diff --git a/CHANGELOG.md b/CHANGELOG.md index c098e632..4b07482b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,25 @@ CHANGELOG ========= +In Development +-------------- + +This is the first release for Ubuntu 18.04. This version and versions going forward can **only** be installed on Ubuntu 18.04; however, upgrades of existing Ubuntu 14.04 boxes to the latest version supporting Ubuntu 14.04 continue to work as normal. + +When **upgrading**, you **must upgrade your existing Ubuntu 14.04 Mail-in-a-Box box** to the latest release supporting Ubuntu 14.04 --- that's v0.30 --- first. If you are running an older version of Mail-in-a-Box which has an old version of ownCloud or Nextcloud, you will *not* be able to upgrade your data because older versions of ownCloud and Nextcloud that are required to perform the upgrade *cannot* be run on Ubuntu 18.04. To upgrade from Ubuntu 14.04 to Ubuntu 18.04, you **must create a fresh Ubuntu 18.04 machine** before installing this version. In-place upgrades of servers are not supported. Since Ubuntu's support for Ubuntu 14.04 has almost ended, everyone is encouraged to upgrade. + +Setup: + +* Mail-in-a-Box now targets Ubuntu 18.04 LTS, which will have support from Ubuntu through 2022. +* Some of the system packages updated in virtue of using Ubuntu 18.04 include postfix (2.11=>3.3) nsd (4.0=>4.1), nginx (1.4=>1.14), PHP (7.0=>7.2), Python (3.4=>3.6), fail2ban (0.8=>0.10), Duplicity (0.6=>0.7). +* [Unofficial Bash Strict Mode](http://redsymbol.net/articles/unofficial-bash-strict-mode/) is turned on for setup, which might catch previously uncaught issues during setup. + +Mail: + +* IMAP server-side full text search is no longer supported because we were using a custom-built `dovecot-lucene` package that we are no longer maintaining. +* Sending email is now disabled on port 25 --- you must log in to port 587 to send email. +* Greylisting may delay more emails from new senders. We were using a custom-built postgrey package previously that whitelisted sending domains in dnswl.org, but we are no longer maintaining that package. 
+ v0.30 (January 9, 2019) ----------------------- diff --git a/README.md b/README.md index ca9a4df1..c186a65d 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ Additionally, this project has a [Code of Conduct](CODE_OF_CONDUCT.md), which su The Box ------- -Mail-in-a-Box turns a fresh Ubuntu 14.04 LTS 64-bit machine into a working mail server by installing and configuring various components. +Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a working mail server by installing and configuring various components. It is a one-click email appliance. There are no user-configurable setup options. It "just works". @@ -37,7 +37,6 @@ The components installed are: It also includes: * A control panel and API for adding/removing mail users, aliases, custom DNS records, etc. and detailed system monitoring. -* Our own builds of postgrey (adding better whitelisting) and dovecot-lucene (faster search for mail) distributed via the [Mail-in-a-Box PPA](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa) on Launchpad. For more information on how Mail-in-a-Box handles your privacy, see the [security details page](security.md). @@ -46,7 +45,7 @@ Installation See the [setup guide](https://mailinabox.email/guide.html) for detailed, user-friendly instructions. -For experts, start with a completely fresh (really, I mean it) Ubuntu 14.04 LTS 64-bit machine. On the machine... +For experts, start with a completely fresh (really, I mean it) Ubuntu 18.04 LTS 64-bit machine. On the machine... Clone this repository: diff --git a/Vagrantfile b/Vagrantfile index 770f66d2..467fb95e 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -2,14 +2,7 @@ # vi: set ft=ruby : Vagrant.configure("2") do |config| - config.vm.box = "ubuntu14.04" - config.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box" - - if Vagrant.has_plugin?("vagrant-cachier") - # Configure cached packages to be shared between instances of the same base box. - # More info on http://fgrehm.viewdocs.io/vagrant-cachier/usage - config.cache.scope = :box - end + config.vm.box = "ubuntu/bionic64" # Network config: Since it's a mail server, the machine must be connected # to the public web. However, we currently don't want to expose SSH since diff --git a/conf/mailinabox.service b/conf/mailinabox.service new file mode 100644 index 00000000..b4cfa6cf --- /dev/null +++ b/conf/mailinabox.service @@ -0,0 +1,10 @@ +[Unit] +Description=Mail-in-a-Box System Management Service +After=multi-user.target + +[Service] +Type=idle +ExecStart=/usr/local/lib/mailinabox/start + +[Install] +WantedBy=multi-user.target diff --git a/conf/management-initscript b/conf/management-initscript deleted file mode 100755 index 8275da86..00000000 --- a/conf/management-initscript +++ /dev/null 
@@ -1,135 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: mailinabox -# Required-Start: $all -# Required-Stop: $all -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Start and stop the Mail-in-a-Box management daemon. -# Description: Start and stop the Mail-in-a-Box management daemon. -### END INIT INFO - -# Adapted from http://blog.codefront.net/2007/06/11/nginx-php-and-a-php-fastcgi-daemon-init-script/ - -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="Mail-in-a-Box Management Daemon" -NAME=mailinabox -DAEMON=/usr/local/lib/mailinabox/start -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Set defaults. -START=yes -EXEC_AS_USER=root - -# Ensure Python reads/writes files in UTF-8. If the machine -# triggers some other locale in Python, like ASCII encoding, -# Python may not be able to read/write files. Set also -# setup/start.sh (where the locale is also installed if not -# already present) and management/daily_tasks.sh. -export LANGUAGE=en_US.UTF-8 -export LC_ALL=en_US.UTF-8 -export LANG=en_US.UTF-8 -export LC_TYPE=en_US.UTF-8 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. -. /lib/lsb/init-functions - -# If the daemon is not enabled, give the user a warning and then exit, -# unless we are stopping the daemon -if [ "$START" != "yes" -a "$1" != "stop" ]; then - log_warning_msg "To enable $NAME, edit /etc/default/$NAME and set START=yes" - exit 0 -fi - -# Process configuration -#export ... 
-DAEMON_ARGS="" - - -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \ - --background --make-pidfile --chuid $EXEC_AS_USER --startas $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 -} - -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE > /dev/null # --name $DAEMON - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - restart|force-reload) - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" 
in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2 - exit 3 - ;; -esac diff --git a/conf/munin.service b/conf/munin.service new file mode 100644 index 00000000..06735d04 --- /dev/null +++ b/conf/munin.service @@ -0,0 +1,10 @@ +[Unit] +Description=Munin System Monitoring Startup Script +After=multi-user.target + +[Service] +Type=idle +ExecStart=/usr/local/lib/mailinabox/munin_start.sh + +[Install] +WantedBy=multi-user.target diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf index e893ad67..1aba45c3 100644 --- a/conf/nginx-ssl.conf +++ b/conf/nginx-ssl.conf 
@@ -1,76 +1,20 @@ -# from https://gist.github.com/konklone/6532544 and https://mozilla.github.io/server-side-tls/ssl-config-generator/ -################################################################################################################### - -# Basically the nginx configuration I use at konklone.com. -# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com -# -# To provide feedback, please tweet at @konklone or email eric@konklone.com. -# Comments on gists don't notify the author. -# -# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites. -# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration. - -# Path to certificate and private key. -# The .crt may omit the root CA cert, if it's a standard CA that ships with clients. -#ssl_certificate /path/to/unified.crt; -#ssl_certificate_key /path/to/my-private-decrypted.key; - -# Tell browsers to require SSL (warning: difficult to change your mind) -# Handled by the management daemon because we can toggle this version or a -# preload version. -#add_header Strict-Transport-Security max-age=31536000; - -# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities. -# -# Forces forward secrecy in all browsers and clients that can use TLS, -# but with a small exception (DES-CBC3-SHA) for IE8/XP users. -# -# Reference client: https://www.ssllabs.com/ssltest/analyze.html -ssl_prefer_server_ciphers on; +# We track the Mozilla "intermediate" compatibility TLS recommendations. +# Note that these settings are repeated in the SMTP and IMAP configuration. +# ssl_protocols has moved to nginx.conf in bionic, check there for enabled protocols. 
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; +ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem; -# Cut out (the old, broken) SSLv3 entirely. -# This **excludes IE6 users** and (apparently) Yandexbot. -# Just comment out if you need to support IE6, bless your soul. -ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - -# Turn on session resumption, using a cache shared across nginx processes, # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; -#keepalive_timeout 70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good # Buffer size of 1400 bytes fits in one MTU. # nginx 1.5.9+ ONLY -#ssl_buffer_size 1400; +ssl_buffer_size 1400; -# SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6. -# -# BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3. -# Disable with 0, until using a version of nginx with SPDY 4. -spdy_headers_comp 0; - -# Now let's really get fancy, and pre-generate a 2048 bit random parameter -# for DH elliptic curves. If not created and specified, default is only 1024 bits. -# -# Generated by OpenSSL with the following command: -# openssl dhparam -outform pem -out dhparam2048.pem 2048 -# -# Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem. 
-ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem; - - -# OCSP stapling - means nginx will poll the CA for signed OCSP responses, -# and send them to clients so clients don't make their own OCSP calls. -# http://en.wikipedia.org/wiki/OCSP_stapling -# -# while the ssl_certificate above may omit the root cert if the CA is trusted, -# ssl_trusted_certificate below must point to a chain of **all** certs -# in the trust path - (your cert, intermediary certs, root cert) -# -# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. -# nginx will use them to talk to the CA. ssl_stapling on; ssl_stapling_verify on; resolver 127.0.0.1 valid=86400; resolver_timeout 10; + +# h/t https://gist.github.com/konklone/6532544 diff --git a/conf/nginx-top.conf b/conf/nginx-top.conf index a5822a82..4d888366 100644 --- a/conf/nginx-top.conf +++ b/conf/nginx-top.conf @@ -7,6 +7,6 @@ ## your own --- please do not ask for help from us. upstream php-fpm { - server unix:/var/run/php/php7.0-fpm.sock; + server unix:/var/run/php/php7.2-fpm.sock; } diff --git a/conf/nginx.conf b/conf/nginx.conf index ce662751..fafd3409 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -31,8 +31,8 @@ server { # The secure HTTPS server. server { - listen 443 ssl; - listen [::]:443 ssl; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name $HOSTNAME; diff --git a/management/backup.py b/management/backup.py index 8081a267..e15fbbbf 100755 --- a/management/backup.py +++ b/management/backup.py 
@@ -20,20 +20,17 @@ rsync_ssh_options = [ ] def backup_status(env): - # Root folder - backup_root = os.path.join(env["STORAGE_ROOT"], 'backup') - - # What is the current status of backups? - # Query duplicity to get a list of all backups. - # Use the number of volumes to estimate the size. + # If backups are dissbled, return no status. config = get_backup_config(env) - now = datetime.datetime.now(dateutil.tz.tzlocal()) - - # Are backups dissbled? if config["target"] == "off": return { } + # Query duplicity to get a list of all full and incremental + # backups available. + backups = { } + now = datetime.datetime.now(dateutil.tz.tzlocal()) + backup_root = os.path.join(env["STORAGE_ROOT"], 'backup') backup_cache_dir = os.path.join(backup_root, 'cache') def reldate(date, ref, clip): @@ -58,7 +55,7 @@ def backup_status(env): "date_delta": reldate(date, now, "the future?"), "full": keys[0] == "full", "size": 0, # collection-status doesn't give us the size - "volumes": keys[2], # number of archive volumes for this backup (not really helpful) + "volumes": int(keys[2]), # number of archive volumes for this backup (not really helpful) } code, collection_status = shell('check_output', [ 
@@ -80,12 +77,20 @@ def backup_status(env): backup = parse_line(line) backups[backup["date"]] = backup - # Look at the target to get the sizes of each of the backups. There is more than one file per backup. + # Look at the target directly to get the sizes of each of the backups. There is more than one file per backup. + # Starting with duplicity in Ubuntu 18.04, "signatures" files have dates in their + # filenames that are a few seconds off the backup date and so don't line up + # with the list of backups we have. Track unmatched files so we know how much other + # space is used for those. + unmatched_file_size = 0 for fn, size in list_target_files(config): m = re.match(r"duplicity-(full|full-signatures|(inc|new-signatures)\.(?P\d+T\d+Z)\.to)\.(?P\d+T\d+Z)\.", fn) if not m: continue # not a part of a current backup chain key = m.group("date") - backups[key]["size"] += size + if key in backups: + backups[key]["size"] += size + else: + unmatched_file_size += size # Ensure the rows are sorted reverse chronologically. # This is relied on by should_force_full() and the next step. @@ -148,6 +153,7 @@ def backup_status(env): return { "backups": backups, + "unmatched_file_size": unmatched_file_size, } def should_force_full(config, env): 
@@ -220,32 +226,6 @@ def perform_backup(full_backup): if config["target"] == "off": return - # In an older version of this script, duplicity was called - # such that it did not encrypt the backups it created (in - # backup/duplicity), and instead openssl was called separately - # after each backup run, creating AES256 encrypted copies of - # each file created by duplicity in backup/encrypted. - # - # We detect the transition by the presence of backup/duplicity - # and handle it by 'dupliception': we move all the old *un*encrypted - # duplicity files up out of the backup/duplicity directory (as - # backup/ is excluded from duplicity runs) in order that it is - # included in the next run, and we delete backup/encrypted (which - # duplicity will output files directly to, post-transition). - old_backup_dir = os.path.join(backup_root, 'duplicity') - migrated_unencrypted_backup_dir = os.path.join(env["STORAGE_ROOT"], "migrated_unencrypted_backup") - if os.path.isdir(old_backup_dir): - # Move the old unencrypted files to a new location outside of - # the backup root so they get included in the next (new) backup. - # Then we'll delete them. Also so that they do not get in the - # way of duplicity doing a full backup on the first run after - # we take care of this. - shutil.move(old_backup_dir, migrated_unencrypted_backup_dir) - - # The backup_dir (backup/encrypted) now has a new purpose. - # Clear it out. - shutil.rmtree(backup_dir) - # On the first run, always do a full backup. Incremental # will fail. Otherwise do a full backup when the size of # the increments since the most recent full backup are @@ -267,7 +247,7 @@ def perform_backup(full_backup): if quit: sys.exit(code) - service_command("php7.0-fpm", "stop", quit=True) + service_command("php7.2-fpm", "stop", quit=True) service_command("postfix", "stop", quit=True) service_command("dovecot", "stop", quit=True) 
@@ -301,11 +281,7 @@ def perform_backup(full_backup): # Start services again. service_command("dovecot", "start", quit=False) service_command("postfix", "start", quit=False) - service_command("php7.0-fpm", "start", quit=False) - - # Once the migrated backup is included in a new backup, it can be deleted. - if os.path.isdir(migrated_unencrypted_backup_dir): - shutil.rmtree(migrated_unencrypted_backup_dir) + service_command("php7.2-fpm", "start", quit=False) # Remove old backups. This deletes all backup data no longer needed # from more than 3 days ago. @@ -556,8 +532,7 @@ if __name__ == "__main__": run_duplicity_verification() elif sys.argv[-1] == "--list": - # Run duplicity's verification command to check a) the backup files - # are readable, and b) report if they are up to date. + # List the saved backup files. for fn, size in list_target_files(get_backup_config(load_environment())): print("{}\t{}".format(fn, size)) @@ -565,6 +540,7 @@ if __name__ == "__main__": # Show backup status. ret = backup_status(load_environment()) print(rtyaml.dump(ret["backups"])) + print("Storage for unmatched files:", ret["unmatched_file_size"]) elif len(sys.argv) >= 2 and sys.argv[1] == "--restore": # Run duplicity restore. Rest of command line passed as arguments diff --git a/management/daemon.py b/management/daemon.py index 334749e4..572b6b4a 100755 --- a/management/daemon.py +++ b/management/daemon.py @@ -572,7 +572,7 @@ def munin_cgi(filename): if code != 0: # nonzero returncode indicates error - app.logger.error("munin_cgi: munin-cgi-graph returned nonzero exit code, %s", process.returncode) + app.logger.error("munin_cgi: munin-cgi-graph returned nonzero exit code, %s", code) return ("error processing graph image", 500) # /usr/lib/munin/cgi/munin-cgi-graph returns both headers and binary png when successful. diff --git a/management/dns_update.py b/management/dns_update.py index b6e1022d..5c1969d7 100755 --- a/management/dns_update.py +++ b/management/dns_update.py 
@@ -354,19 +354,20 @@ def build_sshfp_records(): # Get our local fingerprints by running ssh-keyscan. The output looks # like the known_hosts file: hostname, keytype, fingerprint. The order # of the output is arbitrary, so sort it to prevent spurrious updates - # to the zone file (that trigger bumping the serial number). - - # scan the sshd_config and find the ssh ports (port 22 may be closed) + # to the zone file (that trigger bumping the serial number). However, + # if SSH has been configured to listen on a nonstandard port, we must + # specify that port to sshkeyscan. + port = 22 with open('/etc/ssh/sshd_config', 'r') as f: - ports = [] - t = f.readlines() - for line in t: - s = line.split() + for line in f: + s = line.rstrip().split() if len(s) == 2 and s[0] == 'Port': - ports = ports + [s[1]] - # the keys are the same at each port, so we only need to get - # them at the first port found (may not be port 22) - keys = shell("check_output", ["ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p", ports[0], "localhost"]) + try: + port = int(s[1]) + except ValueError: + pass + break + keys = shell("check_output", ["ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p", str(port), "localhost"]) for key in sorted(keys.split("\n")): if key.strip() == "" or key[0] == "#": continue try: diff --git a/management/munin_start.sh b/management/munin_start.sh new file mode 100755 index 00000000..682861e7 --- /dev/null +++ b/management/munin_start.sh @@ -0,0 +1,2 @@ +#!/bin/bash +mkdir -p /var/run/munin && chown munin /var/run/munin diff --git a/management/status_checks.py b/management/status_checks.py index 86cfe33f..6f9bb1ef 100755 --- a/management/status_checks.py +++ b/management/status_checks.py 
@@ -28,7 +28,6 @@ def get_services(): { "name": "Spamassassin", "port": 10025, "public": False, }, { "name": "OpenDKIM", "port": 8891, "public": False, }, { "name": "OpenDMARC", "port": 8893, "public": False, }, - { "name": "Memcached", "port": 11211, "public": False, }, { "name": "Mail-in-a-Box Management Daemon", "port": 10222, "public": False, }, { "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, }, { "name": "Public DNS (nsd4)", "port": 53, "public": True, }, diff --git a/management/templates/system-backup.html b/management/templates/system-backup.html index 0ccb4bd6..be528f19 100644 --- a/management/templates/system-backup.html +++ b/management/templates/system-backup.html @@ -200,6 +200,7 @@ function show_system_backup() { total_disk_size += b.size; } + total_disk_size += r.unmatched_file_size; $('#backup-total-size').text(nice_size(total_disk_size)); }) } diff --git a/ppa/Makefile b/ppa/Makefile deleted file mode 100755 index 4e3f99df..00000000 --- a/ppa/Makefile +++ /dev/null 
@@ -1,62 +0,0 @@ -POSTGREY_VERSION=1.35-1+miab1 -DOVECOT_VERSION=2.2.9-1ubuntu2.1+miab1 - -all: clean build_postgrey build_dovecot_lucene - -clean: - # Clean. - rm -rf /tmp/build - mkdir -p /tmp/build - -build_postgrey: clean - # Download the latest Debian postgrey package. It is ahead of Ubuntu, - # and we might as well jump ahead. - git clone git://git.debian.org/git/collab-maint/postgrey.git /tmp/build/postgrey - - # Download the corresponding upstream package. - wget -O /tmp/build/postgrey_1.35.orig.tar.gz http://postgrey.schweikert.ch/pub/old/postgrey-1.35.tar.gz - - # Add our source patch to the debian packaging listing. - cp postgrey_sources.diff /tmp/build/postgrey/debian/patches/mailinabox - - # Patch the packaging to give it a new version. - patch -p1 -d /tmp/build/postgrey < postgrey.diff - - # Build the source package. - (cd /tmp/build/postgrey; dpkg-buildpackage -S -us -uc -nc) - - # Sign the packages. - debsign /tmp/build/postgrey_$(POSTGREY_VERSION)_source.changes - - # Upload to PPA. - dput ppa:mail-in-a-box/ppa /tmp/build/postgrey_$(POSTGREY_VERSION)_source.changes - - # Clear the intermediate files. - rm -rf /tmp/build/postgrey - - # TESTING BINARY PACKAGE - #sudo apt-get build-dep -y postgrey - #(cd /tmp/build/postgrey; dpkg-buildpackage -us -uc -nc) - -build_dovecot_lucene: clean - # Get the upstream source. - (cd /tmp/build; apt-get source dovecot) - - # Patch it so that we build dovecot-lucene (and nothing else). - patch -p1 -d /tmp/build/dovecot-2.2.9 < dovecot_lucene.diff - - # Build the source package. - (cd /tmp/build/dovecot-2.2.9; dpkg-buildpackage -S -us -uc -nc) - - # Sign the packages. - debsign /tmp/build/dovecot_$(DOVECOT_VERSION)_source.changes - - # Upload it. - dput ppa:mail-in-a-box/ppa /tmp/build/dovecot_$(DOVECOT_VERSION)_source.changes - - # TESTING BINARY PACKAGE - # Install build dependencies and build dependencies we've added in our patch, - # and then build the binary package. 
- #sudo apt-get build-dep -y dovecot - #sudo apt-get install libclucene-dev liblzma-dev libexttextcat-dev libstemmer-dev - #(cd /tmp/build/dovecot-2.2.9; dpkg-buildpackage -us -uc -nc) diff --git a/ppa/README.md b/ppa/README.md deleted file mode 100644 index 0f009f67..00000000 --- a/ppa/README.md +++ /dev/null @@ -1,40 +0,0 @@ -ppa instructions -================ - -Mail-in-a-Box maintains a Launchpad.net PPA ([Mail-in-a-Box PPA](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa)) for additional deb's that we want to have installed on systems. - -Packages --------- - -* postgrey, a fork of [postgrey](http://postgrey.schweikert.ch/) based on the [latest Debian package](http://git.debian.org/?p=collab-maint/postgrey.git), with a modification to whitelist senders that are whitelisted by [dnswl.org](https://www.dnswl.org/) (i.e. don't greylist mail from known good senders). - -* dovecot-lucene, [dovecot's lucene full text search plugin](http://wiki2.dovecot.org/Plugins/FTS/Lucene), which isn't built by Ubuntu's dovecot package maintainer unfortunately. - -Building --------- - -To rebuild the packages in the PPA, you'll need to be @JoshData. - -First: - -* You should have an account on Launchpad.net. -* Your account should have your GPG key set (to the fingerprint of a GPG key on your system matching the identity at the top of the debian/changelog files). -* You should have write permission to the PPA. - -To build: - - # Start a clean VM. - vagrant up - - # Put your signing keys (on the host machine) into the VM (so it can sign the debs). - gpg --export-secret-keys | vagrant ssh -- gpg --import - - # Build & upload to launchpad. - vagrant ssh -- "cd /vagrant && make" - -Mail-in-a-Box adds our PPA during setup, but if you need to do that yourself for testing: - - apt-add-repository ppa:mail-in-a-box/ppa - apt-get update - apt-get install postgrey dovecot-lucene - diff --git a/ppa/Vagrantfile b/ppa/Vagrantfile deleted file mode 100644 index 7d839b18..00000000 
--- a/ppa/Vagrantfile +++ /dev/null @@ -1,12 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -Vagrant.configure("2") do |config| - config.vm.box = "ubuntu14.04" - config.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box" - - config.vm.provision :shell, :inline => <<-SH - sudo apt-get update - sudo apt-get install -y git dpkg-dev devscripts dput -SH -end diff --git a/ppa/dovecot_lucene.diff b/ppa/dovecot_lucene.diff deleted file mode 100644 index 4d258351..00000000 --- a/ppa/dovecot_lucene.diff +++ /dev/null 
@@ -1,319 +0,0 @@ ---- a/debian/control -+++ b/debian/control -@@ -1,210 +1,23 @@ - Source: dovecot - Section: mail - Priority: optional --Maintainer: Ubuntu Developers --XSBC-Original-Maintainer: Dovecot Maintainers --Uploaders: Jaldhar H. Vyas , Fabio Tranchitella , Joel Johnson , Marco Nenciarini --Build-Depends: debhelper (>= 7.2.3~), dpkg-dev (>= 1.16.1), pkg-config, libssl-dev, libpam0g-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libsqlite3-dev, libsasl2-dev, zlib1g-dev, libkrb5-dev, drac-dev (>= 1.12-5), libbz2-dev, libdb-dev, libcurl4-gnutls-dev, libexpat-dev, libwrap0-dev, dh-systemd, po-debconf, lsb-release, hardening-wrapper, dh-autoreconf, autotools-dev -+Maintainer: Joshua Tauberer -+XSBC-Original-Maintainer: Ubuntu Developers -+Build-Depends: debhelper (>= 7.2.3~), dpkg-dev (>= 1.16.1), pkg-config, libssl-dev, libpam0g-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libsqlite3-dev, libsasl2-dev, zlib1g-dev, libkrb5-dev, drac-dev (>= 1.12-5), libbz2-dev, libdb-dev, libcurl4-gnutls-dev, libexpat-dev, libwrap0-dev, dh-systemd, po-debconf, lsb-release, libclucene-dev (>= 2.3), liblzma-dev, libexttextcat-dev, libstemmer-dev, hardening-wrapper, dh-autoreconf, autotools-dev - Standards-Version: 3.9.4 - Homepage: http://dovecot.org/ --Vcs-Git: git://git.debian.org/git/collab-maint/dovecot.git --Vcs-Browser: http://git.debian.org/?p=collab-maint/dovecot.git -+Vcs-Git: https://github.com/mail-in-a-box/mailinabox -+Vcs-Browser: https://github.com/mail-in-a-box/mailinabox - --Package: dovecot-core -+Package: dovecot-lucene - Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime (>= 0.76-13.1), openssl, adduser, ucf (>= 2.0020), ssl-cert (>= 1.0-11ubuntu1), lsb-base (>= 3.2-12ubuntu3) --Suggests: ntp, dovecot-gssapi, dovecot-sieve, dovecot-pgsql, dovecot-mysql, dovecot-sqlite, dovecot-ldap, dovecot-imapd, dovecot-pop3d, dovecot-lmtpd, dovecot-managesieved, dovecot-solr, ufw --Recommends: ntpdate --Provides: dovecot-common 
--Replaces: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4) --Breaks: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4) --Description: secure POP3/IMAP server - core files -+Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (>= 1:2.2.9-1ubuntu2.1) -+Description: secure POP3/IMAP server - Lucene support - Dovecot is a mail server whose major goals are security and extreme - reliability. It tries very hard to handle all error conditions and verify - that all data is valid, making it nearly impossible to crash. It supports - mbox/Maildir and its own dbox/mdbox formats, and should also be pretty - fast, extensible, and portable. - . -- This package contains the Dovecot main server and its command line utility. -- --Package: dovecot-dev --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Replaces: dovecot-common (<< 1:2.0.14-2~) --Breaks: dovecot-common (<< 1:2.0.14-2~) --Description: secure POP3/IMAP server - header files -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains header files needed to compile plugins for the Dovecot -- mail server. -- --Package: dovecot-imapd --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020) --Provides: imap-server --Description: secure POP3/IMAP server - IMAP daemon -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. 
It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains the Dovecot IMAP server. -- --Package: dovecot-pop3d --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020) --Provides: pop3-server --Description: secure POP3/IMAP server - POP3 daemon -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains the Dovecot POP3 server. -- --Package: dovecot-lmtpd --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020) --Replaces: dovecot-common (<< 1:2.0.14-2~) --Breaks: dovecot-common (<< 1:2.0.14-2~) --Description: secure POP3/IMAP server - LMTP server -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains the Dovecot LMTP server. -- --Package: dovecot-managesieved --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), dovecot-sieve (= ${binary:Version}), ucf (>= 2.0020) --Replaces: dovecot-common (<< 1:2.0.14-2~) --Breaks: dovecot-common (<< 1:2.0.14-2~) --Description: secure POP3/IMAP server - ManageSieve server -- Dovecot is a mail server whose major goals are security and extreme -- reliability. 
It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains the Dovecot ManageSieve server. -- --Package: dovecot-pgsql --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - PostgreSQL support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides PostgreSQL support for Dovecot. -- --Package: dovecot-mysql --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - MySQL support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides MySQL support for Dovecot. -- --Package: dovecot-sqlite --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - SQLite support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . 
-- This package provides SQLite support for Dovecot. -- --Package: dovecot-ldap --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020) --Description: secure POP3/IMAP server - LDAP support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides LDAP support for Dovecot. -- --Package: dovecot-gssapi --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - GSSAPI support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides GSSAPI authentication support for Dovecot. -- --Package: dovecot-sieve --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020) --Description: secure POP3/IMAP server - Sieve filters support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides Sieve filters support for Dovecot. 
-- --Package: dovecot-solr --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - Solr support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides Solr full text search support for Dovecot. -- --Package: dovecot-dbg --Section: debug --Priority: extra --Architecture: any --Depends: ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - debug symbols -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains debug symbols for Dovecot. -- --Package: mail-stack-delivery --Architecture: all --Depends: dovecot-core, dovecot-imapd, dovecot-pop3d, dovecot-managesieved, -- postfix, ${misc:Depends} --Replaces: dovecot-postfix (<< 1:1.2.12-0ubuntu1~) --Description: mail server delivery agent stack provided by Ubuntu server team -- Ubuntu's mail stack provides fully operational delivery with -- safe defaults and additional options. Out of the box it supports IMAP, -- POP3 and SMTP services with SASL authentication and Maildir as default -- storage engine. -- . -- This package contains configuration files for dovecot. -- . -- This package modifies postfix's configuration to integrate with dovecot -+ This package provides Lucene full text search support for Dovecot. 
It has been modified by Mail-in-a-Box -+ to supply a dovecot-lucene package compatible with the official ubuntu trusty dovecot-core. - -diff --git a/debian/dovecot-lucene.links b/debian/dovecot-lucene.links -new file mode 100644 -index 0000000..6ffcbeb ---- /dev/null -+++ b/debian/dovecot-lucene.links -@@ -0,0 +1 @@ -+/usr/share/bug/dovecot-core /usr/share/bug/dovecot-lucene -diff --git a/debian/dovecot-lucene.lintian-overrides b/debian/dovecot-lucene.lintian-overrides -new file mode 100644 -index 0000000..60d90fd ---- /dev/null -+++ b/debian/dovecot-lucene.lintian-overrides -@@ -0,0 +1,2 @@ -+dovecot-lucene: hardening-no-fortify-functions usr/lib/dovecot/modules/lib21_fts_lucene_plugin.so -+ -diff --git a/debian/dovecot-lucene.substvars b/debian/dovecot-lucene.substvars -new file mode 100644 -index 0000000..ed54f36 ---- /dev/null -+++ b/debian/dovecot-lucene.substvars -@@ -0,0 +1,2 @@ -+shlibs:Depends=libc6 (>= 2.4), libclucene-core1 (>= 2.3.3.4), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.1.1), libstemmer0d (>= 0+svn527) -+misc:Depends= -diff --git a/debian/dovecot-lucene.triggers b/debian/dovecot-lucene.triggers -new file mode 100644 -index 0000000..3d933a5 ---- /dev/null -+++ b/debian/dovecot-lucene.triggers -@@ -0,0 +1 @@ -+activate register-dovecot-plugin ---- a/debian/rules -+++ b/debian/rules -@@ -40,6 +40,7 @@ - --with-solr \ - --with-ioloop=best \ - --with-libwrap \ -+ --with-lucene \ - --host=$(DEB_HOST_GNU_TYPE) \ - --build=$(DEB_BUILD_GNU_TYPE) \ - --prefix=/usr \ -@@ -95,6 +96,10 @@ - dh_testroot - dh_clean -k - dh_installdirs -+ mkdir -p $(CURDIR)/debian/dovecot-lucene/usr/lib/dovecot/modules -+ mv $(CURDIR)/src/plugins/fts-lucene/.libs/* $(CURDIR)/debian/dovecot-lucene/usr/lib/dovecot/modules/ -+ -+rest_disabled_by_miab: - $(MAKE) install DESTDIR=$(CURDIR)/debian/dovecot-core - $(MAKE) -C $(PIGEONHOLE_DIR) install DESTDIR=$(CURDIR)/debian/dovecot-core - rm `find $(CURDIR)/debian -name '*.la'` -@@ -209,7 +214,7 @@ - dh_installdocs -a - dh_installexamples 
-a - dh_installpam -a -- mv $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot-core $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot -+ # mv $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot-core $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot - dh_systemd_enable - dh_installinit -pdovecot-core --name=dovecot - dh_systemd_start -@@ -220,10 +225,10 @@ - dh_lintian -a - dh_installchangelogs -a ChangeLog - dh_link -a -- dh_strip -a --dbg-package=dovecot-dbg -+ #dh_strip -a --dbg-package=dovecot-dbg - dh_compress -a - dh_fixperms -a -- chmod 0700 debian/dovecot-core/etc/dovecot/private -+ #chmod 0700 debian/dovecot-core/etc/dovecot/private - dh_makeshlibs -a -n - dh_installdeb -a - dh_shlibdeps -a ---- a/debian/changelog -+++ a/debian/changelog -@@ -1,3 +1,9 @@ -+dovecot (1:2.2.9-1ubuntu2.1+miab1) trusty; urgency=low -+ -+ * Changed to just build dovecot-lucene for Mail-in-a-box PPA -+ -+ -- Joshua Tauberer Sat, 14 May 2015 16:13:00 -0400 -+ - dovecot (1:2.2.9-1ubuntu2.1) trusty-security; urgency=medium - - * SECURITY UPDATE: denial of service via SSL connection exhaustion ---- a/debian/copyright 2014-03-07 07:26:37.000000000 -0500 -+++ b/debian/copyright 2015-05-23 18:17:42.668005535 -0400 -@@ -1,3 +1,7 @@ -+This package is a fork by Mail-in-a-box (https://mailinabox.email). Original -+copyright statement follows: -+---------------------------------------------------------------------------- -+ - This package was debianized by Jaldhar H. Vyas on - Tue, 3 Dec 2002 01:10:07 -0500. - diff --git a/ppa/postgrey.diff b/ppa/postgrey.diff deleted file mode 100644 index 1570be02..00000000 --- a/ppa/postgrey.diff +++ /dev/null 
@@ -1,80 +0,0 @@ -diff --git a/debian/NEWS b/debian/NEWS -index dd09744..de7b640 100644 ---- a/debian/NEWS -+++ b/debian/NEWS -@@ -1,3 +1,9 @@ -+postgrey (1.35-1+miab1) -+ -+ Added DNSWL.org whitelisting. -+ -+ -- Joshua Tauberer Mon May 18 18:58:40 EDT 2015 -+ - postgrey (1.32-1) unstable; urgency=low - - Postgrey is now listening to port 10023 and not 60000. The latter was an -diff --git a/debian/changelog b/debian/changelog -index 1058e15..e5e3557 100644 ---- a/debian/changelog -+++ b/debian/changelog -@@ -1,3 +1,9 @@ -+postgrey (1.35-1+miab1) trusty; urgency=low -+ -+ * Added DNSWL.org whitelisting. -+ -+ -- Joshua Tauberer Mon, 18 May 2015 21:58:40 +0000 -+ - postgrey (1.35-1) unstable; urgency=low - - * New upstream release (Closes: 756486) -diff --git a/debian/control b/debian/control -index ce12ba6..0a82855 100644 ---- a/debian/control -+++ b/debian/control -@@ -1,14 +1,11 @@ - Source: postgrey - Section: mail - Priority: optional --Maintainer: Antonio Radici --Uploaders: Jon Daley -+Maintainer: Joshua Tauberer - Build-Depends: debhelper (>= 7), quilt - Build-Depends-Indep: po-debconf - Standards-Version: 3.9.6 - Homepage: http://postgrey.schweikert.ch/ --Vcs-Browser: http://git.debian.org/?p=collab-maint/postgrey.git --Vcs-Git: git://git.debian.org/git/collab-maint/postgrey.git - - Package: postgrey - Architecture: all -@@ -25,3 +22,6 @@ Description: greylisting implementation for Postfix - . - While Postgrey is designed for use with Postfix, it can also be used - with Exim. -+ . -+ This version has been modified by Mail-in-a-Box to whitelist senders -+ in the DNSWL.org list. See https://mailinabox.email. -diff --git a/debian/copyright b/debian/copyright -index 3cbe377..bf09b89 100644 ---- a/debian/copyright -+++ b/debian/copyright -@@ -1,6 +1,10 @@ -+This package is a fork by Mail-in-a-Box (https://mailinabox.email). 
Original -+copyright statement follows: -+---------------------------------------------------------------------------- -+ - This Debian package was prepared by Adrian von Bidder in - July 2004, then the package was adopted by Antonio Radici --in Sept 2009 -+in Sept 2009. - - It was downloaded from http://postgrey.schweikert.ch/ - -diff --git a/debian/patches/series b/debian/patches/series -index f4c5e31..3cd62b8 100644 ---- a/debian/patches/series -+++ b/debian/patches/series -@@ -1,3 +1,3 @@ - imported-upstream-diff - disable-transaction-logic -- -+mailinabox diff --git a/ppa/postgrey_sources.diff b/ppa/postgrey_sources.diff deleted file mode 100644 index dcc1f55c..00000000 --- a/ppa/postgrey_sources.diff +++ /dev/null 
@@ -1,100 +0,0 @@ -Description: whitelist whatever dnswl.org whitelists - . - postgrey (1.35-1+miab1) unstable; urgency=low - . - * Added DNSWL.org whitelisting. -Author: Joshua Tauberer - ---- postgrey-1.35.orig/README -+++ postgrey-1.35/README -@@ -13,7 +13,7 @@ Requirements - - BerkeleyDB (Perl Module) - - Berkeley DB >= 4.1 (Library) - - Digest::SHA (Perl Module, only for --privacy option) -- -+- Net::DNS (Perl Module) - - Documentation - ------------- ---- postgrey-1.35.orig/postgrey -+++ postgrey-1.35/postgrey -@@ -18,6 +18,7 @@ use Fcntl ':flock'; # import LOCK_* cons - use Sys::Hostname; - use Sys::Syslog; # used only to find out which version we use - use POSIX qw(strftime setlocale LC_ALL); -+use Net::DNS; # for DNSWL.org whitelisting - - use vars qw(@ISA); - @ISA = qw(Net::Server::Multiplex); -@@ -26,6 +27,8 @@ my $VERSION = '1.35'; - my $DEFAULT_DBDIR = '/var/lib/postgrey'; - my $CONFIG_DIR = '/etc/postgrey'; - -+my $dns_resolver = Net::DNS::Resolver->new; -+ - sub cidr_parse($) - { - defined $_[0] or return undef; -@@ -48,6 +51,36 @@ sub cidr_match($$$) - return ($addr & $mask) == $net; - } - -+sub reverseDottedQuad { -+ # This is the sub _chkValidPublicIP from Net::DNSBL by PJ Goodwin -+ # at http://www.the42.net/net-dnsbl. -+ my ($quad) = @_; -+ if ($quad =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) { -+ my ($ip1,$ip2,$ip3,$ip4) = ($1, $2, $3, $4); -+ if ( -+ $ip1 == 10 || #10.0.0.0/8 (10/8) -+ ($ip1 == 172 && $ip2 >= 16 && $ip2 <= 31) || #172.16.0.0/12 (172.16/12) -+ ($ip1 == 192 && $ip2 == 168) || #192.168.0.0/16 (192.168/16) -+ $quad eq '127.0.0.1' # localhost -+ ) { -+ # toss the RFC1918 specified privates -+ return undef; -+ } elsif ( -+ ($ip1 <= 1 || $ip1 > 254) || -+ ($ip2 < 0 || $ip2 > 255) || -+ ($ip3 < 0 || $ip3 > 255) || -+ ($ip4 < 0 || $ip4 > 255) -+ ) { -+ #invalid oct, toss it; -+ return undef; -+ } -+ my $revquad = $ip4 . "." . $ip3 . "." . $ip2 . "." . 
$ip1; -+ return $revquad; -+ } else { # invalid quad -+ return undef; -+ } -+} -+ - sub read_clients_whitelists($) - { - my ($self) = @_; -@@ -361,6 +394,25 @@ sub smtpd_access_policy($$) - } - } - -+ # whitelist clients in dnswl.org -+ my $revip = reverseDottedQuad($attr->{client_address}); -+ if ($revip) { # valid IP / plausibly in DNSWL -+ my $answer = $dns_resolver->send($revip . '.list.dnswl.org'); -+ if ($answer && scalar($answer->answer) > 0) { -+ my @rrs = $answer->answer; -+ if ($rrs[0]->type eq 'A' && $rrs[0]->address ne '127.0.0.255') { -+ # Address appears in DNSWL. (127.0.0.255 means we were rate-limited.) -+ my $code = $rrs[0]->address; -+ if ($code =~ /^127.0.(\d+)\.([0-3])$/) { -+ my %dnswltrust = (0 => 'legitimate', 1 => 'occasional spam', 2 => 'rare spam', 3 => 'highly unlikely to send spam'); -+ $code = $2 . '/' . $dnswltrust{$2}; -+ } -+ $self->mylog_action($attr, 'pass', 'client whitelisted by dnswl.org (' . $code . ')'); -+ return 'DUNNO'; -+ } -+ } -+ } -+ - # auto whitelist clients (see below for explanation) - my ($cawl_db, $cawl_key, $cawl_count, $cawl_last); - if($self->{postgrey}{awl_clients}) { diff --git a/security.md b/security.md index 5a797673..b8dc35af 100644 --- a/security.md +++ b/security.md @@ -1,7 +1,7 @@ Mail-in-a-Box Security Guide ============================ -Mail-in-a-Box turns a fresh Ubuntu 14.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components. +Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components. This page documents the security features of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box. diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh index 305a06e9..f46e5f1f 100644 --- a/setup/bootstrap.sh +++ b/setup/bootstrap.sh 
@@ -7,7 +7,34 @@ ######################################################### if [ -z "$TAG" ]; then - TAG=v0.30 + # If a version to install isn't explicitly given as an environment + # variable, then install the latest version. But the latest version + # depends on the operating system. Existing Ubuntu 14.04 users need + # to be able to upgrade to the latest version supporting Ubuntu 14.04, + # in part because an upgrade is required before jumping to Ubuntu 18.04. + # New users on Ubuntu 18 need to get the latest version number too. + # + # Also, the system status checks read this script for TAG= to get + # the latest version, so the first TAG= line must be the one that + # we want to display in status checks. + if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then + # This machine is running Ubuntu 18.04. + TAG=v0.30 + + elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then + # This machine is running Ubuntu 14.04. + echo "You are installing the last version of Mail-in-a-Box that will" + echo "support Ubuntu 14.04. If this is a new installation of Mail-in-a-Box," + echo "stop now and switch to a machine running Ubuntu 18.04. If you are" + echo "upgrading an existing Mail-in-a-Box --- great. After upgrading this" + echo "box, please visit https://mailinabox.email for notes on how to upgrade" + echo "to Ubuntu 18.04." + TAG=v0.30 + + else + echo "This script must be run on a system running Ubuntu 18.04 or Ubuntu 14.04." + exit + fi fi # Are we running as root? diff --git a/setup/dkim.sh b/setup/dkim.sh index 830e9e18..dc7e51e2 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh 
@@ -21,6 +21,11 @@ mkdir -p $STORAGE_ROOT/mail/dkim # Not quite sure why. echo "127.0.0.1" > /etc/opendkim/TrustedHosts +# We need to at least create these files, since we reference them later. +# Otherwise, opendkim startup will fail +touch /etc/opendkim/KeyTable +touch /etc/opendkim/SigningTable + if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then true # already done #NODOC else @@ -75,6 +80,9 @@ tools/editconf.py /etc/postfix/main.cf \ non_smtpd_milters=\$smtpd_milters \ milter_default_action=accept +# We need to explicitly enable the opendmarc service, or it will not start +hide_output systemctl enable opendmarc + # Restart services. restart_service opendkim restart_service opendmarc diff --git a/setup/firstuser.sh b/setup/firstuser.sh index d24fc370..f6947695 100644 --- a/setup/firstuser.sh +++ b/setup/firstuser.sh @@ -4,9 +4,9 @@ if [ -z "`tools/mail.py user`" ]; then # aren't any yet, it'll be empty. # If we didn't ask for an email address at the start, do so now. - if [ -z "$EMAIL_ADDR" ]; then + if [ -z "${EMAIL_ADDR:-}" ]; then # In an interactive shell, ask the user for an email address. - if [ -z "$NONINTERACTIVE" ]; then + if [ -z "${NONINTERACTIVE:-}" ]; then input_box "Mail Account" \ "Let's create your first mail account. \n\nWhat email address do you want?" \ @@ -47,7 +47,7 @@ if [ -z "`tools/mail.py user`" ]; then fi # Create the user's mail account. This will ask for a password if none was given above. - tools/mail.py user add $EMAIL_ADDR $EMAIL_PW + tools/mail.py user add $EMAIL_ADDR ${EMAIL_PW:-} # Make it an admin. hide_output tools/mail.py user make-admin $EMAIL_ADDR diff --git a/setup/functions.sh b/setup/functions.sh index 75c6821e..1a74edfd 100644 --- a/setup/functions.sh +++ b/setup/functions.sh 
@@ -1,3 +1,9 @@ +# Turn on "strict mode." See http://redsymbol.net/articles/unofficial-bash-strict-mode/. +# -e: exit if any command unexpectedly fails. +# -u: exit if we have a variable typo. +# -o pipefail: don't ignore errors in the non-last command in a pipeline +set -euo pipefail + function hide_output { # This function hides the output of a command unless the command fails # and returns a non-zero exit code. @@ -5,11 +11,14 @@ function hide_output { # Get a temporary file. OUTPUT=$(tempfile) - # Execute command, redirecting stderr/stdout to the temporary file. + # Execute command, redirecting stderr/stdout to the temporary file. Since we + # check the return code ourselves, disable 'set -e' temporarily. + set +e $@ &> $OUTPUT + E=$? + set -e # If the command failed, show the output that was captured in the temporary file. - E=$? if [ $E != 0 ]; then # Something failed. echo @@ -75,7 +84,7 @@ function get_publicip_from_web_service { # # Pass '4' or '6' as an argument to this function to specify # what type of address to get (IPv4, IPv6). - curl -$1 --fail --silent --max-time 15 icanhazip.com 2>/dev/null + curl -$1 --fail --silent --max-time 15 icanhazip.com 2>/dev/null || /bin/true } function get_default_privateip { @@ -131,11 +140,10 @@ function get_default_privateip { fi echo $address - } function ufw_allow { - if [ -z "$DISABLE_FIREWALL" ]; then + if [ -z "${DISABLE_FIREWALL:-}" ]; then # ufw has completely unhelpful output ufw allow $1 > /dev/null; fi @@ -154,10 +162,13 @@ function input_box { # input_box "title" "prompt" "defaultvalue" VARIABLE # The user's input will be stored in the variable VARIABLE. # The exit code from dialog will be stored in VARIABLE_EXITCODE. + # Temporarily turn off 'set -e' because we need the dialog return code. declare -n result=$4 declare -n result_code=$4_EXITCODE + set +e result=$(dialog --stdout --title "$1" --inputbox "$2" 0 0 "$3") result_code=$? + set -e } function input_menu { 
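Review bot: `set -euo pipefail` placed at the top of a file that is sourced, not executed, silently changes the shell options of every caller, including any management or tools script that sources setup/functions.sh just to borrow a helper. That is fine for the setup scripts this patch audits, but the comment should say "this file assumes it is only sourced by setup/*.sh", and every optional environment variable read anywhere in setup/ now needs the `${VAR:-}` form under `-u`; the `DISABLE_FIREWALL`, `EMAIL_ADDR` and `NONINTERACTIVE` changes in this patch do that, so a grep for remaining bare `$VAR` reads of optional variables would close the gap.

Review bot: `hide_output` still runs the command as `$@ &> $OUTPUT` with both expansions unquoted, so arguments containing whitespace or glob characters are re-split before execution and a temp path with a space would redirect to the wrong place; with strict mode now enabled it should read `"$@" &> "$OUTPUT"`. The `set +e` ... `set -e` bracket also re-enables errexit unconditionally even when a caller had it off; saving the flag from `$-` and restoring it keeps the helper side-effect free.

Review bot: `curl ... || /bin/true` in `get_publicip_from_web_service` turns every failure (timeout, non-2xx, DNS error) into an empty string and a zero exit status, so callers can no longer distinguish "no address" from "lookup failed". Either document in the function comment that an empty result means unknown and make callers check for it, or keep the non-zero status and let the caller decide.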
@@ -167,8 +178,10 @@ function input_menu { declare -n result=$4 declare -n result_code=$4_EXITCODE local IFS=^$'\n' + set +e result=$(dialog --stdout --title "$1" --menu "$2" 0 0 0 $3) result_code=$? + set -e } function wget_verify { diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index 21343964..4bcc53aa 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh @@ -26,7 +26,7 @@ source /etc/mailinabox.conf # load global vars echo "Installing Dovecot (IMAP server)..." apt_install \ dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-sqlite sqlite3 \ - dovecot-sieve dovecot-managesieved dovecot-lucene + dovecot-sieve dovecot-managesieved # The `dovecot-imapd`, `dovecot-pop3d`, and `dovecot-lmtpd` packages automatically # enable IMAP, POP and LMTP protocols. @@ -112,17 +112,6 @@ tools/editconf.py /etc/dovecot/conf.d/20-imap.conf \ tools/editconf.py /etc/dovecot/conf.d/20-pop3.conf \ pop3_uidl_format="%08Xu%08Xv" -# Full Text Search - Enable full text search of mail using dovecot's lucene plugin, -# which *we* package and distribute (dovecot-lucene package). -tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \ - mail_plugins="\$mail_plugins fts fts_lucene" -cat > /etc/dovecot/conf.d/90-plugin-fts.conf << EOF; -plugin { - fts = lucene - fts_lucene = whitespace_chars=@. -} -EOF - # ### LDA (LMTP) # Enable Dovecot's LDA service with the LMTP protocol. It will listen diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index ca52edbd..0c9bc97c 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh 
@@ -41,16 +41,8 @@ source /etc/mailinabox.conf # load global vars # always will. # * `ca-certificates`: A trust store used to squelch postfix warnings about # untrusted opportunistically-encrypted connections. -# -# postgrey is going to come in via the Mail-in-a-Box PPA, which publishes -# a modified version of postgrey that lets senders whitelisted by dnswl.org -# pass through without being greylisted. So please note [dnswl's license terms](https://www.dnswl.org/?page_id=9): -# > Every user with more than 100’000 queries per day on the public nameserver -# > infrastructure and every commercial vendor of dnswl.org data (eg through -# > anti-spam solutions) must register with dnswl.org and purchase a subscription. - echo "Installing Postfix (SMTP server)..." -apt_install postfix postfix-pcre postgrey ca-certificates +apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates # ### Basic Settings @@ -81,6 +73,8 @@ tools/editconf.py /etc/postfix/main.cf \ # Enable the 'submission' port 587 smtpd server and tweak its settings. # +# * Enable authentication. It's disabled globally so that it is disabled on port 25, +# so we need to explicitly enable it here. # * Do not add the OpenDMAC Authentication-Results header. That should only be added # on incoming mail. Omit the OpenDMARC milter by re-setting smtpd_milters to the # OpenDKIM milter only. See dkim.sh. @@ -95,6 +89,7 @@ tools/editconf.py /etc/postfix/main.cf \ # emails but we turn this off by setting nested_header_checks empty. tools/editconf.py /etc/postfix/master.cf -s -w \ "submission=inet n - - - - smtpd + -o smtpd_sasl_auth_enable=yes -o syslog_name=postfix/submission -o smtpd_milters=inet:127.0.0.1:8891 -o smtpd_tls_security_level=encrypt 
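Review bot: `postfix-sqlite` is added to the `apt_install` line without a bullet in the comment block above it, which explains why every other package in that list is installed; state what it is for so the next reader does not wonder whether it can be dropped. Removing the postgrey dnswl.org license note is correct since the patched postgrey no longer ships.

Review bot: the `-o smtpd_sasl_auth_enable=yes` override on the submission service is the right place to re-enable AUTH, and with `smtpd_tls_security_level=encrypt` on the same service Postfix refuses AUTH until STARTTLS has completed, so credentials cannot be sent in the clear on 587. Worth adding to the comment, and worth verifying on a built box with `postconf -P submission/inet/smtpd_sasl_auth_enable` and `postconf smtpd_sasl_auth_enable`, that the per-service value is `yes` while the global value from mail-users.sh is `no`.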
@@ -154,7 +149,7 @@ tools/editconf.py /etc/postfix/main.cf \ # then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records # or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC # itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also -# relies on our local bind9 server being present and `smtp_dns_support_level=dnssec`. +# relies on our local DNS server (see system.sh) and `smtp_dns_support_level=dnssec`. # # The `smtp_tls_CAfile` is superflous, but it eliminates warnings in the logs about untrusted certs, # which we don't care about seeing because Postfix is doing opportunistic TLS anyway. Better to encrypt, diff --git a/setup/mail-users.sh b/setup/mail-users.sh index ef9b8118..e54485bb 100755 --- a/setup/mail-users.sh +++ b/setup/mail-users.sh @@ -65,11 +65,15 @@ service auth { } EOF -# And have Postfix use that service. +# And have Postfix use that service. We *disable* it here +# so that authentication is not permitted on port 25 (which +# does not run DKIM on relayed mail, so outbound mail isn't +# correct, see #830), but we enable it specifically for the +# submission port. tools/editconf.py /etc/postfix/main.cf \ smtpd_sasl_type=dovecot \ smtpd_sasl_path=private/auth \ - smtpd_sasl_auth_enable=yes + smtpd_sasl_auth_enable=no # ### Sender Validation diff --git a/setup/management.sh b/setup/management.sh index 064906d3..9c221198 100755 --- a/setup/management.sh +++ b/setup/management.sh 
@@ -24,12 +24,12 @@ done # S3 api used in some regions, which breaks backups to those regions. # See #627, #653. # -# python-virtualenv is used to isolate the Python 3 packages we +# virtualenv is used to isolate the Python 3 packages we # install via pip from the system-installed packages. # # certbot installs EFF's certbot which we use to # provision free TLS certificates. -apt_install duplicity python-pip python-virtualenv certbot +apt_install duplicity python-pip virtualenv certbot hide_output pip2 install --upgrade boto # Create a virtualenv for the installation of Python 3 packages @@ -87,20 +87,15 @@ rm -f /tmp/bootstrap.zip # Create an init script to start the management daemon and keep it # running after a reboot. -rm -f /usr/local/bin/mailinabox-daemon # old path cat > $inst_dir/start </dev/null | sh +munin-node-configure --shell --remove-also 2>/dev/null | sh || /bin/true # Deactivate monitoring of NTP peers. Not sure why anyone would want to monitor a NTP peer. The addresses seem to change # (which is taken care of my munin-node-configure, but only when we re-run it.) @@ -61,6 +61,14 @@ done # Create a 'state' directory. Not sure why we need to do this manually. mkdir -p /var/lib/munin-node/plugin-state/ +# Create a systemd service for munin. +ln -sf $(pwd)/management/munin_start.sh /usr/local/lib/mailinabox/munin_start.sh +chmod 0744 /usr/local/lib/mailinabox/munin_start.sh +hide_output systemctl link conf/munin.service +hide_output systemctl daemon-reload +hide_output systemctl unmask munin.service +hide_output systemctl enable munin.service + # Restart services. restart_service munin restart_service munin-node diff --git a/setup/owncloud.sh b/setup/nextcloud.sh similarity index 55% rename from setup/owncloud.sh rename to setup/nextcloud.sh index e2f28984..167c2012 100755 --- a/setup/owncloud.sh +++ b/setup/nextcloud.sh 
@@ -9,29 +9,11 @@ source /etc/mailinabox.conf # load global vars echo "Installing Nextcloud (contacts/calendar)..." -# Keep the php5 dependancies for the owncloud upgrades -apt_install \ - dbconfig-common \ - php5-cli php5-sqlite php5-gd php5-imap php5-curl php-pear php-apc curl libapr1 libtool libcurl4-openssl-dev php-xml-parser \ - php5 php5-dev php5-gd php5-fpm memcached php5-memcached +apt-get purge -qq -y owncloud* # we used to use the package manager -apt-get purge -qq -y owncloud* - -apt_install php7.0 php7.0-fpm \ - php7.0-cli php7.0-sqlite php7.0-gd php7.0-imap php7.0-curl php-pear php-apc curl \ - php7.0-dev php7.0-gd php7.0-xml php7.0-mbstring php7.0-zip php7.0-apcu php7.0-json php7.0-intl - -# Migrate <= v0.10 setups that stored the ownCloud config.php in /usr/local rather than -# in STORAGE_ROOT. Move the file to STORAGE_ROOT. -if [ ! -f $STORAGE_ROOT/owncloud/config.php ] \ - && [ -f /usr/local/lib/owncloud/config/config.php ]; then - - # Move config.php and symlink back into previous location. - echo "Migrating owncloud/config.php to new location." - mv /usr/local/lib/owncloud/config/config.php $STORAGE_ROOT/owncloud/config.php \ - && \ - ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php -fi +apt_install php php-fpm \ + php-cli php-sqlite3 php-gd php-imap php-curl php-pear curl \ + php-dev php-gd php-xml php-mbstring php-zip php-apcu php-json php-intl InstallNextcloud() { @@ -75,7 +57,7 @@ InstallNextcloud() { # Make sure permissions are correct or the upgrade step won't run. # $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress # that error. - chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud + chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud || /bin/true # If this isn't a new installation, immediately run the upgrade script. # Then check for success (0=ok and 3=no upgrade needed, both are success). 
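Review bot: `chown -f -R www-data.www-data ... || /bin/true` hides the one failure worth seeing: `-f` already suppresses the error for a not-yet-existing `$STORAGE_ROOT/owncloud`, so the only effect of `|| /bin/true` is to mask a genuine permission error on an existing tree, which then resurfaces later as a confusing `occ upgrade` failure. Test for the directory with `-d` and chown only what exists instead. In the same hunk `apt-get purge -qq -y owncloud*` leaves the glob unquoted; quote it as `'owncloud*'` so the shell cannot expand it against files in the current directory before apt sees it. The new `apt_install` list also keeps `php-dev`, which exists to compile PHP extensions; if nothing in setup builds extensions any more it is extra tooling on a mail appliance and should go.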
@@ -93,157 +75,42 @@ InstallNextcloud() { fi } -# We only install ownCloud intermediate versions to be able to seemlesly upgrade to Nextcloud -InstallOwncloud() { +nextcloud_ver=13.0.6 +nextcloud_hash=33e41f476f0e2be5dc7cdb9d496673d9647aa3d6 - version=$1 - hash=$2 - - echo - echo "Upgrading to OwnCloud version $version" - echo - - # Remove the current owncloud/Nextcloud - rm -rf /usr/local/lib/owncloud - - # Download and verify - wget_verify https://download.owncloud.org/community/owncloud-$version.tar.bz2 $hash /tmp/owncloud.tar.bz2 - - - # Extract ownCloud - tar xjf /tmp/owncloud.tar.bz2 -C /usr/local/lib - rm -f /tmp/owncloud.tar.bz2 - - # The two apps we actually want are not in Nextcloud core. Download the releases from - # their github repositories. - mkdir -p /usr/local/lib/owncloud/apps - - wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz - tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/ - rm /tmp/contacts.tgz - - wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz - tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/ - rm /tmp/calendar.tgz - - # Fix weird permissions. - chmod 750 /usr/local/lib/owncloud/{apps,config} - - # Create a symlink to the config.php in STORAGE_ROOT (for upgrades we're restoring the symlink we previously - # put in, and in new installs we're creating a symlink and will create the actual config later). - ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php - - # Make sure permissions are correct or the upgrade step won't run. - # $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress - # that error. - chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud - - # If this isn't a new installation, immediately run the upgrade script. 
- # Then check for success (0=ok and 3=no upgrade needed, both are success). - if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then - # ownCloud 8.1.1 broke upgrades. It may fail on the first attempt, but - # that can be OK. - sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade - if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then - echo "Trying ownCloud upgrade again to work around ownCloud upgrade bug..." - sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade - if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi - sudo -u www-data php5 /usr/local/lib/owncloud/occ maintenance:mode --off - echo "...which seemed to work." - fi - fi -} - -owncloud_ver=13.0.6 -owncloud_hash=33e41f476f0e2be5dc7cdb9d496673d9647aa3d6 - -# Check if Nextcloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade) +# Check if Nextcloud dir exist, and check if version matches nextcloud_ver (if either doesn't - install/upgrade) if [ ! -d /usr/local/lib/owncloud/ ] \ - || ! grep -q $owncloud_ver /usr/local/lib/owncloud/version.php; then + || ! grep -q $nextcloud_ver /usr/local/lib/owncloud/version.php; then # Stop php-fpm if running. If theyre not running (which happens on a previously failed install), dont bail. - service php7.0-fpm stop &> /dev/null || /bin/true - service php5-fpm stop &> /dev/null || /bin/true + service php7.2-fpm stop &> /dev/null || /bin/true # Backup the existing ownCloud/Nextcloud. # Create a backup directory to store the current installation and database to BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"` mkdir -p "$BACKUP_DIRECTORY" if [ -d /usr/local/lib/owncloud/ ]; then - echo "upgrading ownCloud/Nextcloud to $owncloud_flavor $owncloud_ver (backing up existing installation, configuration and database to directory to $BACKUP_DIRECTORY..." + echo "Upgrading Nextcloud --- backing up existing installation, configuration, and database to directory to $BACKUP_DIRECTORY..." 
cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install" fi if [ -e /home/user-data/owncloud/owncloud.db ]; then cp /home/user-data/owncloud/owncloud.db $BACKUP_DIRECTORY - fi - if [ -e /home/user-data/owncloud/config.php ]; then - cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY - fi + fi + if [ -e /home/user-data/owncloud/config.php ]; then + cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY + fi - # We only need to check if we do upgrades when owncloud/Nextcloud was previously installed + # If ownCloud or Nextcloud was previously installed.... if [ -e /usr/local/lib/owncloud/version.php ]; then - if grep -q "OC_VersionString = '8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running 8.1.x, upgrading to 8.2.11 first" - InstallOwncloud 8.2.11 e4794938fc2f15a095018ba9d6ee18b53f6f299c + # Database migrations from ownCloud are no longer possible because ownCloud cannot be run under + # PHP 7. + if grep -q "OC_VersionString = '[89]\." /usr/local/lib/owncloud/version.php; then + echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 8 or 9) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting." + exit 1 fi - - # If we are upgrading from 8.2.x we should go to 9.0 first. Owncloud doesn't support skipping minor versions - if grep -q "OC_VersionString = '8\.2\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running version 8.2.x, upgrading to 9.0.11 first" - - # We need to disable memcached. 
The upgrade and install fails - # with memcached - CONFIG_TEMP=$(/bin/mktemp) - php < $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php; - -EOF - chown www-data.www-data $STORAGE_ROOT/owncloud/config.php - - # We can now install owncloud 9.0.11 - InstallOwncloud 9.0.11 fc8bad8a62179089bc58c406b28997fb0329337b - - # The owncloud 9 migration doesn't migrate calendars and contacts - # The option to migrate these are removed in 9.1 - # So the migrations should be done when we have 9.0 installed - sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-addressbooks - # The following migration has to be done for each owncloud user - for directory in $STORAGE_ROOT/owncloud/*@*/ ; do - username=$(basename "${directory}") - sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-calendar $username - done - sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:sync-birthday-calendar - fi - - # If we are upgrading from 9.0.x we should go to 9.1 first. - if grep -q "OC_VersionString = '9\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running ownCloud 9.0.x, upgrading to ownCloud 9.1.7 first" - InstallOwncloud 9.1.7 1307d997d0b23dc42742d315b3e2f11423a9c808 - fi - - # Newer ownCloud 9.1.x versions cannot be upgraded to Nextcloud 10 and have to be - # upgraded to Nextcloud 11 straight away, see: - # https://github.com/nextcloud/server/issues/2203 - # However, for some reason, upgrading to the latest Nextcloud 11.0.7 doesn't - # work either. Therefore, we're upgrading to Nextcloud 11.0.0 in the interim. - # This should not be a problem since we're upgrading to the latest Nextcloud 12 - # in the next step. - if grep -q "OC_VersionString = '9\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running ownCloud 9.1.x, upgrading to Nextcloud 11.0.0 first" - InstallNextcloud 11.0.0 e8c9ebe72a4a76c047080de94743c5c11735e72e - fi - - # If we are upgrading from 10.0.x we should go to Nextcloud 11.0 first. 
- if grep -q "OC_VersionString = '10\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running Nextcloud 10.0.x, upgrading to Nextcloud 11.0.7 first" - InstallNextcloud 11.0.7 f936ddcb2ae3dbb66ee4926eb8b2ebbddc3facbe + if grep -q "OC_VersionString = '10\." /usr/local/lib/owncloud/version.php; then + echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 10) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting." + exit 1 fi # If we are upgrading from Nextcloud 11 we should go to Nextcloud 12 first. @@ -253,7 +120,7 @@ EOF fi fi - InstallNextcloud $owncloud_ver $owncloud_hash + InstallNextcloud $nextcloud_ver $nextcloud_hash fi # ### Configuring Nextcloud @@ -278,10 +145,10 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then 'overwritewebroot' => '/cloud', 'overwrite.cli.url' => '/cloud', 'user_backends' => array( - array( - 'class'=>'OC_User_IMAP', - 'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}') - ) + array( + 'class'=>'OC_User_IMAP', + 'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}') + ) ), 'memcache.local' => '\OC\Memcache\APCu', 'mail_smtpmode' => 'sendmail', @@ -377,7 +244,7 @@ if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi # Set PHP FPM values to support large file uploads # (semicolon is the comment character in this file, hashes produce deprecation warnings) -tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \ +tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \ upload_max_filesize=16G \ post_max_size=16G \ output_buffering=16384 \ @@ -386,7 +253,7 @@ tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \ short_open_tag=On # Set Nextcloud recommended opcache settings -tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \ +tools/editconf.py /etc/php/7.2/cli/conf.d/10-opcache.ini -c ';' \ opcache.enable=1 \ opcache.enable_cli=1 \ opcache.interned_strings_buffer=8 \ 
@@ -396,12 +263,12 @@ tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \ opcache.revalidate_freq=1 # Configure the path environment for php-fpm -tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \ - env[PATH]=/usr/local/bin:/usr/bin:/bin +tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ + env[PATH]=/usr/local/bin:/usr/bin:/bin # If apc is explicitly disabled we need to enable it -if grep -q apc.enabled=0 /etc/php/7.0/mods-available/apcu.ini; then - tools/editconf.py /etc/php/7.0/mods-available/apcu.ini -c ';' \ +if grep -q apc.enabled=0 /etc/php/7.2/mods-available/apcu.ini; then + tools/editconf.py /etc/php/7.2/mods-available/apcu.ini -c ';' \ apc.enabled=1 fi @@ -423,4 +290,4 @@ chmod +x /etc/cron.hourly/mailinabox-owncloud # ``` # Enable PHP modules and restart PHP. -restart_service php7.0-fpm +restart_service php7.2-fpm diff --git a/setup/preflight.sh b/setup/preflight.sh index 4be2ec41..d087efe2 100644 --- a/setup/preflight.sh +++ b/setup/preflight.sh @@ -7,9 +7,9 @@ if [[ $EUID -ne 0 ]]; then exit fi -# Check that we are running on Ubuntu 14.04 LTS (or 14.04.xx). -if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" != "Ubuntu 14.04 LTS" ]; then - echo "Mail-in-a-Box only supports being installed on Ubuntu 14.04, sorry. You are running:" +# Check that we are running on Ubuntu 18.04 LTS (or 18.04.xx). +if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" != "Ubuntu 18.04 LTS" ]; then + echo "Mail-in-a-Box only supports being installed on Ubuntu 18.04, sorry. You are running:" echo lsb_release -d | sed 's/.*:\s*//' echo @@ -41,7 +41,7 @@ if [ $TOTAL_PHYSICAL_MEM -lt 750000 ]; then fi # Check that tempfs is mounted with exec -MOUNTED_TMP_AS_NO_EXEC=$(grep "/tmp.*noexec" /proc/mounts) +MOUNTED_TMP_AS_NO_EXEC=$(grep "/tmp.*noexec" /proc/mounts || /bin/true) if [ -n "$MOUNTED_TMP_AS_NO_EXEC" ]; then echo "Mail-in-a-Box has to have exec rights on /tmp, please mount /tmp with exec" exit 
@@ -53,16 +53,14 @@ if [ -e ~/.wgetrc ]; then exit fi -# Check that we are running on x86_64 or i686, any other architecture is unsupported and -# will fail later in the setup when we try to install the custom build lucene packages. -# -# Set ARM=1 to ignore this check if you have built the packages yourself. If you do this -# you are on your own! +# Check that we are running on x86_64 or i686 architecture, which are the only +# ones we support / test. ARCHITECTURE=$(uname -m) if [ "$ARCHITECTURE" != "x86_64" ] && [ "$ARCHITECTURE" != "i686" ]; then -if [ -z "$ARM" ]; then - echo "Mail-in-a-Box only supports x86_64 or i686 and will not work on any other architecture, like ARM." - echo "Your architecture is $ARCHITECTURE" - exit -fi + echo + echo "WARNING:" + echo "Mail-in-a-Box has only been tested on x86_64 and i686 platform" + echo "architectures. Your architecture, $ARCHITECTURE, may not work." + echo "You are on your own." + echo fi diff --git a/setup/questions.sh b/setup/questions.sh index 3d227d81..bf382f49 100644 --- a/setup/questions.sh +++ b/setup/questions.sh @@ -1,4 +1,4 @@ -if [ -z "$NONINTERACTIVE" ]; then +if [ -z "${NONINTERACTIVE:-}" ]; then # Install 'dialog' so we can ask the user questions. The original motivation for # this was being able to ask the user for input even if stdin has been redirected, # e.g. if we piped a bootstrapping install script to bash to get started. In that @@ -25,8 +25,8 @@ if [ -z "$NONINTERACTIVE" ]; then fi # The box needs a name. -if [ -z "$PRIMARY_HOSTNAME" ]; then - if [ -z "$DEFAULT_PRIMARY_HOSTNAME" ]; then +if [ -z "${PRIMARY_HOSTNAME:-}" ]; then + if [ -z "${DEFAULT_PRIMARY_HOSTNAME:-}" ]; then # We recommend to use box.example.com as this hosts name. The # domain the user possibly wants to use is example.com then. # We strip the string "box." from the hostname to get the mail 
@@ -86,30 +86,30 @@ fi # If the machine is behind a NAT, inside a VM, etc., it may not know # its IP address on the public network / the Internet. Ask the Internet # and possibly confirm with user. -if [ -z "$PUBLIC_IP" ]; then +if [ -z "${PUBLIC_IP:-}" ]; then # Ask the Internet. GUESSED_IP=$(get_publicip_from_web_service 4) # On the first run, if we got an answer from the Internet then don't # ask the user. - if [[ -z "$DEFAULT_PUBLIC_IP" && ! -z "$GUESSED_IP" ]]; then + if [[ -z "${DEFAULT_PUBLIC_IP:-}" && ! -z "$GUESSED_IP" ]]; then PUBLIC_IP=$GUESSED_IP # Otherwise on the first run at least provide a default. - elif [[ -z "$DEFAULT_PUBLIC_IP" ]]; then + elif [[ -z "${DEFAULT_PUBLIC_IP:-}" ]]; then DEFAULT_PUBLIC_IP=$(get_default_privateip 4) # On later runs, if the previous value matches the guessed value then # don't ask the user either. - elif [ "$DEFAULT_PUBLIC_IP" == "$GUESSED_IP" ]; then + elif [ "${DEFAULT_PUBLIC_IP:-}" == "$GUESSED_IP" ]; then PUBLIC_IP=$GUESSED_IP fi - if [ -z "$PUBLIC_IP" ]; then + if [ -z "${PUBLIC_IP:-}" ]; then input_box "Public IP Address" \ "Enter the public IP address of this machine, as given to you by your ISP. \n\nPublic IP address:" \ - $DEFAULT_PUBLIC_IP \ + ${DEFAULT_PUBLIC_IP:-} \ PUBLIC_IP if [ -z "$PUBLIC_IP" ]; then 
@@ -121,27 +121,27 @@ fi # Same for IPv6. But it's optional. Also, if it looks like the system # doesn't have an IPv6, don't ask for one. -if [ -z "$PUBLIC_IPV6" ]; then +if [ -z "${PUBLIC_IPV6:-}" ]; then # Ask the Internet. GUESSED_IP=$(get_publicip_from_web_service 6) MATCHED=0 - if [[ -z "$DEFAULT_PUBLIC_IPV6" && ! -z "$GUESSED_IP" ]]; then + if [[ -z "${DEFAULT_PUBLIC_IPV6:-}" && ! -z "$GUESSED_IP" ]]; then PUBLIC_IPV6=$GUESSED_IP - elif [[ "$DEFAULT_PUBLIC_IPV6" == "$GUESSED_IP" ]]; then + elif [[ "${DEFAULT_PUBLIC_IPV6:-}" == "$GUESSED_IP" ]]; then # No IPv6 entered and machine seems to have none, or what # the user entered matches what the Internet tells us. PUBLIC_IPV6=$GUESSED_IP MATCHED=1 - elif [[ -z "$DEFAULT_PUBLIC_IPV6" ]]; then + elif [[ -z "${DEFAULT_PUBLIC_IPV6:-}" ]]; then DEFAULT_PUBLIC_IP=$(get_default_privateip 6) fi - if [[ -z "$PUBLIC_IPV6" && $MATCHED == 0 ]]; then + if [[ -z "${PUBLIC_IPV6:-}" && $MATCHED == 0 ]]; then input_box "IPv6 Address (Optional)" \ "Enter the public IPv6 address of this machine, as given to you by your ISP. \n\nLeave blank if the machine does not have an IPv6 address. \n\nPublic IPv6 address:" \ - $DEFAULT_PUBLIC_IPV6 \ + ${DEFAULT_PUBLIC_IPV6:-} \ PUBLIC_IPV6 if [ ! $PUBLIC_IPV6_EXITCODE ]; then @@ -154,10 +154,10 @@ fi # Get the IP addresses of the local network interface(s) that are connected # to the Internet. We need these when we want to have services bind only to # the public network interfaces (not loopback, not tunnel interfaces). -if [ -z "$PRIVATE_IP" ]; then +if [ -z "${PRIVATE_IP:-}" ]; then PRIVATE_IP=$(get_default_privateip 4) fi -if [ -z "$PRIVATE_IPV6" ]; then +if [ -z "${PRIVATE_IPV6:-}" ]; then PRIVATE_IPV6=$(get_default_privateip 6) fi if [[ -z "$PRIVATE_IP" && -z "$PRIVATE_IPV6" ]]; then 
@@ -186,11 +186,11 @@ fi # Set STORAGE_USER and STORAGE_ROOT to default values (user-data and /home/user-data), unless # we've already got those values from a previous run. -if [ -z "$STORAGE_USER" ]; then - STORAGE_USER=$([[ -z "$DEFAULT_STORAGE_USER" ]] && echo "user-data" || echo "$DEFAULT_STORAGE_USER") +if [ -z "${STORAGE_USER:-}" ]; then + STORAGE_USER=$([[ -z "${DEFAULT_STORAGE_USER:-}" ]] && echo "user-data" || echo "$DEFAULT_STORAGE_USER") fi -if [ -z "$STORAGE_ROOT" ]; then - STORAGE_ROOT=$([[ -z "$DEFAULT_STORAGE_ROOT" ]] && echo "/home/$STORAGE_USER" || echo "$DEFAULT_STORAGE_ROOT") +if [ -z "${STORAGE_ROOT:-}" ]; then + STORAGE_ROOT=$([[ -z "${DEFAULT_STORAGE_ROOT:-}" ]] && echo "/home/$STORAGE_USER" || echo "$DEFAULT_STORAGE_ROOT") fi # Show the configuration, since the user may have not entered it manually. diff --git a/setup/start.sh b/setup/start.sh index 3dbaed54..0b145022 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -4,7 +4,7 @@ source setup/functions.sh # load our functions -# Check system setup: Are we running as root on Ubuntu 14.04 on a +# Check system setup: Are we running as root on Ubuntu 18.04 on a # machine with enough memory? Is /tmp mounted with exec. # If not, this shows an error and exits. source setup/preflight.sh @@ -60,8 +60,8 @@ source setup/questions.sh # Run some network checks to make sure setup on this machine makes sense. # Skip on existing installs since we don't want this to block the ability to # upgrade, and these checks are also in the control panel status checks. -if [ -z "$DEFAULT_PRIMARY_HOSTNAME" ]; then -if [ -z "$SKIP_NETWORK_CHECKS" ]; then +if [ -z "${DEFAULT_PRIMARY_HOSTNAME:-}" ]; then +if [ -z "${SKIP_NETWORK_CHECKS:-}" ]; then source setup/network-checks.sh fi fi @@ -106,7 +106,7 @@ source setup/dkim.sh source setup/spamassassin.sh source setup/web.sh source setup/webmail.sh -source setup/owncloud.sh +source setup/nextcloud.sh source setup/zpush.sh source setup/management.sh source setup/munin.sh 
diff --git a/setup/system.sh b/setup/system.sh index d096f7a4..2305ccfc 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -14,6 +14,13 @@ source setup/functions.sh # load our functions echo $PRIMARY_HOSTNAME > /etc/hostname hostname $PRIMARY_HOSTNAME +# ### Fix permissions + +# The default Ubuntu Bionic image on Scaleway throws warnings during setup about incorrect +# permissions (group writeable) set on the following directories. + +chmod g-w /etc /etc/default /usr + # ### Add swap space to the system # If the physical memory of the system is below 2GB it is wise to create a @@ -37,9 +44,9 @@ hostname $PRIMARY_HOSTNAME # for reference SWAP_MOUNTED=$(cat /proc/swaps | tail -n+2) -SWAP_IN_FSTAB=$(grep "swap" /etc/fstab) -ROOT_IS_BTRFS=$(grep "\/ .*btrfs" /proc/mounts) -TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}') +SWAP_IN_FSTAB=$(grep "swap" /etc/fstab || /bin/true) +ROOT_IS_BTRFS=$(grep "\/ .*btrfs" /proc/mounts || /bin/true) +TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true) AVAILABLE_DISK_SPACE=$(df / --output=avail | tail -n 1) if [ -z "$SWAP_MOUNTED" ] && @@ -70,7 +77,7 @@ fi # ### Add PPAs. -# We install some non-standard Ubuntu packages maintained by us and other +# We install some non-standard Ubuntu packages maintained by other # third-party providers. First ensure add-apt-repository is installed. if [ ! -f /usr/bin/add-apt-repository ]; then 
@@ -79,14 +86,7 @@ if [ ! -f /usr/bin/add-apt-repository ]; then apt_install software-properties-common fi -# [Main-in-a-Box's own PPA](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa) -# holds several .deb packages that we built on our own. -# One is a replacement for Ubuntu's stock postgrey package that makes -# some enhancements. The other is dovecot-lucene, a Lucene-based full -# text search plugin for (and by) dovecot, which is not available in -# Ubuntu currently. - -hide_output add-apt-repository -y ppa:mail-in-a-box/ppa +# Install the certbot PPA. hide_output add-apt-repository -y ppa:certbot/certbot # ### Update Packages @@ -128,21 +128,9 @@ apt_install python3 python3-dev python3-pip \ haveged pollinate unzip \ unattended-upgrades cron ntp fail2ban rsyslog -# ### Add PHP7 PPA - -# Nextcloud requires PHP7, we will install the ppa from ubuntu php maintainer Ondřej Surý -# The PPA is located here https://launchpad.net/%7Eondrej/+archive/ubuntu/php -# Unattended upgrades are activated for the repository If it appears it's already -# installed, don't do it again so we can avoid an unnecessary call to apt-get update. -if [ ! -f /etc/apt/sources.list.d/ondrej-php-trusty.list ]; then -hide_output add-apt-repository -y ppa:ondrej/php -apt_add_repository_to_unattended_upgrades LP-PPA-ondrej-php:trusty -hide_output apt-get update -fi - # ### Suppress Upgrade Prompts -# Since Mail-in-a-Box might jump straight to 18.04 LTS, there's no need -# to be reminded about 16.04 on every login. +# When Ubuntu 20 comes out, we don't want users to be prompted to upgrade, +# because we don't yet support it. if [ -f /etc/update-manager/release-upgrades ]; then tools/editconf.py /etc/update-manager/release-upgrades Prompt=never rm -f /var/lib/ubuntu-release-upgrader/release-upgrade-available 
@@ -162,8 +150,8 @@ fi # section) and syslog (see #328). There might be other issues, and it's # not likely the user will want to change this, so we only ask on first # setup. -if [ -z "$NONINTERACTIVE" ]; then - if [ ! -f /etc/timezone ] || [ ! -z $FIRST_TIME_SETUP ]; then +if [ -z "${NONINTERACTIVE:-}" ]; then + if [ ! -f /etc/timezone ] || [ ! -z ${FIRST_TIME_SETUP:-} ]; then # If the file is missing or this is the user's first time running # Mail-in-a-Box setup, run the interactive timezone configuration # tool. @@ -189,7 +177,6 @@ fi # * DNSSEC signing keys (see `dns.sh`) # * our management server's API key (via Python's os.urandom method) # * Roundcube's SECRET_KEY (`webmail.sh`) -# * ownCloud's administrator account password (`owncloud.sh`) # # Why /dev/urandom? It's the same as /dev/random, except that it doesn't wait # for a constant new stream of entropy. In practice, we only need a little @@ -259,7 +246,7 @@ EOF # Various virtualized environments like Docker and some VPSs don't provide #NODOC # a kernel that supports iptables. To avoid error-like output in these cases, #NODOC # we skip this if the user sets DISABLE_FIREWALL=1. #NODOC -if [ -z "$DISABLE_FIREWALL" ]; then +if [ -z "${DISABLE_FIREWALL:-}" ]; then # Install `ufw` which provides a simple firewall configuration. apt_install ufw 
@@ -284,45 +271,69 @@ fi #NODOC # ### Local DNS Service -# Install a local DNS server, rather than using the DNS server provided by the -# ISP's network configuration. +# Install a local recursive DNS server --- i.e. for DNS queries made by +# local services running on this machine. # -# We do this to ensure that DNS queries -# that *we* make (i.e. looking up other external domains) perform DNSSEC checks. -# We could use Google's Public DNS, but we don't want to create a dependency on -# Google per our goals of decentralization. `bind9`, as packaged for Ubuntu, has -# DNSSEC enabled by default via "dnssec-validation auto". +# (This is unrelated to the box's public, non-recursive DNS server that +# answers remote queries about domain names hosted on this box. For that +# see dns.sh.) # -# So we'll be running `bind9` bound to 127.0.0.1 for locally-issued DNS queries -# and `nsd` bound to the public ethernet interface for remote DNS queries asking -# about our domain names. `nsd` is configured later. +# The default systemd-resolved service provides local DNS name resolution. By default it +# is a recursive stub nameserver, which means it simply relays requests to an +# external nameserver, usually provided by your ISP or configured in /etc/systemd/resolved.conf. +# +# This won't work for us for three reasons. +# +# 1) We have higher security goals --- we want DNSSEC to be enforced on all +# DNS queries (some upstream DNS servers do, some don't). +# 2) We will configure postfix to use DANE, which uses DNSSEC to find TLS +# certificates for remote servers. DNSSEC validation *must* be performed +# locally because we can't trust an unencrypted connection to an external +# DNS server. +# 3) DNS-based mail server blacklists (RBLs) typically block large ISP +# DNS servers because they only provide free data to small users. Since +# we use RBLs to block incoming mail from blacklisted IP addresses, +# we have to run our own DNS server. See #1424. 
+# +# systemd-resolved has a setting to perform local DNSSEC validation on all +# requests (in /etc/systemd/resolved.conf, set DNSSEC=yes), but because it's +# a stub server the main part of a request still goes through an upstream +# DNS server, which won't work for RBLs. So we really need a local recursive +# nameserver. +# +# We'll install `bind9`, which as packaged for Ubuntu, has DNSSEC enabled by default via "dnssec-validation auto". +# We'll have it be bound to 127.0.0.1 so that it does not interfere with +# the public, recursive nameserver `nsd` bound to the public ethernet interfaces. # # About the settings: # -# * RESOLVCONF=yes will have `bind9` take over /etc/resolv.conf to tell -# local services that DNS queries are handled on localhost. # * Adding -4 to OPTIONS will have `bind9` not listen on IPv6 addresses # so that we're sure there's no conflict with nsd, our public domain # name server, on IPV6. # * The listen-on directive in named.conf.options restricts `bind9` to # binding to the loopback interface instead of all interfaces. -apt_install bind9 resolvconf +apt_install bind9 tools/editconf.py /etc/default/bind9 \ - RESOLVCONF=yes \ "OPTIONS=\"-u bind -4\"" if ! grep -q "listen-on " /etc/bind/named.conf.options; then # Add a listen-on directive if it doesn't exist inside the options block. sed -i "s/^}/\n\tlisten-on { 127.0.0.1; };\n}/" /etc/bind/named.conf.options fi -if [ -f /etc/resolvconf/resolv.conf.d/original ]; then - echo "Archiving old resolv.conf (was /etc/resolvconf/resolv.conf.d/original, now /etc/resolvconf/resolv.conf.original)." #NODOC - mv /etc/resolvconf/resolv.conf.d/original /etc/resolvconf/resolv.conf.original #NODOC -fi + +# First we'll disable systemd-resolved's management of resolv.conf and its stub server. +# Breaking the symlink to /run/systemd/resolve/stub-resolv.conf means +# systemd-resolved will read it for DNS servers to use. Put in 127.0.0.1, +# which is where bind9 will be running. 
Obviously don't do this before +# installing bind9 or else apt won't be able to resolve a server to +# download bind9 from. +rm -f /etc/resolv.conf +tools/editconf.py /etc/systemd/resolved.conf DNSStubListener=no +echo "nameserver 127.0.0.1" > /etc/resolv.conf # Restart the DNS services. restart_service bind9 -restart_service resolvconf +systemctl restart systemd-resolved # ### Fail2Ban Service diff --git a/setup/web.sh b/setup/web.sh index 021a9b7f..ed37e5e3 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -19,10 +19,7 @@ fi echo "Installing Nginx (web server)..." -apt_install nginx php7.0-cli php7.0-fpm - -# Set PHP7 as the default -update-alternatives --set php /usr/bin/php7.0 +apt_install nginx php-cli php-fpm rm -f /etc/nginx/sites-enabled/default @@ -44,19 +41,19 @@ tools/editconf.py /etc/nginx/nginx.conf -s \ server_names_hash_bucket_size="128;" # Tell PHP not to expose its version number in the X-Powered-By header. -tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \ +tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \ expose_php=Off # Set PHPs default charset to UTF-8, since we use it. See #367. -tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \ +tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \ default_charset="UTF-8" # Switch from the dynamic process manager to the ondemand manager see #1216 -tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \ +tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ pm=ondemand # Bump up PHP's max_children to support more concurrent connections -tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \ +tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ pm.max_children=8 # Other nginx settings will be configured by the management service 
@@ -94,24 +91,9 @@ if [ ! -f $STORAGE_ROOT/www/default/index.html ]; then fi chown -R $STORAGE_USER $STORAGE_ROOT/www -# We previously installed a custom init script to start the PHP FastCGI daemon. #NODOC -# Remove it now that we're using php5-fpm. #NODOC -if [ -L /etc/init.d/php-fastcgi ]; then - echo "Removing /etc/init.d/php-fastcgi, php5-cgi..." #NODOC - rm -f /etc/init.d/php-fastcgi #NODOC - hide_output update-rc.d php-fastcgi remove #NODOC - apt-get -y purge php5-cgi #NODOC -fi - -# Remove obsoleted scripts. #NODOC -# exchange-autodiscover is now handled by Z-Push. #NODOC -for f in webfinger exchange-autodiscover; do #NODOC - rm -f /usr/local/bin/mailinabox-$f.php #NODOC -done #NODOC - # Start services. restart_service nginx -restart_service php7.0-fpm +restart_service php7.2-fpm # Open ports. ufw_allow http diff --git a/setup/webmail.sh b/setup/webmail.sh index cdf73cfb..b0e11c9b 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -22,15 +22,8 @@ source /etc/mailinabox.conf # load global vars echo "Installing Roundcube (webmail)..." apt_install \ dbconfig-common \ - php7.0-cli php7.0-sqlite php7.0-mcrypt php7.0-intl php7.0-json php7.0-common php7.0-curl \ - php7.0-gd php7.0-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php7.0-mbstring - -apt_get_quiet remove php-mail-mimedecode # no longer needed since Roundcube 1.1.3 - -# We used to install Roundcube from Ubuntu, without triggering the dependencies #NODOC -# on Apache and MySQL, by downloading the debs and installing them manually. #NODOC -# Now that we're beyond that, get rid of those debs before installing from source. #NODOC -apt-get purge -qq -y roundcube* #NODOC + php-cli php-sqlite3 php-intl php-json php-common php-curl \ + php-gd php-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php-mbstring # Install Roundcube from source if it is not already present or if it is out of date. # Combine the Roundcube version number with the commit hash of plugins to track 
@@ -200,5 +193,5 @@ chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite # Enable PHP modules. -phpenmod -v php7.0 mcrypt imap -restart_service php7.0-fpm +phpenmod -v php mcrypt imap +restart_service php7.2-fpm diff --git a/setup/zpush.sh b/setup/zpush.sh index 84ab4556..32fc4992 100755 --- a/setup/zpush.sh +++ b/setup/zpush.sh @@ -17,9 +17,9 @@ source /etc/mailinabox.conf # load global vars echo "Installing Z-Push (Exchange/ActiveSync server)..." apt_install \ - php7.0-soap php7.0-imap libawl-php php7.0-xsl + php-soap php-imap libawl-php php-xsl -phpenmod -v php7.0 imap +phpenmod -v php imap # Copy Z-Push into place. VERSION=2.4.4 @@ -102,7 +102,7 @@ EOF # Restart service. -restart_service php7.0-fpm +restart_service php7.2-fpm # Fix states after upgrade diff --git a/tests/tls.py b/tests/tls.py index 32148133..e06ddcc9 100644 --- a/tests/tls.py +++ b/tests/tls.py @@ -17,7 +17,7 @@ # through some other host you can ssh into (maybe the box # itself?): # -# python3 --proxy user@ssh_host yourservername +# python3 tls.py --proxy user@ssh_host yourservername # # (This will launch "ssh -N -L10023:yourservername:testport user@ssh_host" # to create a tunnel.) @@ -128,7 +128,7 @@ def sslyze(opts, port, ok_ciphers): proxy_proc.terminate() try: proxy_proc.wait(5) - except TimeoutExpired: + except subprocess.TimeoutExpired: proxy_proc.kill() # Get a list of OpenSSL cipher names. diff --git a/tests/tls_results.txt b/tests/tls_results.txt index 33ebb7d1..8747bac3 100644 --- a/tests/tls_results.txt +++ b/tests/tls_results.txt 
@@ -13,18 +13,18 @@ PORT 25 * Session Resumption: With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts). - With TLS Session Tickets: NOT SUPPORTED - TLS ticket not assigned. + With TLS Session Tickets: OK - Supported * SSLV2 Cipher Suites: Server rejected all cipher suites. * TLSV1_2 Cipher Suites: Preferred: - ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok Accepted: - ECDHE-RSA-AES256-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA256 DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok @@ -33,9 +33,9 @@ PORT 25 AES256-SHA256 - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok AES256-GCM-SHA384 - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-GCM-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA256 DH-2048 bits 128 bits 250 2.0.0 Ok 
@@ -46,56 +46,47 @@ PORT 25 AES128-SHA256 - 128 bits 250 2.0.0 Ok AES128-SHA - 128 bits 250 2.0.0 Ok AES128-GCM-SHA256 - 128 bits 250 2.0.0 Ok - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits 250 2.0.0 Ok - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits 250 2.0.0 Ok - DES-CBC3-SHA - 112 bits 250 2.0.0 Ok * TLSV1_1 Cipher Suites: Preferred: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok Accepted: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok SEED-SHA - 128 bits 250 2.0.0 Ok CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok AES128-SHA - 128 bits 250 2.0.0 Ok - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits 250 2.0.0 Ok - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits 250 2.0.0 Ok - DES-CBC3-SHA - 112 bits 250 2.0.0 Ok - - * TLSV1 Cipher Suites: - Preferred: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - Accepted: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok - DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok - CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok - AES256-SHA - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok - DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - SEED-SHA - 128 bits 250 2.0.0 Ok - CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok - 
AES128-SHA - 128 bits 250 2.0.0 Ok - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits 250 2.0.0 Ok - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits 250 2.0.0 Ok - DES-CBC3-SHA - 112 bits 250 2.0.0 Ok * SSLV3 Cipher Suites: Server rejected all cipher suites. + * TLSV1 Cipher Suites: + Preferred: + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + Accepted: + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok + DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok + CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok + AES256-SHA - 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok + DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + SEED-SHA - 128 bits 250 2.0.0 Ok + CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok + AES128-SHA - 128 bits 250 2.0.0 Ok + Should Not Offer: (none -- good) - Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, DHE-DSS-SEED-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA - Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Chrome/42/OS X, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, 
IE/7/Vista, Android/2.3.7, Java/6u45, IE/8/XP + Could Also Offer: AES128-CCM, AES128-CCM8, AES256-CCM, AES256-CCM8, CAMELLIA128-SHA256, CAMELLIA256-SHA256, DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA128-SHA256, DHE-DSS-CAMELLIA256-SHA, DHE-DSS-CAMELLIA256-SHA256, DHE-DSS-SEED-SHA, DHE-RSA-AES128-CCM, DHE-RSA-AES128-CCM8, DHE-RSA-AES256-CCM, DHE-RSA-AES256-CCM8, DHE-RSA-CAMELLIA128-SHA256, DHE-RSA-CAMELLIA256-SHA256, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CAMELLIA128-SHA256, ECDHE-ECDSA-CAMELLIA256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CAMELLIA128-SHA256, ECDHE-RSA-CAMELLIA256-SHA384, ECDHE-RSA-CHACHA20-POLY1305 + Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, BingPreview/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.3, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45 PORT 587 -------- 
@@ -112,18 +103,18 @@ PORT 587 * Session Resumption: With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts). - With TLS Session Tickets: NOT SUPPORTED - TLS ticket not assigned. + With TLS Session Tickets: OK - Supported * SSLV2 Cipher Suites: Server rejected all cipher suites. * TLSV1_2 Cipher Suites: Preferred: - ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok Accepted: - ECDHE-RSA-AES256-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA256 DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok @@ -132,9 +123,9 @@ PORT 587 AES256-SHA256 - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok AES256-GCM-SHA384 - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-GCM-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA256 DH-2048 bits 128 bits 250 2.0.0 Ok 
@@ -148,31 +139,14 @@ PORT 587 * TLSV1_1 Cipher Suites: Preferred: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok Accepted: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok - DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - SEED-SHA - 128 bits 250 2.0.0 Ok - CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok - AES128-SHA - 128 bits 250 2.0.0 Ok - - * TLSV1 Cipher Suites: - Preferred: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - Accepted: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok - DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok - CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok - AES256-SHA - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok 
@@ -183,9 +157,26 @@ PORT 587 * SSLV3 Cipher Suites: Server rejected all cipher suites. + * TLSV1 Cipher Suites: + Preferred: + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + Accepted: + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok + DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok + CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok + AES256-SHA - 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok + DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + SEED-SHA - 128 bits 250 2.0.0 Ok + CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok + AES128-SHA - 128 bits 250 2.0.0 Ok + Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-RSA-SEED-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, SEED-SHA - Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384 - Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, IE/11/Win 7, IE/11/Win 8.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, IE Mobile/11/Win Phone 8.1, Safari/8/OS X 10.10, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Java/8u31, Android/5.0.0, Chrome/42/OS X, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/7u25, Android/2.3.7, Java/6u45 + Could Also Offer: 
ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 + Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, BingPreview/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.3, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45 PORT 443 -------- @@ -197,19 +188,19 @@ PORT 443 Client-initiated Renegotiations: OK - Rejected Secure Renegotiation: OK - Supported - * OpenSSL Heartbleed: - OK - Not vulnerable to Heartbleed - * HTTP Strict Transport Security: OK - HSTS header received: max-age=15768000 -Unhandled exception when processing --chrome_sha1: -exceptions.TypeError - Incorrect padding - * Session Resumption: With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts). With TLS Session Tickets: OK - Supported + * OpenSSL Heartbleed: + OK - Not vulnerable to Heartbleed + +Unhandled exception when processing --chrome_sha1: +exceptions.TypeError - Incorrect padding + * SSLV2 Cipher Suites: Server rejected all cipher suites. @@ -235,9 +226,6 @@ exceptions.TypeError - Incorrect padding AES128-SHA256 - 128 bits HTTP 200 OK AES128-SHA - 128 bits HTTP 200 OK AES128-GCM-SHA256 - 128 bits HTTP 200 OK - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits HTTP 200 OK - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits HTTP 200 OK - DES-CBC3-SHA - 112 bits HTTP 200 OK * TLSV1_1 Cipher Suites: Preferred: 
@@ -249,9 +237,9 @@ exceptions.TypeError - Incorrect padding ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 200 OK DHE-RSA-AES128-SHA DH-2048 bits 128 bits HTTP 200 OK AES128-SHA - 128 bits HTTP 200 OK - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits HTTP 200 OK - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits HTTP 200 OK - DES-CBC3-SHA - 112 bits HTTP 200 OK + + * SSLV3 Cipher Suites: + Server rejected all cipher suites. * TLSV1 Cipher Suites: Preferred: 
@@ -262,17 +250,11 @@ exceptions.TypeError - Incorrect padding AES256-SHA - 256 bits HTTP 200 OK ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 200 OK DHE-RSA-AES128-SHA DH-2048 bits 128 bits HTTP 200 OK - AES128-SHA - 128 bits HTTP 200 OK - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits HTTP 200 OK - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits HTTP 200 OK - DES-CBC3-SHA - 112 bits HTTP 200 OK - - * SSLV3 Cipher Suites: - Server rejected all cipher suites. + AES128-SHA - 128 bits HTTP 200 OK Should Not Offer: (none -- good) - Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA - Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP + Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 + Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, 
Firefox/37/OS X, Android/4.3, Android/4.2.2, Baidu/Jan 2015, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45 PORT 993 -------- @@ -286,13 +268,13 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec * OpenSSL Heartbleed: OK - Not vulnerable to Heartbleed - * SSLV2 Cipher Suites: - Server rejected all cipher suites. - * Session Resumption: With Session IDs: NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts). With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted. + * SSLV2 Cipher Suites: + Server rejected all cipher suites. + * TLSV1_2 Cipher Suites: Preferred: ECDHE-RSA-AES128-GCM-SHA256 ECDH-384 bits 128 bits @@ -315,9 +297,6 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec AES128-SHA256 - 128 bits AES128-SHA - 128 bits AES128-GCM-SHA256 - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits * TLSV1_1 Cipher Suites: Preferred: @@ -329,9 +308,9 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits DHE-RSA-AES128-SHA DH-2048 bits 128 bits AES128-SHA - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits + + * SSLV3 Cipher Suites: + Server rejected all cipher suites. * TLSV1 Cipher Suites: Preferred: 
@@ -342,17 +321,11 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec AES256-SHA - 256 bits ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits DHE-RSA-AES128-SHA DH-2048 bits 128 bits - AES128-SHA - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits + AES128-SHA - 128 bits - * SSLV3 Cipher Suites: - Server rejected all cipher suites. - - Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DES-CBC3-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA - Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384 - Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP + Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA + Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, 
ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 + Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Firefox/37/OS X, Android/4.3, Android/4.2.2, Baidu/Jan 2015, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45 PORT 995 -------- @@ -366,13 +339,13 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec * OpenSSL Heartbleed: OK - Not vulnerable to Heartbleed - * SSLV2 Cipher Suites: - Server rejected all cipher suites. - * Session Resumption: With Session IDs: NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts). With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted. + * SSLV2 Cipher Suites: + Server rejected all cipher suites. + * TLSV1_2 Cipher Suites: Preferred: ECDHE-RSA-AES128-GCM-SHA256 ECDH-384 bits 128 bits @@ -395,9 +368,6 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec AES128-SHA256 - 128 bits AES128-SHA - 128 bits AES128-GCM-SHA256 - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits * TLSV1_1 Cipher Suites: Preferred: 
@@ -409,9 +379,9 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits DHE-RSA-AES128-SHA DH-2048 bits 128 bits AES128-SHA - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits + + * SSLV3 Cipher Suites: + Server rejected all cipher suites. * TLSV1 Cipher Suites: Preferred: 
@@ -422,15 +392,9 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec AES256-SHA - 256 bits ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits DHE-RSA-AES128-SHA DH-2048 bits 128 bits - AES128-SHA - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits + AES128-SHA - 128 bits - * SSLV3 Cipher Suites: - Server rejected all cipher suites. - - Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DES-CBC3-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA - Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384 - Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP + Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA + Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, 
ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 + Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Firefox/37/OS X, Android/4.3, Android/4.2.2, Baidu/Jan 2015, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45 diff --git a/tools/owncloud-restore.sh b/tools/owncloud-restore.sh index 1b006ca1..c93a322c 100755 --- a/tools/owncloud-restore.sh +++ b/tools/owncloud-restore.sh @@ -26,8 +26,7 @@ if [ ! -f $1/config.php ]; then fi echo "Restoring backup from $1" -service php5-fpm stop -service php7.0-fpm stop +service php7.2-fpm stop # remove the current ownCloud/Nextcloud installation rm -rf /usr/local/lib/owncloud/ @@ -46,6 +45,5 @@ chown www-data.www-data $STORAGE_ROOT/owncloud/config.php sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off -service php5-fpm start -service php7.0-fpm start +service php7.2-fpm start echo "Done"
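Review bot: the expected-output changes for ports 25 and 587 move every ECDHE suite from `ECDH-256 bits` to `ECDH-521 bits`, while the port 443 hunks keep `ECDH-256 bits` and ports 993/995 keep `ECDH-384 bits`, and nothing in the diff explains why the SMTP listener now negotiates a P-521 key exchange when nginx and dovecot on the same box do not. If this is just the default curve of the new postfix (2.11 => 3.3 per the CHANGELOG) rather than a deliberate setting, say so in the commit message, and consider pinning the curve to P-256 for consistency with the other ports: P-521 ECDHE costs noticeably more CPU per handshake for no practical gain over P-256 at these security levels, and it is the less widely supported curve among the older clients the report lists. The other port 587 change, `With TLS Session Tickets: OK - Supported` replacing `NOT SUPPORTED - TLS ticket not assigned`, is fine but should be accepted knowingly: with tickets enabled, forward secrecy of resumed sessions depends on the ticket key being rotated, so confirm that the postfix shipped on 18.04 rotates its ticket keys (Postfix documents tlsmgr doing this on a cycle) rather than treating the new line as automatically better. Dropping the three 3DES suites (`DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`) on every port, and their disappearance from the `Should Not Offer` lists on 993/995, is the clear improvement here and deserves its own CHANGELOG line.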
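Review bot: the port 443 hunk keeps `Unhandled exception when processing --chrome_sha1:` / `exceptions.TypeError - Incorrect padding` in the expected output and only moves it below the Heartbleed block. A traceback from the scanner (sslyze, judging by the `_nassl.OpenSSLError` text in the hunk headers) is being committed as the golden result, so the HTTPS scan will "match" while the `--chrome_sha1` check silently never runs and a regression in it would go unnoticed. Either drop `--chrome_sha1` from the scan invocation or fix the scanner version so the check completes, then regenerate the expected output from a clean run; a test fixture should not contain an exception message. The same applies to the `_nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec` line that the 993 and 995 hunk headers show is already part of the expected output for those ports.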
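Review bot: in `tools/owncloud-restore.sh` the replacement of `service php5-fpm stop` / `service php7.0-fpm stop` with a single `service php7.2-fpm stop` (and the same for `start`) is the third PHP version hardcoded into this script, in two places each time; put the service name in one variable at the top of the script, or derive it from the PHP version the setup scripts install, so the next bump is a one-line change and the stop and start lines cannot drift apart. Dropping the older service names is consistent with the CHANGELOG statement that this version installs only on Ubuntu 18.04. While touching this file: `if [ ! -f $1/config.php ]` leaves `$1` unquoted, so a backup path containing a space breaks the check; quote it as `"$1/config.php"`. And `chown www-data.www-data` uses the dot separator that GNU chown accepts only for backward compatibility; the POSIX form is `www-data:www-data`.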