-version=1.1.1, # except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2. -tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ +tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf -E \ ssl=required \ "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ "ssl_min_protocol=TLSv1.2" \ "ssl_cipher_list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ "ssl_prefer_server_ciphers=no" \ - "ssl_dh_parameters_length=2048" \ + "ssl_dh_parameters_length=" \ "ssl_dh=<$STORAGE_ROOT/ssl/dh2048.pem" # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit From 5ef85f3d02e86b8d7ede4e02da91dd6c1cfb1434 Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Sat, 15 Feb 2025 20:29:15 +0100 Subject: [PATCH 37/38] Update roundcube to 1.6.10 (#2483) --- setup/webmail.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index a203cb8c..1db334e5 100644 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -36,8 +36,8 @@ apt_install \ # https://github.com/mstilkerich/rcmcarddav/releases # The easiest way to get the package hashes is to run this script and get the hash from # the error message. -VERSION=1.6.9 -HASH=b63f74209cf287402f6f44b85877388899261f3c +VERSION=1.6.10 +HASH=0cfbb457e230793df8c56c2e6d3655cf3818f168 PERSISTENT_LOGIN_VERSION=bde7b6840c7d91de627ea14e81cf4133cbb3c07a # version 5.3 HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+ CARDDAV_VERSION=4.4.3 From 41cbf0ba8e299d47457bcd992b163ca00061ef1a Mon Sep 17 00:00:00 2001 From: Tomasz Stanczak Date: Sat, 15 Feb 2025 20:31:58 +0100 Subject: [PATCH 38/38] Handle no existence of expired certificates before trying to move them into ssl.expired subdirectory (#2480) Shell option 'nullglob' to prevent the following 'for' loop from being entered even when no matching files are present. --- tools/ssl_cleanup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ssl_cleanup b/tools/ssl_cleanup index 5adfa1be..fd246eba 100755 --- a/tools/ssl_cleanup +++ b/tools/ssl_cleanup @@ -2,7 +2,7 @@ # Cleanup SSL certificates which expired more than 7 days ago from $STORAGE_ROOT/ssl and move them to $STORAGE_ROOT/ssl.expired source /etc/mailinabox.conf -shopt -s extglob +shopt -s extglob nullglob retain_after="$(date --date="7 days ago" +%Y%m%d)"