From d96613b8fe91f3d04887aa3318d4ef2467cea08a Mon Sep 17 00:00:00 2001 
From: "Christopher A. DeFlumeri"
Date: Sat, 7 Jul 2018 18:41:41 +0000
Subject: [PATCH 01/27] minimal changeset to get things working on 18.04

@joshdata squashed pull request #1398, removed some comments, and added these notes:

* The old init.d script for the management daemon is replaced with a systemd service.
* A systemd service configuration is added to configure permissions for munin on startup.
* nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2.
* Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config.
* The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04.
* The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders.
* Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing.
* Other minor changes.
--- CHANGELOG.md | 3 + Vagrantfile | 9 +- conf/mailinabox.service | 10 ++ conf/management-initscript | 135 -------------------- conf/munin.service | 10 ++ conf/nginx-ssl.conf | 70 ++--------- conf/nginx.conf | 4 +- management/dns_update.py | 23 ++-- management/munin_start.sh | 2 + management/status_checks.py | 1 - setup/dkim.sh | 8 ++ setup/mail-dovecot.sh | 13 +- setup/mail-postfix.sh | 3 +- setup/management.sh | 8 +- setup/munin.sh | 8 ++ setup/{owncloud.sh => nextcloud.sh} | 185 ++++------------------------ setup/preflight.sh | 6 +- setup/start.sh | 2 +- setup/system.sh | 11 +- setup/webmail.sh | 2 - 20 files changed, 101 insertions(+), 412 deletions(-) create mode 100644 conf/mailinabox.service delete mode 100755 conf/management-initscript create mode 100644 conf/munin.service create mode 100644 management/munin_start.sh rename setup/{owncloud.sh => nextcloud.sh} (58%) diff --git a/CHANGELOG.md b/CHANGELOG.md index befea2a7..64beabb9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,13 @@ CHANGELOG ========= +This branch supports Ubuntu 18.04 **only**. When upgrading, **always** upgrade your **existing** Ubuntu 14.04 machine to version the latest release supporting Ubuntu 14.04 --- v0.28. If you are running an older version of Mail-in-a-Box which has an old version of ownCloud or Nextcloud, you will *not* be able to upgrade your data because older versions of ownCloud and Nextcloud that are required to perform the upgrade *cannot* be run on Ubuntu 18.04. + In Development -------------- * Starting with v0.28, TLS certificate provisioning wouldn't work on new boxes until the mailinabox setup command was run a second time because of a problem with the non-interactive setup. + * Update to Nextcloud 13.0.5. * Update to Roundcube 1.3.7. * Update to Z-Push 2.4.4. diff --git a/Vagrantfile b/Vagrantfile index 770f66d2..467fb95e 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -2,14 +2,7 @@ # vi: set ft=ruby : Vagrant.configure("2") do |config| - config.vm.box = "ubuntu14.04" - config.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box" - - if Vagrant.has_plugin?("vagrant-cachier") - # Configure cached packages to be shared between instances of the same base box. - # More info on http://fgrehm.viewdocs.io/vagrant-cachier/usage - config.cache.scope = :box - end + config.vm.box = "ubuntu/bionic64" # Network config: Since it's a mail server, the machine must be connected # to the public web. However, we currently don't want to expose SSH since diff --git a/conf/mailinabox.service b/conf/mailinabox.service new file mode 100644 index 00000000..b4cfa6cf --- /dev/null +++ b/conf/mailinabox.service @@ -0,0 +1,10 @@ +[Unit] +Description=Mail-in-a-Box System Management Service +After=multi-user.target + +[Service] +Type=idle +ExecStart=/usr/local/lib/mailinabox/start + +[Install] +WantedBy=multi-user.target diff --git a/conf/management-initscript b/conf/management-initscript deleted file mode 100755 index 8275da86..00000000 --- a/conf/management-initscript +++ /dev/null 
@@ -1,135 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: mailinabox -# Required-Start: $all -# Required-Stop: $all -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Start and stop the Mail-in-a-Box management daemon. -# Description: Start and stop the Mail-in-a-Box management daemon. -### END INIT INFO - -# Adapted from http://blog.codefront.net/2007/06/11/nginx-php-and-a-php-fastcgi-daemon-init-script/ - -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="Mail-in-a-Box Management Daemon" -NAME=mailinabox -DAEMON=/usr/local/lib/mailinabox/start -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Set defaults. -START=yes -EXEC_AS_USER=root - -# Ensure Python reads/writes files in UTF-8. If the machine -# triggers some other locale in Python, like ASCII encoding, -# Python may not be able to read/write files. Set also -# setup/start.sh (where the locale is also installed if not -# already present) and management/daily_tasks.sh. -export LANGUAGE=en_US.UTF-8 -export LC_ALL=en_US.UTF-8 -export LANG=en_US.UTF-8 -export LC_TYPE=en_US.UTF-8 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. -. /lib/lsb/init-functions - -# If the daemon is not enabled, give the user a warning and then exit, -# unless we are stopping the daemon -if [ "$START" != "yes" -a "$1" != "stop" ]; then - log_warning_msg "To enable $NAME, edit /etc/default/$NAME and set START=yes" - exit 0 -fi - -# Process configuration -#export ... 
-DAEMON_ARGS="" - - -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \ - --background --make-pidfile --chuid $EXEC_AS_USER --startas $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 -} - -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE > /dev/null # --name $DAEMON - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - restart|force-reload) - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" 
in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2 - exit 3 - ;; -esac diff --git a/conf/munin.service b/conf/munin.service new file mode 100644 index 00000000..06735d04 --- /dev/null +++ b/conf/munin.service @@ -0,0 +1,10 @@ +[Unit] +Description=Munin System Monitoring Startup Script +After=multi-user.target + +[Service] +Type=idle +ExecStart=/usr/local/lib/mailinabox/munin_start.sh + +[Install] +WantedBy=multi-user.target diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf index e893ad67..d4dc619b 100644 --- a/conf/nginx-ssl.conf +++ b/conf/nginx-ssl.conf 
@@ -1,76 +1,20 @@ -# from https://gist.github.com/konklone/6532544 and https://mozilla.github.io/server-side-tls/ssl-config-generator/ -################################################################################################################### - -# Basically the nginx configuration I use at konklone.com. -# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com -# -# To provide feedback, please tweet at @konklone or email eric@konklone.com. -# Comments on gists don't notify the author. -# -# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites. -# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration. - -# Path to certificate and private key. -# The .crt may omit the root CA cert, if it's a standard CA that ships with clients. -#ssl_certificate /path/to/unified.crt; -#ssl_certificate_key /path/to/my-private-decrypted.key; - -# Tell browsers to require SSL (warning: difficult to change your mind) -# Handled by the management daemon because we can toggle this version or a -# preload version. -#add_header Strict-Transport-Security max-age=31536000; - -# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities. -# -# Forces forward secrecy in all browsers and clients that can use TLS, -# but with a small exception (DES-CBC3-SHA) for IE8/XP users. 
-# -# Reference client: https://www.ssllabs.com/ssltest/analyze.html -ssl_prefer_server_ciphers on; -ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; - -# Cut out (the old, broken) SSLv3 entirely. -# This **excludes IE6 users** and (apparently) Yandexbot. -# Just comment out if you need to support IE6, bless your soul. +# We track the Mozilla "intermediate" compatibility TLS recommendations. +# Note that these settings are repeated in the SMTP and IMAP configuration. 
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; +ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; +ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem; -# Turn on session resumption, using a cache shared across nginx processes, # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; -#keepalive_timeout 70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good # Buffer size of 1400 bytes fits in one MTU. # nginx 1.5.9+ ONLY -#ssl_buffer_size 1400; +ssl_buffer_size 1400; -# SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6. -# -# BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3. -# Disable with 0, until using a version of nginx with SPDY 4. -spdy_headers_comp 0; - -# Now let's really get fancy, and pre-generate a 2048 bit random parameter -# for DH elliptic curves. If not created and specified, default is only 1024 bits. -# -# Generated by OpenSSL with the following command: -# openssl dhparam -outform pem -out dhparam2048.pem 2048 -# -# Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem. -ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem; - - -# OCSP stapling - means nginx will poll the CA for signed OCSP responses, -# and send them to clients so clients don't make their own OCSP calls. 
-# http://en.wikipedia.org/wiki/OCSP_stapling -# -# while the ssl_certificate above may omit the root cert if the CA is trusted, -# ssl_trusted_certificate below must point to a chain of **all** certs -# in the trust path - (your cert, intermediary certs, root cert) -# -# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. -# nginx will use them to talk to the CA. ssl_stapling on; ssl_stapling_verify on; resolver 127.0.0.1 valid=86400; resolver_timeout 10; + +# h/t https://gist.github.com/konklone/6532544 diff --git a/conf/nginx.conf b/conf/nginx.conf index ce662751..fafd3409 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -31,8 +31,8 @@ server { # The secure HTTPS server. server { - listen 443 ssl; - listen [::]:443 ssl; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name $HOSTNAME; diff --git a/management/dns_update.py b/management/dns_update.py index b6e1022d..5c1969d7 100755 --- a/management/dns_update.py +++ b/management/dns_update.py 
@@ -354,19 +354,20 @@ def build_sshfp_records(): # Get our local fingerprints by running ssh-keyscan. The output looks # like the known_hosts file: hostname, keytype, fingerprint. The order # of the output is arbitrary, so sort it to prevent spurrious updates - # to the zone file (that trigger bumping the serial number). - - # scan the sshd_config and find the ssh ports (port 22 may be closed) + # to the zone file (that trigger bumping the serial number). However, + # if SSH has been configured to listen on a nonstandard port, we must + # specify that port to sshkeyscan. + port = 22 with open('/etc/ssh/sshd_config', 'r') as f: - ports = [] - t = f.readlines() - for line in t: - s = line.split() + for line in f: + s = line.rstrip().split() if len(s) == 2 and s[0] == 'Port': - ports = ports + [s[1]] - # the keys are the same at each port, so we only need to get - # them at the first port found (may not be port 22) - keys = shell("check_output", ["ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p", ports[0], "localhost"]) + try: + port = int(s[1]) + except ValueError: + pass + break + keys = shell("check_output", ["ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p", str(port), "localhost"]) for key in sorted(keys.split("\n")): if key.strip() == "" or key[0] == "#": continue try: diff --git a/management/munin_start.sh b/management/munin_start.sh new file mode 100644 index 00000000..682861e7 --- /dev/null +++ b/management/munin_start.sh @@ -0,0 +1,2 @@ +#!/bin/bash +mkdir -p /var/run/munin && chown munin /var/run/munin diff --git a/management/status_checks.py b/management/status_checks.py index 3b0026d9..2f4fe0a7 100755 --- a/management/status_checks.py +++ b/management/status_checks.py 
@@ -28,7 +28,6 @@ def get_services(): { "name": "Spamassassin", "port": 10025, "public": False, }, { "name": "OpenDKIM", "port": 8891, "public": False, }, { "name": "OpenDMARC", "port": 8893, "public": False, }, - { "name": "Memcached", "port": 11211, "public": False, }, { "name": "Mail-in-a-Box Management Daemon", "port": 10222, "public": False, }, { "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, }, { "name": "Public DNS (nsd4)", "port": 53, "public": True, }, diff --git a/setup/dkim.sh b/setup/dkim.sh index 830e9e18..dc7e51e2 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -21,6 +21,11 @@ mkdir -p $STORAGE_ROOT/mail/dkim # Not quite sure why. echo "127.0.0.1" > /etc/opendkim/TrustedHosts +# We need to at least create these files, since we reference them later. +# Otherwise, opendkim startup will fail +touch /etc/opendkim/KeyTable +touch /etc/opendkim/SigningTable + if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then true # already done #NODOC else @@ -75,6 +80,9 @@ tools/editconf.py /etc/postfix/main.cf \ non_smtpd_milters=\$smtpd_milters \ milter_default_action=accept +# We need to explicitly enable the opendmarc service, or it will not start +hide_output systemctl enable opendmarc + # Restart services. restart_service opendkim restart_service opendmarc diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index 21343964..4bcc53aa 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh @@ -26,7 +26,7 @@ source /etc/mailinabox.conf # load global vars echo "Installing Dovecot (IMAP server)..." apt_install \ dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-sqlite sqlite3 \ - dovecot-sieve dovecot-managesieved dovecot-lucene + dovecot-sieve dovecot-managesieved # The `dovecot-imapd`, `dovecot-pop3d`, and `dovecot-lmtpd` packages automatically # enable IMAP, POP and LMTP protocols. 
@@ -112,17 +112,6 @@ tools/editconf.py /etc/dovecot/conf.d/20-imap.conf \ tools/editconf.py /etc/dovecot/conf.d/20-pop3.conf \ pop3_uidl_format="%08Xu%08Xv" -# Full Text Search - Enable full text search of mail using dovecot's lucene plugin, -# which *we* package and distribute (dovecot-lucene package). -tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \ - mail_plugins="\$mail_plugins fts fts_lucene" -cat > /etc/dovecot/conf.d/90-plugin-fts.conf << EOF; -plugin { - fts = lucene - fts_lucene = whitespace_chars=@. -} -EOF - # ### LDA (LMTP) # Enable Dovecot's LDA service with the LMTP protocol. It will listen diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index ca52edbd..10322bca 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -48,9 +48,8 @@ source /etc/mailinabox.conf # load global vars # > Every user with more than 100’000 queries per day on the public nameserver # > infrastructure and every commercial vendor of dnswl.org data (eg through # > anti-spam solutions) must register with dnswl.org and purchase a subscription. - echo "Installing Postfix (SMTP server)..." -apt_install postfix postfix-pcre postgrey ca-certificates +apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates # ### Basic Settings diff --git a/setup/management.sh b/setup/management.sh index 064906d3..1e29ab8c 100755 --- a/setup/management.sh +++ b/setup/management.sh 
@@ -87,16 +87,16 @@ rm -f /tmp/bootstrap.zip # Create an init script to start the management daemon and keep it # running after a reboot. -rm -f /usr/local/bin/mailinabox-daemon # old path +rm -f /usr/local/bin/mailinabox-daemon /etc/init.d/mailinabox # old paths cat > $inst_dir/start < /dev/null || /bin/true - service php5-fpm stop &> /dev/null || /bin/true # Backup the existing ownCloud/Nextcloud. # Create a backup directory to store the current installation and database to BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"` mkdir -p "$BACKUP_DIRECTORY" if [ -d /usr/local/lib/owncloud/ ]; then - echo "upgrading ownCloud/Nextcloud to $owncloud_flavor $owncloud_ver (backing up existing installation, configuration and database to directory to $BACKUP_DIRECTORY..." + echo "Upgrading Nextcloud --- backing up existing installation, configuration, and database to directory to $BACKUP_DIRECTORY..." cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install" fi if [ -e /home/user-data/owncloud/owncloud.db ]; then cp /home/user-data/owncloud/owncloud.db $BACKUP_DIRECTORY - fi - if [ -e /home/user-data/owncloud/config.php ]; then - cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY - fi + fi + if [ -e /home/user-data/owncloud/config.php ]; then + cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY + fi - # We only need to check if we do upgrades when owncloud/Nextcloud was previously installed + # If ownCloud or Nextcloud was previously installed.... if [ -e /usr/local/lib/owncloud/version.php ]; then - if grep -q "OC_VersionString = '8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running 8.1.x, upgrading to 8.2.11 first" - InstallOwncloud 8.2.11 e4794938fc2f15a095018ba9d6ee18b53f6f299c + # Database migrations from ownCloud are no longer possible because ownCloud cannot be run under + # PHP 7. + if grep -q "OC_VersionString = '[89]\." 
/usr/local/lib/owncloud/version.php; then + echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 8 or 9) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting." + exit 1 fi - - # If we are upgrading from 8.2.x we should go to 9.0 first. Owncloud doesn't support skipping minor versions - if grep -q "OC_VersionString = '8\.2\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running version 8.2.x, upgrading to 9.0.11 first" - - # We need to disable memcached. The upgrade and install fails - # with memcached - CONFIG_TEMP=$(/bin/mktemp) - php < $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php; - -EOF - chown www-data.www-data $STORAGE_ROOT/owncloud/config.php - - # We can now install owncloud 9.0.11 - InstallOwncloud 9.0.11 fc8bad8a62179089bc58c406b28997fb0329337b - - # The owncloud 9 migration doesn't migrate calendars and contacts - # The option to migrate these are removed in 9.1 - # So the migrations should be done when we have 9.0 installed - sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-addressbooks - # The following migration has to be done for each owncloud user - for directory in $STORAGE_ROOT/owncloud/*@*/ ; do - username=$(basename "${directory}") - sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-calendar $username - done - sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:sync-birthday-calendar - fi - - # If we are upgrading from 9.0.x we should go to 9.1 first. 
- if grep -q "OC_VersionString = '9\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running ownCloud 9.0.x, upgrading to ownCloud 9.1.7 first" - InstallOwncloud 9.1.7 1307d997d0b23dc42742d315b3e2f11423a9c808 - fi - - # Newer ownCloud 9.1.x versions cannot be upgraded to Nextcloud 10 and have to be - # upgraded to Nextcloud 11 straight away, see: - # https://github.com/nextcloud/server/issues/2203 - # However, for some reason, upgrading to the latest Nextcloud 11.0.7 doesn't - # work either. Therefore, we're upgrading to Nextcloud 11.0.0 in the interim. - # This should not be a problem since we're upgrading to the latest Nextcloud 12 - # in the next step. - if grep -q "OC_VersionString = '9\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running ownCloud 9.1.x, upgrading to Nextcloud 11.0.0 first" - InstallNextcloud 11.0.0 e8c9ebe72a4a76c047080de94743c5c11735e72e - fi - - # If we are upgrading from 10.0.x we should go to Nextcloud 11.0 first. - if grep -q "OC_VersionString = '10\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running Nextcloud 10.0.x, upgrading to Nextcloud 11.0.7 first" - InstallNextcloud 11.0.7 f936ddcb2ae3dbb66ee4926eb8b2ebbddc3facbe + if grep -q "OC_VersionString = '10\." /usr/local/lib/owncloud/version.php; then + echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 10) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting." + exit 1 fi # If we are upgrading from Nextcloud 11 we should go to Nextcloud 12 first. @@ -253,7 +120,7 @@ EOF fi fi - InstallNextcloud $owncloud_ver $owncloud_hash + InstallNextcloud $nextcloud_ver $nextcloud_hash fi # ### Configuring Nextcloud 
@@ -278,10 +145,10 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then 'overwritewebroot' => '/cloud', 'overwrite.cli.url' => '/cloud', 'user_backends' => array( - array( - 'class'=>'OC_User_IMAP', - 'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}') - ) + array( + 'class'=>'OC_User_IMAP', + 'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}') + ) ), 'memcache.local' => '\OC\Memcache\APCu', 'mail_smtpmode' => 'sendmail', @@ -397,7 +264,7 @@ tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \ # Configure the path environment for php-fpm tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \ - env[PATH]=/usr/local/bin:/usr/bin:/bin + env[PATH]=/usr/local/bin:/usr/bin:/bin # If apc is explicitly disabled we need to enable it if grep -q apc.enabled=0 /etc/php/7.0/mods-available/apcu.ini; then diff --git a/setup/preflight.sh b/setup/preflight.sh index 4be2ec41..54fcd6c9 100644 --- a/setup/preflight.sh +++ b/setup/preflight.sh @@ -7,9 +7,9 @@ if [[ $EUID -ne 0 ]]; then exit fi -# Check that we are running on Ubuntu 14.04 LTS (or 14.04.xx). -if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" != "Ubuntu 14.04 LTS" ]; then - echo "Mail-in-a-Box only supports being installed on Ubuntu 14.04, sorry. You are running:" +# Check that we are running on Ubuntu 18.04 LTS (or 18.04.xx). +if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" != "Ubuntu 18.04 LTS" ]; then + echo "Mail-in-a-Box only supports being installed on Ubuntu 18.04, sorry. You are running:" echo lsb_release -d | sed 's/.*:\s*//' echo diff --git a/setup/start.sh b/setup/start.sh index 3dbaed54..9d64bba5 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -106,7 +106,7 @@ source setup/dkim.sh source setup/spamassassin.sh source setup/web.sh source setup/webmail.sh -source setup/owncloud.sh +source setup/nextcloud.sh source setup/zpush.sh source setup/management.sh source setup/munin.sh 
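Review bot: conf/mailinabox.service drops the explicit UTF-8 locale that the deleted conf/management-initscript exported (LANGUAGE, LC_ALL, LANG and LC_TYPE set to en_US.UTF-8) together with the comment that Python may otherwise be unable to read or write files; the new unit has no `Environment=` lines, so either confirm that /usr/local/lib/mailinabox/start sets them itself or add `Environment=LANG=en_US.UTF-8` and `Environment=LC_ALL=en_US.UTF-8` under `[Service]`. While the unit is being written, a `Restart=on-failure` line would have systemd bring the management daemon back after a crash; the init script never did that either, but here it costs one line.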
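Review bot: conf/munin.service runs a script whose whole body is `mkdir -p /var/run/munin && chown munin /var/run/munin`, yet it is declared `Type=idle` and ordered only `After=multi-user.target`, so nothing guarantees the directory exists before whichever munin unit needs it starts. Declare it `Type=oneshot` with `RemainAfterExit=yes` and a `Before=` on that unit, or drop the service and the script in favour of a tmpfiles.d entry (`d /run/munin 0755 munin munin -`), which also sets the group that the bare `chown munin` leaves as root.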
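Review bot: conf/nginx-ssl.conf keeps `ssl_stapling_verify on`, but the deleted comment block was the only place documenting that verification needs `ssl_trusted_certificate` pointing at the full chain, and no such directive appears in this file; keep a one-line pointer to where the chain is configured, since nginx will not staple a response it cannot verify. Two smaller points in the same hunk: alongside `ssl_session_cache shared:SSL:50m` and `ssl_session_timeout 1d` there is no `ssl_session_tickets off;`, and nginx's default ticket key is generated at startup and rotated only on reload, which undercuts the forward secrecy the ECDHE-first cipher list is there to provide; and the `# nginx 1.5.9+ ONLY` comment above the now-enabled `ssl_buffer_size 1400;` is stale on 18.04.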
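Review bot: management/dns_update.py matches `s[0] == 'Port'` case-sensitively, but sshd_config keywords are case-insensitive, so a `port 2222` line is silently ignored and ssh-keyscan is pointed at 22 where nothing listens; compare on `s[0].lower()`. The `except ValueError: pass` likewise falls back to 22 without a word in the log, and status_checks.py already calls a `get_ssh_port()` helper for exactly this job (`{ "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, }`), so share one implementation rather than parse sshd_config twice and risk the two disagreeing. Also `sshkeyscan` in the new comment should read `ssh-keyscan`.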
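Review bot: setup/mail-dovecot.sh stops writing /etc/dovecot/conf.d/90-plugin-fts.conf and the `fts fts_lucene` entry in mail_plugins, but nothing removes them, so a box whose /etc/dovecot is carried over (for example a do-release-upgrade from 14.04) keeps referencing a plugin that is no longer installed and Dovecot's mail processes fail to load it; an `rm -f /etc/dovecot/conf.d/90-plugin-fts.conf` next to the removed block is cheap insurance even though such upgrades are unsupported. The CHANGELOG.md hunk also says nothing about the user-visible losses this changeset introduces and the commit message lists (full-text search, dnswl.org whitelisting in postgrey, memcached); they belong under "In Development".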
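Review bot: in setup/nextcloud.sh the abort message for `OC_VersionString = '10\.` says "you have ownCloud 10", but a 10.x version.php on this upgrade path is Nextcloud 10 (the deleted comment in the same hunk reads "We are running Nextcloud 10.0.x"), so say Nextcloud 10 to avoid sending users to the wrong upgrade instructions. Minor: the new echo reads "backing up existing installation, configuration, and database to directory to $BACKUP_DIRECTORY", one `to` too many; and both `exit 1` paths run after the copies into $BACKUP_DIRECTORY, which is harmless but leaves a fresh backup directory behind every time setup is re-run against an unsupported version.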
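Review bot: the 18.04 check in setup/preflight.sh normalises point releases with `sed 's/18\.04\.[0-9]/18.04/'`, which strips only a single digit; a two-digit point release would turn "Ubuntu 18.04.10 LTS" into "Ubuntu 18.040 LTS" and fail the comparison. `[0-9]\+` costs nothing. The 14.04 version being replaced had the same limitation.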
diff --git a/setup/system.sh b/setup/system.sh index 04728051..29ee97bd 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -70,7 +70,7 @@ fi # ### Add PPAs. -# We install some non-standard Ubuntu packages maintained by us and other +# We install some non-standard Ubuntu packages maintained by other # third-party providers. First ensure add-apt-repository is installed. if [ ! -f /usr/bin/add-apt-repository ]; then @@ -79,14 +79,7 @@ if [ ! -f /usr/bin/add-apt-repository ]; then apt_install software-properties-common fi -# [Main-in-a-Box's own PPA](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa) -# holds several .deb packages that we built on our own. -# One is a replacement for Ubuntu's stock postgrey package that makes -# some enhancements. The other is dovecot-lucene, a Lucene-based full -# text search plugin for (and by) dovecot, which is not available in -# Ubuntu currently. - -hide_output add-apt-repository -y ppa:mail-in-a-box/ppa +# Install the certbot PPA. hide_output add-apt-repository -y ppa:certbot/certbot # ### Update Packages diff --git a/setup/webmail.sh b/setup/webmail.sh index 38aee942..798641f9 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -25,8 +25,6 @@ apt_install \ php7.0-cli php7.0-sqlite php7.0-mcrypt php7.0-intl php7.0-json php7.0-common php7.0-curl \ php7.0-gd php7.0-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php7.0-mbstring -apt_get_quiet remove php-mail-mimedecode # no longer needed since Roundcube 1.1.3 - # We used to install Roundcube from Ubuntu, without triggering the dependencies #NODOC # on Apache and MySQL, by downloading the debs and installing them manually. #NODOC # Now that we're beyond that, get rid of those debs before installing from source. #NODOC From bb43a2127c360c8e6c2cc72c2037968263c3ac4d Mon Sep 17 00:00:00 2001 
From: Joshua Tauberer Date: Fri, 24 Aug 2018 07:29:26 -0400 Subject: [PATCH 02/27] turn the x64/i686 architecture check into a warning since I'm not sure if we have any architecture requirements anymore, beyond what Ubuntu supports --- setup/preflight.sh | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/setup/preflight.sh b/setup/preflight.sh index 54fcd6c9..7466b857 100644 --- a/setup/preflight.sh +++ b/setup/preflight.sh @@ -53,16 +53,14 @@ if [ -e ~/.wgetrc ]; then exit fi -# Check that we are running on x86_64 or i686, any other architecture is unsupported and -# will fail later in the setup when we try to install the custom build lucene packages. -# -# Set ARM=1 to ignore this check if you have built the packages yourself. If you do this -# you are on your own! +# Check that we are running on x86_64 or i686 architecture, which are the only +# ones we support / test. ARCHITECTURE=$(uname -m) if [ "$ARCHITECTURE" != "x86_64" ] && [ "$ARCHITECTURE" != "i686" ]; then -if [ -z "$ARM" ]; then - echo "Mail-in-a-Box only supports x86_64 or i686 and will not work on any other architecture, like ARM." - echo "Your architecture is $ARCHITECTURE" - exit -fi + echo + echo "WARNING:" + echo "Mail-in-a-Box has only been tested on x86_64 and i686 platform" + echo "architectures. Your architecture, $ARCHITECTURE, may not work." + echo "You are on your own." + echo fi From 51972fd12908643d04439face99b73afde27107e Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 24 Aug 2018 08:44:53 -0400 Subject: [PATCH 03/27] fix some comments --- setup/mail-postfix.sh | 7 ------- setup/start.sh | 2 +- setup/system.sh | 5 ++--- setup/web.sh | 2 +- 4 files changed, 4 insertions(+), 12 deletions(-) diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index 10322bca..11a2b307 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh 
@@ -41,13 +41,6 @@ source /etc/mailinabox.conf # load global vars # always will. # * `ca-certificates`: A trust store used to squelch postfix warnings about # untrusted opportunistically-encrypted connections. -# -# postgrey is going to come in via the Mail-in-a-Box PPA, which publishes -# a modified version of postgrey that lets senders whitelisted by dnswl.org -# pass through without being greylisted. So please note [dnswl's license terms](https://www.dnswl.org/?page_id=9): -# > Every user with more than 100’000 queries per day on the public nameserver -# > infrastructure and every commercial vendor of dnswl.org data (eg through -# > anti-spam solutions) must register with dnswl.org and purchase a subscription. echo "Installing Postfix (SMTP server)..." apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates diff --git a/setup/start.sh b/setup/start.sh index 9d64bba5..671f4449 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -4,7 +4,7 @@ source setup/functions.sh # load our functions -# Check system setup: Are we running as root on Ubuntu 14.04 on a +# Check system setup: Are we running as root on Ubuntu 18.04 on a # machine with enough memory? Is /tmp mounted with exec. # If not, this shows an error and exits. source setup/preflight.sh diff --git a/setup/system.sh b/setup/system.sh index 29ee97bd..32cf9987 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -134,8 +134,8 @@ hide_output apt-get update fi # ### Suppress Upgrade Prompts -# Since Mail-in-a-Box might jump straight to 18.04 LTS, there's no need -# to be reminded about 16.04 on every login. +# When Ubuntu 20 comes out, we don't want users to be prompted to upgrade, +# because we don't yet support it. if [ -f /etc/update-manager/release-upgrades ]; then tools/editconf.py /etc/update-manager/release-upgrades Prompt=never rm -f /var/lib/ubuntu-release-upgrader/release-upgrade-available 
@@ -182,7 +182,6 @@ fi # * DNSSEC signing keys (see `dns.sh`) # * our management server's API key (via Python's os.urandom method) # * Roundcube's SECRET_KEY (`webmail.sh`) -# * ownCloud's administrator account password (`owncloud.sh`) # # Why /dev/urandom? It's the same as /dev/random, except that it doesn't wait # for a constant new stream of entropy. In practice, we only need a little diff --git a/setup/web.sh b/setup/web.sh index 021a9b7f..7f9b1638 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -21,7 +21,7 @@ echo "Installing Nginx (web server)..." apt_install nginx php7.0-cli php7.0-fpm -# Set PHP7 as the default +# Set PHP7.0 as the default since several versions are available. update-alternatives --set php /usr/bin/php7.0 rm -f /etc/nginx/sites-enabled/default From f6a641ad2318d1f28fc9910359e6b7e69e417b75 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 24 Aug 2018 08:47:18 -0400 Subject: [PATCH 04/27] remove some cleanup steps that are no longer needed since we aren't supporting upgrades of existing machines and, even if we did, we aren't supporting upgrades from really old versions of Mail-in-a-Box --- setup/management.sh | 5 ----- setup/web.sh | 15 --------------- setup/webmail.sh | 5 ----- 3 files changed, 25 deletions(-) diff --git a/setup/management.sh b/setup/management.sh index 1e29ab8c..3c3357ca 100755 --- a/setup/management.sh +++ b/setup/management.sh 
@@ -87,7 +87,6 @@ rm -f /tmp/bootstrap.zip # Create an init script to start the management daemon and keep it # running after a reboot. -rm -f /usr/local/bin/mailinabox-daemon /etc/init.d/mailinabox # old paths cat > $inst_dir/start < Date: Fri, 24 Aug 2018 08:46:08 -0400 Subject: [PATCH 05/27] update to PHP 7.2 * drop the ondrej/php PPA since PHP 7.x is available directly from Ubuntu 18.04 * install PHP 7.2 which is just the "php" package in Ubuntu 18.04 * some package names changed, some unnecessary packages are no longer provided * update paths --- conf/nginx-top.conf | 2 +- management/backup.py | 4 ++-- setup/nextcloud.sh | 20 ++++++++++---------- setup/system.sh | 12 ------------ setup/web.sh | 15 ++++++--------- setup/webmail.sh | 8 ++++---- setup/zpush.sh | 6 +++--- tools/owncloud-restore.sh | 6 ++---- 8 files changed, 28 insertions(+), 45 deletions(-) diff --git a/conf/nginx-top.conf b/conf/nginx-top.conf index a5822a82..4d888366 100644 --- a/conf/nginx-top.conf +++ b/conf/nginx-top.conf @@ -7,6 +7,6 @@ ## your own --- please do not ask for help from us. upstream php-fpm { - server unix:/var/run/php/php7.0-fpm.sock; + server unix:/var/run/php/php7.2-fpm.sock; } diff --git a/management/backup.py b/management/backup.py index 8081a267..78af6a19 100755 --- a/management/backup.py +++ b/management/backup.py @@ -267,7 +267,7 @@ def perform_backup(full_backup): if quit: sys.exit(code) - service_command("php7.0-fpm", "stop", quit=True) + service_command("php7.2-fpm", "stop", quit=True) service_command("postfix", "stop", quit=True) service_command("dovecot", "stop", quit=True)
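Review bot: the PHP minor version now appears as a literal in this hunk (`php7.2-fpm.sock`, `service_command("php7.2-fpm", "stop", quit=True)`) and, per the diffstat, in six more files of the same patch. A single definition (for example a variable in the shared config the setup scripts already `source`) would make the next bump a one-line change and avoid the silent failure mode where one script stops or restarts a php-fpm service name that is no longer installed.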
@@ -301,7 +301,7 @@ def perform_backup(full_backup): # Start services again. service_command("dovecot", "start", quit=False) service_command("postfix", "start", quit=False) - service_command("php7.0-fpm", "start", quit=False) + service_command("php7.2-fpm", "start", quit=False) # Once the migrated backup is included in a new backup, it can be deleted. if os.path.isdir(migrated_unencrypted_backup_dir): diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index ed67dbf3..0105668c 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -11,9 +11,9 @@ echo "Installing Nextcloud (contacts/calendar)..." apt-get purge -qq -y owncloud* # we used to use the package manager -apt_install php7.0 php7.0-fpm \ - php7.0-cli php7.0-sqlite php7.0-gd php7.0-imap php7.0-curl php-pear php-apc curl \ - php7.0-dev php7.0-gd php7.0-xml php7.0-mbstring php7.0-zip php7.0-apcu php7.0-json php7.0-intl +apt_install php php-fpm \ + php-cli php-sqlite3 php-gd php-imap php-curl php-pear curl \ + php-dev php-gd php-xml php-mbstring php-zip php-apcu php-json php-intl InstallNextcloud() { @@ -83,7 +83,7 @@ if [ ! -d /usr/local/lib/owncloud/ ] \ || ! grep -q $nextcloud_ver /usr/local/lib/owncloud/version.php; then # Stop php-fpm if running. If theyre not running (which happens on a previously failed install), dont bail. - service php7.0-fpm stop &> /dev/null || /bin/true + service php7.2-fpm stop &> /dev/null || /bin/true # Backup the existing ownCloud/Nextcloud. # Create a backup directory to store the current installation and database to @@ -244,7 +244,7 @@ if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi # Set PHP FPM values to support large file uploads # (semicolon is the comment character in this file, hashes produce deprecation warnings) -tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \ +tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \ upload_max_filesize=16G \ post_max_size=16G \ output_buffering=16384 \ 
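Review bot: `php-gd` is listed twice in the new `apt_install php php-fpm ...` list of the nextcloud.sh hunk (it was duplicated as `php7.0-gd` before as well). apt tolerates it, but the duplicate suggests the list was not gone through item by item, which is exactly how renamed or dropped packages (`php-sqlite3`, the removed `php-apc`) get missed; worth deduplicating while the list is being rewritten.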
@@ -253,7 +253,7 @@ tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \ short_open_tag=On # Set Nextcloud recommended opcache settings -tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \ +tools/editconf.py /etc/php/7.2/cli/conf.d/10-opcache.ini -c ';' \ opcache.enable=1 \ opcache.enable_cli=1 \ opcache.interned_strings_buffer=8 \ @@ -263,12 +263,12 @@ tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \ opcache.revalidate_freq=1 # Configure the path environment for php-fpm -tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \ +tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ env[PATH]=/usr/local/bin:/usr/bin:/bin # If apc is explicitly disabled we need to enable it -if grep -q apc.enabled=0 /etc/php/7.0/mods-available/apcu.ini; then - tools/editconf.py /etc/php/7.0/mods-available/apcu.ini -c ';' \ +if grep -q apc.enabled=0 /etc/php/7.2/mods-available/apcu.ini; then + tools/editconf.py /etc/php/7.2/mods-available/apcu.ini -c ';' \ apc.enabled=1 fi @@ -290,4 +290,4 @@ chmod +x /etc/cron.hourly/mailinabox-owncloud # ``` # Enable PHP modules and restart PHP. -restart_service php7.0-fpm +restart_service php7.2-fpm diff --git a/setup/system.sh b/setup/system.sh index 32cf9987..5dea1f45 100755 --- a/setup/system.sh +++ b/setup/system.sh 
@@ -121,18 +121,6 @@ apt_install python3 python3-dev python3-pip \ haveged pollinate unzip \ unattended-upgrades cron ntp fail2ban -# ### Add PHP7 PPA - -# Nextcloud requires PHP7, we will install the ppa from ubuntu php maintainer Ondřej Surý -# The PPA is located here https://launchpad.net/%7Eondrej/+archive/ubuntu/php -# Unattended upgrades are activated for the repository If it appears it's already -# installed, don't do it again so we can avoid an unnecessary call to apt-get update. -if [ ! -f /etc/apt/sources.list.d/ondrej-php-trusty.list ]; then -hide_output add-apt-repository -y ppa:ondrej/php -apt_add_repository_to_unattended_upgrades LP-PPA-ondrej-php:trusty -hide_output apt-get update -fi - # ### Suppress Upgrade Prompts # When Ubuntu 20 comes out, we don't want users to be prompted to upgrade, # because we don't yet support it. diff --git a/setup/web.sh b/setup/web.sh index 45227b81..ed37e5e3 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -19,10 +19,7 @@ fi echo "Installing Nginx (web server)..." -apt_install nginx php7.0-cli php7.0-fpm - -# Set PHP7.0 as the default since several versions are available. -update-alternatives --set php /usr/bin/php7.0 +apt_install nginx php-cli php-fpm rm -f /etc/nginx/sites-enabled/default 
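Review bot: the system.sh hunk removes the ondrej/php PPA block including the `apt_add_repository_to_unattended_upgrades LP-PPA-ondrej-php:trusty` registration, but nothing removes that origin or `/etc/apt/sources.list.d/ondrej-php-trusty.list` from a box configured by an earlier version. Given the series explicitly does not support upgrading existing machines (patch 04 message) that is acceptable; a short comment saying so next to `# ### Suppress Upgrade Prompts` would stop the next reader from re-adding a cleanup step.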
@@ -44,19 +41,19 @@ tools/editconf.py /etc/nginx/nginx.conf -s \ server_names_hash_bucket_size="128;" # Tell PHP not to expose its version number in the X-Powered-By header. -tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \ +tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \ expose_php=Off # Set PHPs default charset to UTF-8, since we use it. See #367. -tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \ +tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \ default_charset="UTF-8" # Switch from the dynamic process manager to the ondemand manager see #1216 -tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \ +tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ pm=ondemand # Bump up PHP's max_children to support more concurrent connections -tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \ +tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ pm.max_children=8 # Other nginx settings will be configured by the management service @@ -96,7 +93,7 @@ chown -R $STORAGE_USER $STORAGE_ROOT/www # Start services. restart_service nginx -restart_service php7.0-fpm +restart_service php7.2-fpm # Open ports. ufw_allow http diff --git a/setup/webmail.sh b/setup/webmail.sh index 9b2591e2..58743a72 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -22,8 +22,8 @@ source /etc/mailinabox.conf # load global vars echo "Installing Roundcube (webmail)..." apt_install \ dbconfig-common \ - php7.0-cli php7.0-sqlite php7.0-mcrypt php7.0-intl php7.0-json php7.0-common php7.0-curl \ - php7.0-gd php7.0-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php7.0-mbstring + php-cli php-sqlite3 php-intl php-json php-common php-curl \ + php-gd php-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php-mbstring # Install Roundcube from source if it is not already present or if it is out of date. # Combine the Roundcube version number with the commit hash of plugins to track 
@@ -193,5 +193,5 @@ chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite # Enable PHP modules. -phpenmod -v php7.0 mcrypt imap -restart_service php7.0-fpm +phpenmod -v php mcrypt imap +restart_service php7.2-fpm diff --git a/setup/zpush.sh b/setup/zpush.sh index 84ab4556..32fc4992 100755 --- a/setup/zpush.sh +++ b/setup/zpush.sh @@ -17,9 +17,9 @@ source /etc/mailinabox.conf # load global vars echo "Installing Z-Push (Exchange/ActiveSync server)..." apt_install \ - php7.0-soap php7.0-imap libawl-php php7.0-xsl + php-soap php-imap libawl-php php-xsl -phpenmod -v php7.0 imap +phpenmod -v php imap # Copy Z-Push into place. VERSION=2.4.4 @@ -102,7 +102,7 @@ EOF # Restart service. -restart_service php7.0-fpm +restart_service php7.2-fpm # Fix states after upgrade diff --git a/tools/owncloud-restore.sh b/tools/owncloud-restore.sh index 1b006ca1..c93a322c 100755 --- a/tools/owncloud-restore.sh +++ b/tools/owncloud-restore.sh @@ -26,8 +26,7 @@ if [ ! -f $1/config.php ]; then fi echo "Restoring backup from $1" -service php5-fpm stop -service php7.0-fpm stop +service php7.2-fpm stop # remove the current ownCloud/Nextcloud installation rm -rf /usr/local/lib/owncloud/ @@ -46,6 +45,5 @@ chown www-data.www-data $STORAGE_ROOT/owncloud/config.php sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off -service php5-fpm start -service php7.0-fpm start +service php7.2-fpm start echo "Done" From bc4bdca752892f66c99adeeaa827db6595e2905f Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 29 Sep 2018 20:11:48 -0400 Subject: [PATCH 06/27] update reference to Ubuntu 14.04 to 18.04 in README.md and security.md and drop mentions of our custom packages that we no longer maintain --- README.md | 5 ++--- security.md | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d7caacfa..2f5c2b75 100644 --- a/README.md +++ b/README.md 
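Review bot: `phpenmod -v php mcrypt imap` in the webmail.sh hunk has two problems. `-v` takes a PHP version (`7.2`, or `ALL`), not the package name `php`, so as written the command does not target the 7.2 install; and `mcrypt` is still listed although `php7.0-mcrypt` was dropped from the `apt_install` list in the earlier hunk of this file and no `php-mcrypt` replaces it, so phpenmod will complain about a module it cannot find. Suggest `phpenmod -v 7.2 imap` here and the same `-v 7.2` for `phpenmod -v php imap` in the zpush.sh hunk.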
@@ -22,7 +22,7 @@ Additionally, this project has a [Code of Conduct](CODE_OF_CONDUCT.md), which su The Box ------- -Mail-in-a-Box turns a fresh Ubuntu 14.04 LTS 64-bit machine into a working mail server by installing and configuring various components. +Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a working mail server by installing and configuring various components. It is a one-click email appliance. There are no user-configurable setup options. It "just works". @@ -37,7 +37,6 @@ The components installed are: It also includes: * A control panel and API for adding/removing mail users, aliases, custom DNS records, etc. and detailed system monitoring. -* Our own builds of postgrey (adding better whitelisting) and dovecot-lucene (faster search for mail) distributed via the [Mail-in-a-Box PPA](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa) on Launchpad. For more information on how Mail-in-a-Box handles your privacy, see the [security details page](security.md). @@ -46,7 +45,7 @@ Installation See the [setup guide](https://mailinabox.email/guide.html) for detailed, user-friendly instructions. -For experts, start with a completely fresh (really, I mean it) Ubuntu 14.04 LTS 64-bit machine. On the machine... +For experts, start with a completely fresh (really, I mean it) Ubuntu 18.04 LTS 64-bit machine. On the machine... Clone this repository: diff --git a/security.md b/security.md index 5a797673..b8dc35af 100644 --- a/security.md +++ b/security.md @@ -1,7 +1,7 @@ Mail-in-a-Box Security Guide ============================ -Mail-in-a-Box turns a fresh Ubuntu 14.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components. +Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components. This page documents the security features of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box. 
From 3dbd6c994ada76537f1d823d644403f671d5de4d Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Wed, 3 Oct 2018 14:28:43 -0400 Subject: [PATCH 07/27] update bind9 configuration --- management/munin_start.sh | 0 setup/mail-postfix.sh | 2 +- setup/system.sh | 62 +++++++++++++++++++++++++++------------ 3 files changed, 44 insertions(+), 20 deletions(-) mode change 100644 => 100755 management/munin_start.sh diff --git a/management/munin_start.sh b/management/munin_start.sh old mode 100644 new mode 100755 diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index 11a2b307..c3183ef0 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -146,7 +146,7 @@ tools/editconf.py /etc/postfix/main.cf \ # then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records # or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC # itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also -# relies on our local bind9 server being present and `smtp_dns_support_level=dnssec`. +# relies on our local DNS server (see system.sh) and `smtp_dns_support_level=dnssec`. # # The `smtp_tls_CAfile` is superflous, but it eliminates warnings in the logs about untrusted certs, # which we don't care about seeing because Postfix is doing opportunistic TLS anyway. Better to encrypt, diff --git a/setup/system.sh b/setup/system.sh index 5dea1f45..2fecac8e 100755 --- a/setup/system.sh +++ b/setup/system.sh 
@@ -264,45 +264,69 @@ fi #NODOC # ### Local DNS Service -# Install a local DNS server, rather than using the DNS server provided by the -# ISP's network configuration. +# Install a local recursive DNS server --- i.e. for DNS queries made by +# local services running on this machine. # -# We do this to ensure that DNS queries -# that *we* make (i.e. looking up other external domains) perform DNSSEC checks. -# We could use Google's Public DNS, but we don't want to create a dependency on -# Google per our goals of decentralization. `bind9`, as packaged for Ubuntu, has -# DNSSEC enabled by default via "dnssec-validation auto". +# (This is unrelated to the box's public, non-recursive DNS server that +# answers remote queries about domain names hosted on this box. For that +# see dns.sh.) # -# So we'll be running `bind9` bound to 127.0.0.1 for locally-issued DNS queries -# and `nsd` bound to the public ethernet interface for remote DNS queries asking -# about our domain names. `nsd` is configured later. +# The default systemd-resolved service provides local DNS name resolution. By default it +# is a recursive stub nameserver, which means it simply relays requests to an +# external nameserver, usually provided by your ISP or configured in /etc/systemd/resolved.conf. +# +# This won't work for us for three reasons. +# +# 1) We have higher security goals --- we want DNSSEC to be enforced on all +# DNS queries (some upstream DNS servers do, some don't). +# 2) We will configure postfix to use DANE, which uses DNSSEC to find TLS +# certificates for remote servers. DNSSEC validation *must* be performed +# locally because we can't trust an unencrypted connection to an external +# DNS server. +# 3) DNS-based mail server blacklists (RBLs) typically block large ISP +# DNS servers because they only provide free data to small users. Since +# we use RBLs to block incoming mail from blacklisted IP addresses, +# we have to run our own DNS server. See #1424. 
+# +# systemd-resolved has a setting to perform local DNSSEC validation on all +# requests (in /etc/systemd/resolved.conf, set DNSSEC=yes), but because it's +# a stub server the main part of a request still goes through an upstream +# DNS server, which won't work for RBLs. So we really need a local recursive +# nameserver. +# +# We'll install `bind9`, which as packaged for Ubuntu, has DNSSEC enabled by default via "dnssec-validation auto". +# We'll have it be bound to 127.0.0.1 so that it does not interfere with +# the public, recursive nameserver `nsd` bound to the public ethernet interfaces. # # About the settings: # -# * RESOLVCONF=yes will have `bind9` take over /etc/resolv.conf to tell -# local services that DNS queries are handled on localhost. # * Adding -4 to OPTIONS will have `bind9` not listen on IPv6 addresses # so that we're sure there's no conflict with nsd, our public domain # name server, on IPV6. # * The listen-on directive in named.conf.options restricts `bind9` to # binding to the loopback interface instead of all interfaces. -apt_install bind9 resolvconf +apt_install bind9 tools/editconf.py /etc/default/bind9 \ - RESOLVCONF=yes \ "OPTIONS=\"-u bind -4\"" if ! grep -q "listen-on " /etc/bind/named.conf.options; then # Add a listen-on directive if it doesn't exist inside the options block. sed -i "s/^}/\n\tlisten-on { 127.0.0.1; };\n}/" /etc/bind/named.conf.options fi -if [ -f /etc/resolvconf/resolv.conf.d/original ]; then - echo "Archiving old resolv.conf (was /etc/resolvconf/resolv.conf.d/original, now /etc/resolvconf/resolv.conf.original)." #NODOC - mv /etc/resolvconf/resolv.conf.d/original /etc/resolvconf/resolv.conf.original #NODOC -fi + +# First we'll disable systemd-resolved's management of resolv.conf and its stub server. +# Breaking the symlink to /run/systemd/resolve/stub-resolv.conf means +# systemd-resolved will read it for DNS servers to use. Put in 127.0.0.1, +# which is where bind9 will be running. 
Obviously don't do this before +# installing bind9 or else apt won't be able to resolve a server to +# download bind9 from. +rm -f /etc/resolv.conf +tools/editconf.py /etc/systemd/resolved.conf DNSStubListener=no +echo "127.0.0.1" > /etc/resolv.conf # Restart the DNS services. restart_service bind9 -restart_service resolvconf +systemctl restart systemd-resolved # ### Fail2Ban Service From f7396623922f87eba4de0ae3b52bf39b0e1afaa8 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 13 Oct 2018 16:16:30 -0400 Subject: [PATCH 08/27] duplicity started creating signature files with invalid filenames, fixes #1431 --- management/backup.py | 34 +++++++++++++++---------- management/templates/system-backup.html | 1 + 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/management/backup.py b/management/backup.py index 78af6a19..957ab11f 100755 --- a/management/backup.py +++ b/management/backup.py @@ -20,20 +20,17 @@ rsync_ssh_options = [ ] def backup_status(env): - # Root folder - backup_root = os.path.join(env["STORAGE_ROOT"], 'backup') - - # What is the current status of backups? - # Query duplicity to get a list of all backups. - # Use the number of volumes to estimate the size. + # If backups are dissbled, return no status. config = get_backup_config(env) - now = datetime.datetime.now(dateutil.tz.tzlocal()) - - # Are backups dissbled? if config["target"] == "off": return { } + # Query duplicity to get a list of all full and incremental + # backups available. + backups = { } + now = datetime.datetime.now(dateutil.tz.tzlocal()) + backup_root = os.path.join(env["STORAGE_ROOT"], 'backup') backup_cache_dir = os.path.join(backup_root, 'cache') def reldate(date, ref, clip): 
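Review bot: `echo "127.0.0.1" > /etc/resolv.conf` in the system.sh hunk writes a bare address; resolv.conf directives need the keyword, i.e. `nameserver 127.0.0.1`. glibc happens to fall back to the local host when it finds no nameserver line, so lookups may still appear to work, but the comment above this line relies on systemd-resolved reading the file for its upstream servers, and it will not find one in a line without `nameserver`. Separately, the new comment calls `nsd` "the public, recursive nameserver" while the paragraph above it correctly describes that server as non-recursive; "authoritative" is the word wanted, and the two should agree since this comment is the only explanation of why bind9 is pinned to 127.0.0.1 with `-4`.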
@@ -58,7 +55,7 @@ def backup_status(env): "date_delta": reldate(date, now, "the future?"), "full": keys[0] == "full", "size": 0, # collection-status doesn't give us the size - "volumes": keys[2], # number of archive volumes for this backup (not really helpful) + "volumes": int(keys[2]), # number of archive volumes for this backup (not really helpful) } code, collection_status = shell('check_output', [ @@ -80,12 +77,20 @@ def backup_status(env): backup = parse_line(line) backups[backup["date"]] = backup - # Look at the target to get the sizes of each of the backups. There is more than one file per backup. + # Look at the target directly to get the sizes of each of the backups. There is more than one file per backup. + # Starting with duplicity in Ubuntu 18.04, "signatures" files have dates in their + # filenames that are a few seconds off the backup date and so don't line up + # with the list of backups we have. Track unmatched files so we know how much other + # space is used for those. + unmatched_file_size = 0 for fn, size in list_target_files(config): m = re.match(r"duplicity-(full|full-signatures|(inc|new-signatures)\.(?P\d+T\d+Z)\.to)\.(?P\d+T\d+Z)\.", fn) if not m: continue # not a part of a current backup chain key = m.group("date") - backups[key]["size"] += size + if key in backups: + backups[key]["size"] += size + else: + unmatched_file_size += size # Ensure the rows are sorted reverse chronologically. # This is relied on by should_force_full() and the next step. @@ -148,6 +153,7 @@ def backup_status(env): return { "backups": backups, + "unmatched_file_size": unmatched_file_size, } def should_force_full(config, env): 
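Review bot: the moved comment still reads "If backups are dissbled" ("disabled"); since the line is being rewritten anyway, fix it here. In the size-accounting hunk, `unmatched_file_size` absorbs every file whose `date` group does not match a known backup, not only the off-by-seconds signature files the comment describes, so leftovers from an interrupted chain also land there silently; recording the unmatched filenames (or at least a count) next to the size would make an unexpected growth of that number diagnosable from `--status`.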
@@ -556,8 +562,7 @@ if __name__ == "__main__": run_duplicity_verification() elif sys.argv[-1] == "--list": - # Run duplicity's verification command to check a) the backup files - # are readable, and b) report if they are up to date. + # List the saved backup files. for fn, size in list_target_files(get_backup_config(load_environment())): print("{}\t{}".format(fn, size)) @@ -565,6 +570,7 @@ if __name__ == "__main__": # Show backup status. ret = backup_status(load_environment()) print(rtyaml.dump(ret["backups"])) + print("Storage for unmatched files:", ret["unmatched_file_size"]) elif len(sys.argv) >= 2 and sys.argv[1] == "--restore": # Run duplicity restore. Rest of command line passed as arguments diff --git a/management/templates/system-backup.html b/management/templates/system-backup.html index 0ccb4bd6..be528f19 100644 --- a/management/templates/system-backup.html +++ b/management/templates/system-backup.html @@ -200,6 +200,7 @@ function show_system_backup() { total_disk_size += b.size; } + total_disk_size += r.unmatched_file_size; $('#backup-total-size').text(nice_size(total_disk_size)); }) } From c9b3d88108cbe154fb70c3dcb61cf86fb340dab2 Mon Sep 17 00:00:00 2001 From: jvolkenant Date: Wed, 24 Oct 2018 14:20:48 -0700 Subject: [PATCH 09/27] Fixes #1437 - package python-virtualenv is now called just virtualenv (#1452) --- setup/management.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/management.sh b/setup/management.sh index 3c3357ca..9c221198 100755 --- a/setup/management.sh +++ b/setup/management.sh 
@@ -24,12 +24,12 @@ done # S3 api used in some regions, which breaks backups to those regions. # See #627, #653. # -# python-virtualenv is used to isolate the Python 3 packages we +# virtualenv is used to isolate the Python 3 packages we # install via pip from the system-installed packages. # # certbot installs EFF's certbot which we use to # provision free TLS certificates. -apt_install duplicity python-pip python-virtualenv certbot +apt_install duplicity python-pip virtualenv certbot hide_output pip2 install --upgrade boto # Create a virtualenv for the installation of Python 3 packages From 8d5670068ac1fe077b575a51a8813c3b357f0541 Mon Sep 17 00:00:00 2001 From: jvolkenant Date: Thu, 25 Oct 2018 12:18:21 -0700 Subject: [PATCH 10/27] fixes nginx warning about duplicate ssl configuration (#1460) --- conf/nginx-ssl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf index d4dc619b..1aba45c3 100644 --- a/conf/nginx-ssl.conf +++ b/conf/nginx-ssl.conf 
@@ -1,6 +1,6 @@ # We track the Mozilla "intermediate" compatibility TLS recommendations. # Note that these settings are repeated in the SMTP and IMAP configuration. -ssl_protocols TLSv1.2 TLSv1.1 TLSv1; +# ssl_protocols has moved to nginx.conf in bionic, check there for enabled protocols. ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem; From 86e2cfb6c84ca3d1701a89958e316d91b98b4162 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 20 Oct 2018 10:20:43 -0400 Subject: [PATCH 11/27] remove old duplicity migration code from 2015, see 42322455 --- management/backup.py | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/management/backup.py b/management/backup.py index 957ab11f..e15fbbbf 100755 --- a/management/backup.py +++ b/management/backup.py 
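Review bot: commenting out `ssl_protocols` in conf/nginx-ssl.conf makes the served protocol set depend entirely on what nginx.conf declares (the packaged default, or the project's own conf/nginx.conf), and the comment kept in the same hunk says these settings are mirrored in the SMTP and IMAP configuration, so three places now have to be kept in agreement by hand. Please have the new comment name the exact file and directive, and add a post-restart check such as `nginx -T | grep ssl_protocols` so the effective value is visible in the setup log. Also note the `ssl_ciphers` line still ends with the `DES-CBC3-SHA` (3DES) and non-forward-secret `AES*-SHA` suites; they are part of the Mozilla intermediate profile being tracked, but worth flagging for removal when that profile is next revisited.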
@@ -226,32 +226,6 @@ def perform_backup(full_backup): if config["target"] == "off": return - # In an older version of this script, duplicity was called - # such that it did not encrypt the backups it created (in - # backup/duplicity), and instead openssl was called separately - # after each backup run, creating AES256 encrypted copies of - # each file created by duplicity in backup/encrypted. - # - # We detect the transition by the presence of backup/duplicity - # and handle it by 'dupliception': we move all the old *un*encrypted - # duplicity files up out of the backup/duplicity directory (as - # backup/ is excluded from duplicity runs) in order that it is - # included in the next run, and we delete backup/encrypted (which - # duplicity will output files directly to, post-transition). - old_backup_dir = os.path.join(backup_root, 'duplicity') - migrated_unencrypted_backup_dir = os.path.join(env["STORAGE_ROOT"], "migrated_unencrypted_backup") - if os.path.isdir(old_backup_dir): - # Move the old unencrypted files to a new location outside of - # the backup root so they get included in the next (new) backup. - # Then we'll delete them. Also so that they do not get in the - # way of duplicity doing a full backup on the first run after - # we take care of this. - shutil.move(old_backup_dir, migrated_unencrypted_backup_dir) - - # The backup_dir (backup/encrypted) now has a new purpose. - # Clear it out. - shutil.rmtree(backup_dir) - # On the first run, always do a full backup. Incremental # will fail. Otherwise do a full backup when the size of # the increments since the most recent full backup are 
@@ -309,10 +283,6 @@ def perform_backup(full_backup): service_command("postfix", "start", quit=False) service_command("php7.2-fpm", "start", quit=False) - # Once the migrated backup is included in a new backup, it can be deleted. - if os.path.isdir(migrated_unencrypted_backup_dir): - shutil.rmtree(migrated_unencrypted_backup_dir) - # Remove old backups. This deletes all backup data no longer needed # from more than 3 days ago. shell('check_call', [ From 7f8f4518e3a8980e31ad745b7665371555942086 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 30 Nov 2018 09:30:55 -0500 Subject: [PATCH 12/27] document password character limitation fixes #407 --- management/templates/users.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/management/templates/users.html b/management/templates/users.html index cf944c86..c70ac0da 100644 --- a/management/templates/users.html +++ b/management/templates/users.html @@ -31,7 +31,7 @@
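Review bot: with the dupliception block gone, both uses of `shutil` visible in perform_backup (`shutil.move`, `shutil.rmtree`) disappear, as does the only visible reference to `backup_dir`; check whether backup.py still uses `shutil` elsewhere and drop the import if not, and whether the earlier `backup_dir` assignment is now dead.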
    -
  • Passwords must be at least eight characters and may not contain spaces. For best results, generate a random password.
  • +
  • Passwords must be at least eight characters consisting of English lettters and numbers only. For best results, generate a random password.
  • Use aliases to create email addresses that forward to existing accounts.
  • Administrators get access to this control panel.
  • User accounts cannot contain any international (non-ASCII) characters, but aliases can.
  • From b05b06c74af92463d3187d8cb97208400291cb40 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 30 Nov 2018 09:33:24 -0500 Subject: [PATCH 13/27] remove user account mailbox size from the control panel because it takes way too long to compute on very large mailboxes fixes #531 --- management/daemon.py | 2 +- management/mailconfig.py | 7 +------ management/templates/users.html | 4 ---- 3 files changed, 2 insertions(+), 11 deletions(-) diff --git a/management/daemon.py b/management/daemon.py index 2e23c8aa..334749e4 100755 --- a/management/daemon.py +++ b/management/daemon.py @@ -146,7 +146,7 @@ def me(): @authorized_personnel_only def mail_users(): if request.args.get("format", "") == "json": - return json_response(get_mail_users_ex(env, with_archived=True, with_slow_info=True)) + return json_response(get_mail_users_ex(env, with_archived=True)) else: return "".join(x+"\n" for x in get_mail_users(env)) diff --git a/management/mailconfig.py b/management/mailconfig.py index 82c922e4..28e1c623 100755 --- a/management/mailconfig.py +++ b/management/mailconfig.py @@ -105,7 +105,7 @@ def get_mail_users(env): users = [ row[0] for row in c.fetchall() ] return utils.sort_email_addresses(users, env) -def get_mail_users_ex(env, with_archived=False, with_slow_info=False): +def get_mail_users_ex(env, with_archived=False): # Returns a complex data structure of all user accounts, optionally # including archived (status="inactive") accounts. # @@ -139,9 +139,6 @@ def get_mail_users_ex(env, with_archived=False, with_slow_info=False): } users.append(user) - if with_slow_info: - user["mailbox_size"] = utils.du(os.path.join(env['STORAGE_ROOT'], 'mail/mailboxes', *reversed(email.split("@")))) - # Add in archived accounts. if with_archived: root = os.path.join(env['STORAGE_ROOT'], 'mail/mailboxes') 
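Review bot: the added users.html line has a typo, "lettters". More importantly, "English letters and numbers only" is a stricter rule than the "may not contain spaces" it replaces; the commit says it documents an existing limitation (#407), so confirm the management API rejects exactly that character set. If the server accepts other printable ASCII, say so in the text, because users following the narrower rule will generate passwords with less entropy than the system allows.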
@@ -158,8 +155,6 @@ def get_mail_users_ex(env, with_archived=False, with_slow_info=False): "mailbox": mbox, } users.append(user) - if with_slow_info: - user["mailbox_size"] = utils.du(mbox) # Group by domain. domains = { } diff --git a/management/templates/users.html b/management/templates/users.html index c70ac0da..dee79d42 100644 --- a/management/templates/users.html +++ b/management/templates/users.html @@ -43,7 +43,6 @@ Email Address Actions - Mailbox Size @@ -73,8 +72,6 @@ archive account - - @@ -156,7 +153,6 @@ function show_users() { n.attr('data-email', user.email); n.find('.address').text(user.email) - n.find('.mailboxsize').text(nice_size(user.mailbox_size)) n2.find('.restore_info tt').text(user.mailbox); if (user.status == 'inactive') continue; From aa52f52d02c39826e2c5990901b111e5f18049c0 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 30 Nov 2018 09:49:00 -0500 Subject: [PATCH 14/27] disable SMTP AUTH on port 25 to stop it accidentally being used for submission fixes #830 --- setup/mail-postfix.sh | 3 +++ setup/mail-users.sh | 8 ++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index c3183ef0..0c9bc97c 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -73,6 +73,8 @@ tools/editconf.py /etc/postfix/main.cf \ # Enable the 'submission' port 587 smtpd server and tweak its settings. # +# * Enable authentication. It's disabled globally so that it is disabled on port 25, +# so we need to explicitly enable it here. # * Do not add the OpenDMAC Authentication-Results header. That should only be added # on incoming mail. Omit the OpenDMARC milter by re-setting smtpd_milters to the # OpenDKIM milter only. See dkim.sh. 
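Review bot: removing the `with_slow_info` keyword from `get_mail_users_ex` changes a shared signature; daemon.py is updated in this patch, but any other caller passing `with_slow_info=...` would now raise `TypeError`, so grep for it (the diffstat lists only three files). With both `utils.du` calls gone, check whether `du` in utils.py is still used anywhere. The `mailbox_size` field also disappears from the JSON response of `mail_users()`, which is an API change worth a CHANGELOG line for anyone scripting against the control panel.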
@@ -87,6 +89,7 @@ tools/editconf.py /etc/postfix/main.cf \ # emails but we turn this off by setting nested_header_checks empty. tools/editconf.py /etc/postfix/master.cf -s -w \ "submission=inet n - - - - smtpd + -o smtpd_sasl_auth_enable=yes -o syslog_name=postfix/submission -o smtpd_milters=inet:127.0.0.1:8891 -o smtpd_tls_security_level=encrypt diff --git a/setup/mail-users.sh b/setup/mail-users.sh index ef9b8118..e54485bb 100755 --- a/setup/mail-users.sh +++ b/setup/mail-users.sh @@ -65,11 +65,15 @@ service auth { } EOF -# And have Postfix use that service. +# And have Postfix use that service. We *disable* it here +# so that authentication is not permitted on port 25 (which +# does not run DKIM on relayed mail, so outbound mail isn't +# correct, see #830), but we enable it specifically for the +# submission port. tools/editconf.py /etc/postfix/main.cf \ smtpd_sasl_type=dovecot \ smtpd_sasl_path=private/auth \ - smtpd_sasl_auth_enable=yes + smtpd_sasl_auth_enable=no # ### Sender Validation From e5e0c643956966cf8a4935ae4377aa83f4d0fb11 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 30 Nov 2018 10:24:19 -0500 Subject: [PATCH 15/27] turn on bash strict mode to better catch setup errors fixes #893 --- setup/firstuser.sh | 2 +- setup/functions.sh | 23 ++++++++++++++++++----- setup/munin.sh | 2 +- setup/preflight.sh | 2 +- setup/questions.sh | 36 ++++++++++++++++++------------------ setup/start.sh | 4 ++-- setup/system.sh | 12 ++++++------ 7 files changed, 47 insertions(+), 34 deletions(-) diff --git a/setup/firstuser.sh b/setup/firstuser.sh index d24fc370..71264f3b 100644 --- a/setup/firstuser.sh +++ b/setup/firstuser.sh 
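Review bot: setting `smtpd_sasl_auth_enable=no` in main.cf and re-enabling it only with `-o smtpd_sasl_auth_enable=yes` under `submission=inet` is the right shape. Two follow-ups: the mail-users.sh comment gives only the DKIM reason (#830), but it is worth stating that port 25 no longer accepts credentials at all, so password guessing against it fails before any auth path is reached; and setup should verify the result, e.g. `postconf -P submission/inet/smtpd_sasl_auth_enable` shows `yes` and an `EHLO` on port 25 returns no `250-AUTH` line. If master.cf also defines an `smtps` (port 465) service, it needs the same `-o` or authenticated clients on 465 break.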
@@ -6,7 +6,7 @@ if [ -z "`tools/mail.py user`" ]; then # If we didn't ask for an email address at the start, do so now. if [ -z "$EMAIL_ADDR" ]; then # In an interactive shell, ask the user for an email address. - if [ -z "$NONINTERACTIVE" ]; then + if [ -z "${NONINTERACTIVE:-}" ]; then input_box "Mail Account" \ "Let's create your first mail account. \n\nWhat email address do you want?" \ diff --git a/setup/functions.sh b/setup/functions.sh index 75c6821e..1a74edfd 100644 --- a/setup/functions.sh +++ b/setup/functions.sh @@ -1,3 +1,9 @@ +# Turn on "strict mode." See http://redsymbol.net/articles/unofficial-bash-strict-mode/. +# -e: exit if any command unexpectedly fails. +# -u: exit if we have a variable typo. +# -o pipefail: don't ignore errors in the non-last command in a pipeline +set -euo pipefail + function hide_output { # This function hides the output of a command unless the command fails # and returns a non-zero exit code. @@ -5,11 +11,14 @@ function hide_output { # Get a temporary file. OUTPUT=$(tempfile) - # Execute command, redirecting stderr/stdout to the temporary file. + # Execute command, redirecting stderr/stdout to the temporary file. Since we + # check the return code ourselves, disable 'set -e' temporarily. + set +e $@ &> $OUTPUT + E=$? + set -e # If the command failed, show the output that was captured in the temporary file. - E=$? if [ $E != 0 ]; then # Something failed. echo @@ -75,7 +84,7 @@ function get_publicip_from_web_service { # # Pass '4' or '6' as an argument to this function to specify # what type of address to get (IPv4, IPv6). - curl -$1 --fail --silent --max-time 15 icanhazip.com 2>/dev/null + curl -$1 --fail --silent --max-time 15 icanhazip.com 2>/dev/null || /bin/true } function get_default_privateip { 
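Review bot: in the `hide_output` hunk, `$@ &> $OUTPUT` should be `"$@" &> "$OUTPUT"`; unquoted `$@` re-splits and glob-expands arguments that contain spaces, and with `set -u` now active in this file the resulting failures surface as confusing aborts rather than silent misbehaviour. The `set +e` / `E=$?` / `set -e` ordering is correct (the exit status is captured before `-e` is restored), but the pair unconditionally turns `-e` back on, so a comment noting that functions.sh assumes strict mode is always in force would help the next reader. In `get_publicip_from_web_service`, `|| /bin/true` makes a failed lookup return an empty string, which matches how questions.sh tests `GUESSED_IP`; `curl -$1` still requires the argument under `-u`, which is the intended contract.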
@@ -131,11 +140,10 @@ function get_default_privateip { fi echo $address - } function ufw_allow { - if [ -z "$DISABLE_FIREWALL" ]; then + if [ -z "${DISABLE_FIREWALL:-}" ]; then # ufw has completely unhelpful output ufw allow $1 > /dev/null; fi @@ -154,10 +162,13 @@ function input_box { # input_box "title" "prompt" "defaultvalue" VARIABLE # The user's input will be stored in the variable VARIABLE. # The exit code from dialog will be stored in VARIABLE_EXITCODE. + # Temporarily turn off 'set -e' because we need the dialog return code. declare -n result=$4 declare -n result_code=$4_EXITCODE + set +e result=$(dialog --stdout --title "$1" --inputbox "$2" 0 0 "$3") result_code=$? + set -e } function input_menu { @@ -167,8 +178,10 @@ function input_menu { declare -n result=$4 declare -n result_code=$4_EXITCODE local IFS=^$'\n' + set +e result=$(dialog --stdout --title "$1" --menu "$2" 0 0 0 $3) result_code=$? + set -e } function wget_verify { diff --git a/setup/munin.sh b/setup/munin.sh index 2529ba4c..c581c6d0 100755 --- a/setup/munin.sh +++ b/setup/munin.sh @@ -29,7 +29,7 @@ address 127.0.0.1 # send alerts to the following address contacts admin -contact.admin.command mail -s "Munin notification ${var:host}" administrator@$PRIMARY_HOSTNAME +contact.admin.command mail -s "Munin notification \${var:host}" administrator@$PRIMARY_HOSTNAME contact.admin.always_send warning critical EOF diff --git a/setup/preflight.sh b/setup/preflight.sh index 7466b857..d087efe2 100644 --- a/setup/preflight.sh +++ b/setup/preflight.sh @@ -41,7 +41,7 @@ if [ $TOTAL_PHYSICAL_MEM -lt 750000 ]; then fi # Check that tempfs is mounted with exec -MOUNTED_TMP_AS_NO_EXEC=$(grep "/tmp.*noexec" /proc/mounts) +MOUNTED_TMP_AS_NO_EXEC=$(grep "/tmp.*noexec" /proc/mounts || /bin/true) if [ -n "$MOUNTED_TMP_AS_NO_EXEC" ]; then echo "Mail-in-a-Box has to have exec rights on /tmp, please mount /tmp with exec" exit diff --git a/setup/questions.sh b/setup/questions.sh index 3d227d81..3ad7eead 100644 
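Review bot: the munin.sh change to `\${var:host}` fixes a real latent bug, not just a strict-mode incompatibility: the heredoc is unquoted, so the shell was previously expanding `${var:host}` (a substring expansion of the unset variable `var`) to an empty string before writing the config, and under `set -u` it would abort outright; the backslash lets munin see the literal `${var:host}`. A one-line comment above the heredoc saying so would stop someone "fixing" it back. In preflight.sh, `grep ... || /bin/true` is correct because grep exits 1 on no match, but the pre-existing bare `exit` after the /tmp noexec message returns status 0, so a caller running under strict mode will not notice the abort; make it `exit 1`.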
--- a/setup/questions.sh +++ b/setup/questions.sh @@ -1,4 +1,4 @@ -if [ -z "$NONINTERACTIVE" ]; then +if [ -z "${NONINTERACTIVE:-}" ]; then # Install 'dialog' so we can ask the user questions. The original motivation for # this was being able to ask the user for input even if stdin has been redirected, # e.g. if we piped a bootstrapping install script to bash to get started. In that @@ -25,8 +25,8 @@ if [ -z "$NONINTERACTIVE" ]; then fi # The box needs a name. -if [ -z "$PRIMARY_HOSTNAME" ]; then - if [ -z "$DEFAULT_PRIMARY_HOSTNAME" ]; then +if [ -z "${PRIMARY_HOSTNAME:-}" ]; then + if [ -z "${DEFAULT_PRIMARY_HOSTNAME:-}" ]; then # We recommend to use box.example.com as this hosts name. The # domain the user possibly wants to use is example.com then. # We strip the string "box." from the hostname to get the mail @@ -86,7 +86,7 @@ fi # If the machine is behind a NAT, inside a VM, etc., it may not know # its IP address on the public network / the Internet. Ask the Internet # and possibly confirm with user. -if [ -z "$PUBLIC_IP" ]; then +if [ -z "${PUBLIC_IP:-}" ]; then # Ask the Internet. GUESSED_IP=$(get_publicip_from_web_service 4) @@ -105,11 +105,11 @@ if [ -z "$PUBLIC_IP" ]; then PUBLIC_IP=$GUESSED_IP fi - if [ -z "$PUBLIC_IP" ]; then + if [ -z "${PUBLIC_IP:-}" ]; then input_box "Public IP Address" \ "Enter the public IP address of this machine, as given to you by your ISP. \n\nPublic IP address:" \ - $DEFAULT_PUBLIC_IP \ + ${DEFAULT_PUBLIC_IP:-} \ PUBLIC_IP if [ -z "$PUBLIC_IP" ]; then 
@@ -121,27 +121,27 @@ fi # Same for IPv6. But it's optional. Also, if it looks like the system # doesn't have an IPv6, don't ask for one. -if [ -z "$PUBLIC_IPV6" ]; then +if [ -z "${PUBLIC_IPV6:-}" ]; then # Ask the Internet. GUESSED_IP=$(get_publicip_from_web_service 6) MATCHED=0 - if [[ -z "$DEFAULT_PUBLIC_IPV6" && ! -z "$GUESSED_IP" ]]; then + if [[ -z "${DEFAULT_PUBLIC_IPV6:-}" && ! -z "$GUESSED_IP" ]]; then PUBLIC_IPV6=$GUESSED_IP - elif [[ "$DEFAULT_PUBLIC_IPV6" == "$GUESSED_IP" ]]; then + elif [[ "${DEFAULT_PUBLIC_IPV6:-}" == "$GUESSED_IP" ]]; then # No IPv6 entered and machine seems to have none, or what # the user entered matches what the Internet tells us. PUBLIC_IPV6=$GUESSED_IP MATCHED=1 - elif [[ -z "$DEFAULT_PUBLIC_IPV6" ]]; then + elif [[ -z "${DEFAULT_PUBLIC_IPV6:-}" ]]; then DEFAULT_PUBLIC_IP=$(get_default_privateip 6) fi - if [[ -z "$PUBLIC_IPV6" && $MATCHED == 0 ]]; then + if [[ -z "${PUBLIC_IPV6:-}" && $MATCHED == 0 ]]; then input_box "IPv6 Address (Optional)" \ "Enter the public IPv6 address of this machine, as given to you by your ISP. \n\nLeave blank if the machine does not have an IPv6 address. \n\nPublic IPv6 address:" \ - $DEFAULT_PUBLIC_IPV6 \ + ${DEFAULT_PUBLIC_IPV6:-} \ PUBLIC_IPV6 if [ ! $PUBLIC_IPV6_EXITCODE ]; then @@ -154,10 +154,10 @@ fi # Get the IP addresses of the local network interface(s) that are connected # to the Internet. We need these when we want to have services bind only to # the public network interfaces (not loopback, not tunnel interfaces). -if [ -z "$PRIVATE_IP" ]; then +if [ -z "${PRIVATE_IP:-}" ]; then PRIVATE_IP=$(get_default_privateip 4) fi -if [ -z "$PRIVATE_IPV6" ]; then +if [ -z "${PRIVATE_IPV6:-}" ]; then PRIVATE_IPV6=$(get_default_privateip 6) fi if [[ -z "$PRIVATE_IP" && -z "$PRIVATE_IPV6" ]]; then 
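Review bot: in both `input_box` calls the default-value argument is still passed unquoted (`${DEFAULT_PUBLIC_IP:-} \` and `${DEFAULT_PUBLIC_IPV6:-} \`); when the default is empty the word disappears, `PUBLIC_IP`/`PUBLIC_IPV6` shifts into `$3`, and `declare -n result=$4` inside `input_box` hits an unbound variable under `set -u`. That is exactly the first-install path (no stored default, web lookup returned nothing), so quote them: `"${DEFAULT_PUBLIC_IP:-}" \`. Also in the IPv6 block the `elif` assigns `DEFAULT_PUBLIC_IP=$(get_default_privateip 6)` while the prompt that follows reads `${DEFAULT_PUBLIC_IPV6:-}`, so the detected IPv6 default is never shown and the IPv4 default is clobbered; it should be `DEFAULT_PUBLIC_IPV6=`. And `if [ ! $PUBLIC_IPV6_EXITCODE ]` tests whether a non-empty string is present, not whether dialog failed; compare the exit code explicitly.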
@@ -186,11 +186,11 @@ fi # Set STORAGE_USER and STORAGE_ROOT to default values (user-data and /home/user-data), unless # we've already got those values from a previous run. -if [ -z "$STORAGE_USER" ]; then - STORAGE_USER=$([[ -z "$DEFAULT_STORAGE_USER" ]] && echo "user-data" || echo "$DEFAULT_STORAGE_USER") +if [ -z "${STORAGE_USER:-}" ]; then + STORAGE_USER=$([[ -z "${DEFAULT_STORAGE_USER:-}" ]] && echo "user-data" || echo "$DEFAULT_STORAGE_USER") fi -if [ -z "$STORAGE_ROOT" ]; then - STORAGE_ROOT=$([[ -z "$DEFAULT_STORAGE_ROOT" ]] && echo "/home/$STORAGE_USER" || echo "$DEFAULT_STORAGE_ROOT") +if [ -z "${STORAGE_ROOT:-}" ]; then + STORAGE_ROOT=$([[ -z "${DEFAULT_STORAGE_ROOT:-}" ]] && echo "/home/$STORAGE_USER" || echo "$DEFAULT_STORAGE_ROOT") fi # Show the configuration, since the user may have not entered it manually. diff --git a/setup/start.sh b/setup/start.sh index 671f4449..0b145022 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -60,8 +60,8 @@ source setup/questions.sh # Run some network checks to make sure setup on this machine makes sense. # Skip on existing installs since we don't want this to block the ability to # upgrade, and these checks are also in the control panel status checks. -if [ -z "$DEFAULT_PRIMARY_HOSTNAME" ]; then -if [ -z "$SKIP_NETWORK_CHECKS" ]; then +if [ -z "${DEFAULT_PRIMARY_HOSTNAME:-}" ]; then +if [ -z "${SKIP_NETWORK_CHECKS:-}" ]; then source setup/network-checks.sh fi fi diff --git a/setup/system.sh b/setup/system.sh index 2fecac8e..2db48298 100755 --- a/setup/system.sh +++ b/setup/system.sh 
@@ -37,9 +37,9 @@ hostname $PRIMARY_HOSTNAME # for reference SWAP_MOUNTED=$(cat /proc/swaps | tail -n+2) -SWAP_IN_FSTAB=$(grep "swap" /etc/fstab) -ROOT_IS_BTRFS=$(grep "\/ .*btrfs" /proc/mounts) -TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}') +SWAP_IN_FSTAB=$(grep "swap" /etc/fstab || /bin/true) +ROOT_IS_BTRFS=$(grep "\/ .*btrfs" /proc/mounts || /bin/true) +TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true) AVAILABLE_DISK_SPACE=$(df / --output=avail | tail -n 1) if [ -z "$SWAP_MOUNTED" ] && @@ -143,8 +143,8 @@ fi # section) and syslog (see #328). There might be other issues, and it's # not likely the user will want to change this, so we only ask on first # setup. -if [ -z "$NONINTERACTIVE" ]; then - if [ ! -f /etc/timezone ] || [ ! -z $FIRST_TIME_SETUP ]; then +if [ -z "${NONINTERACTIVE:-}" ]; then + if [ ! -f /etc/timezone ] || [ ! -z ${FIRST_TIME_SETUP:-} ]; then # If the file is missing or this is the user's first time running # Mail-in-a-Box setup, run the interactive timezone configuration # tool. @@ -239,7 +239,7 @@ EOF # Various virtualized environments like Docker and some VPSs don't provide #NODOC # a kernel that supports iptables. To avoid error-like output in these cases, #NODOC # we skip this if the user sets DISABLE_FIREWALL=1. #NODOC -if [ -z "$DISABLE_FIREWALL" ]; then +if [ -z "${DISABLE_FIREWALL:-}" ]; then # Install `ufw` which provides a simple firewall configuration. apt_install ufw From 60f9c9e3b7a9e6751b4937ce643473258e4dbced Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 30 Nov 2018 10:26:49 -0500 Subject: [PATCH 16/27] show the Mail-in-a-Box version in the system status checks even when the new-version check is disabled fixes #922 --- management/status_checks.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/management/status_checks.py b/management/status_checks.py index 2f4fe0a7..6f9bb1ef 100755 --- a/management/status_checks.py 
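Review bot: `TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)` masks a genuine error: unlike the `grep` lines, `head`/`awk` only fail when /proc/meminfo is unreadable, and swallowing that leaves `TOTAL_PHYSICAL_MEM` empty so preflight.sh's `[ $TOTAL_PHYSICAL_MEM -lt 750000 ]` turns into a syntax error later instead of a clear failure here. Drop the `|| /bin/true` on that line; `AVAILABLE_DISK_SPACE` on the next line correctly has none. In the timezone hunk, quote `"${FIRST_TIME_SETUP:-}"`: unquoted, an empty value reduces the test to `[ ! -z ]`, which evaluates false only by accident of how `test` parses two arguments.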
+++ b/management/status_checks.py @@ -794,14 +794,14 @@ def get_latest_miab_version(): def check_miab_version(env, output): config = load_settings(env) - if config.get("privacy", True): - output.print_warning("Mail-in-a-Box version check disabled by privacy setting.") - else: - try: - this_ver = what_version_is_this(env) - except: - this_ver = "Unknown" + try: + this_ver = what_version_is_this(env) + except: + this_ver = "Unknown" + if config.get("privacy", True): + output.print_warning("You are running version Mail-in-a-Box %s. Mail-in-a-Box version check disabled by privacy setting." % this_ver) + else: latest_ver = get_latest_miab_version() if this_ver == latest_ver: From dc6458623d1f5001f7f1a02b41c04a0debd6930e Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 30 Nov 2018 10:36:19 -0500 Subject: [PATCH 17/27] add a note on the aliases page that aliases should not be used to forward to outside domains fixes #1198 --- management/templates/aliases.html | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/management/templates/aliases.html b/management/templates/aliases.html index 78556df8..89af221f 100644 --- a/management/templates/aliases.html +++ b/management/templates/aliases.html @@ -39,8 +39,9 @@
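Review bot: the new warning string reads "You are running version Mail-in-a-Box %s." and should be "You are running Mail-in-a-Box version %s."; it is shown to every box with the privacy setting on, which `config.get("privacy", True)` makes the default, so it is worth getting right. The bare `except:` around `what_version_is_this(env)` is moved rather than introduced, but since the lines are being rewritten, narrow it to `except Exception:` so an interrupt during the status checks is not reported as version "Unknown".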
    -
    - Enter just the part of an email address starting with the @-sign. +
    + Enter just the part of an email address starting with the @-sign. + Only forward mail to addresses handled by this Mail-in-a-Box, since mail forwarded by aliases to other domains may be rejected or filtered by the receiver. To forward mail to other domains, create a mail user and then log into webmail for the user and create a filter rule to forward mail.
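Review bot: the added guidance packs the rule, its consequence and the workaround into one long sentence; split it into two or three short ones ("Only forward mail to addresses handled by this Mail-in-a-Box. Mail forwarded by aliases to other domains may be rejected or filtered by the receiver. To forward to another domain, create a mail user, log into webmail as that user, and add a filter rule.") so it reads cleanly in the form help text.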
    From 870b82637a20705cd7e3e6e07968f1298261e705 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 30 Nov 2018 10:39:53 -0500 Subject: [PATCH 18/27] fix some wrong variable names, fixes #1353 --- management/daemon.py | 2 +- tests/tls.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/management/daemon.py b/management/daemon.py index 334749e4..572b6b4a 100755 --- a/management/daemon.py +++ b/management/daemon.py @@ -572,7 +572,7 @@ def munin_cgi(filename): if code != 0: # nonzero returncode indicates error - app.logger.error("munin_cgi: munin-cgi-graph returned nonzero exit code, %s", process.returncode) + app.logger.error("munin_cgi: munin-cgi-graph returned nonzero exit code, %s", code) return ("error processing graph image", 500) # /usr/lib/munin/cgi/munin-cgi-graph returns both headers and binary png when successful. diff --git a/tests/tls.py b/tests/tls.py index 32148133..0c7b945a 100644 --- a/tests/tls.py +++ b/tests/tls.py @@ -128,7 +128,7 @@ def sslyze(opts, port, ok_ciphers): proxy_proc.terminate() try: proxy_proc.wait(5) - except TimeoutExpired: + except subprocess.TimeoutExpired: proxy_proc.kill() # Get a list of OpenSSL cipher names. From ff6d8fc672c5e1f1495d4d00513708d3749012b7 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 30 Nov 2018 10:42:44 -0500 Subject: [PATCH 19/27] remove the ppa directory since we're no longer supporting a PPA for Ubuntu 18.04 --- ppa/Makefile | 62 -------- ppa/README.md | 40 ----- ppa/Vagrantfile | 12 -- ppa/dovecot_lucene.diff | 319 -------------------------------------- ppa/postgrey.diff | 80 ---------- ppa/postgrey_sources.diff | 100 ------------ 6 files changed, 613 deletions(-) delete mode 100755 ppa/Makefile delete mode 100644 ppa/README.md delete mode 100644 ppa/Vagrantfile delete mode 100644 ppa/dovecot_lucene.diff delete mode 100644 ppa/postgrey.diff delete mode 100644 ppa/postgrey_sources.diff 
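Review bot: the tests/tls.py change to `subprocess.TimeoutExpired` is correct only if `subprocess` is imported as a module in that file; the hunk does not show the imports, so confirm it rather than trading one NameError for another. The daemon.py change is right: the hunk shows `code` is the value already tested on the line above (`if code != 0`), whereas `process.returncode` referred to a name not in scope.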
diff --git a/ppa/Makefile b/ppa/Makefile deleted file mode 100755 index 4e3f99df..00000000 --- a/ppa/Makefile +++ /dev/null 
@@ -1,62 +0,0 @@ -POSTGREY_VERSION=1.35-1+miab1 -DOVECOT_VERSION=2.2.9-1ubuntu2.1+miab1 - -all: clean build_postgrey build_dovecot_lucene - -clean: - # Clean. - rm -rf /tmp/build - mkdir -p /tmp/build - -build_postgrey: clean - # Download the latest Debian postgrey package. It is ahead of Ubuntu, - # and we might as well jump ahead. - git clone git://git.debian.org/git/collab-maint/postgrey.git /tmp/build/postgrey - - # Download the corresponding upstream package. - wget -O /tmp/build/postgrey_1.35.orig.tar.gz http://postgrey.schweikert.ch/pub/old/postgrey-1.35.tar.gz - - # Add our source patch to the debian packaging listing. - cp postgrey_sources.diff /tmp/build/postgrey/debian/patches/mailinabox - - # Patch the packaging to give it a new version. - patch -p1 -d /tmp/build/postgrey < postgrey.diff - - # Build the source package. - (cd /tmp/build/postgrey; dpkg-buildpackage -S -us -uc -nc) - - # Sign the packages. - debsign /tmp/build/postgrey_$(POSTGREY_VERSION)_source.changes - - # Upload to PPA. - dput ppa:mail-in-a-box/ppa /tmp/build/postgrey_$(POSTGREY_VERSION)_source.changes - - # Clear the intermediate files. - rm -rf /tmp/build/postgrey - - # TESTING BINARY PACKAGE - #sudo apt-get build-dep -y postgrey - #(cd /tmp/build/postgrey; dpkg-buildpackage -us -uc -nc) - -build_dovecot_lucene: clean - # Get the upstream source. - (cd /tmp/build; apt-get source dovecot) - - # Patch it so that we build dovecot-lucene (and nothing else). - patch -p1 -d /tmp/build/dovecot-2.2.9 < dovecot_lucene.diff - - # Build the source package. - (cd /tmp/build/dovecot-2.2.9; dpkg-buildpackage -S -us -uc -nc) - - # Sign the packages. - debsign /tmp/build/dovecot_$(DOVECOT_VERSION)_source.changes - - # Upload it. - dput ppa:mail-in-a-box/ppa /tmp/build/dovecot_$(DOVECOT_VERSION)_source.changes - - # TESTING BINARY PACKAGE - # Install build dependencies and build dependencies we've added in our patch, - # and then build the binary package. 
- #sudo apt-get build-dep -y dovecot - #sudo apt-get install libclucene-dev liblzma-dev libexttextcat-dev libstemmer-dev - #(cd /tmp/build/dovecot-2.2.9; dpkg-buildpackage -us -uc -nc) diff --git a/ppa/README.md b/ppa/README.md deleted file mode 100644 index 0f009f67..00000000 --- a/ppa/README.md +++ /dev/null @@ -1,40 +0,0 @@ -ppa instructions -================ - -Mail-in-a-Box maintains a Launchpad.net PPA ([Mail-in-a-Box PPA](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa)) for additional deb's that we want to have installed on systems. - -Packages --------- - -* postgrey, a fork of [postgrey](http://postgrey.schweikert.ch/) based on the [latest Debian package](http://git.debian.org/?p=collab-maint/postgrey.git), with a modification to whitelist senders that are whitelisted by [dnswl.org](https://www.dnswl.org/) (i.e. don't greylist mail from known good senders). - -* dovecot-lucene, [dovecot's lucene full text search plugin](http://wiki2.dovecot.org/Plugins/FTS/Lucene), which isn't built by Ubuntu's dovecot package maintainer unfortunately. - -Building --------- - -To rebuild the packages in the PPA, you'll need to be @JoshData. - -First: - -* You should have an account on Launchpad.net. -* Your account should have your GPG key set (to the fingerprint of a GPG key on your system matching the identity at the top of the debian/changelog files). -* You should have write permission to the PPA. - -To build: - - # Start a clean VM. - vagrant up - - # Put your signing keys (on the host machine) into the VM (so it can sign the debs). - gpg --export-secret-keys | vagrant ssh -- gpg --import - - # Build & upload to launchpad. - vagrant ssh -- "cd /vagrant && make" - -Mail-in-a-Box adds our PPA during setup, but if you need to do that yourself for testing: - - apt-add-repository ppa:mail-in-a-box/ppa - apt-get update - apt-get install postgrey dovecot-lucene - diff --git a/ppa/Vagrantfile b/ppa/Vagrantfile deleted file mode 100644 index 7d839b18..00000000 
--- a/ppa/Vagrantfile +++ /dev/null @@ -1,12 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -Vagrant.configure("2") do |config| - config.vm.box = "ubuntu14.04" - config.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box" - - config.vm.provision :shell, :inline => <<-SH - sudo apt-get update - sudo apt-get install -y git dpkg-dev devscripts dput -SH -end diff --git a/ppa/dovecot_lucene.diff b/ppa/dovecot_lucene.diff deleted file mode 100644 index 4d258351..00000000 --- a/ppa/dovecot_lucene.diff +++ /dev/null 
@@ -1,319 +0,0 @@ ---- a/debian/control -+++ b/debian/control -@@ -1,210 +1,23 @@ - Source: dovecot - Section: mail - Priority: optional --Maintainer: Ubuntu Developers --XSBC-Original-Maintainer: Dovecot Maintainers --Uploaders: Jaldhar H. Vyas , Fabio Tranchitella , Joel Johnson , Marco Nenciarini --Build-Depends: debhelper (>= 7.2.3~), dpkg-dev (>= 1.16.1), pkg-config, libssl-dev, libpam0g-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libsqlite3-dev, libsasl2-dev, zlib1g-dev, libkrb5-dev, drac-dev (>= 1.12-5), libbz2-dev, libdb-dev, libcurl4-gnutls-dev, libexpat-dev, libwrap0-dev, dh-systemd, po-debconf, lsb-release, hardening-wrapper, dh-autoreconf, autotools-dev -+Maintainer: Joshua Tauberer -+XSBC-Original-Maintainer: Ubuntu Developers -+Build-Depends: debhelper (>= 7.2.3~), dpkg-dev (>= 1.16.1), pkg-config, libssl-dev, libpam0g-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libsqlite3-dev, libsasl2-dev, zlib1g-dev, libkrb5-dev, drac-dev (>= 1.12-5), libbz2-dev, libdb-dev, libcurl4-gnutls-dev, libexpat-dev, libwrap0-dev, dh-systemd, po-debconf, lsb-release, libclucene-dev (>= 2.3), liblzma-dev, libexttextcat-dev, libstemmer-dev, hardening-wrapper, dh-autoreconf, autotools-dev - Standards-Version: 3.9.4 - Homepage: http://dovecot.org/ --Vcs-Git: git://git.debian.org/git/collab-maint/dovecot.git --Vcs-Browser: http://git.debian.org/?p=collab-maint/dovecot.git -+Vcs-Git: https://github.com/mail-in-a-box/mailinabox -+Vcs-Browser: https://github.com/mail-in-a-box/mailinabox - --Package: dovecot-core -+Package: dovecot-lucene - Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime (>= 0.76-13.1), openssl, adduser, ucf (>= 2.0020), ssl-cert (>= 1.0-11ubuntu1), lsb-base (>= 3.2-12ubuntu3) --Suggests: ntp, dovecot-gssapi, dovecot-sieve, dovecot-pgsql, dovecot-mysql, dovecot-sqlite, dovecot-ldap, dovecot-imapd, dovecot-pop3d, dovecot-lmtpd, dovecot-managesieved, dovecot-solr, ufw --Recommends: ntpdate --Provides: dovecot-common 
--Replaces: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4) --Breaks: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4) --Description: secure POP3/IMAP server - core files -+Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (>= 1:2.2.9-1ubuntu2.1) -+Description: secure POP3/IMAP server - Lucene support - Dovecot is a mail server whose major goals are security and extreme - reliability. It tries very hard to handle all error conditions and verify - that all data is valid, making it nearly impossible to crash. It supports - mbox/Maildir and its own dbox/mdbox formats, and should also be pretty - fast, extensible, and portable. - . -- This package contains the Dovecot main server and its command line utility. -- --Package: dovecot-dev --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Replaces: dovecot-common (<< 1:2.0.14-2~) --Breaks: dovecot-common (<< 1:2.0.14-2~) --Description: secure POP3/IMAP server - header files -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains header files needed to compile plugins for the Dovecot -- mail server. -- --Package: dovecot-imapd --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020) --Provides: imap-server --Description: secure POP3/IMAP server - IMAP daemon -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. 
It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains the Dovecot IMAP server. -- --Package: dovecot-pop3d --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020) --Provides: pop3-server --Description: secure POP3/IMAP server - POP3 daemon -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains the Dovecot POP3 server. -- --Package: dovecot-lmtpd --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020) --Replaces: dovecot-common (<< 1:2.0.14-2~) --Breaks: dovecot-common (<< 1:2.0.14-2~) --Description: secure POP3/IMAP server - LMTP server -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains the Dovecot LMTP server. -- --Package: dovecot-managesieved --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), dovecot-sieve (= ${binary:Version}), ucf (>= 2.0020) --Replaces: dovecot-common (<< 1:2.0.14-2~) --Breaks: dovecot-common (<< 1:2.0.14-2~) --Description: secure POP3/IMAP server - ManageSieve server -- Dovecot is a mail server whose major goals are security and extreme -- reliability. 
It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains the Dovecot ManageSieve server. -- --Package: dovecot-pgsql --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - PostgreSQL support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides PostgreSQL support for Dovecot. -- --Package: dovecot-mysql --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - MySQL support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides MySQL support for Dovecot. -- --Package: dovecot-sqlite --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - SQLite support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . 
-- This package provides SQLite support for Dovecot. -- --Package: dovecot-ldap --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020) --Description: secure POP3/IMAP server - LDAP support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides LDAP support for Dovecot. -- --Package: dovecot-gssapi --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - GSSAPI support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides GSSAPI authentication support for Dovecot. -- --Package: dovecot-sieve --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020) --Description: secure POP3/IMAP server - Sieve filters support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides Sieve filters support for Dovecot. 
-- --Package: dovecot-solr --Architecture: any --Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - Solr support -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package provides Solr full text search support for Dovecot. -- --Package: dovecot-dbg --Section: debug --Priority: extra --Architecture: any --Depends: ${misc:Depends}, dovecot-core (= ${binary:Version}) --Description: secure POP3/IMAP server - debug symbols -- Dovecot is a mail server whose major goals are security and extreme -- reliability. It tries very hard to handle all error conditions and verify -- that all data is valid, making it nearly impossible to crash. It supports -- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty -- fast, extensible, and portable. -- . -- This package contains debug symbols for Dovecot. -- --Package: mail-stack-delivery --Architecture: all --Depends: dovecot-core, dovecot-imapd, dovecot-pop3d, dovecot-managesieved, -- postfix, ${misc:Depends} --Replaces: dovecot-postfix (<< 1:1.2.12-0ubuntu1~) --Description: mail server delivery agent stack provided by Ubuntu server team -- Ubuntu's mail stack provides fully operational delivery with -- safe defaults and additional options. Out of the box it supports IMAP, -- POP3 and SMTP services with SASL authentication and Maildir as default -- storage engine. -- . -- This package contains configuration files for dovecot. -- . -- This package modifies postfix's configuration to integrate with dovecot -+ This package provides Lucene full text search support for Dovecot. 
It has been modified by Mail-in-a-Box -+ to supply a dovecot-lucene package compatible with the official ubuntu trusty dovecot-core. - -diff --git a/debian/dovecot-lucene.links b/debian/dovecot-lucene.links -new file mode 100644 -index 0000000..6ffcbeb ---- /dev/null -+++ b/debian/dovecot-lucene.links -@@ -0,0 +1 @@ -+/usr/share/bug/dovecot-core /usr/share/bug/dovecot-lucene -diff --git a/debian/dovecot-lucene.lintian-overrides b/debian/dovecot-lucene.lintian-overrides -new file mode 100644 -index 0000000..60d90fd ---- /dev/null -+++ b/debian/dovecot-lucene.lintian-overrides -@@ -0,0 +1,2 @@ -+dovecot-lucene: hardening-no-fortify-functions usr/lib/dovecot/modules/lib21_fts_lucene_plugin.so -+ -diff --git a/debian/dovecot-lucene.substvars b/debian/dovecot-lucene.substvars -new file mode 100644 -index 0000000..ed54f36 ---- /dev/null -+++ b/debian/dovecot-lucene.substvars -@@ -0,0 +1,2 @@ -+shlibs:Depends=libc6 (>= 2.4), libclucene-core1 (>= 2.3.3.4), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.1.1), libstemmer0d (>= 0+svn527) -+misc:Depends= -diff --git a/debian/dovecot-lucene.triggers b/debian/dovecot-lucene.triggers -new file mode 100644 -index 0000000..3d933a5 ---- /dev/null -+++ b/debian/dovecot-lucene.triggers -@@ -0,0 +1 @@ -+activate register-dovecot-plugin ---- a/debian/rules -+++ b/debian/rules -@@ -40,6 +40,7 @@ - --with-solr \ - --with-ioloop=best \ - --with-libwrap \ -+ --with-lucene \ - --host=$(DEB_HOST_GNU_TYPE) \ - --build=$(DEB_BUILD_GNU_TYPE) \ - --prefix=/usr \ -@@ -95,6 +96,10 @@ - dh_testroot - dh_clean -k - dh_installdirs -+ mkdir -p $(CURDIR)/debian/dovecot-lucene/usr/lib/dovecot/modules -+ mv $(CURDIR)/src/plugins/fts-lucene/.libs/* $(CURDIR)/debian/dovecot-lucene/usr/lib/dovecot/modules/ -+ -+rest_disabled_by_miab: - $(MAKE) install DESTDIR=$(CURDIR)/debian/dovecot-core - $(MAKE) -C $(PIGEONHOLE_DIR) install DESTDIR=$(CURDIR)/debian/dovecot-core - rm `find $(CURDIR)/debian -name '*.la'` -@@ -209,7 +214,7 @@ - dh_installdocs -a - dh_installexamples 
-a - dh_installpam -a -- mv $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot-core $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot -+ # mv $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot-core $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot - dh_systemd_enable - dh_installinit -pdovecot-core --name=dovecot - dh_systemd_start -@@ -220,10 +225,10 @@ - dh_lintian -a - dh_installchangelogs -a ChangeLog - dh_link -a -- dh_strip -a --dbg-package=dovecot-dbg -+ #dh_strip -a --dbg-package=dovecot-dbg - dh_compress -a - dh_fixperms -a -- chmod 0700 debian/dovecot-core/etc/dovecot/private -+ #chmod 0700 debian/dovecot-core/etc/dovecot/private - dh_makeshlibs -a -n - dh_installdeb -a - dh_shlibdeps -a ---- a/debian/changelog -+++ a/debian/changelog -@@ -1,3 +1,9 @@ -+dovecot (1:2.2.9-1ubuntu2.1+miab1) trusty; urgency=low -+ -+ * Changed to just build dovecot-lucene for Mail-in-a-box PPA -+ -+ -- Joshua Tauberer Sat, 14 May 2015 16:13:00 -0400 -+ - dovecot (1:2.2.9-1ubuntu2.1) trusty-security; urgency=medium - - * SECURITY UPDATE: denial of service via SSL connection exhaustion ---- a/debian/copyright 2014-03-07 07:26:37.000000000 -0500 -+++ b/debian/copyright 2015-05-23 18:17:42.668005535 -0400 -@@ -1,3 +1,7 @@ -+This package is a fork by Mail-in-a-box (https://mailinabox.email). Original -+copyright statement follows: -+---------------------------------------------------------------------------- -+ - This package was debianized by Jaldhar H. Vyas on - Tue, 3 Dec 2002 01:10:07 -0500. - diff --git a/ppa/postgrey.diff b/ppa/postgrey.diff deleted file mode 100644 index 1570be02..00000000 --- a/ppa/postgrey.diff +++ /dev/null 
@@ -1,80 +0,0 @@ -diff --git a/debian/NEWS b/debian/NEWS -index dd09744..de7b640 100644 ---- a/debian/NEWS -+++ b/debian/NEWS -@@ -1,3 +1,9 @@ -+postgrey (1.35-1+miab1) -+ -+ Added DNSWL.org whitelisting. -+ -+ -- Joshua Tauberer Mon May 18 18:58:40 EDT 2015 -+ - postgrey (1.32-1) unstable; urgency=low - - Postgrey is now listening to port 10023 and not 60000. The latter was an -diff --git a/debian/changelog b/debian/changelog -index 1058e15..e5e3557 100644 ---- a/debian/changelog -+++ b/debian/changelog -@@ -1,3 +1,9 @@ -+postgrey (1.35-1+miab1) trusty; urgency=low -+ -+ * Added DNSWL.org whitelisting. -+ -+ -- Joshua Tauberer Mon, 18 May 2015 21:58:40 +0000 -+ - postgrey (1.35-1) unstable; urgency=low - - * New upstream release (Closes: 756486) -diff --git a/debian/control b/debian/control -index ce12ba6..0a82855 100644 ---- a/debian/control -+++ b/debian/control -@@ -1,14 +1,11 @@ - Source: postgrey - Section: mail - Priority: optional --Maintainer: Antonio Radici --Uploaders: Jon Daley -+Maintainer: Joshua Tauberer - Build-Depends: debhelper (>= 7), quilt - Build-Depends-Indep: po-debconf - Standards-Version: 3.9.6 - Homepage: http://postgrey.schweikert.ch/ --Vcs-Browser: http://git.debian.org/?p=collab-maint/postgrey.git --Vcs-Git: git://git.debian.org/git/collab-maint/postgrey.git - - Package: postgrey - Architecture: all -@@ -25,3 +22,6 @@ Description: greylisting implementation for Postfix - . - While Postgrey is designed for use with Postfix, it can also be used - with Exim. -+ . -+ This version has been modified by Mail-in-a-Box to whitelist senders -+ in the DNSWL.org list. See https://mailinabox.email. -diff --git a/debian/copyright b/debian/copyright -index 3cbe377..bf09b89 100644 ---- a/debian/copyright -+++ b/debian/copyright -@@ -1,6 +1,10 @@ -+This package is a fork by Mail-in-a-Box (https://mailinabox.email). 
Original -+copyright statement follows: -+---------------------------------------------------------------------------- -+ - This Debian package was prepared by Adrian von Bidder in - July 2004, then the package was adopted by Antonio Radici --in Sept 2009 -+in Sept 2009. - - It was downloaded from http://postgrey.schweikert.ch/ - -diff --git a/debian/patches/series b/debian/patches/series -index f4c5e31..3cd62b8 100644 ---- a/debian/patches/series -+++ b/debian/patches/series -@@ -1,3 +1,3 @@ - imported-upstream-diff - disable-transaction-logic -- -+mailinabox diff --git a/ppa/postgrey_sources.diff b/ppa/postgrey_sources.diff deleted file mode 100644 index dcc1f55c..00000000 --- a/ppa/postgrey_sources.diff +++ /dev/null 
@@ -1,100 +0,0 @@ -Description: whitelist whatever dnswl.org whitelists - . - postgrey (1.35-1+miab1) unstable; urgency=low - . - * Added DNSWL.org whitelisting. -Author: Joshua Tauberer - ---- postgrey-1.35.orig/README -+++ postgrey-1.35/README -@@ -13,7 +13,7 @@ Requirements - - BerkeleyDB (Perl Module) - - Berkeley DB >= 4.1 (Library) - - Digest::SHA (Perl Module, only for --privacy option) -- -+- Net::DNS (Perl Module) - - Documentation - ------------- ---- postgrey-1.35.orig/postgrey -+++ postgrey-1.35/postgrey -@@ -18,6 +18,7 @@ use Fcntl ':flock'; # import LOCK_* cons - use Sys::Hostname; - use Sys::Syslog; # used only to find out which version we use - use POSIX qw(strftime setlocale LC_ALL); -+use Net::DNS; # for DNSWL.org whitelisting - - use vars qw(@ISA); - @ISA = qw(Net::Server::Multiplex); -@@ -26,6 +27,8 @@ my $VERSION = '1.35'; - my $DEFAULT_DBDIR = '/var/lib/postgrey'; - my $CONFIG_DIR = '/etc/postgrey'; - -+my $dns_resolver = Net::DNS::Resolver->new; -+ - sub cidr_parse($) - { - defined $_[0] or return undef; -@@ -48,6 +51,36 @@ sub cidr_match($$$) - return ($addr & $mask) == $net; - } - -+sub reverseDottedQuad { -+ # This is the sub _chkValidPublicIP from Net::DNSBL by PJ Goodwin -+ # at http://www.the42.net/net-dnsbl. -+ my ($quad) = @_; -+ if ($quad =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) { -+ my ($ip1,$ip2,$ip3,$ip4) = ($1, $2, $3, $4); -+ if ( -+ $ip1 == 10 || #10.0.0.0/8 (10/8) -+ ($ip1 == 172 && $ip2 >= 16 && $ip2 <= 31) || #172.16.0.0/12 (172.16/12) -+ ($ip1 == 192 && $ip2 == 168) || #192.168.0.0/16 (192.168/16) -+ $quad eq '127.0.0.1' # localhost -+ ) { -+ # toss the RFC1918 specified privates -+ return undef; -+ } elsif ( -+ ($ip1 <= 1 || $ip1 > 254) || -+ ($ip2 < 0 || $ip2 > 255) || -+ ($ip3 < 0 || $ip3 > 255) || -+ ($ip4 < 0 || $ip4 > 255) -+ ) { -+ #invalid oct, toss it; -+ return undef; -+ } -+ my $revquad = $ip4 . "." . $ip3 . "." . $ip2 . "." . 
$ip1; -+ return $revquad; -+ } else { # invalid quad -+ return undef; -+ } -+} -+ - sub read_clients_whitelists($) - { - my ($self) = @_; -@@ -361,6 +394,25 @@ sub smtpd_access_policy($$) - } - } - -+ # whitelist clients in dnswl.org -+ my $revip = reverseDottedQuad($attr->{client_address}); -+ if ($revip) { # valid IP / plausibly in DNSWL -+ my $answer = $dns_resolver->send($revip . '.list.dnswl.org'); -+ if ($answer && scalar($answer->answer) > 0) { -+ my @rrs = $answer->answer; -+ if ($rrs[0]->type eq 'A' && $rrs[0]->address ne '127.0.0.255') { -+ # Address appears in DNSWL. (127.0.0.255 means we were rate-limited.) -+ my $code = $rrs[0]->address; -+ if ($code =~ /^127.0.(\d+)\.([0-3])$/) { -+ my %dnswltrust = (0 => 'legitimate', 1 => 'occasional spam', 2 => 'rare spam', 3 => 'highly unlikely to send spam'); -+ $code = $2 . '/' . $dnswltrust{$2}; -+ } -+ $self->mylog_action($attr, 'pass', 'client whitelisted by dnswl.org (' . $code . ')'); -+ return 'DUNNO'; -+ } -+ } -+ } -+ - # auto whitelist clients (see below for explanation) - my ($cawl_db, $cawl_key, $cawl_count, $cawl_last); - if($self->{postgrey}{awl_clients}) { From 9ddca42c9187ace187990ae11fd69ea97c2d9d0a Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 30 Nov 2018 10:44:13 -0500 Subject: [PATCH 20/27] add 'nameserver' to resolv.conf, fixes #1450 --- setup/system.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/system.sh b/setup/system.sh index 2db48298..7aafa25d 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -321,7 +321,7 @@ fi # download bind9 from. rm -f /etc/resolv.conf tools/editconf.py /etc/systemd/resolved.conf DNSStubListener=no -echo "127.0.0.1" > /etc/resolv.conf +echo "nameserver 127.0.0.1" > /etc/resolv.conf # Restart the DNS services. From 703a9376ef6a8c31555df1aed7f3d9ed0a9cfb4c Mon Sep 17 00:00:00 2001 
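Review bot: deleting ppa/dovecot-lucene.diff removes the only record of how lib21_fts_lucene_plugin.so was built and installed into usr/lib/dovecot/modules (see the removed lintian override and the `mv $(CURDIR)/src/plugins/fts-lucene/.libs/*` rule), and that package was built against trusty's dovecot-core 2.2.9 per the removed changelog entry. A box that is dist-upgraded to 18.04 may still have that dovecot-lucene package and its module file installed, so the Dovecot setup script should explicitly remove the package (or at least drop the lucene plugin from the plugin list) rather than relying on the PPA simply no longer being available; otherwise Dovecot on 18.04 may try to load a module built for a different dovecot-core ABI.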
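Review bot: deleting ppa/postgrey.diff and ppa/postgrey_sources.diff silently drops the DNSWL.org whitelisting implemented in the removed smtpd_access_policy hunk, so senders listed at list.dnswl.org will now be greylisted like everyone else; that is a mail-acceptance behaviour change for existing boxes and should be called out in the changelog and upgrade notes, not left implicit in a file removal. For anyone who later ports the patch forward, two things in the removed code are worth fixing rather than copying: reverseDottedQuad rejects any first octet of 1 or less (`$ip1 <= 1`), which also discards the valid 1.0.0.0/8 range, and the lookup trusts only `$rrs[0]` and treats a `127.0.0.255` answer as "not listed" rather than as a rate-limit signal, so a rate-limited resolver quietly degrades to greylisting without any log line saying why.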
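Review bot: changing the file contents to `nameserver 127.0.0.1` is the correct fix, since the resolver ignores a resolv.conf line without the `nameserver` keyword and the previous bare `127.0.0.1` left the box with no usable resolver at all. With the systemd-resolved stub listener disabled on the line above and no second nameserver entry, every lookup on the box now depends on the local bind9 instance being up, so the comment ending in "download bind9 from" should say that this is deliberate (local validating resolver, no fallback), and the "Restart the DNS services" step that follows should fail setup loudly if bind9 does not come back, because the failure mode otherwise is that apt, certificate provisioning and outbound mail all start failing with unrelated-looking errors.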
From: Joshua Tauberer Date: Sun, 2 Dec 2018 18:15:34 -0500 Subject: [PATCH 21/27] fix /etc /usr permissions for Scaleway, see #1438 --- setup/system.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/setup/system.sh b/setup/system.sh index 7aafa25d..69763c84 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -14,6 +14,13 @@ source setup/functions.sh # load our functions echo $PRIMARY_HOSTNAME > /etc/hostname hostname $PRIMARY_HOSTNAME +# ### Fix permissions + +# The default Ubuntu Bionic image on Scaleway throws warnings during setup about incorrect +# permissions (group writeable) set on the following directories. + +chmod g-w /etc /etc/default /usr + # ### Add swap space to the system # If the physical memory of the system is below 2GB it is wise to create a From e80a1dd4b740b3f50bb8787c36cf2a78023e5f35 Mon Sep 17 00:00:00 2001 From: EliterScripts Date: Thu, 13 Dec 2018 18:28:21 -0700 Subject: [PATCH 22/27] fix DEFAULT_PUBLIC_IP unbound variable error (#1488) This will fix this error while installing: setup/questions.sh: line 95: DEFAULT_PUBLIC_IP: unbound variable --- setup/questions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/questions.sh b/setup/questions.sh index 3ad7eead..d070a52f 100644 --- a/setup/questions.sh +++ b/setup/questions.sh @@ -92,7 +92,7 @@ if [ -z "${PUBLIC_IP:-}" ]; then # On the first run, if we got an answer from the Internet then don't # ask the user. - if [[ -z "$DEFAULT_PUBLIC_IP" && ! -z "$GUESSED_IP" ]]; then + if [[ -z "${DEFAULT_PUBLIC_IP:-}" && ! -z "$GUESSED_IP" ]]; then PUBLIC_IP=$GUESSED_IP # Otherwise on the first run at least provide a default. From 71f1c92b9eeb9c779130a98e612965ad777e9a69 Mon Sep 17 00:00:00 2001 From: jvolkenant Date: Thu, 13 Dec 2018 17:30:05 -0800 Subject: [PATCH 23/27] bash strict mode fixes (#1482) --- setup/firstuser.sh | 4 ++-- setup/munin.sh | 2 +- setup/nextcloud.sh | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) 
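Review bot: the comment above `chmod g-w /etc /etc/default /usr` frames the change as silencing setup warnings, but a group-writable /etc or /usr lets any member of the owning group create, rename or replace files there, which is a straightforward local privilege escalation path; the comment should say this is a hardening fix that is safe to apply on every provider, not only Scaleway. Consider also echoing the current mode before changing it (for example `stat -c '%a %U:%G' /etc /etc/default /usr` into the setup log) so an operator can tell afterwards whether the image actually shipped that way.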
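Review bot: `${DEFAULT_PUBLIC_IP:-}` fixes the reported unbound-variable error, but `"$GUESSED_IP"` in the same condition is still expanded without a default, so unless GUESSED_IP is guaranteed to be assigned earlier even when the Internet lookup the comment mentions fails, the script will die on this same line with the same class of error under `set -u`; guard it as `${GUESSED_IP:-}` as well, or initialise both variables to empty before this `if` block.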
diff --git a/setup/firstuser.sh b/setup/firstuser.sh index 71264f3b..f6947695 100644 --- a/setup/firstuser.sh +++ b/setup/firstuser.sh @@ -4,7 +4,7 @@ if [ -z "`tools/mail.py user`" ]; then # aren't any yet, it'll be empty. # If we didn't ask for an email address at the start, do so now. - if [ -z "$EMAIL_ADDR" ]; then + if [ -z "${EMAIL_ADDR:-}" ]; then # In an interactive shell, ask the user for an email address. if [ -z "${NONINTERACTIVE:-}" ]; then input_box "Mail Account" \ @@ -47,7 +47,7 @@ if [ -z "`tools/mail.py user`" ]; then fi # Create the user's mail account. This will ask for a password if none was given above. - tools/mail.py user add $EMAIL_ADDR $EMAIL_PW + tools/mail.py user add $EMAIL_ADDR ${EMAIL_PW:-} # Make it an admin. hide_output tools/mail.py user make-admin $EMAIL_ADDR diff --git a/setup/munin.sh b/setup/munin.sh index c581c6d0..8a85085d 100755 --- a/setup/munin.sh +++ b/setup/munin.sh @@ -44,7 +44,7 @@ tools/editconf.py /etc/munin/munin-node.conf -s \ log_level=1 # Update the activated plugins through munin's autoconfiguration. -munin-node-configure --shell --remove-also 2>/dev/null | sh +munin-node-configure --shell --remove-also 2>/dev/null | sh || /bin/true # Deactivate monitoring of NTP peers. Not sure why anyone would want to monitor a NTP peer. The addresses seem to change # (which is taken care of my munin-node-configure, but only when we re-run it.) diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index e0e66c64..167c2012 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh 
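Review bot: `tools/mail.py user add $EMAIL_ADDR ${EMAIL_PW:-}` leaves both expansions unquoted, so a password containing whitespace or glob characters is word-split or expanded into extra arguments and the account ends up with a different password from the one the user typed; quote them (`"$EMAIL_ADDR" "${EMAIL_PW:-}"`) and, since an empty quoted argument would then be passed when no password was given, either have mail.py treat an empty password argument as absent or branch on `-n "${EMAIL_PW:-}"` and omit the argument entirely. The `make-admin $EMAIL_ADDR` call two lines below has the same quoting gap.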
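Review bot: appending `|| /bin/true` to `munin-node-configure --shell --remove-also 2>/dev/null | sh` masks every failure of the generated plugin-linking commands, and the existing `2>/dev/null` already hides the reason, so a broken munin-node-configure now fails silently and the box runs with whatever plugins happened to be linked. If the intent is only to tolerate a non-zero exit from munin-node-configure itself, capture its output first (`cmds=$(munin-node-configure --shell --remove-also 2>/dev/null || true)`) and then run `$cmds` through sh without the blanket `|| true`, or at least send stderr to the setup log instead of /dev/null.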
@@ -57,7 +57,7 @@ InstallNextcloud() { # Make sure permissions are correct or the upgrade step won't run. # $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress # that error. - chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud + chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud || /bin/true # If this isn't a new installation, immediately run the upgrade script. # Then check for success (0=ok and 3=no upgrade needed, both are success). From 31b743b164c15391b05d76cfd849be200496cec8 Mon Sep 17 00:00:00 2001 From: Dean Perry Date: Wed, 26 Dec 2018 20:39:47 +0000 Subject: [PATCH 24/27] Fix some more $DEFAULT_PUBLIC_IP issues (#1494) --- setup/questions.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/questions.sh b/setup/questions.sh index d070a52f..bf382f49 100644 --- a/setup/questions.sh +++ b/setup/questions.sh @@ -96,12 +96,12 @@ if [ -z "${PUBLIC_IP:-}" ]; then PUBLIC_IP=$GUESSED_IP # Otherwise on the first run at least provide a default. - elif [[ -z "$DEFAULT_PUBLIC_IP" ]]; then + elif [[ -z "${DEFAULT_PUBLIC_IP:-}" ]]; then DEFAULT_PUBLIC_IP=$(get_default_privateip 4) # On later runs, if the previous value matches the guessed value then # don't ask the user either. - elif [ "$DEFAULT_PUBLIC_IP" == "$GUESSED_IP" ]; then + elif [ "${DEFAULT_PUBLIC_IP:-}" == "$GUESSED_IP" ]; then PUBLIC_IP=$GUESSED_IP fi From 6e60b47cb5b98ab50965c87a2186fa96ba926c58 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Wed, 9 Jan 2019 07:11:53 -0500 Subject: [PATCH 25/27] update bootstrap.sh script to detect the operating system and choose a different version tag depending on whether the box is running Ubuntu 14.04 or Ubuntu 18.04 --- setup/bootstrap.sh | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh index 305a06e9..f46e5f1f 100644 --- a/setup/bootstrap.sh +++ b/setup/bootstrap.sh 
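Review bot: `chown -f -R www-data.www-data ... || /bin/true` swallows every chown failure, not only the missing-`$STORAGE_ROOT/owncloud` case that the comment above describes and that `-f` already silences; a chown that fails on /usr/local/lib/owncloud for some other reason (read-only mount, unexpected ownership) now passes and the upgrade step that follows fails with a much less obvious error. Prefer an explicit existence test per directory, for example `if [ -d "$STORAGE_ROOT/owncloud" ]; then chown -R www-data:www-data "$STORAGE_ROOT/owncloud"; fi`, and switch from the deprecated `user.group` spelling to `user:group` while touching the line.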
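Review bot: with the second branch assigning `DEFAULT_PUBLIC_IP=$(get_default_privateip 4)` whenever the variable is empty, the `${DEFAULT_PUBLIC_IP:-}` default in the third `elif` can only be reached once the variable is set and non-empty, so it is harmless but redundant. The cleaner fix for this whole chain (including the `if` patched in the previous commit) is to initialise `DEFAULT_PUBLIC_IP=${DEFAULT_PUBLIC_IP:-}` and `GUESSED_IP=${GUESSED_IP:-}` once before the block, which removes the scattered `:-` guards and the risk of the next edit adding an unguarded reference.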
@@ -7,7 +7,34 @@ ######################################################### if [ -z "$TAG" ]; then - TAG=v0.30 + # If a version to install isn't explicitly given as an environment + # variable, then install the latest version. But the latest version + # depends on the operating system. Existing Ubuntu 14.04 users need + # to be able to upgrade to the latest version supporting Ubuntu 14.04, + # in part because an upgrade is required before jumping to Ubuntu 18.04. + # New users on Ubuntu 18 need to get the latest version number too. + # + # Also, the system status checks read this script for TAG= to get + # the latest version, so the first TAG= line must be the one that + # we want to display in status checks. + if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then + # This machine is running Ubuntu 18.04. + TAG=v0.30 + + elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then + # This machine is running Ubuntu 14.04. + echo "You are installing the last version of Mail-in-a-Box that will" + echo "support Ubuntu 14.04. If this is a new installation of Mail-in-a-Box," + echo "stop now and switch to a machine running Ubuntu 18.04. If you are" + echo "upgrading an existing Mail-in-a-Box --- great. After upgrading this" + echo "box, please visit https://mailinabox.email for notes on how to upgrade" + echo "to Ubuntu 18.04." + TAG=v0.30 + + else + echo "This script must be run on a system running Ubuntu 18.04 or Ubuntu 14.04." + exit + fi fi # Are we running as root? From 8e0d9b9f213598ffa121d0487d530f4d12b62e9f Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Wed, 9 Jan 2019 07:33:21 -0500 Subject: [PATCH 26/27] update list of tls ciphers supported --- tests/tls.py | 2 +- tests/tls_results.txt | 220 ++++++++++++++++++------------------------ 2 files changed, 93 insertions(+), 129 deletions(-) diff --git a/tests/tls.py b/tests/tls.py index 0c7b945a..e06ddcc9 100644 
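Review bot: the unsupported-OS branch ends with a bare `exit`, which returns the status of the preceding `echo` (0), so a `curl ... | sudo bash` caller sees a successful bootstrap even though nothing was installed; make it `exit 1`. Two smaller points in the same hunk: `lsb_release -d` is run twice through near-identical sed pipelines, so compute it once into a variable (and note that `18\.04\.[0-9]` stops matching at a two-digit point release), and since both branches currently set `TAG=v0.30` the comment about status checks reading the first `TAG=` line is easy to break the day the 14.04 and 18.04 tags diverge, so a comment on the 14.04 branch saying it must not be bumped past the last 14.04 release would help.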
--- a/tests/tls.py +++ b/tests/tls.py @@ -17,7 +17,7 @@ # through some other host you can ssh into (maybe the box # itself?): # -# python3 --proxy user@ssh_host yourservername +# python3 tls.py --proxy user@ssh_host yourservername # # (This will launch "ssh -N -L10023:yourservername:testport user@ssh_host" # to create a tunnel.) diff --git a/tests/tls_results.txt b/tests/tls_results.txt index 33ebb7d1..8747bac3 100644 --- a/tests/tls_results.txt +++ b/tests/tls_results.txt @@ -13,18 +13,18 @@ PORT 25 * Session Resumption: With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts). - With TLS Session Tickets: NOT SUPPORTED - TLS ticket not assigned. + With TLS Session Tickets: OK - Supported * SSLV2 Cipher Suites: Server rejected all cipher suites. * TLSV1_2 Cipher Suites: Preferred: - ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok Accepted: - ECDHE-RSA-AES256-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA256 DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok 
@@ -33,9 +33,9 @@ PORT 25 AES256-SHA256 - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok AES256-GCM-SHA384 - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-GCM-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA256 DH-2048 bits 128 bits 250 2.0.0 Ok 
@@ -46,56 +46,47 @@ PORT 25 AES128-SHA256 - 128 bits 250 2.0.0 Ok AES128-SHA - 128 bits 250 2.0.0 Ok AES128-GCM-SHA256 - 128 bits 250 2.0.0 Ok - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits 250 2.0.0 Ok - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits 250 2.0.0 Ok - DES-CBC3-SHA - 112 bits 250 2.0.0 Ok * TLSV1_1 Cipher Suites: Preferred: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok Accepted: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok SEED-SHA - 128 bits 250 2.0.0 Ok CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok AES128-SHA - 128 bits 250 2.0.0 Ok - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits 250 2.0.0 Ok - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits 250 2.0.0 Ok - DES-CBC3-SHA - 112 bits 250 2.0.0 Ok - - * TLSV1 Cipher Suites: - Preferred: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - Accepted: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok - DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok - CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok - AES256-SHA - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok - DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - SEED-SHA - 128 bits 250 2.0.0 Ok - CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok - 
AES128-SHA - 128 bits 250 2.0.0 Ok - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits 250 2.0.0 Ok - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits 250 2.0.0 Ok - DES-CBC3-SHA - 112 bits 250 2.0.0 Ok * SSLV3 Cipher Suites: Server rejected all cipher suites. + * TLSV1 Cipher Suites: + Preferred: + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + Accepted: + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok + DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok + CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok + AES256-SHA - 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok + DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + SEED-SHA - 128 bits 250 2.0.0 Ok + CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok + AES128-SHA - 128 bits 250 2.0.0 Ok + Should Not Offer: (none -- good) - Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, DHE-DSS-SEED-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA - Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Chrome/42/OS X, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, 
IE/7/Vista, Android/2.3.7, Java/6u45, IE/8/XP + Could Also Offer: AES128-CCM, AES128-CCM8, AES256-CCM, AES256-CCM8, CAMELLIA128-SHA256, CAMELLIA256-SHA256, DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA128-SHA256, DHE-DSS-CAMELLIA256-SHA, DHE-DSS-CAMELLIA256-SHA256, DHE-DSS-SEED-SHA, DHE-RSA-AES128-CCM, DHE-RSA-AES128-CCM8, DHE-RSA-AES256-CCM, DHE-RSA-AES256-CCM8, DHE-RSA-CAMELLIA128-SHA256, DHE-RSA-CAMELLIA256-SHA256, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CAMELLIA128-SHA256, ECDHE-ECDSA-CAMELLIA256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CAMELLIA128-SHA256, ECDHE-RSA-CAMELLIA256-SHA384, ECDHE-RSA-CHACHA20-POLY1305 + Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, BingPreview/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.3, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45 PORT 587 -------- 
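Review bot: the security-relevant change in the port-25 results is the removal of the three `DES-CBC3-SHA` rows (3DES at 112 bits), and it deserves a line in the changelog since it is also why `IE/8/XP` disappears from the Supported Clients list; the commit message only says "update list of tls ciphers supported". Two other visible changes should be explained rather than just recorded: `With TLS Session Tickets` flips from NOT SUPPORTED to OK, and tickets only preserve forward secrecy if the ticket key is rotated, so the SMTP server's ticket-key lifetime setting should be checked; and the key-exchange column moves from `ECDH-256 bits` to `ECDH-521 bits`, which costs handshake CPU on a port that must accept any peer for no practical security gain over P-256, so verify that this curve preference is intended. `ECDHE-RSA-CHACHA20-POLY1305` now appears under Could Also Offer and is a sensible addition for clients without AES hardware.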
@@ -112,18 +103,18 @@ PORT 587 * Session Resumption: With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts). - With TLS Session Tickets: NOT SUPPORTED - TLS ticket not assigned. + With TLS Session Tickets: OK - Supported * SSLV2 Cipher Suites: Server rejected all cipher suites. * TLSV1_2 Cipher Suites: Preferred: - ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok Accepted: - ECDHE-RSA-AES256-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA256 DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok @@ -132,9 +123,9 @@ PORT 587 AES256-SHA256 - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok AES256-GCM-SHA384 - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-GCM-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA256 DH-2048 bits 128 bits 250 2.0.0 Ok 
@@ -148,31 +139,14 @@ PORT 587 * TLSV1_1 Cipher Suites: Preferred: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok Accepted: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok AES256-SHA - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok - DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok - SEED-SHA - 128 bits 250 2.0.0 Ok - CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok - AES128-SHA - 128 bits 250 2.0.0 Ok - - * TLSV1 Cipher Suites: - Preferred: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - Accepted: - ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok - DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok - DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok - CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok - AES256-SHA - 256 bits 250 2.0.0 Ok - ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok 
@@ -183,9 +157,26 @@ PORT 587 * SSLV3 Cipher Suites: Server rejected all cipher suites. + * TLSV1 Cipher Suites: + Preferred: + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + Accepted: + ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok + DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok + DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok + CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok + AES256-SHA - 256 bits 250 2.0.0 Ok + ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok + DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok + SEED-SHA - 128 bits 250 2.0.0 Ok + CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok + AES128-SHA - 128 bits 250 2.0.0 Ok + Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-RSA-SEED-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, SEED-SHA - Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384 - Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, IE/11/Win 7, IE/11/Win 8.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, IE Mobile/11/Win Phone 8.1, Safari/8/OS X 10.10, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Java/8u31, Android/5.0.0, Chrome/42/OS X, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/7u25, Android/2.3.7, Java/6u45 + Could Also Offer: 
ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 + Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, BingPreview/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.3, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45 PORT 443 -------- @@ -197,19 +188,19 @@ PORT 443 Client-initiated Renegotiations: OK - Rejected Secure Renegotiation: OK - Supported - * OpenSSL Heartbleed: - OK - Not vulnerable to Heartbleed - * HTTP Strict Transport Security: OK - HSTS header received: max-age=15768000 -Unhandled exception when processing --chrome_sha1: -exceptions.TypeError - Incorrect padding - * Session Resumption: With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts). With TLS Session Tickets: OK - Supported + * OpenSSL Heartbleed: + OK - Not vulnerable to Heartbleed + +Unhandled exception when processing --chrome_sha1: +exceptions.TypeError - Incorrect padding + * SSLV2 Cipher Suites: Server rejected all cipher suites. @@ -235,9 +226,6 @@ exceptions.TypeError - Incorrect padding AES128-SHA256 - 128 bits HTTP 200 OK AES128-SHA - 128 bits HTTP 200 OK AES128-GCM-SHA256 - 128 bits HTTP 200 OK - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits HTTP 200 OK - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits HTTP 200 OK - DES-CBC3-SHA - 112 bits HTTP 200 OK * TLSV1_1 Cipher Suites: Preferred: 
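Review bot: the port-587 `Should Not Offer` list is unchanged by this update and still contains every static-RSA and CBC suite the server accepts, so the only tightening on the submission port is the 3DES removal. Clients on 587 are the box's own users with modern mail clients, not arbitrary MTAs, so restricting submission to TLS 1.2 and the ECDHE/DHE AEAD suites that are already accepted (the GCM rows, plus the CHACHA20-POLY1305 suites now listed under Could Also Offer) is feasible here even though it is not on port 25; at minimum the results file should carry a note that this list is a known, accepted gap.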
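Review bot: the port-443 hunk only moves the `Unhandled exception when processing --chrome_sha1: exceptions.TypeError - Incorrect padding` lines to a new position; the exception itself is still there, which means that check is not being run and the results file is recording a tool crash as if it were a result. `exceptions.TypeError` is Python 2 naming, so the scanner invoked by tests/tls.py is an old one; either drop the `--chrome_sha1` option from the invocation or upgrade the scanner, and do not commit a results file that contains a traceback fragment.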
@@ -249,9 +237,9 @@ exceptions.TypeError - Incorrect padding ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 200 OK DHE-RSA-AES128-SHA DH-2048 bits 128 bits HTTP 200 OK AES128-SHA - 128 bits HTTP 200 OK - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits HTTP 200 OK - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits HTTP 200 OK - DES-CBC3-SHA - 112 bits HTTP 200 OK + + * SSLV3 Cipher Suites: + Server rejected all cipher suites. * TLSV1 Cipher Suites: Preferred: 
@@ -262,17 +250,11 @@ exceptions.TypeError - Incorrect padding AES256-SHA - 256 bits HTTP 200 OK ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 200 OK DHE-RSA-AES128-SHA DH-2048 bits 128 bits HTTP 200 OK - AES128-SHA - 128 bits HTTP 200 OK - ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits HTTP 200 OK - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits HTTP 200 OK - DES-CBC3-SHA - 112 bits HTTP 200 OK - - * SSLV3 Cipher Suites: - Server rejected all cipher suites. + AES128-SHA - 128 bits HTTP 200 OK Should Not Offer: (none -- good) - Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA - Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP + Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 + Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, 
Firefox/37/OS X, Android/4.3, Android/4.2.2, Baidu/Jan 2015, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45 PORT 993 -------- @@ -286,13 +268,13 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec * OpenSSL Heartbleed: OK - Not vulnerable to Heartbleed - * SSLV2 Cipher Suites: - Server rejected all cipher suites. - * Session Resumption: With Session IDs: NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts). With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted. + * SSLV2 Cipher Suites: + Server rejected all cipher suites. + * TLSV1_2 Cipher Suites: Preferred: ECDHE-RSA-AES128-GCM-SHA256 ECDH-384 bits 128 bits @@ -315,9 +297,6 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec AES128-SHA256 - 128 bits AES128-SHA - 128 bits AES128-GCM-SHA256 - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits * TLSV1_1 Cipher Suites: Preferred: @@ -329,9 +308,9 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits DHE-RSA-AES128-SHA DH-2048 bits 128 bits AES128-SHA - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits + + * SSLV3 Cipher Suites: + Server rejected all cipher suites. * TLSV1 Cipher Suites: Preferred: 
@@ -342,17 +321,11 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec AES256-SHA - 256 bits ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits DHE-RSA-AES128-SHA DH-2048 bits 128 bits - AES128-SHA - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits + AES128-SHA - 128 bits - * SSLV3 Cipher Suites: - Server rejected all cipher suites. - - Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DES-CBC3-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA - Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384 - Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP + Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA + Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, 
ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 + Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Firefox/37/OS X, Android/4.3, Android/4.2.2, Baidu/Jan 2015, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45 PORT 995 -------- @@ -366,13 +339,13 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec * OpenSSL Heartbleed: OK - Not vulnerable to Heartbleed - * SSLV2 Cipher Suites: - Server rejected all cipher suites. - * Session Resumption: With Session IDs: NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts). With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted. + * SSLV2 Cipher Suites: + Server rejected all cipher suites. + * TLSV1_2 Cipher Suites: Preferred: ECDHE-RSA-AES128-GCM-SHA256 ECDH-384 bits 128 bits @@ -395,9 +368,6 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec AES128-SHA256 - 128 bits AES128-SHA - 128 bits AES128-GCM-SHA256 - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits * TLSV1_1 Cipher Suites: Preferred: 
@@ -409,9 +379,9 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits DHE-RSA-AES128-SHA DH-2048 bits 128 bits AES128-SHA - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits + + * SSLV3 Cipher Suites: + Server rejected all cipher suites. * TLSV1 Cipher Suites: Preferred: 
@@ -422,15 +392,9 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec AES256-SHA - 256 bits ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits DHE-RSA-AES128-SHA DH-2048 bits 128 bits - AES128-SHA - 128 bits - ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits - EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits - DES-CBC3-SHA - 112 bits + AES128-SHA - 128 bits - * SSLV3 Cipher Suites: - Server rejected all cipher suites. - - Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DES-CBC3-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA - Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384 - Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP + Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA + Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, 
ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 + Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Firefox/37/OS X, Android/4.3, Android/4.2.2, Baidu/Jan 2015, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45 From e56c55efe83bce2e4017ddf241cf72dc6059a263 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Wed, 9 Jan 2019 07:42:52 -0500 Subject: [PATCH 27/27] write changelog summary for the Ubuntu 18.04 upgrade --- CHANGELOG.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c5b47259..4b07482b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,9 +4,21 @@ CHANGELOG In Development -------------- -This is the first release for Ubuntu 18.04. Mail-in-a-Box can now **only** be installed on Ubuntu 18.04. +This is the first release for Ubuntu 18.04. This version and versions going forward can **only** be installed on Ubuntu 18.04; however, upgrades of existing Ubuntu 14.04 boxes to the latest version supporting Ubuntu 14.04 continue to work as normal. -When **upgrading**, you **must** upgrade your existing Ubuntu 14.04 Mail-in-a-Box box to the latest release supporting Ubuntu 14.04 --- that's v0.30 --- first. If you are running an older version of Mail-in-a-Box which has an old version of ownCloud or Nextcloud, you will *not* be able to upgrade your data because older versions of ownCloud and Nextcloud that are required to perform the upgrade *cannot* be run on Ubuntu 18.04. +When **upgrading**, you **must upgrade your existing Ubuntu 14.04 Mail-in-a-Box box** to the latest release supporting Ubuntu 14.04 --- that's v0.30 --- first. If you are running an older version of Mail-in-a-Box which has an old version of ownCloud or Nextcloud, you will *not* be able to upgrade your data because older versions of ownCloud and Nextcloud that are required to perform the upgrade *cannot* be run on Ubuntu 18.04. To upgrade from Ubuntu 14.04 to Ubuntu 18.04, you **must create a fresh Ubuntu 18.04 machine** before installing this version. In-place upgrades of servers are not supported. Since Ubuntu's support for Ubuntu 14.04 has almost ended, everyone is encouraged to upgrade. + +Setup: + +* Mail-in-a-Box now targets Ubuntu 18.04 LTS, which will have support from Ubuntu through 2022. +* Some of the system packages updated in virtue of using Ubuntu 18.04 include postfix (2.11=>3.3) nsd (4.0=>4.1), nginx (1.4=>1.14), PHP (7.0=>7.2), Python (3.4=>3.6), fail2ban (0.8=>0.10), Duplicity (0.6=>0.7). 
+* [Unofficial Bash Strict Mode](http://redsymbol.net/articles/unofficial-bash-strict-mode/) is turned on for setup, which might catch previously uncaught issues during setup. + +Mail: + +* IMAP server-side full text search is no longer supported because we were using a custom-built `dovecot-lucene` package that we are no longer maintaining. +* Sending email is now disabled on port 25 --- you must log in to port 587 to send email. +* Greylisting may delay more emails from new senders. We were using a custom-built postgrey package previously that whitelisted sending domains in dnswl.org, but we are no longer maintaining that package. v0.30 (January 9, 2019) -----------------------
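Review bot: in the port 993 and 995 expected-output hunks (`@@ -286,13 +268,13 @@` and `@@ -366,13 +339,13 @@`) the `* Session Resumption:` result line (Session IDs NOT SUPPORTED, TLS ticket assigned but not accepted) is deleted and nothing replaces it, while the SSLV2 block that sits next to it is only moved. If the newer sslyze run no longer includes the resumption check, say so in the commit message; otherwise the expected output now silently drops a check the old file recorded, and a change in session-ticket behaviour on Dovecot would no longer fail the test. The three `DES-CBC3-SHA` rows removed from every TLS version list are consistent with `IE/8/XP` disappearing from `Supported Clients`, so those removals look intentional, but they should be called out where the cipher configuration changed rather than only in the test fixture.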
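Review bot: the `Mail:` list in the `@@ -4,9 +4,21 @@` CHANGELOG.md hunk omits the cipher-suite change visible in the sslyze expected-output hunks earlier in this series, where `DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA` and `EDH-RSA-DES-CBC3-SHA` are gone from the HTTPS, 993 and 995 lists and `IE/8/XP` drops out of `Supported Clients`; users on that client lose access and deserve a bullet next to the port 25 item, for example `* 3DES cipher suites are no longer offered, so very old clients such as IE 8 on Windows XP can no longer connect.` Two style nits in the `Setup:` bullet: "in virtue of" should read "by virtue of", and a comma is missing between `postfix (2.11=>3.3)` and `nsd (4.0=>4.1)`.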