mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-12-25 07:47:05 +00:00

Merge branch 'master' of github.com:kiekerjan/mailinabox

KiekerJan 2021-11-04 00:32:14 +01:00
commit 2741affa48
5 changed files with 21 additions and 11 deletions

View File

@ -20,7 +20,7 @@ Functionality changes and additions
* Configure domain names for which only www will be hosted * Configure domain names for which only www will be hosted
Edit /etc/miabwwwdomains.conf to configure. The box will handle incoming traffic asking for these domain names. The DNS entries are entered in an external DNS provider! If you want this box to handle the DNS entries, simply add a mail alias. (existing functionality of the vanilla Mail-in-a-Box) Edit /etc/miabwwwdomains.conf to configure. The box will handle incoming traffic asking for these domain names. The DNS entries are entered in an external DNS provider! If you want this box to handle the DNS entries, simply add a mail alias. (existing functionality of the vanilla Mail-in-a-Box)
* Add some munin plugins * Add some munin plugins
* Update nextcloud to 20.0.8 * Update nextcloud to 20.0.13
* Add nextcloud notes app * Add nextcloud notes app
* Update roundcube carddav plugin to 4.1.1 * Update roundcube carddav plugin to 4.1.1
* Add roundcube context menu plugin * Add roundcube context menu plugin
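Review bot: The changelog entry now reads "Update nextcloud to 20.0.13", but none of the hunks in this commit changes the version that the setup scripts install. Confirm the Nextcloud setup already pins 20.0.13 so the README does not run ahead of what is actually deployed.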

View File

@ -71,7 +71,7 @@ paths:
x-codeSamples: x-codeSamples:
- lang: curl - lang: curl
source: | source: |
curl -X GET "https://{host}/admin/login" \ curl -X POST "https://{host}/admin/login" \
-u "<email>:<password>" -u "<email>:<password>"
responses: responses:
200: 200:
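Review bot: The curl sample for /admin/login now sends POST, but the operation keyword for this path sits outside the hunk; check that it is declared as `post:` so the rendered documentation and the sample agree. Separately, `-u "<email>:<password>"` puts the password on the command line, where it ends up in shell history and the process list; consider showing `-u "<email>"` so that curl prompts for it.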
@ -103,13 +103,15 @@ paths:
x-codeSamples: x-codeSamples:
- lang: curl - lang: curl
source: | source: |
curl -X GET "https://{host}/admin/logout" \ curl -X POST "https://{host}/admin/logout" \
-u "<email>:<session_key>" -u "<email>:<session_key>"
responses: responses:
200: 200:
description: Successful operation description: Successful operation
content: content:
application/json: application/json:
schema:
$ref: '#/components/schemas/LogoutResponse'
/system/status: /system/status:
post: post:
tags: tags:
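Review bot: Only a 200 response is documented for /admin/logout, even though the sample authenticates with `<email>:<session_key>`. Add the response a client receives when the session key is expired or invalid, so API consumers can tell a completed logout from a rejected request.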
@ -2723,3 +2725,8 @@ components:
nullable: true nullable: true
MfaDisableSuccessResponse: MfaDisableSuccessResponse:
type: string type: string
LogoutResponse:
type: object
properties:
status:
type: string
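Review bot: `status` in LogoutResponse is a free-form string with no example, enum or `required` list, so a client cannot tell which values to expect. Add `required: [status]` and either an `enum` or an `example` with the value the endpoint returns.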

View File

@ -330,7 +330,7 @@ def dns_get_records(qname=None, rtype=None):
r["sort-order"]["created"] = i r["sort-order"]["created"] = i
domain_sort_order = utils.sort_domains([r["qname"] for r in records], env) domain_sort_order = utils.sort_domains([r["qname"] for r in records], env)
for i, r in enumerate(sorted(records, key = lambda r : ( for i, r in enumerate(sorted(records, key = lambda r : (
zones.index(r["zone"]), zones.index(r["zone"]) if r.get("zone") else 0, # record is not within a zone managed by the box
domain_sort_order.index(r["qname"]), domain_sort_order.index(r["qname"]),
r["rtype"]))): r["rtype"]))):
r["sort-order"]["qname"] = i r["sort-order"]["qname"] = i
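Review bot: The fallback `else 0` in the sort key gives records without a zone the same rank as the first entry in `zones`, so they are interleaved with that zone's records instead of being grouped on their own. Use a value no zone can have, such as `-1` or `len(zones)`. Note also that `r.get("zone")` only guards a missing or empty value: a record whose zone is set but absent from `zones` still raises ValueError from `zones.index(...)`.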

View File

@ -3,7 +3,12 @@ Mail-in-a-Box Security Guide
Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components. Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components.
This page documents the security features of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box. This page documents the security posture of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box.
Reporting Security Vulnerabilities
----------------------------------
Security vulnerabilities should be reported to the [project's maintainer](https://joshdata.me) via email.
Threat Model Threat Model
------------ ------------
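Review bot: The new "Reporting Security Vulnerabilities" section says reports go "via email" but links only to https://joshdata.me and gives no address or key, so a reporter has to search for the contact. Since this merge is on the kiekerjan fork, which the README describes as carrying its own functionality changes, also state where issues in the fork-specific additions should be reported; the upstream maintainer cannot fix those.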
@ -49,9 +54,7 @@ Additionally:
### Password Storage ### Password Storage
The passwords for mail users are stored on disk using the [SHA512-CRYPT](http://man7.org/linux/man-pages/man3/crypt.3.html) hashing scheme. ([source](management/mailconfig.py)) The passwords for mail users are stored on disk using the [SHA512-CRYPT](http://man7.org/linux/man-pages/man3/crypt.3.html) hashing scheme. ([source](management/mailconfig.py)) Password changes (as well as changes to control panel two-factor authentication settings) expire any control panel login sessions.
When using the web-based administrative control panel, after logging in an API key is placed in the browser's local storage (rather than, say, the user's actual password). The API key is an HMAC based on the user's email address and current password, and it is keyed by a secret known only to the control panel service. By resetting an administrator's password, any HMACs previously generated for that user will expire.
### Console access ### Console access
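Review bot: The replacement sentence in "Password Storage" says sessions expire on password and 2FA changes, but the removed paragraph was the only description of what the control panel keeps in the browser's local storage and how that value is derived. Document the new session token in the same detail (what it is, where it is stored, what else expires it), otherwise the guide no longer covers this part of the threat model.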
@ -65,7 +68,7 @@ If DNSSEC is enabled at the box's domain name's registrar, the SSHFP record that
`fail2ban` provides some protection from brute-force login attacks (repeated logins that guess account passwords) by blocking offending IP addresses at the network level. `fail2ban` provides some protection from brute-force login attacks (repeated logins that guess account passwords) by blocking offending IP addresses at the network level.
The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), Nextcloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel & munin (over HTTP). The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), Nextcloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel (over HTTP).
Some other services running on the box may be missing fail2ban filters. Some other services running on the box may be missing fail2ban filters.
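Review bot: Dropping "& munin" from the list of fail2ban-protected services leaves the guide silent on how munin is protected against password guessing. If munin is now reachable only through the control panel login, say so explicitly; if it has lost its fail2ban filter, it belongs under the "may be missing fail2ban filters" caveat by name.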

View File

@ -20,11 +20,11 @@ if [ -z "$TAG" ]; then
# want to display in status checks. # want to display in status checks.
if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/20\.04\.[0-9]/20.04/' `" == "Ubuntu 20.04 LTS" ]; then if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/20\.04\.[0-9]/20.04/' `" == "Ubuntu 20.04 LTS" ]; then
# This machine is running Ubuntu 20.04. # This machine is running Ubuntu 20.04.
TAG=v055 TAG=v55
elif [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' )" == "Ubuntu 18.04 LTS" ]; then elif [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' )" == "Ubuntu 18.04 LTS" ]; then
# This machine is running Ubuntu 18.04. # This machine is running Ubuntu 18.04.
TAG=v055 TAG=v55
elif [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' )" == "Ubuntu 14.04 LTS" ]; then elif [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' )" == "Ubuntu 14.04 LTS" ]; then
# This machine is running Ubuntu 14.04. # This machine is running Ubuntu 14.04.
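Review bot: `TAG=v55` is now assigned identically in both the 20.04 and 18.04 branches, so the next release bump has to be made in two places again; set it once for both cases. Also confirm that a tag named `v55` (not `v055`) exists in the repository this script checks out, since a missing tag only surfaces when a user runs the bootstrap.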