mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-11-22 02:17:26 +00:00
merge branch 'ubuntu_bionic'
This commit is contained in:
commit
29e77d25fc
19
CHANGELOG.md
19
CHANGELOG.md
@ -1,6 +1,25 @@
|
|||||||
CHANGELOG
|
CHANGELOG
|
||||||
=========
|
=========
|
||||||
|
|
||||||
|
In Development
|
||||||
|
--------------
|
||||||
|
|
||||||
|
This is the first release for Ubuntu 18.04. This version and versions going forward can **only** be installed on Ubuntu 18.04; however, upgrades of existing Ubuntu 14.04 boxes to the latest version supporting Ubuntu 14.04 continue to work as normal.
|
||||||
|
|
||||||
|
When **upgrading**, you **must upgrade your existing Ubuntu 14.04 Mail-in-a-Box box** to the latest release supporting Ubuntu 14.04 --- that's v0.30 --- first. If you are running an older version of Mail-in-a-Box which has an old version of ownCloud or Nextcloud, you will *not* be able to upgrade your data because older versions of ownCloud and Nextcloud that are required to perform the upgrade *cannot* be run on Ubuntu 18.04. To upgrade from Ubuntu 14.04 to Ubuntu 18.04, you **must create a fresh Ubuntu 18.04 machine** before installing this version. In-place upgrades of servers are not supported. Since Ubuntu's support for Ubuntu 14.04 has almost ended, everyone is encouraged to upgrade.
|
||||||
|
|
||||||
|
Setup:
|
||||||
|
|
||||||
|
* Mail-in-a-Box now targets Ubuntu 18.04 LTS, which will have support from Ubuntu through 2022.
|
||||||
|
* Some of the system packages updated in virtue of using Ubuntu 18.04 include postfix (2.11=>3.3) nsd (4.0=>4.1), nginx (1.4=>1.14), PHP (7.0=>7.2), Python (3.4=>3.6), fail2ban (0.8=>0.10), Duplicity (0.6=>0.7).
|
||||||
|
* [Unofficial Bash Strict Mode](http://redsymbol.net/articles/unofficial-bash-strict-mode/) is turned on for setup, which might catch previously uncaught issues during setup.
|
||||||
|
|
||||||
|
Mail:
|
||||||
|
|
||||||
|
* IMAP server-side full text search is no longer supported because we were using a custom-built `dovecot-lucene` package that we are no longer maintaining.
|
||||||
|
* Sending email is now disabled on port 25 --- you must log in to port 587 to send email.
|
||||||
|
* Greylisting may delay more emails from new senders. We were using a custom-built postgrey package previously that whitelisted sending domains in dnswl.org, but we are no longer maintaining that package.
|
||||||
|
|
||||||
v0.30 (January 9, 2019)
|
v0.30 (January 9, 2019)
|
||||||
-----------------------
|
-----------------------
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ Additionally, this project has a [Code of Conduct](CODE_OF_CONDUCT.md), which su
|
|||||||
The Box
|
The Box
|
||||||
-------
|
-------
|
||||||
|
|
||||||
Mail-in-a-Box turns a fresh Ubuntu 14.04 LTS 64-bit machine into a working mail server by installing and configuring various components.
|
Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a working mail server by installing and configuring various components.
|
||||||
|
|
||||||
It is a one-click email appliance. There are no user-configurable setup options. It "just works".
|
It is a one-click email appliance. There are no user-configurable setup options. It "just works".
|
||||||
|
|
||||||
@ -37,7 +37,6 @@ The components installed are:
|
|||||||
It also includes:
|
It also includes:
|
||||||
|
|
||||||
* A control panel and API for adding/removing mail users, aliases, custom DNS records, etc. and detailed system monitoring.
|
* A control panel and API for adding/removing mail users, aliases, custom DNS records, etc. and detailed system monitoring.
|
||||||
* Our own builds of postgrey (adding better whitelisting) and dovecot-lucene (faster search for mail) distributed via the [Mail-in-a-Box PPA](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa) on Launchpad.
|
|
||||||
|
|
||||||
For more information on how Mail-in-a-Box handles your privacy, see the [security details page](security.md).
|
For more information on how Mail-in-a-Box handles your privacy, see the [security details page](security.md).
|
||||||
|
|
||||||
@ -46,7 +45,7 @@ Installation
|
|||||||
|
|
||||||
See the [setup guide](https://mailinabox.email/guide.html) for detailed, user-friendly instructions.
|
See the [setup guide](https://mailinabox.email/guide.html) for detailed, user-friendly instructions.
|
||||||
|
|
||||||
For experts, start with a completely fresh (really, I mean it) Ubuntu 14.04 LTS 64-bit machine. On the machine...
|
For experts, start with a completely fresh (really, I mean it) Ubuntu 18.04 LTS 64-bit machine. On the machine...
|
||||||
|
|
||||||
Clone this repository:
|
Clone this repository:
|
||||||
|
|
||||||
|
9
Vagrantfile
vendored
9
Vagrantfile
vendored
@ -2,14 +2,7 @@
|
|||||||
# vi: set ft=ruby :
|
# vi: set ft=ruby :
|
||||||
|
|
||||||
Vagrant.configure("2") do |config|
|
Vagrant.configure("2") do |config|
|
||||||
config.vm.box = "ubuntu14.04"
|
config.vm.box = "ubuntu/bionic64"
|
||||||
config.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box"
|
|
||||||
|
|
||||||
if Vagrant.has_plugin?("vagrant-cachier")
|
|
||||||
# Configure cached packages to be shared between instances of the same base box.
|
|
||||||
# More info on http://fgrehm.viewdocs.io/vagrant-cachier/usage
|
|
||||||
config.cache.scope = :box
|
|
||||||
end
|
|
||||||
|
|
||||||
# Network config: Since it's a mail server, the machine must be connected
|
# Network config: Since it's a mail server, the machine must be connected
|
||||||
# to the public web. However, we currently don't want to expose SSH since
|
# to the public web. However, we currently don't want to expose SSH since
|
||||||
|
10
conf/mailinabox.service
Normal file
10
conf/mailinabox.service
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Mail-in-a-Box System Management Service
|
||||||
|
After=multi-user.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=idle
|
||||||
|
ExecStart=/usr/local/lib/mailinabox/start
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
@ -1,135 +0,0 @@
|
|||||||
#! /bin/sh
|
|
||||||
### BEGIN INIT INFO
|
|
||||||
# Provides: mailinabox
|
|
||||||
# Required-Start: $all
|
|
||||||
# Required-Stop: $all
|
|
||||||
# Default-Start: 2 3 4 5
|
|
||||||
# Default-Stop: 0 1 6
|
|
||||||
# Short-Description: Start and stop the Mail-in-a-Box management daemon.
|
|
||||||
# Description: Start and stop the Mail-in-a-Box management daemon.
|
|
||||||
### END INIT INFO
|
|
||||||
|
|
||||||
# Adapted from http://blog.codefront.net/2007/06/11/nginx-php-and-a-php-fastcgi-daemon-init-script/
|
|
||||||
|
|
||||||
PATH=/sbin:/usr/sbin:/bin:/usr/bin
|
|
||||||
DESC="Mail-in-a-Box Management Daemon"
|
|
||||||
NAME=mailinabox
|
|
||||||
DAEMON=/usr/local/lib/mailinabox/start
|
|
||||||
PIDFILE=/var/run/$NAME.pid
|
|
||||||
SCRIPTNAME=/etc/init.d/$NAME
|
|
||||||
|
|
||||||
# Exit if the package is not installed
|
|
||||||
[ -x "$DAEMON" ] || exit 0
|
|
||||||
|
|
||||||
# Set defaults.
|
|
||||||
START=yes
|
|
||||||
EXEC_AS_USER=root
|
|
||||||
|
|
||||||
# Ensure Python reads/writes files in UTF-8. If the machine
|
|
||||||
# triggers some other locale in Python, like ASCII encoding,
|
|
||||||
# Python may not be able to read/write files. Set also
|
|
||||||
# setup/start.sh (where the locale is also installed if not
|
|
||||||
# already present) and management/daily_tasks.sh.
|
|
||||||
export LANGUAGE=en_US.UTF-8
|
|
||||||
export LC_ALL=en_US.UTF-8
|
|
||||||
export LANG=en_US.UTF-8
|
|
||||||
export LC_TYPE=en_US.UTF-8
|
|
||||||
|
|
||||||
# Read configuration variable file if it is present
|
|
||||||
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
|
|
||||||
|
|
||||||
# Load the VERBOSE setting and other rcS variables
|
|
||||||
. /lib/init/vars.sh
|
|
||||||
|
|
||||||
# Define LSB log_* functions.
|
|
||||||
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
|
|
||||||
. /lib/lsb/init-functions
|
|
||||||
|
|
||||||
# If the daemon is not enabled, give the user a warning and then exit,
|
|
||||||
# unless we are stopping the daemon
|
|
||||||
if [ "$START" != "yes" -a "$1" != "stop" ]; then
|
|
||||||
log_warning_msg "To enable $NAME, edit /etc/default/$NAME and set START=yes"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Process configuration
|
|
||||||
#export ...
|
|
||||||
DAEMON_ARGS=""
|
|
||||||
|
|
||||||
|
|
||||||
do_start()
|
|
||||||
{
|
|
||||||
# Return
|
|
||||||
# 0 if daemon has been started
|
|
||||||
# 1 if daemon was already running
|
|
||||||
# 2 if daemon could not be started
|
|
||||||
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|
|
||||||
|| return 1
|
|
||||||
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \
|
|
||||||
--background --make-pidfile --chuid $EXEC_AS_USER --startas $DAEMON -- \
|
|
||||||
$DAEMON_ARGS \
|
|
||||||
|| return 2
|
|
||||||
}
|
|
||||||
|
|
||||||
do_stop()
|
|
||||||
{
|
|
||||||
# Return
|
|
||||||
# 0 if daemon has been stopped
|
|
||||||
# 1 if daemon was already stopped
|
|
||||||
# 2 if daemon could not be stopped
|
|
||||||
# other if a failure occurred
|
|
||||||
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE > /dev/null # --name $DAEMON
|
|
||||||
RETVAL="$?"
|
|
||||||
[ "$RETVAL" = 2 ] && return 2
|
|
||||||
# Wait for children to finish too if this is a daemon that forks
|
|
||||||
# and if the daemon is only ever run from this initscript.
|
|
||||||
# If the above conditions are not satisfied then add some other code
|
|
||||||
# that waits for the process to drop all resources that could be
|
|
||||||
# needed by services started subsequently. A last resort is to
|
|
||||||
# sleep for some time.
|
|
||||||
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
|
|
||||||
[ "$?" = 2 ] && return 2
|
|
||||||
# Many daemons don't delete their pidfiles when they exit.
|
|
||||||
rm -f $PIDFILE
|
|
||||||
return "$RETVAL"
|
|
||||||
}
|
|
||||||
case "$1" in
|
|
||||||
start)
|
|
||||||
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
|
|
||||||
do_start
|
|
||||||
case "$?" in
|
|
||||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
|
||||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
stop)
|
|
||||||
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
|
|
||||||
do_stop
|
|
||||||
case "$?" in
|
|
||||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
|
||||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
restart|force-reload)
|
|
||||||
log_daemon_msg "Restarting $DESC" "$NAME"
|
|
||||||
do_stop
|
|
||||||
case "$?" in
|
|
||||||
0|1)
|
|
||||||
do_start
|
|
||||||
case "$?" in
|
|
||||||
0) log_end_msg 0 ;;
|
|
||||||
1) log_end_msg 1 ;; # Old process is still running
|
|
||||||
*) log_end_msg 1 ;; # Failed to start
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
# Failed to stop
|
|
||||||
log_end_msg 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
|
|
||||||
exit 3
|
|
||||||
;;
|
|
||||||
esac
|
|
10
conf/munin.service
Normal file
10
conf/munin.service
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Munin System Monitoring Startup Script
|
||||||
|
After=multi-user.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=idle
|
||||||
|
ExecStart=/usr/local/lib/mailinabox/munin_start.sh
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
@ -1,76 +1,20 @@
|
|||||||
# from https://gist.github.com/konklone/6532544 and https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
# We track the Mozilla "intermediate" compatibility TLS recommendations.
|
||||||
###################################################################################################################
|
# Note that these settings are repeated in the SMTP and IMAP configuration.
|
||||||
|
# ssl_protocols has moved to nginx.conf in bionic, check there for enabled protocols.
|
||||||
# Basically the nginx configuration I use at konklone.com.
|
|
||||||
# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
|
|
||||||
#
|
|
||||||
# To provide feedback, please tweet at @konklone or email eric@konklone.com.
|
|
||||||
# Comments on gists don't notify the author.
|
|
||||||
#
|
|
||||||
# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
|
|
||||||
# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.
|
|
||||||
|
|
||||||
# Path to certificate and private key.
|
|
||||||
# The .crt may omit the root CA cert, if it's a standard CA that ships with clients.
|
|
||||||
#ssl_certificate /path/to/unified.crt;
|
|
||||||
#ssl_certificate_key /path/to/my-private-decrypted.key;
|
|
||||||
|
|
||||||
# Tell browsers to require SSL (warning: difficult to change your mind)
|
|
||||||
# Handled by the management daemon because we can toggle this version or a
|
|
||||||
# preload version.
|
|
||||||
#add_header Strict-Transport-Security max-age=31536000;
|
|
||||||
|
|
||||||
# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
|
|
||||||
#
|
|
||||||
# Forces forward secrecy in all browsers and clients that can use TLS,
|
|
||||||
# but with a small exception (DES-CBC3-SHA) for IE8/XP users.
|
|
||||||
#
|
|
||||||
# Reference client: https://www.ssllabs.com/ssltest/analyze.html
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||||
|
ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
|
||||||
|
|
||||||
# Cut out (the old, broken) SSLv3 entirely.
|
|
||||||
# This **excludes IE6 users** and (apparently) Yandexbot.
|
|
||||||
# Just comment out if you need to support IE6, bless your soul.
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
|
|
||||||
|
|
||||||
# Turn on session resumption, using a cache shared across nginx processes,
|
|
||||||
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
|
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
|
||||||
ssl_session_cache shared:SSL:50m;
|
ssl_session_cache shared:SSL:50m;
|
||||||
ssl_session_timeout 1d;
|
ssl_session_timeout 1d;
|
||||||
#keepalive_timeout 70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good
|
|
||||||
|
|
||||||
# Buffer size of 1400 bytes fits in one MTU.
|
# Buffer size of 1400 bytes fits in one MTU.
|
||||||
# nginx 1.5.9+ ONLY
|
# nginx 1.5.9+ ONLY
|
||||||
#ssl_buffer_size 1400;
|
ssl_buffer_size 1400;
|
||||||
|
|
||||||
# SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6.
|
|
||||||
#
|
|
||||||
# BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3.
|
|
||||||
# Disable with 0, until using a version of nginx with SPDY 4.
|
|
||||||
spdy_headers_comp 0;
|
|
||||||
|
|
||||||
# Now let's really get fancy, and pre-generate a 2048 bit random parameter
|
|
||||||
# for DH elliptic curves. If not created and specified, default is only 1024 bits.
|
|
||||||
#
|
|
||||||
# Generated by OpenSSL with the following command:
|
|
||||||
# openssl dhparam -outform pem -out dhparam2048.pem 2048
|
|
||||||
#
|
|
||||||
# Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
|
|
||||||
ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
|
|
||||||
|
|
||||||
|
|
||||||
# OCSP stapling - means nginx will poll the CA for signed OCSP responses,
|
|
||||||
# and send them to clients so clients don't make their own OCSP calls.
|
|
||||||
# http://en.wikipedia.org/wiki/OCSP_stapling
|
|
||||||
#
|
|
||||||
# while the ssl_certificate above may omit the root cert if the CA is trusted,
|
|
||||||
# ssl_trusted_certificate below must point to a chain of **all** certs
|
|
||||||
# in the trust path - (your cert, intermediary certs, root cert)
|
|
||||||
#
|
|
||||||
# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
|
|
||||||
# nginx will use them to talk to the CA.
|
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
resolver 127.0.0.1 valid=86400;
|
resolver 127.0.0.1 valid=86400;
|
||||||
resolver_timeout 10;
|
resolver_timeout 10;
|
||||||
|
|
||||||
|
# h/t https://gist.github.com/konklone/6532544
|
||||||
|
@ -7,6 +7,6 @@
|
|||||||
## your own --- please do not ask for help from us.
|
## your own --- please do not ask for help from us.
|
||||||
|
|
||||||
upstream php-fpm {
|
upstream php-fpm {
|
||||||
server unix:/var/run/php/php7.0-fpm.sock;
|
server unix:/var/run/php/php7.2-fpm.sock;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -31,8 +31,8 @@ server {
|
|||||||
|
|
||||||
# The secure HTTPS server.
|
# The secure HTTPS server.
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
server_name $HOSTNAME;
|
server_name $HOSTNAME;
|
||||||
|
|
||||||
|
@ -20,20 +20,17 @@ rsync_ssh_options = [
|
|||||||
]
|
]
|
||||||
|
|
||||||
def backup_status(env):
|
def backup_status(env):
|
||||||
# Root folder
|
# If backups are dissbled, return no status.
|
||||||
backup_root = os.path.join(env["STORAGE_ROOT"], 'backup')
|
|
||||||
|
|
||||||
# What is the current status of backups?
|
|
||||||
# Query duplicity to get a list of all backups.
|
|
||||||
# Use the number of volumes to estimate the size.
|
|
||||||
config = get_backup_config(env)
|
config = get_backup_config(env)
|
||||||
now = datetime.datetime.now(dateutil.tz.tzlocal())
|
|
||||||
|
|
||||||
# Are backups dissbled?
|
|
||||||
if config["target"] == "off":
|
if config["target"] == "off":
|
||||||
return { }
|
return { }
|
||||||
|
|
||||||
|
# Query duplicity to get a list of all full and incremental
|
||||||
|
# backups available.
|
||||||
|
|
||||||
backups = { }
|
backups = { }
|
||||||
|
now = datetime.datetime.now(dateutil.tz.tzlocal())
|
||||||
|
backup_root = os.path.join(env["STORAGE_ROOT"], 'backup')
|
||||||
backup_cache_dir = os.path.join(backup_root, 'cache')
|
backup_cache_dir = os.path.join(backup_root, 'cache')
|
||||||
|
|
||||||
def reldate(date, ref, clip):
|
def reldate(date, ref, clip):
|
||||||
@ -58,7 +55,7 @@ def backup_status(env):
|
|||||||
"date_delta": reldate(date, now, "the future?"),
|
"date_delta": reldate(date, now, "the future?"),
|
||||||
"full": keys[0] == "full",
|
"full": keys[0] == "full",
|
||||||
"size": 0, # collection-status doesn't give us the size
|
"size": 0, # collection-status doesn't give us the size
|
||||||
"volumes": keys[2], # number of archive volumes for this backup (not really helpful)
|
"volumes": int(keys[2]), # number of archive volumes for this backup (not really helpful)
|
||||||
}
|
}
|
||||||
|
|
||||||
code, collection_status = shell('check_output', [
|
code, collection_status = shell('check_output', [
|
||||||
@ -80,12 +77,20 @@ def backup_status(env):
|
|||||||
backup = parse_line(line)
|
backup = parse_line(line)
|
||||||
backups[backup["date"]] = backup
|
backups[backup["date"]] = backup
|
||||||
|
|
||||||
# Look at the target to get the sizes of each of the backups. There is more than one file per backup.
|
# Look at the target directly to get the sizes of each of the backups. There is more than one file per backup.
|
||||||
|
# Starting with duplicity in Ubuntu 18.04, "signatures" files have dates in their
|
||||||
|
# filenames that are a few seconds off the backup date and so don't line up
|
||||||
|
# with the list of backups we have. Track unmatched files so we know how much other
|
||||||
|
# space is used for those.
|
||||||
|
unmatched_file_size = 0
|
||||||
for fn, size in list_target_files(config):
|
for fn, size in list_target_files(config):
|
||||||
m = re.match(r"duplicity-(full|full-signatures|(inc|new-signatures)\.(?P<incbase>\d+T\d+Z)\.to)\.(?P<date>\d+T\d+Z)\.", fn)
|
m = re.match(r"duplicity-(full|full-signatures|(inc|new-signatures)\.(?P<incbase>\d+T\d+Z)\.to)\.(?P<date>\d+T\d+Z)\.", fn)
|
||||||
if not m: continue # not a part of a current backup chain
|
if not m: continue # not a part of a current backup chain
|
||||||
key = m.group("date")
|
key = m.group("date")
|
||||||
backups[key]["size"] += size
|
if key in backups:
|
||||||
|
backups[key]["size"] += size
|
||||||
|
else:
|
||||||
|
unmatched_file_size += size
|
||||||
|
|
||||||
# Ensure the rows are sorted reverse chronologically.
|
# Ensure the rows are sorted reverse chronologically.
|
||||||
# This is relied on by should_force_full() and the next step.
|
# This is relied on by should_force_full() and the next step.
|
||||||
@ -148,6 +153,7 @@ def backup_status(env):
|
|||||||
|
|
||||||
return {
|
return {
|
||||||
"backups": backups,
|
"backups": backups,
|
||||||
|
"unmatched_file_size": unmatched_file_size,
|
||||||
}
|
}
|
||||||
|
|
||||||
def should_force_full(config, env):
|
def should_force_full(config, env):
|
||||||
@ -220,32 +226,6 @@ def perform_backup(full_backup):
|
|||||||
if config["target"] == "off":
|
if config["target"] == "off":
|
||||||
return
|
return
|
||||||
|
|
||||||
# In an older version of this script, duplicity was called
|
|
||||||
# such that it did not encrypt the backups it created (in
|
|
||||||
# backup/duplicity), and instead openssl was called separately
|
|
||||||
# after each backup run, creating AES256 encrypted copies of
|
|
||||||
# each file created by duplicity in backup/encrypted.
|
|
||||||
#
|
|
||||||
# We detect the transition by the presence of backup/duplicity
|
|
||||||
# and handle it by 'dupliception': we move all the old *un*encrypted
|
|
||||||
# duplicity files up out of the backup/duplicity directory (as
|
|
||||||
# backup/ is excluded from duplicity runs) in order that it is
|
|
||||||
# included in the next run, and we delete backup/encrypted (which
|
|
||||||
# duplicity will output files directly to, post-transition).
|
|
||||||
old_backup_dir = os.path.join(backup_root, 'duplicity')
|
|
||||||
migrated_unencrypted_backup_dir = os.path.join(env["STORAGE_ROOT"], "migrated_unencrypted_backup")
|
|
||||||
if os.path.isdir(old_backup_dir):
|
|
||||||
# Move the old unencrypted files to a new location outside of
|
|
||||||
# the backup root so they get included in the next (new) backup.
|
|
||||||
# Then we'll delete them. Also so that they do not get in the
|
|
||||||
# way of duplicity doing a full backup on the first run after
|
|
||||||
# we take care of this.
|
|
||||||
shutil.move(old_backup_dir, migrated_unencrypted_backup_dir)
|
|
||||||
|
|
||||||
# The backup_dir (backup/encrypted) now has a new purpose.
|
|
||||||
# Clear it out.
|
|
||||||
shutil.rmtree(backup_dir)
|
|
||||||
|
|
||||||
# On the first run, always do a full backup. Incremental
|
# On the first run, always do a full backup. Incremental
|
||||||
# will fail. Otherwise do a full backup when the size of
|
# will fail. Otherwise do a full backup when the size of
|
||||||
# the increments since the most recent full backup are
|
# the increments since the most recent full backup are
|
||||||
@ -267,7 +247,7 @@ def perform_backup(full_backup):
|
|||||||
if quit:
|
if quit:
|
||||||
sys.exit(code)
|
sys.exit(code)
|
||||||
|
|
||||||
service_command("php7.0-fpm", "stop", quit=True)
|
service_command("php7.2-fpm", "stop", quit=True)
|
||||||
service_command("postfix", "stop", quit=True)
|
service_command("postfix", "stop", quit=True)
|
||||||
service_command("dovecot", "stop", quit=True)
|
service_command("dovecot", "stop", quit=True)
|
||||||
|
|
||||||
@ -301,11 +281,7 @@ def perform_backup(full_backup):
|
|||||||
# Start services again.
|
# Start services again.
|
||||||
service_command("dovecot", "start", quit=False)
|
service_command("dovecot", "start", quit=False)
|
||||||
service_command("postfix", "start", quit=False)
|
service_command("postfix", "start", quit=False)
|
||||||
service_command("php7.0-fpm", "start", quit=False)
|
service_command("php7.2-fpm", "start", quit=False)
|
||||||
|
|
||||||
# Once the migrated backup is included in a new backup, it can be deleted.
|
|
||||||
if os.path.isdir(migrated_unencrypted_backup_dir):
|
|
||||||
shutil.rmtree(migrated_unencrypted_backup_dir)
|
|
||||||
|
|
||||||
# Remove old backups. This deletes all backup data no longer needed
|
# Remove old backups. This deletes all backup data no longer needed
|
||||||
# from more than 3 days ago.
|
# from more than 3 days ago.
|
||||||
@ -556,8 +532,7 @@ if __name__ == "__main__":
|
|||||||
run_duplicity_verification()
|
run_duplicity_verification()
|
||||||
|
|
||||||
elif sys.argv[-1] == "--list":
|
elif sys.argv[-1] == "--list":
|
||||||
# Run duplicity's verification command to check a) the backup files
|
# List the saved backup files.
|
||||||
# are readable, and b) report if they are up to date.
|
|
||||||
for fn, size in list_target_files(get_backup_config(load_environment())):
|
for fn, size in list_target_files(get_backup_config(load_environment())):
|
||||||
print("{}\t{}".format(fn, size))
|
print("{}\t{}".format(fn, size))
|
||||||
|
|
||||||
@ -565,6 +540,7 @@ if __name__ == "__main__":
|
|||||||
# Show backup status.
|
# Show backup status.
|
||||||
ret = backup_status(load_environment())
|
ret = backup_status(load_environment())
|
||||||
print(rtyaml.dump(ret["backups"]))
|
print(rtyaml.dump(ret["backups"]))
|
||||||
|
print("Storage for unmatched files:", ret["unmatched_file_size"])
|
||||||
|
|
||||||
elif len(sys.argv) >= 2 and sys.argv[1] == "--restore":
|
elif len(sys.argv) >= 2 and sys.argv[1] == "--restore":
|
||||||
# Run duplicity restore. Rest of command line passed as arguments
|
# Run duplicity restore. Rest of command line passed as arguments
|
||||||
|
@ -572,7 +572,7 @@ def munin_cgi(filename):
|
|||||||
|
|
||||||
if code != 0:
|
if code != 0:
|
||||||
# nonzero returncode indicates error
|
# nonzero returncode indicates error
|
||||||
app.logger.error("munin_cgi: munin-cgi-graph returned nonzero exit code, %s", process.returncode)
|
app.logger.error("munin_cgi: munin-cgi-graph returned nonzero exit code, %s", code)
|
||||||
return ("error processing graph image", 500)
|
return ("error processing graph image", 500)
|
||||||
|
|
||||||
# /usr/lib/munin/cgi/munin-cgi-graph returns both headers and binary png when successful.
|
# /usr/lib/munin/cgi/munin-cgi-graph returns both headers and binary png when successful.
|
||||||
|
@ -354,19 +354,20 @@ def build_sshfp_records():
|
|||||||
# Get our local fingerprints by running ssh-keyscan. The output looks
|
# Get our local fingerprints by running ssh-keyscan. The output looks
|
||||||
# like the known_hosts file: hostname, keytype, fingerprint. The order
|
# like the known_hosts file: hostname, keytype, fingerprint. The order
|
||||||
# of the output is arbitrary, so sort it to prevent spurrious updates
|
# of the output is arbitrary, so sort it to prevent spurrious updates
|
||||||
# to the zone file (that trigger bumping the serial number).
|
# to the zone file (that trigger bumping the serial number). However,
|
||||||
|
# if SSH has been configured to listen on a nonstandard port, we must
|
||||||
# scan the sshd_config and find the ssh ports (port 22 may be closed)
|
# specify that port to sshkeyscan.
|
||||||
|
port = 22
|
||||||
with open('/etc/ssh/sshd_config', 'r') as f:
|
with open('/etc/ssh/sshd_config', 'r') as f:
|
||||||
ports = []
|
for line in f:
|
||||||
t = f.readlines()
|
s = line.rstrip().split()
|
||||||
for line in t:
|
|
||||||
s = line.split()
|
|
||||||
if len(s) == 2 and s[0] == 'Port':
|
if len(s) == 2 and s[0] == 'Port':
|
||||||
ports = ports + [s[1]]
|
try:
|
||||||
# the keys are the same at each port, so we only need to get
|
port = int(s[1])
|
||||||
# them at the first port found (may not be port 22)
|
except ValueError:
|
||||||
keys = shell("check_output", ["ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p", ports[0], "localhost"])
|
pass
|
||||||
|
break
|
||||||
|
keys = shell("check_output", ["ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p", str(port), "localhost"])
|
||||||
for key in sorted(keys.split("\n")):
|
for key in sorted(keys.split("\n")):
|
||||||
if key.strip() == "" or key[0] == "#": continue
|
if key.strip() == "" or key[0] == "#": continue
|
||||||
try:
|
try:
|
||||||
|
2
management/munin_start.sh
Executable file
2
management/munin_start.sh
Executable file
@ -0,0 +1,2 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
mkdir -p /var/run/munin && chown munin /var/run/munin
|
@ -28,7 +28,6 @@ def get_services():
|
|||||||
{ "name": "Spamassassin", "port": 10025, "public": False, },
|
{ "name": "Spamassassin", "port": 10025, "public": False, },
|
||||||
{ "name": "OpenDKIM", "port": 8891, "public": False, },
|
{ "name": "OpenDKIM", "port": 8891, "public": False, },
|
||||||
{ "name": "OpenDMARC", "port": 8893, "public": False, },
|
{ "name": "OpenDMARC", "port": 8893, "public": False, },
|
||||||
{ "name": "Memcached", "port": 11211, "public": False, },
|
|
||||||
{ "name": "Mail-in-a-Box Management Daemon", "port": 10222, "public": False, },
|
{ "name": "Mail-in-a-Box Management Daemon", "port": 10222, "public": False, },
|
||||||
{ "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, },
|
{ "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, },
|
||||||
{ "name": "Public DNS (nsd4)", "port": 53, "public": True, },
|
{ "name": "Public DNS (nsd4)", "port": 53, "public": True, },
|
||||||
|
@ -200,6 +200,7 @@ function show_system_backup() {
|
|||||||
total_disk_size += b.size;
|
total_disk_size += b.size;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
total_disk_size += r.unmatched_file_size;
|
||||||
$('#backup-total-size').text(nice_size(total_disk_size));
|
$('#backup-total-size').text(nice_size(total_disk_size));
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
62
ppa/Makefile
62
ppa/Makefile
@ -1,62 +0,0 @@
|
|||||||
POSTGREY_VERSION=1.35-1+miab1
|
|
||||||
DOVECOT_VERSION=2.2.9-1ubuntu2.1+miab1
|
|
||||||
|
|
||||||
all: clean build_postgrey build_dovecot_lucene
|
|
||||||
|
|
||||||
clean:
|
|
||||||
# Clean.
|
|
||||||
rm -rf /tmp/build
|
|
||||||
mkdir -p /tmp/build
|
|
||||||
|
|
||||||
build_postgrey: clean
|
|
||||||
# Download the latest Debian postgrey package. It is ahead of Ubuntu,
|
|
||||||
# and we might as well jump ahead.
|
|
||||||
git clone git://git.debian.org/git/collab-maint/postgrey.git /tmp/build/postgrey
|
|
||||||
|
|
||||||
# Download the corresponding upstream package.
|
|
||||||
wget -O /tmp/build/postgrey_1.35.orig.tar.gz http://postgrey.schweikert.ch/pub/old/postgrey-1.35.tar.gz
|
|
||||||
|
|
||||||
# Add our source patch to the debian packaging listing.
|
|
||||||
cp postgrey_sources.diff /tmp/build/postgrey/debian/patches/mailinabox
|
|
||||||
|
|
||||||
# Patch the packaging to give it a new version.
|
|
||||||
patch -p1 -d /tmp/build/postgrey < postgrey.diff
|
|
||||||
|
|
||||||
# Build the source package.
|
|
||||||
(cd /tmp/build/postgrey; dpkg-buildpackage -S -us -uc -nc)
|
|
||||||
|
|
||||||
# Sign the packages.
|
|
||||||
debsign /tmp/build/postgrey_$(POSTGREY_VERSION)_source.changes
|
|
||||||
|
|
||||||
# Upload to PPA.
|
|
||||||
dput ppa:mail-in-a-box/ppa /tmp/build/postgrey_$(POSTGREY_VERSION)_source.changes
|
|
||||||
|
|
||||||
# Clear the intermediate files.
|
|
||||||
rm -rf /tmp/build/postgrey
|
|
||||||
|
|
||||||
# TESTING BINARY PACKAGE
|
|
||||||
#sudo apt-get build-dep -y postgrey
|
|
||||||
#(cd /tmp/build/postgrey; dpkg-buildpackage -us -uc -nc)
|
|
||||||
|
|
||||||
build_dovecot_lucene: clean
|
|
||||||
# Get the upstream source.
|
|
||||||
(cd /tmp/build; apt-get source dovecot)
|
|
||||||
|
|
||||||
# Patch it so that we build dovecot-lucene (and nothing else).
|
|
||||||
patch -p1 -d /tmp/build/dovecot-2.2.9 < dovecot_lucene.diff
|
|
||||||
|
|
||||||
# Build the source package.
|
|
||||||
(cd /tmp/build/dovecot-2.2.9; dpkg-buildpackage -S -us -uc -nc)
|
|
||||||
|
|
||||||
# Sign the packages.
|
|
||||||
debsign /tmp/build/dovecot_$(DOVECOT_VERSION)_source.changes
|
|
||||||
|
|
||||||
# Upload it.
|
|
||||||
dput ppa:mail-in-a-box/ppa /tmp/build/dovecot_$(DOVECOT_VERSION)_source.changes
|
|
||||||
|
|
||||||
# TESTING BINARY PACKAGE
|
|
||||||
# Install build dependencies and build dependencies we've added in our patch,
|
|
||||||
# and then build the binary package.
|
|
||||||
#sudo apt-get build-dep -y dovecot
|
|
||||||
#sudo apt-get install libclucene-dev liblzma-dev libexttextcat-dev libstemmer-dev
|
|
||||||
#(cd /tmp/build/dovecot-2.2.9; dpkg-buildpackage -us -uc -nc)
|
|
@ -1,40 +0,0 @@
|
|||||||
ppa instructions
|
|
||||||
================
|
|
||||||
|
|
||||||
Mail-in-a-Box maintains a Launchpad.net PPA ([Mail-in-a-Box PPA](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa)) for additional deb's that we want to have installed on systems.
|
|
||||||
|
|
||||||
Packages
|
|
||||||
--------
|
|
||||||
|
|
||||||
* postgrey, a fork of [postgrey](http://postgrey.schweikert.ch/) based on the [latest Debian package](http://git.debian.org/?p=collab-maint/postgrey.git), with a modification to whitelist senders that are whitelisted by [dnswl.org](https://www.dnswl.org/) (i.e. don't greylist mail from known good senders).
|
|
||||||
|
|
||||||
* dovecot-lucene, [dovecot's lucene full text search plugin](http://wiki2.dovecot.org/Plugins/FTS/Lucene), which isn't built by Ubuntu's dovecot package maintainer unfortunately.
|
|
||||||
|
|
||||||
Building
|
|
||||||
--------
|
|
||||||
|
|
||||||
To rebuild the packages in the PPA, you'll need to be @JoshData.
|
|
||||||
|
|
||||||
First:
|
|
||||||
|
|
||||||
* You should have an account on Launchpad.net.
|
|
||||||
* Your account should have your GPG key set (to the fingerprint of a GPG key on your system matching the identity at the top of the debian/changelog files).
|
|
||||||
* You should have write permission to the PPA.
|
|
||||||
|
|
||||||
To build:
|
|
||||||
|
|
||||||
# Start a clean VM.
|
|
||||||
vagrant up
|
|
||||||
|
|
||||||
# Put your signing keys (on the host machine) into the VM (so it can sign the debs).
|
|
||||||
gpg --export-secret-keys | vagrant ssh -- gpg --import
|
|
||||||
|
|
||||||
# Build & upload to launchpad.
|
|
||||||
vagrant ssh -- "cd /vagrant && make"
|
|
||||||
|
|
||||||
Mail-in-a-Box adds our PPA during setup, but if you need to do that yourself for testing:
|
|
||||||
|
|
||||||
apt-add-repository ppa:mail-in-a-box/ppa
|
|
||||||
apt-get update
|
|
||||||
apt-get install postgrey dovecot-lucene
|
|
||||||
|
|
12
ppa/Vagrantfile
vendored
12
ppa/Vagrantfile
vendored
@ -1,12 +0,0 @@
|
|||||||
# -*- mode: ruby -*-
|
|
||||||
# vi: set ft=ruby :
|
|
||||||
|
|
||||||
Vagrant.configure("2") do |config|
|
|
||||||
config.vm.box = "ubuntu14.04"
|
|
||||||
config.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box"
|
|
||||||
|
|
||||||
config.vm.provision :shell, :inline => <<-SH
|
|
||||||
sudo apt-get update
|
|
||||||
sudo apt-get install -y git dpkg-dev devscripts dput
|
|
||||||
SH
|
|
||||||
end
|
|
@ -1,319 +0,0 @@
|
|||||||
--- a/debian/control
|
|
||||||
+++ b/debian/control
|
|
||||||
@@ -1,210 +1,23 @@
|
|
||||||
Source: dovecot
|
|
||||||
Section: mail
|
|
||||||
Priority: optional
|
|
||||||
-Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
|
|
||||||
-XSBC-Original-Maintainer: Dovecot Maintainers <jaldhar-dovecot@debian.org>
|
|
||||||
-Uploaders: Jaldhar H. Vyas <jaldhar@debian.org>, Fabio Tranchitella <kobold@debian.org>, Joel Johnson <mrjoel@lixil.net>, Marco Nenciarini <mnencia@debian.org>
|
|
||||||
-Build-Depends: debhelper (>= 7.2.3~), dpkg-dev (>= 1.16.1), pkg-config, libssl-dev, libpam0g-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libsqlite3-dev, libsasl2-dev, zlib1g-dev, libkrb5-dev, drac-dev (>= 1.12-5), libbz2-dev, libdb-dev, libcurl4-gnutls-dev, libexpat-dev, libwrap0-dev, dh-systemd, po-debconf, lsb-release, hardening-wrapper, dh-autoreconf, autotools-dev
|
|
||||||
+Maintainer: Joshua Tauberer <jt@occams.info>
|
|
||||||
+XSBC-Original-Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
|
|
||||||
+Build-Depends: debhelper (>= 7.2.3~), dpkg-dev (>= 1.16.1), pkg-config, libssl-dev, libpam0g-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libsqlite3-dev, libsasl2-dev, zlib1g-dev, libkrb5-dev, drac-dev (>= 1.12-5), libbz2-dev, libdb-dev, libcurl4-gnutls-dev, libexpat-dev, libwrap0-dev, dh-systemd, po-debconf, lsb-release, libclucene-dev (>= 2.3), liblzma-dev, libexttextcat-dev, libstemmer-dev, hardening-wrapper, dh-autoreconf, autotools-dev
|
|
||||||
Standards-Version: 3.9.4
|
|
||||||
Homepage: http://dovecot.org/
|
|
||||||
-Vcs-Git: git://git.debian.org/git/collab-maint/dovecot.git
|
|
||||||
-Vcs-Browser: http://git.debian.org/?p=collab-maint/dovecot.git
|
|
||||||
+Vcs-Git: https://github.com/mail-in-a-box/mailinabox
|
|
||||||
+Vcs-Browser: https://github.com/mail-in-a-box/mailinabox
|
|
||||||
|
|
||||||
-Package: dovecot-core
|
|
||||||
+Package: dovecot-lucene
|
|
||||||
Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime (>= 0.76-13.1), openssl, adduser, ucf (>= 2.0020), ssl-cert (>= 1.0-11ubuntu1), lsb-base (>= 3.2-12ubuntu3)
|
|
||||||
-Suggests: ntp, dovecot-gssapi, dovecot-sieve, dovecot-pgsql, dovecot-mysql, dovecot-sqlite, dovecot-ldap, dovecot-imapd, dovecot-pop3d, dovecot-lmtpd, dovecot-managesieved, dovecot-solr, ufw
|
|
||||||
-Recommends: ntpdate
|
|
||||||
-Provides: dovecot-common
|
|
||||||
-Replaces: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4)
|
|
||||||
-Breaks: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4)
|
|
||||||
-Description: secure POP3/IMAP server - core files
|
|
||||||
+Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (>= 1:2.2.9-1ubuntu2.1)
|
|
||||||
+Description: secure POP3/IMAP server - Lucene support
|
|
||||||
Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
fast, extensible, and portable.
|
|
||||||
.
|
|
||||||
- This package contains the Dovecot main server and its command line utility.
|
|
||||||
-
|
|
||||||
-Package: dovecot-dev
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version})
|
|
||||||
-Replaces: dovecot-common (<< 1:2.0.14-2~)
|
|
||||||
-Breaks: dovecot-common (<< 1:2.0.14-2~)
|
|
||||||
-Description: secure POP3/IMAP server - header files
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package contains header files needed to compile plugins for the Dovecot
|
|
||||||
- mail server.
|
|
||||||
-
|
|
||||||
-Package: dovecot-imapd
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020)
|
|
||||||
-Provides: imap-server
|
|
||||||
-Description: secure POP3/IMAP server - IMAP daemon
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package contains the Dovecot IMAP server.
|
|
||||||
-
|
|
||||||
-Package: dovecot-pop3d
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020)
|
|
||||||
-Provides: pop3-server
|
|
||||||
-Description: secure POP3/IMAP server - POP3 daemon
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package contains the Dovecot POP3 server.
|
|
||||||
-
|
|
||||||
-Package: dovecot-lmtpd
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020)
|
|
||||||
-Replaces: dovecot-common (<< 1:2.0.14-2~)
|
|
||||||
-Breaks: dovecot-common (<< 1:2.0.14-2~)
|
|
||||||
-Description: secure POP3/IMAP server - LMTP server
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package contains the Dovecot LMTP server.
|
|
||||||
-
|
|
||||||
-Package: dovecot-managesieved
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), dovecot-sieve (= ${binary:Version}), ucf (>= 2.0020)
|
|
||||||
-Replaces: dovecot-common (<< 1:2.0.14-2~)
|
|
||||||
-Breaks: dovecot-common (<< 1:2.0.14-2~)
|
|
||||||
-Description: secure POP3/IMAP server - ManageSieve server
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package contains the Dovecot ManageSieve server.
|
|
||||||
-
|
|
||||||
-Package: dovecot-pgsql
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version})
|
|
||||||
-Description: secure POP3/IMAP server - PostgreSQL support
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package provides PostgreSQL support for Dovecot.
|
|
||||||
-
|
|
||||||
-Package: dovecot-mysql
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version})
|
|
||||||
-Description: secure POP3/IMAP server - MySQL support
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package provides MySQL support for Dovecot.
|
|
||||||
-
|
|
||||||
-Package: dovecot-sqlite
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version})
|
|
||||||
-Description: secure POP3/IMAP server - SQLite support
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package provides SQLite support for Dovecot.
|
|
||||||
-
|
|
||||||
-Package: dovecot-ldap
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020)
|
|
||||||
-Description: secure POP3/IMAP server - LDAP support
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package provides LDAP support for Dovecot.
|
|
||||||
-
|
|
||||||
-Package: dovecot-gssapi
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version})
|
|
||||||
-Description: secure POP3/IMAP server - GSSAPI support
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package provides GSSAPI authentication support for Dovecot.
|
|
||||||
-
|
|
||||||
-Package: dovecot-sieve
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version}), ucf (>= 2.0020)
|
|
||||||
-Description: secure POP3/IMAP server - Sieve filters support
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package provides Sieve filters support for Dovecot.
|
|
||||||
-
|
|
||||||
-Package: dovecot-solr
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, dovecot-core (= ${binary:Version})
|
|
||||||
-Description: secure POP3/IMAP server - Solr support
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package provides Solr full text search support for Dovecot.
|
|
||||||
-
|
|
||||||
-Package: dovecot-dbg
|
|
||||||
-Section: debug
|
|
||||||
-Priority: extra
|
|
||||||
-Architecture: any
|
|
||||||
-Depends: ${misc:Depends}, dovecot-core (= ${binary:Version})
|
|
||||||
-Description: secure POP3/IMAP server - debug symbols
|
|
||||||
- Dovecot is a mail server whose major goals are security and extreme
|
|
||||||
- reliability. It tries very hard to handle all error conditions and verify
|
|
||||||
- that all data is valid, making it nearly impossible to crash. It supports
|
|
||||||
- mbox/Maildir and its own dbox/mdbox formats, and should also be pretty
|
|
||||||
- fast, extensible, and portable.
|
|
||||||
- .
|
|
||||||
- This package contains debug symbols for Dovecot.
|
|
||||||
-
|
|
||||||
-Package: mail-stack-delivery
|
|
||||||
-Architecture: all
|
|
||||||
-Depends: dovecot-core, dovecot-imapd, dovecot-pop3d, dovecot-managesieved,
|
|
||||||
- postfix, ${misc:Depends}
|
|
||||||
-Replaces: dovecot-postfix (<< 1:1.2.12-0ubuntu1~)
|
|
||||||
-Description: mail server delivery agent stack provided by Ubuntu server team
|
|
||||||
- Ubuntu's mail stack provides fully operational delivery with
|
|
||||||
- safe defaults and additional options. Out of the box it supports IMAP,
|
|
||||||
- POP3 and SMTP services with SASL authentication and Maildir as default
|
|
||||||
- storage engine.
|
|
||||||
- .
|
|
||||||
- This package contains configuration files for dovecot.
|
|
||||||
- .
|
|
||||||
- This package modifies postfix's configuration to integrate with dovecot
|
|
||||||
+ This package provides Lucene full text search support for Dovecot. It has been modified by Mail-in-a-Box
|
|
||||||
+ to supply a dovecot-lucene package compatible with the official ubuntu trusty dovecot-core.
|
|
||||||
|
|
||||||
diff --git a/debian/dovecot-lucene.links b/debian/dovecot-lucene.links
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..6ffcbeb
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/debian/dovecot-lucene.links
|
|
||||||
@@ -0,0 +1 @@
|
|
||||||
+/usr/share/bug/dovecot-core /usr/share/bug/dovecot-lucene
|
|
||||||
diff --git a/debian/dovecot-lucene.lintian-overrides b/debian/dovecot-lucene.lintian-overrides
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..60d90fd
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/debian/dovecot-lucene.lintian-overrides
|
|
||||||
@@ -0,0 +1,2 @@
|
|
||||||
+dovecot-lucene: hardening-no-fortify-functions usr/lib/dovecot/modules/lib21_fts_lucene_plugin.so
|
|
||||||
+
|
|
||||||
diff --git a/debian/dovecot-lucene.substvars b/debian/dovecot-lucene.substvars
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..ed54f36
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/debian/dovecot-lucene.substvars
|
|
||||||
@@ -0,0 +1,2 @@
|
|
||||||
+shlibs:Depends=libc6 (>= 2.4), libclucene-core1 (>= 2.3.3.4), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.1.1), libstemmer0d (>= 0+svn527)
|
|
||||||
+misc:Depends=
|
|
||||||
diff --git a/debian/dovecot-lucene.triggers b/debian/dovecot-lucene.triggers
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..3d933a5
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/debian/dovecot-lucene.triggers
|
|
||||||
@@ -0,0 +1 @@
|
|
||||||
+activate register-dovecot-plugin
|
|
||||||
--- a/debian/rules
|
|
||||||
+++ b/debian/rules
|
|
||||||
@@ -40,6 +40,7 @@
|
|
||||||
--with-solr \
|
|
||||||
--with-ioloop=best \
|
|
||||||
--with-libwrap \
|
|
||||||
+ --with-lucene \
|
|
||||||
--host=$(DEB_HOST_GNU_TYPE) \
|
|
||||||
--build=$(DEB_BUILD_GNU_TYPE) \
|
|
||||||
--prefix=/usr \
|
|
||||||
@@ -95,6 +96,10 @@
|
|
||||||
dh_testroot
|
|
||||||
dh_clean -k
|
|
||||||
dh_installdirs
|
|
||||||
+ mkdir -p $(CURDIR)/debian/dovecot-lucene/usr/lib/dovecot/modules
|
|
||||||
+ mv $(CURDIR)/src/plugins/fts-lucene/.libs/* $(CURDIR)/debian/dovecot-lucene/usr/lib/dovecot/modules/
|
|
||||||
+
|
|
||||||
+rest_disabled_by_miab:
|
|
||||||
$(MAKE) install DESTDIR=$(CURDIR)/debian/dovecot-core
|
|
||||||
$(MAKE) -C $(PIGEONHOLE_DIR) install DESTDIR=$(CURDIR)/debian/dovecot-core
|
|
||||||
rm `find $(CURDIR)/debian -name '*.la'`
|
|
||||||
@@ -209,7 +214,7 @@
|
|
||||||
dh_installdocs -a
|
|
||||||
dh_installexamples -a
|
|
||||||
dh_installpam -a
|
|
||||||
- mv $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot-core $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot
|
|
||||||
+ # mv $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot-core $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot
|
|
||||||
dh_systemd_enable
|
|
||||||
dh_installinit -pdovecot-core --name=dovecot
|
|
||||||
dh_systemd_start
|
|
||||||
@@ -220,10 +225,10 @@
|
|
||||||
dh_lintian -a
|
|
||||||
dh_installchangelogs -a ChangeLog
|
|
||||||
dh_link -a
|
|
||||||
- dh_strip -a --dbg-package=dovecot-dbg
|
|
||||||
+ #dh_strip -a --dbg-package=dovecot-dbg
|
|
||||||
dh_compress -a
|
|
||||||
dh_fixperms -a
|
|
||||||
- chmod 0700 debian/dovecot-core/etc/dovecot/private
|
|
||||||
+ #chmod 0700 debian/dovecot-core/etc/dovecot/private
|
|
||||||
dh_makeshlibs -a -n
|
|
||||||
dh_installdeb -a
|
|
||||||
dh_shlibdeps -a
|
|
||||||
--- a/debian/changelog
|
|
||||||
+++ a/debian/changelog
|
|
||||||
@@ -1,3 +1,9 @@
|
|
||||||
+dovecot (1:2.2.9-1ubuntu2.1+miab1) trusty; urgency=low
|
|
||||||
+
|
|
||||||
+ * Changed to just build dovecot-lucene for Mail-in-a-box PPA
|
|
||||||
+
|
|
||||||
+ -- Joshua Tauberer <jt@occams.info> Sat, 14 May 2015 16:13:00 -0400
|
|
||||||
+
|
|
||||||
dovecot (1:2.2.9-1ubuntu2.1) trusty-security; urgency=medium
|
|
||||||
|
|
||||||
* SECURITY UPDATE: denial of service via SSL connection exhaustion
|
|
||||||
--- a/debian/copyright 2014-03-07 07:26:37.000000000 -0500
|
|
||||||
+++ b/debian/copyright 2015-05-23 18:17:42.668005535 -0400
|
|
||||||
@@ -1,3 +1,7 @@
|
|
||||||
+This package is a fork by Mail-in-a-box (https://mailinabox.email). Original
|
|
||||||
+copyright statement follows:
|
|
||||||
+----------------------------------------------------------------------------
|
|
||||||
+
|
|
||||||
This package was debianized by Jaldhar H. Vyas <jaldhar@debian.org> on
|
|
||||||
Tue, 3 Dec 2002 01:10:07 -0500.
|
|
||||||
|
|
@ -1,80 +0,0 @@
|
|||||||
diff --git a/debian/NEWS b/debian/NEWS
|
|
||||||
index dd09744..de7b640 100644
|
|
||||||
--- a/debian/NEWS
|
|
||||||
+++ b/debian/NEWS
|
|
||||||
@@ -1,3 +1,9 @@
|
|
||||||
+postgrey (1.35-1+miab1)
|
|
||||||
+
|
|
||||||
+ Added DNSWL.org whitelisting.
|
|
||||||
+
|
|
||||||
+ -- Joshua Tauberer <jt@occams.info> Mon May 18 18:58:40 EDT 2015
|
|
||||||
+
|
|
||||||
postgrey (1.32-1) unstable; urgency=low
|
|
||||||
|
|
||||||
Postgrey is now listening to port 10023 and not 60000. The latter was an
|
|
||||||
diff --git a/debian/changelog b/debian/changelog
|
|
||||||
index 1058e15..e5e3557 100644
|
|
||||||
--- a/debian/changelog
|
|
||||||
+++ b/debian/changelog
|
|
||||||
@@ -1,3 +1,9 @@
|
|
||||||
+postgrey (1.35-1+miab1) trusty; urgency=low
|
|
||||||
+
|
|
||||||
+ * Added DNSWL.org whitelisting.
|
|
||||||
+
|
|
||||||
+ -- Joshua Tauberer <jt@occams.info> Mon, 18 May 2015 21:58:40 +0000
|
|
||||||
+
|
|
||||||
postgrey (1.35-1) unstable; urgency=low
|
|
||||||
|
|
||||||
* New upstream release (Closes: 756486)
|
|
||||||
diff --git a/debian/control b/debian/control
|
|
||||||
index ce12ba6..0a82855 100644
|
|
||||||
--- a/debian/control
|
|
||||||
+++ b/debian/control
|
|
||||||
@@ -1,14 +1,11 @@
|
|
||||||
Source: postgrey
|
|
||||||
Section: mail
|
|
||||||
Priority: optional
|
|
||||||
-Maintainer: Antonio Radici <antonio@debian.org>
|
|
||||||
-Uploaders: Jon Daley <jondaley-guest@alioth.debian.org>
|
|
||||||
+Maintainer: Joshua Tauberer <jt@occams.info>
|
|
||||||
Build-Depends: debhelper (>= 7), quilt
|
|
||||||
Build-Depends-Indep: po-debconf
|
|
||||||
Standards-Version: 3.9.6
|
|
||||||
Homepage: http://postgrey.schweikert.ch/
|
|
||||||
-Vcs-Browser: http://git.debian.org/?p=collab-maint/postgrey.git
|
|
||||||
-Vcs-Git: git://git.debian.org/git/collab-maint/postgrey.git
|
|
||||||
|
|
||||||
Package: postgrey
|
|
||||||
Architecture: all
|
|
||||||
@@ -25,3 +22,6 @@ Description: greylisting implementation for Postfix
|
|
||||||
.
|
|
||||||
While Postgrey is designed for use with Postfix, it can also be used
|
|
||||||
with Exim.
|
|
||||||
+ .
|
|
||||||
+ This version has been modified by Mail-in-a-Box to whitelist senders
|
|
||||||
+ in the DNSWL.org list. See https://mailinabox.email.
|
|
||||||
diff --git a/debian/copyright b/debian/copyright
|
|
||||||
index 3cbe377..bf09b89 100644
|
|
||||||
--- a/debian/copyright
|
|
||||||
+++ b/debian/copyright
|
|
||||||
@@ -1,6 +1,10 @@
|
|
||||||
+This package is a fork by Mail-in-a-Box (https://mailinabox.email). Original
|
|
||||||
+copyright statement follows:
|
|
||||||
+----------------------------------------------------------------------------
|
|
||||||
+
|
|
||||||
This Debian package was prepared by Adrian von Bidder <cmot@debian.org> in
|
|
||||||
July 2004, then the package was adopted by Antonio Radici <antonio@dyne.org>
|
|
||||||
-in Sept 2009
|
|
||||||
+in Sept 2009.
|
|
||||||
|
|
||||||
It was downloaded from http://postgrey.schweikert.ch/
|
|
||||||
|
|
||||||
diff --git a/debian/patches/series b/debian/patches/series
|
|
||||||
index f4c5e31..3cd62b8 100644
|
|
||||||
--- a/debian/patches/series
|
|
||||||
+++ b/debian/patches/series
|
|
||||||
@@ -1,3 +1,3 @@
|
|
||||||
imported-upstream-diff
|
|
||||||
disable-transaction-logic
|
|
||||||
-
|
|
||||||
+mailinabox
|
|
@ -1,100 +0,0 @@
|
|||||||
Description: whitelist whatever dnswl.org whitelists
|
|
||||||
.
|
|
||||||
postgrey (1.35-1+miab1) unstable; urgency=low
|
|
||||||
.
|
|
||||||
* Added DNSWL.org whitelisting.
|
|
||||||
Author: Joshua Tauberer <jt@occams.info>
|
|
||||||
|
|
||||||
--- postgrey-1.35.orig/README
|
|
||||||
+++ postgrey-1.35/README
|
|
||||||
@@ -13,7 +13,7 @@ Requirements
|
|
||||||
- BerkeleyDB (Perl Module)
|
|
||||||
- Berkeley DB >= 4.1 (Library)
|
|
||||||
- Digest::SHA (Perl Module, only for --privacy option)
|
|
||||||
-
|
|
||||||
+- Net::DNS (Perl Module)
|
|
||||||
|
|
||||||
Documentation
|
|
||||||
-------------
|
|
||||||
--- postgrey-1.35.orig/postgrey
|
|
||||||
+++ postgrey-1.35/postgrey
|
|
||||||
@@ -18,6 +18,7 @@ use Fcntl ':flock'; # import LOCK_* cons
|
|
||||||
use Sys::Hostname;
|
|
||||||
use Sys::Syslog; # used only to find out which version we use
|
|
||||||
use POSIX qw(strftime setlocale LC_ALL);
|
|
||||||
+use Net::DNS; # for DNSWL.org whitelisting
|
|
||||||
|
|
||||||
use vars qw(@ISA);
|
|
||||||
@ISA = qw(Net::Server::Multiplex);
|
|
||||||
@@ -26,6 +27,8 @@ my $VERSION = '1.35';
|
|
||||||
my $DEFAULT_DBDIR = '/var/lib/postgrey';
|
|
||||||
my $CONFIG_DIR = '/etc/postgrey';
|
|
||||||
|
|
||||||
+my $dns_resolver = Net::DNS::Resolver->new;
|
|
||||||
+
|
|
||||||
sub cidr_parse($)
|
|
||||||
{
|
|
||||||
defined $_[0] or return undef;
|
|
||||||
@@ -48,6 +51,36 @@ sub cidr_match($$$)
|
|
||||||
return ($addr & $mask) == $net;
|
|
||||||
}
|
|
||||||
|
|
||||||
+sub reverseDottedQuad {
|
|
||||||
+ # This is the sub _chkValidPublicIP from Net::DNSBL by PJ Goodwin
|
|
||||||
+ # at http://www.the42.net/net-dnsbl.
|
|
||||||
+ my ($quad) = @_;
|
|
||||||
+ if ($quad =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
|
|
||||||
+ my ($ip1,$ip2,$ip3,$ip4) = ($1, $2, $3, $4);
|
|
||||||
+ if (
|
|
||||||
+ $ip1 == 10 || #10.0.0.0/8 (10/8)
|
|
||||||
+ ($ip1 == 172 && $ip2 >= 16 && $ip2 <= 31) || #172.16.0.0/12 (172.16/12)
|
|
||||||
+ ($ip1 == 192 && $ip2 == 168) || #192.168.0.0/16 (192.168/16)
|
|
||||||
+ $quad eq '127.0.0.1' # localhost
|
|
||||||
+ ) {
|
|
||||||
+ # toss the RFC1918 specified privates
|
|
||||||
+ return undef;
|
|
||||||
+ } elsif (
|
|
||||||
+ ($ip1 <= 1 || $ip1 > 254) ||
|
|
||||||
+ ($ip2 < 0 || $ip2 > 255) ||
|
|
||||||
+ ($ip3 < 0 || $ip3 > 255) ||
|
|
||||||
+ ($ip4 < 0 || $ip4 > 255)
|
|
||||||
+ ) {
|
|
||||||
+ #invalid oct, toss it;
|
|
||||||
+ return undef;
|
|
||||||
+ }
|
|
||||||
+ my $revquad = $ip4 . "." . $ip3 . "." . $ip2 . "." . $ip1;
|
|
||||||
+ return $revquad;
|
|
||||||
+ } else { # invalid quad
|
|
||||||
+ return undef;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
sub read_clients_whitelists($)
|
|
||||||
{
|
|
||||||
my ($self) = @_;
|
|
||||||
@@ -361,6 +394,25 @@ sub smtpd_access_policy($$)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ # whitelist clients in dnswl.org
|
|
||||||
+ my $revip = reverseDottedQuad($attr->{client_address});
|
|
||||||
+ if ($revip) { # valid IP / plausibly in DNSWL
|
|
||||||
+ my $answer = $dns_resolver->send($revip . '.list.dnswl.org');
|
|
||||||
+ if ($answer && scalar($answer->answer) > 0) {
|
|
||||||
+ my @rrs = $answer->answer;
|
|
||||||
+ if ($rrs[0]->type eq 'A' && $rrs[0]->address ne '127.0.0.255') {
|
|
||||||
+ # Address appears in DNSWL. (127.0.0.255 means we were rate-limited.)
|
|
||||||
+ my $code = $rrs[0]->address;
|
|
||||||
+ if ($code =~ /^127.0.(\d+)\.([0-3])$/) {
|
|
||||||
+ my %dnswltrust = (0 => 'legitimate', 1 => 'occasional spam', 2 => 'rare spam', 3 => 'highly unlikely to send spam');
|
|
||||||
+ $code = $2 . '/' . $dnswltrust{$2};
|
|
||||||
+ }
|
|
||||||
+ $self->mylog_action($attr, 'pass', 'client whitelisted by dnswl.org (' . $code . ')');
|
|
||||||
+ return 'DUNNO';
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
# auto whitelist clients (see below for explanation)
|
|
||||||
my ($cawl_db, $cawl_key, $cawl_count, $cawl_last);
|
|
||||||
if($self->{postgrey}{awl_clients}) {
|
|
@ -1,7 +1,7 @@
|
|||||||
Mail-in-a-Box Security Guide
|
Mail-in-a-Box Security Guide
|
||||||
============================
|
============================
|
||||||
|
|
||||||
Mail-in-a-Box turns a fresh Ubuntu 14.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components.
|
Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components.
|
||||||
|
|
||||||
This page documents the security features of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box.
|
This page documents the security features of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box.
|
||||||
|
|
||||||
|
@ -7,7 +7,34 @@
|
|||||||
#########################################################
|
#########################################################
|
||||||
|
|
||||||
if [ -z "$TAG" ]; then
|
if [ -z "$TAG" ]; then
|
||||||
TAG=v0.30
|
# If a version to install isn't explicitly given as an environment
|
||||||
|
# variable, then install the latest version. But the latest version
|
||||||
|
# depends on the operating system. Existing Ubuntu 14.04 users need
|
||||||
|
# to be able to upgrade to the latest version supporting Ubuntu 14.04,
|
||||||
|
# in part because an upgrade is required before jumping to Ubuntu 18.04.
|
||||||
|
# New users on Ubuntu 18 need to get the latest version number too.
|
||||||
|
#
|
||||||
|
# Also, the system status checks read this script for TAG= to get
|
||||||
|
# the latest version, so the first TAG= line must be the one that
|
||||||
|
# we want to display in status checks.
|
||||||
|
if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then
|
||||||
|
# This machine is running Ubuntu 18.04.
|
||||||
|
TAG=v0.30
|
||||||
|
|
||||||
|
elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then
|
||||||
|
# This machine is running Ubuntu 14.04.
|
||||||
|
echo "You are installing the last version of Mail-in-a-Box that will"
|
||||||
|
echo "support Ubuntu 14.04. If this is a new installation of Mail-in-a-Box,"
|
||||||
|
echo "stop now and switch to a machine running Ubuntu 18.04. If you are"
|
||||||
|
echo "upgrading an existing Mail-in-a-Box --- great. After upgrading this"
|
||||||
|
echo "box, please visit https://mailinabox.email for notes on how to upgrade"
|
||||||
|
echo "to Ubuntu 18.04."
|
||||||
|
TAG=v0.30
|
||||||
|
|
||||||
|
else
|
||||||
|
echo "This script must be run on a system running Ubuntu 18.04 or Ubuntu 14.04."
|
||||||
|
exit
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Are we running as root?
|
# Are we running as root?
|
||||||
|
@ -21,6 +21,11 @@ mkdir -p $STORAGE_ROOT/mail/dkim
|
|||||||
# Not quite sure why.
|
# Not quite sure why.
|
||||||
echo "127.0.0.1" > /etc/opendkim/TrustedHosts
|
echo "127.0.0.1" > /etc/opendkim/TrustedHosts
|
||||||
|
|
||||||
|
# We need to at least create these files, since we reference them later.
|
||||||
|
# Otherwise, opendkim startup will fail
|
||||||
|
touch /etc/opendkim/KeyTable
|
||||||
|
touch /etc/opendkim/SigningTable
|
||||||
|
|
||||||
if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then
|
if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then
|
||||||
true # already done #NODOC
|
true # already done #NODOC
|
||||||
else
|
else
|
||||||
@ -75,6 +80,9 @@ tools/editconf.py /etc/postfix/main.cf \
|
|||||||
non_smtpd_milters=\$smtpd_milters \
|
non_smtpd_milters=\$smtpd_milters \
|
||||||
milter_default_action=accept
|
milter_default_action=accept
|
||||||
|
|
||||||
|
# We need to explicitly enable the opendmarc service, or it will not start
|
||||||
|
hide_output systemctl enable opendmarc
|
||||||
|
|
||||||
# Restart services.
|
# Restart services.
|
||||||
restart_service opendkim
|
restart_service opendkim
|
||||||
restart_service opendmarc
|
restart_service opendmarc
|
||||||
|
@ -4,9 +4,9 @@ if [ -z "`tools/mail.py user`" ]; then
|
|||||||
# aren't any yet, it'll be empty.
|
# aren't any yet, it'll be empty.
|
||||||
|
|
||||||
# If we didn't ask for an email address at the start, do so now.
|
# If we didn't ask for an email address at the start, do so now.
|
||||||
if [ -z "$EMAIL_ADDR" ]; then
|
if [ -z "${EMAIL_ADDR:-}" ]; then
|
||||||
# In an interactive shell, ask the user for an email address.
|
# In an interactive shell, ask the user for an email address.
|
||||||
if [ -z "$NONINTERACTIVE" ]; then
|
if [ -z "${NONINTERACTIVE:-}" ]; then
|
||||||
input_box "Mail Account" \
|
input_box "Mail Account" \
|
||||||
"Let's create your first mail account.
|
"Let's create your first mail account.
|
||||||
\n\nWhat email address do you want?" \
|
\n\nWhat email address do you want?" \
|
||||||
@ -47,7 +47,7 @@ if [ -z "`tools/mail.py user`" ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Create the user's mail account. This will ask for a password if none was given above.
|
# Create the user's mail account. This will ask for a password if none was given above.
|
||||||
tools/mail.py user add $EMAIL_ADDR $EMAIL_PW
|
tools/mail.py user add $EMAIL_ADDR ${EMAIL_PW:-}
|
||||||
|
|
||||||
# Make it an admin.
|
# Make it an admin.
|
||||||
hide_output tools/mail.py user make-admin $EMAIL_ADDR
|
hide_output tools/mail.py user make-admin $EMAIL_ADDR
|
||||||
|
@ -1,3 +1,9 @@
|
|||||||
|
# Turn on "strict mode." See http://redsymbol.net/articles/unofficial-bash-strict-mode/.
|
||||||
|
# -e: exit if any command unexpectedly fails.
|
||||||
|
# -u: exit if we have a variable typo.
|
||||||
|
# -o pipefail: don't ignore errors in the non-last command in a pipeline
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
function hide_output {
|
function hide_output {
|
||||||
# This function hides the output of a command unless the command fails
|
# This function hides the output of a command unless the command fails
|
||||||
# and returns a non-zero exit code.
|
# and returns a non-zero exit code.
|
||||||
@ -5,11 +11,14 @@ function hide_output {
|
|||||||
# Get a temporary file.
|
# Get a temporary file.
|
||||||
OUTPUT=$(tempfile)
|
OUTPUT=$(tempfile)
|
||||||
|
|
||||||
# Execute command, redirecting stderr/stdout to the temporary file.
|
# Execute command, redirecting stderr/stdout to the temporary file. Since we
|
||||||
|
# check the return code ourselves, disable 'set -e' temporarily.
|
||||||
|
set +e
|
||||||
$@ &> $OUTPUT
|
$@ &> $OUTPUT
|
||||||
|
E=$?
|
||||||
|
set -e
|
||||||
|
|
||||||
# If the command failed, show the output that was captured in the temporary file.
|
# If the command failed, show the output that was captured in the temporary file.
|
||||||
E=$?
|
|
||||||
if [ $E != 0 ]; then
|
if [ $E != 0 ]; then
|
||||||
# Something failed.
|
# Something failed.
|
||||||
echo
|
echo
|
||||||
@ -75,7 +84,7 @@ function get_publicip_from_web_service {
|
|||||||
#
|
#
|
||||||
# Pass '4' or '6' as an argument to this function to specify
|
# Pass '4' or '6' as an argument to this function to specify
|
||||||
# what type of address to get (IPv4, IPv6).
|
# what type of address to get (IPv4, IPv6).
|
||||||
curl -$1 --fail --silent --max-time 15 icanhazip.com 2>/dev/null
|
curl -$1 --fail --silent --max-time 15 icanhazip.com 2>/dev/null || /bin/true
|
||||||
}
|
}
|
||||||
|
|
||||||
function get_default_privateip {
|
function get_default_privateip {
|
||||||
@ -131,11 +140,10 @@ function get_default_privateip {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo $address
|
echo $address
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function ufw_allow {
|
function ufw_allow {
|
||||||
if [ -z "$DISABLE_FIREWALL" ]; then
|
if [ -z "${DISABLE_FIREWALL:-}" ]; then
|
||||||
# ufw has completely unhelpful output
|
# ufw has completely unhelpful output
|
||||||
ufw allow $1 > /dev/null;
|
ufw allow $1 > /dev/null;
|
||||||
fi
|
fi
|
||||||
@ -154,10 +162,13 @@ function input_box {
|
|||||||
# input_box "title" "prompt" "defaultvalue" VARIABLE
|
# input_box "title" "prompt" "defaultvalue" VARIABLE
|
||||||
# The user's input will be stored in the variable VARIABLE.
|
# The user's input will be stored in the variable VARIABLE.
|
||||||
# The exit code from dialog will be stored in VARIABLE_EXITCODE.
|
# The exit code from dialog will be stored in VARIABLE_EXITCODE.
|
||||||
|
# Temporarily turn off 'set -e' because we need the dialog return code.
|
||||||
declare -n result=$4
|
declare -n result=$4
|
||||||
declare -n result_code=$4_EXITCODE
|
declare -n result_code=$4_EXITCODE
|
||||||
|
set +e
|
||||||
result=$(dialog --stdout --title "$1" --inputbox "$2" 0 0 "$3")
|
result=$(dialog --stdout --title "$1" --inputbox "$2" 0 0 "$3")
|
||||||
result_code=$?
|
result_code=$?
|
||||||
|
set -e
|
||||||
}
|
}
|
||||||
|
|
||||||
function input_menu {
|
function input_menu {
|
||||||
@ -167,8 +178,10 @@ function input_menu {
|
|||||||
declare -n result=$4
|
declare -n result=$4
|
||||||
declare -n result_code=$4_EXITCODE
|
declare -n result_code=$4_EXITCODE
|
||||||
local IFS=^$'\n'
|
local IFS=^$'\n'
|
||||||
|
set +e
|
||||||
result=$(dialog --stdout --title "$1" --menu "$2" 0 0 0 $3)
|
result=$(dialog --stdout --title "$1" --menu "$2" 0 0 0 $3)
|
||||||
result_code=$?
|
result_code=$?
|
||||||
|
set -e
|
||||||
}
|
}
|
||||||
|
|
||||||
function wget_verify {
|
function wget_verify {
|
||||||
|
@ -26,7 +26,7 @@ source /etc/mailinabox.conf # load global vars
|
|||||||
echo "Installing Dovecot (IMAP server)..."
|
echo "Installing Dovecot (IMAP server)..."
|
||||||
apt_install \
|
apt_install \
|
||||||
dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-sqlite sqlite3 \
|
dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-sqlite sqlite3 \
|
||||||
dovecot-sieve dovecot-managesieved dovecot-lucene
|
dovecot-sieve dovecot-managesieved
|
||||||
|
|
||||||
# The `dovecot-imapd`, `dovecot-pop3d`, and `dovecot-lmtpd` packages automatically
|
# The `dovecot-imapd`, `dovecot-pop3d`, and `dovecot-lmtpd` packages automatically
|
||||||
# enable IMAP, POP and LMTP protocols.
|
# enable IMAP, POP and LMTP protocols.
|
||||||
@ -112,17 +112,6 @@ tools/editconf.py /etc/dovecot/conf.d/20-imap.conf \
|
|||||||
tools/editconf.py /etc/dovecot/conf.d/20-pop3.conf \
|
tools/editconf.py /etc/dovecot/conf.d/20-pop3.conf \
|
||||||
pop3_uidl_format="%08Xu%08Xv"
|
pop3_uidl_format="%08Xu%08Xv"
|
||||||
|
|
||||||
# Full Text Search - Enable full text search of mail using dovecot's lucene plugin,
|
|
||||||
# which *we* package and distribute (dovecot-lucene package).
|
|
||||||
tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
|
|
||||||
mail_plugins="\$mail_plugins fts fts_lucene"
|
|
||||||
cat > /etc/dovecot/conf.d/90-plugin-fts.conf << EOF;
|
|
||||||
plugin {
|
|
||||||
fts = lucene
|
|
||||||
fts_lucene = whitespace_chars=@.
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# ### LDA (LMTP)
|
# ### LDA (LMTP)
|
||||||
|
|
||||||
# Enable Dovecot's LDA service with the LMTP protocol. It will listen
|
# Enable Dovecot's LDA service with the LMTP protocol. It will listen
|
||||||
|
@ -41,16 +41,8 @@ source /etc/mailinabox.conf # load global vars
|
|||||||
# always will.
|
# always will.
|
||||||
# * `ca-certificates`: A trust store used to squelch postfix warnings about
|
# * `ca-certificates`: A trust store used to squelch postfix warnings about
|
||||||
# untrusted opportunistically-encrypted connections.
|
# untrusted opportunistically-encrypted connections.
|
||||||
#
|
|
||||||
# postgrey is going to come in via the Mail-in-a-Box PPA, which publishes
|
|
||||||
# a modified version of postgrey that lets senders whitelisted by dnswl.org
|
|
||||||
# pass through without being greylisted. So please note [dnswl's license terms](https://www.dnswl.org/?page_id=9):
|
|
||||||
# > Every user with more than 100’000 queries per day on the public nameserver
|
|
||||||
# > infrastructure and every commercial vendor of dnswl.org data (eg through
|
|
||||||
# > anti-spam solutions) must register with dnswl.org and purchase a subscription.
|
|
||||||
|
|
||||||
echo "Installing Postfix (SMTP server)..."
|
echo "Installing Postfix (SMTP server)..."
|
||||||
apt_install postfix postfix-pcre postgrey ca-certificates
|
apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates
|
||||||
|
|
||||||
# ### Basic Settings
|
# ### Basic Settings
|
||||||
|
|
||||||
@ -81,6 +73,8 @@ tools/editconf.py /etc/postfix/main.cf \
|
|||||||
|
|
||||||
# Enable the 'submission' port 587 smtpd server and tweak its settings.
|
# Enable the 'submission' port 587 smtpd server and tweak its settings.
|
||||||
#
|
#
|
||||||
|
# * Enable authentication. It's disabled globally so that it is disabled on port 25,
|
||||||
|
# so we need to explicitly enable it here.
|
||||||
# * Do not add the OpenDMAC Authentication-Results header. That should only be added
|
# * Do not add the OpenDMAC Authentication-Results header. That should only be added
|
||||||
# on incoming mail. Omit the OpenDMARC milter by re-setting smtpd_milters to the
|
# on incoming mail. Omit the OpenDMARC milter by re-setting smtpd_milters to the
|
||||||
# OpenDKIM milter only. See dkim.sh.
|
# OpenDKIM milter only. See dkim.sh.
|
||||||
@ -95,6 +89,7 @@ tools/editconf.py /etc/postfix/main.cf \
|
|||||||
# emails but we turn this off by setting nested_header_checks empty.
|
# emails but we turn this off by setting nested_header_checks empty.
|
||||||
tools/editconf.py /etc/postfix/master.cf -s -w \
|
tools/editconf.py /etc/postfix/master.cf -s -w \
|
||||||
"submission=inet n - - - - smtpd
|
"submission=inet n - - - - smtpd
|
||||||
|
-o smtpd_sasl_auth_enable=yes
|
||||||
-o syslog_name=postfix/submission
|
-o syslog_name=postfix/submission
|
||||||
-o smtpd_milters=inet:127.0.0.1:8891
|
-o smtpd_milters=inet:127.0.0.1:8891
|
||||||
-o smtpd_tls_security_level=encrypt
|
-o smtpd_tls_security_level=encrypt
|
||||||
@ -154,7 +149,7 @@ tools/editconf.py /etc/postfix/main.cf \
|
|||||||
# then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
|
# then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
|
||||||
# or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
|
# or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
|
||||||
# itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also
|
# itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also
|
||||||
# relies on our local bind9 server being present and `smtp_dns_support_level=dnssec`.
|
# relies on our local DNS server (see system.sh) and `smtp_dns_support_level=dnssec`.
|
||||||
#
|
#
|
||||||
# The `smtp_tls_CAfile` is superflous, but it eliminates warnings in the logs about untrusted certs,
|
# The `smtp_tls_CAfile` is superflous, but it eliminates warnings in the logs about untrusted certs,
|
||||||
# which we don't care about seeing because Postfix is doing opportunistic TLS anyway. Better to encrypt,
|
# which we don't care about seeing because Postfix is doing opportunistic TLS anyway. Better to encrypt,
|
||||||
|
@ -65,11 +65,15 @@ service auth {
|
|||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# And have Postfix use that service.
|
# And have Postfix use that service. We *disable* it here
|
||||||
|
# so that authentication is not permitted on port 25 (which
|
||||||
|
# does not run DKIM on relayed mail, so outbound mail isn't
|
||||||
|
# correct, see #830), but we enable it specifically for the
|
||||||
|
# submission port.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
tools/editconf.py /etc/postfix/main.cf \
|
||||||
smtpd_sasl_type=dovecot \
|
smtpd_sasl_type=dovecot \
|
||||||
smtpd_sasl_path=private/auth \
|
smtpd_sasl_path=private/auth \
|
||||||
smtpd_sasl_auth_enable=yes
|
smtpd_sasl_auth_enable=no
|
||||||
|
|
||||||
# ### Sender Validation
|
# ### Sender Validation
|
||||||
|
|
||||||
|
@ -24,12 +24,12 @@ done
|
|||||||
# S3 api used in some regions, which breaks backups to those regions.
|
# S3 api used in some regions, which breaks backups to those regions.
|
||||||
# See #627, #653.
|
# See #627, #653.
|
||||||
#
|
#
|
||||||
# python-virtualenv is used to isolate the Python 3 packages we
|
# virtualenv is used to isolate the Python 3 packages we
|
||||||
# install via pip from the system-installed packages.
|
# install via pip from the system-installed packages.
|
||||||
#
|
#
|
||||||
# certbot installs EFF's certbot which we use to
|
# certbot installs EFF's certbot which we use to
|
||||||
# provision free TLS certificates.
|
# provision free TLS certificates.
|
||||||
apt_install duplicity python-pip python-virtualenv certbot
|
apt_install duplicity python-pip virtualenv certbot
|
||||||
hide_output pip2 install --upgrade boto
|
hide_output pip2 install --upgrade boto
|
||||||
|
|
||||||
# Create a virtualenv for the installation of Python 3 packages
|
# Create a virtualenv for the installation of Python 3 packages
|
||||||
@ -87,20 +87,15 @@ rm -f /tmp/bootstrap.zip
|
|||||||
|
|
||||||
# Create an init script to start the management daemon and keep it
|
# Create an init script to start the management daemon and keep it
|
||||||
# running after a reboot.
|
# running after a reboot.
|
||||||
rm -f /usr/local/bin/mailinabox-daemon # old path
|
|
||||||
cat > $inst_dir/start <<EOF;
|
cat > $inst_dir/start <<EOF;
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
source $venv/bin/activate
|
source $venv/bin/activate
|
||||||
exec python `pwd`/management/daemon.py
|
exec python `pwd`/management/daemon.py
|
||||||
EOF
|
EOF
|
||||||
chmod +x $inst_dir/start
|
chmod +x $inst_dir/start
|
||||||
rm -f /etc/init.d/mailinabox
|
hide_output systemctl link conf/mailinabox.service
|
||||||
ln -s $(pwd)/conf/management-initscript /etc/init.d/mailinabox
|
hide_output systemctl daemon-reload
|
||||||
hide_output update-rc.d mailinabox defaults
|
hide_output systemctl enable mailinabox.service
|
||||||
|
|
||||||
# Remove old files we no longer use.
|
|
||||||
rm -f /etc/cron.daily/mailinabox-backup
|
|
||||||
rm -f /etc/cron.daily/mailinabox-statuschecks
|
|
||||||
|
|
||||||
# Perform nightly tasks at 3am in system time: take a backup, run
|
# Perform nightly tasks at 3am in system time: take a backup, run
|
||||||
# status checks and email the administrator any changes.
|
# status checks and email the administrator any changes.
|
||||||
|
@ -29,7 +29,7 @@ address 127.0.0.1
|
|||||||
|
|
||||||
# send alerts to the following address
|
# send alerts to the following address
|
||||||
contacts admin
|
contacts admin
|
||||||
contact.admin.command mail -s "Munin notification ${var:host}" administrator@$PRIMARY_HOSTNAME
|
contact.admin.command mail -s "Munin notification \${var:host}" administrator@$PRIMARY_HOSTNAME
|
||||||
contact.admin.always_send warning critical
|
contact.admin.always_send warning critical
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
@ -44,7 +44,7 @@ tools/editconf.py /etc/munin/munin-node.conf -s \
|
|||||||
log_level=1
|
log_level=1
|
||||||
|
|
||||||
# Update the activated plugins through munin's autoconfiguration.
|
# Update the activated plugins through munin's autoconfiguration.
|
||||||
munin-node-configure --shell --remove-also 2>/dev/null | sh
|
munin-node-configure --shell --remove-also 2>/dev/null | sh || /bin/true
|
||||||
|
|
||||||
# Deactivate monitoring of NTP peers. Not sure why anyone would want to monitor a NTP peer. The addresses seem to change
|
# Deactivate monitoring of NTP peers. Not sure why anyone would want to monitor a NTP peer. The addresses seem to change
|
||||||
# (which is taken care of my munin-node-configure, but only when we re-run it.)
|
# (which is taken care of my munin-node-configure, but only when we re-run it.)
|
||||||
@ -61,6 +61,14 @@ done
|
|||||||
# Create a 'state' directory. Not sure why we need to do this manually.
|
# Create a 'state' directory. Not sure why we need to do this manually.
|
||||||
mkdir -p /var/lib/munin-node/plugin-state/
|
mkdir -p /var/lib/munin-node/plugin-state/
|
||||||
|
|
||||||
|
# Create a systemd service for munin.
|
||||||
|
ln -sf $(pwd)/management/munin_start.sh /usr/local/lib/mailinabox/munin_start.sh
|
||||||
|
chmod 0744 /usr/local/lib/mailinabox/munin_start.sh
|
||||||
|
hide_output systemctl link conf/munin.service
|
||||||
|
hide_output systemctl daemon-reload
|
||||||
|
hide_output systemctl unmask munin.service
|
||||||
|
hide_output systemctl enable munin.service
|
||||||
|
|
||||||
# Restart services.
|
# Restart services.
|
||||||
restart_service munin
|
restart_service munin
|
||||||
restart_service munin-node
|
restart_service munin-node
|
||||||
|
@ -9,29 +9,11 @@ source /etc/mailinabox.conf # load global vars
|
|||||||
|
|
||||||
echo "Installing Nextcloud (contacts/calendar)..."
|
echo "Installing Nextcloud (contacts/calendar)..."
|
||||||
|
|
||||||
# Keep the php5 dependancies for the owncloud upgrades
|
apt-get purge -qq -y owncloud* # we used to use the package manager
|
||||||
apt_install \
|
|
||||||
dbconfig-common \
|
|
||||||
php5-cli php5-sqlite php5-gd php5-imap php5-curl php-pear php-apc curl libapr1 libtool libcurl4-openssl-dev php-xml-parser \
|
|
||||||
php5 php5-dev php5-gd php5-fpm memcached php5-memcached
|
|
||||||
|
|
||||||
apt-get purge -qq -y owncloud*
|
apt_install php php-fpm \
|
||||||
|
php-cli php-sqlite3 php-gd php-imap php-curl php-pear curl \
|
||||||
apt_install php7.0 php7.0-fpm \
|
php-dev php-gd php-xml php-mbstring php-zip php-apcu php-json php-intl
|
||||||
php7.0-cli php7.0-sqlite php7.0-gd php7.0-imap php7.0-curl php-pear php-apc curl \
|
|
||||||
php7.0-dev php7.0-gd php7.0-xml php7.0-mbstring php7.0-zip php7.0-apcu php7.0-json php7.0-intl
|
|
||||||
|
|
||||||
# Migrate <= v0.10 setups that stored the ownCloud config.php in /usr/local rather than
|
|
||||||
# in STORAGE_ROOT. Move the file to STORAGE_ROOT.
|
|
||||||
if [ ! -f $STORAGE_ROOT/owncloud/config.php ] \
|
|
||||||
&& [ -f /usr/local/lib/owncloud/config/config.php ]; then
|
|
||||||
|
|
||||||
# Move config.php and symlink back into previous location.
|
|
||||||
echo "Migrating owncloud/config.php to new location."
|
|
||||||
mv /usr/local/lib/owncloud/config/config.php $STORAGE_ROOT/owncloud/config.php \
|
|
||||||
&& \
|
|
||||||
ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
|
|
||||||
fi
|
|
||||||
|
|
||||||
InstallNextcloud() {
|
InstallNextcloud() {
|
||||||
|
|
||||||
@ -75,7 +57,7 @@ InstallNextcloud() {
|
|||||||
# Make sure permissions are correct or the upgrade step won't run.
|
# Make sure permissions are correct or the upgrade step won't run.
|
||||||
# $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress
|
# $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress
|
||||||
# that error.
|
# that error.
|
||||||
chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
|
chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud || /bin/true
|
||||||
|
|
||||||
# If this isn't a new installation, immediately run the upgrade script.
|
# If this isn't a new installation, immediately run the upgrade script.
|
||||||
# Then check for success (0=ok and 3=no upgrade needed, both are success).
|
# Then check for success (0=ok and 3=no upgrade needed, both are success).
|
||||||
@ -93,157 +75,42 @@ InstallNextcloud() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# We only install ownCloud intermediate versions to be able to seemlesly upgrade to Nextcloud
|
nextcloud_ver=13.0.6
|
||||||
InstallOwncloud() {
|
nextcloud_hash=33e41f476f0e2be5dc7cdb9d496673d9647aa3d6
|
||||||
|
|
||||||
version=$1
|
# Check if Nextcloud dir exist, and check if version matches nextcloud_ver (if either doesn't - install/upgrade)
|
||||||
hash=$2
|
|
||||||
|
|
||||||
echo
|
|
||||||
echo "Upgrading to OwnCloud version $version"
|
|
||||||
echo
|
|
||||||
|
|
||||||
# Remove the current owncloud/Nextcloud
|
|
||||||
rm -rf /usr/local/lib/owncloud
|
|
||||||
|
|
||||||
# Download and verify
|
|
||||||
wget_verify https://download.owncloud.org/community/owncloud-$version.tar.bz2 $hash /tmp/owncloud.tar.bz2
|
|
||||||
|
|
||||||
|
|
||||||
# Extract ownCloud
|
|
||||||
tar xjf /tmp/owncloud.tar.bz2 -C /usr/local/lib
|
|
||||||
rm -f /tmp/owncloud.tar.bz2
|
|
||||||
|
|
||||||
# The two apps we actually want are not in Nextcloud core. Download the releases from
|
|
||||||
# their github repositories.
|
|
||||||
mkdir -p /usr/local/lib/owncloud/apps
|
|
||||||
|
|
||||||
wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz
|
|
||||||
tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
|
|
||||||
rm /tmp/contacts.tgz
|
|
||||||
|
|
||||||
wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz
|
|
||||||
tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
|
|
||||||
rm /tmp/calendar.tgz
|
|
||||||
|
|
||||||
# Fix weird permissions.
|
|
||||||
chmod 750 /usr/local/lib/owncloud/{apps,config}
|
|
||||||
|
|
||||||
# Create a symlink to the config.php in STORAGE_ROOT (for upgrades we're restoring the symlink we previously
|
|
||||||
# put in, and in new installs we're creating a symlink and will create the actual config later).
|
|
||||||
ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
|
|
||||||
|
|
||||||
# Make sure permissions are correct or the upgrade step won't run.
|
|
||||||
# $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress
|
|
||||||
# that error.
|
|
||||||
chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
|
|
||||||
|
|
||||||
# If this isn't a new installation, immediately run the upgrade script.
|
|
||||||
# Then check for success (0=ok and 3=no upgrade needed, both are success).
|
|
||||||
if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then
|
|
||||||
# ownCloud 8.1.1 broke upgrades. It may fail on the first attempt, but
|
|
||||||
# that can be OK.
|
|
||||||
sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade
|
|
||||||
if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then
|
|
||||||
echo "Trying ownCloud upgrade again to work around ownCloud upgrade bug..."
|
|
||||||
sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade
|
|
||||||
if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
|
|
||||||
sudo -u www-data php5 /usr/local/lib/owncloud/occ maintenance:mode --off
|
|
||||||
echo "...which seemed to work."
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
owncloud_ver=13.0.6
|
|
||||||
owncloud_hash=33e41f476f0e2be5dc7cdb9d496673d9647aa3d6
|
|
||||||
|
|
||||||
# Check if Nextcloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade)
|
|
||||||
if [ ! -d /usr/local/lib/owncloud/ ] \
|
if [ ! -d /usr/local/lib/owncloud/ ] \
|
||||||
|| ! grep -q $owncloud_ver /usr/local/lib/owncloud/version.php; then
|
|| ! grep -q $nextcloud_ver /usr/local/lib/owncloud/version.php; then
|
||||||
|
|
||||||
# Stop php-fpm if running. If theyre not running (which happens on a previously failed install), dont bail.
|
# Stop php-fpm if running. If theyre not running (which happens on a previously failed install), dont bail.
|
||||||
service php7.0-fpm stop &> /dev/null || /bin/true
|
service php7.2-fpm stop &> /dev/null || /bin/true
|
||||||
service php5-fpm stop &> /dev/null || /bin/true
|
|
||||||
|
|
||||||
# Backup the existing ownCloud/Nextcloud.
|
# Backup the existing ownCloud/Nextcloud.
|
||||||
# Create a backup directory to store the current installation and database to
|
# Create a backup directory to store the current installation and database to
|
||||||
BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"`
|
BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"`
|
||||||
mkdir -p "$BACKUP_DIRECTORY"
|
mkdir -p "$BACKUP_DIRECTORY"
|
||||||
if [ -d /usr/local/lib/owncloud/ ]; then
|
if [ -d /usr/local/lib/owncloud/ ]; then
|
||||||
echo "upgrading ownCloud/Nextcloud to $owncloud_flavor $owncloud_ver (backing up existing installation, configuration and database to directory to $BACKUP_DIRECTORY..."
|
echo "Upgrading Nextcloud --- backing up existing installation, configuration, and database to directory to $BACKUP_DIRECTORY..."
|
||||||
cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install"
|
cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install"
|
||||||
fi
|
fi
|
||||||
if [ -e /home/user-data/owncloud/owncloud.db ]; then
|
if [ -e /home/user-data/owncloud/owncloud.db ]; then
|
||||||
cp /home/user-data/owncloud/owncloud.db $BACKUP_DIRECTORY
|
cp /home/user-data/owncloud/owncloud.db $BACKUP_DIRECTORY
|
||||||
fi
|
fi
|
||||||
if [ -e /home/user-data/owncloud/config.php ]; then
|
if [ -e /home/user-data/owncloud/config.php ]; then
|
||||||
cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY
|
cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# We only need to check if we do upgrades when owncloud/Nextcloud was previously installed
|
# If ownCloud or Nextcloud was previously installed....
|
||||||
if [ -e /usr/local/lib/owncloud/version.php ]; then
|
if [ -e /usr/local/lib/owncloud/version.php ]; then
|
||||||
if grep -q "OC_VersionString = '8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
|
# Database migrations from ownCloud are no longer possible because ownCloud cannot be run under
|
||||||
echo "We are running 8.1.x, upgrading to 8.2.11 first"
|
# PHP 7.
|
||||||
InstallOwncloud 8.2.11 e4794938fc2f15a095018ba9d6ee18b53f6f299c
|
if grep -q "OC_VersionString = '[89]\." /usr/local/lib/owncloud/version.php; then
|
||||||
|
echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 8 or 9) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting."
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
if grep -q "OC_VersionString = '10\." /usr/local/lib/owncloud/version.php; then
|
||||||
# If we are upgrading from 8.2.x we should go to 9.0 first. Owncloud doesn't support skipping minor versions
|
echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 10) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting."
|
||||||
if grep -q "OC_VersionString = '8\.2\.[0-9]" /usr/local/lib/owncloud/version.php; then
|
exit 1
|
||||||
echo "We are running version 8.2.x, upgrading to 9.0.11 first"
|
|
||||||
|
|
||||||
# We need to disable memcached. The upgrade and install fails
|
|
||||||
# with memcached
|
|
||||||
CONFIG_TEMP=$(/bin/mktemp)
|
|
||||||
php <<EOF > $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php;
|
|
||||||
<?php
|
|
||||||
include("$STORAGE_ROOT/owncloud/config.php");
|
|
||||||
|
|
||||||
\$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
|
|
||||||
|
|
||||||
echo "<?php\n\\\$CONFIG = ";
|
|
||||||
var_export(\$CONFIG);
|
|
||||||
echo ";";
|
|
||||||
?>
|
|
||||||
EOF
|
|
||||||
chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
|
|
||||||
|
|
||||||
# We can now install owncloud 9.0.11
|
|
||||||
InstallOwncloud 9.0.11 fc8bad8a62179089bc58c406b28997fb0329337b
|
|
||||||
|
|
||||||
# The owncloud 9 migration doesn't migrate calendars and contacts
|
|
||||||
# The option to migrate these are removed in 9.1
|
|
||||||
# So the migrations should be done when we have 9.0 installed
|
|
||||||
sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-addressbooks
|
|
||||||
# The following migration has to be done for each owncloud user
|
|
||||||
for directory in $STORAGE_ROOT/owncloud/*@*/ ; do
|
|
||||||
username=$(basename "${directory}")
|
|
||||||
sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-calendar $username
|
|
||||||
done
|
|
||||||
sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:sync-birthday-calendar
|
|
||||||
fi
|
|
||||||
|
|
||||||
# If we are upgrading from 9.0.x we should go to 9.1 first.
|
|
||||||
if grep -q "OC_VersionString = '9\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
|
|
||||||
echo "We are running ownCloud 9.0.x, upgrading to ownCloud 9.1.7 first"
|
|
||||||
InstallOwncloud 9.1.7 1307d997d0b23dc42742d315b3e2f11423a9c808
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Newer ownCloud 9.1.x versions cannot be upgraded to Nextcloud 10 and have to be
|
|
||||||
# upgraded to Nextcloud 11 straight away, see:
|
|
||||||
# https://github.com/nextcloud/server/issues/2203
|
|
||||||
# However, for some reason, upgrading to the latest Nextcloud 11.0.7 doesn't
|
|
||||||
# work either. Therefore, we're upgrading to Nextcloud 11.0.0 in the interim.
|
|
||||||
# This should not be a problem since we're upgrading to the latest Nextcloud 12
|
|
||||||
# in the next step.
|
|
||||||
if grep -q "OC_VersionString = '9\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
|
|
||||||
echo "We are running ownCloud 9.1.x, upgrading to Nextcloud 11.0.0 first"
|
|
||||||
InstallNextcloud 11.0.0 e8c9ebe72a4a76c047080de94743c5c11735e72e
|
|
||||||
fi
|
|
||||||
|
|
||||||
# If we are upgrading from 10.0.x we should go to Nextcloud 11.0 first.
|
|
||||||
if grep -q "OC_VersionString = '10\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
|
|
||||||
echo "We are running Nextcloud 10.0.x, upgrading to Nextcloud 11.0.7 first"
|
|
||||||
InstallNextcloud 11.0.7 f936ddcb2ae3dbb66ee4926eb8b2ebbddc3facbe
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If we are upgrading from Nextcloud 11 we should go to Nextcloud 12 first.
|
# If we are upgrading from Nextcloud 11 we should go to Nextcloud 12 first.
|
||||||
@ -253,7 +120,7 @@ EOF
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
InstallNextcloud $owncloud_ver $owncloud_hash
|
InstallNextcloud $nextcloud_ver $nextcloud_hash
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# ### Configuring Nextcloud
|
# ### Configuring Nextcloud
|
||||||
@ -278,10 +145,10 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
|
|||||||
'overwritewebroot' => '/cloud',
|
'overwritewebroot' => '/cloud',
|
||||||
'overwrite.cli.url' => '/cloud',
|
'overwrite.cli.url' => '/cloud',
|
||||||
'user_backends' => array(
|
'user_backends' => array(
|
||||||
array(
|
array(
|
||||||
'class'=>'OC_User_IMAP',
|
'class'=>'OC_User_IMAP',
|
||||||
'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}')
|
'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}')
|
||||||
)
|
)
|
||||||
),
|
),
|
||||||
'memcache.local' => '\OC\Memcache\APCu',
|
'memcache.local' => '\OC\Memcache\APCu',
|
||||||
'mail_smtpmode' => 'sendmail',
|
'mail_smtpmode' => 'sendmail',
|
||||||
@ -377,7 +244,7 @@ if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
|
|||||||
|
|
||||||
# Set PHP FPM values to support large file uploads
|
# Set PHP FPM values to support large file uploads
|
||||||
# (semicolon is the comment character in this file, hashes produce deprecation warnings)
|
# (semicolon is the comment character in this file, hashes produce deprecation warnings)
|
||||||
tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
|
tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
|
||||||
upload_max_filesize=16G \
|
upload_max_filesize=16G \
|
||||||
post_max_size=16G \
|
post_max_size=16G \
|
||||||
output_buffering=16384 \
|
output_buffering=16384 \
|
||||||
@ -386,7 +253,7 @@ tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
|
|||||||
short_open_tag=On
|
short_open_tag=On
|
||||||
|
|
||||||
# Set Nextcloud recommended opcache settings
|
# Set Nextcloud recommended opcache settings
|
||||||
tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \
|
tools/editconf.py /etc/php/7.2/cli/conf.d/10-opcache.ini -c ';' \
|
||||||
opcache.enable=1 \
|
opcache.enable=1 \
|
||||||
opcache.enable_cli=1 \
|
opcache.enable_cli=1 \
|
||||||
opcache.interned_strings_buffer=8 \
|
opcache.interned_strings_buffer=8 \
|
||||||
@ -396,12 +263,12 @@ tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \
|
|||||||
opcache.revalidate_freq=1
|
opcache.revalidate_freq=1
|
||||||
|
|
||||||
# Configure the path environment for php-fpm
|
# Configure the path environment for php-fpm
|
||||||
tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
|
tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
|
||||||
env[PATH]=/usr/local/bin:/usr/bin:/bin
|
env[PATH]=/usr/local/bin:/usr/bin:/bin
|
||||||
|
|
||||||
# If apc is explicitly disabled we need to enable it
|
# If apc is explicitly disabled we need to enable it
|
||||||
if grep -q apc.enabled=0 /etc/php/7.0/mods-available/apcu.ini; then
|
if grep -q apc.enabled=0 /etc/php/7.2/mods-available/apcu.ini; then
|
||||||
tools/editconf.py /etc/php/7.0/mods-available/apcu.ini -c ';' \
|
tools/editconf.py /etc/php/7.2/mods-available/apcu.ini -c ';' \
|
||||||
apc.enabled=1
|
apc.enabled=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -423,4 +290,4 @@ chmod +x /etc/cron.hourly/mailinabox-owncloud
|
|||||||
# ```
|
# ```
|
||||||
|
|
||||||
# Enable PHP modules and restart PHP.
|
# Enable PHP modules and restart PHP.
|
||||||
restart_service php7.0-fpm
|
restart_service php7.2-fpm
|
@ -7,9 +7,9 @@ if [[ $EUID -ne 0 ]]; then
|
|||||||
exit
|
exit
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Check that we are running on Ubuntu 14.04 LTS (or 14.04.xx).
|
# Check that we are running on Ubuntu 18.04 LTS (or 18.04.xx).
|
||||||
if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" != "Ubuntu 14.04 LTS" ]; then
|
if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" != "Ubuntu 18.04 LTS" ]; then
|
||||||
echo "Mail-in-a-Box only supports being installed on Ubuntu 14.04, sorry. You are running:"
|
echo "Mail-in-a-Box only supports being installed on Ubuntu 18.04, sorry. You are running:"
|
||||||
echo
|
echo
|
||||||
lsb_release -d | sed 's/.*:\s*//'
|
lsb_release -d | sed 's/.*:\s*//'
|
||||||
echo
|
echo
|
||||||
@ -41,7 +41,7 @@ if [ $TOTAL_PHYSICAL_MEM -lt 750000 ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Check that tempfs is mounted with exec
|
# Check that tempfs is mounted with exec
|
||||||
MOUNTED_TMP_AS_NO_EXEC=$(grep "/tmp.*noexec" /proc/mounts)
|
MOUNTED_TMP_AS_NO_EXEC=$(grep "/tmp.*noexec" /proc/mounts || /bin/true)
|
||||||
if [ -n "$MOUNTED_TMP_AS_NO_EXEC" ]; then
|
if [ -n "$MOUNTED_TMP_AS_NO_EXEC" ]; then
|
||||||
echo "Mail-in-a-Box has to have exec rights on /tmp, please mount /tmp with exec"
|
echo "Mail-in-a-Box has to have exec rights on /tmp, please mount /tmp with exec"
|
||||||
exit
|
exit
|
||||||
@ -53,16 +53,14 @@ if [ -e ~/.wgetrc ]; then
|
|||||||
exit
|
exit
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Check that we are running on x86_64 or i686, any other architecture is unsupported and
|
# Check that we are running on x86_64 or i686 architecture, which are the only
|
||||||
# will fail later in the setup when we try to install the custom build lucene packages.
|
# ones we support / test.
|
||||||
#
|
|
||||||
# Set ARM=1 to ignore this check if you have built the packages yourself. If you do this
|
|
||||||
# you are on your own!
|
|
||||||
ARCHITECTURE=$(uname -m)
|
ARCHITECTURE=$(uname -m)
|
||||||
if [ "$ARCHITECTURE" != "x86_64" ] && [ "$ARCHITECTURE" != "i686" ]; then
|
if [ "$ARCHITECTURE" != "x86_64" ] && [ "$ARCHITECTURE" != "i686" ]; then
|
||||||
if [ -z "$ARM" ]; then
|
echo
|
||||||
echo "Mail-in-a-Box only supports x86_64 or i686 and will not work on any other architecture, like ARM."
|
echo "WARNING:"
|
||||||
echo "Your architecture is $ARCHITECTURE"
|
echo "Mail-in-a-Box has only been tested on x86_64 and i686 platform"
|
||||||
exit
|
echo "architectures. Your architecture, $ARCHITECTURE, may not work."
|
||||||
fi
|
echo "You are on your own."
|
||||||
|
echo
|
||||||
fi
|
fi
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
if [ -z "$NONINTERACTIVE" ]; then
|
if [ -z "${NONINTERACTIVE:-}" ]; then
|
||||||
# Install 'dialog' so we can ask the user questions. The original motivation for
|
# Install 'dialog' so we can ask the user questions. The original motivation for
|
||||||
# this was being able to ask the user for input even if stdin has been redirected,
|
# this was being able to ask the user for input even if stdin has been redirected,
|
||||||
# e.g. if we piped a bootstrapping install script to bash to get started. In that
|
# e.g. if we piped a bootstrapping install script to bash to get started. In that
|
||||||
@ -25,8 +25,8 @@ if [ -z "$NONINTERACTIVE" ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# The box needs a name.
|
# The box needs a name.
|
||||||
if [ -z "$PRIMARY_HOSTNAME" ]; then
|
if [ -z "${PRIMARY_HOSTNAME:-}" ]; then
|
||||||
if [ -z "$DEFAULT_PRIMARY_HOSTNAME" ]; then
|
if [ -z "${DEFAULT_PRIMARY_HOSTNAME:-}" ]; then
|
||||||
# We recommend to use box.example.com as this hosts name. The
|
# We recommend to use box.example.com as this hosts name. The
|
||||||
# domain the user possibly wants to use is example.com then.
|
# domain the user possibly wants to use is example.com then.
|
||||||
# We strip the string "box." from the hostname to get the mail
|
# We strip the string "box." from the hostname to get the mail
|
||||||
@ -86,30 +86,30 @@ fi
|
|||||||
# If the machine is behind a NAT, inside a VM, etc., it may not know
|
# If the machine is behind a NAT, inside a VM, etc., it may not know
|
||||||
# its IP address on the public network / the Internet. Ask the Internet
|
# its IP address on the public network / the Internet. Ask the Internet
|
||||||
# and possibly confirm with user.
|
# and possibly confirm with user.
|
||||||
if [ -z "$PUBLIC_IP" ]; then
|
if [ -z "${PUBLIC_IP:-}" ]; then
|
||||||
# Ask the Internet.
|
# Ask the Internet.
|
||||||
GUESSED_IP=$(get_publicip_from_web_service 4)
|
GUESSED_IP=$(get_publicip_from_web_service 4)
|
||||||
|
|
||||||
# On the first run, if we got an answer from the Internet then don't
|
# On the first run, if we got an answer from the Internet then don't
|
||||||
# ask the user.
|
# ask the user.
|
||||||
if [[ -z "$DEFAULT_PUBLIC_IP" && ! -z "$GUESSED_IP" ]]; then
|
if [[ -z "${DEFAULT_PUBLIC_IP:-}" && ! -z "$GUESSED_IP" ]]; then
|
||||||
PUBLIC_IP=$GUESSED_IP
|
PUBLIC_IP=$GUESSED_IP
|
||||||
|
|
||||||
# Otherwise on the first run at least provide a default.
|
# Otherwise on the first run at least provide a default.
|
||||||
elif [[ -z "$DEFAULT_PUBLIC_IP" ]]; then
|
elif [[ -z "${DEFAULT_PUBLIC_IP:-}" ]]; then
|
||||||
DEFAULT_PUBLIC_IP=$(get_default_privateip 4)
|
DEFAULT_PUBLIC_IP=$(get_default_privateip 4)
|
||||||
|
|
||||||
# On later runs, if the previous value matches the guessed value then
|
# On later runs, if the previous value matches the guessed value then
|
||||||
# don't ask the user either.
|
# don't ask the user either.
|
||||||
elif [ "$DEFAULT_PUBLIC_IP" == "$GUESSED_IP" ]; then
|
elif [ "${DEFAULT_PUBLIC_IP:-}" == "$GUESSED_IP" ]; then
|
||||||
PUBLIC_IP=$GUESSED_IP
|
PUBLIC_IP=$GUESSED_IP
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$PUBLIC_IP" ]; then
|
if [ -z "${PUBLIC_IP:-}" ]; then
|
||||||
input_box "Public IP Address" \
|
input_box "Public IP Address" \
|
||||||
"Enter the public IP address of this machine, as given to you by your ISP.
|
"Enter the public IP address of this machine, as given to you by your ISP.
|
||||||
\n\nPublic IP address:" \
|
\n\nPublic IP address:" \
|
||||||
$DEFAULT_PUBLIC_IP \
|
${DEFAULT_PUBLIC_IP:-} \
|
||||||
PUBLIC_IP
|
PUBLIC_IP
|
||||||
|
|
||||||
if [ -z "$PUBLIC_IP" ]; then
|
if [ -z "$PUBLIC_IP" ]; then
|
||||||
@ -121,27 +121,27 @@ fi
|
|||||||
|
|
||||||
# Same for IPv6. But it's optional. Also, if it looks like the system
|
# Same for IPv6. But it's optional. Also, if it looks like the system
|
||||||
# doesn't have an IPv6, don't ask for one.
|
# doesn't have an IPv6, don't ask for one.
|
||||||
if [ -z "$PUBLIC_IPV6" ]; then
|
if [ -z "${PUBLIC_IPV6:-}" ]; then
|
||||||
# Ask the Internet.
|
# Ask the Internet.
|
||||||
GUESSED_IP=$(get_publicip_from_web_service 6)
|
GUESSED_IP=$(get_publicip_from_web_service 6)
|
||||||
MATCHED=0
|
MATCHED=0
|
||||||
if [[ -z "$DEFAULT_PUBLIC_IPV6" && ! -z "$GUESSED_IP" ]]; then
|
if [[ -z "${DEFAULT_PUBLIC_IPV6:-}" && ! -z "$GUESSED_IP" ]]; then
|
||||||
PUBLIC_IPV6=$GUESSED_IP
|
PUBLIC_IPV6=$GUESSED_IP
|
||||||
elif [[ "$DEFAULT_PUBLIC_IPV6" == "$GUESSED_IP" ]]; then
|
elif [[ "${DEFAULT_PUBLIC_IPV6:-}" == "$GUESSED_IP" ]]; then
|
||||||
# No IPv6 entered and machine seems to have none, or what
|
# No IPv6 entered and machine seems to have none, or what
|
||||||
# the user entered matches what the Internet tells us.
|
# the user entered matches what the Internet tells us.
|
||||||
PUBLIC_IPV6=$GUESSED_IP
|
PUBLIC_IPV6=$GUESSED_IP
|
||||||
MATCHED=1
|
MATCHED=1
|
||||||
elif [[ -z "$DEFAULT_PUBLIC_IPV6" ]]; then
|
elif [[ -z "${DEFAULT_PUBLIC_IPV6:-}" ]]; then
|
||||||
DEFAULT_PUBLIC_IP=$(get_default_privateip 6)
|
DEFAULT_PUBLIC_IP=$(get_default_privateip 6)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -z "$PUBLIC_IPV6" && $MATCHED == 0 ]]; then
|
if [[ -z "${PUBLIC_IPV6:-}" && $MATCHED == 0 ]]; then
|
||||||
input_box "IPv6 Address (Optional)" \
|
input_box "IPv6 Address (Optional)" \
|
||||||
"Enter the public IPv6 address of this machine, as given to you by your ISP.
|
"Enter the public IPv6 address of this machine, as given to you by your ISP.
|
||||||
\n\nLeave blank if the machine does not have an IPv6 address.
|
\n\nLeave blank if the machine does not have an IPv6 address.
|
||||||
\n\nPublic IPv6 address:" \
|
\n\nPublic IPv6 address:" \
|
||||||
$DEFAULT_PUBLIC_IPV6 \
|
${DEFAULT_PUBLIC_IPV6:-} \
|
||||||
PUBLIC_IPV6
|
PUBLIC_IPV6
|
||||||
|
|
||||||
if [ ! $PUBLIC_IPV6_EXITCODE ]; then
|
if [ ! $PUBLIC_IPV6_EXITCODE ]; then
|
||||||
@ -154,10 +154,10 @@ fi
|
|||||||
# Get the IP addresses of the local network interface(s) that are connected
|
# Get the IP addresses of the local network interface(s) that are connected
|
||||||
# to the Internet. We need these when we want to have services bind only to
|
# to the Internet. We need these when we want to have services bind only to
|
||||||
# the public network interfaces (not loopback, not tunnel interfaces).
|
# the public network interfaces (not loopback, not tunnel interfaces).
|
||||||
if [ -z "$PRIVATE_IP" ]; then
|
if [ -z "${PRIVATE_IP:-}" ]; then
|
||||||
PRIVATE_IP=$(get_default_privateip 4)
|
PRIVATE_IP=$(get_default_privateip 4)
|
||||||
fi
|
fi
|
||||||
if [ -z "$PRIVATE_IPV6" ]; then
|
if [ -z "${PRIVATE_IPV6:-}" ]; then
|
||||||
PRIVATE_IPV6=$(get_default_privateip 6)
|
PRIVATE_IPV6=$(get_default_privateip 6)
|
||||||
fi
|
fi
|
||||||
if [[ -z "$PRIVATE_IP" && -z "$PRIVATE_IPV6" ]]; then
|
if [[ -z "$PRIVATE_IP" && -z "$PRIVATE_IPV6" ]]; then
|
||||||
@ -186,11 +186,11 @@ fi
|
|||||||
|
|
||||||
# Set STORAGE_USER and STORAGE_ROOT to default values (user-data and /home/user-data), unless
|
# Set STORAGE_USER and STORAGE_ROOT to default values (user-data and /home/user-data), unless
|
||||||
# we've already got those values from a previous run.
|
# we've already got those values from a previous run.
|
||||||
if [ -z "$STORAGE_USER" ]; then
|
if [ -z "${STORAGE_USER:-}" ]; then
|
||||||
STORAGE_USER=$([[ -z "$DEFAULT_STORAGE_USER" ]] && echo "user-data" || echo "$DEFAULT_STORAGE_USER")
|
STORAGE_USER=$([[ -z "${DEFAULT_STORAGE_USER:-}" ]] && echo "user-data" || echo "$DEFAULT_STORAGE_USER")
|
||||||
fi
|
fi
|
||||||
if [ -z "$STORAGE_ROOT" ]; then
|
if [ -z "${STORAGE_ROOT:-}" ]; then
|
||||||
STORAGE_ROOT=$([[ -z "$DEFAULT_STORAGE_ROOT" ]] && echo "/home/$STORAGE_USER" || echo "$DEFAULT_STORAGE_ROOT")
|
STORAGE_ROOT=$([[ -z "${DEFAULT_STORAGE_ROOT:-}" ]] && echo "/home/$STORAGE_USER" || echo "$DEFAULT_STORAGE_ROOT")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Show the configuration, since the user may have not entered it manually.
|
# Show the configuration, since the user may have not entered it manually.
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
source setup/functions.sh # load our functions
|
source setup/functions.sh # load our functions
|
||||||
|
|
||||||
# Check system setup: Are we running as root on Ubuntu 14.04 on a
|
# Check system setup: Are we running as root on Ubuntu 18.04 on a
|
||||||
# machine with enough memory? Is /tmp mounted with exec.
|
# machine with enough memory? Is /tmp mounted with exec.
|
||||||
# If not, this shows an error and exits.
|
# If not, this shows an error and exits.
|
||||||
source setup/preflight.sh
|
source setup/preflight.sh
|
||||||
@ -60,8 +60,8 @@ source setup/questions.sh
|
|||||||
# Run some network checks to make sure setup on this machine makes sense.
|
# Run some network checks to make sure setup on this machine makes sense.
|
||||||
# Skip on existing installs since we don't want this to block the ability to
|
# Skip on existing installs since we don't want this to block the ability to
|
||||||
# upgrade, and these checks are also in the control panel status checks.
|
# upgrade, and these checks are also in the control panel status checks.
|
||||||
if [ -z "$DEFAULT_PRIMARY_HOSTNAME" ]; then
|
if [ -z "${DEFAULT_PRIMARY_HOSTNAME:-}" ]; then
|
||||||
if [ -z "$SKIP_NETWORK_CHECKS" ]; then
|
if [ -z "${SKIP_NETWORK_CHECKS:-}" ]; then
|
||||||
source setup/network-checks.sh
|
source setup/network-checks.sh
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -106,7 +106,7 @@ source setup/dkim.sh
|
|||||||
source setup/spamassassin.sh
|
source setup/spamassassin.sh
|
||||||
source setup/web.sh
|
source setup/web.sh
|
||||||
source setup/webmail.sh
|
source setup/webmail.sh
|
||||||
source setup/owncloud.sh
|
source setup/nextcloud.sh
|
||||||
source setup/zpush.sh
|
source setup/zpush.sh
|
||||||
source setup/management.sh
|
source setup/management.sh
|
||||||
source setup/munin.sh
|
source setup/munin.sh
|
||||||
|
109
setup/system.sh
109
setup/system.sh
@ -14,6 +14,13 @@ source setup/functions.sh # load our functions
|
|||||||
echo $PRIMARY_HOSTNAME > /etc/hostname
|
echo $PRIMARY_HOSTNAME > /etc/hostname
|
||||||
hostname $PRIMARY_HOSTNAME
|
hostname $PRIMARY_HOSTNAME
|
||||||
|
|
||||||
|
# ### Fix permissions
|
||||||
|
|
||||||
|
# The default Ubuntu Bionic image on Scaleway throws warnings during setup about incorrect
|
||||||
|
# permissions (group writeable) set on the following directories.
|
||||||
|
|
||||||
|
chmod g-w /etc /etc/default /usr
|
||||||
|
|
||||||
# ### Add swap space to the system
|
# ### Add swap space to the system
|
||||||
|
|
||||||
# If the physical memory of the system is below 2GB it is wise to create a
|
# If the physical memory of the system is below 2GB it is wise to create a
|
||||||
@ -37,9 +44,9 @@ hostname $PRIMARY_HOSTNAME
|
|||||||
# for reference
|
# for reference
|
||||||
|
|
||||||
SWAP_MOUNTED=$(cat /proc/swaps | tail -n+2)
|
SWAP_MOUNTED=$(cat /proc/swaps | tail -n+2)
|
||||||
SWAP_IN_FSTAB=$(grep "swap" /etc/fstab)
|
SWAP_IN_FSTAB=$(grep "swap" /etc/fstab || /bin/true)
|
||||||
ROOT_IS_BTRFS=$(grep "\/ .*btrfs" /proc/mounts)
|
ROOT_IS_BTRFS=$(grep "\/ .*btrfs" /proc/mounts || /bin/true)
|
||||||
TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}')
|
TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)
|
||||||
AVAILABLE_DISK_SPACE=$(df / --output=avail | tail -n 1)
|
AVAILABLE_DISK_SPACE=$(df / --output=avail | tail -n 1)
|
||||||
if
|
if
|
||||||
[ -z "$SWAP_MOUNTED" ] &&
|
[ -z "$SWAP_MOUNTED" ] &&
|
||||||
@ -70,7 +77,7 @@ fi
|
|||||||
|
|
||||||
# ### Add PPAs.
|
# ### Add PPAs.
|
||||||
|
|
||||||
# We install some non-standard Ubuntu packages maintained by us and other
|
# We install some non-standard Ubuntu packages maintained by other
|
||||||
# third-party providers. First ensure add-apt-repository is installed.
|
# third-party providers. First ensure add-apt-repository is installed.
|
||||||
|
|
||||||
if [ ! -f /usr/bin/add-apt-repository ]; then
|
if [ ! -f /usr/bin/add-apt-repository ]; then
|
||||||
@ -79,14 +86,7 @@ if [ ! -f /usr/bin/add-apt-repository ]; then
|
|||||||
apt_install software-properties-common
|
apt_install software-properties-common
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# [Main-in-a-Box's own PPA](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa)
|
# Install the certbot PPA.
|
||||||
# holds several .deb packages that we built on our own.
|
|
||||||
# One is a replacement for Ubuntu's stock postgrey package that makes
|
|
||||||
# some enhancements. The other is dovecot-lucene, a Lucene-based full
|
|
||||||
# text search plugin for (and by) dovecot, which is not available in
|
|
||||||
# Ubuntu currently.
|
|
||||||
|
|
||||||
hide_output add-apt-repository -y ppa:mail-in-a-box/ppa
|
|
||||||
hide_output add-apt-repository -y ppa:certbot/certbot
|
hide_output add-apt-repository -y ppa:certbot/certbot
|
||||||
|
|
||||||
# ### Update Packages
|
# ### Update Packages
|
||||||
@ -128,21 +128,9 @@ apt_install python3 python3-dev python3-pip \
|
|||||||
haveged pollinate unzip \
|
haveged pollinate unzip \
|
||||||
unattended-upgrades cron ntp fail2ban rsyslog
|
unattended-upgrades cron ntp fail2ban rsyslog
|
||||||
|
|
||||||
# ### Add PHP7 PPA
|
|
||||||
|
|
||||||
# Nextcloud requires PHP7, we will install the ppa from ubuntu php maintainer Ondřej Surý
|
|
||||||
# The PPA is located here https://launchpad.net/%7Eondrej/+archive/ubuntu/php
|
|
||||||
# Unattended upgrades are activated for the repository If it appears it's already
|
|
||||||
# installed, don't do it again so we can avoid an unnecessary call to apt-get update.
|
|
||||||
if [ ! -f /etc/apt/sources.list.d/ondrej-php-trusty.list ]; then
|
|
||||||
hide_output add-apt-repository -y ppa:ondrej/php
|
|
||||||
apt_add_repository_to_unattended_upgrades LP-PPA-ondrej-php:trusty
|
|
||||||
hide_output apt-get update
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ### Suppress Upgrade Prompts
|
# ### Suppress Upgrade Prompts
|
||||||
# Since Mail-in-a-Box might jump straight to 18.04 LTS, there's no need
|
# When Ubuntu 20 comes out, we don't want users to be prompted to upgrade,
|
||||||
# to be reminded about 16.04 on every login.
|
# because we don't yet support it.
|
||||||
if [ -f /etc/update-manager/release-upgrades ]; then
|
if [ -f /etc/update-manager/release-upgrades ]; then
|
||||||
tools/editconf.py /etc/update-manager/release-upgrades Prompt=never
|
tools/editconf.py /etc/update-manager/release-upgrades Prompt=never
|
||||||
rm -f /var/lib/ubuntu-release-upgrader/release-upgrade-available
|
rm -f /var/lib/ubuntu-release-upgrader/release-upgrade-available
|
||||||
@ -162,8 +150,8 @@ fi
|
|||||||
# section) and syslog (see #328). There might be other issues, and it's
|
# section) and syslog (see #328). There might be other issues, and it's
|
||||||
# not likely the user will want to change this, so we only ask on first
|
# not likely the user will want to change this, so we only ask on first
|
||||||
# setup.
|
# setup.
|
||||||
if [ -z "$NONINTERACTIVE" ]; then
|
if [ -z "${NONINTERACTIVE:-}" ]; then
|
||||||
if [ ! -f /etc/timezone ] || [ ! -z $FIRST_TIME_SETUP ]; then
|
if [ ! -f /etc/timezone ] || [ ! -z ${FIRST_TIME_SETUP:-} ]; then
|
||||||
# If the file is missing or this is the user's first time running
|
# If the file is missing or this is the user's first time running
|
||||||
# Mail-in-a-Box setup, run the interactive timezone configuration
|
# Mail-in-a-Box setup, run the interactive timezone configuration
|
||||||
# tool.
|
# tool.
|
||||||
@ -189,7 +177,6 @@ fi
|
|||||||
# * DNSSEC signing keys (see `dns.sh`)
|
# * DNSSEC signing keys (see `dns.sh`)
|
||||||
# * our management server's API key (via Python's os.urandom method)
|
# * our management server's API key (via Python's os.urandom method)
|
||||||
# * Roundcube's SECRET_KEY (`webmail.sh`)
|
# * Roundcube's SECRET_KEY (`webmail.sh`)
|
||||||
# * ownCloud's administrator account password (`owncloud.sh`)
|
|
||||||
#
|
#
|
||||||
# Why /dev/urandom? It's the same as /dev/random, except that it doesn't wait
|
# Why /dev/urandom? It's the same as /dev/random, except that it doesn't wait
|
||||||
# for a constant new stream of entropy. In practice, we only need a little
|
# for a constant new stream of entropy. In practice, we only need a little
|
||||||
@ -259,7 +246,7 @@ EOF
|
|||||||
# Various virtualized environments like Docker and some VPSs don't provide #NODOC
|
# Various virtualized environments like Docker and some VPSs don't provide #NODOC
|
||||||
# a kernel that supports iptables. To avoid error-like output in these cases, #NODOC
|
# a kernel that supports iptables. To avoid error-like output in these cases, #NODOC
|
||||||
# we skip this if the user sets DISABLE_FIREWALL=1. #NODOC
|
# we skip this if the user sets DISABLE_FIREWALL=1. #NODOC
|
||||||
if [ -z "$DISABLE_FIREWALL" ]; then
|
if [ -z "${DISABLE_FIREWALL:-}" ]; then
|
||||||
# Install `ufw` which provides a simple firewall configuration.
|
# Install `ufw` which provides a simple firewall configuration.
|
||||||
apt_install ufw
|
apt_install ufw
|
||||||
|
|
||||||
@ -284,45 +271,69 @@ fi #NODOC
|
|||||||
|
|
||||||
# ### Local DNS Service
|
# ### Local DNS Service
|
||||||
|
|
||||||
# Install a local DNS server, rather than using the DNS server provided by the
|
# Install a local recursive DNS server --- i.e. for DNS queries made by
|
||||||
# ISP's network configuration.
|
# local services running on this machine.
|
||||||
#
|
#
|
||||||
# We do this to ensure that DNS queries
|
# (This is unrelated to the box's public, non-recursive DNS server that
|
||||||
# that *we* make (i.e. looking up other external domains) perform DNSSEC checks.
|
# answers remote queries about domain names hosted on this box. For that
|
||||||
# We could use Google's Public DNS, but we don't want to create a dependency on
|
# see dns.sh.)
|
||||||
# Google per our goals of decentralization. `bind9`, as packaged for Ubuntu, has
|
|
||||||
# DNSSEC enabled by default via "dnssec-validation auto".
|
|
||||||
#
|
#
|
||||||
# So we'll be running `bind9` bound to 127.0.0.1 for locally-issued DNS queries
|
# The default systemd-resolved service provides local DNS name resolution. By default it
|
||||||
# and `nsd` bound to the public ethernet interface for remote DNS queries asking
|
# is a recursive stub nameserver, which means it simply relays requests to an
|
||||||
# about our domain names. `nsd` is configured later.
|
# external nameserver, usually provided by your ISP or configured in /etc/systemd/resolved.conf.
|
||||||
|
#
|
||||||
|
# This won't work for us for three reasons.
|
||||||
|
#
|
||||||
|
# 1) We have higher security goals --- we want DNSSEC to be enforced on all
|
||||||
|
# DNS queries (some upstream DNS servers do, some don't).
|
||||||
|
# 2) We will configure postfix to use DANE, which uses DNSSEC to find TLS
|
||||||
|
# certificates for remote servers. DNSSEC validation *must* be performed
|
||||||
|
# locally because we can't trust an unencrypted connection to an external
|
||||||
|
# DNS server.
|
||||||
|
# 3) DNS-based mail server blacklists (RBLs) typically block large ISP
|
||||||
|
# DNS servers because they only provide free data to small users. Since
|
||||||
|
# we use RBLs to block incoming mail from blacklisted IP addresses,
|
||||||
|
# we have to run our own DNS server. See #1424.
|
||||||
|
#
|
||||||
|
# systemd-resolved has a setting to perform local DNSSEC validation on all
|
||||||
|
# requests (in /etc/systemd/resolved.conf, set DNSSEC=yes), but because it's
|
||||||
|
# a stub server the main part of a request still goes through an upstream
|
||||||
|
# DNS server, which won't work for RBLs. So we really need a local recursive
|
||||||
|
# nameserver.
|
||||||
|
#
|
||||||
|
# We'll install `bind9`, which as packaged for Ubuntu, has DNSSEC enabled by default via "dnssec-validation auto".
|
||||||
|
# We'll have it be bound to 127.0.0.1 so that it does not interfere with
|
||||||
|
# the public, recursive nameserver `nsd` bound to the public ethernet interfaces.
|
||||||
#
|
#
|
||||||
# About the settings:
|
# About the settings:
|
||||||
#
|
#
|
||||||
# * RESOLVCONF=yes will have `bind9` take over /etc/resolv.conf to tell
|
|
||||||
# local services that DNS queries are handled on localhost.
|
|
||||||
# * Adding -4 to OPTIONS will have `bind9` not listen on IPv6 addresses
|
# * Adding -4 to OPTIONS will have `bind9` not listen on IPv6 addresses
|
||||||
# so that we're sure there's no conflict with nsd, our public domain
|
# so that we're sure there's no conflict with nsd, our public domain
|
||||||
# name server, on IPV6.
|
# name server, on IPV6.
|
||||||
# * The listen-on directive in named.conf.options restricts `bind9` to
|
# * The listen-on directive in named.conf.options restricts `bind9` to
|
||||||
# binding to the loopback interface instead of all interfaces.
|
# binding to the loopback interface instead of all interfaces.
|
||||||
apt_install bind9 resolvconf
|
apt_install bind9
|
||||||
tools/editconf.py /etc/default/bind9 \
|
tools/editconf.py /etc/default/bind9 \
|
||||||
RESOLVCONF=yes \
|
|
||||||
"OPTIONS=\"-u bind -4\""
|
"OPTIONS=\"-u bind -4\""
|
||||||
if ! grep -q "listen-on " /etc/bind/named.conf.options; then
|
if ! grep -q "listen-on " /etc/bind/named.conf.options; then
|
||||||
# Add a listen-on directive if it doesn't exist inside the options block.
|
# Add a listen-on directive if it doesn't exist inside the options block.
|
||||||
sed -i "s/^}/\n\tlisten-on { 127.0.0.1; };\n}/" /etc/bind/named.conf.options
|
sed -i "s/^}/\n\tlisten-on { 127.0.0.1; };\n}/" /etc/bind/named.conf.options
|
||||||
fi
|
fi
|
||||||
if [ -f /etc/resolvconf/resolv.conf.d/original ]; then
|
|
||||||
echo "Archiving old resolv.conf (was /etc/resolvconf/resolv.conf.d/original, now /etc/resolvconf/resolv.conf.original)." #NODOC
|
# First we'll disable systemd-resolved's management of resolv.conf and its stub server.
|
||||||
mv /etc/resolvconf/resolv.conf.d/original /etc/resolvconf/resolv.conf.original #NODOC
|
# Breaking the symlink to /run/systemd/resolve/stub-resolv.conf means
|
||||||
fi
|
# systemd-resolved will read it for DNS servers to use. Put in 127.0.0.1,
|
||||||
|
# which is where bind9 will be running. Obviously don't do this before
|
||||||
|
# installing bind9 or else apt won't be able to resolve a server to
|
||||||
|
# download bind9 from.
|
||||||
|
rm -f /etc/resolv.conf
|
||||||
|
tools/editconf.py /etc/systemd/resolved.conf DNSStubListener=no
|
||||||
|
echo "nameserver 127.0.0.1" > /etc/resolv.conf
|
||||||
|
|
||||||
# Restart the DNS services.
|
# Restart the DNS services.
|
||||||
|
|
||||||
restart_service bind9
|
restart_service bind9
|
||||||
restart_service resolvconf
|
systemctl restart systemd-resolved
|
||||||
|
|
||||||
# ### Fail2Ban Service
|
# ### Fail2Ban Service
|
||||||
|
|
||||||
|
30
setup/web.sh
30
setup/web.sh
@ -19,10 +19,7 @@ fi
|
|||||||
|
|
||||||
echo "Installing Nginx (web server)..."
|
echo "Installing Nginx (web server)..."
|
||||||
|
|
||||||
apt_install nginx php7.0-cli php7.0-fpm
|
apt_install nginx php-cli php-fpm
|
||||||
|
|
||||||
# Set PHP7 as the default
|
|
||||||
update-alternatives --set php /usr/bin/php7.0
|
|
||||||
|
|
||||||
rm -f /etc/nginx/sites-enabled/default
|
rm -f /etc/nginx/sites-enabled/default
|
||||||
|
|
||||||
@ -44,19 +41,19 @@ tools/editconf.py /etc/nginx/nginx.conf -s \
|
|||||||
server_names_hash_bucket_size="128;"
|
server_names_hash_bucket_size="128;"
|
||||||
|
|
||||||
# Tell PHP not to expose its version number in the X-Powered-By header.
|
# Tell PHP not to expose its version number in the X-Powered-By header.
|
||||||
tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
|
tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
|
||||||
expose_php=Off
|
expose_php=Off
|
||||||
|
|
||||||
# Set PHPs default charset to UTF-8, since we use it. See #367.
|
# Set PHPs default charset to UTF-8, since we use it. See #367.
|
||||||
tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
|
tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
|
||||||
default_charset="UTF-8"
|
default_charset="UTF-8"
|
||||||
|
|
||||||
# Switch from the dynamic process manager to the ondemand manager see #1216
|
# Switch from the dynamic process manager to the ondemand manager see #1216
|
||||||
tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
|
tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
|
||||||
pm=ondemand
|
pm=ondemand
|
||||||
|
|
||||||
# Bump up PHP's max_children to support more concurrent connections
|
# Bump up PHP's max_children to support more concurrent connections
|
||||||
tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
|
tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
|
||||||
pm.max_children=8
|
pm.max_children=8
|
||||||
|
|
||||||
# Other nginx settings will be configured by the management service
|
# Other nginx settings will be configured by the management service
|
||||||
@ -94,24 +91,9 @@ if [ ! -f $STORAGE_ROOT/www/default/index.html ]; then
|
|||||||
fi
|
fi
|
||||||
chown -R $STORAGE_USER $STORAGE_ROOT/www
|
chown -R $STORAGE_USER $STORAGE_ROOT/www
|
||||||
|
|
||||||
# We previously installed a custom init script to start the PHP FastCGI daemon. #NODOC
|
|
||||||
# Remove it now that we're using php5-fpm. #NODOC
|
|
||||||
if [ -L /etc/init.d/php-fastcgi ]; then
|
|
||||||
echo "Removing /etc/init.d/php-fastcgi, php5-cgi..." #NODOC
|
|
||||||
rm -f /etc/init.d/php-fastcgi #NODOC
|
|
||||||
hide_output update-rc.d php-fastcgi remove #NODOC
|
|
||||||
apt-get -y purge php5-cgi #NODOC
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Remove obsoleted scripts. #NODOC
|
|
||||||
# exchange-autodiscover is now handled by Z-Push. #NODOC
|
|
||||||
for f in webfinger exchange-autodiscover; do #NODOC
|
|
||||||
rm -f /usr/local/bin/mailinabox-$f.php #NODOC
|
|
||||||
done #NODOC
|
|
||||||
|
|
||||||
# Start services.
|
# Start services.
|
||||||
restart_service nginx
|
restart_service nginx
|
||||||
restart_service php7.0-fpm
|
restart_service php7.2-fpm
|
||||||
|
|
||||||
# Open ports.
|
# Open ports.
|
||||||
ufw_allow http
|
ufw_allow http
|
||||||
|
@ -22,15 +22,8 @@ source /etc/mailinabox.conf # load global vars
|
|||||||
echo "Installing Roundcube (webmail)..."
|
echo "Installing Roundcube (webmail)..."
|
||||||
apt_install \
|
apt_install \
|
||||||
dbconfig-common \
|
dbconfig-common \
|
||||||
php7.0-cli php7.0-sqlite php7.0-mcrypt php7.0-intl php7.0-json php7.0-common php7.0-curl \
|
php-cli php-sqlite3 php-intl php-json php-common php-curl \
|
||||||
php7.0-gd php7.0-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php7.0-mbstring
|
php-gd php-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php-mbstring
|
||||||
|
|
||||||
apt_get_quiet remove php-mail-mimedecode # no longer needed since Roundcube 1.1.3
|
|
||||||
|
|
||||||
# We used to install Roundcube from Ubuntu, without triggering the dependencies #NODOC
|
|
||||||
# on Apache and MySQL, by downloading the debs and installing them manually. #NODOC
|
|
||||||
# Now that we're beyond that, get rid of those debs before installing from source. #NODOC
|
|
||||||
apt-get purge -qq -y roundcube* #NODOC
|
|
||||||
|
|
||||||
# Install Roundcube from source if it is not already present or if it is out of date.
|
# Install Roundcube from source if it is not already present or if it is out of date.
|
||||||
# Combine the Roundcube version number with the commit hash of plugins to track
|
# Combine the Roundcube version number with the commit hash of plugins to track
|
||||||
@ -200,5 +193,5 @@ chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
|
|||||||
chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
|
chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
|
||||||
|
|
||||||
# Enable PHP modules.
|
# Enable PHP modules.
|
||||||
phpenmod -v php7.0 mcrypt imap
|
phpenmod -v php mcrypt imap
|
||||||
restart_service php7.0-fpm
|
restart_service php7.2-fpm
|
||||||
|
@ -17,9 +17,9 @@ source /etc/mailinabox.conf # load global vars
|
|||||||
|
|
||||||
echo "Installing Z-Push (Exchange/ActiveSync server)..."
|
echo "Installing Z-Push (Exchange/ActiveSync server)..."
|
||||||
apt_install \
|
apt_install \
|
||||||
php7.0-soap php7.0-imap libawl-php php7.0-xsl
|
php-soap php-imap libawl-php php-xsl
|
||||||
|
|
||||||
phpenmod -v php7.0 imap
|
phpenmod -v php imap
|
||||||
|
|
||||||
# Copy Z-Push into place.
|
# Copy Z-Push into place.
|
||||||
VERSION=2.4.4
|
VERSION=2.4.4
|
||||||
@ -102,7 +102,7 @@ EOF
|
|||||||
|
|
||||||
# Restart service.
|
# Restart service.
|
||||||
|
|
||||||
restart_service php7.0-fpm
|
restart_service php7.2-fpm
|
||||||
|
|
||||||
# Fix states after upgrade
|
# Fix states after upgrade
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
# through some other host you can ssh into (maybe the box
|
# through some other host you can ssh into (maybe the box
|
||||||
# itself?):
|
# itself?):
|
||||||
#
|
#
|
||||||
# python3 --proxy user@ssh_host yourservername
|
# python3 tls.py --proxy user@ssh_host yourservername
|
||||||
#
|
#
|
||||||
# (This will launch "ssh -N -L10023:yourservername:testport user@ssh_host"
|
# (This will launch "ssh -N -L10023:yourservername:testport user@ssh_host"
|
||||||
# to create a tunnel.)
|
# to create a tunnel.)
|
||||||
@ -128,7 +128,7 @@ def sslyze(opts, port, ok_ciphers):
|
|||||||
proxy_proc.terminate()
|
proxy_proc.terminate()
|
||||||
try:
|
try:
|
||||||
proxy_proc.wait(5)
|
proxy_proc.wait(5)
|
||||||
except TimeoutExpired:
|
except subprocess.TimeoutExpired:
|
||||||
proxy_proc.kill()
|
proxy_proc.kill()
|
||||||
|
|
||||||
# Get a list of OpenSSL cipher names.
|
# Get a list of OpenSSL cipher names.
|
||||||
|
@ -13,18 +13,18 @@ PORT 25
|
|||||||
|
|
||||||
* Session Resumption:
|
* Session Resumption:
|
||||||
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
|
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
|
||||||
With TLS Session Tickets: NOT SUPPORTED - TLS ticket not assigned.
|
With TLS Session Tickets: OK - Supported
|
||||||
|
|
||||||
* SSLV2 Cipher Suites:
|
* SSLV2 Cipher Suites:
|
||||||
Server rejected all cipher suites.
|
Server rejected all cipher suites.
|
||||||
|
|
||||||
* TLSV1_2 Cipher Suites:
|
* TLSV1_2 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
Accepted:
|
Accepted:
|
||||||
ECDHE-RSA-AES256-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-AES256-SHA256 DH-2048 bits 256 bits 250 2.0.0 Ok
|
DHE-RSA-AES256-SHA256 DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
@ -33,9 +33,9 @@ PORT 25
|
|||||||
AES256-SHA256 - 256 bits 250 2.0.0 Ok
|
AES256-SHA256 - 256 bits 250 2.0.0 Ok
|
||||||
AES256-SHA - 256 bits 250 2.0.0 Ok
|
AES256-SHA - 256 bits 250 2.0.0 Ok
|
||||||
AES256-GCM-SHA384 - 256 bits 250 2.0.0 Ok
|
AES256-GCM-SHA384 - 256 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES128-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES128-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES128-GCM-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-AES128-SHA256 DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-AES128-SHA256 DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
@ -46,56 +46,47 @@ PORT 25
|
|||||||
AES128-SHA256 - 128 bits 250 2.0.0 Ok
|
AES128-SHA256 - 128 bits 250 2.0.0 Ok
|
||||||
AES128-SHA - 128 bits 250 2.0.0 Ok
|
AES128-SHA - 128 bits 250 2.0.0 Ok
|
||||||
AES128-GCM-SHA256 - 128 bits 250 2.0.0 Ok
|
AES128-GCM-SHA256 - 128 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits 250 2.0.0 Ok
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits 250 2.0.0 Ok
|
|
||||||
DES-CBC3-SHA - 112 bits 250 2.0.0 Ok
|
|
||||||
|
|
||||||
* TLSV1_1 Cipher Suites:
|
* TLSV1_1 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
Accepted:
|
Accepted:
|
||||||
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok
|
CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok
|
||||||
AES256-SHA - 256 bits 250 2.0.0 Ok
|
AES256-SHA - 256 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
SEED-SHA - 128 bits 250 2.0.0 Ok
|
SEED-SHA - 128 bits 250 2.0.0 Ok
|
||||||
CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok
|
CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok
|
||||||
AES128-SHA - 128 bits 250 2.0.0 Ok
|
AES128-SHA - 128 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits 250 2.0.0 Ok
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits 250 2.0.0 Ok
|
|
||||||
DES-CBC3-SHA - 112 bits 250 2.0.0 Ok
|
|
||||||
|
|
||||||
* TLSV1 Cipher Suites:
|
|
||||||
Preferred:
|
|
||||||
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
|
|
||||||
Accepted:
|
|
||||||
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
|
|
||||||
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
|
||||||
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
|
||||||
CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok
|
|
||||||
AES256-SHA - 256 bits 250 2.0.0 Ok
|
|
||||||
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
|
|
||||||
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
|
||||||
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
|
||||||
DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
|
||||||
SEED-SHA - 128 bits 250 2.0.0 Ok
|
|
||||||
CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok
|
|
||||||
AES128-SHA - 128 bits 250 2.0.0 Ok
|
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits 250 2.0.0 Ok
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits 250 2.0.0 Ok
|
|
||||||
DES-CBC3-SHA - 112 bits 250 2.0.0 Ok
|
|
||||||
|
|
||||||
* SSLV3 Cipher Suites:
|
* SSLV3 Cipher Suites:
|
||||||
Server rejected all cipher suites.
|
Server rejected all cipher suites.
|
||||||
|
|
||||||
|
* TLSV1 Cipher Suites:
|
||||||
|
Preferred:
|
||||||
|
ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
|
Accepted:
|
||||||
|
ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
|
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
|
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
|
CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok
|
||||||
|
AES256-SHA - 256 bits 250 2.0.0 Ok
|
||||||
|
ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok
|
||||||
|
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
|
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
|
DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
|
SEED-SHA - 128 bits 250 2.0.0 Ok
|
||||||
|
CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok
|
||||||
|
AES128-SHA - 128 bits 250 2.0.0 Ok
|
||||||
|
|
||||||
Should Not Offer: (none -- good)
|
Should Not Offer: (none -- good)
|
||||||
Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, DHE-DSS-SEED-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA
|
Could Also Offer: AES128-CCM, AES128-CCM8, AES256-CCM, AES256-CCM8, CAMELLIA128-SHA256, CAMELLIA256-SHA256, DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA128-SHA256, DHE-DSS-CAMELLIA256-SHA, DHE-DSS-CAMELLIA256-SHA256, DHE-DSS-SEED-SHA, DHE-RSA-AES128-CCM, DHE-RSA-AES128-CCM8, DHE-RSA-AES256-CCM, DHE-RSA-AES256-CCM8, DHE-RSA-CAMELLIA128-SHA256, DHE-RSA-CAMELLIA256-SHA256, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CAMELLIA128-SHA256, ECDHE-ECDSA-CAMELLIA256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CAMELLIA128-SHA256, ECDHE-RSA-CAMELLIA256-SHA384, ECDHE-RSA-CHACHA20-POLY1305
|
||||||
Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Chrome/42/OS X, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Android/2.3.7, Java/6u45, IE/8/XP
|
Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, BingPreview/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.3, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45
|
||||||
|
|
||||||
PORT 587
|
PORT 587
|
||||||
--------
|
--------
|
||||||
@ -112,18 +103,18 @@ PORT 587
|
|||||||
|
|
||||||
* Session Resumption:
|
* Session Resumption:
|
||||||
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
|
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
|
||||||
With TLS Session Tickets: NOT SUPPORTED - TLS ticket not assigned.
|
With TLS Session Tickets: OK - Supported
|
||||||
|
|
||||||
* SSLV2 Cipher Suites:
|
* SSLV2 Cipher Suites:
|
||||||
Server rejected all cipher suites.
|
Server rejected all cipher suites.
|
||||||
|
|
||||||
* TLSV1_2 Cipher Suites:
|
* TLSV1_2 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
Accepted:
|
Accepted:
|
||||||
ECDHE-RSA-AES256-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-GCM-SHA384 ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-AES256-SHA256 DH-2048 bits 256 bits 250 2.0.0 Ok
|
DHE-RSA-AES256-SHA256 DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
@ -132,9 +123,9 @@ PORT 587
|
|||||||
AES256-SHA256 - 256 bits 250 2.0.0 Ok
|
AES256-SHA256 - 256 bits 250 2.0.0 Ok
|
||||||
AES256-SHA - 256 bits 250 2.0.0 Ok
|
AES256-SHA - 256 bits 250 2.0.0 Ok
|
||||||
AES256-GCM-SHA384 - 256 bits 250 2.0.0 Ok
|
AES256-GCM-SHA384 - 256 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES128-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES128-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES128-GCM-SHA256 ECDH-521 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-AES128-SHA256 DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-AES128-SHA256 DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
@ -148,31 +139,14 @@ PORT 587
|
|||||||
|
|
||||||
* TLSV1_1 Cipher Suites:
|
* TLSV1_1 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
Accepted:
|
Accepted:
|
||||||
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok
|
CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok
|
||||||
AES256-SHA - 256 bits 250 2.0.0 Ok
|
AES256-SHA - 256 bits 250 2.0.0 Ok
|
||||||
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
|
ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
|
||||||
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
|
||||||
DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
|
||||||
SEED-SHA - 128 bits 250 2.0.0 Ok
|
|
||||||
CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok
|
|
||||||
AES128-SHA - 128 bits 250 2.0.0 Ok
|
|
||||||
|
|
||||||
* TLSV1 Cipher Suites:
|
|
||||||
Preferred:
|
|
||||||
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
|
|
||||||
Accepted:
|
|
||||||
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
|
|
||||||
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
|
||||||
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
|
||||||
CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok
|
|
||||||
AES256-SHA - 256 bits 250 2.0.0 Ok
|
|
||||||
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
|
|
||||||
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
@ -183,9 +157,26 @@ PORT 587
|
|||||||
* SSLV3 Cipher Suites:
|
* SSLV3 Cipher Suites:
|
||||||
Server rejected all cipher suites.
|
Server rejected all cipher suites.
|
||||||
|
|
||||||
|
* TLSV1 Cipher Suites:
|
||||||
|
Preferred:
|
||||||
|
ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
|
Accepted:
|
||||||
|
ECDHE-RSA-AES256-SHA ECDH-521 bits 256 bits 250 2.0.0 Ok
|
||||||
|
DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
|
DHE-RSA-AES256-SHA DH-2048 bits 256 bits 250 2.0.0 Ok
|
||||||
|
CAMELLIA256-SHA - 256 bits 250 2.0.0 Ok
|
||||||
|
AES256-SHA - 256 bits 250 2.0.0 Ok
|
||||||
|
ECDHE-RSA-AES128-SHA ECDH-521 bits 128 bits 250 2.0.0 Ok
|
||||||
|
DHE-RSA-SEED-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
|
DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
|
DHE-RSA-AES128-SHA DH-2048 bits 128 bits 250 2.0.0 Ok
|
||||||
|
SEED-SHA - 128 bits 250 2.0.0 Ok
|
||||||
|
CAMELLIA128-SHA - 128 bits 250 2.0.0 Ok
|
||||||
|
AES128-SHA - 128 bits 250 2.0.0 Ok
|
||||||
|
|
||||||
Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-RSA-SEED-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, SEED-SHA
|
Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-RSA-SEED-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, SEED-SHA
|
||||||
Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384
|
Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305
|
||||||
Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, IE/11/Win 7, IE/11/Win 8.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, IE Mobile/11/Win Phone 8.1, Safari/8/OS X 10.10, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Java/8u31, Android/5.0.0, Chrome/42/OS X, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/7u25, Android/2.3.7, Java/6u45
|
Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, BingPreview/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.3, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45
|
||||||
|
|
||||||
PORT 443
|
PORT 443
|
||||||
--------
|
--------
|
||||||
@ -197,19 +188,19 @@ PORT 443
|
|||||||
Client-initiated Renegotiations: OK - Rejected
|
Client-initiated Renegotiations: OK - Rejected
|
||||||
Secure Renegotiation: OK - Supported
|
Secure Renegotiation: OK - Supported
|
||||||
|
|
||||||
* OpenSSL Heartbleed:
|
|
||||||
OK - Not vulnerable to Heartbleed
|
|
||||||
|
|
||||||
* HTTP Strict Transport Security:
|
* HTTP Strict Transport Security:
|
||||||
OK - HSTS header received: max-age=15768000
|
OK - HSTS header received: max-age=15768000
|
||||||
|
|
||||||
Unhandled exception when processing --chrome_sha1:
|
|
||||||
exceptions.TypeError - Incorrect padding
|
|
||||||
|
|
||||||
* Session Resumption:
|
* Session Resumption:
|
||||||
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
|
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
|
||||||
With TLS Session Tickets: OK - Supported
|
With TLS Session Tickets: OK - Supported
|
||||||
|
|
||||||
|
* OpenSSL Heartbleed:
|
||||||
|
OK - Not vulnerable to Heartbleed
|
||||||
|
|
||||||
|
Unhandled exception when processing --chrome_sha1:
|
||||||
|
exceptions.TypeError - Incorrect padding
|
||||||
|
|
||||||
* SSLV2 Cipher Suites:
|
* SSLV2 Cipher Suites:
|
||||||
Server rejected all cipher suites.
|
Server rejected all cipher suites.
|
||||||
|
|
||||||
@ -235,9 +226,6 @@ exceptions.TypeError - Incorrect padding
|
|||||||
AES128-SHA256 - 128 bits HTTP 200 OK
|
AES128-SHA256 - 128 bits HTTP 200 OK
|
||||||
AES128-SHA - 128 bits HTTP 200 OK
|
AES128-SHA - 128 bits HTTP 200 OK
|
||||||
AES128-GCM-SHA256 - 128 bits HTTP 200 OK
|
AES128-GCM-SHA256 - 128 bits HTTP 200 OK
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits HTTP 200 OK
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits HTTP 200 OK
|
|
||||||
DES-CBC3-SHA - 112 bits HTTP 200 OK
|
|
||||||
|
|
||||||
* TLSV1_1 Cipher Suites:
|
* TLSV1_1 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
@ -249,9 +237,9 @@ exceptions.TypeError - Incorrect padding
|
|||||||
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 200 OK
|
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 200 OK
|
||||||
DHE-RSA-AES128-SHA DH-2048 bits 128 bits HTTP 200 OK
|
DHE-RSA-AES128-SHA DH-2048 bits 128 bits HTTP 200 OK
|
||||||
AES128-SHA - 128 bits HTTP 200 OK
|
AES128-SHA - 128 bits HTTP 200 OK
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits HTTP 200 OK
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits HTTP 200 OK
|
* SSLV3 Cipher Suites:
|
||||||
DES-CBC3-SHA - 112 bits HTTP 200 OK
|
Server rejected all cipher suites.
|
||||||
|
|
||||||
* TLSV1 Cipher Suites:
|
* TLSV1 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
@ -263,16 +251,10 @@ exceptions.TypeError - Incorrect padding
|
|||||||
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 200 OK
|
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 200 OK
|
||||||
DHE-RSA-AES128-SHA DH-2048 bits 128 bits HTTP 200 OK
|
DHE-RSA-AES128-SHA DH-2048 bits 128 bits HTTP 200 OK
|
||||||
AES128-SHA - 128 bits HTTP 200 OK
|
AES128-SHA - 128 bits HTTP 200 OK
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits HTTP 200 OK
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits HTTP 200 OK
|
|
||||||
DES-CBC3-SHA - 112 bits HTTP 200 OK
|
|
||||||
|
|
||||||
* SSLV3 Cipher Suites:
|
|
||||||
Server rejected all cipher suites.
|
|
||||||
|
|
||||||
Should Not Offer: (none -- good)
|
Should Not Offer: (none -- good)
|
||||||
Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA
|
Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305
|
||||||
Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP
|
Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Firefox/37/OS X, Android/4.3, Android/4.2.2, Baidu/Jan 2015, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45
|
||||||
|
|
||||||
PORT 993
|
PORT 993
|
||||||
--------
|
--------
|
||||||
@ -286,13 +268,13 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
|
|||||||
* OpenSSL Heartbleed:
|
* OpenSSL Heartbleed:
|
||||||
OK - Not vulnerable to Heartbleed
|
OK - Not vulnerable to Heartbleed
|
||||||
|
|
||||||
* SSLV2 Cipher Suites:
|
|
||||||
Server rejected all cipher suites.
|
|
||||||
|
|
||||||
* Session Resumption:
|
* Session Resumption:
|
||||||
With Session IDs: NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts).
|
With Session IDs: NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts).
|
||||||
With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted.
|
With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted.
|
||||||
|
|
||||||
|
* SSLV2 Cipher Suites:
|
||||||
|
Server rejected all cipher suites.
|
||||||
|
|
||||||
* TLSV1_2 Cipher Suites:
|
* TLSV1_2 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
ECDHE-RSA-AES128-GCM-SHA256 ECDH-384 bits 128 bits
|
ECDHE-RSA-AES128-GCM-SHA256 ECDH-384 bits 128 bits
|
||||||
@ -315,9 +297,6 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
|
|||||||
AES128-SHA256 - 128 bits
|
AES128-SHA256 - 128 bits
|
||||||
AES128-SHA - 128 bits
|
AES128-SHA - 128 bits
|
||||||
AES128-GCM-SHA256 - 128 bits
|
AES128-GCM-SHA256 - 128 bits
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits
|
|
||||||
DES-CBC3-SHA - 112 bits
|
|
||||||
|
|
||||||
* TLSV1_1 Cipher Suites:
|
* TLSV1_1 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
@ -329,9 +308,9 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
|
|||||||
ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits
|
ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits
|
||||||
DHE-RSA-AES128-SHA DH-2048 bits 128 bits
|
DHE-RSA-AES128-SHA DH-2048 bits 128 bits
|
||||||
AES128-SHA - 128 bits
|
AES128-SHA - 128 bits
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits
|
* SSLV3 Cipher Suites:
|
||||||
DES-CBC3-SHA - 112 bits
|
Server rejected all cipher suites.
|
||||||
|
|
||||||
* TLSV1 Cipher Suites:
|
* TLSV1 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
@ -343,16 +322,10 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
|
|||||||
ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits
|
ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits
|
||||||
DHE-RSA-AES128-SHA DH-2048 bits 128 bits
|
DHE-RSA-AES128-SHA DH-2048 bits 128 bits
|
||||||
AES128-SHA - 128 bits
|
AES128-SHA - 128 bits
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits
|
|
||||||
DES-CBC3-SHA - 112 bits
|
|
||||||
|
|
||||||
* SSLV3 Cipher Suites:
|
Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA
|
||||||
Server rejected all cipher suites.
|
Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305
|
||||||
|
Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Firefox/37/OS X, Android/4.3, Android/4.2.2, Baidu/Jan 2015, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45
|
||||||
Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DES-CBC3-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
|
|
||||||
Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384
|
|
||||||
Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP
|
|
||||||
|
|
||||||
PORT 995
|
PORT 995
|
||||||
--------
|
--------
|
||||||
@ -366,13 +339,13 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
|
|||||||
* OpenSSL Heartbleed:
|
* OpenSSL Heartbleed:
|
||||||
OK - Not vulnerable to Heartbleed
|
OK - Not vulnerable to Heartbleed
|
||||||
|
|
||||||
* SSLV2 Cipher Suites:
|
|
||||||
Server rejected all cipher suites.
|
|
||||||
|
|
||||||
* Session Resumption:
|
* Session Resumption:
|
||||||
With Session IDs: NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts).
|
With Session IDs: NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts).
|
||||||
With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted.
|
With TLS Session Tickets: NOT SUPPORTED - TLS ticket assigned but not accepted.
|
||||||
|
|
||||||
|
* SSLV2 Cipher Suites:
|
||||||
|
Server rejected all cipher suites.
|
||||||
|
|
||||||
* TLSV1_2 Cipher Suites:
|
* TLSV1_2 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
ECDHE-RSA-AES128-GCM-SHA256 ECDH-384 bits 128 bits
|
ECDHE-RSA-AES128-GCM-SHA256 ECDH-384 bits 128 bits
|
||||||
@ -395,9 +368,6 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
|
|||||||
AES128-SHA256 - 128 bits
|
AES128-SHA256 - 128 bits
|
||||||
AES128-SHA - 128 bits
|
AES128-SHA - 128 bits
|
||||||
AES128-GCM-SHA256 - 128 bits
|
AES128-GCM-SHA256 - 128 bits
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits
|
|
||||||
DES-CBC3-SHA - 112 bits
|
|
||||||
|
|
||||||
* TLSV1_1 Cipher Suites:
|
* TLSV1_1 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
@ -409,9 +379,9 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
|
|||||||
ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits
|
ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits
|
||||||
DHE-RSA-AES128-SHA DH-2048 bits 128 bits
|
DHE-RSA-AES128-SHA DH-2048 bits 128 bits
|
||||||
AES128-SHA - 128 bits
|
AES128-SHA - 128 bits
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits
|
* SSLV3 Cipher Suites:
|
||||||
DES-CBC3-SHA - 112 bits
|
Server rejected all cipher suites.
|
||||||
|
|
||||||
* TLSV1 Cipher Suites:
|
* TLSV1 Cipher Suites:
|
||||||
Preferred:
|
Preferred:
|
||||||
@ -423,14 +393,8 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
|
|||||||
ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits
|
ECDHE-RSA-AES128-SHA ECDH-384 bits 128 bits
|
||||||
DHE-RSA-AES128-SHA DH-2048 bits 128 bits
|
DHE-RSA-AES128-SHA DH-2048 bits 128 bits
|
||||||
AES128-SHA - 128 bits
|
AES128-SHA - 128 bits
|
||||||
ECDHE-RSA-DES-CBC3-SHA ECDH-384 bits 112 bits
|
|
||||||
EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits
|
|
||||||
DES-CBC3-SHA - 112 bits
|
|
||||||
|
|
||||||
* SSLV3 Cipher Suites:
|
Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA
|
||||||
Server rejected all cipher suites.
|
Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305
|
||||||
|
Supported Clients: Yahoo Slurp/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Android/4.4.2, Safari/6/iOS 6.0.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE Mobile/11/Win Phone 8.1, IE/11/Win 7, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Firefox/37/OS X, Android/4.3, Android/4.2.2, Baidu/Jan 2015, Safari/5.1.9/OS X 10.6.8, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, Java/7u25, Android/2.3.7, Java/6u45
|
||||||
Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DES-CBC3-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
|
|
||||||
Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384
|
|
||||||
Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP
|
|
||||||
|
|
||||||
|
@ -26,8 +26,7 @@ if [ ! -f $1/config.php ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Restoring backup from $1"
|
echo "Restoring backup from $1"
|
||||||
service php5-fpm stop
|
service php7.2-fpm stop
|
||||||
service php7.0-fpm stop
|
|
||||||
|
|
||||||
# remove the current ownCloud/Nextcloud installation
|
# remove the current ownCloud/Nextcloud installation
|
||||||
rm -rf /usr/local/lib/owncloud/
|
rm -rf /usr/local/lib/owncloud/
|
||||||
@ -46,6 +45,5 @@ chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
|
|||||||
|
|
||||||
sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off
|
sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off
|
||||||
|
|
||||||
service php5-fpm start
|
service php7.2-fpm start
|
||||||
service php7.0-fpm start
|
|
||||||
echo "Done"
|
echo "Done"
|
||||||
|
Loading…
Reference in New Issue
Block a user