Merge branch 'master' into quota

2026-03-15 17:37:22 +01:00 · 2025-02-16 16:29:01 -05:00
parent 44eaef1155 a063506405
commit 271a04333d
40 changed files with 323 additions and 846 deletions
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -51,7 +51,7 @@ if [ -z "$TAG" ]; then
 	if [ "$UBUNTU_VERSION" == "Ubuntu 22.04 LTS" ]; then
 		# This machine is running Ubuntu 22.04, which is supported by
 		# Mail-in-a-Box versions 60 and later.
-		TAG=v70
+		TAG=v71a
 	elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then
 		# This machine is running Ubuntu 18.04, which is supported by
 		# Mail-in-a-Box versions 0.40 through 5x.
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -115,14 +115,14 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
 # Enable SSL, specify the location of the SSL certificate and private key files.
 # Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.2.33&config=intermediate&openssl-version=1.1.1,
 # except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2.
-tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
+tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf -E \
 	ssl=required \
 	"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 	"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
 	"ssl_min_protocol=TLSv1.2" \
 	"ssl_cipher_list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
 	"ssl_prefer_server_ciphers=no" \
-	"ssl_dh_parameters_length=2048" \
+	"ssl_dh_parameters_length=" \
 	"ssl_dh=<$STORAGE_ROOT/ssl/dh2048.pem"

 # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -126,7 +126,7 @@ minute=$((RANDOM % 60))  # avoid overloading mailinabox.email
 cat > /etc/cron.d/mailinabox-nightly << EOF;
 # Mail-in-a-Box --- Do not edit / will be overwritten on update.
 # Run nightly tasks: backup, status checks.
-$minute 3 * * *	root	(cd $PWD && management/daily_tasks.sh)
+$minute 1 * * *	root	(cd $PWD && management/daily_tasks.sh)
 EOF

 # Start the management server.
--- a/setup/ssl.sh
+++ b/setup/ssl.sh
@@ -219,3 +219,12 @@ fi
 if [ ! -f "$STORAGE_ROOT/ssl/dh2048.pem" ]; then
 	openssl dhparam -out "$STORAGE_ROOT/ssl/dh2048.pem" 2048
 fi
+
+# Cleanup expired SSL certificates from $STORAGE_ROOT/ssl daily
+cat > /etc/cron.daily/mailinabox-ssl-cleanup << EOF;
+#!/bin/bash
+# Mail-in-a-Box
+# Cleanup expired SSL certificates
+$(pwd)/tools/ssl_cleanup
+EOF
+chmod +x /etc/cron.daily/mailinabox-ssl-cleanup
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -92,6 +92,15 @@ fi
 # (See https://discourse.mailinabox.email/t/journalctl-reclaim-space-on-small-mailinabox/6728/11.)
 tools/editconf.py /etc/systemd/journald.conf MaxRetentionSec=10day

+# ### Improve server privacy
+
+# Disable MOTD adverts to prevent revealing server information in MOTD request headers
+# See https://ma.ttias.be/what-exactly-being-sent-ubuntu-motd/
+if [ -f /etc/default/motd-news ]; then
+tools/editconf.py /etc/default/motd-news ENABLED=0
+rm -f /var/cache/motd-news
+fi
+
 # ### Add PPAs.

 # We install some non-standard Ubuntu packages maintained by other
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -34,7 +34,7 @@ echo "Installing Roundcube (webmail)..."
 apt_install \
 	dbconfig-common \
 	php"${PHP_VER}"-cli php"${PHP_VER}"-sqlite3 php"${PHP_VER}"-intl php"${PHP_VER}"-common php"${PHP_VER}"-curl php"${PHP_VER}"-imap \
-	php"${PHP_VER}"-gd php"${PHP_VER}"-pspell php"${PHP_VER}"-mbstring libjs-jquery libjs-jquery-mousewheel libmagic1 \
+	php"${PHP_VER}"-gd php"${PHP_VER}"-pspell php"${PHP_VER}"-mbstring php"${PHP_VER}"-xml libjs-jquery libjs-jquery-mousewheel libmagic1 \
 	sqlite3

 apt_install php"${PHP_VER}"-ldap
@@ -49,8 +49,8 @@ apt_install php"${PHP_VER}"-ldap
 #   https://github.com/mstilkerich/rcmcarddav/releases
 # The easiest way to get the package hashes is to run this script and get the hash from
 # the error message.
-VERSION=1.6.8
-HASH=00586f5163b3f6c1b0798be745982e3547b1b24a
+VERSION=1.6.10
+HASH=0cfbb457e230793df8c56c2e6d3655cf3818f168
 PERSISTENT_LOGIN_VERSION=version-5.3.0
 HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+
 CARDDAV_VERSION=4.4.3
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -31,8 +31,8 @@ apt_install \
 phpenmod -v "$PHP_VER" imap

 # Copy Z-Push into place.
-VERSION=2.7.3
-TARGETHASH=9d4bec41935e9a4e07880c5ff915bcddbda4443b
+VERSION=2.7.5
+TARGETHASH=f0b0b06e255f3496173ab9d28a4f2d985184720e
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 	needs_update=1 #NODOC
@@ -120,4 +120,6 @@ restart_service php"$PHP_VER"-fpm

 # Fix states after upgrade

-hide_output php"$PHP_VER" /usr/local/lib/z-push/z-push-admin.php -a fixstates
+if [ $needs_update == 1 ]; then
+	hide_output php"$PHP_VER" /usr/local/lib/z-push/z-push-admin.php -a fixstates
+fi